Repository: bridgecrewio/checkov
Branch: main
Commit: 53b25944bdc5
Files: 9724
Total size: 35.5 MB
Directory structure:
gitextract_81zemmz3/
├── .cfnlintrc
├── .coveragerc
├── .dockerignore
├── .flake8
├── .github/
│ ├── ISSUE_TEMPLATE/
│ │ ├── best_practices_issue.md
│ │ ├── checks_issue.md
│ │ ├── crash_report.md
│ │ ├── feature_request.md
│ │ ├── graph_issue.md
│ │ ├── integrations_issue.md
│ │ ├── languages_issue.md
│ │ ├── noise_issue.md
│ │ ├── outputs_issue.md
│ │ └── skips_issue.md
│ ├── PULL_REQUEST_TEMPLATE.md
│ ├── actionlint.yaml
│ ├── checkov.yaml
│ ├── codeql-config.yml
│ ├── dependabot.yml
│ ├── exclude-patterns.txt
│ ├── pr-title-checker-config.json
│ ├── release-changelog-config.json
│ ├── stale.yml
│ └── workflows/
│ ├── build.yml
│ ├── codeql-analysis.yml
│ ├── coverage.yaml
│ ├── jekyll-gh-pages.yml
│ ├── nightly.yml
│ ├── pipenv-update.yml
│ ├── pr-test.yml
│ ├── pr-title.yml
│ ├── security-shared.yml
│ └── security.yml
├── .gitignore
├── .gitmodules
├── .gitpod.Dockerfile
├── .gitpod.yml
├── .pre-commit-config.yaml
├── .pre-commit-hooks.yaml
├── .swm/
│ ├── creating-a-solver.gm0ti.sw.md
│ └── swimm.json
├── CHANGELOG.md
├── CNAME
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── Dockerfile
├── INTHEWILD.md
├── LICENSE
├── Pipfile
├── README.md
├── SECURITY.md
├── bin/
│ ├── checkov
│ └── checkov.cmd
├── cdk_integration_tests/
│ ├── __init__.py
│ ├── prepare_data.sh
│ ├── run_integration_tests.sh
│ ├── src/
│ │ ├── python/
│ │ │ ├── ALBDropHttpHeaders/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── ALBListenerHTTPS/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── APIGatewayAccessLogging/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── APIGatewayAuthorization/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── APIGatewayCacheEnable/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── APIGatewayV2AccessLogging/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── APIGatewayXray/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── AmazonMQBrokerPublicAccess/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── AppSyncFieldLevelLogs/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── AppSyncLogging/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── AthenaWorkgroupConfiguration/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── AuroraEncryption/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── BackupVaultEncrypted/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── CloudFrontTLS12/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── CloudTrailLogValidation/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── CloudWatchLogGroupKMSKey/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── CloudWatchLogGroupRetention/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── CloudfrontDistributionEncryption/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── CloudfrontDistributionLogging/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── CloudtrailEncryption/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── CloudtrailMultiRegion/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── CodeBuildProjectEncryption/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── DAXEncryption/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── DMSReplicationInstancePubliclyAccessible/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── DocDBAuditLogs/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── DocDBEncryption/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── DocDBTLS/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── DynamodbGlobalTableRecovery/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── DynamodbRecovery/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── EBSEncryption/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── EC2PublicIP/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── ECRImageScanning/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── ECRImmutableTags/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── ECRRepositoryEncrypted/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── ECSClusterContainerInsights/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── ECSTaskDefinitionEFSVolumeEncryption/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── EFSEncryptionEnabled/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── EKSSecretsEncryption/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── ELBAccessLogs/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── ELBv2AccessLogs/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── ElasticacheReplicationGroupEncryptionAtRest/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── ElasticacheReplicationGroupEncryptionAtTransit/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── ElasticsearchDomainEnforceHTTPS/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── ElasticsearchDomainLogging/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── ElasticsearchEncryption/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── ElasticsearchNodeToNodeEncryption/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── GlueDataCatalogEncryption/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── GlueSecurityConfiguration/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── GlueSecurityConfigurationEnabled/
│ │ │ │ ├── fail__3__.py
│ │ │ │ └── pass.py
│ │ │ ├── IAMPolicyAttachedToGroupOrRoles/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── KinesisStreamEncryptionType/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── LambdaDLQConfigured/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── LambdaEnvironmentCredentials/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── LambdaEnvironmentEncryptionSettings/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── LambdaFunctionLevelConcurrentExecutionLimit/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── LambdaInVPC/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── LaunchConfigurationEBSEncryption/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── NeptuneClusterStorageEncrypted/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── RDSEnhancedMonitorEnabled/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── RDSMultiAZEnabled/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── RDSPubliclyAccessible/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── RedShiftSSL/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── RedshiftClusterEncryption/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── RedshiftClusterLogging/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── RedshiftClusterPubliclyAccessible/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── RedshiftInEc2ClassicMode/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── S3BlockPublicACLs/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── S3BlockPublicPolicy/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── S3BucketEncryption/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── S3BucketKMSEncryption/
│ │ │ │ ├── fail__3__.py
│ │ │ │ └── pass.py
│ │ │ ├── S3BucketLogging/
│ │ │ │ ├── fail.py
│ │ │ │ └── pass.py
│ │ │ ├── S3BucketPublicAccessBlock/
│ │ │ │ ├── fail.py
│ │ │ │ └── pass.py
│ │ │ ├── S3BucketVersioning/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── S3IgnorePublicACLs/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── S3PublicACLRead/
│ │ │ │ ├── fail__3__.py
│ │ │ │ └── pass.py
│ │ │ ├── S3PublicACLWrite/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── S3RestrictPublicBuckets/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── SNSTopicEncryption/
│ │ │ │ ├── fail.py
│ │ │ │ └── pass.py
│ │ │ ├── SQSQueueEncryption/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── SecretManagerSecretEncrypted/
│ │ │ │ ├── fail__2__.py
│ │ │ │ └── pass.py
│ │ │ ├── SecurityGroupRuleDescription/
│ │ │ │ ├── fail__4__.py
│ │ │ │ └── pass.py
│ │ │ ├── TransferServerIsPublic/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── VPCEndpointAcceptanceConfigured/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── WAFEnabled/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── WorkspaceRootVolumeEncrypted/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ ├── WorkspaceUserVolumeEncrypted/
│ │ │ │ ├── fail__1__.py
│ │ │ │ └── pass.py
│ │ │ └── s3.py
│ │ └── typescript/
│ │ ├── ALBDropHttpHeaders/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── ALBListenerHTTPS/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── APIGatewayAccessLogging/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── APIGatewayAuthorization/
│ │ │ ├── fail.ts
│ │ │ ├── fail__2__.ts
│ │ │ ├── pass.ts
│ │ │ └── pass__2__.ts
│ │ ├── APIGatewayCacheEnable/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── APIGatewayV2AccessLogging/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── APIGatewayXray/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── AmazonMQBrokerPublicAccess/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── AppSyncFieldLevelLogs/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── AppSyncLogging/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── AthenaWorkgroupConfiguration/
│ │ │ ├── fail.ts
│ │ │ ├── fail__2__.ts
│ │ │ └── pass.ts
│ │ ├── AuroraEncryption/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── BackupVaultEncrypted/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── CloudFrontTLS12/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── CloudTrailLogValidation/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── CloudWatchLogGroupKMSKey/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── CloudWatchLogGroupRetention/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── CloudfrontDistributionEncryption/
│ │ │ ├── fail__2__.ts
│ │ │ └── pass.ts
│ │ ├── CloudfrontDistributionLogging/
│ │ │ ├── fail__2__.ts
│ │ │ └── pass.ts
│ │ ├── CloudtrailEncryption/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── CloudtrailMultiRegion/
│ │ │ ├── fail__2__.ts
│ │ │ └── pass.ts
│ │ ├── CodeBuildProjectEncryption/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── DAXEncryption/
│ │ │ ├── fail__2__.ts
│ │ │ └── pass.ts
│ │ ├── DMSReplicationInstancePubliclyAccessible/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── DocDBAuditLogs/
│ │ │ ├── fail__2__.ts
│ │ │ └── pass.ts
│ │ ├── DocDBEncryption/
│ │ │ ├── fail__2__.ts
│ │ │ └── pass.ts
│ │ ├── DocDBTLS/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── DynamodbGlobalTableRecovery/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── DynamodcRecovery/
│ │ │ ├── fail__2__.ts
│ │ │ └── pass.ts
│ │ ├── EBSEncryption/
│ │ │ ├── fail__2__.ts
│ │ │ └── pass.ts
│ │ ├── EC2PublicIP/
│ │ │ ├── fail.ts
│ │ │ ├── fail_2.ts
│ │ │ └── pass.ts
│ │ ├── ECRImageScanning/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── ECRImmutableTags/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── ECRRepositoryEncrypted/
│ │ │ ├── fail.ts
│ │ │ ├── pass.ts
│ │ │ └── pass_2.ts
│ │ ├── ECSClusterContainerInsights/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── ECSTaskDefinitionEFSVolumeEncryption/
│ │ │ ├── fail.ts
│ │ │ ├── fail_2.ts
│ │ │ └── pass.ts
│ │ ├── EFSEncryptionEnabled/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── EKSSecretsEncryption/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── ELBAccessLogs/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── ELBv2AccessLogs/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── ElasticacheReplicationGroupEncryptionAtRest/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── ElasticacheReplicationGroupEncryptionAtTransit/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken/
│ │ │ ├── fail.ts
│ │ │ ├── pass.ts
│ │ │ └── pass_2.ts
│ │ ├── ElasticsearchDomainEnforceHTTPS/
│ │ │ ├── fail.ts
│ │ │ ├── fail_2.ts
│ │ │ ├── pass.ts
│ │ │ └── pass_2.ts
│ │ ├── ElasticsearchDomainLogging/
│ │ │ ├── fail.ts
│ │ │ ├── fail_2.ts
│ │ │ ├── pass.ts
│ │ │ └── pass_2.ts
│ │ ├── ElasticsearchEncryption/
│ │ │ ├── fail.ts
│ │ │ ├── fail2.ts
│ │ │ └── pass.ts
│ │ ├── ElasticsearchNodeToNodeEncryption/
│ │ │ ├── fail.ts
│ │ │ ├── fail2.ts
│ │ │ └── pass.ts
│ │ ├── GlueDataCatalogEncryption/
│ │ │ ├── fail.ts
│ │ │ ├── fail2.ts
│ │ │ └── pass.ts
│ │ ├── GlueSecurityConfiguration/
│ │ │ ├── fail.ts
│ │ │ ├── fail2.ts
│ │ │ └── pass.ts
│ │ ├── GlueSecurityConfigurationEnabled/
│ │ │ ├── fail.ts
│ │ │ ├── fail2.ts
│ │ │ └── pass.ts
│ │ ├── IAMPolicyAttachedToGroupOrRoles/
│ │ │ ├── fail.ts
│ │ │ ├── fail2.ts
│ │ │ └── pass.ts
│ │ ├── KinesisStreamEncryptionType/
│ │ │ ├── fail.ts
│ │ │ ├── fail2.ts
│ │ │ └── pass.ts
│ │ ├── LambdaDLQConfigured/
│ │ │ ├── fail.ts
│ │ │ ├── fail2.ts
│ │ │ └── pass.ts
│ │ ├── LambdaEnvironmentCredentials/
│ │ │ ├── fail.ts
│ │ │ ├── fail2.ts
│ │ │ └── pass.ts
│ │ ├── LambdaEnvironmentEncryptionSettings/
│ │ │ ├── fail.ts
│ │ │ ├── fail2.ts
│ │ │ └── pass.ts
│ │ ├── LambdaFunctionLevelConcurrentExecutionLimit/
│ │ │ ├── fail.ts
│ │ │ ├── fail2.ts
│ │ │ └── pass.ts
│ │ ├── LambdaInVPC/
│ │ │ ├── fail.ts
│ │ │ ├── fail2.ts
│ │ │ └── pass.ts
│ │ ├── LaunchConfigurationEBSEncryption/
│ │ │ ├── fail.ts
│ │ │ ├── fail2.ts
│ │ │ └── pass.ts
│ │ ├── NeptuneClusterStorageEncrypted/
│ │ │ ├── fail.ts
│ │ │ ├── fail2.ts
│ │ │ └── pass.ts
│ │ ├── RDSEnhancedMonitorEnabled/
│ │ │ ├── fail2.ts
│ │ │ └── pass.ts
│ │ ├── RDSMultiAZEnabled/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── RDSPubliclyAccessible/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── RedShiftSSL/
│ │ │ ├── fail__2__.ts
│ │ │ └── pass.ts
│ │ ├── RedshiftClusterEncryption/
│ │ │ ├── fail__2__.ts
│ │ │ └── pass.ts
│ │ ├── RedshiftClusterLogging/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── RedshiftClusterPubliclyAccessible/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── RedshiftInEc2ClassicMode/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── S3BlockPublicACLs/
│ │ │ ├── fail.ts
│ │ │ ├── fail__3__.ts
│ │ │ ├── pass.ts
│ │ │ ├── pass2.ts
│ │ │ └── pass3.ts
│ │ ├── S3BlockPublicPolicy/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── S3BucketEncryption/
│ │ │ ├── fail2__2__.ts
│ │ │ ├── fail__2__.ts
│ │ │ ├── pass.ts
│ │ │ └── pass2.ts
│ │ ├── S3BucketKMSEncryption/
│ │ │ ├── fail2__3__.ts
│ │ │ ├── fail__3__.ts
│ │ │ ├── pass.ts
│ │ │ └── pass2.ts
│ │ ├── S3BucketLogging/
│ │ │ ├── fail.ts
│ │ │ ├── fail2.ts
│ │ │ ├── pass.ts
│ │ │ └── pass2.ts
│ │ ├── S3BucketPublicAccessBlock/
│ │ │ ├── fail.ts
│ │ │ ├── fail2.ts
│ │ │ ├── pass.ts
│ │ │ └── pass2.ts
│ │ ├── S3BucketVersioning/
│ │ │ ├── fail2__2__.ts
│ │ │ ├── fail__2__.ts
│ │ │ ├── pass.ts
│ │ │ └── pass2.ts
│ │ ├── S3PublicACLRead/
│ │ │ ├── fail__3__.ts
│ │ │ └── pass.ts
│ │ ├── S3RestrictPublicBuckets/
│ │ │ ├── fail__2__.ts
│ │ │ └── pass.ts
│ │ ├── SNSTopicEncryption/
│ │ │ ├── fail.ts
│ │ │ └── pass.ts
│ │ ├── SQSQueueEncryption/
│ │ │ ├── fail__2__.ts
│ │ │ └── pass.ts
│ │ ├── SecretManagerSecretEncrypted/
│ │ │ ├── fail__2__.ts
│ │ │ └── pass.ts
│ │ ├── SecurityGroupRuleDescription/
│ │ │ ├── fail__4__.ts
│ │ │ └── pass.ts
│ │ ├── TransferServerIsPublic/
│ │ │ ├── fail__1__.ts
│ │ │ └── pass.ts
│ │ ├── VPCEndpointAcceptanceConfigured/
│ │ │ ├── fail__2__.ts
│ │ │ └── pass.ts
│ │ ├── WAFEnabled/
│ │ │ ├── fail__1__.ts
│ │ │ └── pass.ts
│ │ ├── WorkspaceRootVolumeEncrypted/
│ │ │ ├── fail__1__.ts
│ │ │ └── pass.ts
│ │ ├── WorkspaceUserVolumeEncrypted/
│ │ │ ├── fail__1__.ts
│ │ │ └── pass.ts
│ │ └── s3.ts
│ ├── test_checks_python.py
│ ├── test_checks_typescript.py
│ └── utils.py
├── checkov/
│ ├── __init__.py
│ ├── ansible/
│ │ ├── __init__.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── base_ansible_task_check.py
│ │ │ ├── base_ansible_task_value_check.py
│ │ │ ├── graph_checks/
│ │ │ │ ├── BlockErrorHandling.yaml
│ │ │ │ ├── DnfDisableGpgCheck.yaml
│ │ │ │ ├── DnfSslVerify.yaml
│ │ │ │ ├── DnfValidateCerts.yaml
│ │ │ │ ├── GetUrlHttpsOnly.yaml
│ │ │ │ ├── PanosIPsecAuthenticationAlgorithms.yaml
│ │ │ │ ├── PanosIPsecProtocols.yaml
│ │ │ │ ├── PanosInterfaceMgmtProfileNoHTTP.yaml
│ │ │ │ ├── PanosInterfaceMgmtProfileNoTelnet.yaml
│ │ │ │ ├── PanosPolicyDescription.yaml
│ │ │ │ ├── PanosPolicyLogForwarding.yaml
│ │ │ │ ├── PanosPolicyLogSessionStart.yaml
│ │ │ │ ├── PanosPolicyLoggingEnabled.yaml
│ │ │ │ ├── PanosPolicyNoApplicationAny.yaml
│ │ │ │ ├── PanosPolicyNoDSRI.yaml
│ │ │ │ ├── PanosPolicyNoServiceAny.yaml
│ │ │ │ ├── PanosPolicyNoSrcAnyDstAny.yaml
│ │ │ │ ├── PanosPolicyNoSrcZoneAnyNoDstZoneAny.yaml
│ │ │ │ ├── PanosZoneProtectionProfile.yaml
│ │ │ │ ├── PanosZoneUserIDIncludeACL.yaml
│ │ │ │ ├── UriHttpsOnly.yaml
│ │ │ │ └── __init__.py
│ │ │ ├── registry.py
│ │ │ └── task/
│ │ │ ├── __init__.py
│ │ │ ├── aws/
│ │ │ │ ├── EC2EBSOptimized.py
│ │ │ │ ├── EC2PublicIP.py
│ │ │ │ └── __init__.py
│ │ │ └── builtin/
│ │ │ ├── AptAllowUnauthenticated.py
│ │ │ ├── AptForce.py
│ │ │ ├── GetUrlValidateCerts.py
│ │ │ ├── UriValidateCerts.py
│ │ │ ├── YumSslVerify.py
│ │ │ ├── YumValidateCerts.py
│ │ │ └── __init__.py
│ │ ├── graph_builder/
│ │ │ ├── __init__.py
│ │ │ ├── graph_components/
│ │ │ │ ├── __init__.py
│ │ │ │ └── resource_types.py
│ │ │ └── local_graph.py
│ │ ├── runner.py
│ │ └── utils.py
│ ├── argo_workflows/
│ │ ├── __init__.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── base_argo_workflows_check.py
│ │ │ ├── registry.py
│ │ │ └── template/
│ │ │ ├── DefaultServiceAccount.py
│ │ │ ├── RunAsNonRoot.py
│ │ │ └── __init__.py
│ │ ├── common/
│ │ │ └── __init__.py
│ │ └── runner.py
│ ├── arm/
│ │ ├── __init__.py
│ │ ├── base_parameter_check.py
│ │ ├── base_registry.py
│ │ ├── base_resource_check.py
│ │ ├── base_resource_negative_value_check.py
│ │ ├── base_resource_value_check.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── graph_checks/
│ │ │ │ ├── AzureMLWorkspacePublicNetwork.yaml
│ │ │ │ ├── AzureSpringCloudConfigWithVnet.yaml
│ │ │ │ ├── SynapseLogMonitoringEnabledForSQLPool.yaml
│ │ │ │ ├── SynapseSQLPoolHasSecurityAlertPolicy.yaml
│ │ │ │ ├── SynapseSQLPoolHasVulnerabilityAssessment.yaml
│ │ │ │ ├── SynapseWorkspaceHasExtendedAuditLogs.yaml
│ │ │ │ └── __init__.py
│ │ │ ├── parameter/
│ │ │ │ ├── SecureStringParameterNoHardcodedValue.py
│ │ │ │ └── __init__.py
│ │ │ └── resource/
│ │ │ ├── ACRAdminAccountDisabled.py
│ │ │ ├── ACRAnonymousPullDisabled.py
│ │ │ ├── ACRContainerScanEnabled.py
│ │ │ ├── ACREnableImageQuarantine.py
│ │ │ ├── ACREnableZoneRedundancy.py
│ │ │ ├── ACRPublicNetworkAccessDisabled.py
│ │ │ ├── AKSApiServerAuthorizedIpRanges.py
│ │ │ ├── AKSDashboardDisabled.py
│ │ │ ├── AKSEncryptionAtHostEnabled.py
│ │ │ ├── AKSEphemeralOSDisks.py
│ │ │ ├── AKSLocalAdminDisabled.py
│ │ │ ├── AKSLoggingEnabled.py
│ │ │ ├── AKSMaxPodsMinimum.py
│ │ │ ├── AKSNetworkPolicy.py
│ │ │ ├── AKSPoolTypeIsScaleSet.py
│ │ │ ├── AKSRbacEnabled.py
│ │ │ ├── AKSUpgradeChannel.py
│ │ │ ├── APIManagementMinTLS12.py
│ │ │ ├── APIManagementPublicAccess.py
│ │ │ ├── APIServicesUseVirtualNetwork.py
│ │ │ ├── AkSSecretStoreRotation.py
│ │ │ ├── AppGWDefinesSecureProtocols.py
│ │ │ ├── AppGatewayWAFACLCVE202144228.py
│ │ │ ├── AppServiceAuthentication.py
│ │ │ ├── AppServiceClientCertificate.py
│ │ │ ├── AppServiceDetailedErrorMessagesEnabled.py
│ │ │ ├── AppServiceDisallowCORS.py
│ │ │ ├── AppServiceDotnetFrameworkVersion.py
│ │ │ ├── AppServiceEnableFailedRequest.py
│ │ │ ├── AppServiceFTPSState.py
│ │ │ ├── AppServiceHTTPSOnly.py
│ │ │ ├── AppServiceHttpLoggingEnabled.py
│ │ │ ├── AppServiceHttps20Enabled.py
│ │ │ ├── AppServiceIdentity.py
│ │ │ ├── AppServiceIdentityProviderEnabled.py
│ │ │ ├── AppServiceInstanceMinimum.py
│ │ │ ├── AppServiceJavaVersion.py
│ │ │ ├── AppServiceMinTLSVersion.py
│ │ │ ├── AppServicePHPVersion.py
│ │ │ ├── AppServicePlanZoneRedundant.py
│ │ │ ├── AppServicePublicAccessDisabled.py
│ │ │ ├── AppServicePythonVersion.py
│ │ │ ├── AppServiceRemoteDebuggingNotEnabled.py
│ │ │ ├── AppServiceSetHealthCheck.py
│ │ │ ├── AppServiceSlotDebugDisabled.py
│ │ │ ├── AppServiceSlotHTTPSOnly.py
│ │ │ ├── AppServiceUsedAzureFiles.py
│ │ │ ├── AutomationEncrypted.py
│ │ │ ├── AzureBatchAccountEndpointAccessDefaultAction.py
│ │ │ ├── AzureBatchAccountUsesKeyVaultEncryption.py
│ │ │ ├── AzureDataExplorerDoubleEncryptionEnabled.py
│ │ │ ├── AzureDefenderOnKeyVaults.py
│ │ │ ├── AzureDefenderOnKubernetes.py
│ │ │ ├── AzureDefenderOnSqlServersVMS.py
│ │ │ ├── AzureDefenderOnStorage.py
│ │ │ ├── AzureFirewallDenyThreatIntelMode.py
│ │ │ ├── AzureFrontDoorEnablesWAF.py
│ │ │ ├── AzureInstanceExtensions.py
│ │ │ ├── AzureInstancePassword.py
│ │ │ ├── AzureMLWorkspacePrivateEndpoint.py
│ │ │ ├── AzureManagedDiscEncryption.py
│ │ │ ├── AzureManagedDiskEncryptionSet.py
│ │ │ ├── AzureScaleSetPassword.py
│ │ │ ├── AzureSearchSLAIndex.py
│ │ │ ├── AzureSearchSLAQueryUpdates.py
│ │ │ ├── AzureServiceFabricClusterProtectionLevel.py
│ │ │ ├── AzureSparkPoolIsolatedComputeEnabled.py
│ │ │ ├── AzureSynapseWorkspaceVAisEnabled.py
│ │ │ ├── AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py
│ │ │ ├── CognitiveServicesConfigureIdentity.py
│ │ │ ├── CognitiveServicesDisablesPublicNetwork.py
│ │ │ ├── CognitiveServicesEnableLocalAuth.py
│ │ │ ├── CosmosDBAccountsRestrictedAccess.py
│ │ │ ├── CosmosDBDisableAccessKeyWrite.py
│ │ │ ├── CosmosDBDisablesPublicNetwork.py
│ │ │ ├── CosmosDBHaveCMK.py
│ │ │ ├── CosmosDBLocalAuthDisabled.py
│ │ │ ├── CustomRoleDefinitionSubscriptionOwner.py
│ │ │ ├── DataExplorerUsesDiskEncryption.py
│ │ │ ├── DataFactoryNoPublicNetworkAccess.py
│ │ │ ├── DataFactoryUsesGitRepository.py
│ │ │ ├── DataLakeStoreEncryption.py
│ │ │ ├── DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py
│ │ │ ├── DatabricksWorkspaceIsNotPublic.py
│ │ │ ├── EventHubNamespaceMinTLS12.py
│ │ │ ├── EventgridTopicIdentityProviderEnabled.py
│ │ │ ├── EventgridTopicLocalAuthentication.py
│ │ │ ├── EventgridTopicNetworkAccess.py
│ │ │ ├── FrontDoorWAFACLCVE202144228.py
│ │ │ ├── FrontdoorUseWAFMode.py
│ │ │ ├── FunctionAppDisallowCORS.py
│ │ │ ├── FunctionAppHttpVersionLatest.py
│ │ │ ├── FunctionAppMinTLSVersion.py
│ │ │ ├── FunctionAppsAccessibleOverHttps.py
│ │ │ ├── FunctionAppsEnableAuthentication.py
│ │ │ ├── KeyBackedByHSM.py
│ │ │ ├── KeyExpirationDate.py
│ │ │ ├── KeyVaultDisablesPublicNetworkAccess.py
│ │ │ ├── KeyVaultEnablesFirewallRulesSettings.py
│ │ │ ├── KeyVaultEnablesPurgeProtection.py
│ │ │ ├── KeyVaultEnablesSoftDelete.py
│ │ │ ├── KeyvaultRecoveryEnabled.py
│ │ │ ├── LinuxVMUsesSSH.py
│ │ │ ├── MSSQLServerMinTLSVersion.py
│ │ │ ├── MariaDBGeoBackupEnabled.py
│ │ │ ├── MariaDBPublicAccessDisabled.py
│ │ │ ├── MariaDBSSLEnforcementEnabled.py
│ │ │ ├── MonitorLogProfileCategories.py
│ │ │ ├── MonitorLogProfileRetentionDays.py
│ │ │ ├── MySQLEncryptionEnabled.py
│ │ │ ├── MySQLGeoBackupEnabled.py
│ │ │ ├── MySQLPublicAccessDisabled.py
│ │ │ ├── MySQLServerMinTLSVersion.py
│ │ │ ├── MySQLServerSSLEnforcementEnabled.py
│ │ │ ├── NSGRuleHTTPAccessRestricted.py
│ │ │ ├── NSGRulePortAccessRestricted.py
│ │ │ ├── NSGRuleRDPAccessRestricted.py
│ │ │ ├── NSGRuleSSHAccessRestricted.py
│ │ │ ├── NetworkWatcherFlowLogPeriod.py
│ │ │ ├── PostgreSQLEncryptionEnabled.py
│ │ │ ├── PostgreSQLServerConnectionThrottlingEnabled.py
│ │ │ ├── PostgreSQLServerLogCheckpointsEnabled.py
│ │ │ ├── PostgreSQLServerLogConnectionsEnabled.py
│ │ │ ├── PostgreSQLServerPublicAccessDisabled.py
│ │ │ ├── PostgreSQLServerSSLEnforcementEnabled.py
│ │ │ ├── PostgressSQLGeoBackupEnabled.py
│ │ │ ├── PubsubSKUSLA.py
│ │ │ ├── PubsubSpecifyIdentity.py
│ │ │ ├── RedisCachePublicNetworkAccessEnabled.py
│ │ │ ├── SQLDatabaseZoneRedundant.py
│ │ │ ├── SQLServerAuditingEnabled.py
│ │ │ ├── SQLServerAuditingRetention90Days.py
│ │ │ ├── SQLServerEmailAlertsEnabled.py
│ │ │ ├── SQLServerEmailAlertsToAdminsEnabled.py
│ │ │ ├── SQLServerHasPublicAccessDisabled.py
│ │ │ ├── SQLServerNoPublicAccess.py
│ │ │ ├── SQLServerThreatDetectionTypes.py
│ │ │ ├── SQLServerUsesADAuth.py
│ │ │ ├── SecretContentType.py
│ │ │ ├── SecretExpirationDate.py
│ │ │ ├── SecurityCenterContactEmailAlert.py
│ │ │ ├── SecurityCenterContactEmailAlertAdmins.py
│ │ │ ├── SecurityCenterContactPhone.py
│ │ │ ├── SecurityCenterStandardPricing.py
│ │ │ ├── StorageAccountAzureServicesAccessEnabled.py
│ │ │ ├── StorageAccountDefaultNetworkAccessDeny.py
│ │ │ ├── StorageAccountDisablePublicAccess.py
│ │ │ ├── StorageAccountLoggingQueueServiceEnabled.py
│ │ │ ├── StorageAccountMinimumTlsVersion.py
│ │ │ ├── StorageAccountName.py
│ │ │ ├── StorageAccountsTransportEncryption.py
│ │ │ ├── StorageAccountsUseReplication.py
│ │ │ ├── StorageBlobServiceContainerPrivateAccess.py
│ │ │ ├── StorageSyncPublicAccessDisabled.py
│ │ │ ├── SynapseWorkspaceAdministratorLoginPasswordHidden.py
│ │ │ ├── SynapseWorkspaceCMKEncryption.py
│ │ │ ├── SynapseWorkspaceEnablesDataExfilProtection.py
│ │ │ ├── SynapseWorkspaceEnablesManagedVirtualNetworks.py
│ │ │ ├── VMCredsInCustomData.py
│ │ │ ├── VMDisablePasswordAuthentication.py
│ │ │ ├── VMEncryptionAtHostEnabled.py
│ │ │ ├── VMScaleSetsAutoOSImagePatchingEnabled.py
│ │ │ ├── VMStorageOsDisk.py
│ │ │ ├── VnetLocalDNS.py
│ │ │ ├── VnetSingleDNSServer.py
│ │ │ ├── WinVMAutomaticUpdates.py
│ │ │ ├── WinVMEncryptionAtHost.py
│ │ │ └── __init__.py
│ │ ├── context_parser.py
│ │ ├── graph_builder/
│ │ │ ├── __init__.py
│ │ │ ├── definition_context.py
│ │ │ ├── graph_components/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── block_types.py
│ │ │ │ └── blocks.py
│ │ │ ├── graph_to_definitions.py
│ │ │ ├── local_graph.py
│ │ │ └── variable_rendering/
│ │ │ ├── __init__.py
│ │ │ └── renderer.py
│ │ ├── graph_manager.py
│ │ ├── parser/
│ │ │ ├── __init__.py
│ │ │ └── parser.py
│ │ ├── registry.py
│ │ ├── runner.py
│ │ └── utils.py
│ ├── azure_pipelines/
│ │ ├── __init__.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── base_azure_pipelines_check.py
│ │ │ ├── job/
│ │ │ │ ├── ContainerDigest.py
│ │ │ │ ├── ContainerLatestTag.py
│ │ │ │ ├── DetectImagesUsage.py
│ │ │ │ ├── SetSecretVariable.py
│ │ │ │ └── __init__.py
│ │ │ └── registry.py
│ │ ├── common/
│ │ │ ├── __init__.py
│ │ │ └── resource_id_utils.py
│ │ └── runner.py
│ ├── bicep/
│ │ ├── __init__.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── graph_checks/
│ │ │ │ ├── SQLServerAuditingEnabled.yaml
│ │ │ │ ├── SQLServerAuditingRetention90Days.yaml
│ │ │ │ ├── SQLServerThreatDetectionTypes.yaml
│ │ │ │ └── __init__.py
│ │ │ ├── param/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── azure/
│ │ │ │ │ ├── SecureStringParameterNoHardcodedValue.py
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── base_param_check.py
│ │ │ │ ├── base_registry.py
│ │ │ │ └── registry.py
│ │ │ └── resource/
│ │ │ ├── __init__.py
│ │ │ ├── azure/
│ │ │ │ ├── StorageAccountAzureServicesAccessEnabled.py
│ │ │ │ ├── StorageAccountDefaultNetworkAccessDeny.py
│ │ │ │ ├── StorageAccountsTransportEncryption.py
│ │ │ │ └── __init__.py
│ │ │ ├── base_registry.py
│ │ │ ├── base_resource_check.py
│ │ │ ├── base_resource_value_check.py
│ │ │ └── registry.py
│ │ ├── graph_builder/
│ │ │ ├── __init__.py
│ │ │ ├── context_definitions.py
│ │ │ ├── graph_components/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── block_types.py
│ │ │ │ └── blocks.py
│ │ │ ├── graph_to_tf_definitions.py
│ │ │ ├── local_graph.py
│ │ │ └── variable_rendering/
│ │ │ ├── __init__.py
│ │ │ └── renderer.py
│ │ ├── graph_manager.py
│ │ ├── image_referencer/
│ │ │ ├── __init__.py
│ │ │ ├── base_provider.py
│ │ │ ├── manager.py
│ │ │ └── provider/
│ │ │ ├── __init__.py
│ │ │ └── azure.py
│ │ ├── parser.py
│ │ ├── runner.py
│ │ └── utils.py
│ ├── bitbucket/
│ │ ├── __init__.py
│ │ ├── base_bitbucket_configuration_check.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ └── merge_requests_approvals.py
│ │ ├── dal.py
│ │ ├── registry.py
│ │ ├── runner.py
│ │ └── schemas/
│ │ ├── __init__.py
│ │ └── branch_restrictions.py
│ ├── bitbucket_pipelines/
│ │ ├── __init__.py
│ │ ├── base_bitbucket_pipelines_check.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ └── latest_image.py
│ │ ├── registry.py
│ │ └── runner.py
│ ├── cdk/
│ │ ├── __init__.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── python/
│ │ │ │ ├── ALBDropHttpHeaders.yaml
│ │ │ │ ├── ALBListenerHTTPS.yaml
│ │ │ │ ├── APIGatewayAccessLogging.yaml
│ │ │ │ ├── APIGatewayAuthorization.yaml
│ │ │ │ ├── APIGatewayCacheEnable.yaml
│ │ │ │ ├── APIGatewayV2AccessLogging.yaml
│ │ │ │ ├── APIGatewayXray.yaml
│ │ │ │ ├── AmazonMQBrokerPublicAccess.yaml
│ │ │ │ ├── AppSyncFieldLevelLogs.yaml
│ │ │ │ ├── AppSyncLogging.yaml
│ │ │ │ ├── AthenaWorkgroupConfiguration.yaml
│ │ │ │ ├── AuroraEncryption.yaml
│ │ │ │ ├── BackupVaultEncrypted.yaml
│ │ │ │ ├── CloudFrontTLS12.yaml
│ │ │ │ ├── CloudTrailLogValidation.yaml
│ │ │ │ ├── CloudWatchLogGroupKMSKey.yaml
│ │ │ │ ├── CloudWatchLogGroupRetention.yaml
│ │ │ │ ├── CloudfrontDistributionEncryption.yaml
│ │ │ │ ├── CloudfrontDistributionLogging.yaml
│ │ │ │ ├── CloudtrailEncryption.yaml
│ │ │ │ ├── CloudtrailMultiRegion.yaml
│ │ │ │ ├── CodeBuildProjectEncryption.yaml
│ │ │ │ ├── DAXEncryption.yaml
│ │ │ │ ├── DMSReplicationInstancePubliclyAccessible.yaml
│ │ │ │ ├── DocDBAuditLogs.yaml
│ │ │ │ ├── DocDBEncryption.yaml
│ │ │ │ ├── DocDBTLS.yaml
│ │ │ │ ├── DynamodbGlobalTableRecovery.yaml
│ │ │ │ ├── DynamodbRecovery.yaml
│ │ │ │ ├── EBSEncryption.yaml
│ │ │ │ ├── EC2PublicIP.yaml
│ │ │ │ ├── ECRImageScanning.yaml
│ │ │ │ ├── ECRImmutableTags.yaml
│ │ │ │ ├── ECRRepositoryEncrypted.yaml
│ │ │ │ ├── ECSClusterContainerInsights.yaml
│ │ │ │ ├── ECSTaskDefinitionEFSVolumeEncryption.yaml
│ │ │ │ ├── EFSEncryptionEnabled.yaml
│ │ │ │ ├── EKSSecretsEncryption.yaml
│ │ │ │ ├── ELBAccessLogs.yaml
│ │ │ │ ├── ELBv2AccessLogs.yaml
│ │ │ │ ├── ElasticacheReplicationGroupEncryptionAtRest.yaml
│ │ │ │ ├── ElasticacheReplicationGroupEncryptionAtTransit.yaml
│ │ │ │ ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken.yaml
│ │ │ │ ├── ElasticsearchDomainEnforceHTTPS.yaml
│ │ │ │ ├── ElasticsearchDomainLogging.yaml
│ │ │ │ ├── ElasticsearchEncryption.yaml
│ │ │ │ ├── ElasticsearchNodeToNodeEncryption.yaml
│ │ │ │ ├── GlueDataCatalogEncryption.yaml
│ │ │ │ ├── GlueSecurityConfiguration.yaml
│ │ │ │ ├── GlueSecurityConfigurationEnabled.yaml
│ │ │ │ ├── IAMPolicyAttachedToGroupOrRoles.yaml
│ │ │ │ ├── KinesisStreamEncryptionType.yaml
│ │ │ │ ├── LambdaDLQConfigured.yaml
│ │ │ │ ├── LambdaEnvironmentCredentials.yaml
│ │ │ │ ├── LambdaEnvironmentEncryptionSettings.yaml
│ │ │ │ ├── LambdaFunctionLevelConcurrentExecutionLimit.yaml
│ │ │ │ ├── LambdaInVPC.yaml
│ │ │ │ ├── LaunchConfigurationEBSEncryption.yaml
│ │ │ │ ├── NeptuneClusterStorageEncrypted.yaml
│ │ │ │ ├── RDSEnhancedMonitorEnabled.yaml
│ │ │ │ ├── RDSMultiAZEnabled.yaml
│ │ │ │ ├── RDSPubliclyAccessible.yaml
│ │ │ │ ├── RedShiftSSL.yaml
│ │ │ │ ├── RedshiftClusterEncryption.yaml
│ │ │ │ ├── RedshiftClusterLogging.yaml
│ │ │ │ ├── RedshiftClusterPubliclyAccessible.yaml
│ │ │ │ ├── RedshiftInEc2ClassicMode.yaml
│ │ │ │ ├── S3BlockPublicACLs.yaml
│ │ │ │ ├── S3BlockPublicPolicy.yaml
│ │ │ │ ├── S3BucketEncryption.yaml
│ │ │ │ ├── S3BucketKMSEncryption.yaml
│ │ │ │ ├── S3BucketLogging.yaml
│ │ │ │ ├── S3BucketPublicAccessBlock.yaml
│ │ │ │ ├── S3BucketVersioning.yaml
│ │ │ │ ├── S3IgnorePublicACLs.yaml
│ │ │ │ ├── S3PublicACLRead.yaml
│ │ │ │ ├── S3PublicACLWrite.yaml
│ │ │ │ ├── S3RestrictPublicBuckets.yaml
│ │ │ │ ├── SNSTopicEncryption.yaml
│ │ │ │ ├── SQSQueueEncryption.yaml
│ │ │ │ ├── SecretManagerSecretEncrypted.yaml
│ │ │ │ ├── SecurityGroupRuleDescription.yaml
│ │ │ │ ├── TransferServerIsPublic.yaml
│ │ │ │ ├── VPCEndpointAcceptanceConfigured.yaml
│ │ │ │ ├── WAFEnabled.yaml
│ │ │ │ ├── WorkspaceRootVolumeEncrypted.yaml
│ │ │ │ └── WorkspaceUserVolumeEncrypted.yaml
│ │ │ └── typescript/
│ │ │ ├── ALBDropHttpHeaders.yaml
│ │ │ ├── ALBListenerHTTPS.yaml
│ │ │ ├── APIGatewayAccessLogging.yaml
│ │ │ ├── APIGatewayAuthorization.yaml
│ │ │ ├── APIGatewayCacheEnable.yaml
│ │ │ ├── APIGatewayV2AccessLogging.yaml
│ │ │ ├── APIGatewayXray.yaml
│ │ │ ├── AmazonMQBrokerPublicAccess.yaml
│ │ │ ├── AppSyncFieldLevelLogs.yaml
│ │ │ ├── AppSyncLogging.yaml
│ │ │ ├── AthenaWorkgroupConfiguration.yaml
│ │ │ ├── AuroraEncryption.yaml
│ │ │ ├── BackupVaultEncrypted.yaml
│ │ │ ├── CloudFrontTLS12.yaml
│ │ │ ├── CloudTrailLogValidation.yaml
│ │ │ ├── CloudWatchLogGroupKMSKey.yaml
│ │ │ ├── CloudWatchLogGroupRetention.yaml
│ │ │ ├── CloudfrontDistributionEncryption.yaml
│ │ │ ├── CloudfrontDistributionLogging.yaml
│ │ │ ├── CloudtrailEncryption.yaml
│ │ │ ├── CloudtrailMultiRegion.yaml
│ │ │ ├── CodeBuildProjectEncryption.yaml
│ │ │ ├── DAXEncryption.yaml
│ │ │ ├── DMSReplicationInstancePubliclyAccessible.yaml
│ │ │ ├── DocDBAuditLogs.yaml
│ │ │ ├── DocDBEncryption.yaml
│ │ │ ├── DocDBTLS.yaml
│ │ │ ├── DynamodbGlobalTableRecovery.yaml
│ │ │ ├── DynamodbRecovery.yaml
│ │ │ ├── EBSEncryption.yaml
│ │ │ ├── EC2PublicIP.yaml
│ │ │ ├── ECRImageScanning.yaml
│ │ │ ├── ECRImmutableTags.yaml
│ │ │ ├── ECRRepositoryEncrypted.yaml
│ │ │ ├── ECSClusterContainerInsights.yaml
│ │ │ ├── ECSTaskDefinitionEFSVolumeEncryption.yaml
│ │ │ ├── EFSEncryptionEnabled.yaml
│ │ │ ├── EKSSecretsEncryption.yaml
│ │ │ ├── ELBAccessLogs.yaml
│ │ │ ├── ELBv2AccessLogs.yaml
│ │ │ ├── ElasticacheReplicationGroupEncryptionAtRest.yaml
│ │ │ ├── ElasticacheReplicationGroupEncryptionAtTransit.yaml
│ │ │ ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken.yaml
│ │ │ ├── ElasticsearchDomainEnforceHTTPS.yaml
│ │ │ ├── ElasticsearchDomainLogging.yaml
│ │ │ ├── ElasticsearchEncryption.yaml
│ │ │ ├── ElasticsearchNodeToNodeEncryption.yaml
│ │ │ ├── GlueDataCatalogEncryption.yaml
│ │ │ ├── GlueSecurityConfiguration.yaml
│ │ │ ├── GlueSecurityConfigurationEnabled.yaml
│ │ │ ├── IAMPolicyAttachedToGroupOrRoles.yaml
│ │ │ ├── KinesisStreamEncryptionType.yaml
│ │ │ ├── LambdaDLQConfigured.yaml
│ │ │ ├── LambdaEnvironmentCredentials.yaml
│ │ │ ├── LambdaEnvironmentEncryptionSettings.yaml
│ │ │ ├── LambdaFunctionLevelConcurrentExecutionLimit.yaml
│ │ │ ├── LambdaInVPC.yaml
│ │ │ ├── LaunchConfigurationEBSEncryption.yaml
│ │ │ ├── NeptuneClusterStorageEncrypted.yaml
│ │ │ ├── RDSEnhancedMonitorEnabled.yaml
│ │ │ ├── RDSMultiAZEnabled.yaml
│ │ │ ├── RDSPubliclyAccessible.yaml
│ │ │ ├── RedShiftSSL.yaml
│ │ │ ├── RedshiftClusterEncryption.yaml
│ │ │ ├── RedshiftClusterLogging.yaml
│ │ │ ├── RedshiftClusterPubliclyAccessible.yaml
│ │ │ ├── RedshiftInEc2ClassicMode.yaml
│ │ │ ├── S3BlockPublicACLs.yaml
│ │ │ ├── S3BlockPublicPolicy.yaml
│ │ │ ├── S3BucketEncryption.yaml
│ │ │ ├── S3BucketKMSEncryption.yaml
│ │ │ ├── S3BucketLogging.yaml
│ │ │ ├── S3BucketPublicAccessBlock.yaml
│ │ │ ├── S3BucketVersioning.yaml
│ │ │ ├── S3PublicACLRead.yaml
│ │ │ ├── S3RestrictPublicBuckets.yaml
│ │ │ ├── SNSTopicEncryption.yaml
│ │ │ ├── SQSQueueEncryption.yaml
│ │ │ ├── SecretManagerSecretEncrypted.yaml
│ │ │ ├── SecurityGroupRuleDescription.yaml
│ │ │ ├── TransferServerIsPublic.yaml
│ │ │ ├── VPCEndpointAcceptanceConfigured.yaml
│ │ │ ├── WAFEnabled.yaml
│ │ │ ├── WorkspaceRootVolumeEncrypted.yaml
│ │ │ └── WorkspaceUserVolumeEncrypted.yaml
│ │ ├── checks_infra/
│ │ │ ├── __init__.py
│ │ │ └── base_registry.py
│ │ ├── report.py
│ │ └── runner.py
│ ├── circleci_pipelines/
│ │ ├── __init__.py
│ │ ├── base_circleci_pipelines_check.py
│ │ ├── checks/
│ │ │ ├── DetectImagesUsage.py
│ │ │ ├── ReverseShellNetcat.py
│ │ │ ├── ShellInjection.py
│ │ │ ├── SuspectCurlInScript.py
│ │ │ ├── __init__.py
│ │ │ ├── image_version_not_hash.py
│ │ │ ├── latest_image.py
│ │ │ ├── prevent_development_orbs.py
│ │ │ └── prevent_volatile_orbs.py
│ │ ├── common/
│ │ │ ├── __init__.py
│ │ │ └── shell_injection_list.py
│ │ ├── registry.py
│ │ └── runner.py
│ ├── cloudformation/
│ │ ├── __init__.py
│ │ ├── cfn_utils.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── graph_checks/
│ │ │ │ ├── ACMWildcardDomainName.yaml
│ │ │ │ ├── AppSyncProtectedByWAF.yaml
│ │ │ │ ├── CloudfrontOriginNotHTTPSOnly.yaml
│ │ │ │ ├── LambdaOpenCorsPolicy.yaml
│ │ │ │ ├── RDSEncryptionInTransit.yaml
│ │ │ │ ├── SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml
│ │ │ │ └── __init__.py
│ │ │ ├── resource/
│ │ │ │ ├── BaseCloudsplainingIAMCheck.py
│ │ │ │ ├── __init__.py
│ │ │ │ ├── aws/
│ │ │ │ │ ├── ALBDropHttpHeaders.py
│ │ │ │ │ ├── ALBListenerHTTPS.py
│ │ │ │ │ ├── ALBListenerTLS12.py
│ │ │ │ │ ├── APIGatewayAccessLogging.py
│ │ │ │ │ ├── APIGatewayAuthorization.py
│ │ │ │ │ ├── APIGatewayCacheEnable.py
│ │ │ │ │ ├── APIGatewayV2AccessLogging.py
│ │ │ │ │ ├── APIGatewayXray.py
│ │ │ │ │ ├── AbsSecurityGroupUnrestrictedIngress.py
│ │ │ │ │ ├── AmazonMQBrokerPublicAccess.py
│ │ │ │ │ ├── AppSyncFieldLevelLogs.py
│ │ │ │ │ ├── AppSyncLogging.py
│ │ │ │ │ ├── AthenaWorkgroupConfiguration.py
│ │ │ │ │ ├── AuroraEncryption.py
│ │ │ │ │ ├── BackupVaultEncrypted.py
│ │ │ │ │ ├── BedrockAgentEncrypted.py
│ │ │ │ │ ├── CloudFrontTLS12.py
│ │ │ │ │ ├── CloudWatchLogGroupKMSKey.py
│ │ │ │ │ ├── CloudWatchLogGroupRetention.py
│ │ │ │ │ ├── CloudfrontDistributionEncryption.py
│ │ │ │ │ ├── CloudfrontDistributionLogging.py
│ │ │ │ │ ├── CloudtrailEncryption.py
│ │ │ │ │ ├── CloudtrailLogValidation.py
│ │ │ │ │ ├── CloudtrailMultiRegion.py
│ │ │ │ │ ├── CodeBuildProjectEncryption.py
│ │ │ │ │ ├── CognitoUnauthenticatedIdentities.py
│ │ │ │ │ ├── DAXEncryption.py
│ │ │ │ │ ├── DMSReplicationInstancePubliclyAccessible.py
│ │ │ │ │ ├── DeprecatedLambdaRuntime.py
│ │ │ │ │ ├── DocDBAuditLogs.py
│ │ │ │ │ ├── DocDBBackupRetention.py
│ │ │ │ │ ├── DocDBEncryption.py
│ │ │ │ │ ├── DocDBLogging.py
│ │ │ │ │ ├── DocDBTLS.py
│ │ │ │ │ ├── DynamoDBTablesEncrypted.py
│ │ │ │ │ ├── DynamodbGlobalTableRecovery.py
│ │ │ │ │ ├── DynamodbRecovery.py
│ │ │ │ │ ├── EBSDefaultEncryption.py
│ │ │ │ │ ├── EBSEncryption.py
│ │ │ │ │ ├── EC2Credentials.py
│ │ │ │ │ ├── EC2PublicIP.py
│ │ │ │ │ ├── ECRImageScanning.py
│ │ │ │ │ ├── ECRImmutableTags.py
│ │ │ │ │ ├── ECRPolicy.py
│ │ │ │ │ ├── ECRRepositoryEncrypted.py
│ │ │ │ │ ├── ECSClusterContainerInsights.py
│ │ │ │ │ ├── ECSTaskDefinitionEFSVolumeEncryption.py
│ │ │ │ │ ├── EFSEncryptionEnabled.py
│ │ │ │ │ ├── EKSControlPlaneLogging.py
│ │ │ │ │ ├── EKSNodeGroupRemoteAccess.py
│ │ │ │ │ ├── EKSPublicAccess.py
│ │ │ │ │ ├── EKSPublicAccessCIDR.py
│ │ │ │ │ ├── EKSSecretsEncryption.py
│ │ │ │ │ ├── ELBAccessLogs.py
│ │ │ │ │ ├── ELBv2AccessLogs.py
│ │ │ │ │ ├── ElasticacheReplicationGroupEncryptionAtRest.py
│ │ │ │ │ ├── ElasticacheReplicationGroupEncryptionAtTransit.py
│ │ │ │ │ ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py
│ │ │ │ │ ├── ElasticsearchDomainAuditLogging.py
│ │ │ │ │ ├── ElasticsearchDomainEnforceHTTPS.py
│ │ │ │ │ ├── ElasticsearchDomainLogging.py
│ │ │ │ │ ├── ElasticsearchEncryption.py
│ │ │ │ │ ├── ElasticsearchNodeToNodeEncryption.py
│ │ │ │ │ ├── GlobalAcceleratorAcceleratorFlowLogs.py
│ │ │ │ │ ├── GlueDataCatalogEncryption.py
│ │ │ │ │ ├── GlueSecurityConfiguration.py
│ │ │ │ │ ├── GlueSecurityConfigurationEnabled.py
│ │ │ │ │ ├── IAMAdminPolicyDocument.py
│ │ │ │ │ ├── IAMCredentialsExposure.py
│ │ │ │ │ ├── IAMDataExfiltration.py
│ │ │ │ │ ├── IAMPermissionsManagement.py
│ │ │ │ │ ├── IAMPolicyAttachedToGroupOrRoles.py
│ │ │ │ │ ├── IAMPrivilegeEscalation.py
│ │ │ │ │ ├── IAMRoleAllowAssumeFromAccount.py
│ │ │ │ │ ├── IAMRoleAllowsPublicAssume.py
│ │ │ │ │ ├── IAMStarActionPolicyDocument.py
│ │ │ │ │ ├── IAMWriteAccess.py
│ │ │ │ │ ├── IMDSv1Disabled.py
│ │ │ │ │ ├── KMSKeyWildCardPrincipal.py
│ │ │ │ │ ├── KMSRotation.py
│ │ │ │ │ ├── KinesisStreamEncryptionType.py
│ │ │ │ │ ├── LambdaDLQConfigured.py
│ │ │ │ │ ├── LambdaEnvironmentCredentials.py
│ │ │ │ │ ├── LambdaEnvironmentEncryptionSettings.py
│ │ │ │ │ ├── LambdaFunctionLevelConcurrentExecutionLimit.py
│ │ │ │ │ ├── LambdaFunctionURLAuth.py
│ │ │ │ │ ├── LambdaInVPC.py
│ │ │ │ │ ├── LambdaServicePermission.py
│ │ │ │ │ ├── LaunchConfigurationEBSEncryption.py
│ │ │ │ │ ├── MQBrokerAuditLogging.py
│ │ │ │ │ ├── MSKClusterEncryption.py
│ │ │ │ │ ├── MSKClusterLogging.py
│ │ │ │ │ ├── MSKClusterNodesArePrivate.py
│ │ │ │ │ ├── NeptuneClusterBackupRetention.py
│ │ │ │ │ ├── NeptuneClusterInstancePublic.py
│ │ │ │ │ ├── NeptuneClusterLogging.py
│ │ │ │ │ ├── NeptuneClusterStorageEncrypted.py
│ │ │ │ │ ├── ParameterStoreCredentials.py
│ │ │ │ │ ├── PasswordPolicyExpiration.py
│ │ │ │ │ ├── PasswordPolicyLength.py
│ │ │ │ │ ├── PasswordPolicyLowercaseLetter.py
│ │ │ │ │ ├── PasswordPolicyNumber.py
│ │ │ │ │ ├── PasswordPolicyReuse.py
│ │ │ │ │ ├── PasswordPolicySymbol.py
│ │ │ │ │ ├── PasswordPolicyUppercaseLetter.py
│ │ │ │ │ ├── QLDBLedgerDeletionProtection.py
│ │ │ │ │ ├── QLDBLedgerPermissionsMode.py
│ │ │ │ │ ├── RDSClusterIAMAuthentication.py
│ │ │ │ │ ├── RDSEncryption.py
│ │ │ │ │ ├── RDSEnhancedMonitorEnabled.py
│ │ │ │ │ ├── RDSIAMAuthentication.py
│ │ │ │ │ ├── RDSMultiAZEnabled.py
│ │ │ │ │ ├── RDSPubliclyAccessible.py
│ │ │ │ │ ├── RedShiftSSL.py
│ │ │ │ │ ├── RedshiftClusterEncryption.py
│ │ │ │ │ ├── RedshiftClusterLogging.py
│ │ │ │ │ ├── RedshiftClusterPubliclyAccessible.py
│ │ │ │ │ ├── RedshiftInEc2ClassicMode.py
│ │ │ │ │ ├── S3AccessLogs.py
│ │ │ │ │ ├── S3BlockPublicACLs.py
│ │ │ │ │ ├── S3BlockPublicPolicy.py
│ │ │ │ │ ├── S3Encryption.py
│ │ │ │ │ ├── S3IgnorePublicACLs.py
│ │ │ │ │ ├── S3PublicACLRead.py
│ │ │ │ │ ├── S3PublicACLWrite.py
│ │ │ │ │ ├── S3RestrictPublicBuckets.py
│ │ │ │ │ ├── S3Versioning.py
│ │ │ │ │ ├── SNSTopicEncryption.py
│ │ │ │ │ ├── SQSQueueEncryption.py
│ │ │ │ │ ├── SagemakerDataQualityJobDefinitionEncryption.py
│ │ │ │ │ ├── SagemakerDataQualityJobDefinitionTrafficEncryption.py
│ │ │ │ │ ├── SagemakerDataQualityJobDefinitionVolumeEncryption.py
│ │ │ │ │ ├── SagemakerModelWithNetworkIsolation.py
│ │ │ │ │ ├── SagemakerNotebookEncryptedWithCMK.py
│ │ │ │ │ ├── SagemakerNotebookInstanceAllowsIMDSv2.py
│ │ │ │ │ ├── SecretManagerSecretEncrypted.py
│ │ │ │ │ ├── SecurityGroupRuleDescription.py
│ │ │ │ │ ├── SecurityGroupUnrestrictedIngress22.py
│ │ │ │ │ ├── SecurityGroupUnrestrictedIngress3389.py
│ │ │ │ │ ├── SecurityGroupUnrestrictedIngress80.py
│ │ │ │ │ ├── TimestreamDatabaseKMSKey.py
│ │ │ │ │ ├── TransferServerIsPublic.py
│ │ │ │ │ ├── VPCEndpointAcceptanceConfigured.py
│ │ │ │ │ ├── WAFACLCVE202144228.py
│ │ │ │ │ ├── WAFEnabled.py
│ │ │ │ │ ├── WorkspaceRootVolumeEncrypted.py
│ │ │ │ │ ├── WorkspaceUserVolumeEncrypted.py
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── base_registry.py
│ │ │ │ ├── base_resource_check.py
│ │ │ │ ├── base_resource_negative_value_check.py
│ │ │ │ ├── base_resource_value_check.py
│ │ │ │ └── registry.py
│ │ │ └── utils/
│ │ │ ├── __init__.py
│ │ │ └── iam_cloudformation_document_to_policy_converter.py
│ │ ├── context_parser.py
│ │ ├── graph_builder/
│ │ │ ├── __init__.py
│ │ │ ├── graph_components/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── block_types.py
│ │ │ │ ├── blocks.py
│ │ │ │ └── generic_resource_encryption.py
│ │ │ ├── graph_to_definitions.py
│ │ │ ├── local_graph.py
│ │ │ ├── utils.py
│ │ │ └── variable_rendering/
│ │ │ ├── __init__.py
│ │ │ ├── renderer.py
│ │ │ └── vertex_reference.py
│ │ ├── graph_manager.py
│ │ ├── image_referencer/
│ │ │ ├── __init__.py
│ │ │ ├── base_provider.py
│ │ │ ├── manager.py
│ │ │ └── provider/
│ │ │ ├── __init__.py
│ │ │ └── aws.py
│ │ ├── parser/
│ │ │ ├── __init__.py
│ │ │ ├── cfn_keywords.py
│ │ │ └── cfn_yaml.py
│ │ └── runner.py
│ ├── common/
│ │ ├── __init__.py
│ │ ├── bridgecrew/
│ │ │ ├── __init__.py
│ │ │ ├── bc_source.py
│ │ │ ├── check_type.py
│ │ │ ├── code_categories.py
│ │ │ ├── integration_features/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── base_integration_feature.py
│ │ │ │ ├── features/
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── custom_policies_integration.py
│ │ │ │ │ ├── fixes_integration.py
│ │ │ │ │ ├── licensing_integration.py
│ │ │ │ │ ├── policies_3d_integration.py
│ │ │ │ │ ├── policy_metadata_integration.py
│ │ │ │ │ ├── repo_config_integration.py
│ │ │ │ │ ├── suppressions_integration.py
│ │ │ │ │ └── vulnerabilities_integration.py
│ │ │ │ └── integration_feature_registry.py
│ │ │ ├── licensing.py
│ │ │ ├── platform_errors.py
│ │ │ ├── platform_integration.py
│ │ │ ├── platform_key.py
│ │ │ ├── run_metadata/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── abstract_run_metadata_extractor.py
│ │ │ │ ├── ci_variables.py
│ │ │ │ ├── extractors/
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── bitbucket.py
│ │ │ │ │ ├── default_extractor.py
│ │ │ │ │ ├── github_actions.py
│ │ │ │ │ ├── gitlab_ci.py
│ │ │ │ │ └── jenkins.py
│ │ │ │ └── registry.py
│ │ │ ├── severities.py
│ │ │ ├── vulnerability_scanning/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── image_scanner.py
│ │ │ │ ├── integrations/
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── docker_image_scanning.py
│ │ │ │ │ ├── package_scanning.py
│ │ │ │ │ └── twistcli.py
│ │ │ │ └── report.py
│ │ │ └── wrapper.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── base_check.py
│ │ │ ├── base_check_registry.py
│ │ │ ├── enums.py
│ │ │ └── object_registry.py
│ │ ├── checks_infra/
│ │ │ ├── __init__.py
│ │ │ ├── checks_parser.py
│ │ │ ├── registry.py
│ │ │ ├── resources_types.py
│ │ │ └── solvers/
│ │ │ ├── __init__.py
│ │ │ ├── attribute_solvers/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── any_attribute_solver.py
│ │ │ │ ├── base_attribute_solver.py
│ │ │ │ ├── base_number_of_words_attribute_solver.py
│ │ │ │ ├── cidr_range_not_subset_attribute_solver.py
│ │ │ │ ├── cidr_range_subset_attribute_solver.py
│ │ │ │ ├── contains_attribute_solver.py
│ │ │ │ ├── ending_with_attribute_solver.py
│ │ │ │ ├── equals_attribute_solver.py
│ │ │ │ ├── equals_ignore_case_attribute_solver.py
│ │ │ │ ├── exists_attribute_solver.py
│ │ │ │ ├── greater_than_attribute_solver.py
│ │ │ │ ├── greater_than_or_equal_attribute_solver.py
│ │ │ │ ├── intersects_attribute_solver.py
│ │ │ │ ├── is_empty_attribute_solver.py
│ │ │ │ ├── is_false_attribute_solver.py
│ │ │ │ ├── is_not_empty_attribute_solver.py
│ │ │ │ ├── is_true_attribute_solver.py
│ │ │ │ ├── length_equals_attribute_solver.py
│ │ │ │ ├── length_greater_than_attribute_solver.py
│ │ │ │ ├── length_greater_than_or_equal_attribute_solver.py
│ │ │ │ ├── length_less_than_attribute_solver.py
│ │ │ │ ├── length_less_than_or_equal_attribute_solver.py
│ │ │ │ ├── length_not_equals_attribute_solver.py
│ │ │ │ ├── less_than_attribute_solver.py
│ │ │ │ ├── less_than_or_equal_attribute_solver.py
│ │ │ │ ├── not_contains_attribute_solver.py
│ │ │ │ ├── not_ending_with_attribute_solver.py
│ │ │ │ ├── not_equals_attribute_solver.py
│ │ │ │ ├── not_equals_ignore_case_attribute_solver.py
│ │ │ │ ├── not_exists_attribute_solver.py
│ │ │ │ ├── not_intersects_attribute_solver.py
│ │ │ │ ├── not_regex_match_attribute_solver.py
│ │ │ │ ├── not_starting_with_attribute_solver.py
│ │ │ │ ├── not_subset_attribute_solver.py
│ │ │ │ ├── not_within_attribute_solver.py
│ │ │ │ ├── number_of_words_equals_attribute_solver.py
│ │ │ │ ├── number_of_words_greater_than_attribute_solver.py
│ │ │ │ ├── number_of_words_greater_than_or_equal_attribute_solver.py
│ │ │ │ ├── number_of_words_less_than_attribute_solver.py
│ │ │ │ ├── number_of_words_less_than_or_equal_attribute_solver.py
│ │ │ │ ├── number_of_words_not_equals_attribute_solver.py
│ │ │ │ ├── range_includes_attribute_solver.py
│ │ │ │ ├── range_not_includes_attribute_solver.py
│ │ │ │ ├── regex_match_attribute_solver.py
│ │ │ │ ├── starting_with_attribute_solver.py
│ │ │ │ ├── subset_attribute_solver.py
│ │ │ │ └── within_attribute_solver.py
│ │ │ ├── complex_solvers/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── and_solver.py
│ │ │ │ ├── base_complex_solver.py
│ │ │ │ ├── not_solver.py
│ │ │ │ └── or_solver.py
│ │ │ ├── connections_solvers/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── and_connection_solver.py
│ │ │ │ ├── base_connection_solver.py
│ │ │ │ ├── complex_connection_solver.py
│ │ │ │ ├── connection_exists_solver.py
│ │ │ │ ├── connection_not_exists_solver.py
│ │ │ │ ├── connection_one_exists_solver.py
│ │ │ │ └── or_connection_solver.py
│ │ │ ├── filter_solvers/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── base_filter_solver.py
│ │ │ │ └── within_filter_solver.py
│ │ │ └── resource_solvers/
│ │ │ ├── __init__.py
│ │ │ ├── base_resource_solver.py
│ │ │ ├── exists_resource_solver.py
│ │ │ └── not_exists_resource_solver.py
│ │ ├── comment/
│ │ │ ├── __init__.py
│ │ │ └── enum.py
│ │ ├── goget/
│ │ │ ├── __init__.py
│ │ │ ├── base_getter.py
│ │ │ ├── github/
│ │ │ │ ├── __init__.py
│ │ │ │ └── get_git.py
│ │ │ └── registry/
│ │ │ ├── __init__.py
│ │ │ └── get_registry.py
│ │ ├── graph/
│ │ │ ├── __init__.py
│ │ │ ├── checks_infra/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── base_check.py
│ │ │ │ ├── base_parser.py
│ │ │ │ ├── debug.py
│ │ │ │ ├── enums.py
│ │ │ │ ├── registry.py
│ │ │ │ └── solvers/
│ │ │ │ ├── __init__.py
│ │ │ │ └── base_solver.py
│ │ │ ├── db_connectors/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── db_connector.py
│ │ │ │ ├── networkx/
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── networkx_db_connector.py
│ │ │ │ └── rustworkx/
│ │ │ │ ├── __init__.py
│ │ │ │ └── rustworkx_db_connector.py
│ │ │ ├── graph_builder/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── consts.py
│ │ │ │ ├── graph_components/
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── attribute_names.py
│ │ │ │ │ ├── block_types.py
│ │ │ │ │ ├── blocks.py
│ │ │ │ │ ├── edge.py
│ │ │ │ │ └── generic_resource_encryption_base.py
│ │ │ │ ├── graph_resources_encription_manager.py
│ │ │ │ ├── local_graph.py
│ │ │ │ ├── utils.py
│ │ │ │ └── variable_rendering/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── breadcrumb_metadata.py
│ │ │ │ ├── renderer.py
│ │ │ │ └── vertex_reference.py
│ │ │ └── graph_manager.py
│ │ ├── images/
│ │ │ ├── __init__.py
│ │ │ ├── graph/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── image_referencer_manager.py
│ │ │ │ └── image_referencer_provider.py
│ │ │ ├── image_referencer.py
│ │ │ └── workflow/
│ │ │ ├── __init__.py
│ │ │ ├── image_referencer_manager.py
│ │ │ └── image_referencer_provider.py
│ │ ├── logger_streams.py
│ │ ├── models/
│ │ │ ├── __init__.py
│ │ │ ├── consts.py
│ │ │ └── enums.py
│ │ ├── output/
│ │ │ ├── __init__.py
│ │ │ ├── baseline.py
│ │ │ ├── common.py
│ │ │ ├── csv.py
│ │ │ ├── cyclonedx.py
│ │ │ ├── cyclonedx_consts.py
│ │ │ ├── extra_resource.py
│ │ │ ├── github_actions_record.py
│ │ │ ├── gitlab_sast.py
│ │ │ ├── graph_record.py
│ │ │ ├── record.py
│ │ │ ├── report.py
│ │ │ ├── sarif.py
│ │ │ ├── secrets_record.py
│ │ │ └── spdx.py
│ │ ├── packaging/
│ │ │ ├── __init__.py
│ │ │ └── version.py
│ │ ├── parallelizer/
│ │ │ ├── __init__.py
│ │ │ └── parallel_runner.py
│ │ ├── parsers/
│ │ │ ├── __init__.py
│ │ │ ├── json/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── decoder.py
│ │ │ │ └── errors.py
│ │ │ ├── node.py
│ │ │ └── yaml/
│ │ │ ├── __init__.py
│ │ │ ├── loader.py
│ │ │ └── parser.py
│ │ ├── proxy/
│ │ │ ├── __init__.py
│ │ │ └── proxy_client.py
│ │ ├── resource_code_logger_filter.py
│ │ ├── runners/
│ │ │ ├── __init__.py
│ │ │ ├── base_post_runner.py
│ │ │ ├── base_runner.py
│ │ │ ├── graph_builder/
│ │ │ │ ├── __init__.py
│ │ │ │ └── local_graph.py
│ │ │ ├── graph_manager.py
│ │ │ ├── object_runner.py
│ │ │ └── runner_registry.py
│ │ ├── sast/
│ │ │ ├── __init__.py
│ │ │ ├── consts.py
│ │ │ └── report_types.py
│ │ ├── sca/
│ │ │ ├── __init__.py
│ │ │ ├── commons.py
│ │ │ ├── consts.py
│ │ │ ├── output.py
│ │ │ └── reachability/
│ │ │ ├── __init__.py
│ │ │ ├── package_alias_mapping/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── abstract_alias_mapping_strategy.py
│ │ │ │ ├── alias_mapping_creator.py
│ │ │ │ └── nodejs/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── nodejs_alias_mapping_strategy.py
│ │ │ │ └── utils.py
│ │ │ └── sast_contract/
│ │ │ ├── __init__.py
│ │ │ ├── data_fetcher_sast_lib.py
│ │ │ └── models.py
│ │ ├── secrets/
│ │ │ ├── __init__.py
│ │ │ └── consts.py
│ │ ├── typing.py
│ │ ├── util/
│ │ │ ├── __init__.py
│ │ │ ├── banner.py
│ │ │ ├── config_utils.py
│ │ │ ├── consts.py
│ │ │ ├── contextmanagers.py
│ │ │ ├── data_structures_utils.py
│ │ │ ├── decorators.py
│ │ │ ├── deep_merge.py
│ │ │ ├── dockerfile.py
│ │ │ ├── env_vars_config.py
│ │ │ ├── ext_argument_parser.py
│ │ │ ├── file_utils.py
│ │ │ ├── http_utils.py
│ │ │ ├── json_utils.py
│ │ │ ├── oidc_utils.py
│ │ │ ├── parser_utils.py
│ │ │ ├── prompt.py
│ │ │ ├── runner_dependency_handler.py
│ │ │ ├── secrets.py
│ │ │ ├── secrets_omitter.py
│ │ │ ├── stopit/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── signalstop.py
│ │ │ │ ├── threadstop.py
│ │ │ │ └── utils.py
│ │ │ ├── str_utils.py
│ │ │ ├── suppression.py
│ │ │ ├── templates/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── data.jinja2
│ │ │ │ ├── init.jinja2
│ │ │ │ ├── provider.jinja2
│ │ │ │ ├── resource.jinja2
│ │ │ │ ├── unittest-python.jinja2
│ │ │ │ └── unittest-terraform.jinja2
│ │ │ ├── tqdm_utils.py
│ │ │ ├── type_forcers.py
│ │ │ ├── update_checker/
│ │ │ │ ├── __init__.py
│ │ │ │ └── update_checker.py
│ │ │ └── var_utils.py
│ │ ├── variables/
│ │ │ ├── __init__.py
│ │ │ └── context.py
│ │ ├── vcs/
│ │ │ ├── __init__.py
│ │ │ ├── base_vcs_dal.py
│ │ │ └── vcs_schema.py
│ │ └── version_manager.py
│ ├── contributor_metrics.py
│ ├── dockerfile/
│ │ ├── __init__.py
│ │ ├── base_dockerfile_check.py
│ │ ├── base_registry.py
│ │ ├── checks/
│ │ │ ├── AddExists.py
│ │ │ ├── AliasIsUnique.py
│ │ │ ├── ExposePort22.py
│ │ │ ├── HealthcheckExists.py
│ │ │ ├── MaintainerExists.py
│ │ │ ├── ReferenceLatestTag.py
│ │ │ ├── RootUser.py
│ │ │ ├── RunUsingAPT.py
│ │ │ ├── UpdateNotAlone.py
│ │ │ ├── UserExists.py
│ │ │ ├── WorkdirIsAbsolute.py
│ │ │ ├── __init__.py
│ │ │ └── graph_checks/
│ │ │ ├── EnvGitSslNoVerify.yaml
│ │ │ ├── EnvNodeTlsRejectUnauthorized.yaml
│ │ │ ├── EnvNpmConfigStrictSsl.yaml
│ │ │ ├── EnvPipTrustedHost.yaml
│ │ │ ├── EnvPythonHttpsVerify.yaml
│ │ │ ├── RunApkAllowUntrusted.yaml
│ │ │ ├── RunAptGetAllowUnauthenticated.yaml
│ │ │ ├── RunAptGetForceYes.yaml
│ │ │ ├── RunChpasswd.yaml
│ │ │ ├── RunNpmConfigSetStrictSsl.yaml
│ │ │ ├── RunPipTrustedHost.yaml
│ │ │ ├── RunRpmNoSignature.yaml
│ │ │ ├── RunUnsafeCurl.yaml
│ │ │ ├── RunUnsafeWget.yaml
│ │ │ ├── RunUsingSudo.yaml
│ │ │ ├── RunYumConfigManagerSslVerify.yaml
│ │ │ ├── RunYumNoGpgCheck.yaml
│ │ │ └── __init__.py
│ │ ├── graph_builder/
│ │ │ ├── __init__.py
│ │ │ ├── graph_components/
│ │ │ │ ├── __init__.py
│ │ │ │ └── resource_types.py
│ │ │ └── local_graph.py
│ │ ├── graph_manager.py
│ │ ├── image_referencer/
│ │ │ ├── __init__.py
│ │ │ ├── manager.py
│ │ │ └── provider.py
│ │ ├── parser.py
│ │ ├── registry.py
│ │ ├── runner.py
│ │ └── utils.py
│ ├── docs_generator.py
│ ├── example_runner/
│ │ ├── __init__.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── base_example_runner_check.py
│ │ │ ├── base_example_runner_job_check.py
│ │ │ ├── job/
│ │ │ │ ├── ExampleCheckTrueFalse.py
│ │ │ │ └── __init__.py
│ │ │ └── job_registry.py
│ │ ├── common/
│ │ │ └── __init__.py
│ │ └── runner.py
│ ├── github/
│ │ ├── __init__.py
│ │ ├── base_github_branch_security.py
│ │ ├── base_github_configuration_check.py
│ │ ├── base_github_negative_branch_security.py
│ │ ├── base_github_org_check.py
│ │ ├── base_github_org_security.py
│ │ ├── checks/
│ │ │ ├── 2fa.py
│ │ │ ├── __init__.py
│ │ │ ├── disallow_branch_deletions.py
│ │ │ ├── disallow_force_pushes.py
│ │ │ ├── disallow_inactive_branch_60days.py
│ │ │ ├── dismiss_stale_reviews.py
│ │ │ ├── enforce_branch_protection_admins.py
│ │ │ ├── internal_repository_creation_is_limited.py
│ │ │ ├── ipallowlist.py
│ │ │ ├── minimum_admins_in_org.py
│ │ │ ├── private_repository_creation_is_limited.py
│ │ │ ├── public_repository_creation_is_limited.py
│ │ │ ├── repository_collaborators.py
│ │ │ ├── require_2approvals.py
│ │ │ ├── require_code_owner_reviews.py
│ │ │ ├── require_conversation_resolution.py
│ │ │ ├── require_linear_history.py
│ │ │ ├── require_push_restrictions.py
│ │ │ ├── require_signatures.py
│ │ │ ├── require_status_checks_pr.py
│ │ │ ├── require_strict_base_permissions_repository.py
│ │ │ ├── require_updated_branch_pr.py
│ │ │ ├── require_verified_organization.py
│ │ │ ├── restrict_pr_review_dismissal.py
│ │ │ ├── sso.py
│ │ │ ├── webhooks_https_orgs.py
│ │ │ └── webhooks_https_repos.py
│ │ ├── dal.py
│ │ ├── registry.py
│ │ ├── runner.py
│ │ └── schemas/
│ │ ├── __init__.py
│ │ ├── branch.py
│ │ ├── branch_protection.py
│ │ ├── no_branch_protection.py
│ │ ├── org_members.py
│ │ ├── org_security.py
│ │ ├── org_webhooks.py
│ │ ├── organization.py
│ │ ├── repository_collaborators.py
│ │ └── repository_webhooks.py
│ ├── github_actions/
│ │ ├── __init__.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── base_github_action_check.py
│ │ │ ├── graph_checks/
│ │ │ │ ├── ReadOnlyTopLevelPermissions.yaml
│ │ │ │ └── __init__.py
│ │ │ ├── job/
│ │ │ │ ├── AllowUnsecureCommandsOnJob.py
│ │ │ │ ├── CosignArtifacts.py
│ │ │ │ ├── CosignSBOM.py
│ │ │ │ ├── EmptyWorkflowDispatch.py
│ │ │ │ ├── ReverseShellNetcat.py
│ │ │ │ ├── ShellInjection.py
│ │ │ │ ├── SuspectCurlInScript.py
│ │ │ │ └── __init__.py
│ │ │ └── registry.py
│ │ ├── common/
│ │ │ ├── __init__.py
│ │ │ ├── artifact_build.py
│ │ │ ├── build_actions.py
│ │ │ └── shell_injection_list.py
│ │ ├── graph_builder/
│ │ │ ├── __init__.py
│ │ │ ├── graph_components/
│ │ │ │ ├── __init__.py
│ │ │ │ └── resource_types.py
│ │ │ └── local_graph.py
│ │ ├── runner.py
│ │ ├── schemas.py
│ │ └── utils.py
│ ├── gitlab/
│ │ ├── __init__.py
│ │ ├── base_gitlab_configuration_check.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ └── merge_requests_approvals.py
│ │ ├── dal.py
│ │ ├── registry.py
│ │ ├── runner.py
│ │ └── schemas/
│ │ ├── __init__.py
│ │ ├── groups.py
│ │ └── project_approvals.py
│ ├── gitlab_ci/
│ │ ├── __init__.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── base_gitlab_ci_check.py
│ │ │ ├── job/
│ │ │ │ ├── AvoidDoublePipelines.py
│ │ │ │ ├── DetectImagesUsage.py
│ │ │ │ ├── SuspectCurlInScript.py
│ │ │ │ └── __init__.py
│ │ │ └── registry.py
│ │ ├── common/
│ │ │ ├── __init__.py
│ │ │ ├── reserved.py
│ │ │ └── resource_id_utils.py
│ │ └── runner.py
│ ├── helm/
│ │ ├── __init__.py
│ │ ├── base_registry.py
│ │ ├── image_referencer/
│ │ │ ├── __init__.py
│ │ │ ├── base_provider.py
│ │ │ ├── manager.py
│ │ │ └── provider/
│ │ │ ├── __init__.py
│ │ │ └── helm.py
│ │ ├── registry.py
│ │ └── runner.py
│ ├── json_doc/
│ │ ├── __init__.py
│ │ ├── base_json_check.py
│ │ ├── base_registry.py
│ │ ├── enums.py
│ │ ├── registry.py
│ │ └── runner.py
│ ├── kubernetes/
│ │ ├── __init__.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── graph_checks/
│ │ │ │ ├── ImpersonatePermissions.yaml
│ │ │ │ ├── ModifyServicesStatus.yaml
│ │ │ │ ├── NoCreateNodesProxyOrPodsExec.yaml
│ │ │ │ ├── ReadAllSecrets.yaml
│ │ │ │ ├── RequireAllPodsToHaveNetworkPolicy.yaml
│ │ │ │ ├── RoleBindingPE.yaml
│ │ │ │ └── __init__.py
│ │ │ └── resource/
│ │ │ ├── __init__.py
│ │ │ ├── base_container_check.py
│ │ │ ├── base_rbac_check.py
│ │ │ ├── base_registry.py
│ │ │ ├── base_root_container_check.py
│ │ │ ├── base_spec_check.py
│ │ │ ├── base_spec_omitted_or_value_check.py
│ │ │ ├── k8s/
│ │ │ │ ├── AllowPrivilegeEscalation.py
│ │ │ │ ├── AllowPrivilegeEscalationPSP.py
│ │ │ │ ├── AllowedCapabilities.py
│ │ │ │ ├── AllowedCapabilitiesPSP.py
│ │ │ │ ├── AllowedCapabilitiesSysAdmin.py
│ │ │ │ ├── ApiServerAdmissionControlAlwaysAdmit.py
│ │ │ │ ├── ApiServerAdmissionControlEventRateLimit.py
│ │ │ │ ├── ApiServerAlwaysPullImagesPlugin.py
│ │ │ │ ├── ApiServerAnonymousAuth.py
│ │ │ │ ├── ApiServerAuditLog.py
│ │ │ │ ├── ApiServerAuditLogMaxAge.py
│ │ │ │ ├── ApiServerAuditLogMaxBackup.py
│ │ │ │ ├── ApiServerAuditLogMaxSize.py
│ │ │ │ ├── ApiServerAuthorizationModeNode.py
│ │ │ │ ├── ApiServerAuthorizationModeNotAlwaysAllow.py
│ │ │ │ ├── ApiServerAuthorizationModeRBAC.py
│ │ │ │ ├── ApiServerBasicAuthFile.py
│ │ │ │ ├── ApiServerEncryptionProviders.py
│ │ │ │ ├── ApiServerEtcdCaFile.py
│ │ │ │ ├── ApiServerEtcdCertAndKey.py
│ │ │ │ ├── ApiServerInsecureBindAddress.py
│ │ │ │ ├── ApiServerInsecurePort.py
│ │ │ │ ├── ApiServerKubeletClientCertAndKey.py
│ │ │ │ ├── ApiServerKubeletHttps.py
│ │ │ │ ├── ApiServerNamespaceLifecyclePlugin.py
│ │ │ │ ├── ApiServerNodeRestrictionPlugin.py
│ │ │ │ ├── ApiServerPodSecurityPolicyPlugin.py
│ │ │ │ ├── ApiServerProfiling.py
│ │ │ │ ├── ApiServerRequestTimeout.py
│ │ │ │ ├── ApiServerSecurePort.py
│ │ │ │ ├── ApiServerSecurityContextDenyPlugin.py
│ │ │ │ ├── ApiServerServiceAccountKeyFile.py
│ │ │ │ ├── ApiServerServiceAccountLookup.py
│ │ │ │ ├── ApiServerServiceAccountPlugin.py
│ │ │ │ ├── ApiServerStrongCryptographicCiphers.py
│ │ │ │ ├── ApiServerTlsCertAndKey.py
│ │ │ │ ├── ApiServerTokenAuthFile.py
│ │ │ │ ├── ApiServerkubeletCertificateAuthority.py
│ │ │ │ ├── CPULimits.py
│ │ │ │ ├── CPURequests.py
│ │ │ │ ├── ContainerSecurityContext.py
│ │ │ │ ├── ControllerManagerBindAddress.py
│ │ │ │ ├── DangerousGitSync.py
│ │ │ │ ├── DefaultNamespace.py
│ │ │ │ ├── DefaultServiceAccount.py
│ │ │ │ ├── DefaultServiceAccountBinding.py
│ │ │ │ ├── DockerSocketVolume.py
│ │ │ │ ├── DropCapabilities.py
│ │ │ │ ├── DropCapabilitiesPSP.py
│ │ │ │ ├── EtcdAutoTls.py
│ │ │ │ ├── EtcdCertAndKey.py
│ │ │ │ ├── EtcdClientCertAuth.py
│ │ │ │ ├── EtcdPeerFiles.py
│ │ │ │ ├── HostPort.py
│ │ │ │ ├── ImageDigest.py
│ │ │ │ ├── ImagePullPolicyAlways.py
│ │ │ │ ├── ImageTagFixed.py
│ │ │ │ ├── KubeControllerManagerBlockProfiles.py
│ │ │ │ ├── KubeControllerManagerRootCAFile.py
│ │ │ │ ├── KubeControllerManagerServiceAccountCredentials.py
│ │ │ │ ├── KubeControllerManagerServiceAccountPrivateKeyFile.py
│ │ │ │ ├── KubeControllerManagerTerminatedPods.py
│ │ │ │ ├── KubeletAnonymousAuth.py
│ │ │ │ ├── KubeletAuthorizationModeNotAlwaysAllow.py
│ │ │ │ ├── KubeletClientCa.py
│ │ │ │ ├── KubeletCryptographicCiphers.py
│ │ │ │ ├── KubeletHostnameOverride.py
│ │ │ │ ├── KubeletKeyFilesSetAppropriate.py
│ │ │ │ ├── KubeletMakeIptablesUtilChains.py
│ │ │ │ ├── KubeletProtectKernelDefaults.py
│ │ │ │ ├── KubeletReadOnlyPort.py
│ │ │ │ ├── KubeletStreamingConnectionIdleTimeout.py
│ │ │ │ ├── KubernetesDashboard.py
│ │ │ │ ├── KubletEventCapture.py
│ │ │ │ ├── KubletRotateCertificates.py
│ │ │ │ ├── LivenessProbe.py
│ │ │ │ ├── MemoryLimits.py
│ │ │ │ ├── MemoryRequests.py
│ │ │ │ ├── MinimizeCapabilities.py
│ │ │ │ ├── MinimizeCapabilitiesPSP.py
│ │ │ │ ├── NginxIngressCVE202125742Alias.py
│ │ │ │ ├── NginxIngressCVE202125742AllSnippets.py
│ │ │ │ ├── NginxIngressCVE202125742Lua.py
│ │ │ │ ├── PeerClientCertAuthTrue.py
│ │ │ │ ├── PodSecurityContext.py
│ │ │ │ ├── PrivilegedContainers.py
│ │ │ │ ├── PrivilegedContainersPSP.py
│ │ │ │ ├── RbacApproveCertificateSigningRequests.py
│ │ │ │ ├── RbacBindRoleBindings.py
│ │ │ │ ├── RbacControlWebhooks.py
│ │ │ │ ├── RbacEscalateRoles.py
│ │ │ │ ├── ReadOnlyFilesystem.py
│ │ │ │ ├── ReadinessProbe.py
│ │ │ │ ├── RootContainers.py
│ │ │ │ ├── RootContainersHighUID.py
│ │ │ │ ├── RootContainersPSP.py
│ │ │ │ ├── RotateKubeletServerCertificate.py
│ │ │ │ ├── SchedulerBindAddress.py
│ │ │ │ ├── SchedulerProfiling.py
│ │ │ │ ├── Seccomp.py
│ │ │ │ ├── SeccompPSP.py
│ │ │ │ ├── Secrets.py
│ │ │ │ ├── ServiceAccountTokens.py
│ │ │ │ ├── ShareHostIPC.py
│ │ │ │ ├── ShareHostIPCPSP.py
│ │ │ │ ├── ShareHostPID.py
│ │ │ │ ├── ShareHostPIDPSP.py
│ │ │ │ ├── SharedHostNetworkNamespace.py
│ │ │ │ ├── SharedHostNetworkNamespacePSP.py
│ │ │ │ ├── Tiller.py
│ │ │ │ ├── TillerDeploymentListener.py
│ │ │ │ ├── TillerService.py
│ │ │ │ ├── WildcardRoles.py
│ │ │ │ ├── __init__.py
│ │ │ │ └── k8s_check_utils.py
│ │ │ └── registry.py
│ │ ├── graph_builder/
│ │ │ ├── __init__.py
│ │ │ ├── graph_components/
│ │ │ │ ├── ResourceKeywordIdentifier.py
│ │ │ │ ├── __init__.py
│ │ │ │ ├── blocks.py
│ │ │ │ └── edge_builders/
│ │ │ │ ├── K8SEdgeBuilder.py
│ │ │ │ ├── KeywordEdgeBuilder.py
│ │ │ │ ├── LabelSelectorEdgeBuilder.py
│ │ │ │ ├── NetworkPolicyEdgeBuilder.py
│ │ │ │ ├── ServiceAccountEdgeBuilder.py
│ │ │ │ └── __init__.py
│ │ │ └── local_graph.py
│ │ ├── graph_manager.py
│ │ ├── image_referencer/
│ │ │ ├── __init__.py
│ │ │ ├── base_provider.py
│ │ │ ├── manager.py
│ │ │ └── provider/
│ │ │ ├── __init__.py
│ │ │ └── k8s.py
│ │ ├── kubernetes_graph_flags.py
│ │ ├── kubernetes_utils.py
│ │ ├── parser/
│ │ │ ├── __init__.py
│ │ │ ├── k8_json.py
│ │ │ ├── k8_yaml.py
│ │ │ ├── parser.py
│ │ │ └── validatior.py
│ │ ├── runner.py
│ │ └── test/
│ │ └── share-process-namespace.yaml
│ ├── kustomize/
│ │ ├── __init__.py
│ │ ├── image_referencer/
│ │ │ ├── __init__.py
│ │ │ ├── base_provider.py
│ │ │ ├── manager.py
│ │ │ └── provider/
│ │ │ ├── __init__.py
│ │ │ └── kustomize.py
│ │ ├── runner.py
│ │ └── utils.py
│ ├── logging_init.py
│ ├── main.py
│ ├── openapi/
│ │ ├── __init__.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── base_openapi_check.py
│ │ │ ├── base_registry.py
│ │ │ ├── registry.py
│ │ │ └── resource/
│ │ │ ├── __init__.py
│ │ │ ├── generic/
│ │ │ │ ├── ClearTextAPIKey.py
│ │ │ │ ├── GlobalSecurityFieldIsEmpty.py
│ │ │ │ ├── NoMaximumNumberItems.py
│ │ │ │ ├── SecurityOperations.py
│ │ │ │ └── __init__.py
│ │ │ ├── v2/
│ │ │ │ ├── BaseOpenapiCheckV2.py
│ │ │ │ ├── GlobalSchemeDefineHTTP.py
│ │ │ │ ├── GlobalSecurityScopeUndefined.py
│ │ │ │ ├── Oauth2OperationObjectPasswordFlow.py
│ │ │ │ ├── Oauth2SecurityDefinitionImplicitFlow.py
│ │ │ │ ├── Oauth2SecurityDefinitionPasswordFlow.py
│ │ │ │ ├── Oauth2SecurityPasswordFlow.py
│ │ │ │ ├── Oauth2SecurityRequirement.py
│ │ │ │ ├── OperationObjectBasicAuth.py
│ │ │ │ ├── OperationObjectConsumesUndefined.py
│ │ │ │ ├── OperationObjectImplicitFlow.py
│ │ │ │ ├── OperationObjectProducesUndefined.py
│ │ │ │ ├── OperationObjectSecurityScopeUndefined.py
│ │ │ │ ├── PathSchemeDefineHTTP.py
│ │ │ │ ├── SecurityDefinitionBasicAuth.py
│ │ │ │ ├── SecurityDefinitions.py
│ │ │ │ ├── SecurityRequirement.py
│ │ │ │ └── __init__.py
│ │ │ └── v3/
│ │ │ ├── BaseOpenapiCheckV3.py
│ │ │ ├── CleartextOverUnencryptedChannel.py
│ │ │ └── __init__.py
│ │ └── runner.py
│ ├── policies_3d/
│ │ ├── __init__.py
│ │ ├── checks_infra/
│ │ │ ├── __init__.py
│ │ │ ├── base_check.py
│ │ │ └── base_parser.py
│ │ ├── checks_parser.py
│ │ ├── output.py
│ │ ├── record.py
│ │ ├── runner.py
│ │ └── syntax/
│ │ ├── __init__.py
│ │ ├── cves_syntax.py
│ │ ├── iac_syntax.py
│ │ ├── secrets_syntax.py
│ │ └── syntax.py
│ ├── py.typed
│ ├── runner_filter.py
│ ├── sast/
│ │ ├── __init__.py
│ │ ├── checks_infra/
│ │ │ ├── __init__.py
│ │ │ ├── base_check.py
│ │ │ ├── base_registry.py
│ │ │ └── registry.py
│ │ ├── common.py
│ │ ├── engines/
│ │ │ ├── __init__.py
│ │ │ ├── base_engine.py
│ │ │ ├── files_filter_manager.py
│ │ │ └── prisma_engine.py
│ │ ├── prisma_models/
│ │ │ ├── __init__.py
│ │ │ ├── library_input.py
│ │ │ └── policies_list.py
│ │ ├── record.py
│ │ ├── report.py
│ │ └── runner.py
│ ├── sca_image/
│ │ ├── __init__.py
│ │ ├── models.py
│ │ └── runner.py
│ ├── sca_package_2/
│ │ ├── __init__.py
│ │ ├── output.py
│ │ ├── runner.py
│ │ └── scanner.py
│ ├── secrets/
│ │ ├── __init__.py
│ │ ├── context_parser.py
│ │ ├── coordinator.py
│ │ ├── git_history_store.py
│ │ ├── git_types.py
│ │ ├── local_secrets_runner.py
│ │ ├── log_prefix_stripper.py
│ │ ├── parsers/
│ │ │ ├── __init__.py
│ │ │ ├── json/
│ │ │ │ ├── __init__.py
│ │ │ │ └── multiline_parser.py
│ │ │ ├── multiline_parser.py
│ │ │ ├── single_line_parser.py
│ │ │ ├── terraform/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── multiline_parser.py
│ │ │ │ └── single_line_parser.py
│ │ │ └── yaml/
│ │ │ ├── __init__.py
│ │ │ └── multiline_parser.py
│ │ ├── plugins/
│ │ │ ├── __init__.py
│ │ │ ├── custom_regex_detector.py
│ │ │ ├── detector_utils.py
│ │ │ ├── entropy_keyword_combinator.py
│ │ │ └── load_detectors.py
│ │ ├── runner.py
│ │ ├── scan_git_history.py
│ │ └── utils.py
│ ├── serverless/
│ │ ├── __init__.py
│ │ ├── base_registry.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── base_function_check.py
│ │ │ ├── complete/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── base_complete_check.py
│ │ │ │ └── registry.py
│ │ │ ├── custom/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── base_custom_check.py
│ │ │ │ └── registry.py
│ │ │ ├── function/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── aws/
│ │ │ │ │ ├── AWSCredentials.py
│ │ │ │ │ ├── AdminPolicyDocument.py
│ │ │ │ │ ├── StarActionPolicyDocument.py
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── base_function_check.py
│ │ │ │ └── registry.py
│ │ │ ├── layer/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── base_layer_check.py
│ │ │ │ └── registry.py
│ │ │ ├── package/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── base_package_check.py
│ │ │ │ └── registry.py
│ │ │ ├── plugin/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── base_plugin_check.py
│ │ │ │ └── registry.py
│ │ │ ├── provider/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── base_provider_check.py
│ │ │ │ └── registry.py
│ │ │ └── service/
│ │ │ ├── __init__.py
│ │ │ ├── base_service_check.py
│ │ │ └── registry.py
│ │ ├── graph_builder/
│ │ │ ├── __init__.py
│ │ │ ├── definition_context.py
│ │ │ ├── graph_components/
│ │ │ │ ├── __init__.py
│ │ │ │ └── blocks.py
│ │ │ ├── graph_to_definitions.py
│ │ │ └── local_graph.py
│ │ ├── graph_manager.py
│ │ ├── parsers/
│ │ │ ├── __init__.py
│ │ │ ├── context_parser.py
│ │ │ └── parser.py
│ │ ├── registry.py
│ │ ├── runner.py
│ │ └── utils.py
│ ├── terraform/
│ │ ├── __init__.py
│ │ ├── base_runner.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── data/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── aws/
│ │ │ │ │ ├── AdminPolicyDocument.py
│ │ │ │ │ ├── GithubActionsOIDCTrustPolicy.py
│ │ │ │ │ ├── IAMCredentialsExposure.py
│ │ │ │ │ ├── IAMDataExfiltration.py
│ │ │ │ │ ├── IAMManagedAdminPolicy.py
│ │ │ │ │ ├── IAMPermissionsManagement.py
│ │ │ │ │ ├── IAMPrivilegeEscalation.py
│ │ │ │ │ ├── IAMPublicActionsPolicy.py
│ │ │ │ │ ├── IAMWriteAccess.py
│ │ │ │ │ ├── ResourcePolicyDocument.py
│ │ │ │ │ ├── StarActionPolicyDocument.py
│ │ │ │ │ ├── WhoAMI.py
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── base_check.py
│ │ │ │ ├── base_cloudsplaining_data_iam_check.py
│ │ │ │ ├── base_registry.py
│ │ │ │ ├── external/
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── gcp/
│ │ │ │ │ ├── GooglePolicyIsPrivate.py
│ │ │ │ │ └── __init__.py
│ │ │ │ └── registry.py
│ │ │ ├── graph_checks/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── alicloud/
│ │ │ │ │ └── OSSBucketPublic.yaml
│ │ │ │ ├── aws/
│ │ │ │ │ ├── ACMWildcardDomainName.yaml
│ │ │ │ │ ├── ALBProtectedByWAF.yaml
│ │ │ │ │ ├── ALBRedirectsHTTPToHTTPS.yaml
│ │ │ │ │ ├── ALBWebACLConfiguredWIthLog4jVulnerability.yaml
│ │ │ │ │ ├── AMRClustersNotOpenToInternet.yaml
│ │ │ │ │ ├── APIGWLoggingLevelsDefinedProperly.yaml
│ │ │ │ │ ├── APIGatewayEndpointsUsesCertificateForAuthentication.yaml
│ │ │ │ │ ├── APIGatewayRequestParameterValidationEnabled.yaml
│ │ │ │ │ ├── APIGatewayWebACLConfiguredWIthLog4jVulnerability.yaml
│ │ │ │ │ ├── APIProtectedByWAF.yaml
│ │ │ │ │ ├── AWSConfigRecorderEnabled.yaml
│ │ │ │ │ ├── AWSNATGatewaysshouldbeutilized.yaml
│ │ │ │ │ ├── AWSSSMParameterShouldBeEncrypted.yaml
│ │ │ │ │ ├── AWS_private_MWAA_environment.yaml
│ │ │ │ │ ├── AWSdisableS3ACL.yaml
│ │ │ │ │ ├── AppLoadBalancerTLS12.yaml
│ │ │ │ │ ├── AppSyncProtectedByWAF.yaml
│ │ │ │ │ ├── AppsyncWebACLConfiguredWIthLog4jVulnerability.yaml
│ │ │ │ │ ├── AutoScalingEnableOnDynamoDBTables.yaml
│ │ │ │ │ ├── AutoScallingEnabledELB.yaml
│ │ │ │ │ ├── CLoudFrontS3OriginConfigWithOAI.yaml
│ │ │ │ │ ├── CloudFrontHasCustomSSLCertificate.yaml
│ │ │ │ │ ├── CloudFrontHasResponseHeadersPolicy.yaml
│ │ │ │ │ ├── CloudFrontUsesSecureProtocolsForHTTPS.yaml
│ │ │ │ │ ├── CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml
│ │ │ │ │ ├── CloudfrontOriginNotHTTPSOnly.yaml
│ │ │ │ │ ├── CloudtrailHasCloudwatch.yaml
│ │ │ │ │ ├── CodecommitApprovalRulesAttached.yaml
│ │ │ │ │ ├── ConfigRecorderRecordsAllGlobalResources.yaml
│ │ │ │ │ ├── DMSEndpointHaveSSLConfigured.yaml
│ │ │ │ │ ├── EBSAddedBackup.yaml
│ │ │ │ │ ├── EC2InstanceHasIAMRoleAttached.yaml
│ │ │ │ │ ├── EFSAddedBackup.yaml
│ │ │ │ │ ├── EIPAllocatedToVPCAttachedEC2.yaml
│ │ │ │ │ ├── EMRClusterHasSecurityConfiguration.yaml
│ │ │ │ │ ├── ElastiCacheRedisConfiguredAutomaticFailOver.yaml
│ │ │ │ │ ├── ElasticSearchDedicatedMasterEnabled.yaml
│ │ │ │ │ ├── EncryptedEBSVolumeOnlyConnectedToEC2s.yaml
│ │ │ │ │ ├── GuardDutyIsEnabled.yaml
│ │ │ │ │ ├── HTTPNotSendingPasswords.yaml
│ │ │ │ │ ├── IAMGroupHasAtLeastOneUser.yaml
│ │ │ │ │ ├── IAMManagedIAMFullAccessPolicy.yaml
│ │ │ │ │ ├── IAMPolicyNotAllowFullIAMAccess.yaml
│ │ │ │ │ ├── IAMUserHasNoConsoleAccess.yaml
│ │ │ │ │ ├── IAMUsersAreMembersAtLeastOneGroup.yaml
│ │ │ │ │ ├── KmsKeyPolicyIsDefined.yaml
│ │ │ │ │ ├── LBTargetGroup.yaml
│ │ │ │ │ ├── LBWeakCiphers.yaml
│ │ │ │ │ ├── LambdaOpenCorsPolicy.yaml
│ │ │ │ │ ├── NeptuneDeletionProtectionEnabled.yaml
│ │ │ │ │ ├── NetworkFirewallHasLogging.yaml
│ │ │ │ │ ├── OpenSearchDomainHasFineGrainedControl.yaml
│ │ │ │ │ ├── PostgresDBHasQueryLoggingEnabled.yaml
│ │ │ │ │ ├── PostgresRDSHasQueryLoggingEnabled.yaml
│ │ │ │ │ ├── RDSClusterHasBackupPlan.yaml
│ │ │ │ │ ├── RDSEnableCopyTagsToSnapshot.yaml
│ │ │ │ │ ├── RDSEncryptionInTransit.yaml
│ │ │ │ │ ├── Route53ARecordAttachedResource.yaml
│ │ │ │ │ ├── Route53ZoneEnableDNSSECSigning.yaml
│ │ │ │ │ ├── Route53ZoneHasMatchingQueryLog.yaml
│ │ │ │ │ ├── S3BucketEncryption.yaml
│ │ │ │ │ ├── S3BucketEventNotifications.yaml
│ │ │ │ │ ├── S3BucketHasPublicAccessBlock.yaml
│ │ │ │ │ ├── S3BucketLifecycle.yaml
│ │ │ │ │ ├── S3BucketLogging.yaml
│ │ │ │ │ ├── S3BucketReplicationConfiguration.yaml
│ │ │ │ │ ├── S3BucketVersioning.yaml
│ │ │ │ │ ├── S3KMSEncryptedByDefault.yaml
│ │ │ │ │ ├── S3NotAllowAccessToAllAuthenticatedUsers.yaml
│ │ │ │ │ ├── S3PublicACLRead.yaml
│ │ │ │ │ ├── S3PublicACLWrite.yaml
│ │ │ │ │ ├── SGAttachedToResource.yaml
│ │ │ │ │ ├── SQSEncryptionCMK.yaml
│ │ │ │ │ ├── SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml
│ │ │ │ │ ├── SecretsAreRotated.yaml
│ │ │ │ │ ├── SubnetHasACL.yaml
│ │ │ │ │ ├── VPCHasFlowLog.yaml
│ │ │ │ │ ├── VPCHasRestrictedSG.yaml
│ │ │ │ │ ├── VPCPeeringRouteTableOverlyPermissive.yaml
│ │ │ │ │ └── WAF2HasLogs.yaml
│ │ │ │ ├── azure/
│ │ │ │ │ ├── AccessToPostgreSQLFromAzureServicesIsDisabled.yaml
│ │ │ │ │ ├── ApplicationGatewayEnablesWAF.yaml
│ │ │ │ │ ├── AzureACR_HTTPSwebhook.yaml
│ │ │ │ │ ├── AzureAKSclusterAzureCNIEnabled.yaml
│ │ │ │ │ ├── AzureActiveDirectoryAdminIsConfigured.yaml
│ │ │ │ │ ├── AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml
│ │ │ │ │ ├── AzureAutomationAccConfigManagedIdentity.yaml
│ │ │ │ │ ├── AzureAutomationAccNotOverlyPermissiveNetAccess.yaml
│ │ │ │ │ ├── AzureConfigMSSQLwithAD.yaml
│ │ │ │ │ ├── AzureContainerInstanceconfigManagedIdentity.yaml
│ │ │ │ │ ├── AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml
│ │ │ │ │ ├── AzureKeyVaultConfigPrivateEndpoint.yaml
│ │ │ │ │ ├── AzureMLWorkspaceHBIPublicNetwork.yaml
│ │ │ │ │ ├── AzureMLWorkspacePublicNetwork.yaml
│ │ │ │ │ ├── AzureMSSQLServerHasSecurityAlertPolicy.yaml
│ │ │ │ │ ├── AzureMSSQLserverConfigPrivEndpt.yaml
│ │ │ │ │ ├── AzureMariaDBserverConfigPrivEndpt.yaml
│ │ │ │ │ ├── AzureMariaDBserverUsingTLS_1_2.yaml
│ │ │ │ │ ├── AzureMySQLFlexibleServerConfigPrivEndpt.yaml
│ │ │ │ │ ├── AzureMySQLserverConfigPrivEndpt.yaml
│ │ │ │ │ ├── AzureNetworkInterfacePublicIPAddressId.yaml
│ │ │ │ │ ├── AzurePostgreSQLFlexServerNotOverlyPermissive.yaml
│ │ │ │ │ ├── AzurePostgreSQLFlexibleServerConfigPrivEndpt.yaml
│ │ │ │ │ ├── AzurePostgreSQLserverConfigPrivEndpt.yaml
│ │ │ │ │ ├── AzureRecoveryServicesvaultConfigManagedIdentity.yaml
│ │ │ │ │ ├── AzureSQLserverNotOverlyPermissive.yaml
│ │ │ │ │ ├── AzureSpringCloudConfigWithVnet.yaml
│ │ │ │ │ ├── AzureSpringCloudTLSDisabled.yaml
│ │ │ │ │ ├── AzureSqlDbEnableTransparentDataEncryption.yaml
│ │ │ │ │ ├── AzureStorageAccConfigSharedKeyAuth.yaml
│ │ │ │ │ ├── AzureStorageAccConfigWithPrivateEndpoint.yaml
│ │ │ │ │ ├── AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml
│ │ │ │ │ ├── AzureStorageAccConfig_SAS_expirePolicy.yaml
│ │ │ │ │ ├── AzureStorageAccountEnableSoftDelete.yaml
│ │ │ │ │ ├── AzureSubnetConfigWithNSG.yaml
│ │ │ │ │ ├── AzureSynapseWorkspaceVAisEnabled.yaml
│ │ │ │ │ ├── AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml
│ │ │ │ │ ├── AzureUnattachedDisksAreEncrypted.yaml
│ │ │ │ │ ├── AzureVMconfigPublicIP_SerialConsoleAccess.yaml
│ │ │ │ │ ├── CognitiveServicesCustomerManagedKey.yaml
│ │ │ │ │ ├── DataExplorerEncryptionUsesCustomKey.yaml
│ │ │ │ │ ├── DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.yaml
│ │ │ │ │ ├── MSQLenablesCustomerManagedKey.yaml
│ │ │ │ │ ├── PGSQLenablesCustomerManagedKey.yaml
│ │ │ │ │ ├── SQLServerAuditingEnabled.yaml
│ │ │ │ │ ├── SQLServerAuditingRetention90Days.yaml
│ │ │ │ │ ├── StorageContainerActivityLogsNotPublic.yaml
│ │ │ │ │ ├── StorageCriticalDataEncryptedCMK.yaml
│ │ │ │ │ ├── StorageLoggingIsEnabledForBlobService.yaml
│ │ │ │ │ ├── StorageLoggingIsEnabledForTableService.yaml
│ │ │ │ │ ├── SynapseLogMonitoringEnabledForSQLPool.yaml
│ │ │ │ │ ├── SynapseSQLPoolHasSecurityAlertPolicy.yaml
│ │ │ │ │ ├── SynapseSQLPoolHasVulnerabilityAssessment.yaml
│ │ │ │ │ ├── SynapseWorkspaceHasExtendedAuditLogs.yaml
│ │ │ │ │ ├── VAconfiguredToSendReports.yaml
│ │ │ │ │ ├── VAconfiguredToSendReportsToAdmins.yaml
│ │ │ │ │ ├── VAisEnabledInStorageAccount.yaml
│ │ │ │ │ ├── VAsetPeriodicScansOnSQL.yaml
│ │ │ │ │ ├── VMHasBackUpMachine.yaml
│ │ │ │ │ └── VirtualMachinesUtilizingManagedDisks.yaml
│ │ │ │ ├── azuredevops/
│ │ │ │ │ └── ADORepositoryHasMinTwoReviewers.yaml
│ │ │ │ ├── gcp/
│ │ │ │ │ ├── CloudFunctionSecureHTTPTrigger.yaml
│ │ │ │ │ ├── DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml
│ │ │ │ │ ├── GCPAuditLogsConfiguredForAllServicesAndUsers.yaml
│ │ │ │ │ ├── GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml
│ │ │ │ │ ├── GCPComputeGlobalForwardingRuleCheck.yaml
│ │ │ │ │ ├── GCPComputeRegionalForwardingRuleCheck.yaml
│ │ │ │ │ ├── GCPContainerRegistryReposAreNotPubliclyAccessible.yaml
│ │ │ │ │ ├── GCPDialogFlowAgentLoggingEnabled.yaml
│ │ │ │ │ ├── GCPDialogFlowCxAgentLoggingEnabled.yaml
│ │ │ │ │ ├── GCPDialogFlowCxWebhookLoggingEnabled.yaml
│ │ │ │ │ ├── GCPDocumentAIProcessorEncryptedWithCMK.yaml
│ │ │ │ │ ├── GCPDocumentAIWarehouseLocationEncryptedWithCMK.yaml
│ │ │ │ │ ├── GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml
│ │ │ │ │ ├── GCPKMSKeyRingsAreNotPubliclyAccessible.yaml
│ │ │ │ │ ├── GCPLogBucketsConfiguredUsingLock.yaml
│ │ │ │ │ ├── GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml
│ │ │ │ │ ├── GCPNetworkDoesNotUseDefaultFirewall.yaml
│ │ │ │ │ ├── GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml
│ │ │ │ │ ├── GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml
│ │ │ │ │ ├── GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml
│ │ │ │ │ ├── GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml
│ │ │ │ │ ├── GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml
│ │ │ │ │ ├── GCPProjectHasNoLegacyNetworks.yaml
│ │ │ │ │ ├── GCPTpuV2VmPrivateEndpoint.yaml
│ │ │ │ │ ├── GCPVertexAIEndpointEncryptedWithCMK.yaml
│ │ │ │ │ ├── GCPVertexAIFeaturestoreEncryptedWithCMK.yaml
│ │ │ │ │ ├── GCPVertexAIPrivateEndpoint.yaml
│ │ │ │ │ ├── GCPVertexAIPrivateIndexEndpoint.yaml
│ │ │ │ │ ├── GCPVertexAITensorboardEncryptedWithCMK.yaml
│ │ │ │ │ ├── GCPVertexInstanceEncryptedWithCMK.yaml
│ │ │ │ │ ├── GCPVertexRuntimeEncryptedWithCMK.yaml
│ │ │ │ │ ├── GCPVertexRuntimePrivate.yaml
│ │ │ │ │ ├── GCPVertexWorkbenchInstanceEncryptedWithCMK.yaml
│ │ │ │ │ ├── GCPVertexWorkbenchInstanceNoPublicIp.yaml
│ │ │ │ │ ├── GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml
│ │ │ │ │ ├── GCRContainerVulnerabilityScanningEnabled.yaml
│ │ │ │ │ ├── GKEClustersAreNotUsingDefaultServiceAccount.yaml
│ │ │ │ │ └── ServiceAccountHasGCPmanagedKey.yaml
│ │ │ │ ├── github/
│ │ │ │ │ └── RepositoryHasBranchProtection.yaml
│ │ │ │ ├── ibm/
│ │ │ │ │ ├── IBM_EnableMFAatAccountLevel.yaml
│ │ │ │ │ ├── IBM_K8sClustersAccessibleViaPrivateEndPt.yaml
│ │ │ │ │ ├── IBM_LoadBalancerforVPCisPrivate.yaml
│ │ │ │ │ ├── IBM_RestrictAPIkeyCreationInAccountSettings.yaml
│ │ │ │ │ ├── IBM_RestrictServiceIDCreationInAccountSettings.yaml
│ │ │ │ │ └── IBM_VPCclassicAccessIsDisabled.yaml
│ │ │ │ ├── ncp/
│ │ │ │ │ ├── AccessControlGroupRuleDefine.yaml
│ │ │ │ │ ├── AutoScalingEnabledLB.yaml
│ │ │ │ │ └── RouteTablePublicSubnetConnection.yaml
│ │ │ │ └── oci/
│ │ │ │ ├── AdministratorUserNotAssociatedWithAPIKey.yaml
│ │ │ │ ├── OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml
│ │ │ │ ├── OCI_K8EngineClusterPodSecPolicyEnforced.yaml
│ │ │ │ ├── OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml
│ │ │ │ ├── OCI_NFSaccessRestrictedToRootUsers.yaml
│ │ │ │ └── OCI_NSGNotAllowRDP.yaml
│ │ │ ├── module/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── base_module_check.py
│ │ │ │ ├── base_registry.py
│ │ │ │ ├── generic/
│ │ │ │ │ ├── RevisionHash.py
│ │ │ │ │ ├── RevisionVersionTag.py
│ │ │ │ │ └── __init__.py
│ │ │ │ └── registry.py
│ │ │ ├── provider/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── aws/
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── credentials.py
│ │ │ │ ├── base_check.py
│ │ │ │ ├── base_registry.py
│ │ │ │ ├── bridgecrew/
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── credentials.py
│ │ │ │ ├── linode/
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── credentials.py
│ │ │ │ ├── ncp/
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── credentials.py
│ │ │ │ ├── oci/
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── credentials.py
│ │ │ │ ├── openstack/
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── credentials.py
│ │ │ │ ├── panos/
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── credentials.py
│ │ │ │ └── registry.py
│ │ │ ├── resource/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── alicloud/
│ │ │ │ │ ├── ALBACLIsUnrestricted.py
│ │ │ │ │ ├── APIGatewayProtocolHTTPS.py
│ │ │ │ │ ├── AbsRDSParameter.py
│ │ │ │ │ ├── AbsSecurityGroupUnrestrictedIngress.py
│ │ │ │ │ ├── ActionTrailLogAllEvents.py
│ │ │ │ │ ├── ActionTrailLogAllRegions.py
│ │ │ │ │ ├── DiskEncryptedWithCMK.py
│ │ │ │ │ ├── DiskIsEncrypted.py
│ │ │ │ │ ├── K8sEnableNetworkPolicies.py
│ │ │ │ │ ├── K8sNodePoolAutoRepair.py
│ │ │ │ │ ├── KMSKeyIsEnabled.py
│ │ │ │ │ ├── KMSKeyRotationIsEnabled.py
│ │ │ │ │ ├── LaunchTemplateDisksAreEncrypted.py
│ │ │ │ │ ├── LogAuditRDSEnabled.py
│ │ │ │ │ ├── MongoDBInsideVPC.py
│ │ │ │ │ ├── MongoDBInstanceSSL.py
│ │ │ │ │ ├── MongoDBIsPublic.py
│ │ │ │ │ ├── MongoDBTransparentDataEncryptionEnabled.py
│ │ │ │ │ ├── OSSBucketAccessLogs.py
│ │ │ │ │ ├── OSSBucketEncryptedWithCMK.py
│ │ │ │ │ ├── OSSBucketTransferAcceleration.py
│ │ │ │ │ ├── OSSBucketVersioning.py
│ │ │ │ │ ├── RAMPasswordPolicyExpiration.py
│ │ │ │ │ ├── RAMPasswordPolicyLength.py
│ │ │ │ │ ├── RAMPasswordPolicyLowercaseLetter.py
│ │ │ │ │ ├── RAMPasswordPolicyMaxLogin.py
│ │ │ │ │ ├── RAMPasswordPolicyNumber.py
│ │ │ │ │ ├── RAMPasswordPolicyReuse.py
│ │ │ │ │ ├── RAMPasswordPolicySymbol.py
│ │ │ │ │ ├── RAMPasswordPolicyUppcaseLetter.py
│ │ │ │ │ ├── RAMSecurityEnforceMFA.py
│ │ │ │ │ ├── RDSInstanceAutoUpgrade.py
│ │ │ │ │ ├── RDSInstanceLogConnections.py
│ │ │ │ │ ├── RDSInstanceLogDisconnections.py
│ │ │ │ │ ├── RDSInstanceLogsEnabled.py
│ │ │ │ │ ├── RDSInstanceSSL.py
│ │ │ │ │ ├── RDSIsPublic.py
│ │ │ │ │ ├── RDSRetention.py
│ │ │ │ │ ├── RDSTransparentDataEncryptionEnabled.py
│ │ │ │ │ ├── SecurityGroupUnrestrictedIngress22.py
│ │ │ │ │ ├── SecurityGroupUnrestrictedIngress3389.py
│ │ │ │ │ ├── TLSPoliciesAreSecure.py
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── aws/
│ │ │ │ │ ├── ACMCertCreateBeforeDestroy.py
│ │ │ │ │ ├── ACMCertSetLoggingPreference.py
│ │ │ │ │ ├── ALBDesyncMode.py
│ │ │ │ │ ├── ALBDropHttpHeaders.py
│ │ │ │ │ ├── ALBListenerHTTPS.py
│ │ │ │ │ ├── AMICopyIsEncrypted.py
│ │ │ │ │ ├── AMICopyUsesCMK.py
│ │ │ │ │ ├── AMIEncryption.py
│ │ │ │ │ ├── AMILaunchIsShared.py
│ │ │ │ │ ├── APIGatewayAccessLogging.py
│ │ │ │ │ ├── APIGatewayAuthorization.py
│ │ │ │ │ ├── APIGatewayCacheEnable.py
│ │ │ │ │ ├── APIGatewayCreateBeforeDestroy.py
│ │ │ │ │ ├── APIGatewayDeploymentCreateBeforeDestroy.py
│ │ │ │ │ ├── APIGatewayDomainNameTLS.py
│ │ │ │ │ ├── APIGatewayMethodSettingsCacheEnabled.py
│ │ │ │ │ ├── APIGatewayMethodSettingsCacheEncrypted.py
│ │ │ │ │ ├── APIGatewayMethodSettingsDataTrace.py
│ │ │ │ │ ├── APIGatewayMethodWOAuth.py
│ │ │ │ │ ├── APIGatewayV2RouteDefinesAuthorizationType.py
│ │ │ │ │ ├── APIGatewayXray.py
│ │ │ │ │ ├── AWSCodeGuruHasCMK.py
│ │ │ │ │ ├── AbsNACLUnrestrictedIngress.py
│ │ │ │ │ ├── AbsSecurityGroupUnrestrictedEgress.py
│ │ │ │ │ ├── AbsSecurityGroupUnrestrictedIngress.py
│ │ │ │ │ ├── AppFlowConnectorProfileUsesCMK.py
│ │ │ │ │ ├── AppFlowUsesCMK.py
│ │ │ │ │ ├── AppSyncFieldLevelLogs.py
│ │ │ │ │ ├── AppSyncLogging.py
│ │ │ │ │ ├── AppsyncAPICacheEncryptionAtRest.py
│ │ │ │ │ ├── AppsyncAPICacheEncryptionInTransit.py
│ │ │ │ │ ├── AthenaDatabaseEncryption.py
│ │ │ │ │ ├── AthenaWorkgroupConfiguration.py
│ │ │ │ │ ├── AthenaWorkgroupEncryption.py
│ │ │ │ │ ├── AuroraEncryption.py
│ │ │ │ │ ├── AutoScalingGroupWithPublicAccess.py
│ │ │ │ │ ├── AutoScalingLaunchTemplate.py
│ │ │ │ │ ├── AutoScalingTagging.py
│ │ │ │ │ ├── BackupVaultEncrypted.py
│ │ │ │ │ ├── BatchJobIsNotPrivileged.py
│ │ │ │ │ ├── BedrockAgentEncrypted.py
│ │ │ │ │ ├── BedrockGuardrails.py
│ │ │ │ │ ├── CloudFrontGeoRestrictionDisabled.py
│ │ │ │ │ ├── CloudFrontResponseHeaderStrictTransportSecurity.py
│ │ │ │ │ ├── CloudWatchAlarmsEnabled.py
│ │ │ │ │ ├── CloudWatchLogGroupKMSKey.py
│ │ │ │ │ ├── CloudWatchLogGroupRetention.py
│ │ │ │ │ ├── CloudWatchLogGroupRetentionYear.py
│ │ │ │ │ ├── CloudformationStackNotificationArns.py
│ │ │ │ │ ├── CloudfrontDistributionDefaultRoot.py
│ │ │ │ │ ├── CloudfrontDistributionEnabled.py
│ │ │ │ │ ├── CloudfrontDistributionEncryption.py
│ │ │ │ │ ├── CloudfrontDistributionLogging.py
│ │ │ │ │ ├── CloudfrontDistributionOriginFailover.py
│ │ │ │ │ ├── CloudfrontTLS12.py
│ │ │ │ │ ├── CloudsearchDomainEnforceHttps.py
│ │ │ │ │ ├── CloudsearchDomainTLS.py
│ │ │ │ │ ├── CloudtrailDefinesSNSTopic.py
│ │ │ │ │ ├── CloudtrailEnableLogging.py
│ │ │ │ │ ├── CloudtrailEncryptionWithCMK.py
│ │ │ │ │ ├── CloudtrailEventDataStoreUsesCMK.py
│ │ │ │ │ ├── CloudtrailLogValidation.py
│ │ │ │ │ ├── CloudtrailMultiRegion.py
│ │ │ │ │ ├── CodeArtifactDomainEncryptedWithCMK.py
│ │ │ │ │ ├── CodeBuildPrivilegedMode.py
│ │ │ │ │ ├── CodeBuildProjectEncryption.py
│ │ │ │ │ ├── CodePipelineArtifactsEncrypted.py
│ │ │ │ │ ├── CodebuildHasLogs.py
│ │ │ │ │ ├── CodebuildS3LogsEncrypted.py
│ │ │ │ │ ├── CodebuildUsesCMK.py
│ │ │ │ │ ├── CodecommitApprovalsRulesRequireMin2.py
│ │ │ │ │ ├── CognitoUnauthenticatedIdentities.py
│ │ │ │ │ ├── ComprehendEntityRecognizerModelUsesCMK.py
│ │ │ │ │ ├── ComprehendEntityRecognizerVolumeUsesCMK.py
│ │ │ │ │ ├── ConfigConfgurationAggregatorAllRegions.py
│ │ │ │ │ ├── ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py
│ │ │ │ │ ├── ConnectInstanceS3StorageConfigUsesCMK.py
│ │ │ │ │ ├── DAXEncryption.py
│ │ │ │ │ ├── DAXEndpointTLS.py
│ │ │ │ │ ├── DBInstanceBackupRetentionPeriod.py
│ │ │ │ │ ├── DBInstanceLogging.py
│ │ │ │ │ ├── DBInstanceMinorUpgrade.py
│ │ │ │ │ ├── DBSnapshotCopyUsesCMK.py
│ │ │ │ │ ├── DBSnapshotsArePrivate.py
│ │ │ │ │ ├── DLMEventsCrossRegionEncryption.py
│ │ │ │ │ ├── DLMEventsCrossRegionEncryptionWithCMK.py
│ │ │ │ │ ├── DLMScheduleCrossRegionEncryption.py
│ │ │ │ │ ├── DLMScheduleCrossRegionEncryptionWithCMK.py
│ │ │ │ │ ├── DMSEndpointUsesCMK.py
│ │ │ │ │ ├── DMSReplicationInstanceEncryptedWithCMK.py
│ │ │ │ │ ├── DMSReplicationInstanceMinorUpgrade.py
│ │ │ │ │ ├── DMSReplicationInstancePubliclyAccessible.py
│ │ │ │ │ ├── DMSS3UsesCMK.py
│ │ │ │ │ ├── DatasyncLocationExposesSecrets.py
│ │ │ │ │ ├── DeprecatedLambdaRuntime.py
│ │ │ │ │ ├── DocDBAuditLogs.py
│ │ │ │ │ ├── DocDBBackupRetention.py
│ │ │ │ │ ├── DocDBEncryptedWithCMK.py
│ │ │ │ │ ├── DocDBEncryption.py
│ │ │ │ │ ├── DocDBGlobalClusterEncryption.py
│ │ │ │ │ ├── DocDBLogging.py
│ │ │ │ │ ├── DocDBTLS.py
│ │ │ │ │ ├── DynamoDBGlobalTableRecovery.py
│ │ │ │ │ ├── DynamoDBTableReplicaKMSUsesCMK.py
│ │ │ │ │ ├── DynamoDBTablesEncrypted.py
│ │ │ │ │ ├── DynamodbRecovery.py
│ │ │ │ │ ├── EBSDefaultEncryption.py
│ │ │ │ │ ├── EBSEncryption.py
│ │ │ │ │ ├── EBSSnapshotCopyEncryptedWithCMK.py
│ │ │ │ │ ├── EBSVolumeEncryptedWithCMK.py
│ │ │ │ │ ├── EC2Credentials.py
│ │ │ │ │ ├── EC2DetailedMonitoringEnabled.py
│ │ │ │ │ ├── EC2EBSOptimized.py
│ │ │ │ │ ├── EC2PublicIP.py
│ │ │ │ │ ├── ECRImageScanning.py
│ │ │ │ │ ├── ECRImmutableTags.py
│ │ │ │ │ ├── ECRPolicy.py
│ │ │ │ │ ├── ECRRepositoryEncrypted.py
│ │ │ │ │ ├── ECSClusterContainerInsights.py
│ │ │ │ │ ├── ECSClusterLoggingEnabled.py
│ │ │ │ │ ├── ECSClusterLoggingEncryptedWithCMK.py
│ │ │ │ │ ├── ECSContainerHostProcess.py
│ │ │ │ │ ├── ECSContainerPrivilege.py
│ │ │ │ │ ├── ECSContainerReadOnlyRoot.py
│ │ │ │ │ ├── ECSServiceFargateLatest.py
│ │ │ │ │ ├── ECSServicePublicIP.py
│ │ │ │ │ ├── ECSTaskDefinitionEFSVolumeEncryption.py
│ │ │ │ │ ├── ECSTaskDefinitionRoleCheck.py
│ │ │ │ │ ├── EFSAccessPointRoot.py
│ │ │ │ │ ├── EFSAccessUserIdentity.py
│ │ │ │ │ ├── EFSEncryptionEnabled.py
│ │ │ │ │ ├── EFSFileSystemEncryptedWithCMK.py
│ │ │ │ │ ├── EKSControlPlaneLogging.py
│ │ │ │ │ ├── EKSNodeGroupRemoteAccess.py
│ │ │ │ │ ├── EKSPlatformVersion.py
│ │ │ │ │ ├── EKSPublicAccess.py
│ │ │ │ │ ├── EKSPublicAccessCIDR.py
│ │ │ │ │ ├── EKSSecretsEncryption.py
│ │ │ │ │ ├── ELBAccessLogs.py
│ │ │ │ │ ├── ELBCrossZoneEnable.py
│ │ │ │ │ ├── ELBPolicyUsesSecureProtocols.py
│ │ │ │ │ ├── ELBUsesSSL.py
│ │ │ │ │ ├── ELBv2AccessLogs.py
│ │ │ │ │ ├── ELBwListenerNotTLSSSL.py
│ │ │ │ │ ├── EMRClusterConfEncryptsEBS.py
│ │ │ │ │ ├── EMRClusterConfEncryptsInTransit.py
│ │ │ │ │ ├── EMRClusterConfEncryptsLocalDisk.py
│ │ │ │ │ ├── EMRClusterIsEncryptedKMS.py
│ │ │ │ │ ├── EMRClusterKerberosAttributes.py
│ │ │ │ │ ├── EMRPubliclyAccessible.py
│ │ │ │ │ ├── Ec2TransitGatewayAutoAccept.py
│ │ │ │ │ ├── ElastiCacheHasCustomSubnet.py
│ │ │ │ │ ├── ElasticBeanstalkUseEnhancedHealthChecks.py
│ │ │ │ │ ├── ElasticBeanstalkUseManagedUpdates.py
│ │ │ │ │ ├── ElasticCacheAutomaticBackup.py
│ │ │ │ │ ├── ElasticCacheAutomaticMinorUpgrades.py
│ │ │ │ │ ├── ElasticacheHasSecurityGroup.py
│ │ │ │ │ ├── ElasticacheReplicationGroupEncryptedWithCMK.py
│ │ │ │ │ ├── ElasticacheReplicationGroupEncryptionAtRest.py
│ │ │ │ │ ├── ElasticacheReplicationGroupEncryptionAtTransit.py
│ │ │ │ │ ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py
│ │ │ │ │ ├── ElasticsearchDefaultSG.py
│ │ │ │ │ ├── ElasticsearchDomainAuditLogging.py
│ │ │ │ │ ├── ElasticsearchDomainEnforceHTTPS.py
│ │ │ │ │ ├── ElasticsearchDomainHA.py
│ │ │ │ │ ├── ElasticsearchDomainLogging.py
│ │ │ │ │ ├── ElasticsearchEncryption.py
│ │ │ │ │ ├── ElasticsearchEncryptionWithCMK.py
│ │ │ │ │ ├── ElasticsearchInVPC.py
│ │ │ │ │ ├── ElasticsearchNodeToNodeEncryption.py
│ │ │ │ │ ├── ElasticsearchTLSPolicy.py
│ │ │ │ │ ├── FSXOntapFSEncryptedWithCMK.py
│ │ │ │ │ ├── FSXOpenZFSFileSystemEncryptedWithCMK.py
│ │ │ │ │ ├── FSXWindowsFSEncryptedWithCMK.py
│ │ │ │ │ ├── GlacierVaultAnyPrincipal.py
│ │ │ │ │ ├── GlobalAcceleratorAcceleratorFlowLogs.py
│ │ │ │ │ ├── GlueDataCatalogEncryption.py
│ │ │ │ │ ├── GlueSecurityConfiguration.py
│ │ │ │ │ ├── GlueSecurityConfigurationEnabled.py
│ │ │ │ │ ├── GuarddutyDetectorEnabled.py
│ │ │ │ │ ├── IAMAdminPolicyDocument.py
│ │ │ │ │ ├── IAMCredentialsExposure.py
│ │ │ │ │ ├── IAMDataExfiltration.py
│ │ │ │ │ ├── IAMManagedAdminPolicy.py
│ │ │ │ │ ├── IAMPermissionsManagement.py
│ │ │ │ │ ├── IAMPolicyAttachedToGroupOrRoles.py
│ │ │ │ │ ├── IAMPrivilegeEscalation.py
│ │ │ │ │ ├── IAMRoleAllowAssumeFromAccount.py
│ │ │ │ │ ├── IAMRoleAllowsPublicAssume.py
│ │ │ │ │ ├── IAMStarActionPolicyDocument.py
│ │ │ │ │ ├── IAMStarResourcePolicyDocument.py
│ │ │ │ │ ├── IAMUserNotUsedForAccess.py
│ │ │ │ │ ├── IAMUserRootAccessKeys.py
│ │ │ │ │ ├── IAMWriteAccess.py
│ │ │ │ │ ├── IMDSv1Disabled.py
│ │ │ │ │ ├── ImagebuilderComponentEncryptedWithCMK.py
│ │ │ │ │ ├── ImagebuilderDistributionConfigurationEncryptedWithCMK.py
│ │ │ │ │ ├── ImagebuilderImageRecipeEBSEncrypted.py
│ │ │ │ │ ├── KMSKeyIsEnabled.py
│ │ │ │ │ ├── KMSKeyWildcardPrincipal.py
│ │ │ │ │ ├── KMSRotation.py
│ │ │ │ │ ├── KendraIndexSSEUsesCMK.py
│ │ │ │ │ ├── KeyspacesTableUsesCMK.py
│ │ │ │ │ ├── KinesisFirehoseDeliveryStreamSSE.py
│ │ │ │ │ ├── KinesisFirehoseDeliveryStreamUsesCMK.py
│ │ │ │ │ ├── KinesisStreamEncryptedWithCMK.py
│ │ │ │ │ ├── KinesisStreamEncryptionType.py
│ │ │ │ │ ├── KinesisVideoEncryptedWithCMK.py
│ │ │ │ │ ├── LBCrossZone.py
│ │ │ │ │ ├── LBDeletionProtection.py
│ │ │ │ │ ├── LBTargetGroupsDefinesHealthcheck.py
│ │ │ │ │ ├── LambdaCodeSigningConfigured.py
│ │ │ │ │ ├── LambdaDLQConfigured.py
│ │ │ │ │ ├── LambdaEnvironmentCredentials.py
│ │ │ │ │ ├── LambdaEnvironmentEncryptionSettings.py
│ │ │ │ │ ├── LambdaFunctionIsNotPublic.py
│ │ │ │ │ ├── LambdaFunctionLevelConcurrentExecutionLimit.py
│ │ │ │ │ ├── LambdaFunctionURLAuth.py
│ │ │ │ │ ├── LambdaInVPC.py
│ │ │ │ │ ├── LambdaServicePermission.py
│ │ │ │ │ ├── LambdaXrayEnabled.py
│ │ │ │ │ ├── LaunchConfigurationEBSEncryption.py
│ │ │ │ │ ├── LaunchTemplateMetadataHop.py
│ │ │ │ │ ├── LustreFSEncryptedWithCMK.py
│ │ │ │ │ ├── MQBrokerAuditLogging.py
│ │ │ │ │ ├── MQBrokerEncryptedWithCMK.py
│ │ │ │ │ ├── MQBrokerLogging.py
│ │ │ │ │ ├── MQBrokerMinorAutoUpgrade.py
│ │ │ │ │ ├── MQBrokerNotPubliclyExposed.py
│ │ │ │ │ ├── MQBrokerVersion.py
│ │ │ │ │ ├── MSKClusterEncryption.py
│ │ │ │ │ ├── MSKClusterLogging.py
│ │ │ │ │ ├── MSKClusterNodesArePrivate.py
│ │ │ │ │ ├── MWAASchedulerLogsEnabled.py
│ │ │ │ │ ├── MWAAWebserverLogsEnabled.py
│ │ │ │ │ ├── MWAAWorkerLogsEnabled.py
│ │ │ │ │ ├── MemoryDBClusterIntransitEncryption.py
│ │ │ │ │ ├── MemoryDBEncryptionWithCMK.py
│ │ │ │ │ ├── MemoryDBSnapshotEncryptionWithCMK.py
│ │ │ │ │ ├── NeptuneClusterBackupRetention.py
│ │ │ │ │ ├── NeptuneClusterEncryptedWithCMK.py
│ │ │ │ │ ├── NeptuneClusterInstancePublic.py
│ │ │ │ │ ├── NeptuneClusterLogging.py
│ │ │ │ │ ├── NeptuneClusterSnapshotEncrypted.py
│ │ │ │ │ ├── NeptuneClusterSnapshotEncryptedWithCMK.py
│ │ │ │ │ ├── NeptuneClusterStorageEncrypted.py
│ │ │ │ │ ├── NeptuneDBClustersCopyTagsToSnapshots.py
│ │ │ │ │ ├── NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py
│ │ │ │ │ ├── NetworkACLUnrestricted.py
│ │ │ │ │ ├── NetworkACLUnrestrictedIngress20.py
│ │ │ │ │ ├── NetworkACLUnrestrictedIngress21.py
│ │ │ │ │ ├── NetworkACLUnrestrictedIngress22.py
│ │ │ │ │ ├── NetworkACLUnrestrictedIngress3389.py
│ │ │ │ │ ├── NetworkFirewallDeletionProtection.py
│ │ │ │ │ ├── NetworkFirewallPolicyDefinesCMK.py
│ │ │ │ │ ├── NetworkFirewallUsesCMK.py
│ │ │ │ │ ├── PasswordPolicyExpiration.py
│ │ │ │ │ ├── PasswordPolicyLength.py
│ │ │ │ │ ├── PasswordPolicyLowercaseLetter.py
│ │ │ │ │ ├── PasswordPolicyNumber.py
│ │ │ │ │ ├── PasswordPolicyReuse.py
│ │ │ │ │ ├── PasswordPolicySymbol.py
│ │ │ │ │ ├── PasswordPolicyUppercaseLetter.py
│ │ │ │ │ ├── QLDBLedgerDeletionProtection.py
│ │ │ │ │ ├── QLDBLedgerPermissionsMode.py
│ │ │ │ │ ├── RDSCACertIsRecent.py
│ │ │ │ │ ├── RDSClusterActivityStreamEncryptedWithCMK.py
│ │ │ │ │ ├── RDSClusterAuditLogging.py
│ │ │ │ │ ├── RDSClusterAuroraBacktrack.py
│ │ │ │ │ ├── RDSClusterCopyTags.py
│ │ │ │ │ ├── RDSClusterEncrypted.py
│ │ │ │ │ ├── RDSClusterEncryptedWithCMK.py
│ │ │ │ │ ├── RDSClusterIAMAuthentication.py
│ │ │ │ │ ├── RDSClusterLogging.py
│ │ │ │ │ ├── RDSClusterSnapshotEncrypted.py
│ │ │ │ │ ├── RDSDeletionProtection.py
│ │ │ │ │ ├── RDSEncryption.py
│ │ │ │ │ ├── RDSEnhancedMonitorEnabled.py
│ │ │ │ │ ├── RDSHasSecurityGroup.py
│ │ │ │ │ ├── RDSIAMAuthentication.py
│ │ │ │ │ ├── RDSInstanceAutoBackupEncryptionWithCMK.py
│ │ │ │ │ ├── RDSInstanceDeletionProtection.py
│ │ │ │ │ ├── RDSInstancePerfInsightsEncryptionWithCMK.py
│ │ │ │ │ ├── RDSInstancePerformanceInsights.py
│ │ │ │ │ ├── RDSMultiAZEnabled.py
│ │ │ │ │ ├── RDSPostgreSQLLogFDWExtension.py
│ │ │ │ │ ├── RDSPubliclyAccessible.py
│ │ │ │ │ ├── RedShiftSSL.py
│ │ │ │ │ ├── RedshiftClusterAllowVersionUpgrade.py
│ │ │ │ │ ├── RedshiftClusterAutoSnap.py
│ │ │ │ │ ├── RedshiftClusterDatabaseName.py
│ │ │ │ │ ├── RedshiftClusterEncryption.py
│ │ │ │ │ ├── RedshiftClusterKMSKey.py
│ │ │ │ │ ├── RedshiftClusterLogging.py
│ │ │ │ │ ├── RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py
│ │ │ │ │ ├── RedshiftClusterUseEnhancedVPCRouting.py
│ │ │ │ │ ├── RedshiftClusterWithCommonUsernameAndPublicAccess.py
│ │ │ │ │ ├── RedshiftInEc2ClassicMode.py
│ │ │ │ │ ├── RedshiftServerlessNamespaceKMSKey.py
│ │ │ │ │ ├── RedshitClusterPubliclyAvailable.py
│ │ │ │ │ ├── Route53TransferLock.py
│ │ │ │ │ ├── S3AbortIncompleteUploads.py
│ │ │ │ │ ├── S3AccessPointPubliclyAccessible.py
│ │ │ │ │ ├── S3AllowsAnyPrincipal.py
│ │ │ │ │ ├── S3BlockPublicACLs.py
│ │ │ │ │ ├── S3BlockPublicPolicy.py
│ │ │ │ │ ├── S3BucketObjectEncryptedWithCMK.py
│ │ │ │ │ ├── S3BucketObjectLock.py
│ │ │ │ │ ├── S3GlobalViewACL.py
│ │ │ │ │ ├── S3IgnorePublicACLs.py
│ │ │ │ │ ├── S3ObjectCopyEncryptedWithCMK.py
│ │ │ │ │ ├── S3ProtectAgainstPolicyLockout.py
│ │ │ │ │ ├── S3RestrictPublicBuckets.py
│ │ │ │ │ ├── S3SecureDataTransport.py
│ │ │ │ │ ├── SNSCrossAccountAccess.py
│ │ │ │ │ ├── SNSTopicEncryption.py
│ │ │ │ │ ├── SNSTopicPolicyAnyPrincipal.py
│ │ │ │ │ ├── SQSOverlyPermissive.py
│ │ │ │ │ ├── SQSPolicy.py
│ │ │ │ │ ├── SQSQueueEncryption.py
│ │ │ │ │ ├── SQSQueuePolicyAnyPrincipal.py
│ │ │ │ │ ├── SSMDocumentsArePrivate.py
│ │ │ │ │ ├── SSMParameterUsesCMK.py
│ │ │ │ │ ├── SSMSessionManagerDocumentEncryption.py
│ │ │ │ │ ├── SSMSessionManagerDocumentLogging.py
│ │ │ │ │ ├── SageMakerInternetAccessDisabled.py
│ │ │ │ │ ├── SagemakerDataQualityJobDefinitionEncryption.py
│ │ │ │ │ ├── SagemakerDataQualityJobDefinitionTrafficEncryption.py
│ │ │ │ │ ├── SagemakerDataQualityJobDefinitionVolumeEncryption.py
│ │ │ │ │ ├── SagemakerDomainEncryptedWithCMK.py
│ │ │ │ │ ├── SagemakerEndpointConfigurationEncryption.py
│ │ │ │ │ ├── SagemakerFlowDefinitionUsesKMS.py
│ │ │ │ │ ├── SagemakerModelWithNetworkIsolation.py
│ │ │ │ │ ├── SagemakerNotebookEncryption.py
│ │ │ │ │ ├── SagemakerNotebookInCustomVPC.py
│ │ │ │ │ ├── SagemakerNotebookInstanceAllowsIMDSv2.py
│ │ │ │ │ ├── SagemakerNotebookRoot.py
│ │ │ │ │ ├── SchedulerScheduleUsesCMK.py
│ │ │ │ │ ├── SecretManagerSecret90days.py
│ │ │ │ │ ├── SecretManagerSecretEncrypted.py
│ │ │ │ │ ├── SecurityGroupRuleDescription.py
│ │ │ │ │ ├── SecurityGroupUnrestrictedEgressAny.py
│ │ │ │ │ ├── SecurityGroupUnrestrictedIngress22.py
│ │ │ │ │ ├── SecurityGroupUnrestrictedIngress3389.py
│ │ │ │ │ ├── SecurityGroupUnrestrictedIngress80.py
│ │ │ │ │ ├── SecurityGroupUnrestrictedIngressAny.py
│ │ │ │ │ ├── SesConfigurationSetDefinesTLS.py
│ │ │ │ │ ├── StateMachineLoggingExecutionHistory.py
│ │ │ │ │ ├── StateMachineXray.py
│ │ │ │ │ ├── SubnetPublicIP.py
│ │ │ │ │ ├── TimestreamDatabaseKMSKey.py
│ │ │ │ │ ├── TransferServerAllowsOnlySecureProtocols.py
│ │ │ │ │ ├── TransferServerIsPublic.py
│ │ │ │ │ ├── TransferServerLatestPolicy.py
│ │ │ │ │ ├── UnpatchedAuroraPostgresDB.py
│ │ │ │ │ ├── VPCDefaultNetwork.py
│ │ │ │ │ ├── VPCEndpointAcceptanceConfigured.py
│ │ │ │ │ ├── WAFACLCVE202144228.py
│ │ │ │ │ ├── WAFEnabled.py
│ │ │ │ │ ├── WAFHasAnyRules.py
│ │ │ │ │ ├── WAFHasLogs.py
│ │ │ │ │ ├── WAFRuleHasAnyActions.py
│ │ │ │ │ ├── WorkspaceRootVolumeEncrypted.py
│ │ │ │ │ ├── WorkspaceUserVolumeEncrypted.py
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── azure/
│ │ │ │ │ ├── ACRAdminAccountDisabled.py
│ │ │ │ │ ├── ACRAnonymousPullDisabled.py
│ │ │ │ │ ├── ACRContainerScanEnabled.py
│ │ │ │ │ ├── ACRDedicatedDataEndpointEnabled.py
│ │ │ │ │ ├── ACREnableImageQuarantine.py
│ │ │ │ │ ├── ACREnableRetentionPolicy.py
│ │ │ │ │ ├── ACREnableZoneRedundancy.py
│ │ │ │ │ ├── ACRGeoreplicated.py
│ │ │ │ │ ├── ACRPublicNetworkAccessDisabled.py
│ │ │ │ │ ├── ACRUseSignedImages.py
│ │ │ │ │ ├── AKSApiServerAuthorizedIpRanges.py
│ │ │ │ │ ├── AKSDashboardDisabled.py
│ │ │ │ │ ├── AKSEnablesPrivateClusters.py
│ │ │ │ │ ├── AKSEncryptionAtHostEnabled.py
│ │ │ │ │ ├── AKSEphemeralOSDisks.py
│ │ │ │ │ ├── AKSIsPaidSku.py
│ │ │ │ │ ├── AKSLocalAdminDisabled.py
│ │ │ │ │ ├── AKSLoggingEnabled.py
│ │ │ │ │ ├── AKSMaxPodsMinimum.py
│ │ │ │ │ ├── AKSNetworkPolicy.py
│ │ │ │ │ ├── AKSNodePublicIpDisabled.py
│ │ │ │ │ ├── AKSOnlyCriticalPodsOnSystemNodes.py
│ │ │ │ │ ├── AKSPoolTypeIsScaleSet.py
│ │ │ │ │ ├── AKSRbacEnabled.py
│ │ │ │ │ ├── AKSSecretStoreRotation.py
│ │ │ │ │ ├── AKSUpgradeChannel.py
│ │ │ │ │ ├── AKSUsesAzurePoliciesAddon.py
│ │ │ │ │ ├── AKSUsesDiskEncryptionSet.py
│ │ │ │ │ ├── APIManagementBackendHTTPS.py
│ │ │ │ │ ├── APIManagementCertsEnforced.py
│ │ │ │ │ ├── APIManagementMinTLS12.py
│ │ │ │ │ ├── APIManagementPublicAccess.py
│ │ │ │ │ ├── APIServicesUseVirtualNetwork.py
│ │ │ │ │ ├── ActiveDirectoryUsedAuthenticationServiceFabric.py
│ │ │ │ │ ├── AppConfigEncryption.py
│ │ │ │ │ ├── AppConfigLocalAuth.py
│ │ │ │ │ ├── AppConfigPublicAccess.py
│ │ │ │ │ ├── AppConfigPurgeProtection.py
│ │ │ │ │ ├── AppConfigSku.py
│ │ │ │ │ ├── AppGWDefinesSecureProtocols.py
│ │ │ │ │ ├── AppGWUseWAFMode.py
│ │ │ │ │ ├── AppGWUsesHttps.py
│ │ │ │ │ ├── AppGatewayWAFACLCVE202144228.py
│ │ │ │ │ ├── AppServiceAlwaysOn.py
│ │ │ │ │ ├── AppServiceAuthentication.py
│ │ │ │ │ ├── AppServiceClientCertificate.py
│ │ │ │ │ ├── AppServiceDetailedErrorMessagesEnabled.py
│ │ │ │ │ ├── AppServiceDisallowCORS.py
│ │ │ │ │ ├── AppServiceDotnetFrameworkVersion.py
│ │ │ │ │ ├── AppServiceEnableFailedRequest.py
│ │ │ │ │ ├── AppServiceEnvironmentZoneRedundant.py
│ │ │ │ │ ├── AppServiceFTPSState.py
│ │ │ │ │ ├── AppServiceHTTPSOnly.py
│ │ │ │ │ ├── AppServiceHttpLoggingEnabled.py
│ │ │ │ │ ├── AppServiceHttps20Enabled.py
│ │ │ │ │ ├── AppServiceIdentity.py
│ │ │ │ │ ├── AppServiceIdentityProviderEnabled.py
│ │ │ │ │ ├── AppServiceInstanceMinimum.py
│ │ │ │ │ ├── AppServiceJavaVersion.py
│ │ │ │ │ ├── AppServiceMinTLSVersion.py
│ │ │ │ │ ├── AppServicePHPVersion.py
│ │ │ │ │ ├── AppServicePlanZoneRedundant.py
│ │ │ │ │ ├── AppServicePublicAccessDisabled.py
│ │ │ │ │ ├── AppServicePythonVersion.py
│ │ │ │ │ ├── AppServiceRemoteDebuggingNotEnabled.py
│ │ │ │ │ ├── AppServiceSetHealthCheck.py
│ │ │ │ │ ├── AppServiceSkuMinimum.py
│ │ │ │ │ ├── AppServiceSlotDebugDisabled.py
│ │ │ │ │ ├── AppServiceSlotHTTPSOnly.py
│ │ │ │ │ ├── AppServiceSlotMinTLS.py
│ │ │ │ │ ├── AppServiceUsedAzureFiles.py
│ │ │ │ │ ├── AutomationEncrypted.py
│ │ │ │ │ ├── AzureBatchAccountEndpointAccessDefaultAction.py
│ │ │ │ │ ├── AzureBatchAccountUsesKeyVaultEncryption.py
│ │ │ │ │ ├── AzureContainerGroupDeployedIntoVirtualNetwork.py
│ │ │ │ │ ├── AzureContainerInstanceEnvVarSecureValueType.py
│ │ │ │ │ ├── AzureContainerInstancePublicIPAddressType.py
│ │ │ │ │ ├── AzureDataExplorerDoubleEncryptionEnabled.py
│ │ │ │ │ ├── AzureDefenderDisabledForResManager.py
│ │ │ │ │ ├── AzureDefenderOnAppServices.py
│ │ │ │ │ ├── AzureDefenderOnContainerRegistry.py
│ │ │ │ │ ├── AzureDefenderOnKeyVaults.py
│ │ │ │ │ ├── AzureDefenderOnKubernetes.py
│ │ │ │ │ ├── AzureDefenderOnServers.py
│ │ │ │ │ ├── AzureDefenderOnSqlServerVMS.py
│ │ │ │ │ ├── AzureDefenderOnSqlServers.py
│ │ │ │ │ ├── AzureDefenderOnStorage.py
│ │ │ │ │ ├── AzureFirewallDefinesPolicy.py
│ │ │ │ │ ├── AzureFirewallDenyThreatIntelMode.py
│ │ │ │ │ ├── AzureFirewallPolicyIDPSDeny.py
│ │ │ │ │ ├── AzureFrontDoorEnablesWAF.py
│ │ │ │ │ ├── AzureInstanceExtensions.py
│ │ │ │ │ ├── AzureInstancePassword.py
│ │ │ │ │ ├── AzureManagedDiskEncryption.py
│ │ │ │ │ ├── AzureManagedDiskEncryptionSet.py
│ │ │ │ │ ├── AzureScaleSetPassword.py
│ │ │ │ │ ├── AzureSearchAllowedIPsNotGlobal.py
│ │ │ │ │ ├── AzureSearchManagedIdentity.py
│ │ │ │ │ ├── AzureSearchPublicNetworkAccessDisabled.py
│ │ │ │ │ ├── AzureSearchSLAIndex.py
│ │ │ │ │ ├── AzureSearchSLAQueryUpdates.py
│ │ │ │ │ ├── AzureServiceFabricClusterProtectionLevel.py
│ │ │ │ │ ├── AzureServicebusDoubleEncryptionEnabled.py
│ │ │ │ │ ├── AzureServicebusHasCMK.py
│ │ │ │ │ ├── AzureServicebusIdentityProviderEnabled.py
│ │ │ │ │ ├── AzureServicebusLocalAuthDisabled.py
│ │ │ │ │ ├── AzureServicebusMinTLSVersion.py
│ │ │ │ │ ├── AzureServicebusPublicAccessDisabled.py
│ │ │ │ │ ├── AzureSparkPoolIsolatedComputeEnabled.py
│ │ │ │ │ ├── CDNDisableHttpEndpoints.py
│ │ │ │ │ ├── CDNEnableHttpsEndpoints.py
│ │ │ │ │ ├── CDNTLSProtocol12.py
│ │ │ │ │ ├── CognitiveServicesConfigureIdentity.py
│ │ │ │ │ ├── CognitiveServicesDisablesPublicNetwork.py
│ │ │ │ │ ├── CognitiveServicesEnableLocalAuth.py
│ │ │ │ │ ├── CosmosDBAccountsRestrictedAccess.py
│ │ │ │ │ ├── CosmosDBDisableAccessKeyWrite.py
│ │ │ │ │ ├── CosmosDBDisablesPublicNetwork.py
│ │ │ │ │ ├── CosmosDBHaveCMK.py
│ │ │ │ │ ├── CosmosDBLocalAuthDisabled.py
│ │ │ │ │ ├── CutsomRoleDefinitionSubscriptionOwner.py
│ │ │ │ │ ├── DataExplorerSKUHasSLA.py
│ │ │ │ │ ├── DataExplorerServiceIdentity.py
│ │ │ │ │ ├── DataExplorerUsesDiskEncryption.py
│ │ │ │ │ ├── DataFactoryNoPublicNetworkAccess.py
│ │ │ │ │ ├── DataFactoryUsesGitRepository.py
│ │ │ │ │ ├── DataLakeStoreEncryption.py
│ │ │ │ │ ├── DatabricksWorkspaceIsNotPublic.py
│ │ │ │ │ ├── EventHubNamespaceMinTLS12.py
│ │ │ │ │ ├── EventHubNamespaceZoneRedundant.py
│ │ │ │ │ ├── EventgridDomainIdentityProviderEnabled.py
│ │ │ │ │ ├── EventgridDomainLocalAuthentication.py
│ │ │ │ │ ├── EventgridDomainNetworkAccess.py
│ │ │ │ │ ├── EventgridTopicIdentityProviderEnabled.py
│ │ │ │ │ ├── EventgridTopicLocalAuthentication.py
│ │ │ │ │ ├── EventgridTopicNetworkAccess.py
│ │ │ │ │ ├── FrontDoorWAFACLCVE202144228.py
│ │ │ │ │ ├── FrontdoorUseWAFMode.py
│ │ │ │ │ ├── FunctionAppDisallowCORS.py
│ │ │ │ │ ├── FunctionAppEnableLogging.py
│ │ │ │ │ ├── FunctionAppHttpVersionLatest.py
│ │ │ │ │ ├── FunctionAppMinTLSVersion.py
│ │ │ │ │ ├── FunctionAppPublicAccessDisabled.py
│ │ │ │ │ ├── FunctionAppsAccessibleOverHttps.py
│ │ │ │ │ ├── FunctionAppsEnableAuthentication.py
│ │ │ │ │ ├── GithubActionsOIDCTrustPolicy.py
│ │ │ │ │ ├── IoTNoPublicNetworkAccess.py
│ │ │ │ │ ├── KeyBackedByHSM.py
│ │ │ │ │ ├── KeyExpirationDate.py
│ │ │ │ │ ├── KeyVaultDisablesPublicNetworkAccess.py
│ │ │ │ │ ├── KeyVaultEnablesFirewallRulesSettings.py
│ │ │ │ │ ├── KeyVaultEnablesPurgeProtection.py
│ │ │ │ │ ├── KeyVaultEnablesSoftDelete.py
│ │ │ │ │ ├── KeyvaultRecoveryEnabled.py
│ │ │ │ │ ├── KubernetesClusterHTTPApplicationRouting.py
│ │ │ │ │ ├── LinuxVMUsesSSH.py
│ │ │ │ │ ├── MLCCLADisabled.py
│ │ │ │ │ ├── MLComputeClusterMinNodes.py
│ │ │ │ │ ├── MLPublicAccess.py
│ │ │ │ │ ├── MSSQLServerAuditPolicyLogMonitor.py
│ │ │ │ │ ├── MSSQLServerMinTLSVersion.py
│ │ │ │ │ ├── MariaDBGeoBackupEnabled.py
│ │ │ │ │ ├── MariaDBPublicAccessDisabled.py
│ │ │ │ │ ├── MariaDBSSLEnforcementEnabled.py
│ │ │ │ │ ├── MonitorLogProfileCategories.py
│ │ │ │ │ ├── MonitorLogProfileRetentionDays.py
│ │ │ │ │ ├── MySQLEncryptionEnabled.py
│ │ │ │ │ ├── MySQLGeoBackupEnabled.py
│ │ │ │ │ ├── MySQLPublicAccessDisabled.py
│ │ │ │ │ ├── MySQLServerMinTLSVersion.py
│ │ │ │ │ ├── MySQLServerSSLEnforcementEnabled.py
│ │ │ │ │ ├── MySQLTreatDetectionEnabled.py
│ │ │ │ │ ├── NSGRuleHTTPAccessRestricted.py
│ │ │ │ │ ├── NSGRulePortAccessRestricted.py
│ │ │ │ │ ├── NSGRuleRDPAccessRestricted.py
│ │ │ │ │ ├── NSGRuleSSHAccessRestricted.py
│ │ │ │ │ ├── NSGRuleUDPAccessRestricted.py
│ │ │ │ │ ├── NetworkInterfaceEnableIPForwarding.py
│ │ │ │ │ ├── NetworkWatcherFlowLogPeriod.py
│ │ │ │ │ ├── OpenAICognitiveServicesRestrictOutboundNetwork.py
│ │ │ │ │ ├── PostgreSQLEncryptionEnabled.py
│ │ │ │ │ ├── PostgreSQLFlexiServerGeoBackupEnabled.py
│ │ │ │ │ ├── PostgreSQLMinTLSVersion.py
│ │ │ │ │ ├── PostgreSQLServerConnectionThrottlingEnabled.py
│ │ │ │ │ ├── PostgreSQLServerLogCheckpointsEnabled.py
│ │ │ │ │ ├── PostgreSQLServerLogConnectionsEnabled.py
│ │ │ │ │ ├── PostgreSQLServerLogRetentionEnabled.py
│ │ │ │ │ ├── PostgreSQLServerPublicAccessDisabled.py
│ │ │ │ │ ├── PostgreSQLServerSSLEnforcementEnabled.py
│ │ │ │ │ ├── PostgresSQLTreatDetectionEnabled.py
│ │ │ │ │ ├── PostgressSQLGeoBackupEnabled.py
│ │ │ │ │ ├── PubsubSKUSLA.py
│ │ │ │ │ ├── PubsubSpecifyIdentity.py
│ │ │ │ │ ├── RedisCacheEnableNonSSLPort.py
│ │ │ │ │ ├── RedisCacheMinTLSVersion.py
│ │ │ │ │ ├── RedisCachePublicNetworkAccessEnabled.py
│ │ │ │ │ ├── RedisCacheStandardReplicationEnabled.py
│ │ │ │ │ ├── SQLDatabaseLedgerEnabled.py
│ │ │ │ │ ├── SQLDatabaseZoneRedundant.py
│ │ │ │ │ ├── SQLServerEmailAlertsEnabled.py
│ │ │ │ │ ├── SQLServerEmailAlertsToAdminsEnabled.py
│ │ │ │ │ ├── SQLServerNoPublicAccess.py
│ │ │ │ │ ├── SQLServerPublicAccessDisabled.py
│ │ │ │ │ ├── SQLServerThreatDetectionTypes.py
│ │ │ │ │ ├── SecretContentType.py
│ │ │ │ │ ├── SecretExpirationDate.py
│ │ │ │ │ ├── SecurityCenterContactEmailAlert.py
│ │ │ │ │ ├── SecurityCenterContactEmailAlertAdmins.py
│ │ │ │ │ ├── SecurityCenterContactEmails.py
│ │ │ │ │ ├── SecurityCenterContactPhone.py
│ │ │ │ │ ├── SecurityCenterStandardPricing.py
│ │ │ │ │ ├── SignalRSKUSLA.py
│ │ │ │ │ ├── SpringCloudAPIPortalHTTPSOnly.py
│ │ │ │ │ ├── SpringCloudAPIPortalPublicAccessIsDisabled.py
│ │ │ │ │ ├── StorageAccountAzureServicesAccessEnabled.py
│ │ │ │ │ ├── StorageAccountDefaultNetworkAccessDeny.py
│ │ │ │ │ ├── StorageAccountDisablePublicAccess.py
│ │ │ │ │ ├── StorageAccountLoggingQueueServiceEnabled.py
│ │ │ │ │ ├── StorageAccountMinimumTlsVersion.py
│ │ │ │ │ ├── StorageAccountName.py
│ │ │ │ │ ├── StorageAccountsTransportEncryption.py
│ │ │ │ │ ├── StorageAccountsUseReplication.py
│ │ │ │ │ ├── StorageBlobRestrictPublicAccess.py
│ │ │ │ │ ├── StorageBlobServiceContainerPrivateAccess.py
│ │ │ │ │ ├── StorageLocalUsers.py
│ │ │ │ │ ├── StorageSyncPublicAccessDisabled.py
│ │ │ │ │ ├── StorageSyncServicePermissiveAccess.py
│ │ │ │ │ ├── SynapseSQLPoolDataEncryption.py
│ │ │ │ │ ├── SynapseWorkspaceAdministratorLoginPasswordHidden.py
│ │ │ │ │ ├── SynapseWorkspaceCMKEncryption.py
│ │ │ │ │ ├── SynapseWorkspaceEnablesDataExfilProtection.py
│ │ │ │ │ ├── SynapseWorkspaceEnablesManagedVirtualNetworks.py
│ │ │ │ │ ├── VMAgentIsInstalled.py
│ │ │ │ │ ├── VMCredsInCustomData.py
│ │ │ │ │ ├── VMDisablePasswordAuthentication.py
│ │ │ │ │ ├── VMDiskWithPublicAccess.py
│ │ │ │ │ ├── VMEncryptionAtHostEnabled.py
│ │ │ │ │ ├── VMScaleSetsAutoOSImagePatchingEnabled.py
│ │ │ │ │ ├── VMStorageOsDisk.py
│ │ │ │ │ ├── VnetLocalDNS.py
│ │ │ │ │ ├── VnetSingleDNSServer.py
│ │ │ │ │ ├── WinVMAutomaticUpdates.py
│ │ │ │ │ ├── WinVMEncryptionAtHost.py
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── base_cloudsplaining_resource_iam_check.py
│ │ │ │ ├── base_registry.py
│ │ │ │ ├── base_resource_check.py
│ │ │ │ ├── base_resource_negative_value_check.py
│ │ │ │ ├── base_resource_value_check.py
│ │ │ │ ├── digitalocean/
│ │ │ │ │ ├── DropletSSHKeys.py
│ │ │ │ │ ├── FirewallIngressOpen.py
│ │ │ │ │ ├── SpacesBucketPublicRead.py
│ │ │ │ │ ├── SpacesBucketVersioning.py
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── gcp/
│ │ │ │ │ ├── AbsGoogleBasicRoles.py
│ │ │ │ │ ├── AbsGoogleComputeFirewallUnrestrictedIngress.py
│ │ │ │ │ ├── AbsGoogleIAMMemberDefaultServiceAccount.py
│ │ │ │ │ ├── AbsGoogleImpersonationRoles.py
│ │ │ │ │ ├── AbsGooglePostgresqlDatabaseFlags.py
│ │ │ │ │ ├── ArtifactRegistryPrivateRepo.py
│ │ │ │ │ ├── ArtifactRegsitryEncryptedWithCMK.py
│ │ │ │ │ ├── BigQueryDatasetEncryptedWithCMK.py
│ │ │ │ │ ├── BigQueryPrivateTable.py
│ │ │ │ │ ├── BigQueryTableDeletionProtection.py
│ │ │ │ │ ├── BigQueryTableEncryptedWithCMK.py
│ │ │ │ │ ├── BigTableInstanceDeletionProtection.py
│ │ │ │ │ ├── BigTableInstanceEncryptedWithCMK.py
│ │ │ │ │ ├── CloudArmorWAFACLCVE202144228.py
│ │ │ │ │ ├── CloudBuildWorkersArePrivate.py
│ │ │ │ │ ├── CloudFunctionPermissiveIngress.py
│ │ │ │ │ ├── CloudFunctionsShouldNotBePublic.py
│ │ │ │ │ ├── CloudPubSubEncryptedWithCMK.py
│ │ │ │ │ ├── CloudSqlMajorVersion.py
│ │ │ │ │ ├── CloudStorageLogging.py
│ │ │ │ │ ├── CloudStorageSelfLogging.py
│ │ │ │ │ ├── CloudStorageVersioningEnabled.py
│ │ │ │ │ ├── DataFusionPrivateInstance.py
│ │ │ │ │ ├── DataFusionStackdriverLogs.py
│ │ │ │ │ ├── DataFusionStackdriverMonitoring.py
│ │ │ │ │ ├── DataflowJobEncryptedWithCMK.py
│ │ │ │ │ ├── DataflowPrivateJob.py
│ │ │ │ │ ├── DataprocClusterEncryptedWithCMK.py
│ │ │ │ │ ├── DataprocPrivateCluster.py
│ │ │ │ │ ├── DataprocPublicIpCluster.py
│ │ │ │ │ ├── GCPCloudRunPrivateService.py
│ │ │ │ │ ├── GKEAliasIpEnabled.py
│ │ │ │ │ ├── GKEBinaryAuthorization.py
│ │ │ │ │ ├── GKEClientCertificateDisabled.py
│ │ │ │ │ ├── GKEClusterLogging.py
│ │ │ │ │ ├── GKEDisableLegacyAuth.py
│ │ │ │ │ ├── GKEDontUseNodePools.py
│ │ │ │ │ ├── GKEEnableShieldedNodes.py
│ │ │ │ │ ├── GKEEnableVPCFlowLogs.py
│ │ │ │ │ ├── GKEEnsureIntegrityMonitoring.py
│ │ │ │ │ ├── GKEHasLabels.py
│ │ │ │ │ ├── GKEKubernetesRBACGoogleGroups.py
│ │ │ │ │ ├── GKEMasterAuthorizedNetworksEnabled.py
│ │ │ │ │ ├── GKEMetadataServerIsEnabled.py
│ │ │ │ │ ├── GKEMonitoringEnabled.py
│ │ │ │ │ ├── GKENetworkPolicyEnabled.py
│ │ │ │ │ ├── GKENodePoolAutoRepairEnabled.py
│ │ │ │ │ ├── GKENodePoolAutoUpgradeEnabled.py
│ │ │ │ │ ├── GKEPodSecurityPolicyEnabled.py
│ │ │ │ │ ├── GKEPrivateClusterConfig.py
│ │ │ │ │ ├── GKEPrivateNodes.py
│ │ │ │ │ ├── GKEPublicControlPlane.py
│ │ │ │ │ ├── GKEReleaseChannel.py
│ │ │ │ │ ├── GKESecureBootforShieldedNodes.py
│ │ │ │ │ ├── GKEUseCosImage.py
│ │ │ │ │ ├── GithubActionsOIDCTrustPolicy.py
│ │ │ │ │ ├── GoogleBigQueryDatasetPublicACL.py
│ │ │ │ │ ├── GoogleCloudDNSKeySpecsRSASHA1.py
│ │ │ │ │ ├── GoogleCloudDNSSECEnabled.py
│ │ │ │ │ ├── GoogleCloudMySqlLocalInfileOff.py
│ │ │ │ │ ├── GoogleCloudPostgreSqlEnablePgaudit.py
│ │ │ │ │ ├── GoogleCloudPostgreSqlLogCheckpoints.py
│ │ │ │ │ ├── GoogleCloudPostgreSqlLogConnection.py
│ │ │ │ │ ├── GoogleCloudPostgreSqlLogDisconnection.py
│ │ │ │ │ ├── GoogleCloudPostgreSqlLogHostname.py
│ │ │ │ │ ├── GoogleCloudPostgreSqlLogLockWaits.py
│ │ │ │ │ ├── GoogleCloudPostgreSqlLogMinDuration.py
│ │ │ │ │ ├── GoogleCloudPostgreSqlLogMinErrorStatement.py
│ │ │ │ │ ├── GoogleCloudPostgreSqlLogMinMessage.py
│ │ │ │ │ ├── GoogleCloudPostgreSqlLogStatement.py
│ │ │ │ │ ├── GoogleCloudPostgreSqlLogTemp.py
│ │ │ │ │ ├── GoogleCloudSqlBackupConfiguration.py
│ │ │ │ │ ├── GoogleCloudSqlDatabasePubliclyAccessible.py
│ │ │ │ │ ├── GoogleCloudSqlDatabaseRequireSsl.py
│ │ │ │ │ ├── GoogleCloudSqlServerContainedDBAuthentication.py
│ │ │ │ │ ├── GoogleCloudSqlServerCrossDBOwnershipChaining.py
│ │ │ │ │ ├── GoogleCloudSqlServerNoPublicIP.py
│ │ │ │ │ ├── GoogleComputeBlockProjectSSH.py
│ │ │ │ │ ├── GoogleComputeBootDiskEncryption.py
│ │ │ │ │ ├── GoogleComputeDefaultServiceAccount.py
│ │ │ │ │ ├── GoogleComputeDefaultServiceAccountFullAccess.py
│ │ │ │ │ ├── GoogleComputeDiskEncryption.py
│ │ │ │ │ ├── GoogleComputeExternalIP.py
│ │ │ │ │ ├── GoogleComputeFirewallUnrestrictedIngress20.py
│ │ │ │ │ ├── GoogleComputeFirewallUnrestrictedIngress21.py
│ │ │ │ │ ├── GoogleComputeFirewallUnrestrictedIngress22.py
│ │ │ │ │ ├── GoogleComputeFirewallUnrestrictedIngress3306.py
│ │ │ │ │ ├── GoogleComputeFirewallUnrestrictedIngress3389.py
│ │ │ │ │ ├── GoogleComputeFirewallUnrestrictedIngress80.py
│ │ │ │ │ ├── GoogleComputeIPForward.py
│ │ │ │ │ ├── GoogleComputeInstanceOSLogin.py
│ │ │ │ │ ├── GoogleComputeProjectOSLogin.py
│ │ │ │ │ ├── GoogleComputeSSLPolicy.py
│ │ │ │ │ ├── GoogleComputeSerialPorts.py
│ │ │ │ │ ├── GoogleComputeShieldedVM.py
│ │ │ │ │ ├── GoogleFolderBasicRole.py
│ │ │ │ │ ├── GoogleFolderImpersonationRole.py
│ │ │ │ │ ├── GoogleFolderMemberDefaultServiceAccount.py
│ │ │ │ │ ├── GoogleIAMWorkloadIdentityConditional.py
│ │ │ │ │ ├── GoogleKMSKeyIsPublic.py
│ │ │ │ │ ├── GoogleKMSPreventDestroy.py
│ │ │ │ │ ├── GoogleKMSRotationPeriod.py
│ │ │ │ │ ├── GoogleOrgBasicRole.py
│ │ │ │ │ ├── GoogleOrgImpersonationRole.py
│ │ │ │ │ ├── GoogleOrgMemberDefaultServiceAccount.py
│ │ │ │ │ ├── GoogleProjectAdminServiceAccount.py
│ │ │ │ │ ├── GoogleProjectBasicRole.py
│ │ │ │ │ ├── GoogleProjectDefaultNetwork.py
│ │ │ │ │ ├── GoogleProjectImpersonationRole.py
│ │ │ │ │ ├── GoogleProjectMemberDefaultServiceAccount.py
│ │ │ │ │ ├── GoogleRoleServiceAccountUser.py
│ │ │ │ │ ├── GoogleStorageBucketNotPublic.py
│ │ │ │ │ ├── GoogleStorageBucketUniformAccess.py
│ │ │ │ │ ├── GoogleStoragePublicAccessPrevention.py
│ │ │ │ │ ├── GoogleSubnetworkIPV6PrivateGoogleEnabled.py
│ │ │ │ │ ├── GoogleSubnetworkLoggingEnabled.py
│ │ │ │ │ ├── GoogleSubnetworkPrivateGoogleEnabled.py
│ │ │ │ │ ├── GoogleVertexAINotebookShieldedVM.py
│ │ │ │ │ ├── MemorystoreForRedisAuthEnabled.py
│ │ │ │ │ ├── MemorystoreForRedisInTransitEncryption.py
│ │ │ │ │ ├── PubSubPrivateTopic.py
│ │ │ │ │ ├── SpannerDatabaseDeletionProtection.py
│ │ │ │ │ ├── SpannerDatabaseDropProtection.py
│ │ │ │ │ ├── SpannerDatabaseEncryptedWithCMK.py
│ │ │ │ │ ├── VertexAIDatasetEncryptedWithCMK.py
│ │ │ │ │ ├── VertexAIMetadataStoreEncryptedWithCMK.py
│ │ │ │ │ ├── VertexAINotebookEnsureIntegrityMonitoring.py
│ │ │ │ │ ├── VertexAIPrivateInstance.py
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── github/
│ │ │ │ │ ├── BranchProtectionRequireSignedCommits.py
│ │ │ │ │ ├── BranchProtectionReviewNumTwo.py
│ │ │ │ │ ├── PrivateRepo.py
│ │ │ │ │ ├── RepositoryEnableVulnerabilityAlerts.py
│ │ │ │ │ ├── SecretsEncrypted.py
│ │ │ │ │ ├── WebhookInsecureSsl.py
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── gitlab/
│ │ │ │ │ ├── ForcePushDisabled.py
│ │ │ │ │ ├── PreventSecretsEnabled.py
│ │ │ │ │ ├── RejectUnsignedCommits.py
│ │ │ │ │ ├── RequireTwoApprovalsToMerge.py
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── kubernetes/
│ │ │ │ │ ├── AllowPrivilegeEscalation.py
│ │ │ │ │ ├── AllowPrivilegeEscalationPSP.py
│ │ │ │ │ ├── AllowedCapabilities.py
│ │ │ │ │ ├── AllowedCapabilitiesPSP.py
│ │ │ │ │ ├── AllowedCapabilitiesSysAdmin.py
│ │ │ │ │ ├── CPULimits.py
│ │ │ │ │ ├── CPURequests.py
│ │ │ │ │ ├── ContainerSecurityContext.py
│ │ │ │ │ ├── DangerousGitSync.py
│ │ │ │ │ ├── DefaultNamespace.py
│ │ │ │ │ ├── DefaultServiceAccount.py
│ │ │ │ │ ├── DefaultServiceAccountBinding.py
│ │ │ │ │ ├── DockerSocketVolume.py
│ │ │ │ │ ├── DropCapabilities.py
│ │ │ │ │ ├── DropCapabilitiesPSP.py
│ │ │ │ │ ├── HostPort.py
│ │ │ │ │ ├── ImageDigest.py
│ │ │ │ │ ├── ImagePullPolicyAlways.py
│ │ │ │ │ ├── ImageTagFixed.py
│ │ │ │ │ ├── LivenessProbe.py
│ │ │ │ │ ├── MemoryLimits.py
│ │ │ │ │ ├── MemoryRequests.py
│ │ │ │ │ ├── MinimiseCapabilities.py
│ │ │ │ │ ├── MinimiseCapabilitiesPSP.py
│ │ │ │ │ ├── PodSecurityContext.py
│ │ │ │ │ ├── PrivilegedContainer.py
│ │ │ │ │ ├── PrivilegedContainerPSP.py
│ │ │ │ │ ├── ReadinessProbe.py
│ │ │ │ │ ├── ReadonlyRootFilesystem.py
│ │ │ │ │ ├── RootContainerPSP.py
│ │ │ │ │ ├── SeccompPSP.py
│ │ │ │ │ ├── Secrets.py
│ │ │ │ │ ├── ShareHostIPC.py
│ │ │ │ │ ├── ShareHostIPCPSP.py
│ │ │ │ │ ├── ShareHostPID.py
│ │ │ │ │ ├── ShareHostPIDPSP.py
│ │ │ │ │ ├── SharedHostNetworkNamespace.py
│ │ │ │ │ ├── SharedHostNetworkNamespacePSP.py
│ │ │ │ │ ├── Tiller.py
│ │ │ │ │ ├── TillerService.py
│ │ │ │ │ ├── WildcardRoles.py
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── linode/
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── authorized_keys.py
│ │ │ │ │ ├── firewall_inbound_policy.py
│ │ │ │ │ ├── firewall_outbound_policy.py
│ │ │ │ │ ├── user_email_set.py
│ │ │ │ │ └── user_username_set.py
│ │ │ │ ├── ncp/
│ │ │ │ │ ├── AccessControlGroupInboundRule.py
│ │ │ │ │ ├── AccessControlGroupInboundRulePort22.py
│ │ │ │ │ ├── AccessControlGroupInboundRulePort3389.py
│ │ │ │ │ ├── AccessControlGroupInboundRulePort80.py
│ │ │ │ │ ├── AccessControlGroupOutboundRule.py
│ │ │ │ │ ├── AccessControlGroupRuleDescription.py
│ │ │ │ │ ├── LBListenerUsesSecureProtocols.py
│ │ │ │ │ ├── LBListenerUsingHTTPS.py
│ │ │ │ │ ├── LBNetworkPrivate.py
│ │ │ │ │ ├── LBTargetGroupDefinesHealthCheck.py
│ │ │ │ │ ├── LBTargetGroupUsingHTTPS.py
│ │ │ │ │ ├── LaunchConfigurationEncryptionVPC.py
│ │ │ │ │ ├── NACLInbound20.py
│ │ │ │ │ ├── NACLInbound21.py
│ │ │ │ │ ├── NACLInbound22.py
│ │ │ │ │ ├── NACLInbound3389.py
│ │ │ │ │ ├── NACLInboundCheck.py
│ │ │ │ │ ├── NACLPortCheck.py
│ │ │ │ │ ├── NASEncryptionEnabled.py
│ │ │ │ │ ├── NKSControlPlaneLogging.py
│ │ │ │ │ ├── NKSPublicAccess.py
│ │ │ │ │ ├── RouteTableNATGatewayDefault.py
│ │ │ │ │ ├── ServerEncryptionVPC.py
│ │ │ │ │ ├── ServerPublicIP.py
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── oci/
│ │ │ │ │ ├── AbsSecurityGroupUnrestrictedIngress.py
│ │ │ │ │ ├── AbsSecurityListUnrestrictedIngress.py
│ │ │ │ │ ├── DataCatalogWithPublicAccess.py
│ │ │ │ │ ├── FileSystemEncryption.py
│ │ │ │ │ ├── IAMPasswordLength.py
│ │ │ │ │ ├── IAMPasswordPolicyLowerCase.py
│ │ │ │ │ ├── IAMPasswordPolicyNumeric.py
│ │ │ │ │ ├── IAMPasswordPolicySpecialCharacters.py
│ │ │ │ │ ├── IAMPasswordPolicyUpperCase.py
│ │ │ │ │ ├── InstanceBootVolumeIntransitEncryption.py
│ │ │ │ │ ├── InstanceMetadataServiceEnabled.py
│ │ │ │ │ ├── InstanceMonitoringEnabled.py
│ │ │ │ │ ├── ObjectStorageEmitEvents.py
│ │ │ │ │ ├── ObjectStorageEncryption.py
│ │ │ │ │ ├── ObjectStoragePublic.py
│ │ │ │ │ ├── ObjectStorageVersioning.py
│ │ │ │ │ ├── SecurityGroupUnrestrictedIngress22.py
│ │ │ │ │ ├── SecurityGroupsIngressStatelessSecurityRules.py
│ │ │ │ │ ├── SecurityListIngress.py
│ │ │ │ │ ├── SecurityListIngressStateless.py
│ │ │ │ │ ├── SecurityListUnrestrictedIngress22.py
│ │ │ │ │ ├── SecurityListUnrestrictedIngress3389.py
│ │ │ │ │ ├── StorageBlockBackupEnabled.py
│ │ │ │ │ ├── StorageBlockEncryption.py
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── okta/
│ │ │ │ │ ├── TwoFASignOnPolicyRule.py
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── openstack/
│ │ │ │ │ ├── AbsSecurityGroupUnrestrictedIngress.py
│ │ │ │ │ ├── ComputeInstanceAdminPassword.py
│ │ │ │ │ ├── FirewallRuleSetDestinationIP.py
│ │ │ │ │ ├── SecurityGroupUnrestrictedIngress22.py
│ │ │ │ │ ├── SecurityGroupUnrestrictedIngress3389.py
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── panos/
│ │ │ │ │ ├── InterfaceMgmtProfileNoHTTP.py
│ │ │ │ │ ├── InterfaceMgmtProfileNoTelnet.py
│ │ │ │ │ ├── NetworkIPsecAlgorithms.py
│ │ │ │ │ ├── NetworkIPsecAuthAlgorithms.py
│ │ │ │ │ ├── NetworkIPsecProtocols.py
│ │ │ │ │ ├── PolicyDescription.py
│ │ │ │ │ ├── PolicyLogForwarding.py
│ │ │ │ │ ├── PolicyLoggingEnabled.py
│ │ │ │ │ ├── PolicyNoApplicationAny.py
│ │ │ │ │ ├── PolicyNoDSRI.py
│ │ │ │ │ ├── PolicyNoServiceAny.py
│ │ │ │ │ ├── PolicyNoSrcAnyDstAny.py
│ │ │ │ │ ├── ZoneProtectionProfile.py
│ │ │ │ │ ├── ZoneUserIDIncludeACL.py
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── registry.py
│ │ │ │ ├── tencentcloud/
│ │ │ │ │ ├── CBSEncryption.py
│ │ │ │ │ ├── CDBInternetService.py
│ │ │ │ │ ├── CDBIntranetPort.py
│ │ │ │ │ ├── CLBInstanceLog.py
│ │ │ │ │ ├── CLBListenerProtocol.py
│ │ │ │ │ ├── CVMAllocatePublicIp.py
│ │ │ │ │ ├── CVMDisableMonitorService.py
│ │ │ │ │ ├── CVMUseDefaultSecurityGroup.py
│ │ │ │ │ ├── CVMUseDefaultVPC.py
│ │ │ │ │ ├── CVMUserData.py
│ │ │ │ │ ├── TKELogAgentEnabled.py
│ │ │ │ │ ├── TKEPublicIpAssigned.py
│ │ │ │ │ ├── VPCFlowLogConfigEnable.py
│ │ │ │ │ ├── VPCSecurityGroupRuleSet.py
│ │ │ │ │ └── __init__.py
│ │ │ │ └── yandexcloud/
│ │ │ │ ├── ComputeInstanceGroupPublicIP.py
│ │ │ │ ├── ComputeInstanceGroupSecurityGroup.py
│ │ │ │ ├── ComputeVMPublicIP.py
│ │ │ │ ├── ComputeVMSecurityGroup.py
│ │ │ │ ├── ComputeVMSerialConsole.py
│ │ │ │ ├── IAMCloudElevatedMembers.py
│ │ │ │ ├── IAMFolderElevatedMembers.py
│ │ │ │ ├── IAMOrganizationElevatedMembers.py
│ │ │ │ ├── IAMPassportAccountUsage.py
│ │ │ │ ├── K8SAutoUpgrade.py
│ │ │ │ ├── K8SEtcdKMSEncryption.py
│ │ │ │ ├── K8SNetworkPolicy.py
│ │ │ │ ├── K8SNodeGroupAutoUpgrade.py
│ │ │ │ ├── K8SNodeGroupPublicIP.py
│ │ │ │ ├── K8SNodeGroupSecurityGroup.py
│ │ │ │ ├── K8SPublicIP.py
│ │ │ │ ├── K8SSecurityGroup.py
│ │ │ │ ├── KMSSymmetricKeyRotation.py
│ │ │ │ ├── MDBPublicIP.py
│ │ │ │ ├── MDBSecurityGroup.py
│ │ │ │ ├── ObjectStorageBucketEncryption.py
│ │ │ │ ├── ObjectStorageBucketPublicAccess.py
│ │ │ │ ├── VPCSecurityGroupAllowAll.py
│ │ │ │ ├── VPCSecurityGroupRuleAllowAll.py
│ │ │ │ └── __init__.py
│ │ │ └── utils/
│ │ │ ├── __init__.py
│ │ │ ├── base_cloudsplaining_iam_scanner.py
│ │ │ ├── consts.py
│ │ │ ├── dependency_path_handler.py
│ │ │ └── iam_terraform_document_to_policy_converter.py
│ │ ├── context_parsers/
│ │ │ ├── __init__.py
│ │ │ ├── base_parser.py
│ │ │ ├── parsers/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── data_context_parser.py
│ │ │ │ ├── locals_context_parser.py
│ │ │ │ ├── module_context_parser.py
│ │ │ │ ├── provider_context_parser.py
│ │ │ │ ├── resource_context_parser.py
│ │ │ │ └── variable_context_parser.py
│ │ │ ├── registry.py
│ │ │ └── tf_plan/
│ │ │ └── __init__.py
│ │ ├── deep_analysis_plan_graph_manager.py
│ │ ├── evaluation/
│ │ │ ├── __init__.py
│ │ │ └── base_variable_evaluation.py
│ │ ├── graph_builder/
│ │ │ ├── EncryptionCalculation.md
│ │ │ ├── __init__.py
│ │ │ ├── foreach/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── abstract_handler.py
│ │ │ │ ├── builder.py
│ │ │ │ ├── consts.py
│ │ │ │ ├── data_handler.py
│ │ │ │ ├── foreach_entity_handler.py
│ │ │ │ ├── module_handler.py
│ │ │ │ ├── resource_handler.py
│ │ │ │ └── utils.py
│ │ │ ├── graph_components/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── attribute_names.py
│ │ │ │ ├── block_types.py
│ │ │ │ ├── blocks.py
│ │ │ │ ├── generic_resource_encryption.py
│ │ │ │ └── module.py
│ │ │ ├── graph_to_tf_definitions.py
│ │ │ ├── local_graph.py
│ │ │ ├── utils.py
│ │ │ └── variable_rendering/
│ │ │ ├── __init__.py
│ │ │ ├── evaluate_terraform.py
│ │ │ ├── renderer.py
│ │ │ ├── safe_eval_functions.py
│ │ │ └── vertex_reference.py
│ │ ├── graph_manager.py
│ │ ├── image_referencer/
│ │ │ ├── __init__.py
│ │ │ ├── base_provider.py
│ │ │ ├── manager.py
│ │ │ └── provider/
│ │ │ ├── __init__.py
│ │ │ ├── aws.py
│ │ │ ├── azure.py
│ │ │ └── gcp.py
│ │ ├── module_loading/
│ │ │ ├── __init__.py
│ │ │ ├── content.py
│ │ │ ├── loader.py
│ │ │ ├── loaders/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── bitbucket_access_token_loader.py
│ │ │ │ ├── bitbucket_loader.py
│ │ │ │ ├── git_loader.py
│ │ │ │ ├── github_access_token_loader.py
│ │ │ │ ├── github_loader.py
│ │ │ │ ├── local_path_loader.py
│ │ │ │ ├── registry_loader.py
│ │ │ │ └── versions_parser.py
│ │ │ ├── module_finder.py
│ │ │ ├── module_params.py
│ │ │ └── registry.py
│ │ ├── modules/
│ │ │ ├── __init__.py
│ │ │ ├── module_objects.py
│ │ │ └── module_utils.py
│ │ ├── parser_functions.py
│ │ ├── parser_utils.py
│ │ ├── plan_parser.py
│ │ ├── plan_runner.py
│ │ ├── plan_utils.py
│ │ ├── runner.py
│ │ ├── tag_providers/
│ │ │ ├── __init__.py
│ │ │ ├── aws.py
│ │ │ ├── azure.py
│ │ │ └── gcp.py
│ │ └── tf_parser.py
│ ├── terraform_json/
│ │ ├── __init__.py
│ │ ├── parser.py
│ │ ├── runner.py
│ │ └── utils.py
│ ├── version.py
│ └── yaml_doc/
│ ├── __init__.py
│ ├── base_registry.py
│ ├── base_yaml_check.py
│ ├── enums.py
│ ├── registry.py
│ └── runner.py
├── dangerfile.ts
├── docs/
│ ├── 1.Welcome/
│ │ ├── Feature Descriptions.md
│ │ ├── Migration.md
│ │ ├── Quick Start.md
│ │ ├── Terms and Concepts.md
│ │ └── What is Checkov.md
│ ├── 2.Basics/
│ │ ├── CLI Command Reference.md
│ │ ├── Handling Variables.md
│ │ ├── Hard and soft fail.md
│ │ ├── Installing Checkov.md
│ │ ├── Reviewing Scan Results.md
│ │ ├── Scanning Credentials and Secrets.md
│ │ ├── Suppressing and Skipping Policies.md
│ │ └── Visualizing Checkov Output.md
│ ├── 3.Custom Policies/
│ │ ├── Custom Policies Overview.md
│ │ ├── Examples.md
│ │ ├── Python Custom Policies.md
│ │ ├── Sharing Custom Policies.md
│ │ └── YAML Custom Policies.md
│ ├── 4.Integrations/
│ │ ├── Bitbucket Cloud Pipelines.md
│ │ ├── Docker.md
│ │ ├── GitHub Actions.md
│ │ ├── GitLab CI.md
│ │ ├── Jenkins.md
│ │ ├── Kubernetes.md
│ │ └── pre-commit.md
│ ├── 404.md
│ ├── 5.Policy Index/
│ │ ├── all.md
│ │ ├── ansible.md
│ │ ├── argo_workflows.md
│ │ ├── arm.md
│ │ ├── azure_pipelines.md
│ │ ├── bicep.md
│ │ ├── bitbucket_configuration.md
│ │ ├── bitbucket_pipelines.md
│ │ ├── circleci_pipelines.md
│ │ ├── cloudformation.md
│ │ ├── dockerfile.md
│ │ ├── github_actions.md
│ │ ├── github_configuration.md
│ │ ├── gitlab_ci.md
│ │ ├── gitlab_configuration.md
│ │ ├── kubernetes.md
│ │ ├── openapi.md
│ │ ├── secrets.md
│ │ ├── serverless.md
│ │ └── terraform.md
│ ├── 6.Contribution/
│ │ ├── Contribute New Argo Workflows Policies.md
│ │ ├── Contribute New Azure Pipelines Policies.md
│ │ ├── Contribute New Bitbucket Policies.md
│ │ ├── Contribute New GitHub Policies.md
│ │ ├── Contribute New Gitlab Policies.md
│ │ ├── Contribute New OpenAPI Policies.md
│ │ ├── Contribute New Terraform Provider.md
│ │ ├── Contribute Python-Based Policies.md
│ │ ├── Contribute YAML-based Policies.md
│ │ ├── Contribution New IaC Runner.md
│ │ ├── Contribution Overview.md
│ │ ├── Implementing CI Metadata Extractor.md
│ │ └── Implementing ImageReferencer.md
│ ├── 7.Scan Examples/
│ │ ├── AWS SAM.md
│ │ ├── Ansible.md
│ │ ├── Argo Workflows.md
│ │ ├── Azure ARM templates.md
│ │ ├── Azure Pipelines.md
│ │ ├── Bicep.md
│ │ ├── Bitbucket.md
│ │ ├── CDK.md
│ │ ├── Cloudformation.md
│ │ ├── Dockerfile.md
│ │ ├── Git History.md
│ │ ├── Github.md
│ │ ├── Gitlab.md
│ │ ├── Helm.md
│ │ ├── Kubernetes.md
│ │ ├── Kustomize.md
│ │ ├── OpenAPI.md
│ │ ├── Sca.md
│ │ ├── Serverless Framework.md
│ │ ├── Terraform Plan Scanning.md
│ │ └── Terraform.md
│ ├── 8.Outputs/
│ │ ├── CSV.md
│ │ ├── CycloneDX BOM.md
│ │ ├── GitLab SAST.md
│ │ ├── JUnit XML.md
│ │ └── SARIF.md
│ ├── CNAME
│ ├── Gemfile
│ ├── _config.yml
│ ├── index.md
│ ├── menus.json
│ ├── search.html
│ └── web/
│ ├── css/
│ │ ├── checkov.pyro.css
│ │ ├── normalize.css
│ │ ├── pyro.css
│ │ └── theme.css
│ └── js/
│ └── pyro.js
├── dogfood_tests/
│ ├── pytest.ini
│ └── test_checkov_dogfood.py
├── extra_stubs/
│ ├── boolean/
│ │ ├── __init__.pyi
│ │ └── boolean.py
│ ├── docker/
│ │ ├── __init__.pyi
│ │ ├── client.pyi
│ │ └── models/
│ │ └── images.pyi
│ ├── dockerfile_parse/
│ │ ├── __init__.pyi
│ │ ├── constants.pyi
│ │ └── parser.pyi
│ ├── junit_xml/
│ │ └── __init__.pyi
│ └── license_expression/
│ └── __init__.pyi
├── flake8_plugins/
│ ├── __init__.py
│ └── flake8_class_attributes_plugin/
│ ├── __init__.py
│ ├── flake8_class_attributes/
│ │ ├── __init__.py
│ │ ├── checker.py
│ │ ├── class_members_errors.py
│ │ └── model_parts_info.py
│ └── tests/
│ ├── __init__.py
│ ├── conftest.py
│ ├── test_files/
│ │ ├── __init__.py
│ │ ├── class_attribute_fail.py
│ │ ├── class_const_pass.py
│ │ ├── class_special_attributes_pass.py
│ │ ├── dataclass_skip.py
│ │ └── typing_class_skip.py
│ └── test_handler.py
├── github_action_resources/
│ ├── checkov-problem-matcher-softfail.json
│ ├── checkov-problem-matcher.json
│ └── entrypoint.sh
├── integration_tests/
│ ├── __init__.py
│ ├── example_config_files/
│ │ └── config.yaml
│ ├── example_ext_private_modules/
│ │ └── main.tf
│ ├── example_workflow_file/
│ │ ├── .github/
│ │ │ └── workflows/
│ │ │ └── vulnerable_container.yaml
│ │ └── bitbucket/
│ │ └── bitbucket-pipelines.yml
│ ├── prepare_data.sh
│ ├── run_integration_tests.sh
│ ├── test_checkov_cli_integration_report.py
│ ├── test_checkov_config.py
│ ├── test_checkov_cyclonedx_report.py
│ ├── test_checkov_ext_module_cloning.py
│ ├── test_checkov_json_report.py
│ ├── test_checkov_junit_report.py
│ ├── test_checkov_platform_only_policies.py
│ └── test_checkov_sarif_report.py
├── kubernetes/
│ ├── Dockerfile
│ ├── README.md
│ ├── checkov-job.yaml
│ ├── requirements.txt
│ └── run_checkov.sh
├── mypy.ini
├── performance_tests/
│ ├── __init__.py
│ ├── pytest.ini
│ └── test_checkov_performance.py
├── pyproject.toml
├── sast_integration_tests/
│ ├── __init__.py
│ ├── prepare_data.sh
│ ├── run_integration_tests.sh
│ └── test_checkov_sast_report.py
├── setup.py
└── tests/
├── __init__.py
├── ansible/
│ ├── __init__.py
│ ├── checks/
│ │ ├── __init__.py
│ │ ├── graph_checks/
│ │ │ ├── __init__.py
│ │ │ ├── resources/
│ │ │ │ ├── BlockErrorHandling/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── DnfDisableGpgCheck/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── DnfSslVerify/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── DnfValidateCerts/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── GetUrlHttpsOnly/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ ├── pass.yaml
│ │ │ │ │ └── unknown.yaml
│ │ │ │ ├── PanosIPsecAuthenticationAlgorithms/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── PanosIPsecProtocols/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── PanosInterfaceMgmtProfileNoHTTP/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── PanosInterfaceMgmtProfileNoTelnet/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── PanosPolicyDescription/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── PanosPolicyLogForwarding/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── PanosPolicyLogSessionStart/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── PanosPolicyLoggingEnabled/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── PanosPolicyNoApplicationAny/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── PanosPolicyNoDSRI/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── PanosPolicyNoServiceAny/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── PanosPolicyNoSrcAnyDstAny/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── PanosPolicyNoSrcZoneAnyNoDstZoneAny/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── PanosZoneProtectionProfile/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── PanosZoneUserIDIncludeACL/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ └── pass.yaml
│ │ │ │ └── UriHttpsOnly/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail.yaml
│ │ │ │ └── pass.yaml
│ │ │ └── test_yaml_policies.py
│ │ ├── task/
│ │ │ ├── __init__.py
│ │ │ ├── aws/
│ │ │ │ ├── EC2EBSOptimized/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ ├── pass.yaml
│ │ │ │ │ └── unknown.yaml
│ │ │ │ ├── EC2PublicIP/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ ├── pass.yaml
│ │ │ │ │ └── unknown.yaml
│ │ │ │ └── __init__.py
│ │ │ └── builtin/
│ │ │ ├── AptAllowUnauthenticated/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail.yaml
│ │ │ │ └── pass.yaml
│ │ │ ├── AptForce/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail.yaml
│ │ │ │ └── pass.yaml
│ │ │ ├── GetUrlValidateCerts/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail.yaml
│ │ │ │ └── pass.yaml
│ │ │ ├── UriValidateCerts/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail.yaml
│ │ │ │ └── pass.yaml
│ │ │ ├── YumSslVerify/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail.yaml
│ │ │ │ └── pass.yaml
│ │ │ ├── YumValidateCerts/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail.yaml
│ │ │ │ └── pass.yaml
│ │ │ └── __init__.py
│ │ └── test_python_policies.py
│ ├── examples/
│ │ ├── blocks.yml
│ │ ├── empty_tasks.yml
│ │ ├── k8s_utf16.yaml
│ │ ├── nested_blocks.yml
│ │ ├── no_tasks.yml
│ │ ├── site.yml
│ │ ├── skip.yml
│ │ └── tasks.yml
│ ├── graph_builder/
│ │ ├── __init__.py
│ │ └── test_local_graph.py
│ ├── test_graph_manager.py
│ ├── test_runner.py
│ └── test_utils.py
├── argo_workflows/
│ ├── __init__.py
│ ├── checks/
│ │ ├── __init__.py
│ │ └── template/
│ │ ├── __init__.py
│ │ ├── example_DefaultServiceAccount/
│ │ │ ├── fail_default.yaml
│ │ │ ├── fail_none.yaml
│ │ │ └── pass.yaml
│ │ ├── example_RunAsNonRoot/
│ │ │ ├── fail.yaml
│ │ │ └── pass.yaml
│ │ ├── test_DefaultServiceAccount.py
│ │ └── test_RunAsNonRoot.py
│ ├── examples/
│ │ ├── argo_cd_application.yaml
│ │ ├── hello_world.yaml
│ │ └── scripts_python.yaml
│ └── test_runner.py
├── arm/
│ ├── __init__.py
│ ├── checks/
│ │ ├── __init__.py
│ │ ├── parameter/
│ │ │ ├── __init__.py
│ │ │ ├── test_SecureStringParameterNoHardcodedValue/
│ │ │ │ └── test_parameters.json
│ │ │ └── test_SecureStringParameterNoHardcodedValue.py
│ │ └── resource/
│ │ ├── __init__.py
│ │ ├── example_ACRAdminAccountDisabled/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_ACRAnonymousPullDisabled/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ ├── pass.json
│ │ │ ├── pass2.json
│ │ │ ├── pass3.json
│ │ │ ├── pass4.json
│ │ │ ├── pass5.json
│ │ │ └── pass6.json
│ │ ├── example_ACRContainerScanEnabled/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_ACREnableImageQuarantine/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_ACREnableZoneRedundancy/
│ │ │ ├── fail1.json
│ │ │ ├── fail2.json
│ │ │ ├── pass.json
│ │ │ └── pass2.json
│ │ ├── example_ACRPublicNetworkAccessDisabled/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_AKSApiServerAuthorizedIpRanges/
│ │ │ ├── aks-authIPRanges-preview-FAILED-3.json
│ │ │ ├── aks-authIPRanges-preview-FAILED.json
│ │ │ ├── aks-authIPRanges-preview-PASSED.json
│ │ │ ├── aks-authIPRanges-supported-FAILED-2.json
│ │ │ ├── aks-authIPRanges-supported-FAILED.json
│ │ │ ├── aks-authIPRanges-supported-PASSED.json
│ │ │ └── aks-authIPRanges-unsupported-FAILED.json
│ │ ├── example_AKSDashboardDisabled/
│ │ │ ├── AKSDashboardDisabled-FAILED.json
│ │ │ ├── AKSDashboardDisabled-FAILED2.json
│ │ │ ├── AKSDashboardDisabled-FAILED3.json
│ │ │ ├── AKSDashboardDisabled-FAILED4.json
│ │ │ └── AKSDashboardDisabled-PASSED.json
│ │ ├── example_AKSEncryptionAtHostEnabled/
│ │ │ ├── fail1.json
│ │ │ ├── fail2.json
│ │ │ ├── failA1.json
│ │ │ ├── failA2.json
│ │ │ ├── pass.json
│ │ │ └── passA.json
│ │ ├── example_AKSEphemeralOSDisks/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_AKSLocalAdminDisabled/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_AKSLoggingEnabled/
│ │ │ ├── AKSLoggingEnabled-FAILED2.json
│ │ │ ├── aksLoggingEnabled-FAILED.json
│ │ │ ├── aksLoggingEnabled-FAILED3.json
│ │ │ └── aksLoggingEnabled-PASSED.json
│ │ ├── example_AKSMaxPodsMinimum/
│ │ │ ├── agentPoolProfiles_with_maxPods_fail4.json
│ │ │ ├── agentPoolProfiles_with_maxPods_pass.json
│ │ │ ├── agentPoolProfiles_without_maxPods_fail3.json
│ │ │ ├── properties_with_maxPods_fail2.json
│ │ │ ├── properties_with_maxPods_pass1.json
│ │ │ └── properties_without_maxPods_fail.json
│ │ ├── example_AKSNetworkPolicy/
│ │ │ ├── aksNetworkPolicy-FAILED.json
│ │ │ ├── aksNetworkPolicy-FAILED2.json
│ │ │ ├── aksNetworkPolicy-FAILED3.json
│ │ │ ├── aksNetworkPolicy-FAILED4.json
│ │ │ └── aksNetworkPolicy-PASSED.json
│ │ ├── example_AKSPoolTypeIsScaleSet/
│ │ │ ├── fail.json
│ │ │ ├── pass.json
│ │ │ └── pass1.json
│ │ ├── example_AKSRbacEnabled/
│ │ │ ├── aksEnableRbac-FAILED.json
│ │ │ ├── aksEnableRbac-FAILED2.json
│ │ │ ├── aksEnableRbac-FAILED3.json
│ │ │ └── aksEnableRbac-PASSED.json
│ │ ├── example_AKSUpgradeChannel/
│ │ │ ├── fail.json
│ │ │ ├── fail1.json
│ │ │ └── pass.json
│ │ ├── example_APIManagementMinTLS12/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_APIManagementPublicAccess/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_APIServicesUseVirtualNetwork/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_AkSSecretStoreRotation/
│ │ │ ├── fail.json
│ │ │ ├── fail1.json
│ │ │ └── pass.json
│ │ ├── example_AppGWDefinesSecureProtocols/
│ │ │ ├── empty_sslPolicy_fail1.json
│ │ │ ├── with_policyName_fail3.json
│ │ │ ├── with_policyName_pass1.json
│ │ │ ├── with_protocolversion_and_cipher_fail2.json
│ │ │ ├── with_protocolversion_and_cipher_pass.json
│ │ │ └── without_sslPolicy_fail.json
│ │ ├── example_AppGatewayWAFACLCVE202144228/
│ │ │ ├── empty_disabled_rules_pass.json
│ │ │ ├── owasp_3_0_fail.json
│ │ │ ├── owasp_3_1_default_pass.json
│ │ │ ├── owasp_3_1_disabled_different_pass.json
│ │ │ ├── owasp_3_1_disabled_fail.json
│ │ │ ├── owasp_3_2_default_pass.json
│ │ │ └── version_3_1_default_pass.json
│ │ ├── example_AppServiceAuthentication/
│ │ │ ├── appServiceAuthentication-FAILED.json
│ │ │ ├── appServiceAuthentication-PASSED.json
│ │ │ └── appServiceAuthentication-PASSED2.json
│ │ ├── example_AppServiceClientCertificate/
│ │ │ ├── appServiceClientCertificate-FAILED.json
│ │ │ ├── appServiceClientCertificate-FAILED2.json
│ │ │ ├── appServiceClientCertificate-PASSED.json
│ │ │ └── appServiceClientCertificate-PASSED2.json
│ │ ├── example_AppServiceDetailedErrorMessagesEnabled/
│ │ │ ├── AppServiceDetailedErrorMessagesEnabled-failed.json
│ │ │ ├── AppServiceDetailedErrorMessagesEnabled-failed2.json
│ │ │ └── AppServiceDetailedErrorMessagesEnabled-passed.json
│ │ ├── example_AppServiceDisallowCORS/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_AppServiceDotnetFrameworkVersion/
│ │ │ ├── failed.json
│ │ │ └── passed.json
│ │ ├── example_AppServiceEnabledFailedRequest/
│ │ │ ├── AppServiceEnableFailedRequest-failed.json
│ │ │ └── AppServiceEnableFailedRequest-passed.json
│ │ ├── example_AppServiceFTPSState/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ ├── fail3.json
│ │ │ ├── pass.json
│ │ │ ├── pass2.json
│ │ │ └── pass3.json
│ │ ├── example_AppServiceHTTPSOnly/
│ │ │ ├── appServiceHTTPSOnly-FAILED.json
│ │ │ ├── appServiceHTTPSOnly-FAILED2.json
│ │ │ ├── appServiceHTTPSOnly-PASSED.json
│ │ │ └── appServiceHTTPSOnly-PASSED2.json
│ │ ├── example_AppServiceHttpLoggingEnabled/
│ │ │ ├── AppServiceHttpLoggingEnabled-failed.json
│ │ │ ├── AppServiceHttpLoggingEnabled-failed2.json
│ │ │ └── AppServiceHttpLoggingEnabled-passed.json
│ │ ├── example_AppServiceHttps20Enabled/
│ │ │ ├── appServiceHttps20Enabled-FAILED.json
│ │ │ ├── appServiceHttps20Enabled-FAILED2.json
│ │ │ ├── appServiceHttps20Enabled-FAILED3.json
│ │ │ ├── appServiceHttps20Enabled-PASSED.json
│ │ │ └── appServiceHttps20Enabled-PASSED2.json
│ │ ├── example_AppServiceIdentity/
│ │ │ ├── appServiceIdentity-FAILED.json
│ │ │ ├── appServiceIdentity-PASSED.json
│ │ │ └── appServiceIdentity-PASSED2.json
│ │ ├── example_AppServiceIdentityProviderEnabled/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_AppServiceInstanceMinimum/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ ├── pass.json
│ │ │ ├── pass2.json
│ │ │ ├── unknown.json
│ │ │ └── unknown2.json
│ │ ├── example_AppServiceJavaVersion/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_AppServiceMinTLSVersion/
│ │ │ ├── appServiceMinTLSVersion-FAILED.json
│ │ │ ├── appServiceMinTLSVersion-FAILED2.json
│ │ │ ├── appServiceMinTLSVersion-FAILED3.json
│ │ │ ├── appServiceMinTLSVersion-PASSED.json
│ │ │ └── appServiceMinTLSVersion-PASSED2.json
│ │ ├── example_AppServicePHPVersion/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_AppServicePlanZoneRedundant/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_AppServicePublicAccessDisabled/
│ │ │ ├── configFail.json
│ │ │ ├── configPass.json
│ │ │ ├── linuxDefault.json
│ │ │ ├── linuxFail.json
│ │ │ ├── linuxPass.json
│ │ │ ├── slotFail.json
│ │ │ ├── slotPass.json
│ │ │ ├── windowsDefault.json
│ │ │ ├── windowsFail.json
│ │ │ └── windowsPass.json
│ │ ├── example_AppServicePythonVersion/
│ │ │ ├── fail.json
│ │ │ ├── pass.json
│ │ │ └── unknown.json
│ │ ├── example_AppServiceRemoteDebuggingNotEnabled/
│ │ │ ├── fail.json
│ │ │ ├── pass.json
│ │ │ └── pass1.json
│ │ ├── example_AppServiceSetHealthCheck/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ ├── pass.json
│ │ │ └── pass2.json
│ │ ├── example_AppServiceSlotDebugDisabled/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ ├── pass.json
│ │ │ └── pass2.json
│ │ ├── example_AppServiceSlotHTTPSOnly/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ ├── pass.json
│ │ │ └── pass2.json
│ │ ├── example_AppServiceUsedAzureFiles/
│ │ │ ├── AppServiceEnableFailedRequest-failed.json
│ │ │ ├── AppServiceEnableFailedRequest-failed2.json
│ │ │ └── AppServiceUsedAzureFiles-passed.json
│ │ ├── example_AutomationEncrypted/
│ │ │ ├── fail.json
│ │ │ ├── fail1.json
│ │ │ └── pass.json
│ │ ├── example_AzureBatchAccountEndpointAccessDefaultAction.py/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_AzureBatchAccountUsesKeyVaultEncryption/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_AzureDataExplorerDoubleEncryptionEnabled/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_AzureDefenderOnKeyVaults/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_AzureDefenderOnKubernetes/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_AzureDefenderOnSqlServersVMS/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_AzureDefenderOnStorage/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_AzureFirewallDenyThreatIntelMode/
│ │ │ ├── CKV_AZURE_216.fail.json
│ │ │ ├── CKV_AZURE_216.fail2.json
│ │ │ └── CKV_AZURE_216.pass.json
│ │ ├── example_AzureFrontDoorEnablesWAF/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_AzureInstanceExtensions/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_AzureInstancePassword/
│ │ │ ├── FAILED.json
│ │ │ ├── PASSED.json
│ │ │ ├── UNKNOWN.json
│ │ │ └── UNKNOWN_1.json
│ │ ├── example_AzureMLWorkspacePrivateEndpoint/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ ├── pass.json
│ │ │ └── pass2.json
│ │ ├── example_AzureManagedDiscEncryption/
│ │ │ ├── azureManagedDiscEncryption-FAILED.json
│ │ │ ├── azureManagedDiscEncryption-PASSED.json
│ │ │ ├── azureManagedDiscEncryption-PASSED_2.json
│ │ │ └── azureManagedDiscEncryption-PASSED_3.json
│ │ ├── example_AzureManagedDiskEncryptionSet/
│ │ │ ├── azureManagedDiskEncyptionSet-FAILED.json
│ │ │ └── azureManagedDiskEncyptionSet-PASSED.json
│ │ ├── example_AzureScaleSetPassword/
│ │ │ ├── FAILED.json
│ │ │ ├── PASSED.json
│ │ │ └── UNKNOWN.json
│ │ ├── example_AzureSearchSLAIndex/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_AzureSearchSLAQueryUpdates/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_AzureServiceFabricClusterProtectionLevel/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_AzureSparkPoolIsolatedComputeEnabled/
│ │ │ ├── fail1.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_AzureSynapseWorkspaceVAisEnabled/
│ │ │ ├── fail1.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached/
│ │ │ ├── fail.json
│ │ │ ├── pass.json
│ │ │ └── pass2.json
│ │ ├── example_CognitiveServicesConfigureIdentity/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_CognitiveServicesDisablesPublicNetwork/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_CognitiveServicesEnableLocalAuth/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_CosmosDBAccountsRestrictedAccess/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ ├── fail3.json
│ │ │ ├── fail4.json
│ │ │ ├── pass.json
│ │ │ ├── pass2.json
│ │ │ ├── pass3.json
│ │ │ └── pass4.json
│ │ ├── example_CosmosDBDisableAccessKeyWrite/
│ │ │ ├── CosmosDBDisableAccessKeyWrite-FAILED.json
│ │ │ └── CosmosDBDisableAccessKeyWrite-PASSED.json
│ │ ├── example_CosmosDBDisablesPublicNetwork/
│ │ │ ├── Fail.json
│ │ │ ├── Fail2.json
│ │ │ ├── Fail3.json
│ │ │ └── Pass.json
│ │ ├── example_CosmosDBHaveCMK/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_CosmosDBLocalAuthDisabled/
│ │ │ ├── fail.json
│ │ │ ├── fail1.json
│ │ │ ├── pass.json
│ │ │ └── unknown.json
│ │ ├── example_CustomRoleDefinitionSubscriptionOwner/
│ │ │ ├── example_customRoleDefinitionSubscriptionOwner-FAILED.json
│ │ │ └── example_customRoleDefinitionSubscriptionOwner-PASSED.json
│ │ ├── example_DataExplorerUsesDiskEncryption/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_DataFactoryNoPublicNetworkAccess/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_DataFactoryUsesGitRepository/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ ├── pass.json
│ │ │ └── unknown.json
│ │ ├── example_DataLakeStoreEncryption/
│ │ │ ├── fail.json
│ │ │ ├── pass.json
│ │ │ └── pass2.json
│ │ ├── example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_DatabricksWorkspaceIsNotPublic/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ ├── pass.json
│ │ │ └── pass2.json
│ │ ├── example_EventHubNamespaceMinTLS12/
│ │ │ ├── fail.json
│ │ │ ├── pass.json
│ │ │ └── pass2.json
│ │ ├── example_EventgridTopicIdentityProviderEnabled/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_EventgridTopicLocalAuthentication/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_EventgridTopicNetworkAccess/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_FrontDoorWAFACLCVE202144228/
│ │ │ ├── fail1.json
│ │ │ ├── fail3.json
│ │ │ ├── fail4.json
│ │ │ ├── pass1.json
│ │ │ ├── pass2.json
│ │ │ ├── pass3.json
│ │ │ └── pass4.json
│ │ ├── example_FrontdoorUseWAFMode/
│ │ │ ├── example_FrontdoorUseWAFMode-FAILED.json
│ │ │ └── example_FrontdoorUseWAFMode-PASSED.json
│ │ ├── example_FunctionAppDisallowCORS/
│ │ │ ├── fail.json
│ │ │ ├── pass.json
│ │ │ └── pass_with_cors.json
│ │ ├── example_FunctionAppHttpVersionLatest/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ ├── pass.json
│ │ │ └── pass2.json
│ │ ├── example_FunctionAppMinTLSVersion/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ ├── pass.json
│ │ │ ├── pass2.json
│ │ │ ├── pass3.json
│ │ │ └── pass4.json
│ │ ├── example_FunctionAppsAccessibleOverHttps/
│ │ │ ├── sites_config_fail.json
│ │ │ ├── sites_config_pass.json
│ │ │ ├── sites_config_pass1.json
│ │ │ ├── sites_fail.json
│ │ │ ├── sites_fail1.json
│ │ │ └── sites_pass.json
│ │ ├── example_FunctionAppsEnableAuthentication/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ ├── pass.json
│ │ │ └── pass2.json
│ │ ├── example_KeyBackedByHSM/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_KeyExpirationDate/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_KeyVaultDisablesPublicNetworkAccess/
│ │ │ ├── fail1.json
│ │ │ ├── fail2.json
│ │ │ ├── fail3.json
│ │ │ ├── fail4.json
│ │ │ ├── fail5.json
│ │ │ ├── pass1.json
│ │ │ ├── pass2.json
│ │ │ ├── pass3.json
│ │ │ └── pass4.json
│ │ ├── example_KeyVaultEnablesFirewallRulesSettings/
│ │ │ ├── KeyVaultEnablesFirewallRulesSettings-FAILED.json
│ │ │ └── KeyVaultEnablesFirewallRulesSettings-PASSED.json
│ │ ├── example_KeyVaultEnablesPurgeProtection/
│ │ │ ├── fail1.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_KeyVaultEnablesSoftDelete/
│ │ │ ├── fail.json
│ │ │ ├── pass.json
│ │ │ └── pass2.json
│ │ ├── example_KeyvaultRecoveryEnabled/
│ │ │ ├── keyvaultRecoveryEnabled-FAILED.json
│ │ │ ├── keyvaultRecoveryEnabled-FAILED2.json
│ │ │ └── keyvaultRecoveryEnabled-PASSED.json
│ │ ├── example_LinuxVMUsesSSH/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_MSSQLServerMinTLSVersion/
│ │ │ ├── fail.json
│ │ │ ├── pass.json
│ │ │ └── pass2.json
│ │ ├── example_MariaDBGeoBackupEnabled/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_MariaDBPublicAccessDisabled/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_MariaDBSSLEnforcementEnabled/
│ │ │ ├── FAILED.json
│ │ │ ├── FAILED_2.json
│ │ │ └── PASSED.json
│ │ ├── example_MonitorLogProfileCategories/
│ │ │ ├── monitorLogProfileCategories-FAILED.json
│ │ │ └── monitorLogProfileCategories-PASSED.json
│ │ ├── example_MonitorLogProfileRetentionDays/
│ │ │ ├── monitorLogProfileRetentionDays-FAILED.json
│ │ │ ├── monitorLogProfileRetentionDays-FAILED2.json
│ │ │ └── monitorLogProfileRetentionDays-PASSED.json
│ │ ├── example_MySQLEncryptionEnabled/
│ │ │ ├── fail.json
│ │ │ ├── pass.json
│ │ │ └── unknown.json
│ │ ├── example_MySQLGeoBackupEnabled/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_MySQLServerMinTLSVersion/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_MySQLServerSSLEnforcementEnabled/
│ │ │ ├── mysqlSSLEnforcementEnabled-FAILED.json
│ │ │ ├── mysqlSSLEnforcementEnabled-FAILED2.json
│ │ │ └── mysqlSSLEnforcementEnabled-PASSED.json
│ │ ├── example_NSGRuleHTTPAccessRestricted/
│ │ │ ├── NSGRulePortAccessRestricted-FAILED.json
│ │ │ ├── NSGRulePortAccessRestricted-RULE-1Pass-1Fail.json
│ │ │ └── NSGRulePortAccessRestricted-RULE-PASSED.json
│ │ ├── example_NSGRuleRDPAccessRestricted/
│ │ │ ├── NSGRulePortAccessRestricted-FAILED.json
│ │ │ ├── NSGRulePortAccessRestricted-RULE-1Pass-1Fail.json
│ │ │ └── NSGRulePortAccessRestricted-RULE-PASSED.json
│ │ ├── example_NSGRuleSSHAccessRestricted/
│ │ │ ├── NSGRulePortAccessRestricted-FAILED.json
│ │ │ ├── NSGRulePortAccessRestricted-RULE-1Pass-1Fail.json
│ │ │ └── NSGRulePortAccessRestricted-RULE-PASSED.json
│ │ ├── example_NetworkWatcherFlowLogPeriod/
│ │ │ ├── networkWatcherFlowLogPeriod-FAILED.json
│ │ │ ├── networkWatcherFlowLogPeriod-FAILED2.json
│ │ │ ├── networkWatcherFlowLogPeriod-FAILED3.json
│ │ │ ├── networkWatcherFlowLogPeriod-FAILED4.json
│ │ │ └── networkWatcherFlowLogPeriod-PASSED.json
│ │ ├── example_PostgreSQLEncryptionEnabled/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_PostgreSQLServerConnectionThrottlingEnabled/
│ │ │ ├── postgreSQL-ConnectionThrottlingEnabled-FAILED.json
│ │ │ ├── postgreSQL-ConnectionThrottlingEnabled-PASSED.json
│ │ │ └── postgreSQL-ConnectionThrottlingEnabled-PASSED2.json
│ │ ├── example_PostgreSQLServerLogCheckpointsEnabled/
│ │ │ ├── postgreSQL-LogCheckpointsEnabled-FAILED.json
│ │ │ ├── postgreSQL-LogCheckpointsEnabled-PASSED.json
│ │ │ └── postgreSQL-LogCheckpointsEnabled-PASSED2.json
│ │ ├── example_PostgreSQLServerLogConnectionsEnabled/
│ │ │ ├── postgreSQL-LogConnectionsEnabled-FAILED.json
│ │ │ ├── postgreSQL-LogConnectionsEnabled-PASSED.json
│ │ │ └── postgreSQL-LogConnectionsEnabled-PASSED2.json
│ │ ├── example_PostgreSQLServerPublicAccessDisable/
│ │ │ ├── fail1.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_PostgreSQLServerSSLEnforcementEnabled/
│ │ │ ├── postgreSQL-SSL-FAILED.json
│ │ │ ├── postgreSQL-SSL-FAILED2.json
│ │ │ └── postgreSQL-SSL-PASSED.json
│ │ ├── example_PostgressSQLGeoBackupEnabled/
│ │ │ ├── fail1.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_PubsubSKUSLA/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_PubsubSpecifyIdentity/
│ │ │ ├── fail.json
│ │ │ ├── pass.json
│ │ │ └── pass2.json
│ │ ├── example_RedisCachePublicNetworkAccessEnabled/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_SQLDatabaseZoneRedundant/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_SQLServerAuditingEnabled/
│ │ │ ├── sqlServerAuditingEnabled-PASSED.json
│ │ │ ├── sqlServerAuditingEnabled-TDE-FAILED.json
│ │ │ └── sqlServerDatabaseAuditingEnabled-PASSED.json
│ │ ├── example_SQLServerAuditingRetention90Days/
│ │ │ ├── sqlServerAuditingRetention90Days-2021-05-PASSED.json
│ │ │ ├── sqlServerAuditingRetention90Days-FAILED2.json
│ │ │ ├── sqlServerAuditingRetention90Days-FAILED3.json
│ │ │ ├── sqlServerAuditingRetention90Days-PASSED.json
│ │ │ ├── sqlServerAuditingRetention90Days-PASSED2.json
│ │ │ └── sqlServerAuditingRetention90Days-TDE-FAILED.json
│ │ ├── example_SQLServerEmailAlertsEnabled/
│ │ │ ├── sqlServerEmailAlertsEnabled-FAILED.json
│ │ │ └── sqlServerEmailAlertsEnabled-PASSED.json
│ │ ├── example_SQLServerEmailAlertsToAdminsEnabled/
│ │ │ ├── sqlServerEmailAlertsToAdminsEnabled-FAILED.json
│ │ │ └── sqlServerEmailAlertsToAdminsEnabled-PASSED.json
│ │ ├── example_SQLServerHasPublicAccessDisabled/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_SQLServerNoPublicAccess/
│ │ │ ├── sqlServerNoPublicAccess-TDE-FAILED.json
│ │ │ └── sqlServerNoPublicAccess-TDE-PASSED.json
│ │ ├── example_SQLServerThreatDetectionTypes/
│ │ │ ├── sqlServerThreatDetectionTypes-FAILED.json
│ │ │ ├── sqlServerThreatDetectionTypes-PASSED.json
│ │ │ └── sqlServerThreatDetectionTypes-PASSED2.json
│ │ ├── example_SQLServerUsesADAuth/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_SecretContentType/
│ │ │ ├── SecretExpirationDate-FAILED.json
│ │ │ └── SecretExpirationDate-PASSED.json
│ │ ├── example_SecretExpirationDate/
│ │ │ ├── SecretExpirationDate-FAILED.json
│ │ │ └── SecretExpirationDate-PASSED.json
│ │ ├── example_SecurityCenter/
│ │ │ ├── securityCenter-FAILED.json
│ │ │ └── securityCenter-PASSED.json
│ │ ├── example_SkipJsonRegex/
│ │ │ ├── skip1.json
│ │ │ ├── skip2/
│ │ │ │ ├── skip1.json
│ │ │ │ └── skip2.json
│ │ │ └── skip2.json
│ │ ├── example_StorageAccountAzureServicesAccessEnabled/
│ │ │ ├── storageAccountAzureServicesAccessEnabled-FAILED.json
│ │ │ ├── storageAccountAzureServicesAccessEnabled-FAILED2.json
│ │ │ ├── storageAccountAzureServicesAccessEnabled-PASSED.json
│ │ │ ├── storageAccountAzureServicesAccessEnabled-PASSED2.json
│ │ │ ├── storageAccountAzureServicesAccessEnabled-UNKNOWN.json
│ │ │ └── storageAccountAzureServicesAccessEnabled-VARIABLE.json
│ │ ├── example_StorageAccountDefaultNetworkAccessDeny/
│ │ │ ├── storageAccountDefaultNetworkAccessDeny-FAILED.json
│ │ │ ├── storageAccountDefaultNetworkAccessDeny-FAILED2.json
│ │ │ ├── storageAccountDefaultNetworkAccessDeny-PASSED.json
│ │ │ ├── storageAccountDefaultNetworkAccessDeny-PASSED2.json
│ │ │ └── storageAccountDefaultNetworkAccessDeny-UNKNOWN.json
│ │ ├── example_StorageAccountDisablePublicAccess/
│ │ │ ├── FAILED.json
│ │ │ ├── PASSED.json
│ │ │ └── PASSED_2.json
│ │ ├── example_StorageAccountLoggingQueueServiceEnabled/
│ │ │ ├── exampleStorageAccountLoggingQueueServiceEnabled-Failed.json
│ │ │ ├── exampleStorageAccountLoggingQueueServiceEnabled-Failed2.json
│ │ │ └── exampleStorageAccountLoggingQueueServiceEnabled-PASSED.json
│ │ ├── example_StorageAccountMinimumTlsVersion/
│ │ │ ├── exampleStorageAccountMinimumTlsVersion-fail1.json
│ │ │ ├── exampleStorageAccountMinimumTlsVersion-fail2.json
│ │ │ ├── exampleStorageAccountMinimumTlsVersion-fail3.json
│ │ │ └── exampleStorageAccountMinimumTlsVersion-passed.json
│ │ ├── example_StorageAccountName/
│ │ │ ├── camelCase.json
│ │ │ ├── kebabCase.json
│ │ │ ├── pass.json
│ │ │ ├── passNumber.json
│ │ │ ├── substring.bicep
│ │ │ └── tooLong.json
│ │ ├── example_StorageAccountsTransportEncryption/
│ │ │ ├── notes.txt
│ │ │ ├── storageAccount-FAILED.json
│ │ │ ├── storageAccount-FAILED2.json
│ │ │ ├── storageAccount-PASSED.json
│ │ │ ├── storageAccount-PASSED2.json
│ │ │ ├── storageAccount-PASSED3.json
│ │ │ ├── storageAccount-SKIPPED.json
│ │ │ ├── storageAccount-SKIPPED2.json
│ │ │ └── storageAccount-SKIPPED3.json
│ │ ├── example_StorageAccountsUseReplication/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_StorageBlobServiceContainerPrivateAccess/
│ │ │ ├── storageBlobServiceContainerPrivateAccess-FAILED.json
│ │ │ ├── storageBlobServiceContainerPrivateAccess-PASSED.json
│ │ │ └── storageBlobServiceContainerPrivateAccess-PASSED2.json
│ │ ├── example_StorageSyncPublicAccessDisabled/
│ │ │ ├── fail1.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_SynapseWorkspaceAdministratorLoginPasswordHidden/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_SynapseWorkspaceCMKEncryption/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_SynapseWorkspaceEnablesDataExfilProtection/
│ │ │ ├── fail1.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── example_SynapseWorkspaceEnablesManagedVirtualNetworks/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_TestMySQLPublicAccessDisabled/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ ├── pass.json
│ │ │ └── pass2.json
│ │ ├── example_VMCredsInCustomData/
│ │ │ ├── fail-secret.json
│ │ │ ├── pass-empty-os-profile.json
│ │ │ ├── pass-no-custom-date.json
│ │ │ ├── pass-no-os-profile.json
│ │ │ └── pass-no-secret.json
│ │ ├── example_VMDisablePasswordAuthentication/
│ │ │ ├── failed-vm.json
│ │ │ ├── failed.json
│ │ │ ├── passed-vm.json
│ │ │ └── passed.json
│ │ ├── example_VMEncryptionAtHostEnabled/
│ │ │ ├── scaleset-fail.json
│ │ │ ├── scaleset-fail2.json
│ │ │ ├── scaleset-pass.json
│ │ │ ├── vm-fail.json
│ │ │ ├── vm-fail2.json
│ │ │ └── vm-pass.json
│ │ ├── example_VMScaleSetsAutoOSImagePatchingEnabled/
│ │ │ ├── fail-windows.json
│ │ │ ├── fail-windows2.json
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ ├── pass-windows.json
│ │ │ └── pass.json
│ │ ├── example_VMStorageOsDisk/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ ├── pass.json
│ │ │ └── pass2.json
│ │ ├── example_VnetLocalDNS/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ ├── fail3.json
│ │ │ ├── pass.json
│ │ │ ├── pass2.json
│ │ │ ├── unknown.json
│ │ │ └── unknown2.json
│ │ ├── example_VnetSingleDNSServer/
│ │ │ ├── fail.json
│ │ │ ├── fail2.json
│ │ │ ├── fail3.json
│ │ │ ├── pass.json
│ │ │ ├── pass2.json
│ │ │ ├── pass3.json
│ │ │ └── pass4.json
│ │ ├── example_WildcardEntities/
│ │ │ └── main.json
│ │ ├── example_WinVMAutomaticUpdates/
│ │ │ ├── fail.json
│ │ │ └── pass.json
│ │ ├── example_WinVMEncryptionAtHost/
│ │ │ ├── failed.json
│ │ │ └── passed.json
│ │ ├── test_ACRAdminAccountDisabled.py
│ │ ├── test_ACRAnonymousPullDisabled.py
│ │ ├── test_ACRContainerScanEnabled.py
│ │ ├── test_ACREnableImageQuarantine.py
│ │ ├── test_ACREnableZoneRedundancy.py
│ │ ├── test_ACRPublicNetworkAccessDisabled.py
│ │ ├── test_AKSApiServerAuthorizedIpRanges.py
│ │ ├── test_AKSDashboardDisabled.py
│ │ ├── test_AKSEncryptionAtHostEnabled.py
│ │ ├── test_AKSEphemeralOSDisks.py
│ │ ├── test_AKSLocalAdminDisabled.py
│ │ ├── test_AKSLoggingEnabled.py
│ │ ├── test_AKSMaxPodsMinimum.py
│ │ ├── test_AKSNetworkPolicy.py
│ │ ├── test_AKSPoolTypeIsScaleSet.py
│ │ ├── test_AKSRbacEnabled.py
│ │ ├── test_AKSUpgradeChannel.py
│ │ ├── test_APIManagementMinTLS12.py
│ │ ├── test_APIManagementPublicAccess.py
│ │ ├── test_APIServicesUseVirtualNetwork.py
│ │ ├── test_AkSSecretStoreRotation.py
│ │ ├── test_AppGWDefinesSecureProtocols.py
│ │ ├── test_AppGatewayWAFACLCVE202144228.py
│ │ ├── test_AppServiceAuthentication.py
│ │ ├── test_AppServiceClientCertificate.py
│ │ ├── test_AppServiceDetailedErrorMessagesEnabled.py
│ │ ├── test_AppServiceDisallowCORS.py
│ │ ├── test_AppServiceDotnetFrameworkVersion.py
│ │ ├── test_AppServiceEnabledFailedRequest.py
│ │ ├── test_AppServiceFTPSState.py
│ │ ├── test_AppServiceHTTPSOnly.py
│ │ ├── test_AppServiceHttpLoggingEnabled.py
│ │ ├── test_AppServiceHttps20Enabled.py
│ │ ├── test_AppServiceIdentity.py
│ │ ├── test_AppServiceIdentityProviderEnabled.py
│ │ ├── test_AppServiceInstanceMinimum.py
│ │ ├── test_AppServiceJavaVersion.py
│ │ ├── test_AppServiceMinTLSVersion.py
│ │ ├── test_AppServicePHPVersion.py
│ │ ├── test_AppServicePlanZoneRedundant.py
│ │ ├── test_AppServicePublicAccessDisabled.py
│ │ ├── test_AppServicePythonVersion.py
│ │ ├── test_AppServiceRemoteDebuggingNotEnabled.py
│ │ ├── test_AppServiceSetHealthCheck.py
│ │ ├── test_AppServiceSlotDebugDisabled.py
│ │ ├── test_AppServiceSlotHTTPSOnly.py
│ │ ├── test_AppServiceUsedAzureFiles.py
│ │ ├── test_AutomationEncrypted.py
│ │ ├── test_AzureBatchAccountEndpointAccessDefaultAction.py
│ │ ├── test_AzureBatchAccountUsesKeyVaultEncryption.py
│ │ ├── test_AzureDataExplorerDoubleEncryptionEnabled.py
│ │ ├── test_AzureDefenderOnKeyVaults.py
│ │ ├── test_AzureDefenderOnKubernetes.py
│ │ ├── test_AzureDefenderOnSqlServersVMS.py
│ │ ├── test_AzureDefenderOnStorage.py
│ │ ├── test_AzureFirewallDenyThreatIntelMode.py
│ │ ├── test_AzureFrontDoorEnablesWAF.py
│ │ ├── test_AzureInstanceExtensions.py
│ │ ├── test_AzureInstancePassword.py
│ │ ├── test_AzureMLWorkspacePrivateEndpoint.py
│ │ ├── test_AzureManagedDiscEncryption.py
│ │ ├── test_AzureManagedDiscEncryptionSet.py
│ │ ├── test_AzureScaleSetPassword.py
│ │ ├── test_AzureSearchSLAIndex.py
│ │ ├── test_AzureSearchSLAQueryUpdates.py
│ │ ├── test_AzureServiceFabricClusterProtectionLevel.py
│ │ ├── test_AzureSparkPoolIsolatedComputeEnabled.py
│ │ ├── test_AzureSynapseWorkspaceVAisEnabled.py
│ │ ├── test_AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py
│ │ ├── test_CognitiveServicesConfigureIdentity.py
│ │ ├── test_CognitiveServicesDisablesPublicNetwork.py
│ │ ├── test_CognitiveServicesEnableLocalAuth.py
│ │ ├── test_CosmosDBAccountsRestrictedAccess.py
│ │ ├── test_CosmosDBDisableAccessKeyWrite.py
│ │ ├── test_CosmosDBDisablesPublicNetwork.py
│ │ ├── test_CosmosDBHaveCMK.py
│ │ ├── test_CosmosDBLocalAuthDisabled.py
│ │ ├── test_CustomRoleDefinitionSubscriptionOwner.py
│ │ ├── test_DataExplorerUsesDiskEncryption.py
│ │ ├── test_DataFactoryNoPublicNetworkAccess.py
│ │ ├── test_DataFactoryUsesGitRepository.py
│ │ ├── test_DataLakeStoreEncryption.py
│ │ ├── test_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py
│ │ ├── test_DatabricksWorkspaceDataPlaneToControlPlaneCommunicateOverPrivateLink.py
│ │ ├── test_EventHubNamespaceMinTLS12.py
│ │ ├── test_EventgridTopicIdentityProviderEnabled.py
│ │ ├── test_EventgridTopicLocalAuthentication.py
│ │ ├── test_EventgridTopicNetworkAccess.py
│ │ ├── test_FrontDoorWAFACLCVE202144228.py
│ │ ├── test_FrontdoorUseWAFMode.py
│ │ ├── test_FunctionAppDisallowCORS.py
│ │ ├── test_FunctionAppHttpVersionLatest.py
│ │ ├── test_FunctionAppMinTLSVersion.py
│ │ ├── test_FunctionAppsAccessibleOverHttps.py
│ │ ├── test_FunctionAppsEnableAuthentication.py
│ │ ├── test_KeyBackedByHSM.py
│ │ ├── test_KeyExpirationDate.py
│ │ ├── test_KeyVaultDisablesPublicNetworkAccess.py
│ │ ├── test_KeyVaultEnablesFirewallRulesSettings.py
│ │ ├── test_KeyVaultEnablesPurgeProtection.py
│ │ ├── test_KeyVaultEnablesSoftDelete.py
│ │ ├── test_KeyvaultRecoveryEnabled.py
│ │ ├── test_LinuxVMUsesSSH.py
│ │ ├── test_MSSQLServerMinTLSVersion.py
│ │ ├── test_MariaDBGeoBackupEnabled.py
│ │ ├── test_MariaDBPublicAccessDisabled.py
│ │ ├── test_MariaDBSSLEnforcementEnabled.py
│ │ ├── test_MonitorLogProfileCategories.py
│ │ ├── test_MonitorLogRetentionDays.py
│ │ ├── test_MySQLEncryptionEnabled.py
│ │ ├── test_MySQLGeoBackupEnabled.py
│ │ ├── test_MySQLPublicAccessDisabled.py
│ │ ├── test_MySQLServerMinTLSVersion.py
│ │ ├── test_MySQLServerSSLEnforcementEnabled.py
│ │ ├── test_NSGRuleHTTPAccessRestricted.py
│ │ ├── test_NSGRuleRDPAccessRestricted.py
│ │ ├── test_NSGRuleSSHAccessRestricted.py
│ │ ├── test_NetworkWatcherFlowLogPeriod.py
│ │ ├── test_PostgreSQLEncryptionEnabled.py
│ │ ├── test_PostgreSQLServerConnectionThrottlingEnabled.py
│ │ ├── test_PostgreSQLServerLogCheckpointsEnabled.py
│ │ ├── test_PostgreSQLServerLogConnectionsEnabled.py
│ │ ├── test_PostgreSQLServerPublicAccessDisabled.py
│ │ ├── test_PostgreSQLServerSSLEnforcementEnabled.py
│ │ ├── test_PostgressSQLGeoBackupEnabled.py
│ │ ├── test_PubsubSKUSLA.py
│ │ ├── test_PubsubSpecifyIdentity.py
│ │ ├── test_RedisCachePublicNetworkAccessEnabled.py
│ │ ├── test_SQLDatabaseZoneRedundant.py
│ │ ├── test_SQLServerAuditingEnabled.py
│ │ ├── test_SQLServerAuditingRetention90Days.py
│ │ ├── test_SQLServerEmailAlertsEnabled.py
│ │ ├── test_SQLServerEmailAlertsToAdminsEnabled.py
│ │ ├── test_SQLServerHasPublicAccessDisabled.py
│ │ ├── test_SQLServerNoPublicAccess.py
│ │ ├── test_SQLServerThreatDetectionTypes.py
│ │ ├── test_SQLServerUsesADAuth.py
│ │ ├── test_SecretContentType.py
│ │ ├── test_SecretExpirationDate.py
│ │ ├── test_SecurityCenterContactEmailAlert.py
│ │ ├── test_SecurityCenterContactEmailAlertAdmins.py
│ │ ├── test_SecurityCenterContactPhone.py
│ │ ├── test_SecurityCenterStandardPricing.py
│ │ ├── test_SkipJsonRegexPattern.py
│ │ ├── test_StorageAccountAzureServicesAccessEnabled.py
│ │ ├── test_StorageAccountDefaultNetworkAccessDeny.py
│ │ ├── test_StorageAccountDisablePublicAccess.py
│ │ ├── test_StorageAccountLoggingQueueServiceEnabled.py
│ │ ├── test_StorageAccountMinimumTlsVersion.py
│ │ ├── test_StorageAccountName.py
│ │ ├── test_StorageAccountsTransportEncryption.py
│ │ ├── test_StorageAccountsUseReplication.py
│ │ ├── test_StorageBlobServiceContainerPrivateAccess.py
│ │ ├── test_StorageSyncPublicAccessDisabled.py
│ │ ├── test_SynapseWorkspaceAdministratorLoginPasswordHidden.py
│ │ ├── test_SynapseWorkspaceCMKEncryption.py
│ │ ├── test_SynapseWorkspaceEnablesDataExfilProtection.py
│ │ ├── test_SynapseWorkspaceEnablesManagedVirtualNetworks.py
│ │ ├── test_VMCredsInCustomData.py
│ │ ├── test_VMDisablePasswordAuthentication.py
│ │ ├── test_VMEncryptionAtHostEnabled.py
│ │ ├── test_VMScaleSetsAutoOSImagePatchingEnabled.py
│ │ ├── test_VMStorageOsDisk.py
│ │ ├── test_VnetLocalDNS.py
│ │ ├── test_VnetSingleDNSServer.py
│ │ ├── test_WinVMAutomaticUpdates.py
│ │ ├── test_WinVMEncryptionAtHost.py
│ │ └── test_wildcard_entities.py
│ ├── examples/
│ │ ├── ExplicitDepsResources/
│ │ │ ├── interface.json
│ │ │ ├── storage.json
│ │ │ └── subnet.json
│ │ ├── ImplicitDepsResources/
│ │ │ ├── interface.json
│ │ │ ├── storage.json
│ │ │ └── subnet.json
│ │ ├── container_instance.json
│ │ └── convert_def_test.json
│ ├── graph_builder/
│ │ ├── __init__.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── resources/
│ │ │ │ ├── AzureMLWorkspacePublicNetwork/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.json
│ │ │ │ │ ├── pass.json
│ │ │ │ │ └── pass2.json
│ │ │ │ ├── AzureSpringCloudConfigWithVnet/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.json
│ │ │ │ │ └── pass.json
│ │ │ │ ├── SynapseLogMonitoringEnabledForSQLPool/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.json
│ │ │ │ │ └── pass.json
│ │ │ │ ├── SynapseSQLPoolHasSecurityAlertPolicy/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail1.json
│ │ │ │ │ ├── fail2.json
│ │ │ │ │ └── pass.json
│ │ │ │ ├── SynapseSQLPoolHasVulnerabilityAssessment/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.json
│ │ │ │ │ ├── fail2.json
│ │ │ │ │ └── pass.json
│ │ │ │ └── SynapseWorkspaceHasExtendedAuditLogs/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail1.json
│ │ │ │ ├── fail2.json
│ │ │ │ └── pass.json
│ │ │ └── test_yaml_policies.py
│ │ └── test_local_graph.py
│ ├── parser/
│ │ ├── __init__.py
│ │ ├── examples/
│ │ │ └── json/
│ │ │ ├── mariadb.json
│ │ │ ├── normal.json
│ │ │ └── with_comments.json
│ │ └── test_parser.py
│ ├── rendering/
│ │ ├── __init__.py
│ │ ├── test_rendering.json
│ │ └── test_rendering.py
│ ├── runner/
│ │ ├── __init__.py
│ │ ├── resources/
│ │ │ ├── example.json
│ │ │ ├── invalid.json
│ │ │ └── no_resource.json
│ │ └── test_runner.py
│ ├── test_graph_manager.py
│ ├── test_scanner_registry.py
│ └── test_utils.py
├── azure_pipelines/
│ ├── __init__.py
│ ├── checks/
│ │ ├── __init__.py
│ │ └── jobs/
│ │ ├── __init__.py
│ │ ├── example_ContainerDigest/
│ │ │ └── azure-pipelines.yml
│ │ ├── example_ContainerLatestTag/
│ │ │ └── azure-pipelines.yml
│ │ ├── example_SetSecretVariable/
│ │ │ └── azure-pipelines.yml
│ │ ├── test_ContainerDigest.py
│ │ ├── test_ContainerLatestTag.py
│ │ └── test_SetSecretVariable.py
│ ├── conftest.py
│ ├── examples/
│ │ └── azure-pipelines.yml
│ ├── resources/
│ │ └── azure-pipelines.yaml
│ ├── test_resource_names.py
│ └── test_runner.py
├── bicep/
│ ├── __init__.py
│ ├── checks/
│ │ ├── __init__.py
│ │ ├── param/
│ │ │ ├── __init__.py
│ │ │ └── azure/
│ │ │ ├── __init__.py
│ │ │ ├── example_SecureStringParameterNoHardcodedValue/
│ │ │ │ └── main.bicep
│ │ │ └── test_SecureStringParameterNoHardcodedValue.py
│ │ └── resource/
│ │ ├── __init__.py
│ │ └── azure/
│ │ ├── __init__.py
│ │ ├── example_AKSApiServerAuthorizedIpRanges/
│ │ │ └── main.bicep
│ │ ├── example_AKSDashboardDisabled/
│ │ │ └── main.bicep
│ │ ├── example_AKSLoggingEnabled/
│ │ │ └── main.bicep
│ │ ├── example_AKSNetworkPolicy/
│ │ │ └── main.bicep
│ │ ├── example_AKSRbacEnabled/
│ │ │ └── main.bicep
│ │ ├── example_AzureFirewallDenyThreatIntelMode/
│ │ │ ├── CKV_AZURE_216.fail.bicep
│ │ │ ├── CKV_AZURE_216.fail2.bicep
│ │ │ └── CKV_AZURE_216.pass.bicep
│ │ ├── example_AzureFrontDoorEnablesWAF/
│ │ │ ├── fail.bicep
│ │ │ └── pass.bicep
│ │ ├── example_AzureManagedDiscEncryption/
│ │ │ └── main.bicep
│ │ ├── example_FrontdoorUseWAFMode/
│ │ │ ├── example_FrontdoorUseWAFMode-FAILED.bicep
│ │ │ └── example_FrontdoorUseWAFMode-PASSED.bicep
│ │ ├── example_MonitorLogProfileCategories/
│ │ │ └── main.bicep
│ │ ├── example_MonitorLogProfileRetentionDays/
│ │ │ └── main.bicep
│ │ ├── example_StorageAccountAzureServicesAccessEnabled/
│ │ │ └── main.bicep
│ │ ├── example_StorageAccountDefaultNetworkAccessDeny/
│ │ │ └── main.bicep
│ │ ├── example_StorageAccountsTransportEncryption/
│ │ │ └── main.bicep
│ │ ├── example_VMEncryptionAtHostEnabled/
│ │ │ └── main.bicep
│ │ ├── test_AKSApiServerAuthorizedIpRanges.py
│ │ ├── test_AKSDashboardDisabled.py
│ │ ├── test_AKSLoggingEnabled.py
│ │ ├── test_AKSNetworkPolicy.py
│ │ ├── test_AKSRbacEnabled.py
│ │ ├── test_AzureFirewallDenyThreatIntelMode.py
│ │ ├── test_AzureFrontDoorEnablesWAF.py
│ │ ├── test_AzureManagedDiscEncryption.py
│ │ ├── test_FrontdoorUseWAFMode.py
│ │ ├── test_MonitorLogProfileCategories.py
│ │ ├── test_MonitorLogProfileRetentionDays.py
│ │ ├── test_StorageAccountAzureServicesAccessEnabled.py
│ │ ├── test_StorageAccountDefaultNetworkAccessDeny.py
│ │ ├── test_StorageAccountsTransportEncryption.py
│ │ └── test_VMEncryptionAtHostEnabled.py
│ ├── examples/
│ │ ├── existing.bicep
│ │ ├── graph.bicep
│ │ ├── loop.bicep
│ │ ├── malformed.bicep
│ │ └── playground.bicep
│ ├── graph/
│ │ ├── __init__.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── resources/
│ │ │ │ ├── SQLServerAuditingEnabled/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.bicep
│ │ │ │ ├── SQLServerAuditingRetention90Days/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail1_less_90.bicep
│ │ │ │ │ ├── fail2_no_auditsettings.bicep
│ │ │ │ │ ├── fail3_not_enabled.bicep
│ │ │ │ │ └── pass1.bicep
│ │ │ │ ├── SQLServerThreatDetectionTypes/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.bicep
│ │ │ │ └── __init__.py
│ │ │ └── test_yaml_policies.py
│ │ ├── definitions_context/
│ │ │ ├── resources/
│ │ │ │ ├── definitions_example1.bicep
│ │ │ │ └── definitions_example2.bicep
│ │ │ └── test_definitions_context.py
│ │ └── graph_builder/
│ │ ├── __init__.py
│ │ ├── examples/
│ │ │ ├── mixed/
│ │ │ │ └── main.bicep
│ │ │ ├── parameter/
│ │ │ │ └── main.bicep
│ │ │ └── variable/
│ │ │ └── main.bicep
│ │ ├── test_local_graph.py
│ │ └── test_renderer.py
│ ├── image_referencer/
│ │ ├── __init__.py
│ │ ├── provider/
│ │ │ ├── __init__.py
│ │ │ └── test_azure.py
│ │ ├── resources/
│ │ │ └── azure/
│ │ │ ├── batch.bicep
│ │ │ ├── container_instance.bicep
│ │ │ └── web.bicep
│ │ ├── test_manager.py
│ │ └── test_runner_azure_resources.py
│ ├── test_graph_manager.py
│ ├── test_parser.py
│ ├── test_runner.py
│ └── test_utils.py
├── bitbucket/
│ ├── __init__.py
│ ├── resources/
│ │ └── bitbucket_conf/
│ │ ├── fail/
│ │ │ └── branch_restrictions.json
│ │ └── pass/
│ │ └── branch_restrictions.json
│ └── test_runner.py
├── bitbucket_pipelines/
│ ├── __init__.py
│ ├── resources/
│ │ └── bitbucket-pipelines.yml
│ └── test_runner.py
├── circleci_pipelines/
│ ├── __init__.py
│ ├── conftest.py
│ ├── resources/
│ │ └── .circleci/
│ │ └── config.yml
│ └── test_runner.py
├── cloudformation/
│ ├── __init__.py
│ ├── checks/
│ │ ├── __init__.py
│ │ ├── example_WildcardEntities/
│ │ │ └── main.yaml
│ │ ├── resource/
│ │ │ ├── __init__.py
│ │ │ └── aws/
│ │ │ ├── Cloudsplaining_IAMCredentialsExposure/
│ │ │ │ ├── FAILED.yml
│ │ │ │ └── PASSED.yml
│ │ │ ├── Cloudsplaining_IAMGroup/
│ │ │ │ ├── FAILED.yml
│ │ │ │ └── PASSED.yaml
│ │ │ ├── Cloudsplaining_IAMPermissionsManagement/
│ │ │ │ ├── FAILED.yml
│ │ │ │ └── PASSED.yaml
│ │ │ ├── Cloudsplaining_IAMRole/
│ │ │ │ ├── FAILED.yml
│ │ │ │ └── PASSED.yaml
│ │ │ ├── Cloudsplaining_IAMUser/
│ │ │ │ ├── FAILED.yml
│ │ │ │ └── PASSED.yaml
│ │ │ ├── Cloudsplaining_IAMWriteAccess/
│ │ │ │ ├── FAILED.yml
│ │ │ │ └── PASSED.yaml
│ │ │ ├── Cloudsplaining_ManagedPolicy/
│ │ │ │ ├── FAILED.yml
│ │ │ │ └── PASSED.yaml
│ │ │ ├── S3Templates/
│ │ │ │ └── ExampleS3.yaml
│ │ │ ├── __init__.py
│ │ │ ├── cloudsplaining.md
│ │ │ ├── example_ALBDropHttpHeaders/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ ├── PASS.yaml
│ │ │ │ └── UNKNOWN.yaml
│ │ │ ├── example_ALBListener/
│ │ │ │ ├── ALBListenerHTTPS-FAILED-HTTP.yaml
│ │ │ │ ├── ALBListenerHTTPS-PASSED-HTTPS.yaml
│ │ │ │ ├── ALBListenerHTTPS-PASSED-TCP.yaml
│ │ │ │ ├── ALBListenerHTTPS-PASSED-TCP_UDP.yaml
│ │ │ │ ├── ALBListenerHTTPS-PASSED-TLS.yaml
│ │ │ │ ├── ALBListenerHTTPS-PASSED-UDP.yaml
│ │ │ │ └── ALBListenerHTTPS-PASSED-redirect.yaml
│ │ │ ├── example_ALBListenerTLS12/
│ │ │ │ ├── ALBListenerTLS1.2-FAILED.yaml
│ │ │ │ ├── ALBListenerTLS1.2-PASSED.yaml
│ │ │ │ └── ALBListenerTLS1.3-PASSED.yaml
│ │ │ ├── example_APIGatewayAccessLogging/
│ │ │ │ ├── APIGatewayAccessLogging-FAILED.yaml
│ │ │ │ ├── APIGatewayAccessLogging-PASSED.yaml
│ │ │ │ └── sam.yaml
│ │ │ ├── example_APIGatewayAuthorization/
│ │ │ │ ├── APIGatewayAuthorization-FAILED.yaml
│ │ │ │ └── APIGatewayAuthorization-PASSED.yaml
│ │ │ ├── example_APIGatewayCacheEnable/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ ├── PASS.yaml
│ │ │ │ └── sam.yaml
│ │ │ ├── example_APIGatewayV2AccessLogging/
│ │ │ │ ├── APIGatewayV2AccessLogging-FAILED.yaml
│ │ │ │ ├── APIGatewayV2AccessLogging-PASSED.yaml
│ │ │ │ └── sam.yaml
│ │ │ ├── example_APIGatewayXray/
│ │ │ │ ├── APIGatewayXray-FAILED.yaml
│ │ │ │ ├── APIGatewayXray-PASSED.yaml
│ │ │ │ └── sam.yaml
│ │ │ ├── example_AmazonMQBrokerPublicAccess/
│ │ │ │ ├── AmazonMQBrokerPublicAccess-FAILED-1.yaml
│ │ │ │ ├── AmazonMQBrokerPublicAccess-FAILED-2.yaml
│ │ │ │ ├── AmazonMQBrokerPublicAccess-PASSED-1.yaml
│ │ │ │ └── AmazonMQBrokerPublicAccess-PASSED-2.yaml
│ │ │ ├── example_AppSyncFieldLevelLogs/
│ │ │ │ └── template.yaml
│ │ │ ├── example_AppSyncLogging/
│ │ │ │ └── template.yaml
│ │ │ ├── example_AthenaWorkgroupConfiguration/
│ │ │ │ ├── AthenaWorkgroupConfiguration-FAIL.yaml
│ │ │ │ └── AthenaWorkgroupConfiguration-PASSED.yaml
│ │ │ ├── example_AuroraEncryption/
│ │ │ │ ├── AuroraEncryption-FAIL.yaml
│ │ │ │ ├── AuroraEncryption-PASSED.yaml
│ │ │ │ └── AuroraEncryption-UNKNOWN.yaml
│ │ │ ├── example_BackupVaultEncrypted/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ └── PASS.yaml
│ │ │ ├── example_BedrockAgentEncrypted/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ └── PASS.yaml
│ │ │ ├── example_CloudFrontTLS12/
│ │ │ │ ├── CloudFrontTLS12-FAILED.yaml
│ │ │ │ └── CloudFrontTLS12-PASSED.yaml
│ │ │ ├── example_CloudWatchLogGroupKMSKey/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ └── PASS.yaml
│ │ │ ├── example_CloudWatchLogGroupRetention/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ └── PASS.yaml
│ │ │ ├── example_CloudfrontDistributionLogging/
│ │ │ │ ├── CloudfrontDistributionLogging-FAILED.yaml
│ │ │ │ └── CloudfrontDistributionLogging-PASSED.yaml
│ │ │ ├── example_CloudtrailEncryption/
│ │ │ │ ├── CloudTrailEncryption-FAILED.yaml
│ │ │ │ ├── CloudTrailEncryption-PASSED.json
│ │ │ │ └── CloudTrailEncryption-PASSED.yaml
│ │ │ ├── example_CloudtrailLogValidation/
│ │ │ │ ├── CloudTrailLogValidation-FAILED.yaml
│ │ │ │ └── CloudTrailLogValidation-PASSED.yaml
│ │ │ ├── example_CloudtrailMultiRegion/
│ │ │ │ ├── CloudtrailMultiRegion-FAILED.yaml
│ │ │ │ └── CloudtrailMultiRegion-PASSED.yaml
│ │ │ ├── example_CodeBuildProjectEncryption/
│ │ │ │ ├── CodeBuildProjectEncryption-FAILED.yaml
│ │ │ │ └── CodeBuildProjectEncryption-PASSED.yaml
│ │ │ ├── example_CognitoUnauthenticatedIdentities/
│ │ │ │ ├── FAILED.yml
│ │ │ │ └── PASSED.yaml
│ │ │ ├── example_DAXEncryption/
│ │ │ │ ├── DAXEncryption-FAILED.yml
│ │ │ │ └── DAXEncryption-PASSED.yml
│ │ │ ├── example_DMSReplicationInstancePubliclyAccessible/
│ │ │ │ ├── DMSReplicationInstancePubliclyAccessible-FAILED.yml
│ │ │ │ └── DMSReplicationInstancePubliclyAccessible-PASSED.yml
│ │ │ ├── example_DeprecatedLambdaRuntime/
│ │ │ │ ├── example.yaml
│ │ │ │ └── exampleSAM.yaml
│ │ │ ├── example_DocDBAuditLogs/
│ │ │ │ ├── DocDBAuditLogs-FAILED.yaml
│ │ │ │ └── DocDBAuditLogs-PASSED.yaml
│ │ │ ├── example_DocDBBackupRetention/
│ │ │ │ ├── DocDBBackupRetention-FAILED.yaml
│ │ │ │ └── DocDBBackupRetention-PASSED.yaml
│ │ │ ├── example_DocDBEncryption/
│ │ │ │ ├── DocDBEncryption-FAILED.yaml
│ │ │ │ └── DocDBEncryption-PASSED.yaml
│ │ │ ├── example_DocDBLogging/
│ │ │ │ ├── DocDBLogging-FAILED.yaml
│ │ │ │ └── DocDBLogging-PASSED.yaml
│ │ │ ├── example_DocDBTLS/
│ │ │ │ ├── DocDBTLS-FAILED.yaml
│ │ │ │ └── DocDBTLS-PASSED.yaml
│ │ │ ├── example_DynamoDBTablesEncrypted/
│ │ │ │ ├── FAILED.yaml
│ │ │ │ └── PASSED.yaml
│ │ │ ├── example_DynamodbGlobalTableRecovery/
│ │ │ │ ├── DynamodbGlobalTableRecovery-FAILED-2.yaml
│ │ │ │ ├── DynamodbGlobalTableRecovery-FAILED.yaml
│ │ │ │ └── DynamodbGlobalTableRecovery-PASSED.yaml
│ │ │ ├── example_DynamodbRecovery/
│ │ │ │ ├── DynamodbRecovery-FAILED-2.yaml
│ │ │ │ ├── DynamodbRecovery-FAILED.yaml
│ │ │ │ └── DynamodbRecovery-PASSED.yaml
│ │ │ ├── example_EBSEncryption/
│ │ │ │ ├── EBSEncryption-FAILED-2.yaml
│ │ │ │ ├── EBSEncryption-FAILED.yaml
│ │ │ │ └── EBSEncryption-PASSED.yaml
│ │ │ ├── example_EC2Credentials/
│ │ │ │ ├── EC2Credentials-FAILED.yaml
│ │ │ │ ├── EC2Credentials-FAILED_B64encoded.yaml
│ │ │ │ └── EC2Credentials-PASSED.yaml
│ │ │ ├── example_EC2PublicIP/
│ │ │ │ ├── EC2PublicIP-FAILED.yaml
│ │ │ │ ├── EC2PublicIP-PASSED.yaml
│ │ │ │ └── EC2PublicIP-UNKNOWN.yaml
│ │ │ ├── example_ECRImageScanning/
│ │ │ │ ├── FAILED.yml
│ │ │ │ └── PASSED.yml
│ │ │ ├── example_ECRImmutableTags/
│ │ │ │ ├── ECRImmutableTags-FAILED.yaml
│ │ │ │ └── ECRImmutableTags-PASSED.yaml
│ │ │ ├── example_ECRPolicy/
│ │ │ │ ├── ECRPolicy-FAILED.yaml
│ │ │ │ ├── ECRPolicy-PASSED-2.yaml
│ │ │ │ ├── ECRPolicy-PASSED.yaml
│ │ │ │ └── ECRPolicy_passed.json
│ │ │ ├── example_ECRRepositoryEncrypted/
│ │ │ │ ├── FAILED.yml
│ │ │ │ └── PASSED.yml
│ │ │ ├── example_ECSClusterContainerInsights/
│ │ │ │ ├── ECSClusterContainerInsights-FAILED-2.yaml
│ │ │ │ ├── ECSClusterContainerInsights-FAILED.yaml
│ │ │ │ ├── ECSClusterContainerInsights-PASSED.yaml
│ │ │ │ └── ECSClusterContainerInsights-PASSED2.yaml
│ │ │ ├── example_ECSTaskDefinitionEFSVolumeEncryption/
│ │ │ │ ├── ECSTaskDefinitionEFSVolumeEncryption-FAILED.yaml
│ │ │ │ └── ECSTaskDefinitionEFSVolumeEncryption-PASSED.yaml
│ │ │ ├── example_EFSEncryption/
│ │ │ │ ├── EFSEncrpytion-FAILED.yml
│ │ │ │ └── EFSEncrpytion-PASSED.yml
│ │ │ ├── example_EKSNodeGroupRemoteAccess/
│ │ │ │ ├── EKSNodeGroupRemoteAccess-FAILED.yml
│ │ │ │ └── EKSNodeGroupRemoteAccess-PASSED.yml
│ │ │ ├── example_EKSSecretEncryption/
│ │ │ │ ├── EKSSecretEncryption-FAILED.yml
│ │ │ │ └── EKSSecretEncryption-PASSED.yml
│ │ │ ├── example_ELBAccessLogs/
│ │ │ │ ├── ELBAccessLogs-FAILED.yml
│ │ │ │ └── ELBAccessLogs-PASSED.yml
│ │ │ ├── example_ELBv2AccessLogs/
│ │ │ │ ├── ELBv2AccessLogs-FAILED.yml
│ │ │ │ └── ELBv2AccessLogs-PASSED.yml
│ │ │ ├── example_ElasticacheReplicationGroupEncryptionAtRest/
│ │ │ │ ├── ElasticacheReplicationGroupEncryptionAtRest-FAILED-2.yaml
│ │ │ │ ├── ElasticacheReplicationGroupEncryptionAtRest-FAILED.yaml
│ │ │ │ └── ElasticacheReplicationGroupEncryptionAtRest-PASSED.yaml
│ │ │ ├── example_ElasticacheReplicationGroupEncryptionAtTransit/
│ │ │ │ ├── ElasticacheReplicationGroupEncryptionAtTransit-FAILED-2.yaml
│ │ │ │ ├── ElasticacheReplicationGroupEncryptionAtTransit-FAILED.yaml
│ │ │ │ └── ElasticacheReplicationGroupEncryptionAtTransit-PASSED.yaml
│ │ │ ├── example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/
│ │ │ │ ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken-FAILED.yaml
│ │ │ │ ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken-FAILED2.yaml
│ │ │ │ ├── ElasticacheReplicationGroupEncryptionAtTransitAuthToken-PASSED.yaml
│ │ │ │ └── ElasticacheReplicationGroupEncryptionAtTransitAuthToken-PASSED2.yaml
│ │ │ ├── example_ElasticsearchDomainAuditLogging/
│ │ │ │ ├── ElasticsearchDomainLogging-FAILED.yaml
│ │ │ │ ├── ElasticsearchDomainLogging-PASSED.yaml
│ │ │ │ ├── OpensearchDomainLogging-FAILED.yaml
│ │ │ │ └── OpensearchDomainLogging-PASSED.yaml
│ │ │ ├── example_ElasticsearchDomainEnforceHTTPS/
│ │ │ │ ├── ElasticsearchDomainEnforceHTTPS-FAILED.yaml
│ │ │ │ └── ElasticsearchDomainEnforceHTTPS-PASSED.yaml
│ │ │ ├── example_ElasticsearchDomainLogging/
│ │ │ │ ├── ElasticsearchDomainLogging-FAILED.yaml
│ │ │ │ ├── ElasticsearchDomainLogging-PASSED.yaml
│ │ │ │ ├── OpensearchDomainLogging-FAILED.yaml
│ │ │ │ └── OpensearchDomainLogging-PASSED.yaml
│ │ │ ├── example_ElasticsearchEncryption/
│ │ │ │ ├── ElasticsearchEncryption-FAILED-2.yaml
│ │ │ │ ├── ElasticsearchEncryption-FAILED.yaml
│ │ │ │ └── ElasticsearchEncryption-PASSED.yaml
│ │ │ ├── example_ElasticsearchNodeToNodeEncryption/
│ │ │ │ ├── ElasticsearchNodeToNodeEncryption-FAILED-2.yaml
│ │ │ │ ├── ElasticsearchNodeToNodeEncryption-FAILED.yaml
│ │ │ │ └── ElasticsearchNodeToNodeEncryption-PASSED.yaml
│ │ │ ├── example_GlueDataCatalogEncryption/
│ │ │ │ ├── GlueDataCatalogEncryption-FAILED.yml
│ │ │ │ └── GlueDataCatalogEncryption-PASSED.yml
│ │ │ ├── example_GlueSecurityConfiguration/
│ │ │ │ ├── GlueSecurityConfiguration-FAILED.yml
│ │ │ │ └── GlueSecurityConfiguration-PASSED.yml
│ │ │ ├── example_GlueSecurityConfigurationEnabled/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ └── PASS.yaml
│ │ │ ├── example_IAMAdminPolicyDocument/
│ │ │ │ ├── iam_group.fail.json
│ │ │ │ ├── iam_group.pass.json
│ │ │ │ ├── iam_policy.fail.json
│ │ │ │ ├── iam_policy.pass.json
│ │ │ │ ├── iam_role.fail.json
│ │ │ │ ├── iam_role.pass.json
│ │ │ │ ├── iam_role.unknown.yaml
│ │ │ │ ├── iam_user.fail.json
│ │ │ │ └── iam_user.pass.json
│ │ │ ├── example_IAMPolicyAttachedToGroupOrRoles/
│ │ │ │ ├── IAMPolicyAttachedToGroupOrRoles-FAILED.yml
│ │ │ │ └── IAMPolicyAttachedToGroupOrRoles-PASSED.yml
│ │ │ ├── example_IAMRoleAllowAssumeFromAccount/
│ │ │ │ ├── UNKNOWN.yml
│ │ │ │ ├── example_IAMRoleAllowAssumeFromAccount-FAILED.yml
│ │ │ │ ├── example_IAMRoleAllowAssumeFromAccount-PASSED-2.yml
│ │ │ │ └── example_IAMRoleAllowAssumeFromAccount-PASSED.yml
│ │ │ ├── example_IAMRoleAllowsPublicAssume/
│ │ │ │ ├── FAILED-2.yml
│ │ │ │ ├── FAILED.yml
│ │ │ │ ├── PASSED-2.yml
│ │ │ │ └── PASSED.yml
│ │ │ ├── example_IAMStarActionPolicyDocument/
│ │ │ │ ├── cfn_bad_iam_pass.yaml
│ │ │ │ ├── iam_group.fail.json
│ │ │ │ ├── iam_group.pass.json
│ │ │ │ ├── iam_policy.fail.json
│ │ │ │ ├── iam_policy.pass.json
│ │ │ │ ├── iam_role.fail.json
│ │ │ │ ├── iam_role.pass.json
│ │ │ │ ├── iam_role.unknown.yaml
│ │ │ │ ├── iam_user.fail.json
│ │ │ │ └── iam_user.pass.json
│ │ │ ├── example_IMDSv1Disabled/
│ │ │ │ ├── FAILED.yml
│ │ │ │ └── PASSED.yml
│ │ │ ├── example_KMSKeyWildCardPrincipal/
│ │ │ │ ├── KMSKeyWildCardPrincipal-FAILED-AWS-Wildcard.yaml
│ │ │ │ ├── KMSKeyWildCardPrincipal-FAILED-Wildcard.yaml
│ │ │ │ └── KMSKeyWildCardPrincipal-PASSED.yaml
│ │ │ ├── example_KMSRotation/
│ │ │ │ ├── KMSRotation-FAILED.yml
│ │ │ │ ├── KMSRotation-PASSED-Asymmetric.yml
│ │ │ │ └── KMSRotation-PASSED-Symmetric.yml
│ │ │ ├── example_KinesisStreamEncryptionType/
│ │ │ │ ├── FAILED.yml
│ │ │ │ └── PASSED.yml
│ │ │ ├── example_LambdaDLQConfigured/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ ├── PASS.yaml
│ │ │ │ └── sam.yaml
│ │ │ ├── example_LambdaEnvironmentCredentials/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ ├── PASS.yaml
│ │ │ │ ├── PASS2.yaml
│ │ │ │ ├── PASS3.yaml
│ │ │ │ └── sam.yaml
│ │ │ ├── example_LambdaEnvironmentEncryptionSettings/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ ├── PASS.yaml
│ │ │ │ └── sam.yaml
│ │ │ ├── example_LambdaFunctionLevelConcurrentExecutionLimit/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ ├── PASS.yaml
│ │ │ │ └── sam.yaml
│ │ │ ├── example_LambdaFunctionURLAuth/
│ │ │ │ ├── LambdaFunctionURLAuth_Fail.yml
│ │ │ │ └── LambdaFunctionURLAuth_Pass.yml
│ │ │ ├── example_LambdaInVPC/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ ├── PASS.yaml
│ │ │ │ └── sam.yaml
│ │ │ ├── example_LambdaServicePermission/
│ │ │ │ ├── LambdaServicePermission_Fail.yml
│ │ │ │ └── LambdaServicePermission_Pass.yml
│ │ │ ├── example_LaunchConfigurationEBSEncryption/
│ │ │ │ ├── LaunchConfigurationEBSEncryption-FAILED-no-enc.yml
│ │ │ │ ├── LaunchConfigurationEBSEncryption-PASSED-ephermal.yml
│ │ │ │ ├── LaunchConfigurationEBSEncryption-PASSED.yml
│ │ │ │ ├── LaunchConfigurationEBSEncryption-UNKNOWN.yml
│ │ │ │ └── LaunchConfigurationEBSEncryption-UNKNOWN_2.yml
│ │ │ ├── example_MQBrokerAuditLogging/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ ├── PASS.yaml
│ │ │ │ └── UNKNOWN.yaml
│ │ │ ├── example_MSKClusterEncryption/
│ │ │ │ ├── MSKClusterEncryption-FAIL.yaml
│ │ │ │ └── MSKClusterEncryption-PASS.yaml
│ │ │ ├── example_MSKClusterLogging/
│ │ │ │ ├── MSKClusterNodesArePrivate-FAIL.yaml
│ │ │ │ └── MSKClusterNodesArePrivate-PASS.yaml
│ │ │ ├── example_MSKClusterNodesArePrivate/
│ │ │ │ ├── MSKClusterNodesArePrivate-FAIL.yaml
│ │ │ │ └── MSKClusterNodesArePrivate-PASS.yaml
│ │ │ ├── example_NeptuneClusterBackupRetention/
│ │ │ │ ├── NeptuneClusterBackupRetention-FAILED.yml
│ │ │ │ └── NeptuneClusterBackupRetention-PASSED.yml
│ │ │ ├── example_NeptuneClusterLogging/
│ │ │ │ ├── NeptuneClusterLogging-FAILED.yml
│ │ │ │ └── NeptuneClusterLogging-PASSED.yml
│ │ │ ├── example_NeptuneClusterStorageEncrypted/
│ │ │ │ ├── NeptuneClusterStorageEncrypted-FAILED.yml
│ │ │ │ └── NeptuneClusterStorageEncrypted-PASSED.yml
│ │ │ ├── example_OpensearchDomainAuditLogging/
│ │ │ │ ├── ElasticsearchDomainLogging-FAILED.yaml
│ │ │ │ └── ElasticsearchDomainLogging-PASSED.yaml
│ │ │ ├── example_ParameterStoreCredentials/
│ │ │ │ ├── mix.yaml
│ │ │ │ └── no_crash.yaml
│ │ │ ├── example_QLDBLedgerDeletionProtection/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ └── PASS.yaml
│ │ │ ├── example_QLDBLedgerPermissionsMode/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ └── PASS.yaml
│ │ │ ├── example_RDSClusterIAMAuthentication/
│ │ │ │ ├── RDSClusterIAMAuthentication-FAIL.yaml
│ │ │ │ └── RDSClusterIAMAuthentication-PASSED.yaml
│ │ │ ├── example_RDSEncryption/
│ │ │ │ ├── RDSEncryption-FAIL.yaml
│ │ │ │ ├── RDSEncryption-PASSED.yaml
│ │ │ │ └── RDSEncryption-UNKNOWN.yaml
│ │ │ ├── example_RDSEnhancedMonitorEnabled/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ └── PASS.yaml
│ │ │ ├── example_RDSIAMAuthentication/
│ │ │ │ ├── RDSIAMAuthentication-FAIL.yaml
│ │ │ │ ├── RDSIAMAuthentication-PASSED.yaml
│ │ │ │ └── RDSIAMAuthentication-UNKNOWN.yaml
│ │ │ ├── example_RDSMultiAZEnabled/
│ │ │ │ ├── RDSMultiAZEnabled-FAILED-2.yaml
│ │ │ │ ├── RDSMultiAZEnabled-FAILED.yaml
│ │ │ │ ├── RDSMultiAZEnabled-PASSED.yaml
│ │ │ │ └── RDSMultiAZEnabled-UNKNOWN.yaml
│ │ │ ├── example_RDSPubliclyAccessible/
│ │ │ │ ├── RDSPubliclyAccessible-FAIL.yaml
│ │ │ │ ├── RDSPubliclyAccessible-PASSED-2.yaml
│ │ │ │ └── RDSPubliclyAccessible-PASSED.yaml
│ │ │ ├── example_RedShiftSSL/
│ │ │ │ ├── RedShiftSSL-FAILED.yaml
│ │ │ │ └── RedShiftSSL-PASSED.yaml
│ │ │ ├── example_RedshiftClusterEncryption/
│ │ │ │ ├── RedshiftClusterEncryption-FAILED.yaml
│ │ │ │ └── RedshiftClusterEncryption-PASSED.yaml
│ │ │ ├── example_RedshiftClusterLogging/
│ │ │ │ ├── RedshiftClusterLogging-FAILED.yaml
│ │ │ │ └── RedshiftClusterLogging-PASSED.yaml
│ │ │ ├── example_RedshiftClusterPubliclyAccessible/
│ │ │ │ ├── RedshiftClusterPubliclyAccessible-FAILED.yaml
│ │ │ │ └── RedshiftClusterPubliclyAccessible-PASSED.yaml
│ │ │ ├── example_RedshiftInEc2ClassicMode/
│ │ │ │ ├── RedshiftInEc2ClassicMode-FAILED.yaml
│ │ │ │ └── RedshiftInEc2ClassicMode-PASSED.yaml
│ │ │ ├── example_SNSTopicEncryption/
│ │ │ │ ├── test_SNSTopicEncryption-FAILED.yml
│ │ │ │ └── test_SNSTopicEncryption-PASSED.yml
│ │ │ ├── example_SQSQueueEncryption/
│ │ │ │ ├── test_SQSQueueEncryption-FAILED.yml
│ │ │ │ ├── test_SQSQueueEncryption-FAILED2.yml
│ │ │ │ └── test_SQSQueueEncryption-PASSED.yml
│ │ │ ├── example_SagemakerDataQualityJobDefinitionEncryption/
│ │ │ │ ├── SagemakerDataQualityJobDefinitionEncryption-FAILED.yaml
│ │ │ │ └── SagemakerDataQualityJobDefinitionEncryption-PASSED.yaml
│ │ │ ├── example_SagemakerDataQualityJobDefinitionTrafficEncryption/
│ │ │ │ ├── SagemakerDataQualityJobDefinitionTrafficEncryption-FAILED.yaml
│ │ │ │ └── SagemakerDataQualityJobDefinitionTrafficEncryption-PASSED.yaml
│ │ │ ├── example_SagemakerDataQualityJobDefinitionVolumeEncryption/
│ │ │ │ ├── SagemakerDataQualityJobDefinitionVolumeEncryption-FAILED.yaml
│ │ │ │ └── SagemakerDataQualityJobDefinitionVolumeEncryption-PASSED.yaml
│ │ │ ├── example_SagemakerModelWithNetworkIsolation/
│ │ │ │ ├── SagemakerModelWithNetworkIsolation-FAILED.yaml
│ │ │ │ └── SagemakerModelWithNetworkIsolation-PASSED.yaml
│ │ │ ├── example_SagemakerNotebookEncryptedWithCMK/
│ │ │ │ └── template.yaml
│ │ │ ├── example_SagemakerNotebookInstanceAllowsIMDSv2/
│ │ │ │ ├── SagemakerNotebookInstanceAllowsIMDSv2-FAILED.yaml
│ │ │ │ └── SagemakerNotebookInstanceAllowsIMDSv2-PASSED.yaml
│ │ │ ├── example_SecretManagerSecretEncrypted/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ └── PASS.yaml
│ │ │ ├── example_SecurityGroupRuleDescription/
│ │ │ │ ├── SecurityGroupRuleDescription-FAILED-2.yaml
│ │ │ │ ├── SecurityGroupRuleDescription-FAILED-3.yaml
│ │ │ │ ├── SecurityGroupRuleDescription-FAILED.yaml
│ │ │ │ ├── SecurityGroupRuleDescription-PASSED-2.yaml
│ │ │ │ ├── SecurityGroupRuleDescription-PASSED-3.yaml
│ │ │ │ ├── SecurityGroupRuleDescription-PASSED-4.yaml
│ │ │ │ └── SecurityGroupRuleDescription-PASSED.yaml
│ │ │ ├── example_SecurityGroupUnrestrictedIngress22/
│ │ │ │ ├── SecurityGroupQuotes-FAILED.yaml
│ │ │ │ ├── SecurityGroupRange-FAILED.yaml
│ │ │ │ ├── SecurityGroupRangeInvalid-PASSED.yaml
│ │ │ │ ├── SecurityGroupUnrestrictedIngress22-FAILED-2.yaml
│ │ │ │ ├── SecurityGroupUnrestrictedIngress22-FAILED-3.yaml
│ │ │ │ ├── SecurityGroupUnrestrictedIngress22-FAILED.yaml
│ │ │ │ ├── SecurityGroupUnrestrictedIngress22-PASSED.yaml
│ │ │ │ └── SecurityGroupUnrestrictedIngress22-UNKNOWN.yaml
│ │ │ ├── example_SecurityGroupUnrestrictedIngress3389/
│ │ │ │ ├── SecurityGroupUnrestrictedIngress3389-FAILED-2.yaml
│ │ │ │ ├── SecurityGroupUnrestrictedIngress3389-FAILED.yaml
│ │ │ │ └── SecurityGroupUnrestrictedIngress3389-PASSED.yaml
│ │ │ ├── example_SecurityGroupUnrestrictedIngress80/
│ │ │ │ ├── SecurityGroupUnrestrictedIngress80-FAILED-2.yaml
│ │ │ │ ├── SecurityGroupUnrestrictedIngress80-FAILED-3.yaml
│ │ │ │ ├── SecurityGroupUnrestrictedIngress80-FAILED.yaml
│ │ │ │ ├── SecurityGroupUnrestrictedIngress80-PASSED.yaml
│ │ │ │ └── SecurityGroupUnrestrictedIngress80-UNKNOWN.yaml
│ │ │ ├── example_TimestreamDatabaseKMSKey/
│ │ │ │ ├── TimestreamDatabaseKMSKey-FAILED.yaml
│ │ │ │ └── TimestreamDatabaseKMSKey-PASSED.yaml
│ │ │ ├── example_TransferServerIsPublic/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ └── PASS.yaml
│ │ │ ├── example_VPCEndpointAcceptanceConfigured/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ └── PASS.yaml
│ │ │ ├── example_WAFACLCVE202144228/
│ │ │ │ ├── FAILED.yaml
│ │ │ │ └── PASSED.yaml
│ │ │ ├── example_WAFEnabled/
│ │ │ │ ├── WAFEnabled-FAILED.yaml
│ │ │ │ └── WAFEnabled-PASSED.yaml
│ │ │ ├── example_WorkspaceRootVolumeEncrypted/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ └── PASS.yaml
│ │ │ ├── example_WorkspaceUserVolumeEncrypted/
│ │ │ │ ├── FAIL.yaml
│ │ │ │ └── PASS.yaml
│ │ │ ├── example_cloudfrontDistribution/
│ │ │ │ ├── CloudfrontDistributionEncryption-FAILED-2.yaml
│ │ │ │ ├── CloudfrontDistributionEncryption-FAILED.yaml
│ │ │ │ ├── CloudfrontDistributionEncryption-PASSED.yaml
│ │ │ │ └── CloudfrontDistributionEncryption-UNKNOWN.yaml
│ │ │ ├── test_ALBDropHttpHeaders.py
│ │ │ ├── test_ALBListenerHTTPS.py
│ │ │ ├── test_ALBListenerTLS12.py
│ │ │ ├── test_APIGatewayAccessLogging.py
│ │ │ ├── test_APIGatewayAuthorization.py
│ │ │ ├── test_APIGatewayCacheEnable.py
│ │ │ ├── test_APIGatewayV2AccessLogging.py
│ │ │ ├── test_APIGatewayXray.py
│ │ │ ├── test_AmazonMQBrokerPublicAccess.py
│ │ │ ├── test_AppSyncFieldLevelLogs.py
│ │ │ ├── test_AppSyncLogging.py
│ │ │ ├── test_AthenaWorkgroupConfiguration.py
│ │ │ ├── test_AuroraEncryption.py
│ │ │ ├── test_BackupVaultEncrypted.py
│ │ │ ├── test_BedrockAgentEncrypted.py
│ │ │ ├── test_CloudFrontTLS12.py
│ │ │ ├── test_CloudWatchLogGroupKMSKey.py
│ │ │ ├── test_CloudWatchLogGroupRetention.py
│ │ │ ├── test_CloudfrontDistributionEncryption.py
│ │ │ ├── test_CloudfrontDistributionLogging.py
│ │ │ ├── test_CloudsplainingIAMCredentialsExposure.py
│ │ │ ├── test_CloudsplainingIAMGroup.py
│ │ │ ├── test_CloudsplainingIAMRole.py
│ │ │ ├── test_CloudsplainingIAMUser.py
│ │ │ ├── test_CloudsplainingManagedPolicy.py
│ │ │ ├── test_CloudtrailEncryption.py
│ │ │ ├── test_CloudtrailLogValidation.py
│ │ │ ├── test_CloudtrailMultiRegion.py
│ │ │ ├── test_CodeBuildProjectEncryption.py
│ │ │ ├── test_CognitoUnauthenticatedIdentities.py
│ │ │ ├── test_DAXEncryption.py
│ │ │ ├── test_DMSReplicationInstancePubliclyAccessible.py
│ │ │ ├── test_DeprecatedLambdaRuntime.py
│ │ │ ├── test_DocDBAuditLogs.py
│ │ │ ├── test_DocDBBackupRetention.py
│ │ │ ├── test_DocDBEncryption.py
│ │ │ ├── test_DocDBLogging.py
│ │ │ ├── test_DocDBTLS.py
│ │ │ ├── test_DynamoDBTablesEncrypted.py
│ │ │ ├── test_DynamodbGlobalTableRecovery.py
│ │ │ ├── test_DynamodbRecovery.py
│ │ │ ├── test_EBSEncryption.py
│ │ │ ├── test_EC2Credentials.py
│ │ │ ├── test_EC2PublicIP.py
│ │ │ ├── test_ECRImageScanning.py
│ │ │ ├── test_ECRImmutableTags.py
│ │ │ ├── test_ECRPolicy.py
│ │ │ ├── test_ECRRepositoryEncrypted.py
│ │ │ ├── test_ECSClusterContainerInsights.py
│ │ │ ├── test_ECSTaskDefinitionEFSVolumeEncryption.py
│ │ │ ├── test_EFSEncryption.py
│ │ │ ├── test_EKSNodeGroupRemoteAccess.py
│ │ │ ├── test_EKSSecretEncryption.py
│ │ │ ├── test_ELBAccessLogs.py
│ │ │ ├── test_ELBv2AccessLogs.py
│ │ │ ├── test_ElasticacheReplicationGroupEncryptionAtRest.py
│ │ │ ├── test_ElasticacheReplicationGroupEncryptionAtTransit.py
│ │ │ ├── test_ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py
│ │ │ ├── test_ElasticsearchDomainAuditLogging.py
│ │ │ ├── test_ElasticsearchDomainEnforceHTTPS.py
│ │ │ ├── test_ElasticsearchDomainLogging.py
│ │ │ ├── test_ElastisearchEncryption.py
│ │ │ ├── test_ElastisearchNodeToNodeEncryption.py
│ │ │ ├── test_GlueDataCatalogEncryption.py
│ │ │ ├── test_GlueSecurityConfiguration.py
│ │ │ ├── test_GlueSecurityConfigurationEnabled.py
│ │ │ ├── test_IAMAdminPolicyDocument.py
│ │ │ ├── test_IAMPermissionsManagement.py
│ │ │ ├── test_IAMPolicyAttachedToGroupOrRoles.py
│ │ │ ├── test_IAMRoleAllowAssumeFromAccount.py
│ │ │ ├── test_IAMRoleAllowsPublicAssume.py
│ │ │ ├── test_IAMStarActionPolicyDocument.py
│ │ │ ├── test_IAMWriteAccess.py
│ │ │ ├── test_IMDSv1Disabled.py
│ │ │ ├── test_KMSKeyWildCardPrincipal.py
│ │ │ ├── test_KMSRotation.py
│ │ │ ├── test_KinesisStreamEncryptionType.py
│ │ │ ├── test_LambdaDLQConfigured.py
│ │ │ ├── test_LambdaEnvironmentCredentials.py
│ │ │ ├── test_LambdaEnvironmentEncryptionSettings.py
│ │ │ ├── test_LambdaFunctionLevelConcurrentExecutionLimit.py
│ │ │ ├── test_LambdaFunctionURLAuth.py
│ │ │ ├── test_LambdaInVPC.py
│ │ │ ├── test_LambdaServicePermission.py
│ │ │ ├── test_LaunchConfigurationEBSEncryption.py
│ │ │ ├── test_MQBrokerAuditLogging.py
│ │ │ ├── test_MSKClusterEncryption.py
│ │ │ ├── test_MSKClusterLogging.py
│ │ │ ├── test_MSKClusterNodesArePrivate.py
│ │ │ ├── test_NeptuneClusterBackupRetention.py
│ │ │ ├── test_NeptuneClusterLogging.py
│ │ │ ├── test_NeptuneClusterStorageEncrypted.py
│ │ │ ├── test_ParameterStoreCredentials.py
│ │ │ ├── test_QLDBLedgerDeletionProtection.py
│ │ │ ├── test_QLDBLedgerPermissionsMode.py
│ │ │ ├── test_RDSClusterIAMAuthentication.py
│ │ │ ├── test_RDSEncryption.py
│ │ │ ├── test_RDSEnhancedMonitorEnabled.py
│ │ │ ├── test_RDSIAMAuthentication.py
│ │ │ ├── test_RDSMultiAZEnabled.py
│ │ │ ├── test_RDSPubliclyAccessible.py
│ │ │ ├── test_RedShiftSSL.py
│ │ │ ├── test_RedshiftClusterEncryption.py
│ │ │ ├── test_RedshiftClusterLogging.py
│ │ │ ├── test_RedshiftClusterPubliclyAccessible.py
│ │ │ ├── test_RedshiftInEc2ClassicMode.py
│ │ │ ├── test_S3AccessLogs.py
│ │ │ ├── test_S3BlockPublicACLs.py
│ │ │ ├── test_S3BlockPublicPolicy.py
│ │ │ ├── test_S3Encryption.py
│ │ │ ├── test_S3IgnorePublicACLs.py
│ │ │ ├── test_S3PublicACLRead.py
│ │ │ ├── test_S3PublicACLWrite.py
│ │ │ ├── test_S3RestrictPublicBuckets.py
│ │ │ ├── test_S3Versioning.py
│ │ │ ├── test_SNSTopicEncryption.py
│ │ │ ├── test_SQSQueueEncryption.py
│ │ │ ├── test_SagemakerDataQualityJobDefinitionEncryption.py
│ │ │ ├── test_SagemakerDataQualityJobDefinitionTrafficEncryption.py
│ │ │ ├── test_SagemakerDataQualityJobDefinitionVolumeEncryption.py
│ │ │ ├── test_SagemakerModelWithNetworkIsolation.py
│ │ │ ├── test_SagemakerNotebookEncryptedWithCMK.py
│ │ │ ├── test_SagemakerNotebookInstanceAllowsIMDSv2.py
│ │ │ ├── test_SecretManagerSecretEncrypted.py
│ │ │ ├── test_SecurityGroupRuleDescription.py
│ │ │ ├── test_SecurityGroupUnrestrictedIngress22.py
│ │ │ ├── test_SecurityGroupUnrestrictedIngress3389.py
│ │ │ ├── test_SecurityGroupUnrestrictedIngress80.py
│ │ │ ├── test_TimestreamDatabaseKMSKey.py
│ │ │ ├── test_TransferServerIsPublic.py
│ │ │ ├── test_VPCEndpointAcceptanceConfigured.py
│ │ │ ├── test_WAFACLCVE202144228.py
│ │ │ ├── test_WAFEnabled.py
│ │ │ ├── test_WorkspaceRootVolumeEncrypted.py
│ │ │ ├── test_WorkspaceUserVolumeEncrypted.py
│ │ │ └── unused/
│ │ │ ├── EC2InstanceWithSecurityGroupSample-NoDesc.yaml
│ │ │ ├── EC2InstanceWithSecurityGroupSample.yaml
│ │ │ ├── EKSCluster.yaml
│ │ │ ├── ElasticsearchDomain.yaml
│ │ │ ├── ec2_instance_with_ebs_volume.yaml
│ │ │ ├── ec2_sec_group_2.json
│ │ │ ├── ec2_security_group.json
│ │ │ └── ec2_with_waitcondition_template.json
│ │ └── test_wildcard_entities.py
│ ├── file_formats/
│ │ ├── json_with_space/
│ │ │ └── test_json_with_space.json
│ │ ├── json_with_tabs/
│ │ │ └── test_json_with_tabs.json
│ │ ├── test_json_with_space.py
│ │ ├── test_json_with_tabs.py
│ │ ├── test_yaml.py
│ │ └── yaml/
│ │ └── test_yaml.yaml
│ ├── graph/
│ │ ├── __init__.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── resources/
│ │ │ │ ├── ACMWildcardDomainName/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── template.yaml
│ │ │ │ ├── ALBRedirectHTTPtoHTTPS/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── template.yaml
│ │ │ │ ├── AppSyncProtectedByWAF/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── template.yaml
│ │ │ │ ├── CloudfrontOriginNotHTTPSOnly/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── template.yaml
│ │ │ │ ├── LambdaFunction/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── template.yaml
│ │ │ │ ├── LambdaOpenCorsPolicy/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── template.yaml
│ │ │ │ ├── MSKClusterLogging/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── template.yaml
│ │ │ │ ├── RDSEncryptionInTransit/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── template.yaml
│ │ │ │ ├── SageMakerIAMPolicyOverlyPermissiveToAllTraffic/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── template.yaml
│ │ │ │ └── SagemakerNotebookEncryption/
│ │ │ │ ├── expected.yaml
│ │ │ │ └── template.yaml
│ │ │ ├── test_checks/
│ │ │ │ ├── ALBRedirectHTTPtoHTTPS.yaml
│ │ │ │ ├── LambdaFunction.yaml
│ │ │ │ ├── MSKClusterLogging.yaml
│ │ │ │ └── SagemakerNotebookEncryption.yaml
│ │ │ ├── test_yaml_policies.py
│ │ │ └── test_yaml_policies_with_runner.py
│ │ ├── graph_builder/
│ │ │ ├── __init__.py
│ │ │ ├── resources/
│ │ │ │ ├── conditioned_vertices/
│ │ │ │ │ ├── json/
│ │ │ │ │ │ └── test.json
│ │ │ │ │ └── yaml/
│ │ │ │ │ └── test.yaml
│ │ │ │ ├── edges_json/
│ │ │ │ │ └── test.json
│ │ │ │ ├── edges_yaml/
│ │ │ │ │ └── test.yaml
│ │ │ │ ├── encryption/
│ │ │ │ │ └── test.json
│ │ │ │ ├── sam/
│ │ │ │ │ └── template.yaml
│ │ │ │ ├── variable_rendering/
│ │ │ │ │ ├── render_findinmap/
│ │ │ │ │ │ ├── json/
│ │ │ │ │ │ │ └── test.json
│ │ │ │ │ │ └── yaml/
│ │ │ │ │ │ └── test.yaml
│ │ │ │ │ ├── render_getatt/
│ │ │ │ │ │ ├── json/
│ │ │ │ │ │ │ └── test.json
│ │ │ │ │ │ └── yaml/
│ │ │ │ │ │ └── test.yaml
│ │ │ │ │ ├── render_if/
│ │ │ │ │ │ ├── json/
│ │ │ │ │ │ │ └── test.json
│ │ │ │ │ │ └── yaml/
│ │ │ │ │ │ └── test.yaml
│ │ │ │ │ ├── render_join/
│ │ │ │ │ │ ├── json/
│ │ │ │ │ │ │ └── test.json
│ │ │ │ │ │ └── yaml/
│ │ │ │ │ │ └── test.yaml
│ │ │ │ │ ├── render_params/
│ │ │ │ │ │ └── yaml/
│ │ │ │ │ │ └── test.yaml
│ │ │ │ │ ├── render_ref/
│ │ │ │ │ │ ├── json/
│ │ │ │ │ │ │ └── test.json
│ │ │ │ │ │ └── yaml/
│ │ │ │ │ │ └── test.yaml
│ │ │ │ │ ├── render_select/
│ │ │ │ │ │ ├── json/
│ │ │ │ │ │ │ └── test.json
│ │ │ │ │ │ └── yaml/
│ │ │ │ │ │ └── test.yaml
│ │ │ │ │ ├── render_sub/
│ │ │ │ │ │ ├── json/
│ │ │ │ │ │ │ └── test.json
│ │ │ │ │ │ └── yaml/
│ │ │ │ │ │ └── test.yaml
│ │ │ │ │ └── render_subsequent_evals/
│ │ │ │ │ ├── json/
│ │ │ │ │ │ └── test.json
│ │ │ │ │ └── yaml/
│ │ │ │ │ └── test.yaml
│ │ │ │ └── vertices/
│ │ │ │ ├── test.json
│ │ │ │ └── test.yaml
│ │ │ ├── test_blocks.py
│ │ │ ├── test_local_graph.py
│ │ │ └── test_render.py
│ │ └── graph_runner/
│ │ ├── __init__.py
│ │ ├── external_graph_checks/
│ │ │ ├── complex_jsonpath_if_condition.yaml
│ │ │ ├── jsonpath_policy.yaml
│ │ │ └── simple_graph_check.yaml
│ │ ├── resources/
│ │ │ ├── LambdaFunction.json
│ │ │ ├── MSKClusterLogging.yaml
│ │ │ ├── SagemakerNotebookEncryption.yaml
│ │ │ ├── complex_jsonpath_if_condition/
│ │ │ │ └── example.yaml
│ │ │ ├── jsonpath_policy/
│ │ │ │ ├── fail_dict.json
│ │ │ │ ├── fail_str.json
│ │ │ │ └── pass_str.json
│ │ │ └── template_with_parameters_names_identical_to_default_values/
│ │ │ └── example.yaml
│ │ └── test_running_graph_checks.py
│ ├── image_referencer/
│ │ ├── __init__.py
│ │ ├── provider/
│ │ │ ├── __init__.py
│ │ │ └── test_aws.py
│ │ ├── resources/
│ │ │ └── aws/
│ │ │ ├── apprunner.yaml
│ │ │ ├── batch.yaml
│ │ │ ├── codebuild.yaml
│ │ │ ├── ecs.yaml
│ │ │ ├── lightsail.yaml
│ │ │ ├── sagemaker_image_version.yaml
│ │ │ └── sagemaker_model.yaml
│ │ ├── test_manager.py
│ │ └── test_runner_aws_resources.py
│ ├── parser/
│ │ ├── __init__.py
│ │ ├── cfn_bad_iam.yaml
│ │ ├── cfn_bad_name.yaml
│ │ ├── cfn_file.yaml
│ │ ├── cfn_file_circular.yaml
│ │ ├── cfn_file_resources.yaml
│ │ ├── cfn_newline_at_end.yaml
│ │ ├── cfn_nonewline_at_end.yaml
│ │ ├── cfn_with_ref.yaml
│ │ ├── cfn_with_ref_bad.yaml
│ │ ├── fail.json
│ │ ├── skip.yaml
│ │ ├── success.json
│ │ ├── success_triple_quotes_string.json
│ │ ├── test_cfn_json.py
│ │ ├── test_cfn_yaml.py
│ │ └── tfplan.json
│ ├── runner/
│ │ ├── __init__.py
│ │ ├── resources/
│ │ │ ├── cfn_newline_at_end.yaml
│ │ │ ├── double_statement_cloudsplaining.yml
│ │ │ ├── fail.yaml
│ │ │ ├── graph.yaml
│ │ │ ├── invalid.json
│ │ │ ├── invalid.yaml
│ │ │ ├── invalid_properties.json
│ │ │ ├── invalid_properties.yaml
│ │ │ ├── no_properties.json
│ │ │ ├── no_properties.yaml
│ │ │ ├── skip_sub_dict.json
│ │ │ ├── success.json
│ │ │ ├── suppress_graph_check.yaml
│ │ │ └── tags.yaml
│ │ └── test_runner.py
│ ├── test_graph_manager.py
│ ├── test_scanner_registry.py
│ └── utils/
│ ├── __init__.py
│ ├── file_formats/
│ │ ├── test.json
│ │ ├── test.yaml
│ │ └── test2.yaml
│ └── test_cfn_utils.py
├── common/
│ ├── __init__.py
│ ├── bridgecrew/
│ │ ├── __init__.py
│ │ ├── conftest.py
│ │ ├── test_wrapper.py
│ │ └── vulnerability_scanning/
│ │ ├── __init__.py
│ │ ├── conftest.py
│ │ ├── integrations/
│ │ │ ├── __init__.py
│ │ │ ├── test_docker_image_scanning.py
│ │ │ └── test_package_scanning.py
│ │ └── test_package_scanner.py
│ ├── check_assertion_utils.py
│ ├── checks/
│ │ ├── __init__.py
│ │ ├── extra_checks/
│ │ │ └── S3EnvironmentCheck.py
│ │ ├── extra_yaml_checks/
│ │ │ └── test_app.yaml
│ │ ├── test_base_check.py
│ │ ├── test_base_check_registry.py
│ │ └── test_graph_check_loading.py
│ ├── checks_infra/
│ │ ├── examples/
│ │ │ ├── invalid_definition.yaml
│ │ │ ├── missing_definition.yaml
│ │ │ ├── missing_metadata.yaml
│ │ │ ├── missing_metadata_category.yaml
│ │ │ ├── valid_check.yaml
│ │ │ ├── valid_check_tf.yaml
│ │ │ └── valid_check_tf_without_severity.yaml
│ │ ├── test-registry-data/
│ │ │ ├── invalid-yaml/
│ │ │ │ ├── data-not.yaml
│ │ │ │ └── empty.yaml
│ │ │ └── valid-yaml-invalid-check/
│ │ │ └── yaml.yaml
│ │ ├── test_checks_parser.py
│ │ ├── test_debug.py
│ │ └── test_registry.py
│ ├── conftest.py
│ ├── goget/
│ │ ├── __init__.py
│ │ ├── local_getter.py
│ │ ├── test_goget_base.py
│ │ └── test_goget_github.py
│ ├── graph/
│ │ ├── __init__.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── test_block.py
│ │ │ ├── test_policy_packaging.py
│ │ │ └── test_yaml_policies_base.py
│ │ └── graph_builder/
│ │ └── test_graph_builder_utils.py
│ ├── image_referencer/
│ │ └── test_utils.py
│ ├── images/
│ │ ├── __init__.py
│ │ └── test_base_image_referencer.py
│ ├── integration_features/
│ │ ├── __init__.py
│ │ ├── example_custom_policy_dir/
│ │ │ ├── cfn.yaml
│ │ │ ├── main.tf
│ │ │ └── msk.yaml
│ │ ├── resources/
│ │ │ └── main.tf
│ │ ├── test_custom_policies_integration.py
│ │ ├── test_fixes_integration.py
│ │ ├── test_integration_features.py
│ │ ├── test_licensing_integration.py
│ │ ├── test_policy_metadata_integration.py
│ │ ├── test_repo_config_integration.py
│ │ ├── test_suppressions_integration.py
│ │ └── test_vulnerabilities_integration.py
│ ├── output/
│ │ ├── __init__.py
│ │ ├── conftest.py
│ │ ├── fixtures/
│ │ │ ├── main.tf
│ │ │ └── main_2.tf
│ │ ├── test_baseline.py
│ │ ├── test_bom_report.py
│ │ ├── test_common.py
│ │ ├── test_cyclonedx_report.py
│ │ ├── test_get_exit_code.py
│ │ ├── test_gitlab_sast_report.py
│ │ ├── test_junit_report.py
│ │ ├── test_record.py
│ │ ├── test_report.py
│ │ ├── test_sarif_report.py
│ │ ├── test_secrets_get_exit_code.py
│ │ └── test_spdx.py
│ ├── resource_attr_to_omit_configs/
│ │ ├── combined.yml
│ │ ├── duplicated_key.yml
│ │ ├── first.yml
│ │ ├── multiple_keys.yml
│ │ ├── real_keys.yml
│ │ └── universal_key.yml
│ ├── runner_registry/
│ │ ├── __init__.py
│ │ ├── example_bicep_with_empty_resources/
│ │ │ └── playground.bicep
│ │ ├── example_empty_tf/
│ │ │ └── example_empty_file.tf
│ │ ├── example_empty_yaml/
│ │ │ └── example_empty_file.yaml
│ │ ├── example_multi_iac/
│ │ │ ├── cfn/
│ │ │ │ └── ExampleS3.yaml
│ │ │ ├── k8/
│ │ │ │ ├── nginx-statefulset-FAILED.yaml
│ │ │ │ └── scope-PASSED.yaml
│ │ │ └── tf/
│ │ │ ├── example.tf
│ │ │ └── terraform.tfvars
│ │ ├── example_s3_tf/
│ │ │ └── main.tf
│ │ ├── plan_module_skip_for_enrichment/
│ │ │ ├── mod_ref/
│ │ │ │ └── main.tf
│ │ │ └── tf/
│ │ │ ├── main.tf
│ │ │ └── tfplan.json
│ │ ├── plan_with_external_tf_modules_for_enrichment/
│ │ │ ├── log_group_external/
│ │ │ │ ├── main.tf
│ │ │ │ ├── outputs.tf
│ │ │ │ ├── variables.tf
│ │ │ │ └── versions.tf
│ │ │ ├── main.tf
│ │ │ ├── providers.tf
│ │ │ └── tfplan.json
│ │ ├── plan_with_for_each_for_enrichment/
│ │ │ ├── original/
│ │ │ │ └── main.tf
│ │ │ └── tf_plan.json
│ │ ├── plan_with_hcl_for_enrichment/
│ │ │ ├── dynamodb.tf
│ │ │ ├── iam.tf
│ │ │ ├── s3.tf
│ │ │ └── tfplan.json
│ │ ├── plan_with_tf_modules_for_enrichment/
│ │ │ ├── log_group/
│ │ │ │ └── main.tf
│ │ │ ├── main.tf
│ │ │ ├── providers.tf
│ │ │ └── tfplan.json
│ │ ├── test_runner_registry.py
│ │ └── test_runner_registry_plan_enrichment.py
│ ├── runners/
│ │ ├── filter_ignored_directories_by_values/
│ │ │ ├── dir1/
│ │ │ │ ├── dir2++/
│ │ │ │ │ └── file2.tf
│ │ │ │ ├── dir4/
│ │ │ │ │ └── file3.tf
│ │ │ │ └── file1.tf
│ │ │ ├── dir11/
│ │ │ │ └── dir2++/
│ │ │ │ └── file4.tf
│ │ │ └── dir33/
│ │ │ ├── dir2++/
│ │ │ │ └── file5.tf
│ │ │ └── file2.tf
│ │ ├── sample_dir/
│ │ │ ├── dir1/
│ │ │ │ ├── dir2/
│ │ │ │ │ └── file2.tf
│ │ │ │ ├── dir4/
│ │ │ │ │ └── file3.tf
│ │ │ │ └── file1.tf
│ │ │ ├── dir11/
│ │ │ │ └── dir2/
│ │ │ │ └── file4.tf
│ │ │ └── dir33/
│ │ │ ├── dir2/
│ │ │ │ └── file5.tf
│ │ │ └── file2.tf
│ │ └── test_base_runner.py
│ ├── sca/
│ │ ├── __init__.py
│ │ ├── reachability/
│ │ │ ├── __init__.py
│ │ │ ├── example_repo/
│ │ │ │ └── tsconfig.json
│ │ │ ├── nodejs/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── examples/
│ │ │ │ │ ├── babel/
│ │ │ │ │ │ ├── babel_config/
│ │ │ │ │ │ │ └── babel.config.js
│ │ │ │ │ │ └── babelrc/
│ │ │ │ │ │ └── .babelrc
│ │ │ │ │ ├── fake_file/
│ │ │ │ │ │ └── fake.babel.config.js
│ │ │ │ │ ├── mix/
│ │ │ │ │ │ ├── package_json_with_alias/
│ │ │ │ │ │ │ └── package.json
│ │ │ │ │ │ └── vite.config.js
│ │ │ │ │ ├── package_json/
│ │ │ │ │ │ ├── package_json_with_alias/
│ │ │ │ │ │ │ └── package.json
│ │ │ │ │ │ └── package_json_with_aliasify/
│ │ │ │ │ │ └── package.json
│ │ │ │ │ ├── rollup/
│ │ │ │ │ │ └── rollup.config.js
│ │ │ │ │ ├── snowpack/
│ │ │ │ │ │ └── snowpack.config.js
│ │ │ │ │ ├── tsconfig/
│ │ │ │ │ │ └── tsconfig.json
│ │ │ │ │ ├── vite/
│ │ │ │ │ │ └── vite.config.js
│ │ │ │ │ └── webpack/
│ │ │ │ │ └── webpack.config.js
│ │ │ │ └── test_javascript_alias_mapping_strategy.py
│ │ │ └── test_alias_mapping_creator.py
│ │ ├── test_commons.py
│ │ └── test_output.py
│ ├── secrets_omitter/
│ │ ├── __init__.py
│ │ └── test_secrets_omitter.py
│ ├── suppressions_resources/
│ │ └── suppressions.tf
│ ├── test_platform_integration.py
│ ├── test_resource_code_logger_filter.py
│ ├── test_runner_filter.py
│ └── utils/
│ ├── __init__.py
│ ├── conftest.py
│ ├── resources/
│ │ └── existing_file
│ ├── test_contextmanagers.py
│ ├── test_data_structures_utils.py
│ ├── test_docs_generator.py
│ ├── test_file_utils.py
│ ├── test_http_utils.py
│ ├── test_json_utils.py
│ ├── test_prompt.py
│ ├── test_secrets_utils.py
│ ├── test_str_utils.py
│ ├── test_tqdm_utils.py
│ ├── test_type_forcers.py
│ └── test_utils.py
├── config/
│ ├── TestCLIArgs.py
│ ├── TestConfigFile.py
│ ├── __init__.py
│ └── example_TestConfigFile/
│ └── config.yml
├── conftest.py
├── dockerfile/
│ ├── __init__.py
│ ├── checks/
│ │ ├── __init__.py
│ │ ├── example_AddExists/
│ │ │ └── failure/
│ │ │ └── Dockerfile
│ │ ├── example_AliasIsUnique/
│ │ │ ├── failure/
│ │ │ │ └── Dockerfile
│ │ │ ├── success/
│ │ │ │ └── Dockerfile
│ │ │ └── success_platform/
│ │ │ └── Dockerfile
│ │ ├── example_ExposePort22/
│ │ │ ├── failure/
│ │ │ │ └── Dockerfile
│ │ │ ├── failure_tcp/
│ │ │ │ └── Dockerfile
│ │ │ └── success/
│ │ │ └── Dockerfile
│ │ ├── example_HealthcheckExists/
│ │ │ ├── failure/
│ │ │ │ └── Dockerfile
│ │ │ └── success/
│ │ │ └── Dockerfile
│ │ ├── example_MaintainerExists/
│ │ │ └── failure/
│ │ │ └── Dockerfile
│ │ ├── example_ReferenceLatestTag/
│ │ │ ├── failure_default_version_tag/
│ │ │ │ └── Dockerfile
│ │ │ ├── failure_latest_version_tag/
│ │ │ │ └── Dockerfile
│ │ │ ├── success/
│ │ │ │ └── Dockerfile
│ │ │ ├── success_multi_stage/
│ │ │ │ └── Dockerfile
│ │ │ ├── success_multi_stage_capital/
│ │ │ │ └── Dockerfile
│ │ │ ├── success_multi_stage_platform/
│ │ │ │ └── Dockerfile
│ │ │ ├── success_multi_stage_scratch/
│ │ │ │ └── Dockerfile
│ │ │ └── success_scratch/
│ │ │ └── Dockerfile
│ │ ├── example_RootUser/
│ │ │ ├── failure/
│ │ │ │ └── Dockerfile
│ │ │ └── success/
│ │ │ └── Dockerfile
│ │ ├── example_RunUsingAPT/
│ │ │ ├── failure/
│ │ │ │ └── Dockerfile
│ │ │ ├── failure2/
│ │ │ │ └── Dockerfile
│ │ │ ├── failure3/
│ │ │ │ └── Dockerfile
│ │ │ ├── success/
│ │ │ │ └── Dockerfile
│ │ │ ├── success2/
│ │ │ │ └── Dockerfile
│ │ │ └── success3/
│ │ │ └── Dockerfile
│ │ ├── example_UpdateNotAlone/
│ │ │ ├── failure/
│ │ │ │ ├── Dockerfile
│ │ │ │ └── Dockerfile.simple
│ │ │ └── success/
│ │ │ └── Dockerfile
│ │ ├── example_UserExists/
│ │ │ ├── failure/
│ │ │ │ └── Dockerfile
│ │ │ └── success/
│ │ │ └── Dockerfile
│ │ ├── example_WorkdirIsAbsolute/
│ │ │ ├── failure/
│ │ │ │ ├── Dockerfile
│ │ │ │ └── Dockerfile.simple
│ │ │ └── success/
│ │ │ └── Dockerfile
│ │ ├── test_AddExists.py
│ │ ├── test_AliasIsUnique.py
│ │ ├── test_ExposePort22.py
│ │ ├── test_HealthcheckExists.py
│ │ ├── test_MaintainerExists.py
│ │ ├── test_ReferenceLatestTag.py
│ │ ├── test_RootUser.py
│ │ ├── test_RunUsingAPT.py
│ │ ├── test_UpdateNotAlone.py
│ │ ├── test_UserExists.py
│ │ └── test_WorkdirIsAbsolute.py
│ ├── graph_builder/
│ │ ├── __init__.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── resources/
│ │ │ │ ├── EnvGitSslNoVerify/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail/
│ │ │ │ │ │ ├── Dockerfile.basic
│ │ │ │ │ │ ├── Dockerfile.run.basic
│ │ │ │ │ │ ├── Dockerfile.run.quotes
│ │ │ │ │ │ ├── Dockerfile.run.shell
│ │ │ │ │ │ ├── Dockerfile.run.whitespace
│ │ │ │ │ │ └── Dockerfile.wilderness
│ │ │ │ │ └── pass/
│ │ │ │ │ └── Dockerfile
│ │ │ │ ├── EnvNodeTlsRejectUnauthorized/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail/
│ │ │ │ │ │ ├── Dockerfile.basic
│ │ │ │ │ │ ├── Dockerfile.run.basic
│ │ │ │ │ │ ├── Dockerfile.run.quotes
│ │ │ │ │ │ ├── Dockerfile.run.shell
│ │ │ │ │ │ └── Dockerfile.run.whitespace
│ │ │ │ │ └── pass/
│ │ │ │ │ └── Dockerfile
│ │ │ │ ├── EnvNpmConfigStrictSsl/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail/
│ │ │ │ │ │ ├── Dockerfile.basic
│ │ │ │ │ │ ├── Dockerfile.run.basic
│ │ │ │ │ │ ├── Dockerfile.run.quotes
│ │ │ │ │ │ ├── Dockerfile.run.shell
│ │ │ │ │ │ └── Dockerfile.run.whitespace
│ │ │ │ │ └── pass/
│ │ │ │ │ └── Dockerfile
│ │ │ │ ├── EnvPipTrustedHost/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail/
│ │ │ │ │ │ ├── Dockerfile.envvars
│ │ │ │ │ │ └── Dockerfile.run
│ │ │ │ │ └── pass/
│ │ │ │ │ └── Dockerfile
│ │ │ │ ├── EnvPythonHttpsVerify/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail/
│ │ │ │ │ │ ├── Dockerfile.basic
│ │ │ │ │ │ ├── Dockerfile.run.basic
│ │ │ │ │ │ ├── Dockerfile.run.quotes
│ │ │ │ │ │ ├── Dockerfile.run.shell
│ │ │ │ │ │ └── Dockerfile.run.whitespace
│ │ │ │ │ └── pass/
│ │ │ │ │ └── Dockerfile
│ │ │ │ ├── RunApkAllowUntrusted/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail/
│ │ │ │ │ │ └── Dockerfile
│ │ │ │ │ └── pass/
│ │ │ │ │ └── Dockerfile
│ │ │ │ ├── RunAptGetAllowUnauthenticated/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail/
│ │ │ │ │ │ └── Dockerfile
│ │ │ │ │ └── pass/
│ │ │ │ │ └── Dockerfile
│ │ │ │ ├── RunAptGetForceYes/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail/
│ │ │ │ │ │ └── Dockerfile
│ │ │ │ │ └── pass/
│ │ │ │ │ └── Dockerfile
│ │ │ │ ├── RunChpasswd/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail/
│ │ │ │ │ │ └── Dockerfile
│ │ │ │ │ └── pass/
│ │ │ │ │ └── Dockerfile
│ │ │ │ ├── RunNpmConfigSetStrictSsl/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail/
│ │ │ │ │ │ ├── Dockerfile.npm
│ │ │ │ │ │ ├── Dockerfile.wilderness
│ │ │ │ │ │ └── Dockerfile.yarn
│ │ │ │ │ └── pass/
│ │ │ │ │ └── Dockerfile
│ │ │ │ ├── RunPipTrustedHost/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail/
│ │ │ │ │ │ ├── Dockerfile.basic
│ │ │ │ │ │ ├── Dockerfile.multiline
│ │ │ │ │ │ └── Dockerfile.shell
│ │ │ │ │ └── pass/
│ │ │ │ │ └── Dockerfile
│ │ │ │ ├── RunRpmNoSignature/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail/
│ │ │ │ │ │ └── Dockerfile
│ │ │ │ │ └── pass/
│ │ │ │ │ └── Dockerfile
│ │ │ │ ├── RunUnsafeCurl/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail/
│ │ │ │ │ │ ├── Dockerfile.combo
│ │ │ │ │ │ ├── Dockerfile.long
│ │ │ │ │ │ ├── Dockerfile.multiline
│ │ │ │ │ │ ├── Dockerfile.shell
│ │ │ │ │ │ └── Dockerfile.short
│ │ │ │ │ └── pass/
│ │ │ │ │ └── Dockerfile
│ │ │ │ ├── RunUnsafeWget/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail/
│ │ │ │ │ │ ├── Dockerfile.basic
│ │ │ │ │ │ ├── Dockerfile.multiline
│ │ │ │ │ │ └── Dockerfile.shell
│ │ │ │ │ └── pass/
│ │ │ │ │ └── Dockerfile
│ │ │ │ ├── RunUsingSudo/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail/
│ │ │ │ │ │ └── Dockerfile
│ │ │ │ │ ├── fail_multiline/
│ │ │ │ │ │ └── Dockerfile
│ │ │ │ │ └── pass/
│ │ │ │ │ └── Dockerfile
│ │ │ │ ├── RunYumConfigManagerSslVerify/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail/
│ │ │ │ │ │ ├── Dockerfile.dnf-config-manager
│ │ │ │ │ │ ├── Dockerfile.whitespace
│ │ │ │ │ │ ├── Dockerfile.wilderness
│ │ │ │ │ │ └── Dockerfile.yum-config-manager
│ │ │ │ │ └── pass/
│ │ │ │ │ └── Dockerfile
│ │ │ │ └── RunYumNoGpgCheck/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail/
│ │ │ │ │ ├── Dockerfile.dnf
│ │ │ │ │ ├── Dockerfile.tdnf
│ │ │ │ │ ├── Dockerfile.wilderness
│ │ │ │ │ └── Dockerfile.yum
│ │ │ │ └── pass/
│ │ │ │ └── Dockerfile
│ │ │ └── test_yaml_policies.py
│ │ └── test_local_graph.py
│ ├── image_referencer/
│ │ ├── __init__.py
│ │ ├── resources/
│ │ │ ├── Dockerfile.multi_platform
│ │ │ ├── Dockerfile.multi_stage
│ │ │ └── Dockerfile.simple
│ │ ├── test_manager.py
│ │ ├── test_provider.py
│ │ └── test_runner_dockerfile_resources.py
│ ├── resources/
│ │ ├── __init__.py
│ │ ├── empty_dockerfile/
│ │ │ └── Dockerfile
│ │ ├── expose_port/
│ │ │ ├── fail/
│ │ │ │ └── Dockerfile
│ │ │ ├── pass/
│ │ │ │ └── Dockerfile
│ │ │ └── skip/
│ │ │ └── Dockerfile
│ │ ├── multiline_command/
│ │ │ └── Dockerfile
│ │ ├── name_variations/
│ │ │ ├── .Dockerfile
│ │ │ ├── Dockerfile.prod
│ │ │ └── prod.dockerfile
│ │ └── wildcard_skip/
│ │ └── Dockerfile
│ ├── test_graph_manager.py
│ ├── test_runner.py
│ └── test_utils.py
├── generic_json/
│ ├── __init__.py
│ ├── checks/
│ │ ├── __init__.py
│ │ ├── array/
│ │ │ ├── BarAndBazToggleIsTrue.py
│ │ │ └── __init__.py
│ │ ├── complex/
│ │ │ ├── ValueIsAtLeastTwo.py
│ │ │ └── __init__.py
│ │ ├── object/
│ │ │ ├── FooExists.py
│ │ │ ├── PropHasValue.py
│ │ │ └── __init__.py
│ │ └── result_config/
│ │ ├── FullEvaluatedKey.py
│ │ ├── NoEvaluatedKey.py
│ │ ├── PartialEvaluatedKey.py
│ │ └── __init__.py
│ ├── resources/
│ │ ├── array/
│ │ │ ├── fail/
│ │ │ │ ├── allFalse.json
│ │ │ │ └── oneFalse.json
│ │ │ └── pass/
│ │ │ └── pass.json
│ │ ├── complex/
│ │ │ ├── fail/
│ │ │ │ └── fail.json
│ │ │ └── pass/
│ │ │ └── pass.json
│ │ ├── object/
│ │ │ ├── fail/
│ │ │ │ ├── noFoo.json
│ │ │ │ ├── noProp.json
│ │ │ │ └── noValue.json
│ │ │ └── pass/
│ │ │ └── pass.json
│ │ └── result_config/
│ │ └── github_config.json
│ └── test_runner.py
├── generic_yaml/
│ ├── __init__.py
│ ├── checks/
│ │ ├── __init__.py
│ │ ├── array/
│ │ │ ├── BarAndBazToggleIsTrue.py
│ │ │ └── __init__.py
│ │ ├── complex/
│ │ │ ├── ValueIsAtLeastTwo.py
│ │ │ └── __init__.py
│ │ └── object/
│ │ ├── FooExists.py
│ │ ├── PropHasValue.py
│ │ └── __init__.py
│ ├── resources/
│ │ ├── array/
│ │ │ ├── fail/
│ │ │ │ ├── allFalse.yaml
│ │ │ │ └── oneFalse.yaml
│ │ │ └── pass/
│ │ │ └── pass.yaml
│ │ ├── complex/
│ │ │ ├── fail/
│ │ │ │ └── fail.yaml
│ │ │ └── pass/
│ │ │ └── pass.yaml
│ │ └── object/
│ │ ├── fail/
│ │ │ ├── noFoo.yaml
│ │ │ ├── noProp.yaml
│ │ │ └── noValue.yaml
│ │ ├── pass/
│ │ │ └── pass.yaml
│ │ └── skip/
│ │ └── skip.yaml
│ └── test_runner.py
├── github/
│ ├── __init__.py
│ ├── checks/
│ │ ├── __init__.py
│ │ ├── branch_security/
│ │ │ ├── GithubBranchDisallowDeletions/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail.json
│ │ │ │ └── pass.json
│ │ │ ├── GithubBranchDismissStaleReviews/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail.json
│ │ │ │ └── pass.json
│ │ │ ├── GithubBranchDismissalRestrictions/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail.json
│ │ │ │ └── pass.json
│ │ │ ├── GithubBranchRequireCodeOwnerReviews/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail.json
│ │ │ │ └── pass.json
│ │ │ ├── GithubBranchRequireConversationResolution/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail.json
│ │ │ │ └── pass.json
│ │ │ ├── GithubBranchRequirePushRestrictions/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail.json
│ │ │ │ └── pass.json
│ │ │ ├── GithubBranchRequireStatusChecks/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail.json
│ │ │ │ └── pass.json
│ │ │ ├── GithubDisallowInactiveBranch60Days/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail.json
│ │ │ │ └── pass.json
│ │ │ ├── GithubRequire2Approvals/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail1.json
│ │ │ │ ├── fail2.json
│ │ │ │ ├── fail3.json
│ │ │ │ └── pass.json
│ │ │ └── GithubRequireUpdatedBranch/
│ │ │ ├── expected.yaml
│ │ │ ├── fail1.json
│ │ │ ├── fail2.json
│ │ │ └── pass.json
│ │ ├── contribution_access/
│ │ │ ├── GithubMinimumAdminsInOrganization/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail_org_admins.json
│ │ │ │ └── pass_org_admins.json
│ │ │ ├── GithubRequireOrganizationIsVerified/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail1_org_metadata.json
│ │ │ │ ├── fail2_org_metadata.json
│ │ │ │ └── pass_org_metadata.json
│ │ │ └── GithubRequireStrictBasePermissionsRepository/
│ │ │ ├── expected.yaml
│ │ │ ├── fail_org_metadata.json
│ │ │ └── pass_org_metadata.json
│ │ ├── repo_management/
│ │ │ ├── GithubInternalRepositoryCreationIsLimited/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail1.json
│ │ │ │ ├── fail1_org_metadata.json
│ │ │ │ ├── fail2.json
│ │ │ │ ├── fail2_org_metadata.json
│ │ │ │ ├── pass.json
│ │ │ │ └── pass_org_metadata.json
│ │ │ ├── GithubIssueDeletionIsLimited/
│ │ │ │ ├── expected.yaml
│ │ │ │ └── pass.json
│ │ │ ├── GithubPrivateRepositoryCreationIsLimited/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail1.json
│ │ │ │ ├── fail1_org_metadata.json
│ │ │ │ ├── fail2.json
│ │ │ │ ├── fail2_org_metadata.json
│ │ │ │ ├── pass.json
│ │ │ │ └── pass_org_metadata.json
│ │ │ ├── GithubPublicRepositoryCreationIsLimited/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail1.json
│ │ │ │ ├── fail1_org_metadata.json
│ │ │ │ ├── fail2.json
│ │ │ │ ├── fail2_org_metadata.json
│ │ │ │ ├── pass.json
│ │ │ │ └── pass_org_metadata.json
│ │ │ └── GithubRepositoryDeletionIsLimited/
│ │ │ ├── expected.yaml
│ │ │ └── pass.json
│ │ └── test_python_policies.py
│ ├── resources/
│ │ └── github_conf/
│ │ ├── collaborators/
│ │ │ └── repository_collaborators.json
│ │ ├── empty_collabs/
│ │ │ └── repository_collaborators.json
│ │ ├── fail/
│ │ │ └── org_security.json
│ │ ├── pass/
│ │ │ └── org_security.json
│ │ ├── repo/
│ │ │ └── branch_protection.json
│ │ ├── repo_no_rules/
│ │ │ └── branch_protection_rules.json
│ │ └── webhooks/
│ │ ├── org_webhooks.json
│ │ ├── org_webhooks_fail.json
│ │ └── repository_webhooks.json
│ ├── test_dal.py
│ └── test_runner.py
├── github_actions/
│ ├── __init__.py
│ ├── checks/
│ │ ├── __init__.py
│ │ ├── extra_yaml_checks/
│ │ │ ├── JobsStepsConnection.yaml
│ │ │ ├── OnPush.yaml
│ │ │ └── SimpleAttribute.yaml
│ │ ├── graph_checks/
│ │ │ ├── __init__.py
│ │ │ ├── resources/
│ │ │ │ ├── ReadOnlyTopLevelPermissions/
│ │ │ │ │ ├── .github/
│ │ │ │ │ │ └── workflows/
│ │ │ │ │ │ ├── default.yaml
│ │ │ │ │ │ ├── fail.yaml
│ │ │ │ │ │ ├── pass.yaml
│ │ │ │ │ │ └── scope.yaml
│ │ │ │ │ └── expected.yaml
│ │ │ │ └── __init__.py
│ │ │ └── test_yaml_policies.py
│ │ └── test_extra_checks.py
│ ├── conftest.py
│ ├── gha/
│ │ └── .github/
│ │ └── workflows/
│ │ ├── bad_workflows_dispatch.yaml
│ │ ├── failed.yaml
│ │ ├── multi_file.yaml
│ │ ├── multiple_on_descendants.yaml
│ │ └── on_list.yaml
│ ├── graph_builder/
│ │ ├── __init__.py
│ │ └── test_local_graph.py
│ ├── resources/
│ │ ├── .github/
│ │ │ └── workflows/
│ │ │ ├── bad_format.yaml
│ │ │ ├── docker-slsa.yaml
│ │ │ ├── empty_jobs.yaml
│ │ │ ├── include_none_steps.yml
│ │ │ ├── list_workflow_dispatch.yml
│ │ │ ├── nested_jobs.yaml
│ │ │ ├── netcatreverseshell.yaml
│ │ │ ├── off_value.yaml
│ │ │ ├── shell_injection.yaml
│ │ │ ├── slsa-gen.yaml
│ │ │ ├── supply_chain.yaml
│ │ │ ├── suspectcurl.yaml
│ │ │ ├── unsecure_command.yaml
│ │ │ ├── workflow_dispatch.yaml
│ │ │ ├── workflow_with_image.yml
│ │ │ └── workflow_with_string_container.yml
│ │ └── graph.pkl
│ ├── test_graph_manager.py
│ ├── test_runner.py
│ ├── test_runner_auxiliary.py
│ ├── test_runner_resource_names.py
│ ├── test_runner_with_graph.py
│ └── test_schema_validation.py
├── gitlab/
│ ├── __init__.py
│ ├── resources/
│ │ └── gitlab_conf/
│ │ ├── fail/
│ │ │ ├── groups.json
│ │ │ └── merge_request_approval_conf.json
│ │ └── pass/
│ │ ├── groups.json
│ │ └── merge_request_approval_conf.json
│ └── test_runner.py
├── gitlab_ci/
│ ├── __init__.py
│ ├── conftest.py
│ ├── resources/
│ │ ├── alternative/
│ │ │ └── .gitlab-ci.yml
│ │ ├── curl/
│ │ │ └── .gitlab-ci.yml
│ │ ├── images/
│ │ │ └── .gitlab-ci.yml
│ │ ├── resource_images/
│ │ │ └── .gitlab-ci.yml
│ │ ├── rules/
│ │ │ └── .gitlab-ci.yml
│ │ └── two/
│ │ └── .gitlab-ci.yml
│ ├── test_resource_names.py
│ └── test_runner.py
├── graph_utils/
│ ├── __init__.py
│ └── utils.py
├── helm/
│ ├── __init__.py
│ ├── runner/
│ │ └── resources/
│ │ ├── image_referencer/
│ │ │ ├── Chart.yaml
│ │ │ ├── templates/
│ │ │ │ ├── _helpers.tpl
│ │ │ │ ├── deployment.yaml
│ │ │ │ ├── service.yaml
│ │ │ │ └── serviceaccount.yaml
│ │ │ └── values.yaml
│ │ ├── infrastructure/
│ │ │ └── helm-tiller/
│ │ │ └── pwnchart/
│ │ │ ├── Chart.yaml
│ │ │ ├── templates/
│ │ │ │ ├── _helpers.tpl
│ │ │ │ ├── clusterrole.yaml
│ │ │ │ └── clusterrolebinding.yaml
│ │ │ └── values.yaml
│ │ └── schema-registry/
│ │ ├── Chart.yaml
│ │ ├── charts/
│ │ │ ├── common-2.0.0.tgz
│ │ │ └── kafka-18.1.2.tgz
│ │ └── values.yaml
│ ├── test_runner.py
│ ├── test_runner_image_referencer.py
│ └── utils.py
├── kubernetes/
│ ├── __init__.py
│ ├── checks/
│ │ ├── __init__.py
│ │ ├── example_AllowPrivilegeEscalation/
│ │ │ ├── ds-nginx-ingress-FAILED.yaml
│ │ │ ├── nginx-app-FAILED.json
│ │ │ ├── oc-deploymentConfig-FAILED.yml
│ │ │ ├── oc-deploymentConfig-PASSED.yml
│ │ │ ├── pod-runas1000-PASSED.yaml
│ │ │ ├── pod-runas1000-malformed-PASSED.yaml
│ │ │ ├── pod-to-node-FAILED.yaml
│ │ │ └── rootDeployment-PASSED.yaml
│ │ ├── example_AllowedCapabilities/
│ │ │ ├── cassandra-FAILED.yaml
│ │ │ ├── cronjob-PASSED.yaml
│ │ │ ├── cronjob-UNKOWN.yaml
│ │ │ └── nginx-deployment-PASSED.yaml
│ │ ├── example_AllowedCapabilitiesSysAdmin/
│ │ │ ├── cronjob-PASSED.yaml
│ │ │ ├── pod-FAILED.yaml
│ │ │ └── pod-FAILED2.yaml
│ │ ├── example_ApiServerAdmissionControlAlwaysAdmit/
│ │ │ ├── ApiServerAdmissionControlAlwaysAdmit-FAILED.yaml
│ │ │ └── ApiServerAdmissionControlAlwaysAdmit-PASSED.yaml
│ │ ├── example_ApiServerAdmissionControlEventRateLimit/
│ │ │ ├── ApiServerAdmissionControlEventRateLimit-FAILED.yaml
│ │ │ └── ApiServerAdmissionControlEventRateLimit-PASSED.yaml
│ │ ├── example_ApiServerAlwaysPullImagesPlugin/
│ │ │ ├── ApiServerAlwaysPullImagesPlugin-FAILED.yaml
│ │ │ └── ApiServerAlwaysPullImagesPlugin-PASSED.yaml
│ │ ├── example_ApiServerAnonymousAuth/
│ │ │ ├── ApiServer-AnonymousAuth-False-PASSED.yaml
│ │ │ ├── ApiServer-AnonymousAuth-Missing-FAILED.yaml
│ │ │ └── ApiServer-AnonymousAuth-True-FAILED.yaml
│ │ ├── example_ApiServerAuditLog/
│ │ │ ├── ApiServer-FAILED.yaml
│ │ │ └── ApiServer-PASSED.yaml
│ │ ├── example_ApiServerAuditLogMaxAge/
│ │ │ ├── ApiServer-FAILED.yaml
│ │ │ └── ApiServer-PASSED.yaml
│ │ ├── example_ApiServerAuditLogMaxBackup/
│ │ │ ├── ApiServer-FAILED-2.yaml
│ │ │ ├── ApiServer-FAILED.yaml
│ │ │ └── ApiServer-PASSED.yaml
│ │ ├── example_ApiServerAuditLogMaxSize/
│ │ │ ├── ApiServer-FAILED-2.yaml
│ │ │ ├── ApiServer-FAILED.yaml
│ │ │ └── ApiServer-PASSED.yaml
│ │ ├── example_ApiServerAuthorizationModeNode/
│ │ │ ├── ApiServer-FAILED-2.yaml
│ │ │ ├── ApiServer-FAILED.yaml
│ │ │ └── ApiServer-PASSED.yaml
│ │ ├── example_ApiServerAuthorizationModeNotAlwaysAllow/
│ │ │ ├── ApiServer-FAILED-2.yaml
│ │ │ ├── ApiServer-FAILED.yaml
│ │ │ ├── ApiServer-PASSED-2.yaml
│ │ │ └── ApiServer-PASSED.yaml
│ │ ├── example_ApiServerAuthorizationModeRBAC/
│ │ │ ├── ApiServer-FAILED-2.yaml
│ │ │ ├── ApiServer-FAILED.yaml
│ │ │ ├── ApiServer-PASSED-2.yaml
│ │ │ └── ApiServer-PASSED.yaml
│ │ ├── example_ApiServerBasicAuthFile/
│ │ │ ├── ApiServerBasicAuthFile-FAILED.yaml
│ │ │ └── ApiServerBasicAuthFile-PASSED.yaml
│ │ ├── example_ApiServerEncryptionProviders/
│ │ │ ├── ApiServerEncryptionProviders-FAILED.yaml
│ │ │ └── ApiServerEncryptionProviders-PASSED.yaml
│ │ ├── example_ApiServerEtcdCaFile/
│ │ │ ├── example_ApiServerEtcdCaFile-FAILED.yaml
│ │ │ └── example_ApiServerEtcdCaFile-PASSED.yaml
│ │ ├── example_ApiServerEtcdCertAndKey/
│ │ │ ├── ApiServer-FAILED-2.yaml
│ │ │ ├── ApiServer-FAILED.yaml
│ │ │ └── ApiServer-PASSED.yaml
│ │ ├── example_ApiServerInsecureBindAddress/
│ │ │ ├── api-server-insecure-bind-address-FAILED.yaml
│ │ │ └── api-server-secure-bind-address-PASSED.yaml
│ │ ├── example_ApiServerInsecurePort/
│ │ │ ├── api-server-insecure-port-FAILED.yaml
│ │ │ └── api-server-insecure-port-PASSED.yaml
│ │ ├── example_ApiServerKubeletClientCertAndKey/
│ │ │ ├── ApiServer-FAILED-2.yaml
│ │ │ ├── ApiServer-FAILED.yaml
│ │ │ └── ApiServer-PASSED.yaml
│ │ ├── example_ApiServerKubeletHttps/
│ │ │ ├── ApiServer-FAILED.yaml
│ │ │ ├── ApiServer-PASSED-2.yaml
│ │ │ └── ApiServer-PASSED.yaml
│ │ ├── example_ApiServerNamespaceLifecyclePlugin/
│ │ │ ├── ApiServerNamespaceLifecyclePlugin-FAILED.yaml
│ │ │ └── ApiServerNamespaceLifecyclePlugin-PASSED.yaml
│ │ ├── example_ApiServerNodeRestrictionPlugin/
│ │ │ ├── ApiServerNodeRestrictionPlugin-FAILED.yaml
│ │ │ └── ApiServerNodeRestrictionPlugin-PASSED.yaml
│ │ ├── example_ApiServerPodSecurityPolicyPlugin/
│ │ │ ├── ApiServerPodSecurityPolicyPlugin-FAILED.yaml
│ │ │ └── ApiServerPodSecurityPolicyPlugin-PASSED.yaml
│ │ ├── example_ApiServerProfiling/
│ │ │ ├── ApiServer-FAILED-2.yaml
│ │ │ ├── ApiServer-FAILED.yaml
│ │ │ └── ApiServer-PASSED.yaml
│ │ ├── example_ApiServerRequestTimeout/
│ │ │ ├── api-server-request-timeout-FAILED.yaml
│ │ │ └── api-server-request-timeout-PASSED.yaml
│ │ ├── example_ApiServerSecurePort/
│ │ │ ├── api-server-secure-port-FAILED.yaml
│ │ │ ├── api-server-secure-port-PASSED.yaml
│ │ │ └── api-server-secure-port-PASSED_2.yaml
│ │ ├── example_ApiServerSecurityContextDenyPlugin/
│ │ │ ├── ApiServerSecurityContextDenyPlugin-FAILED.yaml
│ │ │ └── ApiServerSecurityContextDenyPlugin-PASSED.yaml
│ │ ├── example_ApiServerServiceAccountKeyFile/
│ │ │ ├── ApiServerServiceAccountKeyFile-FAILED.yaml
│ │ │ └── ApiServerServiceAccountKeyFile-PASSED.yaml
│ │ ├── example_ApiServerServiceAccountLookup/
│ │ │ ├── ApiServer-FAILED-2.yaml
│ │ │ ├── ApiServer-FAILED.yaml
│ │ │ └── ApiServer-PASSED.yaml
│ │ ├── example_ApiServerServiceAccountPlugin/
│ │ │ ├── ApiServerServiceAccountPlugin-FAILED.yaml
│ │ │ └── ApiServerServiceAccountPlugin-PASSED.yaml
│ │ ├── example_ApiServerStrongCryptographicCiphers/
│ │ │ ├── ApiServerStrongCryptographicCiphers-FAILED.yaml
│ │ │ └── ApiServerStrongCryptographicCiphers-PASSED.yaml
│ │ ├── example_ApiServerTlsCertAndKey/
│ │ │ ├── ApiServer-FAILED-2.yaml
│ │ │ ├── ApiServer-FAILED-3.yaml
│ │ │ ├── ApiServer-FAILED.yaml
│ │ │ └── ApiServer-PASSED.yaml
│ │ ├── example_ApiServerTokenAuthFile/
│ │ │ ├── ApiServerTokenAuthFile-FAILED.yaml
│ │ │ └── ApiServerTokenAuthFile-PASSED.yaml
│ │ ├── example_ApiServerkubeletCertificateAuthority/
│ │ │ ├── ApiServerkubeletCertificateAuthority-FAILED.yaml
│ │ │ └── ApiServerkubeletCertificateAuthority-PASSED.yaml
│ │ ├── example_ControllerManagerBindAddress/
│ │ │ ├── ControllerManagerBindAddress-FAILED-2.yaml
│ │ │ ├── ControllerManagerBindAddress-FAILED.yaml
│ │ │ └── ControllerManagerBindAddress-PASSED.yaml
│ │ ├── example_DangerousGitSync/
│ │ │ ├── Deployment-FAILED.yaml
│ │ │ ├── Deployment-PASSED.yaml
│ │ │ └── Deployment2-FAILED.yaml
│ │ ├── example_DefaultNamespace/
│ │ │ ├── default-k8s-service-and-sa-PASSED2.yaml
│ │ │ ├── nginx-statefulset-FAILED.yaml
│ │ │ └── scope-PASSED.yaml
│ │ ├── example_DefaultServiceAccount/
│ │ │ ├── DefaultServiceAccount-FAILED.yaml
│ │ │ ├── DefaultServiceAccount-FAILED2.yaml
│ │ │ └── DefaultServiceAccount-PASSED.yaml
│ │ ├── example_DefaultServiceAccountBinding/
│ │ │ ├── DefaultServiceAccountBinding-FAILED.yaml
│ │ │ └── DefaultServiceAccountBinding-PASSED.yaml
│ │ ├── example_DockerSocketVolume/
│ │ │ ├── CronJob-pass.yaml
│ │ │ ├── cloudwatch-agent-1PASSED-1FAILED.yaml
│ │ │ ├── scope-2PASSED-1FAILED.yaml
│ │ │ └── scope-UNKNOWN.yaml
│ │ ├── example_DropCapabilities/
│ │ │ ├── pod-drop-NET_RAW-capabilities-FAILED-MISSING.yaml
│ │ │ ├── pod-drop-NET_RAW-capabilities-PASSED.yaml
│ │ │ ├── pod-drop-all-capabilities-PASSED.yaml
│ │ │ ├── pod-drop-all-capabilities-PASSED2.yaml
│ │ │ └── pod-drop-none-FAILED.yaml
│ │ ├── example_EtcdAutoTls/
│ │ │ ├── Etcd-FAILED.yaml
│ │ │ ├── Etcd-PASSED-2.yaml
│ │ │ └── Etcd-PASSED.yaml
│ │ ├── example_EtcdCertAndKey/
│ │ │ ├── Etcd-FAILED-2.yaml
│ │ │ ├── Etcd-FAILED.yaml
│ │ │ └── Etcd-PASSED.yaml
│ │ ├── example_EtcdClientCertAuth/
│ │ │ ├── Etcd-FAILED-2.yaml
│ │ │ ├── Etcd-FAILED.yaml
│ │ │ └── Etcd-PASSED.yaml
│ │ ├── example_EtcdPeerFiles/
│ │ │ ├── EtcdPeerFiles-FAILED.yaml
│ │ │ └── EtcdPeerFiles-PASSED.yaml
│ │ ├── example_HostPort/
│ │ │ ├── DS-node-exporter-FAILED.yaml
│ │ │ ├── nginx-app-FAILED.yaml
│ │ │ └── nginx-app-PASSED.yaml
│ │ ├── example_ImageDigest/
│ │ │ ├── imageWithTagAndDigest-PASSED.yaml
│ │ │ ├── job-ImageTagLatest-FAILED.yaml
│ │ │ ├── kafka-PASSED.yaml
│ │ │ ├── kafka-withrepo-PASSED.yaml
│ │ │ └── storm-zookeeper-FAILED.json
│ │ ├── example_ImagePullPolicy/
│ │ │ ├── cassandra-PullPolicyAlways-PASSED.yaml
│ │ │ ├── imageWithDigest-DefaultPullPolicy-PASSED.yaml
│ │ │ ├── imageWithDigest-PullPolicyAlways-PASSED.yaml
│ │ │ ├── job-ImageTagLatest-PASSED.yaml
│ │ │ ├── kafka-PullPolicyAlways-PASSED.yaml
│ │ │ ├── replctrl-PullIfNotPresent-FAILED.yaml
│ │ │ ├── storm-nimbus-ImageUntagged-PASSED.json
│ │ │ └── wordpress-ImageTagged-DefaultPullPolicy-FAILED.yaml
│ │ ├── example_ImageTagFixed/
│ │ │ ├── imageWithDigest-PASSED.yaml
│ │ │ ├── imageWithTagAndDigest-PASSED.yaml
│ │ │ ├── job-ImageTagLatest-FAILED.yaml
│ │ │ ├── kafka-ImageWithRepo-PASSED.yaml
│ │ │ ├── kafka-PASSED.yaml
│ │ │ └── storm-zookeeper-FAILED.json
│ │ ├── example_KubeControllerManagerBlockProfiles/
│ │ │ ├── ApiServer-FAILED.yaml
│ │ │ ├── ApiServer-FAILED_2.yaml
│ │ │ └── ApiServer-PASSED.yaml
│ │ ├── example_KubeControllerManagerRootCAFile/
│ │ │ ├── ApiServer-FAILED.yaml
│ │ │ ├── ApiServer-PASSED.yaml
│ │ │ └── ApiServer-PASSED_2.yaml
│ │ ├── example_KubeControllerManagerServiceAccountCredentials/
│ │ │ ├── ApiServer-FAILED-2.yaml
│ │ │ ├── ApiServer-FAILED.yaml
│ │ │ └── ApiServer-PASSED.yaml
│ │ ├── example_KubeControllerManagerServiceAccountPrivateKeyFile/
│ │ │ ├── ApiServer-FAILED.yaml
│ │ │ ├── ApiServer-PASSED-2.yaml
│ │ │ └── ApiServer-PASSED.yaml
│ │ ├── example_KubeControllerManagerTerminatedPods/
│ │ │ ├── ApiServer-FAILED-2.yaml
│ │ │ ├── ApiServer-FAILED.yaml
│ │ │ ├── ApiServer-PASSED-2.yaml
│ │ │ └── ApiServer-PASSED.yaml
│ │ ├── example_KubeletAnonymousAuth/
│ │ │ ├── KubeletAnonymousAuth-FAILED.yaml
│ │ │ └── KubeletAnonymousAuth-PASSED.yaml
│ │ ├── example_KubeletAuthorizationModeNotAlwaysAllow/
│ │ │ ├── KubeletAuthorizationModeNotAlwaysAllow-FAILED.yaml
│ │ │ └── KubeletAuthorizationModeNotAlwaysAllow-PASSED.yaml
│ │ ├── example_KubeletClientCa/
│ │ │ ├── KubeletClientCa-FAILED.yaml
│ │ │ └── KubeletClientCa-PASSED.yaml
│ │ ├── example_KubeletCryptographicCiphers/
│ │ │ ├── KubeletCryptographicCiphers-FAILED.yaml
│ │ │ └── KubeletCryptographicCiphers-PASSED.yaml
│ │ ├── example_KubeletHostnameOverride/
│ │ │ ├── KubeletHostnameOverride-FAILED.yaml
│ │ │ └── KubeletHostnameOverride-PASSED.yaml
│ │ ├── example_KubeletKeyFilesSetAppropriate/
│ │ │ ├── KubeletKeyFilesSetAppropriate-FAILED.yaml
│ │ │ └── KubeletKeyFilesSetAppropriate-PASSED.yaml
│ │ ├── example_KubeletMakeIptablesUtilChains/
│ │ │ ├── KubeletMakeIptablesUtilChains-FAILED.yaml
│ │ │ └── KubeletMakeIptablesUtilChains-PASSED.yaml
│ │ ├── example_KubeletProtectKernelDefaults/
│ │ │ ├── KubeletProtectKernelDefaults-FAILED.yaml
│ │ │ └── KubeletProtectKernelDefaults-PASSED.yaml
│ │ ├── example_KubeletReadOnlyPort/
│ │ │ ├── KubeletReadOnlyPort-FAILED.yaml
│ │ │ └── KubeletReadOnlyPort-PASSED.yaml
│ │ ├── example_KubeletStreamingConnectionIdleTimeout/
│ │ │ ├── KubeletStreamingConnectionIdleTimeout-FAILED.yaml
│ │ │ └── KubeletStreamingConnectionIdleTimeout-PASSED.yaml
│ │ ├── example_KubernetesDashboard/
│ │ │ ├── kube-dashboard-FAILED.yaml
│ │ │ ├── kube-dashboard-no-image-FAILED.yaml
│ │ │ ├── kube-dashboard-no-image-PASSED.yaml
│ │ │ ├── kubernetes-dashboard-deployment.yaml
│ │ │ ├── nginx-deployment-FAILED.yaml
│ │ │ └── nginx-deployment-PASSED.yaml
│ │ ├── example_KubletEventCapture/
│ │ │ ├── KubletEventCapture-FAILED.yaml
│ │ │ └── KubletEventCapture-PASSED.yaml
│ │ ├── example_KubletRotateCertificates/
│ │ │ ├── KubletRotateCertificates-FAILED.yaml
│ │ │ └── KubletRotateCertificates-PASSED.yaml
│ │ ├── example_LivenessReadiness/
│ │ │ ├── pod-liveness-readiness-2pods.yaml
│ │ │ └── pod-liveness-readiness-PASSED.yaml
│ │ ├── example_NginxIngressCVE202125742/
│ │ │ ├── annotation1-FAILED.yaml
│ │ │ ├── annotation2-nollua-PASSESONEFAILSONE.yaml
│ │ │ ├── annotation3-alias.yaml
│ │ │ └── noannotations-PASSED.yaml
│ │ ├── example_NoDefaultNamespace/
│ │ │ └── Dev-PASSED.yaml
│ │ ├── example_PSP/
│ │ │ ├── psp-most-insecure-FAILED.yaml
│ │ │ ├── psp-no-annotations-FAILED.yml
│ │ │ └── psp-restricted-PASSED.yaml
│ │ ├── example_PeerClientCertAuthTrue/
│ │ │ ├── PeerClientCertAuthTrue-FAILED.yaml
│ │ │ ├── PeerClientCertAuthTrue-FAILED2.yaml
│ │ │ ├── PeerClientCertAuthTrue-PASSED.yaml
│ │ │ └── PeerClientCertAuthTrue-UNKNOWN.yaml
│ │ ├── example_PrivilegedContainers/
│ │ │ ├── nginx-deployment-PASSED.yaml
│ │ │ ├── privilegedDaemonSet-FAILED.yaml
│ │ │ └── privilegedPod-FAILED.yaml
│ │ ├── example_RbacApproveCertificateSigningRequests/
│ │ │ ├── clusterrole-failed-1.yaml
│ │ │ ├── clusterrole-failed-2.yaml
│ │ │ ├── clusterrole-failed-3.yaml
│ │ │ ├── clusterrole-passed-1.yaml
│ │ │ └── clusterrole-passed-2.yaml
│ │ ├── example_RbacBindRoleBindings/
│ │ │ ├── clusterrole-failed-1.yaml
│ │ │ ├── clusterrole-passed-1.yaml
│ │ │ ├── role-failed-2.yaml
│ │ │ └── role-passed-2.yaml
│ │ ├── example_RbacControlWebhooks/
│ │ │ ├── clusterrole-failed-1.yaml
│ │ │ ├── clusterrole-failed-2.yaml
│ │ │ ├── clusterrole-passed-1.yaml
│ │ │ └── clusterrole-passed-2.yaml
│ │ ├── example_RbacEscalateRoles/
│ │ │ ├── clusterrole-failed-1.yaml
│ │ │ ├── clusterrole-passed-1.yaml
│ │ │ ├── role-failed-2.yaml
│ │ │ └── role-passed-2.yaml
│ │ ├── example_ReadOnlyFilesystem/
│ │ │ ├── frontend-replicaset-FAILED.yaml
│ │ │ ├── pod-readonly-PASSED.yaml
│ │ │ └── pod-readonly-false-FAILED.yaml
│ │ ├── example_Requests_Limits/
│ │ │ ├── cronjob-request-limit-1FAILED.yaml
│ │ │ ├── pod-requests-limits-1FAILED1PASSED.yaml
│ │ │ ├── pod-requests-limits-2PASSED.yaml
│ │ │ ├── pod-requests-limits-UNKNOWN.yaml
│ │ │ └── pod-requests-limits-UNKNOWN2.yaml
│ │ ├── example_RootContainers/
│ │ │ ├── rootContainersFAILED-malformed-spec.yaml
│ │ │ ├── rootContainersFAILED.yaml
│ │ │ ├── rootContainersFAILED_2.yaml
│ │ │ ├── rootContainersPASSED.yaml
│ │ │ └── rootContainersUNKNOWN.yaml
│ │ ├── example_RootContainersHighUID/
│ │ │ ├── rootContainersHighUIDFAILED.yaml
│ │ │ ├── rootContainersHighUIDPASSED.yaml
│ │ │ └── rootContainersHighUIDUNKNOWN.yaml
│ │ ├── example_RootContainersPSP/
│ │ │ ├── MustRunAsNonRoot-PASSED.yaml
│ │ │ ├── RunAsUserRange-FAILED.yaml
│ │ │ ├── RunAsUserRange-PASSED.yaml
│ │ │ └── psp-most-insecure-FAILED.yaml
│ │ ├── example_RotateKubeletServerCertificate/
│ │ │ ├── KubeControllerManagerRotateKubeletServerCertificate-FAILED.yaml
│ │ │ ├── KubeControllerManagerRotateKubeletServerCertificate-PASSED.yaml
│ │ │ ├── KubletRotateKubeletServerCertificate-FAILED.yaml
│ │ │ └── KubletRotateKubeletServerCertificate-PASSED.yaml
│ │ ├── example_SchedulerBindAddress/
│ │ │ ├── SchedulerBindAddress-FAILED-2.yaml
│ │ │ ├── SchedulerBindAddress-FAILED.yaml
│ │ │ └── SchedulerBindAddress-PASSED.yaml
│ │ ├── example_SchedulerProfiling/
│ │ │ ├── SchedulerProfiling-FAILED.yaml
│ │ │ └── SchedulerProfiling-PASSED.yaml
│ │ ├── example_Seccomp/
│ │ │ ├── cronjob-seccomp-FAILED.yaml
│ │ │ ├── cronjob-seccomp-PASSED.yaml
│ │ │ ├── cronjob-seccomp-PASSED2.yaml
│ │ │ ├── cronjob-seccomp-PASSED3.yaml
│ │ │ ├── cronjob-seccomp-securityContext-PASSED.yaml
│ │ │ ├── pod-seccomp-FAILED.yaml
│ │ │ ├── pod-seccomp-FAILED2.yaml
│ │ │ ├── pod-seccomp-FAILED3.yaml
│ │ │ ├── pod-seccomp-PASSED.yaml
│ │ │ ├── pod-seccomp-PASSED2.yaml
│ │ │ ├── pod-seccomp-PASSED3.yaml
│ │ │ ├── pod-seccomp-PASSED4.yaml
│ │ │ ├── pod-seccomp-PASSED5.yaml
│ │ │ ├── pod-seccomp-PASSED6.yaml
│ │ │ ├── pod-seccomp-PASSED7.yaml
│ │ │ └── template.yaml
│ │ ├── example_Secrets/
│ │ │ ├── nginx-NoSecret-PASSED.yaml
│ │ │ ├── pod-secretEnvironment-FAILED.yaml
│ │ │ ├── pod-secretVolume-PASSED.yaml
│ │ │ └── pod-secretsEnvironment-UNKNOWN.yaml
│ │ ├── example_SecurityContexts/
│ │ │ ├── frontend-replicaset-both-FAILED.yaml
│ │ │ ├── pod-container-FAILED_malformed_spec.yaml
│ │ │ ├── pod-container-both-PASSED.yaml
│ │ │ ├── podFAILED-containerPASSED.yaml
│ │ │ └── podPassed-containerFailed.yaml
│ │ ├── example_ServiceAccountTokens/
│ │ │ ├── ServiceAccountTokensFAILED.yaml
│ │ │ ├── ServiceAccountTokensPASSED.yaml
│ │ │ └── ServiceAccountTokensUNKNOWN.yaml
│ │ ├── example_ShareHost/
│ │ │ ├── cronjob-hostresources-FAILED.yaml
│ │ │ ├── jenkinsDeployment-PASSED.yaml
│ │ │ ├── memcachedStatefulSet-PASSED.yaml
│ │ │ ├── privilegedDaemonSet-FAILED.yaml
│ │ │ ├── privilegedPod-FAILED.yaml
│ │ │ └── privilegedPod-PASS.yaml
│ │ ├── example_Suppressed/
│ │ │ └── suppress-checks-PASSED.yaml
│ │ ├── example_Tiller/
│ │ │ ├── nginx-deployment-PASSED.yaml
│ │ │ └── tiller-deployment.json
│ │ ├── example_TillerDeploymentListener/
│ │ │ ├── nginx-deployment-UNKNOWN.yaml
│ │ │ ├── tiller-deployment_FAILED.json
│ │ │ ├── tiller-deployment_FAILED_WRONGARG.yaml
│ │ │ ├── tiller-deployment_PASSED_LOCALHOST.json
│ │ │ └── tiller-deployment_PASSED_LOOPBACK.json
│ │ ├── example_TillerService/
│ │ │ └── tiller-services.yaml
│ │ ├── example_WildcardEntities/
│ │ │ └── nginx-app.yaml
│ │ ├── example_WildcardRoles/
│ │ │ ├── role-failed-1.yaml
│ │ │ ├── role-failed-2.yaml
│ │ │ ├── role-failed-3.yaml
│ │ │ ├── role-passed-1.yaml
│ │ │ └── role-passed-2.yaml
│ │ ├── test_AllowPrivilegeEscalationPSP.py
│ │ ├── test_AllowProvilegeEscalation.py
│ │ ├── test_AllowedCapabilities.py
│ │ ├── test_AllowedCapabilitiesPSP.py
│ │ ├── test_AllowedCapabilitiesSysAdmin.py
│ │ ├── test_ApiServerAdmissionControlAlwaysAdmit.py
│ │ ├── test_ApiServerAdmissionControlEventRateLimit.py
│ │ ├── test_ApiServerAlwaysPullImagesPlugin.py
│ │ ├── test_ApiServerAnonymousAuth.py
│ │ ├── test_ApiServerAuditLog.py
│ │ ├── test_ApiServerAuditLogMaxAge.py
│ │ ├── test_ApiServerAuditLogMaxBackup.py
│ │ ├── test_ApiServerAuditLogMaxSize.py
│ │ ├── test_ApiServerAuthorizationModeNode.py
│ │ ├── test_ApiServerAuthorizationModeNotAlwaysAllow.py
│ │ ├── test_ApiServerAuthorizationModeRBAC.py
│ │ ├── test_ApiServerBasicAuthFile.py
│ │ ├── test_ApiServerEncryptionProviders.py
│ │ ├── test_ApiServerEtcdCaFile.py
│ │ ├── test_ApiServerEtcdCertAndKey.py
│ │ ├── test_ApiServerInsecureBindAddress.py
│ │ ├── test_ApiServerInsecurePort.py
│ │ ├── test_ApiServerKubeletClientCertAndKey.py
│ │ ├── test_ApiServerKubeletHttps.py
│ │ ├── test_ApiServerNamespaceLifecyclePlugin.py
│ │ ├── test_ApiServerNodeRestrictionPlugin.py
│ │ ├── test_ApiServerPodSecurityPolicyPlugin.py
│ │ ├── test_ApiServerProfiling.py
│ │ ├── test_ApiServerRequestTimeout.py
│ │ ├── test_ApiServerSecurePort.py
│ │ ├── test_ApiServerSecurityContextDenyPlugin.py
│ │ ├── test_ApiServerServiceAccountKeyFile.py
│ │ ├── test_ApiServerServiceAccountLookup.py
│ │ ├── test_ApiServerServiceAccountPlugin.py
│ │ ├── test_ApiServerStrongCryptographicCiphers.py
│ │ ├── test_ApiServerTlsCertAndKey.py
│ │ ├── test_ApiServerTokenAuthFile.py
│ │ ├── test_ApiServerkubeletCertificateAuthority.py
│ │ ├── test_CPULimits.py
│ │ ├── test_CPURequests.py
│ │ ├── test_ContainerSecurityContext.py
│ │ ├── test_ControllerManagerBindAddress.py
│ │ ├── test_DangerousGitSync.py
│ │ ├── test_DefaultNamespace.py
│ │ ├── test_DefaultServiceAccount.py
│ │ ├── test_DefaultServiceAccountBinding.py
│ │ ├── test_DockerSocketVolume.py
│ │ ├── test_DropCapabilities.py
│ │ ├── test_DropCapabilitiesPSP.py
│ │ ├── test_EtcdAutoTls.py
│ │ ├── test_EtcdCertAndKey.py
│ │ ├── test_EtcdClientCertAuth.py
│ │ ├── test_EtcdPeerFiles.py
│ │ ├── test_HostPort.py
│ │ ├── test_ImageDigest.py
│ │ ├── test_ImagePullPolicyAlways.py
│ │ ├── test_ImageTagFixed.py
│ │ ├── test_KubeControllerManagerBlockProfiles.py
│ │ ├── test_KubeControllerManagerRootCAFile.py
│ │ ├── test_KubeControllerManagerServiceAccountCredentials.py
│ │ ├── test_KubeControllerManagerServiceAccountPrivateKeyFile.py
│ │ ├── test_KubeControllerManagerTerminatedPods.py
│ │ ├── test_KubeletAnonymousAuth.py
│ │ ├── test_KubeletAuthorizationModeNotAlwaysAllow.py
│ │ ├── test_KubeletClientCa.py
│ │ ├── test_KubeletCryptographicCiphers.py
│ │ ├── test_KubeletHostnameOverride.py
│ │ ├── test_KubeletKeyFilesSetAppropriate.py
│ │ ├── test_KubeletMakeIptablesUtilChains.py
│ │ ├── test_KubeletProtectKernelDefaults.py
│ │ ├── test_KubeletReadOnlyPort.py
│ │ ├── test_KubeletStreamingConnectionIdleTimeout.py
│ │ ├── test_KubernetesDashboard.py
│ │ ├── test_KubletEventCapture.py
│ │ ├── test_KubletRotateCertificates.py
│ │ ├── test_LivenessProbe.py
│ │ ├── test_MemoryLimits.py
│ │ ├── test_MemoryRequests.py
│ │ ├── test_MinimizeCapabilities.py
│ │ ├── test_MinimizeCapabilitiesPSP.py
│ │ ├── test_NginxIngressCVE202125742Alias.py
│ │ ├── test_NginxIngressCVE202125742AllSnippets.py
│ │ ├── test_NginxIngressCVE202125742Lua.py
│ │ ├── test_PeerClientCertAuthTrue.py
│ │ ├── test_PodSecurityContext.py
│ │ ├── test_PrivilegedContainers.py
│ │ ├── test_PrivilegedContainersPSP.py
│ │ ├── test_RbacApproveCertificateSigningRequests.py
│ │ ├── test_RbacBindRoleBindings.py
│ │ ├── test_RbacControlWebhooks.py
│ │ ├── test_RbacEscalateRoles.py
│ │ ├── test_ReadOnlyFilesystem.py
│ │ ├── test_ReadinessProbe.py
│ │ ├── test_RootContainers.py
│ │ ├── test_RootContainersHighUID.py
│ │ ├── test_RootContainersPSP.py
│ │ ├── test_RotateKubeletServerCertificate.py
│ │ ├── test_SchedulerBindAddressy.py
│ │ ├── test_SchedulerProfiling.py
│ │ ├── test_Seccomp.py
│ │ ├── test_SeccompPSP.py
│ │ ├── test_Secrets.py
│ │ ├── test_ServiceAccountTokens.py
│ │ ├── test_ShareHostIPC.py
│ │ ├── test_ShareHostIPCPSP.py
│ │ ├── test_ShareHostPID.py
│ │ ├── test_ShareHostPIDPSP.py
│ │ ├── test_SharedHostNetworkNamespace.py
│ │ ├── test_SharedHostNetworkNamespacePSP.py
│ │ ├── test_SuppressedAnnotations.py
│ │ ├── test_Tiller.py
│ │ ├── test_TillerDeploymentListener.py
│ │ ├── test_TillerService.py
│ │ ├── test_WildcardRoles.py
│ │ ├── test_k8s_check_utils.py
│ │ └── test_wildcard_entities.py
│ ├── graph/
│ │ ├── __init__.py
│ │ ├── base_graph_tests.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── resources/
│ │ │ │ ├── AllowPrivilegeEscalation/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── template.yaml
│ │ │ │ ├── AllowedCapabilities/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── template.yaml
│ │ │ │ ├── ImpersonatePermissions/
│ │ │ │ │ ├── Failing/
│ │ │ │ │ │ ├── 1/
│ │ │ │ │ │ │ ├── clusterrole1.yaml
│ │ │ │ │ │ │ └── clusterrolebinding1.yaml
│ │ │ │ │ │ ├── 2/
│ │ │ │ │ │ │ ├── clusterrole2.yaml
│ │ │ │ │ │ │ └── clusterrolebinding2.yaml
│ │ │ │ │ │ └── 3/
│ │ │ │ │ │ ├── Role.yaml
│ │ │ │ │ │ └── RoleBinding.yaml
│ │ │ │ │ ├── Passing/
│ │ │ │ │ │ └── 1/
│ │ │ │ │ │ ├── clusterrole1.yaml
│ │ │ │ │ │ └── clusterrolebinding1.yaml
│ │ │ │ │ └── expected.yaml
│ │ │ │ ├── IsNotEmpty/
│ │ │ │ │ ├── Failing/
│ │ │ │ │ │ └── deployment.yaml
│ │ │ │ │ ├── Passing/
│ │ │ │ │ │ └── deployment.yaml
│ │ │ │ │ └── expected.yaml
│ │ │ │ ├── ModifyServicesStatus/
│ │ │ │ │ ├── Failing/
│ │ │ │ │ │ ├── 1/
│ │ │ │ │ │ │ ├── FailingClusterRole.yaml
│ │ │ │ │ │ │ └── FailingClusterRoleBinding.yaml
│ │ │ │ │ │ └── 2/
│ │ │ │ │ │ ├── FailingClusterRole.yaml
│ │ │ │ │ │ └── FailingClusterRoleBinding.yaml
│ │ │ │ │ ├── Passing/
│ │ │ │ │ │ ├── 1/
│ │ │ │ │ │ │ ├── PassingClusterRole.yaml
│ │ │ │ │ │ │ └── PassingClusterRoleBinding.yaml
│ │ │ │ │ │ └── 2/
│ │ │ │ │ │ ├── PassingClusterRole.yaml
│ │ │ │ │ │ └── PassingClusterRoleBinding.yaml
│ │ │ │ │ └── expected.yaml
│ │ │ │ ├── NoCreateNodesProxyOrPodsExec/
│ │ │ │ │ ├── Failing/
│ │ │ │ │ │ ├── 1/
│ │ │ │ │ │ │ ├── clusterrole1.yaml
│ │ │ │ │ │ │ └── clusterrolebinding1.yaml
│ │ │ │ │ │ ├── 2/
│ │ │ │ │ │ │ ├── clusterrole2.yaml
│ │ │ │ │ │ │ └── clusterrolebinding2.yaml
│ │ │ │ │ │ ├── 3/
│ │ │ │ │ │ │ ├── role3.yaml
│ │ │ │ │ │ │ └── rolebinding3.yaml
│ │ │ │ │ │ └── 4/
│ │ │ │ │ │ ├── clusterrole4.yaml
│ │ │ │ │ │ ├── clusterrolebinding4.yaml
│ │ │ │ │ │ └── pod4.yaml
│ │ │ │ │ ├── Passing/
│ │ │ │ │ │ ├── 1/
│ │ │ │ │ │ │ ├── clusterrole1.yaml
│ │ │ │ │ │ │ └── clusterrolebinding1.yaml
│ │ │ │ │ │ └── 2/
│ │ │ │ │ │ ├── clusterrole2.yaml
│ │ │ │ │ │ └── clusterrolebinding2.yaml
│ │ │ │ │ └── expected.yaml
│ │ │ │ ├── NoDefaultNamespace/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── template.yaml
│ │ │ │ ├── PodIsPubliclyAccessibleExample/
│ │ │ │ │ ├── Failing/
│ │ │ │ │ │ ├── Pod.yaml
│ │ │ │ │ │ └── Service.yaml
│ │ │ │ │ ├── Passing/
│ │ │ │ │ │ ├── Pod.yaml
│ │ │ │ │ │ └── Service.yaml
│ │ │ │ │ └── expected.yaml
│ │ │ │ ├── ReadAllSecrets/
│ │ │ │ │ ├── Failing/
│ │ │ │ │ │ ├── ClusterRole.yaml
│ │ │ │ │ │ └── ClusterRoleBinding.yaml
│ │ │ │ │ ├── Passing/
│ │ │ │ │ │ ├── ClusterRole.yaml
│ │ │ │ │ │ ├── ClusterRoleBinding.yaml
│ │ │ │ │ │ └── RoleResourceName.yaml
│ │ │ │ │ └── expected.yaml
│ │ │ │ ├── RequireAllPodsToHaveNetworkPolicy/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── template.yaml
│ │ │ │ └── RoleBindingPE/
│ │ │ │ ├── Failing1/
│ │ │ │ │ ├── FailingClusterRole.yaml
│ │ │ │ │ └── FailingClusterRoleBinding.yaml
│ │ │ │ ├── Failing2/
│ │ │ │ │ ├── FailingClusterRole.yaml
│ │ │ │ │ └── FailingClusterRoleBinding.yaml
│ │ │ │ ├── Failing3/
│ │ │ │ │ ├── FailingRole.yaml
│ │ │ │ │ └── FailingRoleBinding.yaml
│ │ │ │ ├── Passing1/
│ │ │ │ │ ├── PassingClusterRole.yaml
│ │ │ │ │ └── PassingClusterRoleBinding.yaml
│ │ │ │ ├── Passing2/
│ │ │ │ │ ├── PassingClusterRole.yaml
│ │ │ │ │ └── PassingClusterRoleBinding.yaml
│ │ │ │ ├── Passing3/
│ │ │ │ │ └── PassingClusterRoleBinding.yaml
│ │ │ │ └── expected.yaml
│ │ │ ├── test_checks/
│ │ │ │ ├── AllowPrivilegeEscalation.yaml
│ │ │ │ ├── AllowedCapabilities.yaml
│ │ │ │ ├── DefaultNamespace.yaml
│ │ │ │ ├── IsNotEmpty.yaml
│ │ │ │ ├── NoDefaultNamespace.yaml
│ │ │ │ └── PodIsPubliclyAccessibleExample.yaml
│ │ │ └── test_yaml_policies.py
│ │ ├── resources/
│ │ │ ├── Keyword/
│ │ │ │ ├── clusterrolebinding.yaml
│ │ │ │ ├── network-policy-attached.yaml
│ │ │ │ └── pod_service_account.yaml
│ │ │ ├── LabelSelector/
│ │ │ │ ├── label_selector_match.yaml
│ │ │ │ ├── label_selector_multiple_resources.yaml
│ │ │ │ └── label_selector_non_match.yaml
│ │ │ ├── custom_resource.yaml
│ │ │ ├── definitions/
│ │ │ │ ├── .hidden/
│ │ │ │ │ └── graph_check.yaml
│ │ │ │ └── custom_resource.yaml
│ │ │ ├── faulty_resources/
│ │ │ │ ├── deployment_missing_metadata.yaml
│ │ │ │ ├── incompatible_clusterrolebinding.yaml
│ │ │ │ └── incompatible_selector.yaml
│ │ │ ├── graph_check.yaml
│ │ │ ├── nested_resource.yaml
│ │ │ └── statefulstate_nested_resource.yaml
│ │ ├── test_graph_manager.py
│ │ ├── test_kubernetes_utils.py
│ │ ├── test_local_graph.py
│ │ └── test_running_graph_checks.py
│ ├── image_referencer/
│ │ ├── __init__.py
│ │ ├── provider/
│ │ │ ├── __init__.py
│ │ │ └── test_k8s.py
│ │ ├── resources/
│ │ │ └── k8s/
│ │ │ ├── cron_job.yaml
│ │ │ ├── daemon_set.yaml
│ │ │ ├── deployment.yaml
│ │ │ ├── deployment_config.yaml
│ │ │ ├── job.yaml
│ │ │ ├── pod.yaml
│ │ │ ├── pod_template.yaml
│ │ │ ├── replica_set.yaml
│ │ │ ├── replication_controller.yaml
│ │ │ └── stateful_set.yaml
│ │ ├── test_manager.py
│ │ └── test_runner_k8s_resources.py
│ ├── parser/
│ │ ├── __init__.py
│ │ ├── examples/
│ │ │ ├── json/
│ │ │ │ ├── mongo-pod.json
│ │ │ │ └── normal.json
│ │ │ └── yaml/
│ │ │ ├── busybox.yaml
│ │ │ ├── busybox_utf8_bom.yaml
│ │ │ ├── helm.yaml
│ │ │ ├── helm2.yaml
│ │ │ ├── normal.yaml
│ │ │ └── not_helm_configmap.yaml
│ │ ├── test_k8_json.py
│ │ ├── test_k8_valicator.py
│ │ └── test_k8_yaml.py
│ ├── runner/
│ │ ├── __init__.py
│ │ ├── list_annotation/
│ │ │ └── example.yaml
│ │ ├── resources/
│ │ │ ├── example.yaml
│ │ │ ├── example_multiple.yaml
│ │ │ └── graph.yaml
│ │ └── test_runner.py
│ ├── test_base_registry.py
│ ├── test_kubernetes_utils.py
│ └── test_scanner_registry.py
├── kustomize/
│ ├── __init__.py
│ ├── graph/
│ │ ├── __init__.py
│ │ ├── resources/
│ │ │ ├── empty_resources/
│ │ │ │ ├── graph_check.yaml
│ │ │ │ └── kustomization.yaml
│ │ │ └── example_checks/
│ │ │ ├── graph_check.yaml
│ │ │ └── kustomization.yaml
│ │ └── test_running_graph_checks.py
│ ├── runner/
│ │ ├── __init__.py
│ │ └── resources/
│ │ ├── example/
│ │ │ ├── base/
│ │ │ │ ├── deployment.yaml
│ │ │ │ ├── kustomization.yaml
│ │ │ │ └── service.yaml
│ │ │ ├── no_type/
│ │ │ │ └── kustomization.yaml
│ │ │ └── overlays/
│ │ │ ├── dev/
│ │ │ │ ├── custom-env.yaml
│ │ │ │ ├── database-secret.yaml
│ │ │ │ ├── kustomization.yaml
│ │ │ │ └── replica-and-rollout-strategy.yaml
│ │ │ ├── empty/
│ │ │ │ └── kustomization.yaml
│ │ │ ├── prod/
│ │ │ │ ├── custom-env.yaml
│ │ │ │ ├── database-secret.yaml
│ │ │ │ ├── kustomization.yaml
│ │ │ │ └── replica-and-rollout-strategy.yaml
│ │ │ ├── prod-2/
│ │ │ │ ├── custom-env.yaml
│ │ │ │ ├── database-secret.yaml
│ │ │ │ ├── kustomization.yml
│ │ │ │ └── replica-and-rollout-strategy.yaml
│ │ │ ├── prod-3/
│ │ │ │ ├── custom-env.yaml
│ │ │ │ ├── database-secret.yaml
│ │ │ │ ├── kustomization.yaml
│ │ │ │ └── replica-and-rollout-strategy.yaml
│ │ │ ├── prod-4/
│ │ │ │ ├── custom-env.yaml
│ │ │ │ ├── database-secret.yaml
│ │ │ │ ├── kustomization.yaml
│ │ │ │ └── replica-and-rollout-strategy.yaml
│ │ │ └── test/
│ │ │ ├── custom-env.yaml
│ │ │ ├── database-secret.yaml
│ │ │ ├── kustomization.yaml
│ │ │ └── replica-and-rollout-strategy.yaml
│ │ └── image_referencer/
│ │ ├── base/
│ │ │ ├── deployment.yaml
│ │ │ ├── kustomization.yaml
│ │ │ └── service.yaml
│ │ └── overlays/
│ │ └── prod/
│ │ └── kustomization.yaml
│ ├── test_runner.py
│ ├── test_runner_image_referencer.py
│ ├── test_utils.py
│ └── utils.py
├── logger_streams/
│ ├── __init__.py
│ └── test_logger_streams.py
├── openapi/
│ ├── __init__.py
│ ├── checks/
│ │ ├── __init__.py
│ │ ├── resource/
│ │ │ ├── __init__.py
│ │ │ ├── generic/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── example_ClearTextAPIKey/
│ │ │ │ │ ├── fail.json
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ ├── fail2.json
│ │ │ │ │ ├── fail2.yaml
│ │ │ │ │ ├── fail3.json
│ │ │ │ │ ├── fail3.yaml
│ │ │ │ │ ├── fail4.json
│ │ │ │ │ ├── fail4.yaml
│ │ │ │ │ ├── fail5.json
│ │ │ │ │ ├── fail5.yaml
│ │ │ │ │ ├── pass.json
│ │ │ │ │ ├── pass.yaml
│ │ │ │ │ ├── pass2.json
│ │ │ │ │ ├── pass2.yaml
│ │ │ │ │ ├── pass3.json
│ │ │ │ │ ├── pass3.yaml
│ │ │ │ │ ├── pass4.json
│ │ │ │ │ ├── pass4.yaml
│ │ │ │ │ ├── pass5.json
│ │ │ │ │ ├── pass5.yaml
│ │ │ │ │ ├── pass6.json
│ │ │ │ │ └── pass6.yaml
│ │ │ │ ├── example_GlobalSecurityFieldIsEmpty/
│ │ │ │ │ ├── fail.json
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ ├── pass.json
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── example_NoMaximumNumberItems/
│ │ │ │ │ ├── fail.json
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ ├── fail2.json
│ │ │ │ │ ├── fail2.yaml
│ │ │ │ │ ├── fail3.json
│ │ │ │ │ ├── fail3.yaml
│ │ │ │ │ ├── pass.json
│ │ │ │ │ ├── pass.yaml
│ │ │ │ │ ├── pass2.json
│ │ │ │ │ ├── pass2.yaml
│ │ │ │ │ ├── pass3.json
│ │ │ │ │ └── pass3.yaml
│ │ │ │ ├── example_SecurityOperations/
│ │ │ │ │ ├── fail1.json
│ │ │ │ │ ├── fail1.yaml
│ │ │ │ │ ├── fail2.json
│ │ │ │ │ ├── fail2.yaml
│ │ │ │ │ ├── fail3.json
│ │ │ │ │ ├── fail3.yaml
│ │ │ │ │ ├── fail4.json
│ │ │ │ │ ├── fail4.yaml
│ │ │ │ │ ├── pass1.json
│ │ │ │ │ ├── pass1.yaml
│ │ │ │ │ ├── pass2.json
│ │ │ │ │ ├── pass2.yaml
│ │ │ │ │ ├── pass3.json
│ │ │ │ │ └── pass3.yaml
│ │ │ │ ├── test_ClearTextAPIKey.py
│ │ │ │ ├── test_GlobalSecurityFieldIsEmpty.py
│ │ │ │ ├── test_NoMaximumNumberItems.py
│ │ │ │ └── test_SecurityOperations.py
│ │ │ ├── v2/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── example_GlobalSchemeDefineHTTP/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.json
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ ├── pass.json
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── example_GlobalSecurityScopeUndefined/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail1.json
│ │ │ │ │ ├── fail1.yaml
│ │ │ │ │ ├── pass1.json
│ │ │ │ │ └── pass1.yaml
│ │ │ │ ├── example_Oauth2OperationObjectPasswordFlow/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.json
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ ├── pass.json
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── example_Oauth2SecurityDefinitionImplicitFlow/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.json
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ ├── pass.json
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── example_Oauth2SecurityDefinitionPasswordFlow/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.json
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ ├── pass.json
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── example_Oauth2SecurityPasswordFlow/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.json
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ ├── pass.json
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── example_Oauth2SecurityRequirement/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.json
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ ├── fail2.yaml
│ │ │ │ │ ├── pass.json
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── example_OperationObjectBasicAuth/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.json
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ ├── pass.json
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── example_OperationObjectConsumesUndefined/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.json
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ ├── pass.json
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── example_OperationObjectImplicitFlow/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.json
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ ├── pass.json
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── example_OperationObjectProducesUndefined/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.json
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ ├── pass.json
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── example_OperationObjectSecurityScopeUndefined/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail1.json
│ │ │ │ │ ├── fail1.yaml
│ │ │ │ │ ├── pass1.json
│ │ │ │ │ ├── pass1.yaml
│ │ │ │ │ ├── pass2.json
│ │ │ │ │ └── pass2.yaml
│ │ │ │ ├── example_PathSchemeDefineHTTP/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.json
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ ├── pass.json
│ │ │ │ │ ├── pass.yaml
│ │ │ │ │ └── pass2.yaml
│ │ │ │ ├── example_SecurityDefinitionBasicAuth/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail.json
│ │ │ │ │ ├── fail.yaml
│ │ │ │ │ ├── pass.json
│ │ │ │ │ └── pass.yaml
│ │ │ │ ├── example_SecurityDefinitions/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── fail1.json
│ │ │ │ │ ├── fail1.yaml
│ │ │ │ │ ├── fail2.json
│ │ │ │ │ ├── fail2.yaml
│ │ │ │ │ ├── pass1.json
│ │ │ │ │ └── pass1.yaml
│ │ │ │ └── example_SecurityRequirement/
│ │ │ │ ├── expected.yaml
│ │ │ │ ├── fail1.json
│ │ │ │ ├── fail1.yaml
│ │ │ │ ├── fail2.json
│ │ │ │ ├── fail2.yaml
│ │ │ │ ├── pass1.json
│ │ │ │ ├── pass1.yaml
│ │ │ │ ├── pass2.json
│ │ │ │ ├── pass2.yaml
│ │ │ │ └── pass3.json
│ │ │ └── v3/
│ │ │ ├── __init__.py
│ │ │ ├── example_CleartextCredsOverUnencryptedChannel/
│ │ │ │ ├── fail.json
│ │ │ │ ├── fail.yaml
│ │ │ │ ├── pass.json
│ │ │ │ ├── pass.yaml
│ │ │ │ ├── pass2.json
│ │ │ │ ├── pass2.yaml
│ │ │ │ ├── pass3.json
│ │ │ │ └── pass3.yaml
│ │ │ └── test_CleartextCredsOverUnencryptedChannel.py
│ │ └── test_python_policies.py
│ └── runner/
│ ├── __init__.py
│ ├── resources/
│ │ ├── runner_results/
│ │ │ ├── results.sarif
│ │ │ └── unrealted_yaml.yaml
│ │ ├── v2/
│ │ │ ├── example.json
│ │ │ ├── example.yaml
│ │ │ ├── example.yml
│ │ │ ├── example1.json
│ │ │ ├── incompatible_json.json
│ │ │ ├── invalid.json
│ │ │ └── swagger_empty_paths.yaml
│ │ └── v3/
│ │ ├── example.json
│ │ ├── example.yaml
│ │ ├── example1.json
│ │ └── example1.yaml
│ └── test_runner.py
├── parallel/
│ ├── __init__.py
│ └── test_parallel.py
├── policies_3d/
│ ├── __init__.py
│ ├── conftest.py
│ ├── syntax/
│ │ ├── cves_syntax/
│ │ │ └── test_cves_syntax.py
│ │ ├── iac_syntax/
│ │ │ └── test_iac_syntax.py
│ │ └── test_predicament.py
│ ├── test_output.py
│ ├── test_parser.py
│ └── test_runner.py
├── sast/
│ ├── __init__.py
│ ├── checks/
│ │ ├── python_rule.yaml
│ │ └── temp_parsed_rules/
│ │ └── temp_semgrep_rules.yaml
│ ├── external_checks/
│ │ └── v01/
│ │ ├── SuperuserPort.yaml
│ │ └── java_rule.yaml
│ ├── source_code/
│ │ ├── __init__.py
│ │ ├── external_check/
│ │ │ ├── fail.java
│ │ │ └── fail.py
│ │ └── js_filtered_build_ts/
│ │ ├── example1/
│ │ │ ├── app.ts
│ │ │ └── tsconfig.json
│ │ ├── example2/
│ │ │ ├── app.ts
│ │ │ ├── needTScan/
│ │ │ │ └── app.js
│ │ │ └── tsconfig.json
│ │ └── example3/
│ │ ├── main.js
│ │ └── main.ts
│ ├── test_filter_files_manager.py
│ ├── test_report.py
│ └── test_runner.py
├── sca_image/
│ ├── __init__.py
│ ├── conftest.py
│ ├── examples/
│ │ ├── .github/
│ │ │ └── workflows/
│ │ │ └── vulnerable_container.yaml
│ │ ├── dockerfile/
│ │ │ └── Dockerfile
│ │ └── kubernetes/
│ │ └── deployment.yaml
│ ├── mocks.py
│ ├── outputs/
│ │ └── results_cyclonedx.xml
│ ├── test_output_reports.py
│ └── test_runner.py
├── sca_package_2/
│ ├── __init__.py
│ ├── conftest.py
│ ├── examples/
│ │ ├── Microsoft.NET.Sdk.csproj
│ │ ├── go.mod
│ │ ├── go.sum
│ │ ├── package.json
│ │ └── requirements.txt
│ ├── outputs/
│ │ ├── cli_outputs/
│ │ │ └── test_create_cli_table_for_package_with_reachability_data.txt
│ │ ├── results_cyclonedx_1_0.xml
│ │ ├── results_cyclonedx_1_1.xml
│ │ ├── results_cyclonedx_1_2.xml
│ │ ├── results_cyclonedx_1_3.xml
│ │ ├── results_cyclonedx_1_4.xml
│ │ └── results_cyclonedx_with_comma_in_licenses.xml
│ ├── test_output.py
│ ├── test_output_reports.py
│ ├── test_runner.py
│ └── test_runner_dependency_tree.py
├── secrets/
│ ├── __init__.py
│ ├── build_log_prefix/
│ │ └── plain_private_key.txt
│ ├── conftest.py
│ ├── custom_and_entropy/
│ │ └── main.tf
│ ├── custom_regex_detector/
│ │ └── Dockerfile
│ ├── git_history/
│ │ ├── __init__.py
│ │ ├── test_utils.py
│ │ └── testing_repo/
│ │ ├── README.md
│ │ ├── foobar.py
│ │ ├── git_to_change/
│ │ │ ├── COMMIT_EDITMSG
│ │ │ ├── HEAD
│ │ │ ├── config
│ │ │ ├── description
│ │ │ ├── hooks/
│ │ │ │ ├── applypatch-msg.sample
│ │ │ │ ├── commit-msg.sample
│ │ │ │ ├── fsmonitor-watchman.sample
│ │ │ │ ├── post-update.sample
│ │ │ │ ├── pre-applypatch.sample
│ │ │ │ ├── pre-commit.sample
│ │ │ │ ├── pre-merge-commit.sample
│ │ │ │ ├── pre-push.sample
│ │ │ │ ├── pre-rebase.sample
│ │ │ │ ├── pre-receive.sample
│ │ │ │ ├── prepare-commit-msg.sample
│ │ │ │ ├── push-to-checkout.sample
│ │ │ │ └── update.sample
│ │ │ ├── index
│ │ │ ├── info/
│ │ │ │ └── exclude
│ │ │ ├── logs/
│ │ │ │ ├── HEAD
│ │ │ │ └── refs/
│ │ │ │ └── heads/
│ │ │ │ ├── master
│ │ │ │ └── test_git
│ │ │ ├── objects/
│ │ │ │ ├── 29/
│ │ │ │ │ └── 22a3a6792a04710b79f8a36d25999c9132adb0
│ │ │ │ ├── 2c/
│ │ │ │ │ └── eb8230f2e2b563cf667ec2acc45eee95be9f94
│ │ │ │ ├── 45/
│ │ │ │ │ └── eb17330f88d105e18520b624cafd35778f4d69
│ │ │ │ ├── 51/
│ │ │ │ │ └── 8bf059756d932da372d77ca9a4a9371c2d210d
│ │ │ │ ├── 56/
│ │ │ │ │ └── a8b042461d934c13fd3bbec446aaab37479181
│ │ │ │ ├── 57/
│ │ │ │ │ └── 4e4e06ab81938095bd5f35412b3da3d47393e4
│ │ │ │ ├── 6e/
│ │ │ │ │ └── d0de5eedd5d5d3fbee78e708604d7271ba952c
│ │ │ │ ├── 77/
│ │ │ │ │ └── 9153df7f6636c0e4cb625b5e39dc088b061924
│ │ │ │ ├── 7d/
│ │ │ │ │ └── a2a86863a535ea355b8c8cd7525e2cb2f922d0
│ │ │ │ ├── 81/
│ │ │ │ │ └── 47cdd7190b6f25c61f3f911d1c1d4f3f9a336d
│ │ │ │ ├── 8b/
│ │ │ │ │ └── fb94d8d2cdbac5d789409768f6d02a81e305a0
│ │ │ │ ├── 96/
│ │ │ │ │ └── 7d3bf7bdb1a5d8fd5e419d8fe47d754a156237
│ │ │ │ ├── 9e/
│ │ │ │ │ └── 823e1d049f39db026ba46ca34757613ba59e55
│ │ │ │ ├── ce/
│ │ │ │ │ └── 2549b85dff66121ab2ef685f043e86e7241614
│ │ │ │ └── e9/
│ │ │ │ └── 5677e839e67e685138aeba087d7deec0879919
│ │ │ └── refs/
│ │ │ └── heads/
│ │ │ ├── master
│ │ │ └── test_git
│ │ ├── main.py
│ │ └── pass.py
│ ├── json_multiline/
│ │ ├── pomerium_compose.json
│ │ └── test-multiline-secrets.json
│ ├── long_line_custom_regex_detector/
│ │ └── Dockerfile
│ ├── masking_secrets/
│ │ ├── assets_report_with_pass.json
│ │ └── findings_report_with_pass.json
│ ├── multiline_custom_regex_detector/
│ │ └── Dockerfile.mine
│ ├── multiline_finding/
│ │ └── Dockerfile.mine
│ ├── omit_multiple_secrets/
│ │ └── test/
│ │ └── multiple_secrets_one_line.txt
│ ├── resources/
│ │ ├── cfn/
│ │ │ ├── secret-no-false-positive.yml
│ │ │ ├── secret-no-false-positive2.yml
│ │ │ └── secret.yml
│ │ ├── file_type/
│ │ │ ├── Dockerfile
│ │ │ ├── Dockerfile.simple
│ │ │ ├── test.py
│ │ │ └── test.ts
│ │ ├── k8s/
│ │ │ └── secret-name.yaml
│ │ ├── terraform/
│ │ │ └── main.tf
│ │ ├── terraform_failed/
│ │ │ └── main.tf
│ │ └── terraform_skip/
│ │ └── main.tf
│ ├── sanity/
│ │ ├── iac_fp/
│ │ │ ├── main.json
│ │ │ └── main.tf
│ │ ├── non_iac_fp/
│ │ │ └── a.py
│ │ ├── non_secrets/
│ │ │ └── true_negative.json
│ │ └── secrets/
│ │ └── true_positive.json
│ ├── skip_test/
│ │ ├── skip_test1/
│ │ │ ├── skip1.json
│ │ │ ├── skip2.json
│ │ │ └── skip_test2/
│ │ │ ├── skip1.json
│ │ │ └── skip2.json
│ │ └── skip_test2/
│ │ ├── skip1.json
│ │ └── skip2.json
│ ├── suppressions/
│ │ ├── metadata_suppression.yaml
│ │ ├── metadata_suppression_array.json
│ │ └── metadata_suppression_object.json
│ ├── terraform_multiline/
│ │ ├── cfn_heredoc.tf
│ │ ├── data.tf
│ │ ├── ecs_heredoc.tf
│ │ ├── ecs_jsonencode.tf
│ │ └── pod.tf
│ ├── test_coordinator.py
│ ├── test_entropy_source_files/
│ │ └── db-conn.js
│ ├── test_load_detectors.py
│ ├── test_log_prefix_stripper.py
│ ├── test_masking_secrets.py
│ ├── test_multiline_finding_line_number.py
│ ├── test_multiline_parser_json.py
│ ├── test_multiline_parser_yml.py
│ ├── test_plugin.py
│ ├── test_plugin_multiline_json.py
│ ├── test_plugin_multiline_terraform.py
│ ├── test_plugin_multiline_yml.py
│ ├── test_prioritise_secrets.py
│ ├── test_runner.py
│ ├── test_secret_git_history.py
│ ├── test_secrets_verification.py
│ ├── test_secrets_verification_suppressions.py
│ ├── test_skip_check_in_json.py
│ ├── test_utils.py
│ ├── test_vault_secrets.py
│ ├── utils_for_test.py
│ └── yml_multiline/
│ ├── pomerium_compose.yml
│ └── test-multiline-secrets.yml
├── serverless/
│ ├── __init__.py
│ ├── checks/
│ │ ├── __init__.py
│ │ ├── aws/
│ │ │ ├── __init__.py
│ │ │ ├── example_AWSCredentials/
│ │ │ │ ├── AWSCredentials-FAILED-func_level/
│ │ │ │ │ └── serverless.yml
│ │ │ │ ├── AWSCredentials-FAILED-provider_level/
│ │ │ │ │ └── serverless.yml
│ │ │ │ └── AWSCredentials-PASSED/
│ │ │ │ └── serverless.yml
│ │ │ ├── example_AdminPolicyDocument/
│ │ │ │ ├── AdminPolicyDocument-FAILED-func_level/
│ │ │ │ │ └── serverless.yml
│ │ │ │ ├── AdminPolicyDocument-FAILED-provider_level/
│ │ │ │ │ └── serverless.yml
│ │ │ │ ├── AdminPolicyDocument-FAILED-provider_level_with_env_var/
│ │ │ │ │ └── serverless.yml
│ │ │ │ ├── AdminPolicyDocument-FAILED-provider_level_with_ext_json_var/
│ │ │ │ │ ├── customVars.json
│ │ │ │ │ └── serverless.yml
│ │ │ │ ├── AdminPolicyDocument-FAILED-provider_level_with_ext_yaml_var/
│ │ │ │ │ ├── customVars.yml
│ │ │ │ │ └── serverless.yml
│ │ │ │ ├── AdminPolicyDocument-FAILED-provider_level_with_var/
│ │ │ │ │ └── serverless.yml
│ │ │ │ └── AdminPolicyDocument-PASSED/
│ │ │ │ └── serverless.yml
│ │ │ ├── example_S3PublicACLRead/
│ │ │ │ ├── S3PublicACLRead-FAILED/
│ │ │ │ │ └── serverless.yml
│ │ │ │ ├── S3PublicACLRead-PASSED/
│ │ │ │ │ └── serverless.yml
│ │ │ │ └── S3PublicACLRead-PASSED-incl/
│ │ │ │ ├── resources.yaml
│ │ │ │ └── serverless.yml
│ │ │ ├── example_StarActionPolicyDocument/
│ │ │ │ ├── StarActionPolicyDocument-FAILED-func_level/
│ │ │ │ │ └── serverless.yml
│ │ │ │ ├── StarActionPolicyDocument-FAILED-provider_level/
│ │ │ │ │ └── serverless.yml
│ │ │ │ ├── StarActionPolicyDocument-PASSED/
│ │ │ │ │ └── serverless.yml
│ │ │ │ └── StarActionPolicyDocument-PASSED-2/
│ │ │ │ └── serverless.yml
│ │ │ ├── test_AWSCredentials.py
│ │ │ ├── test_AdminPolicyDocument.py
│ │ │ ├── test_S3PublicACLRead.py
│ │ │ └── test_StarActionPolicyDocument.py
│ │ ├── example_CheckTypes/
│ │ │ └── serverless.yml
│ │ ├── example_WildcardEntities/
│ │ │ └── serverless.yml
│ │ ├── test_check_types.py
│ │ └── test_wildcard_entities.py
│ ├── graph_builder/
│ │ ├── __init__.py
│ │ ├── resources/
│ │ │ ├── serverless.yaml
│ │ │ └── serverless.yml
│ │ └── test_local_graph.py
│ ├── runner/
│ │ ├── __init__.py
│ │ ├── example_with_resources_from_file/
│ │ │ ├── Resources.yaml
│ │ │ └── serverless.yaml
│ │ ├── resources/
│ │ │ ├── serverless.yaml
│ │ │ └── serverless.yml
│ │ └── test_runner.py
│ ├── test_parser.py
│ └── test_scanner_registry.py
├── terraform/
│ ├── __init__.py
│ ├── checks/
│ │ ├── __init__.py
│ │ ├── data/
│ │ │ ├── __init__.py
│ │ │ ├── aws/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── example_AdminPolicyDocument/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudSplainingCredentialsExposure/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudSplainingDataExfiltration/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudSplainingPrivilegeEscalation/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudsplainingIAMWrite/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudsplainingPermissionsManagement/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GithubActionsOIDCTrustPolicy/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── tfplan.json
│ │ │ │ ├── example_IAMManagedAdminPolicy/
│ │ │ │ │ └── IAMManagedAdminPolicy.tf
│ │ │ │ ├── example_IAMPublicActionsPolicy/
│ │ │ │ │ └── public_actions.tf
│ │ │ │ ├── example_ModuleProvider/
│ │ │ │ │ ├── example/
│ │ │ │ │ │ └── main.tf
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ResourcePolicyDocument/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_StarActionPolicyDocument/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_WhoAMI/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_module_with_one_provider/
│ │ │ │ │ ├── example/
│ │ │ │ │ │ └── main.tf
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_provider_edge_case/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ ├── nesting/
│ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ ├── nesting_l2/
│ │ │ │ │ │ │ └── main.tf
│ │ │ │ │ │ └── nesting_l2_2/
│ │ │ │ │ │ └── main.tf
│ │ │ │ │ ├── nesting_2/
│ │ │ │ │ │ └── main.tf
│ │ │ │ │ └── readme.md
│ │ │ │ ├── example_provider_with_nested_module/
│ │ │ │ │ ├── example/
│ │ │ │ │ │ ├── example2/
│ │ │ │ │ │ │ └── main.tf
│ │ │ │ │ │ └── main.tf
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_provider_with_nested_module_assign_provider/
│ │ │ │ │ ├── example/
│ │ │ │ │ │ ├── example2/
│ │ │ │ │ │ │ └── main.tf
│ │ │ │ │ │ └── main.tf
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_provider_without_module/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_AdminPolicyDocument.py
│ │ │ │ ├── test_CloudSplainingCredentialsExposure.py
│ │ │ │ ├── test_CloudSplainingDataExfiltration.py
│ │ │ │ ├── test_CloudSplainingPrivilegeEscalation.py
│ │ │ │ ├── test_CloudsplainingIAMWrite.py
│ │ │ │ ├── test_CloudsplainingPermissionsManagement.py
│ │ │ │ ├── test_GithubActionsOIDCTrustPolicy.py
│ │ │ │ ├── test_IAMManagedAdminPolicy.py
│ │ │ │ ├── test_IAMPublicActionsPolicy.py
│ │ │ │ ├── test_ModuleProvider.py
│ │ │ │ ├── test_ResourcePolicyDocument.py
│ │ │ │ ├── test_StarActionPolicyDocument.py
│ │ │ │ └── test_WhoAMI.py
│ │ │ ├── example_external_dir/
│ │ │ │ └── extra_checks/
│ │ │ │ ├── DummyExternalDataCheck.py
│ │ │ │ └── __init__.py
│ │ │ ├── external/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── example_external_data/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── wrapper.py
│ │ │ │ ├── external_check/
│ │ │ │ │ ├── ExternalData.py
│ │ │ │ │ └── __init__.py
│ │ │ │ └── test_external_data.py
│ │ │ ├── gcp/
│ │ │ │ ├── example_GooglePolicyIsPrivate/
│ │ │ │ │ └── main.tf
│ │ │ │ └── test_GooglePolicyIsPrivate.py
│ │ │ ├── test_base_data_check.py
│ │ │ └── test_registry.py
│ │ ├── example_WildcardEntities/
│ │ │ └── main.tf
│ │ ├── module/
│ │ │ ├── __init__.py
│ │ │ ├── generic/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── example_RevisionHash/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RevisionVersionTag/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_RevisionHash.py
│ │ │ │ └── test_RevisionVersionTag.py
│ │ │ └── registry/
│ │ │ ├── __init__.py
│ │ │ ├── example_external_dir/
│ │ │ │ └── extra_checks/
│ │ │ │ ├── ModuleCheck.py
│ │ │ │ └── __init__.py
│ │ │ ├── example_external_dir_with_module_version_check/
│ │ │ │ └── extra_checks/
│ │ │ │ ├── ModuleSourceHashCheck.py
│ │ │ │ ├── ModuleVersionCheck.py
│ │ │ │ └── __init__.py
│ │ │ ├── resources/
│ │ │ │ └── main.tf
│ │ │ ├── test_ModuleCheck.py
│ │ │ └── test_registry.py
│ │ ├── provider/
│ │ │ ├── __init__.py
│ │ │ ├── aws/
│ │ │ │ ├── __init__.py
│ │ │ │ └── test_credentials.py
│ │ │ ├── bridgecrew/
│ │ │ │ ├── __init__.py
│ │ │ │ └── test_credentials.py
│ │ │ ├── linode/
│ │ │ │ ├── __init__.py
│ │ │ │ └── test_credentials.py
│ │ │ ├── ncp/
│ │ │ │ ├── __init__.py
│ │ │ │ └── test_credentials.py
│ │ │ ├── oci/
│ │ │ │ ├── __init__.py
│ │ │ │ └── test_credentials.py
│ │ │ ├── openstack/
│ │ │ │ ├── __init__.py
│ │ │ │ └── test_credentials.py
│ │ │ └── panos/
│ │ │ ├── __init__.py
│ │ │ ├── resources/
│ │ │ │ └── api_key/
│ │ │ │ ├── fail1.tf
│ │ │ │ ├── fail2.tf
│ │ │ │ ├── pass.tf
│ │ │ │ └── variables.tf
│ │ │ └── test_credentials.py
│ │ ├── resource/
│ │ │ ├── __init__.py
│ │ │ ├── alicloud/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── example_ALBACLIsUnrestricted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_APIGatewayProtocolHTTPS/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AbsSecurityGroupUnrestrictedIngress/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ActionTrailLogAllEvents/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ActionTrailLogAllRegions/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DiskEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DiskIsEncrypted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_K8sEnableNetworkPolicies/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_K8sNodePoolAutoRepair/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_KMSKeyIsEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_KMSKeyRotationIsEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LaunchTemplateDisksAreEncrypted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LogAuditRDSEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MongoDBInsideVPC/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MongoDBInstanceSSL/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MongoDBIsPublic/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MongoDBTransparentDataEncryptionEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_OSSBucketAccessLogs/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_OSSBucketEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_OSSBucketPublic/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_OSSBucketTransferAcceleration/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_OSSBucketVersioning/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PasswordPolicyExpiration/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PasswordPolicyLength/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PasswordPolicyLowercaseLetter/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PasswordPolicyMaxLogin/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PasswordPolicyNumber/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PasswordPolicyReuse/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PasswordPolicySymbol/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PasswordPolicyUppcaseLetter/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RAMSecurityEnforceMFA/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSInstanceAutoUpgrade/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSInstanceLogConnections/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSInstanceLogDisconnections/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSInstanceLogsEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSInstanceSSL/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSIsPublic/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSRetention/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSTransparentDataEncryptionEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_TLSPoliciesAreSecure/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_ALBACLIsUnrestricted.py
│ │ │ │ ├── test_APIGatewayProtocolHTTPS.py
│ │ │ │ ├── test_ActionTrailLogAllEvents.py
│ │ │ │ ├── test_ActionTrailLogAllRegions.py
│ │ │ │ ├── test_DiskEncryptedWithCMK.py
│ │ │ │ ├── test_DiskIsEncrypted.py
│ │ │ │ ├── test_K8sEnableNetworkPolicies.py
│ │ │ │ ├── test_K8sNodePoolAutoRepair.py
│ │ │ │ ├── test_KMSKeyIsEnabled.py
│ │ │ │ ├── test_KMSKeyRotationIsEnabled.py
│ │ │ │ ├── test_LaunchTemplateDiskAreEncrypted.py
│ │ │ │ ├── test_LogAuditRDSEnabled.py
│ │ │ │ ├── test_MongoDBInsideVPC.py
│ │ │ │ ├── test_MongoDBInstanceSSL.py
│ │ │ │ ├── test_MongoDBIsPublic.py
│ │ │ │ ├── test_MongoDBTransparentDataEncryption.py
│ │ │ │ ├── test_OSSBucketAccessLogs.py
│ │ │ │ ├── test_OSSBucketEncryptedWithCMK.py
│ │ │ │ ├── test_OSSBucketTransferAcceleration.py
│ │ │ │ ├── test_OSSBucketVersioning.py
│ │ │ │ ├── test_PasswordPolicyExpiration.py
│ │ │ │ ├── test_PasswordPolicyLength.py
│ │ │ │ ├── test_PasswordPolicyLowercaseLetter.py
│ │ │ │ ├── test_PasswordPolicyMaxLogin.py
│ │ │ │ ├── test_PasswordPolicyNumber.py
│ │ │ │ ├── test_PasswordPolicyReuse.py
│ │ │ │ ├── test_PasswordPolicySymbol.py
│ │ │ │ ├── test_PasswordPolicyUppcaseLetter.py
│ │ │ │ ├── test_RAMSecurityEnforceMFA.py
│ │ │ │ ├── test_RDSInstanceAutoUpgrade.py
│ │ │ │ ├── test_RDSInstanceLogConnections.py
│ │ │ │ ├── test_RDSInstanceLogDisconnections.py
│ │ │ │ ├── test_RDSInstanceLogsEnabled.py
│ │ │ │ ├── test_RDSInstanceSSL.py
│ │ │ │ ├── test_RDSIsPublic.py
│ │ │ │ ├── test_RDSRetention.py
│ │ │ │ ├── test_RDSTransparentDataEncryption.py
│ │ │ │ ├── test_SecurityGroupUnrestrictedIngress22.py
│ │ │ │ ├── test_SecurityGroupUnrestrictedIngress3389.py
│ │ │ │ └── test_TLSPoliciesAreSecure.py
│ │ │ ├── aws/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── example_ACMCertCreateBeforeDestroy/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ACMCertSetLoggingPreference/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ALBDesyncMode/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ALBDropHttpHeaders/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AMICopyIsEncrypted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AMICopyUsesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AMIEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AMILaunchIsShared/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_APIGatewayCacheEnable/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_APIGatewayCreateBeforeDestroy/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_APIGatewayDeploymentCreateBeforeDestroy/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_APIGatewayDomainNameTLS/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_APIGatewayMethodSettingsCacheEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_APIGatewayMethodSettingsCacheEncrypted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_APIGatewayMethodSettingsDataTrace/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_APIGatewayV2RouteDefinesAuthorizationType/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AWSCodeGuruHasCMK/
│ │ │ │ │ └── AWSCodeGuruHasCMK.tf
│ │ │ │ ├── example_AppFlowConnectorProfileUsesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppFlowUsesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppSyncFieldLevelLogs/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppSyncLogging/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppsyncAPICacheEncryptionAtRest/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppsyncAPICacheEncryptionInTransit/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AthenaWorkgroupEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AutoScalingGroupWithPublicAccess/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AutoScalingLaunchTemplate/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AutoScalingTagging/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_BackupVaultEncrypted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_BatchJobIsNotPrivileged/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_BedrockAgentEncrypted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_BedrockGuardrails/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudFrontGeoRestrictionDisabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudFrontResponseHeaderStrictTransportSecurity/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudWatchAlarmsEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudWatchLogGroupKMSKey/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudWatchLogGroupRetention/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudWatchLogGroupRetentionYear/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudfrontDistributionDefaultRoot/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudfrontDistributionEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudfrontDistributionOriginFailover/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudfrontTLS12/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudsearchDomainEnforceHttps/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudsearchDomainTLS/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudtrailDefinesSNSTopic/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudtrailEnableLogging/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudtrailEncryptedWithCMK/
│ │ │ │ │ └── aws_cloudtrail.tf
│ │ │ │ ├── example_CloudtrailEventDataStoreUsesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CodeArtifactDomainEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CodeBuildPrivilegedMode/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CodeBuildProjectEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CodePipelineArtifactsEncrypted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CodebuildHasLogs/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CodebuildS3LogsEncrypted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CodebuildUsesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CodecommitApprovalsRulesRequireMin2/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CognitoUnauthenticatedIdentities/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ComprehendEntityRecognizerModelUsesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ComprehendEntityRecognizerVolumeUsesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ConnectInstanceS3StorageConfigUsesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DAXEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DAXEndpointTLS/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DBInstanceBackupRetentionPeriod/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DBInstanceLogging/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DBInstanceMinorUpgrade/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DBSnapshotCopyUsesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DBSnapshotsArePrivate/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DLMEventsCrossRegionEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DLMEventsCrossRegionEncryptionWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DLMScheduleCrossRegionEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DLMScheduleCrossRegionEncryptionWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DMSEndpointUsesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DMSReplicationInstanceEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DMSReplicationInstanceMinorUpgrade/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DMSS3UsesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DatasyncLocationExposesSecrets/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DeprecatedLambdaRuntime/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DocDBBackupRetention/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DocDBEncryptedWithCMK/
│ │ │ │ │ └── aws_docdb_cluster.tf
│ │ │ │ ├── example_DocDBGlobalClusterEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DocDBLogging/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DynamoDBTableReplicaKMSUsesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DynamoDBTablesEncrypted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EBSDefaultEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EBSEncryption/
│ │ │ │ │ └── aws_ebs_volume.tf
│ │ │ │ ├── example_EBSSnapshotCopyEncryptedWithCMK/
│ │ │ │ │ └── aws_ebs_snapshot_copy.tf
│ │ │ │ ├── example_EBSVolumeEncryptedWithCMK/
│ │ │ │ │ └── aws_ebs_volume.tf
│ │ │ │ ├── example_EC2Credentials/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EC2PublicIP/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EC2PublicIP_foreach/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── module/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ECRImmutableTags/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ECRPolicy/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ECSClusterLoggingEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ECSClusterLoggingEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ECSContainerHostProcess/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ECSContainerPrivilege/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ECSContainerReadOnlyRoot/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ECSServiceFargateLatest/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ECSServicePublicIP/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ECSTaskDefinitionRoleCheck/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EFSAccessPointRoot/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EFSAccessUserIdentity/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EFSEncryptionEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EFSFileSystemEncryptedWithCMK/
│ │ │ │ │ └── aws_efs_file_system.tf
│ │ │ │ ├── example_EKSControlPlaneLogging/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EKSPlatformVersion/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EKSPublicAccess/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EKSPublicAccessCIDR/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ELBPolicyUsesSecureProtocols/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ELBv2AccessLogs/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ELBwListenerNotTLSSSL/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EMRClusterConfEncryptsEBS/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EMRClusterConfEncryptsInTransit/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EMRClusterConfEncryptsLocalDisk/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EMRClusterIsEncryptedKMS/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EMRPubliclyAccessible/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_Ec2TransitGatewayAutoAccept/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ElastiCacheHasCustomSubnet/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ElasticBeanstalkUseEnhancedHealthChecks/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ElasticBeanstalkUseManagedUpdates/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ElasticCacheAutomaticBackup/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ElasticCacheAutomaticMinorUpgrades/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ElasticacheHasSecurityGroup/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ElasticacheReplicationGroupEncryptedWithCMK/
│ │ │ │ │ └── aws_elasticache_replication_group.tf
│ │ │ │ ├── example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ElasticsearchDefaultSG/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── opensearch.tf
│ │ │ │ ├── example_ElasticsearchDomainAuditLogging/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── opensearch.tf
│ │ │ │ ├── example_ElasticsearchDomainEnforceHTTPS/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── opensearch.tf
│ │ │ │ ├── example_ElasticsearchDomainHA/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── opensearch.tf
│ │ │ │ ├── example_ElasticsearchDomainLogging/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── opensearch.tf
│ │ │ │ ├── example_ElasticsearchEncryption/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── opensearch.tf
│ │ │ │ ├── example_ElasticsearchEncryptionWithCMK/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── opensearch.tf
│ │ │ │ ├── example_ElasticsearchInVPC/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── opensearch.tf
│ │ │ │ ├── example_ElasticsearchNodeToNodeEncryption/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── opensearch.tf
│ │ │ │ ├── example_ElasticsearchTLSPolicy/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── opensearch.tf
│ │ │ │ ├── example_FSXOntapFSEncryptedWithCMK/
│ │ │ │ │ └── aws_fsx_ontap_file_system.tf
│ │ │ │ ├── example_FSXOpenZFSFileSystemEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_FSXWindowsFSEncryptedWithCMK/
│ │ │ │ │ └── aws_fsx_windows_file_system.tf
│ │ │ │ ├── example_GlacierVaultAnyPrincipal/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GlueSecurityConfigurationEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GuarddutyDetectorEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_IAMAdminPolicyDocument/
│ │ │ │ │ └── iam.tf
│ │ │ │ ├── example_IAMCredentialsExposure/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_IAMDataExfiltration/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_IAMManagedAdminPolicy/
│ │ │ │ │ └── IAMManagedAdminPolicy.tf
│ │ │ │ ├── example_IAMPermissionsManagement/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_IAMPolicyAttachedToGroupOrRoles/
│ │ │ │ │ └── iam.tf
│ │ │ │ ├── example_IAMPrivilegeEscalation/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_IAMRoleAllowAssumeFromAccount/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_IAMStarResourcePolicyDocument/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_IAMUserNotUsedForAccess/
│ │ │ │ │ └── iam.tf
│ │ │ │ ├── example_IAMUserRootAccessKeys/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_IAMWriteAccess/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_IMDSv1Disabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ImagebuilderComponentEncryptedWithCMK/
│ │ │ │ │ └── aws_imagebuilder_component.tf
│ │ │ │ ├── example_ImagebuilderDistributionConfigurationEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ImagebuilderImageRecipeEBSEncrypted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_KMSKeyIsEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_KMSKeyWildcardPrincipal/
│ │ │ │ │ ├── fail.tf
│ │ │ │ │ └── pass.tf
│ │ │ │ ├── example_KMSRotation/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_KendraIndexSSEUsesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_KeyspacesTableUsesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_KinesisFirehoseDeliveryStreamSSE/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_KinesisFirehoseDeliveryStreamUsesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_KinesisStreamEncryptedWithCMK/
│ │ │ │ │ └── aws_kinesis_stream.tf
│ │ │ │ ├── example_KinesisStreamEncryptionType/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_KinesisVideoEncryptedWithCMK/
│ │ │ │ │ └── aws_kinesis_video_stream.tf
│ │ │ │ ├── example_LBCrossZone/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LBDeletionProtection/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LBTargetGroupDefinesHealthcheck/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LambdaCodeSigningConfigured/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LambdaEnvironmentCredentials/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LambdaEnvironmentEncryptionSettings/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LambdaFunctionIsNotPublic/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LambdaFunctionURLAuth/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LambdaServicePermission/
│ │ │ │ │ └── LambdaServicePermission.tf
│ │ │ │ ├── example_LambdaXrayEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LaunchConfigurationEBSEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LaunchTemplateMetadataHop/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LustreFSEncryptedWithCMK/
│ │ │ │ │ └── aws_fsx_lustre_file_system.tf
│ │ │ │ ├── example_MQBrokerAuditLogging/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MQBrokerEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MQBrokerLogging/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MQBrokerMinorAutoUpgrade/
│ │ │ │ │ └── main/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MQBrokerVersion/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MSKClusterNodesArePrivate/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MWAASchedulerLogsEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MWAAWebserverLogsEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MWAAWorkerLogsEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MemoryDBClusterIntransitEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MemoryDBEncryptionWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MemoryDBSnapshotEncryptionWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NeptuneClusterBackupRetention/
│ │ │ │ │ └── NeptuneClusterBackupRetention.tf
│ │ │ │ ├── example_NeptuneClusterEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NeptuneClusterSnapshotEncrypted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NeptuneClusterSnapshotEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NeptuneClusterStorageEncrypted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NeptuneDBClustersCopyTagsToSnapshots/
│ │ │ │ │ └── NeptuneDBClustersCopyTagsToSnapshots.tf
│ │ │ │ ├── example_NeptuneDBClustersIAMDatabaseAuthenticationEnabled/
│ │ │ │ │ └── NeptuneDBClustersIAMDatabaseAuthenticationEnabled.tf
│ │ │ │ ├── example_NetworkACLUnrestricted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NetworkACLUnrestrictedIngress20/
│ │ │ │ │ ├── dynamic_blocks_map_brackets/
│ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ └── variables.tf
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NetworkACLUnrestrictedIngress21/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NetworkACLUnrestrictedIngress22/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NetworkACLUnrestrictedIngress3389/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── variables.tf
│ │ │ │ ├── example_NetworkFirewallDeletionProtection/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NetworkFirewallPolicyDefinesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NetworkFirewallUsesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_QLDBLedgerDeletionProtection/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_QLDBLedgerPermissionsMode/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSCACertIsRecent/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSClusterActivityStreamEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSClusterAuditLogging/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSClusterAuroraBacktrack/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSClusterCopyTags/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSClusterEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSClusterIAMAuthentication/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSClusterLogging/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSHasSecurityGroup/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSIAMAuthentication/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSInstanceAutoBackupEncryptionWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSInstanceDeletionProtection/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSInstancePerfInsightsEncryptionWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSInstancePerformanceInsights/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSMultiAZEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RDSPostgreSQLLogFDWExtension/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RedShiftSSL/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RedshiftClusterAutoSnap/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RedshiftClusterDatabaseName/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RedshiftClusterUseEnhancedVPCRouting/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RedshiftClusterWithCommonUsernameAndPublicAccess/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RedshiftInEc2ClassicMode/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RedshiftServerlessNamespaceKMSKey/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RedshiftSnapshotCopyGrantEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_Route53TransferLock/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_S3AbortIncompleteUploads/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_S3AccessPointPubliclyAccessible/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_S3AllowsAnyPrincipal/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_S3BucketObjectEncryptedWithCMK/
│ │ │ │ │ └── aws_s3_bucket_object.tf
│ │ │ │ ├── example_S3BucketObjectLock/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_S3GlobalViewACL/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_S3ObjectCopyEncryptedWithCMK/
│ │ │ │ │ └── aws_s3_object_copy.tf
│ │ │ │ ├── example_S3ProtectAgainstPolicyLockout/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_S3SecureDataTransport/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SNSCrossAccountAccess/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SNSTopicEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SNSTopicPolicyAnyPrincipal/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SQSOverlyPermissive/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SQSPolicy/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SQSQueueEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SQSQueuePolicyAnyPrincipal/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SSMDocumentsArePrivate/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SSMParameterUsesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SSMSessionManagerDocumentEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SSMSessionManagerDocumentLogging/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SagemakerDataQualityJobDefinitionEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SagemakerDataQualityJobDefinitionTrafficEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SagemakerDataQualityJobDefinitionVolumeEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SagemakerDomainEncryptedWithCMK/
│ │ │ │ │ ├── aws_sagemaker_domain.tf
│ │ │ │ │ └── aws_sagemaker_notebook_instance.tf
│ │ │ │ ├── example_SagemakerFlowDefinitionUsesKMS/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SagemakerModelWithNetworkIsolation/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SagemakerNotebookInCustomVPC/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SagemakerNotebookInstanceAllowsIMDSv2/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SagemakerNotebookRoot/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SchedulerScheduleUsesCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SecretManagerSecret90days/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SecretManagerSecretEncrypted/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── tfplan.json
│ │ │ │ ├── example_SecurityGroupRuleDescription/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SecurityGroupUnrestrictedEgressAny/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SecurityGroupUnrestrictedIngress22/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SecurityGroupUnrestrictedIngress3389/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SecurityGroupUnrestrictedIngress80/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SecurityGroupUnrestrictedIngressAny/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SesConfigurationSetDefinesTLS/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_StateMachineLoggingExecutionHistory/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_StateMachineXray/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_TimestreamDatabaseKMSKey/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_TransferServerAllowsOnlySecureProtocols/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_TransferServerIsPublic/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_TransferServerLatestPolicy/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_UnpatchedAuroraPostgresDB/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_WAFACLCVE202144228/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_WAFEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_WAFHasLogs/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_WAFRuleHasAnyActions/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_WafHasAnyRules/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── waf2.tf
│ │ │ │ ├── example_WorkspaceRootVolumeEncrypted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_WorkspaceUserVolumeEncrypted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_ACMCertCreateBeforeDestroy.py
│ │ │ │ ├── test_ACMCertSetLoggingPreference.py
│ │ │ │ ├── test_ALBDesyncMode.py
│ │ │ │ ├── test_ALBDropHttpHeaders.py
│ │ │ │ ├── test_ALBListenerHTTPS.py
│ │ │ │ ├── test_AMICopyIsEncrypted.py
│ │ │ │ ├── test_AMICopyUsesCMK.py
│ │ │ │ ├── test_AMIEncryption.py
│ │ │ │ ├── test_AMILaunchIsShared.py
│ │ │ │ ├── test_APIGatewayAccessLogging.py
│ │ │ │ ├── test_APIGatewayAuthorization.py
│ │ │ │ ├── test_APIGatewayCacheEnable.py
│ │ │ │ ├── test_APIGatewayCreateBeforeDestroy.py
│ │ │ │ ├── test_APIGatewayDeploymentCreateBeforeDestroy.py
│ │ │ │ ├── test_APIGatewayDomainNameTLS.py
│ │ │ │ ├── test_APIGatewayMethodSettingCacheEncrypted.py
│ │ │ │ ├── test_APIGatewayMethodSettingsCacheEnabled.py
│ │ │ │ ├── test_APIGatewayMethodSettingsDataTrace.py
│ │ │ │ ├── test_APIGatewayV2RouteDefinesAuthorizationType.py
│ │ │ │ ├── test_APIGatewayXray.py
│ │ │ │ ├── test_AWSCodeGuruHasCMK.py
│ │ │ │ ├── test_AppFlowConnectorProfileUsesCMK.py
│ │ │ │ ├── test_AppFlowUsesCMK.py
│ │ │ │ ├── test_AppSyncFieldLevelLogs.py
│ │ │ │ ├── test_AppSyncLogging.py
│ │ │ │ ├── test_AppsyncAPICacheEncryptionAtRest.py
│ │ │ │ ├── test_AppsyncAPICacheEncryptionInTransit.py
│ │ │ │ ├── test_AthenaDatabaseEncryption.py
│ │ │ │ ├── test_AthenaWorkgroupConfiguration.py
│ │ │ │ ├── test_AthenaWorkgroupEncryption.py
│ │ │ │ ├── test_AuroraEncryption.py
│ │ │ │ ├── test_AutoScalingGroupWithPublicAccess.py
│ │ │ │ ├── test_AutoScalingLaunchTemplate.py
│ │ │ │ ├── test_AutoScalingTagging.py
│ │ │ │ ├── test_BackupVaultEncrypted.py
│ │ │ │ ├── test_BatchJobIsNotPrivileged.py
│ │ │ │ ├── test_BedrockAgentEncrypted.py
│ │ │ │ ├── test_BedrockGuardrails.py
│ │ │ │ ├── test_CloudFrontGeoRestrictionDisabled.py
│ │ │ │ ├── test_CloudFrontResponseHeaderStrictTransportSecurity.py
│ │ │ │ ├── test_CloudFrontTLS12.py
│ │ │ │ ├── test_CloudWatchAlarmsEnabled.py
│ │ │ │ ├── test_CloudWatchLogGroupKMSKey.py
│ │ │ │ ├── test_CloudWatchLogGroupRetention.py
│ │ │ │ ├── test_CloudWatchLogGroupRetentionYear.py
│ │ │ │ ├── test_CloudformationStackNotificationArns.py
│ │ │ │ ├── test_CloudfrontDistributionDefaultRoot.py
│ │ │ │ ├── test_CloudfrontDistributionEnabled.py
│ │ │ │ ├── test_CloudfrontDistributionEncryption.py
│ │ │ │ ├── test_CloudfrontDistributionLogging.py
│ │ │ │ ├── test_CloudfrontDistributionOriginFailover.py
│ │ │ │ ├── test_CloudsearchDomainEnforceHttps.py
│ │ │ │ ├── test_CloudsearchDomainTLS.py
│ │ │ │ ├── test_CloudtrailDefinesSNSTopic.py
│ │ │ │ ├── test_CloudtrailEnableLogging.py
│ │ │ │ ├── test_CloudtrailEncryptedWithCMK.py
│ │ │ │ ├── test_CloudtrailEventDataStoreUsesCMK.py
│ │ │ │ ├── test_CloudtrailLogValidation.py
│ │ │ │ ├── test_CloudtrailMultiRegion.py
│ │ │ │ ├── test_CodeArtifactDomainEncryptedWithCMK.py
│ │ │ │ ├── test_CodeBuildPrivilegedMode.py
│ │ │ │ ├── test_CodeBuildProjectEncryption.py
│ │ │ │ ├── test_CodePipelineArtifactsEncrypted.py
│ │ │ │ ├── test_CodebuildHasLogs.py
│ │ │ │ ├── test_CodebuildS3LogsEncrypted.py
│ │ │ │ ├── test_CodebuildUsesCMK.py
│ │ │ │ ├── test_CodecommitApprovalRulesRequireMin2.py
│ │ │ │ ├── test_CognitoUnauthenticatedIdentities.py
│ │ │ │ ├── test_ComprehendEntityRecognizerModelUsesCMK.py
│ │ │ │ ├── test_ComprehendEntityRecognizerVolumeUsesCMK.py
│ │ │ │ ├── test_ConfigConfigurationAggregator.py
│ │ │ │ ├── test_ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py
│ │ │ │ ├── test_ConnectInstanceS3StorageConfigUsesCMK.py
│ │ │ │ ├── test_DAXEncryption.py
│ │ │ │ ├── test_DAXEndpointTLS.py
│ │ │ │ ├── test_DBInstanceBackupRetentionPeriod.py
│ │ │ │ ├── test_DBInstanceLogging.py
│ │ │ │ ├── test_DBInstanceMinorUpgrade.py
│ │ │ │ ├── test_DBSnapshotCopyUsesCMK.py
│ │ │ │ ├── test_DBSnapshotsArePrivate.py
│ │ │ │ ├── test_DLMEventsCrossRegionEncryption.py
│ │ │ │ ├── test_DLMEventsCrossRegionEncryptionWithCMK.py
│ │ │ │ ├── test_DLMScheduleCrossRegionEncryption.py
│ │ │ │ ├── test_DLMScheduleCrossRegionEncryptionWithCMK.py
│ │ │ │ ├── test_DMSEndpointUsesCMK.py
│ │ │ │ ├── test_DMSReplicationInstanceEncryptedWithCMK.py
│ │ │ │ ├── test_DMSReplicationInstanceMinorUpgrade.py
│ │ │ │ ├── test_DMSReplicationInstancePubliclyAccessible.py
│ │ │ │ ├── test_DMSS3UsesCMK.py
│ │ │ │ ├── test_DatasyncLocationExposesSecrets.py
│ │ │ │ ├── test_DeprecatedLambdaRuntime.py
│ │ │ │ ├── test_DocDBAuditLogs.py
│ │ │ │ ├── test_DocDBBackupRetention.py
│ │ │ │ ├── test_DocDBEncryptedWithCMK.py
│ │ │ │ ├── test_DocDBEncryption.py
│ │ │ │ ├── test_DocDBGlobalClusterEncryption.py
│ │ │ │ ├── test_DocDBLogging.py
│ │ │ │ ├── test_DocDBTLS.py
│ │ │ │ ├── test_DynamoDBTableReplicaKMSUsesCMK.py
│ │ │ │ ├── test_DynamoDBTablesEncrypted.py
│ │ │ │ ├── test_DynamodbRecovery.py
│ │ │ │ ├── test_EBSDefaultEncryption.py
│ │ │ │ ├── test_EBSEncryption.py
│ │ │ │ ├── test_EBSSnapshotCopyEncryptedWithCMK.py
│ │ │ │ ├── test_EBSVolumeEncryptedWithCMK.py
│ │ │ │ ├── test_EC2Credentials.py
│ │ │ │ ├── test_EC2DetailedMonitoringEnabled.py
│ │ │ │ ├── test_EC2EBSOptimized.py
│ │ │ │ ├── test_EC2PublicIP.py
│ │ │ │ ├── test_ECRImageScanning.py
│ │ │ │ ├── test_ECRImmutableTags.py
│ │ │ │ ├── test_ECRPolicy.py
│ │ │ │ ├── test_ECRRepositoryEncrypted.py
│ │ │ │ ├── test_ECSClusterContainerInsights.py
│ │ │ │ ├── test_ECSClusterLoggingEnabled.py
│ │ │ │ ├── test_ECSClusterLoggingEncryptedWithCMK.py
│ │ │ │ ├── test_ECSContainerHostProcess.py
│ │ │ │ ├── test_ECSContainerPrivilege.py
│ │ │ │ ├── test_ECSContainerReadOnlyRoot.py
│ │ │ │ ├── test_ECSServiceFargateLatest.py
│ │ │ │ ├── test_ECSServicePublicIP.py
│ │ │ │ ├── test_ECSTaskDefinitionEFSVolumeEncryption.py
│ │ │ │ ├── test_ECSTaskDefinitionRoleCheck.py
│ │ │ │ ├── test_EFSAccessPointRoot.py
│ │ │ │ ├── test_EFSAccessUserIdentity.py
│ │ │ │ ├── test_EFSEncryptionEnabled.py
│ │ │ │ ├── test_EFSFileSystemEncryptedWithCMK.py
│ │ │ │ ├── test_EKSControlPlaneLogging.py
│ │ │ │ ├── test_EKSNodeGroupRemoteAccess.py
│ │ │ │ ├── test_EKSPlatformVersion.py
│ │ │ │ ├── test_EKSPublicAccess.py
│ │ │ │ ├── test_EKSPublicAccessCIDR.py
│ │ │ │ ├── test_EKSSecretsEncryption.py
│ │ │ │ ├── test_ELBAccessLogs.py
│ │ │ │ ├── test_ELBCrossZoneEnable.py
│ │ │ │ ├── test_ELBPolicyUsesSecureProtocols.py
│ │ │ │ ├── test_ELBUsesSSL.py
│ │ │ │ ├── test_ELBv2AccessLogs.py
│ │ │ │ ├── test_ELBwListenerNotTLSSSL.py
│ │ │ │ ├── test_EMRClusterConfEncryptsEBS.py
│ │ │ │ ├── test_EMRClusterConfEncryptsInTransit.py
│ │ │ │ ├── test_EMRClusterConfEncryptsLocalDisk.py
│ │ │ │ ├── test_EMRClusterIsEncryptedKMS.py
│ │ │ │ ├── test_EMRClusterKerberosAttributes.py
│ │ │ │ ├── test_EMRPubliclyAccessible.py
│ │ │ │ ├── test_Ec2TransitGatewayAutoAccept.py
│ │ │ │ ├── test_ElastiCacheHasCustomSubnet.py
│ │ │ │ ├── test_ElasticBeanstalkUseEnhancedHealthChecks.py
│ │ │ │ ├── test_ElasticBeanstalkUseManagedUpdates.py
│ │ │ │ ├── test_ElasticCacheAutomaticBackup.py
│ │ │ │ ├── test_ElasticCacheAutomaticMinorUpgrades.py
│ │ │ │ ├── test_ElasticCacheHasSecurityGroup.py
│ │ │ │ ├── test_ElasticacheReplicationGroupEncryptedWithCMK.py
│ │ │ │ ├── test_ElasticacheReplicationGroupEncryptionAtRest.py
│ │ │ │ ├── test_ElasticacheReplicationGroupEncryptionAtTransit.py
│ │ │ │ ├── test_ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py
│ │ │ │ ├── test_ElasticsearchDefaultSG.py
│ │ │ │ ├── test_ElasticsearchDomainAuditLogging.py
│ │ │ │ ├── test_ElasticsearchDomainEnforceHTTPS.py
│ │ │ │ ├── test_ElasticsearchDomainHA.py
│ │ │ │ ├── test_ElasticsearchDomainLogging.py
│ │ │ │ ├── test_ElasticsearchEncryption.py
│ │ │ │ ├── test_ElasticsearchEncryptionWithCMK.py
│ │ │ │ ├── test_ElasticsearchInVPC.py
│ │ │ │ ├── test_ElasticsearchNodeToNodeEncryption.py
│ │ │ │ ├── test_ElasticsearchTLSPolicy.py
│ │ │ │ ├── test_FSXOntapFSEncryptedWithCMK.py
│ │ │ │ ├── test_FSXOpenZFSFileSystemEncryptedWithCMK.py
│ │ │ │ ├── test_FSXWindowsFSEncryptedWithCMK.py
│ │ │ │ ├── test_GlacierVaultAnyPrincipal.py
│ │ │ │ ├── test_GlobalAcceleratorAcceleratorFlowLogs.py
│ │ │ │ ├── test_GlueDataCatalogEncryption.py
│ │ │ │ ├── test_GlueSecurityConfiguration.py
│ │ │ │ ├── test_GlueSecurityConfigurationEnabled.py
│ │ │ │ ├── test_GuarddutyDetectorEnabled.py
│ │ │ │ ├── test_IAMAdminPolicyDocument.py
│ │ │ │ ├── test_IAMCredentialsExposure.py
│ │ │ │ ├── test_IAMDataExfiltration.py
│ │ │ │ ├── test_IAMManagedAdminPolicy.py
│ │ │ │ ├── test_IAMPermissionsManagement.py
│ │ │ │ ├── test_IAMPolicyAttachedToGroupOrRoles.py
│ │ │ │ ├── test_IAMPrivilegeEscalation.py
│ │ │ │ ├── test_IAMRoleAllowAssumeFromAccount.py
│ │ │ │ ├── test_IAMRoleAllowsPublicAssume.py
│ │ │ │ ├── test_IAMStarActionPolicyDocument.py
│ │ │ │ ├── test_IAMStarResourcePolicyDocument.py
│ │ │ │ ├── test_IAMUserNotUsedForAccess.py
│ │ │ │ ├── test_IAMUserRootAccessKeys.py
│ │ │ │ ├── test_IAMWriteAccess.py
│ │ │ │ ├── test_IMDSv1Disabled.py
│ │ │ │ ├── test_ImagebuilderComponentEncryptedWithCMK.py
│ │ │ │ ├── test_ImagebuilderDistributionConfigurationEncryptedWithCMK.py
│ │ │ │ ├── test_ImagebuilderImageRecipeEBSEncrypted.py
│ │ │ │ ├── test_KMSKeyIsEnabled.py
│ │ │ │ ├── test_KMSKeyWildcardPrincipal.py
│ │ │ │ ├── test_KMSRotation.py
│ │ │ │ ├── test_KendraIndexSSEUsesCMK.py
│ │ │ │ ├── test_KeyspacesTableUsesCMK.py
│ │ │ │ ├── test_KinesisFirehoseDeliveryStreamSSE.py
│ │ │ │ ├── test_KinesisFirehoseDeliveryStreamUsesCMK.py
│ │ │ │ ├── test_KinesisStreamEncryptedWithCMK.py
│ │ │ │ ├── test_KinesisStreamEncryptionType.py
│ │ │ │ ├── test_KinesisVideoEncryptedWithCMK.py
│ │ │ │ ├── test_LBCrossZone.py
│ │ │ │ ├── test_LBDeletionProtection.py
│ │ │ │ ├── test_LBTargetGroupDefinesHealthCheck.py
│ │ │ │ ├── test_LambdaCodeSigningConfigured.py
│ │ │ │ ├── test_LambdaDLQConfigured.py
│ │ │ │ ├── test_LambdaEnvironmentCredentials.py
│ │ │ │ ├── test_LambdaEnvironmentEncryptionSettings.py
│ │ │ │ ├── test_LambdaFunctionIsNotPublic.py
│ │ │ │ ├── test_LambdaFunctionLevelConcurrentExecutionLimit.py
│ │ │ │ ├── test_LambdaFunctionURLAuth.py
│ │ │ │ ├── test_LambdaInVPC.py
│ │ │ │ ├── test_LambdaServicePermission.py
│ │ │ │ ├── test_LambdaXrayEnabled.py
│ │ │ │ ├── test_LaunchConfigurationEBSEncryption.py
│ │ │ │ ├── test_LaunchTemplateMetadataHop.py
│ │ │ │ ├── test_LustreFSEncryptedWithCMK.py
│ │ │ │ ├── test_MQBrokerAuditLogging.py
│ │ │ │ ├── test_MQBrokerEncryptedWithCMK.py
│ │ │ │ ├── test_MQBrokerLogging.py
│ │ │ │ ├── test_MQBrokerMinorAutoUpgrade.py
│ │ │ │ ├── test_MQBrokerNotPubliclyExposed.py
│ │ │ │ ├── test_MQBrokerVersion.py
│ │ │ │ ├── test_MSKClusterEncryption.py
│ │ │ │ ├── test_MSKClusterLogging.py
│ │ │ │ ├── test_MSKClusterNodesArePrivate.py
│ │ │ │ ├── test_MWAASchedulerLogsEnabled.py
│ │ │ │ ├── test_MWAAWebserverLogsEnabled.py
│ │ │ │ ├── test_MWAAWorkerLogsEnabled.py
│ │ │ │ ├── test_MemoryDBClusterIntransitEncryption.py
│ │ │ │ ├── test_MemoryDBEncryptionWithCMK.py
│ │ │ │ ├── test_MemoryDBSnapshotEncryptionWithCMK.py
│ │ │ │ ├── test_NeptuneClusterBackupRetention.py
│ │ │ │ ├── test_NeptuneClusterEncryptedWithCMK.py
│ │ │ │ ├── test_NeptuneClusterLogging.py
│ │ │ │ ├── test_NeptuneDBClustersCopyTagsToSnapshots.py
│ │ │ │ ├── test_NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py
│ │ │ │ ├── test_NeptuneInstancePublic.py
│ │ │ │ ├── test_NeptuneSnapshotEncrypted.py
│ │ │ │ ├── test_NeptuneSnapshotEncryptedWithCMK.py
│ │ │ │ ├── test_NeptuneStorageEncrypted.py
│ │ │ │ ├── test_NetworkACLUnrestricted.py
│ │ │ │ ├── test_NetworkACLUnrestrictedIngress20.py
│ │ │ │ ├── test_NetworkACLUnrestrictedIngress21.py
│ │ │ │ ├── test_NetworkACLUnrestrictedIngress22.py
│ │ │ │ ├── test_NetworkACLUnrestrictedIngress3389.py
│ │ │ │ ├── test_NetworkFirewallDeletionProtection.py
│ │ │ │ ├── test_NetworkFirewallPolicyDefinesCMK.py
│ │ │ │ ├── test_NetworkFirewallUsesCMK.py
│ │ │ │ ├── test_PasswordPolicyExpiration.py
│ │ │ │ ├── test_PasswordPolicyLength.py
│ │ │ │ ├── test_PasswordPolicyLowercaseLetter.py
│ │ │ │ ├── test_PasswordPolicyNumber.py
│ │ │ │ ├── test_PasswordPolicyReuse.py
│ │ │ │ ├── test_PasswordPolicySymbol.py
│ │ │ │ ├── test_PasswordPolicyUppercaseLetter.py
│ │ │ │ ├── test_QLDBLedgerDeletionProtection.py
│ │ │ │ ├── test_QLDBLedgerPermissionsMode.py
│ │ │ │ ├── test_RDSCACertIsRecent.py
│ │ │ │ ├── test_RDSClusterActivityStreamEncryptedWithCMK.py
│ │ │ │ ├── test_RDSClusterAuditLogging.py
│ │ │ │ ├── test_RDSClusterAuroraBacktrack.py
│ │ │ │ ├── test_RDSClusterCopyTags.py
│ │ │ │ ├── test_RDSClusterEncrypted.py
│ │ │ │ ├── test_RDSClusterEncryptedWithCMK.py
│ │ │ │ ├── test_RDSClusterIAMAuthentication.py
│ │ │ │ ├── test_RDSClusterLogging.py
│ │ │ │ ├── test_RDSClusterSnapshotEncrypted.py
│ │ │ │ ├── test_RDSDeletionProtection.py
│ │ │ │ ├── test_RDSEncryption.py
│ │ │ │ ├── test_RDSEnhancedMonitorEnabled.py
│ │ │ │ ├── test_RDSHasSecurityGroup.py
│ │ │ │ ├── test_RDSIAMAuthentication.py
│ │ │ │ ├── test_RDSInstanceAutoBackupEncryptionWithCMK.py
│ │ │ │ ├── test_RDSInstanceDeletionProtection.py
│ │ │ │ ├── test_RDSInstancePerfInsightsEncryptionWithCMK.py
│ │ │ │ ├── test_RDSInstancePerformanceInsights.py
│ │ │ │ ├── test_RDSMultiAZEnabled.py
│ │ │ │ ├── test_RDSPostgreSQLLogFDWExtension.py
│ │ │ │ ├── test_RDSPubliclyAccessible.py
│ │ │ │ ├── test_RedShiftSSL.py
│ │ │ │ ├── test_RedshiftClusterAllowVersionUpgrade.py
│ │ │ │ ├── test_RedshiftClusterAutoSnap.py
│ │ │ │ ├── test_RedshiftClusterDatabaseName.py
│ │ │ │ ├── test_RedshiftClusterEncryption.py
│ │ │ │ ├── test_RedshiftClusterKMSKey.py
│ │ │ │ ├── test_RedshiftClusterLogging.py
│ │ │ │ ├── test_RedshiftClusterPubliclyAccessible.py
│ │ │ │ ├── test_RedshiftClusterUseEnhancedVPCRouting.py
│ │ │ │ ├── test_RedshiftClusterWithCommonUsernameAndPublicAccess.py
│ │ │ │ ├── test_RedshiftInEc2ClassicMode.py
│ │ │ │ ├── test_RedshiftServerlessNamespaceKMSKey.py
│ │ │ │ ├── test_RedshiftSnapshotCopyGrantEncryptedWithCMK.py
│ │ │ │ ├── test_Route53TransferLock.py
│ │ │ │ ├── test_S3AbortIncompleteUploads.py
│ │ │ │ ├── test_S3AccessPointPubliclyAccessible.py
│ │ │ │ ├── test_S3AllowsAnyPrincipal.py
│ │ │ │ ├── test_S3BlockPublicACLs.py
│ │ │ │ ├── test_S3BlockPublicPolicy.py
│ │ │ │ ├── test_S3BucketObjectEncryptedWithCMK.py
│ │ │ │ ├── test_S3BucketObjectLock.py
│ │ │ │ ├── test_S3GlobalViewACL.py
│ │ │ │ ├── test_S3IgnorePublicACLs.py
│ │ │ │ ├── test_S3ObjectCopyEncryptedWithCMK.py
│ │ │ │ ├── test_S3ProtectAgainstPolicyLockout.py
│ │ │ │ ├── test_S3RestrictPublicBuckets.py
│ │ │ │ ├── test_S3SecureDataTransport.py
│ │ │ │ ├── test_SNSCrossAccountAccess.py
│ │ │ │ ├── test_SNSTopicEncryption.py
│ │ │ │ ├── test_SNSTopicPolicyAnyPrincipal.py
│ │ │ │ ├── test_SQSOverlyPermissive.py
│ │ │ │ ├── test_SQSPolicy.py
│ │ │ │ ├── test_SQSQueueEncryption.py
│ │ │ │ ├── test_SQSQueuePolicyAnyPrincipal.py
│ │ │ │ ├── test_SSMDocumentsArePrivate.py
│ │ │ │ ├── test_SSMParameterUsesCMK.py
│ │ │ │ ├── test_SSMSessionManagerDocumentEncryption.py
│ │ │ │ ├── test_SSMSessionManagerDocumentLogging.py
│ │ │ │ ├── test_SageMakerInternetAccessDisabled.py
│ │ │ │ ├── test_SagemakerDataQualityJobDefinitionEncryption.py
│ │ │ │ ├── test_SagemakerDataQualityJobDefinitionTrafficEncryption.py
│ │ │ │ ├── test_SagemakerDataQualityJobDefinitionVolumeEncryption.py
│ │ │ │ ├── test_SagemakerDomainEncryptedWithCMK.py
│ │ │ │ ├── test_SagemakerEndpoinConfigurationEncryption.py
│ │ │ │ ├── test_SagemakerFlowDefinitionUsesKMS.py
│ │ │ │ ├── test_SagemakerModelWithNetworkIsolation.py
│ │ │ │ ├── test_SagemakerNotebookEncryption.py
│ │ │ │ ├── test_SagemakerNotebookInCustomVPC.py
│ │ │ │ ├── test_SagemakerNotebookInstanceAllowsIMDSv2.py
│ │ │ │ ├── test_SagemakerNotebookRoot.py
│ │ │ │ ├── test_SchedulerScheduleUsesCMK.py
│ │ │ │ ├── test_SecretManagerSecret90days.py
│ │ │ │ ├── test_SecretManagerSecretEncrypted.py
│ │ │ │ ├── test_SecurityGroupRuleDescription.py
│ │ │ │ ├── test_SecurityGroupUnrestrictedEgressAny.py
│ │ │ │ ├── test_SecurityGroupUnrestrictedIngress22.py
│ │ │ │ ├── test_SecurityGroupUnrestrictedIngress3389.py
│ │ │ │ ├── test_SecurityGroupUnrestrictedIngress80.py
│ │ │ │ ├── test_SecurityGroupUnrestrictedIngressAny.py
│ │ │ │ ├── test_SesConfigurationSetDefinesTLS.py
│ │ │ │ ├── test_StateMachineLoggingExecutionHistory.py
│ │ │ │ ├── test_StateMachineXray.py
│ │ │ │ ├── test_SubnetPublicIP.py
│ │ │ │ ├── test_TimestreamDatabaseKMSKey.py
│ │ │ │ ├── test_TransferServerAllowsOnlySecureProtocols.py
│ │ │ │ ├── test_TransferServerIsPublic.py
│ │ │ │ ├── test_TransferServerLatestPolicy.py
│ │ │ │ ├── test_UnpatchedAuroraPostgresDB.py
│ │ │ │ ├── test_VPCDefaultNetwork.py
│ │ │ │ ├── test_VPCEndpointAcceptanceConfigured.py
│ │ │ │ ├── test_WAFACLCVE202144228.py
│ │ │ │ ├── test_WAFEnabled.py
│ │ │ │ ├── test_WAFHasAnyRules.py
│ │ │ │ ├── test_WAFHasLogs.py
│ │ │ │ ├── test_WAFRuleHasAnyActions.py
│ │ │ │ ├── test_WorkspaceRootVolumeEncrypted.py
│ │ │ │ └── test_WorkspaceUserVolumeEncrypted.py
│ │ │ ├── azure/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── example_ACRAdminAccountDisabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ACRAnonymousPullDisabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ACRContainerScanEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ACRDedicatedDataEndpointEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ACREnableImageQuarantine/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ACREnableRetentionPolicy/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ACREnableZoneRedundancy/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ACRGeoreplicated/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ACRPublicNetworkAccessDisabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ACRUseSignedImages/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AKSApiServerAuthorizedIpRanges/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AKSDashboardDisabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AKSEncryptionAtHostEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AKSEphemeralOSDisks/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AKSIsPaidSku/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AKSLocalAdminDisabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AKSMaxPodsMinimum/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AKSNodePublicIpDisabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AKSOnlyCriticalPodsOnSystemNodes/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AKSPoolTypeIsScaleSet/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AKSSecretStoreRotation/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AKSUpgradeChannel/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_APIManagementBackendHTTPS/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_APIManagementCertsEnforced/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_APIManagementMinTLS12/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_APIManagementPublicAccess/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppConfigEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppConfigLocalAuth/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppConfigPublicAccess/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppConfigPurgeProtection/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppConfigSku/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppGWDefinesSecureProtocols/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ ├── terraform.auto.tfvars
│ │ │ │ │ └── variables.tf
│ │ │ │ ├── example_AppGWUsesHttps/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppGatewayWAFACLCVE202144228/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceAlwaysOn/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceAuthentication/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceClientCertificate/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceDetailedErrorMessagesEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceDisallowCORS/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceDotnetFrameworkVersion/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceEnableFailedRequest/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceEnvironmentZoneRedundant/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceFTPSState/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceHTTPSOnly/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceHttpLoggingEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceHttps20Enabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceIdentity/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceIdentityProviderEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceInstanceMinimum/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceJavaVersion/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceMinTLSVersion/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ ├── terraform.tfvars
│ │ │ │ │ └── variables.tf
│ │ │ │ ├── example_AppServicePHPVersion/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServicePlanZoneRedundant/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServicePublicAccessDisabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServicePythonVersion/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceRemoteDebuggingNotEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceSetHealthCheck/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceSkuMinimum/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceSlotDebugDisabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceSlotHTTPSOnly/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceSlotMinTLS/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AppServiceUsedAzureFiles/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureBatchAccountEndpointAccessDefaultAction/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureContainerGroupDeployedIntoVirtualNetwork/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureContainerInstanceEnvVarSecureValueType/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureContainerInstancePublicIPAddressType/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureDefenderDisabledForResManager/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureFirewallDefinesPolicy/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureFirewallDenyThreatIntelMode/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureFirewallPolicyIDPSDeny/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureFrontDoorEnablesWAF/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureInstanceExtensions/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureManagedDiskEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureManagedDiskEncryptionSet/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureSearchAllowedIPsNotGlobal/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureSearchManagedIdentity/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureSearchPublicNetworkAccessDisabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureSearchSLAIndex/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureSearchSLAQueryUpdates/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureServicebusDoubleEncryptionEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureServicebusHasCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureServicebusIdentityProviderEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureServicebusLocalAuthDisabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureServicebusMinTLSVersion/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureServicebusPublicAccessDisabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AzureSparkPoolIsolatedComputeEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CDNDisableHttpEndpoints/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CDNEnableHttpsEndpoints/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CDNTLSProtocol12/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CognitiveServicesConfigureIdentity/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CognitiveServicesEnableLocalAuth/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CosmosDBHaveCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CosmosDBLocalAuthDisabled/
│ │ │ │ │ └── CosmosDBLocalAuthDisabled.tf
│ │ │ │ ├── example_DataExplorerSKUHasSLA/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DataExplorerServiceIdentity/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DataExplorerUsesDiskEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DataFactoryUsesGitRepository/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DatabricksWorkspaceIsNotPublic/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EventHubNamespaceMinTLS12/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EventHubNamespaceZoneRedundant/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EventgridDomainIdentityProviderEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EventgridDomainLocalAuthentication/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EventgridDomainNetworkAccess/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EventgridTopicIdentityProviderEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EventgridTopicLocalAuthentication/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_EventgridTopicNetworkAccess/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_FrontDoorWAFACLCVE202144228/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_FunctionAppAccessibleOverHttps/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_FunctionAppAccessibleOverHttps_tfplan/
│ │ │ │ │ └── example_fua_for_fail_ckv_azure_70.tf
│ │ │ │ ├── example_FunctionAppEnableLogging/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_FunctionAppHttpVersionLatest/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_FunctionAppMinTLSVersion/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_FunctionAppPublicAccessDisabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GithubActionsOIDCTrustPolicy/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_KeyVaultDisablesPublicNetworkAccess/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_KubernetesClusterHTTPApplicationRouting/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LinuxVMUsesSSH/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MLCCLADisabled/
│ │ │ │ │ └── MLCCLADisabled.tf
│ │ │ │ ├── example_MLComputeClusterMinNodes/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MLPublicAccess/
│ │ │ │ │ └── MLPublicAccess.tf
│ │ │ │ ├── example_MSSQLServerAuditPolicyLogMonitor/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MySQLGeoBackupEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NSGRuleHTTPAccessRestricted/
│ │ │ │ │ ├── dynamic_block_map_example/
│ │ │ │ │ │ ├── dynamic.tf
│ │ │ │ │ │ ├── terraform.tfvars
│ │ │ │ │ │ └── variables.tf
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NSGRuleRDPAccessRestricted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NSGRuleSSHAccessRestricted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NSGRuleUDPAccessRestricted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_OpenAICognitiveServicesRestrictOutboundNetwork/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PostgreSQLFlexiServerGeoBackupEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PostgreSQLMinTLSVersion/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PostgreSQLServerLogRetentionEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PubsubSKUSLA/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PubsubSpecifyIdentity/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RedisCacheMinTLSVersion/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RedisCacheStandardReplicationEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SQLDatabaseLedgerEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SQLDatabaseZoneRedundant/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SQLServerNoPublicAccess/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SignalRSKUSLA/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SpringCloudAPIPortalHTTPSOnly/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SpringCloudAPIPortalPublicAccessIsDisabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_StorageAccountDefaultNetworkAccessDeny/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_StorageAccountDisablePublicAccess/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_StorageAccountName/
│ │ │ │ │ ├── azurecaf.tf
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_StorageAccountsTransportEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_StorageAccountsUseReplication/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_StorageBlobRestrictPublicAccess/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_StorageLocalUsers/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_StorageSyncServicePermissiveAccess/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SynapseSQLPoolDataEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SynapseWorkspaceAdministratorLoginPasswordHidden/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SynapseWorkspaceCMKEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SynapseWorkspaceEnablesDataExfilProtection/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_VMAgentIsInstalled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_VMCredsInCustomData/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_VMDisablePasswordAuthentication/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_VMDiskWithPublicAccess/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_VMStorageOsDisk/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_VnetLocalDNS/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_VnetSingleDNSServer/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_WinVMAutomaticUpdates/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_WinVMEncryptionAtHost/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_ACRAdminAccountDisabled.py
│ │ │ │ ├── test_ACRAnonymousPullDisabled.py
│ │ │ │ ├── test_ACRContainerScanEnabled.py
│ │ │ │ ├── test_ACRDedicatedDataEndpointEnabled.py
│ │ │ │ ├── test_ACREnableImageQuarantine.py
│ │ │ │ ├── test_ACREnableRetentionPolicy.py
│ │ │ │ ├── test_ACREnableZoneRedundancy.py
│ │ │ │ ├── test_ACRGeoreplicated.py
│ │ │ │ ├── test_ACRPublicNetworkAccessDisabled.py
│ │ │ │ ├── test_ACRUseSignedImages.py
│ │ │ │ ├── test_AKSApiServerAuthorizedIpRanges.py
│ │ │ │ ├── test_AKSDashboardDisabled.py
│ │ │ │ ├── test_AKSEnablesPrivateClusters.py
│ │ │ │ ├── test_AKSEncryptionAtHostEnabled.py
│ │ │ │ ├── test_AKSEphemeralOSDisks.py
│ │ │ │ ├── test_AKSIsPaidSku.py
│ │ │ │ ├── test_AKSLocalAdminDisabled.py
│ │ │ │ ├── test_AKSLoggingEnabled.py
│ │ │ │ ├── test_AKSMaxPodsMinimum.py
│ │ │ │ ├── test_AKSNetworkPolicy.py
│ │ │ │ ├── test_AKSNodePublicIpDisabled.py
│ │ │ │ ├── test_AKSOnlyCriticalPodsOnSystemNodes.py
│ │ │ │ ├── test_AKSPoolTypeIsScaleSet.py
│ │ │ │ ├── test_AKSRbacEnabled.py
│ │ │ │ ├── test_AKSSecretStoreRotation.py
│ │ │ │ ├── test_AKSUpgradeChannel.py
│ │ │ │ ├── test_AKSUsesAzurePoliciesAddon.py
│ │ │ │ ├── test_AKSUsesDiskEncryptionSet.py
│ │ │ │ ├── test_APIManagementBackendHTTPS.py
│ │ │ │ ├── test_APIManagementCertsEnforced.py
│ │ │ │ ├── test_APIManagementMinTLS12.py
│ │ │ │ ├── test_APIManagementPublicAccess.py
│ │ │ │ ├── test_APIServicesUseVirtualNetwork.py
│ │ │ │ ├── test_ActiveDirectoryUsedAuthenticationServiceFabric.py
│ │ │ │ ├── test_AppConfigEncryption.py
│ │ │ │ ├── test_AppConfigLocalAuth.py
│ │ │ │ ├── test_AppConfigPublicAccess.py
│ │ │ │ ├── test_AppConfigPurgeProtection.py
│ │ │ │ ├── test_AppConfigSku.py
│ │ │ │ ├── test_AppGWDefinesSecureProtocols.py
│ │ │ │ ├── test_AppGWUsesHttps.py
│ │ │ │ ├── test_AppGatewayWAFACLCVE202144228.py
│ │ │ │ ├── test_AppServiceAlwaysOn.py
│ │ │ │ ├── test_AppServiceAuthentication.py
│ │ │ │ ├── test_AppServiceClientCertificate.py
│ │ │ │ ├── test_AppServiceDetailedErrorMessagesEnabled.py
│ │ │ │ ├── test_AppServiceDisallowedCORS.py
│ │ │ │ ├── test_AppServiceDotnetFrameworkVersion.py
│ │ │ │ ├── test_AppServiceEnableFailedRequest.py
│ │ │ │ ├── test_AppServiceEnvironmentZoneRedundant.py
│ │ │ │ ├── test_AppServiceFTPSState.py
│ │ │ │ ├── test_AppServiceHTTPSOnly.py
│ │ │ │ ├── test_AppServiceHttpLoggingEnabled.py
│ │ │ │ ├── test_AppServiceHttps20Enabled.py
│ │ │ │ ├── test_AppServiceIdentity.py
│ │ │ │ ├── test_AppServiceIdentityProviderEnabled.py
│ │ │ │ ├── test_AppServiceInstanceMinimum.py
│ │ │ │ ├── test_AppServiceJavaVersion.py
│ │ │ │ ├── test_AppServiceMinTLSVersion.py
│ │ │ │ ├── test_AppServicePHPVersion.py
│ │ │ │ ├── test_AppServicePlanZoneRedundant.py
│ │ │ │ ├── test_AppServicePublicAccessDisabled.py
│ │ │ │ ├── test_AppServicePythonVersion.py
│ │ │ │ ├── test_AppServiceRemoteDebuggingNotEnabled.py
│ │ │ │ ├── test_AppServiceSetHealthCheck.py
│ │ │ │ ├── test_AppServiceSkuMinimum.py
│ │ │ │ ├── test_AppServiceSlotDebugDisabled.py
│ │ │ │ ├── test_AppServiceSlotHTTPSOnly.py
│ │ │ │ ├── test_AppServiceSlotMinTLSVersion.py
│ │ │ │ ├── test_AppServiceUsedAzureFiles.py
│ │ │ │ ├── test_AutomationEncrypted.py
│ │ │ │ ├── test_AzureBatchAccountEndpointAccessDefaultAction.py
│ │ │ │ ├── test_AzureBatchAccountUsesKeyVaultEncryption.py
│ │ │ │ ├── test_AzureContainerGroupDeployedIntoVirtualNetwork.py
│ │ │ │ ├── test_AzureContainerInstanceEnvVarSecureValueType.py
│ │ │ │ ├── test_AzureContainerInstancePublicIPAddressType.py
│ │ │ │ ├── test_AzureDataExplorerDoubleEncryptionEnabled.py
│ │ │ │ ├── test_AzureDefenderDisabledForResManager.py
│ │ │ │ ├── test_AzureDefenderOnAppServices.py
│ │ │ │ ├── test_AzureDefenderOnContainerRegistry.py
│ │ │ │ ├── test_AzureDefenderOnKeyVaults.py
│ │ │ │ ├── test_AzureDefenderOnKubernetes.py
│ │ │ │ ├── test_AzureDefenderOnServers.py
│ │ │ │ ├── test_AzureDefenderOnSqlServers.py
│ │ │ │ ├── test_AzureDefenderOnSqlServersVMS.py
│ │ │ │ ├── test_AzureDefenderOnStorage.py
│ │ │ │ ├── test_AzureFirewallDefinesPolicy.py
│ │ │ │ ├── test_AzureFirewallDenyThreatIntelMode.py
│ │ │ │ ├── test_AzureFirewallPolicyIDPSDeny.py
│ │ │ │ ├── test_AzureFrontDoorEnablesWAF.py
│ │ │ │ ├── test_AzureInstanceExtensions.py
│ │ │ │ ├── test_AzureInstancePassword.py
│ │ │ │ ├── test_AzureManagedDiscEncryption.py
│ │ │ │ ├── test_AzureManagedDiskEncryptionSet.py
│ │ │ │ ├── test_AzureScaleSetPassword.py
│ │ │ │ ├── test_AzureSearchAllowedIPsNotGlobal.py
│ │ │ │ ├── test_AzureSearchManagedIdentity.py
│ │ │ │ ├── test_AzureSearchPublicNetworkAccessDisabled.py
│ │ │ │ ├── test_AzureSearchSLAIndex.py
│ │ │ │ ├── test_AzureSearchSLAQueryUpdates.py
│ │ │ │ ├── test_AzureServiceFabricClusterProtectionLevel.py
│ │ │ │ ├── test_AzureServicebusDoubleEncryptionEnabled.py
│ │ │ │ ├── test_AzureServicebusHasCMK.py
│ │ │ │ ├── test_AzureServicebusIdentityProviderEnabled.py
│ │ │ │ ├── test_AzureServicebusLocalAuthDisabled.py
│ │ │ │ ├── test_AzureServicebusMinTLSVersion.py
│ │ │ │ ├── test_AzureServicebusPublicAccessDisabled.py
│ │ │ │ ├── test_AzureSparkPoolIsolatedComputeEnabled.py
│ │ │ │ ├── test_CDNDisableHttpEndpoints.py
│ │ │ │ ├── test_CDNEnableHttpsEndpoints.py
│ │ │ │ ├── test_CDNTLSProtocol12.py
│ │ │ │ ├── test_CognitiveServicesConfigureIdentity.py
│ │ │ │ ├── test_CognitiveServicesDisablesPublicNetwork.py
│ │ │ │ ├── test_CognitiveServicesEnableLocalAuth.py
│ │ │ │ ├── test_CosmosDBAccountsRestrictedAccess.py
│ │ │ │ ├── test_CosmosDBDisableAccessKeyWrite.py
│ │ │ │ ├── test_CosmosDBDisablesPublicNetwork.py
│ │ │ │ ├── test_CosmosDBHaveCMK.py
│ │ │ │ ├── test_CosmosDBLocalAuthDisabled.py
│ │ │ │ ├── test_CustomRoleDefinitionSubscriptionOwner.py
│ │ │ │ ├── test_DataExplorerSKUHasSLA.py
│ │ │ │ ├── test_DataExplorerServiceIdentity.py
│ │ │ │ ├── test_DataExplorerUsesDiskEncryption.py
│ │ │ │ ├── test_DataFactoryNoPublicNetworkAccess.py
│ │ │ │ ├── test_DataFactoryUsesGitRepository.py
│ │ │ │ ├── test_DataLakeStoreEncryption.py
│ │ │ │ ├── test_DatabricksWorkspaceIsNotPublic.py
│ │ │ │ ├── test_EventHubNamespaceMinTLS12.py
│ │ │ │ ├── test_EventHubNamespaceZoneRedundant.py
│ │ │ │ ├── test_EventgridDomainIdentityProviderEnabled.py
│ │ │ │ ├── test_EventgridDomainLocalAuthentication.py
│ │ │ │ ├── test_EventgridDomainNetworkAccess.py
│ │ │ │ ├── test_EventgridTopicIdentityProviderEnabled.py
│ │ │ │ ├── test_EventgridTopicLocalAuthentication.py
│ │ │ │ ├── test_EventgridTopicNetworkAccess.py
│ │ │ │ ├── test_FrontDoorWAFACLCVE202144228.py
│ │ │ │ ├── test_FrontdoorUseWAFMode.py
│ │ │ │ ├── test_FunctionAppDisallowCORS.py
│ │ │ │ ├── test_FunctionAppEnableLogging.py
│ │ │ │ ├── test_FunctionAppHttpVersionLatest.py
│ │ │ │ ├── test_FunctionAppMinTLSVersion.py
│ │ │ │ ├── test_FunctionAppPublicAccessDisabled.py
│ │ │ │ ├── test_FunctionAppsAccessibleOverHttps.py
│ │ │ │ ├── test_FunctionAppsEnableAuthentication.py
│ │ │ │ ├── test_GithubActionsOIDCTrustPolicy.py
│ │ │ │ ├── test_IoTNoPublicNetworkAccess.py
│ │ │ │ ├── test_KeyBackedByHSM.py
│ │ │ │ ├── test_KeyExpirationDate.py
│ │ │ │ ├── test_KeyVaultDisablesPublicNetworkAccess.py
│ │ │ │ ├── test_KeyVaultEnablesFirewallRulesSettings.py
│ │ │ │ ├── test_KeyVaultEnablesPurgeProtection.py
│ │ │ │ ├── test_KeyVaultEnablesSoftDelete.py
│ │ │ │ ├── test_KeyVaultRecoveryEnabled.py
│ │ │ │ ├── test_KubernetesClusterHTTPApplicationRouting.py
│ │ │ │ ├── test_LinuxVMUsesSSH.py
│ │ │ │ ├── test_MLCCLADisabled.py
│ │ │ │ ├── test_MLComputeClusterMinNodes.py
│ │ │ │ ├── test_MLPublicAccess.py
│ │ │ │ ├── test_MSSQLServerAuditPolicyLogMonitor.py
│ │ │ │ ├── test_MSSQLServerMinTLSVersion.py
│ │ │ │ ├── test_MariaDBGeoBackupEnabled.py
│ │ │ │ ├── test_MariaDBPublicAccessDisabled.py
│ │ │ │ ├── test_MariaDBSSLEnforcementEnabled.py
│ │ │ │ ├── test_MonitorLogProfileCategories.py
│ │ │ │ ├── test_MonitorLogProfileRetentionDays.py
│ │ │ │ ├── test_MySQLEncryptionEnabled.py
│ │ │ │ ├── test_MySQLGeoBackupEnabled.py
│ │ │ │ ├── test_MySQLPublicAccessDisabled.py
│ │ │ │ ├── test_MySQLServerMinTLSVersion.py
│ │ │ │ ├── test_MySQLServerSSLEnforcementEnabled.py
│ │ │ │ ├── test_MySQLTreatDetectionEnabled.py
│ │ │ │ ├── test_NSGRuleHTTPAccessRestricted.py
│ │ │ │ ├── test_NSGRuleRDPAccessRestricted.py
│ │ │ │ ├── test_NSGRuleSSHAccessRestricted.py
│ │ │ │ ├── test_NSGRuleUDPAccessRestricted.py
│ │ │ │ ├── test_NetworkInterfaceEnableIPForwarding.py
│ │ │ │ ├── test_NetworkWatcherFlowLogPeriod.py
│ │ │ │ ├── test_OpenAICognitiveServicesRestrictedOutboundNetwork.py
│ │ │ │ ├── test_PostgreSQLEncryptionEnabled.py
│ │ │ │ ├── test_PostgreSQLFlexiServerGeoBackupEnabled.py
│ │ │ │ ├── test_PostgreSQLMinTLSVersion.py
│ │ │ │ ├── test_PostgreSQLServerConnectionThrottlingEnabled.py
│ │ │ │ ├── test_PostgreSQLServerLogCheckpointEnabled.py
│ │ │ │ ├── test_PostgreSQLServerLogConnectionsEnabled.py
│ │ │ │ ├── test_PostgreSQLServerLogRetentionEnabled.py
│ │ │ │ ├── test_PostgreSQLServerPublicAccessDisabled.py
│ │ │ │ ├── test_PostgreSQLServerSSLEnforcementEnabled.py
│ │ │ │ ├── test_PostgresSQLGeoBackupEnabled.py
│ │ │ │ ├── test_PostgresSQLTreatDetectionEnabled.py
│ │ │ │ ├── test_PubsubSKUSLA.py
│ │ │ │ ├── test_PubsubSpecifyIdentity.py
│ │ │ │ ├── test_RedisCacheEnableNonSSLPort.py
│ │ │ │ ├── test_RedisCacheMinTLSVersion.py
│ │ │ │ ├── test_RedisCachePublicNetworkAccessEnabled.py
│ │ │ │ ├── test_RedisCacheStandardReplicationEnabled.py
│ │ │ │ ├── test_SQLDatabaseLedgerEnabled.py
│ │ │ │ ├── test_SQLDatabaseZoneRedundant.py
│ │ │ │ ├── test_SQLServerEmailAlertsEnabled.py
│ │ │ │ ├── test_SQLServerEmailAlertsToAdminsEnabled.py
│ │ │ │ ├── test_SQLServerNoPublicAccess.py
│ │ │ │ ├── test_SQLServerPublicAccessDisabled.py
│ │ │ │ ├── test_SQLServerThreatDetectionTypes.py
│ │ │ │ ├── test_SecretContentType.py
│ │ │ │ ├── test_SecretExpirationDate.py
│ │ │ │ ├── test_SecurityCenterContactEmails.py
│ │ │ │ ├── test_SecurityCenterContactPhone.py
│ │ │ │ ├── test_SecurityCenterEmailAlert.py
│ │ │ │ ├── test_SecurityCenterEmailAlertAdmins.py
│ │ │ │ ├── test_SecurityCenterStandardPricing.py
│ │ │ │ ├── test_SignalRSJUSLA.py
│ │ │ │ ├── test_SpringCloudAPIPortalHTTPSOnly.py
│ │ │ │ ├── test_SpringCloudAPIPortalPublicAccessIsDisabled.py
│ │ │ │ ├── test_StorageAccountAzureServicesAccessEnabled.py
│ │ │ │ ├── test_StorageAccountDefaultNetworkAccessDeny.py
│ │ │ │ ├── test_StorageAccountDisablePublicAccess.py
│ │ │ │ ├── test_StorageAccountLoggingQueueServiceEnabled.py
│ │ │ │ ├── test_StorageAccountMinimumTlsVersion.py
│ │ │ │ ├── test_StorageAccountName.py
│ │ │ │ ├── test_StorageAccountsTransportEncryption.py
│ │ │ │ ├── test_StorageAccountsUseReplication.py
│ │ │ │ ├── test_StorageBlobRestrictPublicAccess.py
│ │ │ │ ├── test_StorageBlobServiceContainerPrivateAccess.py
│ │ │ │ ├── test_StorageLocalUsers.py
│ │ │ │ ├── test_StorageSyncPublicAccessDisabled.py
│ │ │ │ ├── test_StorageSyncServicePermissiveAccess.py
│ │ │ │ ├── test_SynapseSQLPoolDataEncryption.py
│ │ │ │ ├── test_SynapseWorkspaceAdministratorLoginPasswordHidden.py
│ │ │ │ ├── test_SynapseWorkspaceCMKEncryption.py
│ │ │ │ ├── test_SynapseWorkspaceEnablesDataExfilProtection.py
│ │ │ │ ├── test_SynapseWorkspaceEnablesManagedVirtualNetworks.py
│ │ │ │ ├── test_VMAgentIsInstalled.py
│ │ │ │ ├── test_VMCredsInCustomData.py
│ │ │ │ ├── test_VMDisablePasswordAuthentication.py
│ │ │ │ ├── test_VMDiskWithPublicAccess.py
│ │ │ │ ├── test_VMEncryptionAtHostEnabled.py
│ │ │ │ ├── test_VMScaleSetsAutoOSImagePatchingEnabled.py
│ │ │ │ ├── test_VMStorageOsDisk.py
│ │ │ │ ├── test_VnetLocalDNS.py
│ │ │ │ ├── test_VnetSingleDNSServer.py
│ │ │ │ ├── test_WAFSpecifiedModeAppGW.py
│ │ │ │ ├── test_WinVMAutomaticUpdates.py
│ │ │ │ └── test_WinVMEncryptionAtHost.py
│ │ │ ├── digitalocean/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── example_DropletSSHKeys/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_FirewallIngressOpen/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SpaceBucketPublicRead/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SpaceBucketVersioning/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_DropletSSHKeys.py
│ │ │ │ ├── test_FirewallIngressOpen.py
│ │ │ │ ├── test_SpaceBucketPublicRead.py
│ │ │ │ └── test_SpaceBucketVersioning.py
│ │ │ ├── gcp/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── example_ArtifactRegistryEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ArtifactRegistryPrivateRepo/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_BigQueryDatasetEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_BigQueryPrivateTable/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_BigQueryTableDeletionProtection/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_BigQueryTableEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_BigTableInstanceDeletionProtection/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_BigTableInstanceEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudArmorWAFACLCVE202144228/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudBuildWorkersArePrivate/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudFunctionPermissiveIngress/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudFunctionsShouldNotBePublic/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudMySqlLocalInfileOff/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudPostgreSQLLogDisconnection/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudPostgreSQLLogMinMessage/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudPostgreSQLLogTemp/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudPostgreSqlLogLockWaits/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudPostgreSqlLogMinDuration/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudPostgreSqlLogStatement/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudPubSubEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudSQLServerContainerDBAuthentication/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudSQLServerCrossDBOwnershipChaining/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudSQLServerNoPublicIP/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudSqlMajorVersion/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudStorageSelfLogging/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CloudStorageVersioningEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DataFusionPrivateInstance/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DataFusionStackdriverLogs/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DataFusionStackdriverMonitoring/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DataflowJobEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DataflowPrivateJob/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DataprocClusterEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DataprocPrivateCluster/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DataprocPublicIpCluster/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GCPCloudRunPrivateService/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GKEDontUseNodePools/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GKENetworkPolicyEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GKEPodSecurityPolicyEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GKEUseCosImage/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GithubActionsOIDCTrustPolicy/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleBigQueryDatasetPublicACL/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleCloudPostgreSqlEnablePgaudit/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleCloudPostgreSqlLogCheckpoints/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleCloudPostgreSqlLogConnection/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleCloudPostgreSqlLogHostname/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleCloudPostgreSqlLogMinErrorStatement/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleCloudSqlDatabasePubliclyAccessible/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleComputeBootDiskEncryption/
│ │ │ │ │ ├── bad.json
│ │ │ │ │ └── example1.tf
│ │ │ │ ├── example_GoogleComputeDefaultServiceAccount/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleComputeDefaultServiceAccountFullAccess/
│ │ │ │ │ ├── bad.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleComputeExternalIP/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleComputeFirewallUnrestrictedIngress20/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleComputeFirewallUnrestrictedIngress21/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleComputeFirewallUnrestrictedIngress22/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleComputeFirewallUnrestrictedIngress3306/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleComputeFirewallUnrestrictedIngress80/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleComputeProjectOSLogin/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleFolderBasicRole/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleIAMWorkloadIdentityConditional/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleKMSKeyIsPublic/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleKMSPreventDestroy/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleKMSRotationPeriod/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleOrgBasicRole/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleProjectBasicRole/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleStorageBucketUniformAccess/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleStoragePublicAccessPrevention/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleSubnetworkIPV6PrivateGoogleEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleSubnetworkLoggingEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleSubnetworkPrivateGoogleEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_GoogleVertexAINotebookShieldedVM/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MemorystoreForRedisAuthEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MemorystoreForRedisInTransitEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PubSubPrivateTopic/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SpannerDatabaseDeletionProtection/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SpannerDatabaseDropProtection/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SpannerDatabaseEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_VertexAIDatasetEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_VertexAIMetadataStoreEncryptedWithCMK/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_VertexAINotebookEnsureIntegrityMonitoring/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_VertexAIPrivateInstance/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_ArtifactRegistryEncryptedWithCMK.py
│ │ │ │ ├── test_ArtifactRegistryPrivateRepo.py
│ │ │ │ ├── test_BigQueryDatasetEncryptedWithCMK.py
│ │ │ │ ├── test_BigQueryPrivateTable.py
│ │ │ │ ├── test_BigQueryTableDeletionProtection.py
│ │ │ │ ├── test_BigQueryTableEncryptedWithCMK.py
│ │ │ │ ├── test_BigTableInstanceDeletionProtection.py
│ │ │ │ ├── test_BigTableInstanceEncryptedWithCMK.py
│ │ │ │ ├── test_CloudArmorWAFACLCVE202144228.py
│ │ │ │ ├── test_CloudBuildWorkerArePrivate.py
│ │ │ │ ├── test_CloudFunctionPermissiveIngress.py
│ │ │ │ ├── test_CloudFunctionsShouldNotbePublic.py
│ │ │ │ ├── test_CloudPubSubEncryptedWithCMK.py
│ │ │ │ ├── test_CloudSqlMajorVersion.py
│ │ │ │ ├── test_CloudStorageLogging.py
│ │ │ │ ├── test_CloudStorageSelfLogging.py
│ │ │ │ ├── test_DataFusionPrivateInstance.py
│ │ │ │ ├── test_DataFusionStackdriverLogs.py
│ │ │ │ ├── test_DataFusionStackdriverMonitoring.py
│ │ │ │ ├── test_DataflowJobEncryptedWithCMK.py
│ │ │ │ ├── test_DataflowPrivateJob.py
│ │ │ │ ├── test_DataprocClusterEncryptedWithCMK.py
│ │ │ │ ├── test_DataprocPrivateCluster.py
│ │ │ │ ├── test_DataprocPublicIpCluster.py
│ │ │ │ ├── test_GCPCloudRunPrivateService.py
│ │ │ │ ├── test_GKEAliasIpEnabled.py
│ │ │ │ ├── test_GKEBinaryAuthorization/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_GKEBinaryAuthorization.py
│ │ │ │ ├── test_GKEClientCertificateDisabled.py
│ │ │ │ ├── test_GKEClusterLogging.py
│ │ │ │ ├── test_GKEDisableLegacyAuth.py
│ │ │ │ ├── test_GKEDontUseNodePools.py
│ │ │ │ ├── test_GKEEnableShieldedNodes/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_GKEEnableShieldedNodes.py
│ │ │ │ ├── test_GKEEnableVPCFlowLogs/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_GKEEnableVPCFlowLogs.py
│ │ │ │ ├── test_GKEEnsureIntegrityMonitoring/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_GKEEnsureIntegrityMonitoring.py
│ │ │ │ ├── test_GKEHasLabels.py
│ │ │ │ ├── test_GKEKubernetesRBACGoogleGroups/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_GKEKubernetesRBACGoogleGroups.py
│ │ │ │ ├── test_GKEMasterAuthorizedNetworksEnabled.py
│ │ │ │ ├── test_GKEMetadataServerIsEnabled.py
│ │ │ │ ├── test_GKEMetadataServerisEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_GKEMonitoringEnabled.py
│ │ │ │ ├── test_GKENetworkPolicyEnabled.py
│ │ │ │ ├── test_GKENodePoolAutoRepairEnabled.py
│ │ │ │ ├── test_GKENodePoolAutoUpgradeEnabled.py
│ │ │ │ ├── test_GKEPodSecurityPolicyEnabled.py
│ │ │ │ ├── test_GKEPrivateClusterConfig.py
│ │ │ │ ├── test_GKEPrivateNodes/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_GKEPrivateNodes.py
│ │ │ │ ├── test_GKEPublicControlPlane.py
│ │ │ │ ├── test_GKEReleaseChannel/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_GKEReleaseChannel.py
│ │ │ │ ├── test_GKESecureBootforShieldedNodes/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_GKESecureBootforShieldedNodes.py
│ │ │ │ ├── test_GKEUseCosImage.py
│ │ │ │ ├── test_GithubActionsOIDCTrustPolicy.py
│ │ │ │ ├── test_GoogleBigQueryDatasetPublicACL.py
│ │ │ │ ├── test_GoogleCloudDNSKeySpecsRSASHA1.py
│ │ │ │ ├── test_GoogleCloudDNSSECEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_GoogleCloudDNSSECEnabled.py
│ │ │ │ ├── test_GoogleCloudMySqlLocalInfileOff.py
│ │ │ │ ├── test_GoogleCloudPostgreSqlEnablePgaudit.py
│ │ │ │ ├── test_GoogleCloudPostgreSqlLogCheckpoints.py
│ │ │ │ ├── test_GoogleCloudPostgreSqlLogConnection.py
│ │ │ │ ├── test_GoogleCloudPostgreSqlLogDisconnection.py
│ │ │ │ ├── test_GoogleCloudPostgreSqlLogHostname.py
│ │ │ │ ├── test_GoogleCloudPostgreSqlLogLockWaits.py
│ │ │ │ ├── test_GoogleCloudPostgreSqlLogMinDuration.py
│ │ │ │ ├── test_GoogleCloudPostgreSqlLogMinErrorStatement.py
│ │ │ │ ├── test_GoogleCloudPostgreSqlLogMinMessage.py
│ │ │ │ ├── test_GoogleCloudPostgreSqlLogStatement.py
│ │ │ │ ├── test_GoogleCloudPostgreSqlLogTemp.py
│ │ │ │ ├── test_GoogleCloudSqlBackupConfiguration.py
│ │ │ │ ├── test_GoogleCloudSqlDatabasePublicallyAccessible.py
│ │ │ │ ├── test_GoogleCloudSqlDatabaseRequireSsl.py
│ │ │ │ ├── test_GoogleCloudSqlServerContainedDBAuthentication.py
│ │ │ │ ├── test_GoogleCloudSqlServerCrossDBOwnershipChaining.py
│ │ │ │ ├── test_GoogleCloudSqlServerNoPublicIP.py
│ │ │ │ ├── test_GoogleComputeBlockProjectSSH/
│ │ │ │ │ ├── google_compute_instance.tf
│ │ │ │ │ ├── google_compute_instance_from_template.tf
│ │ │ │ │ └── google_compute_instance_template.tf
│ │ │ │ ├── test_GoogleComputeBlockProjectSSH.py
│ │ │ │ ├── test_GoogleComputeBootDiskEncryption.py
│ │ │ │ ├── test_GoogleComputeDefaultServiceAccount.py
│ │ │ │ ├── test_GoogleComputeDefaultServiceAccountFullAccess.py
│ │ │ │ ├── test_GoogleComputeDiskEncryption.py
│ │ │ │ ├── test_GoogleComputeExternalIP.py
│ │ │ │ ├── test_GoogleComputeFirewallUnrestrictedIngress20.py
│ │ │ │ ├── test_GoogleComputeFirewallUnrestrictedIngress21.py
│ │ │ │ ├── test_GoogleComputeFirewallUnrestrictedIngress22.py
│ │ │ │ ├── test_GoogleComputeFirewallUnrestrictedIngress3306.py
│ │ │ │ ├── test_GoogleComputeFirewallUnrestrictedIngress3389.py
│ │ │ │ ├── test_GoogleComputeFirewallUnrestrictedIngress80.py
│ │ │ │ ├── test_GoogleComputeIPForward.py
│ │ │ │ ├── test_GoogleComputeInstanceOSLogin.py
│ │ │ │ ├── test_GoogleComputeProjectOSLogin.py
│ │ │ │ ├── test_GoogleComputeSSLPolicy.py
│ │ │ │ ├── test_GoogleComputeSerialPorts.py
│ │ │ │ ├── test_GoogleComputeShieldedVM.py
│ │ │ │ ├── test_GoogleFolderBasicRole.py
│ │ │ │ ├── test_GoogleFolderImpersonationRolesd.py
│ │ │ │ ├── test_GoogleFolderMemberDefaultServiceAccount.py
│ │ │ │ ├── test_GoogleIAMWorkloadIdentityConditional.py
│ │ │ │ ├── test_GoogleKMSKeyIsPublic.py
│ │ │ │ ├── test_GoogleKMSKeyRotationPeriod.py
│ │ │ │ ├── test_GoogleKMSPreventDestroy.py
│ │ │ │ ├── test_GoogleOrgBasicRole.py
│ │ │ │ ├── test_GoogleOrgImpersonationRolest.py
│ │ │ │ ├── test_GoogleOrgMemberDefaultServiceAccount.py
│ │ │ │ ├── test_GoogleProjectAdminServiceAccount.py
│ │ │ │ ├── test_GoogleProjectBasicRole.py
│ │ │ │ ├── test_GoogleProjectDefaultNetwork.py
│ │ │ │ ├── test_GoogleProjectImpersonationRoles.py
│ │ │ │ ├── test_GoogleProjectMemberDefaultServiceAccount.py
│ │ │ │ ├── test_GoogleRoleServiceAccountUser.py
│ │ │ │ ├── test_GoogleStorageBucketNotPublic.py
│ │ │ │ ├── test_GoogleStorageBucketUniformAccess.py
│ │ │ │ ├── test_GoogleStoragePublicAccessPrevention.py
│ │ │ │ ├── test_GoogleStorageVersioningEnabled.py
│ │ │ │ ├── test_GoogleSubnetworkIPV6PrivateGoogleEnabled.py
│ │ │ │ ├── test_GoogleSubnetworkLoggingEnabled.py
│ │ │ │ ├── test_GoogleSubnetworkPrivateGoogleEnabled.py
│ │ │ │ ├── test_GoogleVertexAINotebookShieldedVM.py
│ │ │ │ ├── test_MemorystoreForRedisAuthEnabled.py
│ │ │ │ ├── test_MemorystoreForRedisInTransitEncryption.py
│ │ │ │ ├── test_PubSubPrivateTopic.py
│ │ │ │ ├── test_SpannerDatabaseDeletionProtection.py
│ │ │ │ ├── test_SpannerDatabaseDropProtection.py
│ │ │ │ ├── test_SpannerDatabaseEncryptedWithCMK.py
│ │ │ │ ├── test_VertexAIDatasetEncryptedWithCMK.py
│ │ │ │ ├── test_VertexAIMetadataStoreEncryptedWithCMK.py
│ │ │ │ ├── test_VertexAINotebookEnsureIntegrityMonitoring.py
│ │ │ │ └── test_VertexAIPrivateInstance.py
│ │ │ ├── github/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── example_BranchProtectionRequireSignedCommits/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_BranchProtectionReviewNumTwo/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RepositoryEnableVulnerabilityAlerts/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SecretsEncrypted/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_BranchProtectionRequiredSignedCommits.py
│ │ │ │ ├── test_BranchProtectionReviewNumTwo.py
│ │ │ │ ├── test_PrivateRepo.py
│ │ │ │ ├── test_RepositoryVulnerabilityAlerts.py
│ │ │ │ ├── test_SecretsEncrypted.py
│ │ │ │ └── test_WebhookInsecureSsl.py
│ │ │ ├── gitlab/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── example_ForcePushDisabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PreventSecretsEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RejectUnsignedCommits/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RequireTwoApprovalsToMerge/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_ForcePushDisabled.py
│ │ │ │ ├── test_PreventSecretsEnabled.py
│ │ │ │ ├── test_RejectUnsignedCommits.py
│ │ │ │ └── test_RequireTwoApprovalsToMerge.py
│ │ │ ├── kubernetes/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── example_AllowPrivilegeEscalation/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AllowPrivilegeEscalationPSP/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AllowedCapabilities/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AllowedCapabilitiesPSP/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AllowedCapabilitiesSysAdmin/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CPULimits/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_CPURequests/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ ├── main2.tf
│ │ │ │ │ └── main3.tf
│ │ │ │ ├── example_ContainerSecurityContext/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DangerousGitSync/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DefaultNamespace/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DefaultServiceAccount/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DefaultServiceAccountBinding/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DockerSocketVolume/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DropCapabilities/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_DropCapabilitiesPSP/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_HostPort/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── main3.tf
│ │ │ │ ├── example_ImageDigest/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── main3.tf
│ │ │ │ ├── example_ImagePullPolicyAlways/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── main3.tf
│ │ │ │ ├── example_ImageTagFixed/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LivenessProbe/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── main3.tf
│ │ │ │ ├── example_MemoryLimits/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ ├── main2.tf
│ │ │ │ │ └── main3.tf
│ │ │ │ ├── example_MemoryRequests/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ ├── main2.tf
│ │ │ │ │ └── main3.tf
│ │ │ │ ├── example_MinimiseCapabilities/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_MinimiseCapabilitiesPSP/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PodSecurityContext/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PrivilegedContainers/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PrivilegedContainersPSP/
│ │ │ │ │ └── psp.tf
│ │ │ │ ├── example_ReadinessProbe/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── main3.tf
│ │ │ │ ├── example_ReadonlyRootFilesystem/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RootContainerPSP/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SeccompPSP/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_Secrets/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ShareHostIPC/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ShareHostIPCPSP/
│ │ │ │ │ └── psp.tf
│ │ │ │ ├── example_ShareHostPID/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ShareHostPIDPSP/
│ │ │ │ │ └── psp.tf
│ │ │ │ ├── example_SharedHostNetworkNamespace/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SharedHostNetworkNamespacePSP/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_Tiller/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_TillerService/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_WildcardRoles/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_AllowPrivilegeEscalation.py
│ │ │ │ ├── test_AllowPrivilegeEscalationPSP.py
│ │ │ │ ├── test_AllowedCapabilities.py
│ │ │ │ ├── test_AllowedCapabilitiesPSP.py
│ │ │ │ ├── test_AllowedCapabilitiesSysAdmin.py
│ │ │ │ ├── test_CPULimits.py
│ │ │ │ ├── test_CPURequests.py
│ │ │ │ ├── test_ContainerSecurityContext.py
│ │ │ │ ├── test_DangerousGitSync.py
│ │ │ │ ├── test_DefaultNamespace.py
│ │ │ │ ├── test_DefaultServiceAccount.py
│ │ │ │ ├── test_DefaultServiceAccountBinding.py
│ │ │ │ ├── test_DockerSocketVolume.py
│ │ │ │ ├── test_DropCapabilities.py
│ │ │ │ ├── test_DropCapabilitiesPSP.py
│ │ │ │ ├── test_HostPort.py
│ │ │ │ ├── test_ImageDigest.py
│ │ │ │ ├── test_ImagePullPolicyAlways.py
│ │ │ │ ├── test_ImageTagFixed.py
│ │ │ │ ├── test_LivenessProbe.py
│ │ │ │ ├── test_MemoryLimits.py
│ │ │ │ ├── test_MemoryRequests.py
│ │ │ │ ├── test_MinimiseCapabilities.py
│ │ │ │ ├── test_MinimiseCapabilitiesPSP.py
│ │ │ │ ├── test_PodSecurityContext.py
│ │ │ │ ├── test_PrivilegedContainers.py
│ │ │ │ ├── test_PrivilegedContainersPSP.py
│ │ │ │ ├── test_ReadinessProbe.py
│ │ │ │ ├── test_ReadonlyRootFilesystem.py
│ │ │ │ ├── test_RootContainerPSP.py
│ │ │ │ ├── test_SeccompPSP.py
│ │ │ │ ├── test_Secrets.py
│ │ │ │ ├── test_ShareHostIPC.py
│ │ │ │ ├── test_ShareHostIPCPSP.py
│ │ │ │ ├── test_ShareHostNetworkNamespace.py
│ │ │ │ ├── test_ShareHostNetworkNamespacePSP.py
│ │ │ │ ├── test_ShareHostPID.py
│ │ │ │ ├── test_ShareHostPIDPSP.py
│ │ │ │ ├── test_Tiller.py
│ │ │ │ ├── test_TillerService.py
│ │ │ │ └── test_WildcardRoles.py
│ │ │ ├── linode/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── test_authorised_keys.py
│ │ │ │ ├── test_firewall_inbound_policy.py
│ │ │ │ ├── test_firewall_outbound_policy.py
│ │ │ │ ├── test_user_email_set.py
│ │ │ │ └── test_user_username_set.py
│ │ │ ├── ncp/
│ │ │ │ ├── example_AccessControlGroupInboundRulePort22/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AccessControlGroupInboundRulePort3389/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AccessControlGroupInboundRulePort80/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AccessControlGroupOutboundRule/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_AccessControlGroupRuleDescription/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LBListenerUsesSecureProtocols/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LBListenerUsingHTTPS/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LBNetworkPrivate/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LBTargetGroupDefinesHealthCheck/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LBTargetGroupUsingHTTPS/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_LaunchConfigurationEncryptionVPC/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NACLInbound20/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NACLInbound21/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NACLInbound22/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NACLInbound3389/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NACLPortCheck/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NASEncryptionEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NKSControlPlaneLogging/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NKSPublicAccess/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_RouteTableNATGatewayDefault/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ServerEncryptionVPC/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ServerPublicIP/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_AccessControlGroupInboundRulePort22.py
│ │ │ │ ├── test_AccessControlGroupInboundRulePort3389.py
│ │ │ │ ├── test_AccessControlGroupInboundRulePort80.py
│ │ │ │ ├── test_AccessControlGroupOutboundRule.py
│ │ │ │ ├── test_AccessControlGroupRuleDescription.py
│ │ │ │ ├── test_LBListenerUsesSecureProtocols.py
│ │ │ │ ├── test_LBListenerUsingHTTPS.py
│ │ │ │ ├── test_LBNetworkPrivate.py
│ │ │ │ ├── test_LBTargetGroupDefinesHealthCheck.py
│ │ │ │ ├── test_LBTargetGroupUsingHTTPS.py
│ │ │ │ ├── test_LaunchConfigurationEncryptionVPC.py
│ │ │ │ ├── test_NACLInbound20.py
│ │ │ │ ├── test_NACLInbound21.py
│ │ │ │ ├── test_NACLInbound22.py
│ │ │ │ ├── test_NACLInbound3389.py
│ │ │ │ ├── test_NACLPortCheck.py
│ │ │ │ ├── test_NASEncryptionEnabled.py
│ │ │ │ ├── test_NKSControlPlaneLogging.py
│ │ │ │ ├── test_NKSPublicAccess.py
│ │ │ │ ├── test_RouteTableNATGatewayDefault.py
│ │ │ │ ├── test_ServerEncryptionVPC.py
│ │ │ │ └── test_ServerPublicIP.py
│ │ │ ├── oci/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── example_DataCatalogWithPublicAccess/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_FileSystemEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_IAMPasswordLength/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_IAMPasswordPolicyLowerCase/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_IAMPasswordPolicyNumeric/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_IAMPasswordPolicySpecialCharacters/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_IAMPasswordPolicyUpperCase/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_InstanceBootVolumeIntransitEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_InstanceMetadataServiceEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_InstanceMonitoringEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ObjectStorageEmitEvents/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ObjectStorageEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ObjectStoragePublic/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ObjectStorageVersioning/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SecurityGroupUnrestrictedIngress22/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SecurityGroupsIngressStatelessSecurityRules/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SecurityListIngress/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SecurityListIngressStateless/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SecurityListIngressStatelessListSyntax/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SecurityListUnrestrictedIngress22/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_SecurityListUnrestrictedIngress3389/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_StorageBlockBackupEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_StorageBlockEncryption/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_DataCatalogWithPublicAccess.py
│ │ │ │ ├── test_FileSystemEncryption.py
│ │ │ │ ├── test_IAMPasswordLength.py
│ │ │ │ ├── test_IAMPasswordPolicyLowerCase.py
│ │ │ │ ├── test_IAMPasswordPolicyNumeric.py
│ │ │ │ ├── test_IAMPasswordPolicySpecialCharacters.py
│ │ │ │ ├── test_IAMPasswordPolicyUpperCase.py
│ │ │ │ ├── test_InstanceBootVolumeIntransitEncryption.py
│ │ │ │ ├── test_InstanceMetadataServiceEnabled.py
│ │ │ │ ├── test_InstanceMonitoringEnabled.py
│ │ │ │ ├── test_ObjectStorageEmitEvents.py
│ │ │ │ ├── test_ObjectStorageEncryption.py
│ │ │ │ ├── test_ObjectStoragePublic.py
│ │ │ │ ├── test_ObjectStorageVersioning.py
│ │ │ │ ├── test_SecurityGroupUnrestrictedIngress22.py
│ │ │ │ ├── test_SecurityGroupsIngressStatelessSecurityRules.py
│ │ │ │ ├── test_SecurityListIngress.py
│ │ │ │ ├── test_SecurityListIngressStateless.py
│ │ │ │ ├── test_SecurityListIngressStatelessListSyntax.py
│ │ │ │ ├── test_SecurityListUnrestrictedIngress22.py
│ │ │ │ ├── test_SecurityListUnrestrictedIngress3389.py
│ │ │ │ ├── test_StorageBlockBackupEnabled.py
│ │ │ │ └── test_StorageBlockEncryption.py
│ │ │ ├── okta/
│ │ │ │ ├── example_TwoFASignOnPolicyRule/
│ │ │ │ │ └── main.tf
│ │ │ │ └── test_TwoFASignOnPolicyRule.py
│ │ │ ├── openstack/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── example_ComputeInstanceAdminPassword/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_FirewallRuleSetDestinationIP/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_ComputeInstanceAdminPassword.py
│ │ │ │ ├── test_FirewallRuleSetDestinationIP.py
│ │ │ │ ├── test_SecurityGroupUnrestrictedIngress22.py
│ │ │ │ └── test_SecurityGroupUnrestrictedIngress3389.py
│ │ │ ├── panos/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── example_InterfaceMgmtProfileNoHTTP/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_InterfaceMgmtProfileNoTelnet/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NetworkIPsecAlgorithms/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NetworkIPsecAuthAlgorithms/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_NetworkIPsecProtocols/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PolicyDescription/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PolicyLogForwarding/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PolicyLoggingEnabled/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PolicyNoApplicationAny/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PolicyNoDSRI/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PolicyNoServiceAny/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_PolicyNoSrcAnyDstAny/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ZoneProtectionProfile/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── example_ZoneUserIDIncludeACL/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── test_InterfaceMgmtProfileNoHTTP.py
│ │ │ │ ├── test_InterfaceMgmtProfileNoTelnet.py
│ │ │ │ ├── test_NetworkIPsecAlgorithms.py
│ │ │ │ ├── test_NetworkIPsecAuthAlgorithms.py
│ │ │ │ ├── test_NetworkIPsecProtocols.py
│ │ │ │ ├── test_PolicyDescription.py
│ │ │ │ ├── test_PolicyLogForwarding.py
│ │ │ │ ├── test_PolicyLoggingEnabled.py
│ │ │ │ ├── test_PolicyNoApplicationAny.py
│ │ │ │ ├── test_PolicyNoDSRI.py
│ │ │ │ ├── test_PolicyNoServiceAny.py
│ │ │ │ ├── test_PolicyNoSrcAnyDstAny.py
│ │ │ │ ├── test_ZoneProtectionProfile.py
│ │ │ │ └── test_ZoneUserIDIncludeACL.py
│ │ │ ├── registry/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── example_external_dir/
│ │ │ │ │ └── extra_checks/
│ │ │ │ │ ├── S3PCIPrivateACL.py
│ │ │ │ │ └── __init__.py
│ │ │ │ └── test_registry.py
│ │ │ ├── tencentcloud/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── example_CBSEncryption/
│ │ │ │ │ └── tencentcloud_cbs_storage.tf
│ │ │ │ ├── example_CDBInternetService/
│ │ │ │ │ └── tencentcloud_mysql_instance.tf
│ │ │ │ ├── example_CDBIntranetPort/
│ │ │ │ │ └── tencentcloud_mysql_instance.tf
│ │ │ │ ├── example_CLBInstanceLog/
│ │ │ │ │ └── tencentcloud_clb_instance.tf
│ │ │ │ ├── example_CLBListenerProtocol/
│ │ │ │ │ └── tencentcloud_clb_listener.tf
│ │ │ │ ├── example_CVMAllocatePublicIp/
│ │ │ │ │ └── tencentcloud_instance.tf
│ │ │ │ ├── example_CVMDisableMonitorService/
│ │ │ │ │ └── tencentcloud_instance.tf
│ │ │ │ ├── example_CVMUseDefaultSecurityGroup/
│ │ │ │ │ └── tencentcloud_instance.tf
│ │ │ │ ├── example_CVMUseDefaultVPC/
│ │ │ │ │ └── tencentcloud_instance.tf
│ │ │ │ ├── example_CVMUserData/
│ │ │ │ │ └── tencentcloud_instance.tf
│ │ │ │ ├── example_TKELogAgentEnable/
│ │ │ │ │ └── tencentcloud_kubernetes_cluster.tf
│ │ │ │ ├── example_TKEPublicIpAssigned/
│ │ │ │ │ └── tencentcloud_kubernetes_cluster.tf
│ │ │ │ ├── example_VPCFlowLogConfigEnable/
│ │ │ │ │ └── tencentcloud_vpc_flow_log_config.tf
│ │ │ │ ├── example_VPCSecurityGroupRuleSet/
│ │ │ │ │ └── tencentcloud_security_group_rule_set.tf
│ │ │ │ ├── test_CBSEncryption.py
│ │ │ │ ├── test_CDBInternetService.py
│ │ │ │ ├── test_CDBIntranetPort.py
│ │ │ │ ├── test_CLBInstanceLog.py
│ │ │ │ ├── test_CLBListenerProtocol.py
│ │ │ │ ├── test_CVMAllocatePublicIp.py
│ │ │ │ ├── test_CVMDisableMonitorService.py
│ │ │ │ ├── test_CVMUseDefaultSecurityGroup.py
│ │ │ │ ├── test_CVMUseDefaultVPC.py
│ │ │ │ ├── test_CVMUserData.py
│ │ │ │ ├── test_TKELogAgentEnable.py
│ │ │ │ ├── test_TKEPublicIpAssigned.py
│ │ │ │ ├── test_VPCFlowLogConfigEnable.py
│ │ │ │ └── test_VPCSecurityGroupRuleSet.py
│ │ │ ├── test_base_resource_check.py
│ │ │ ├── test_base_resource_dynamic_value_check.py
│ │ │ ├── test_base_resource_negative_value_check.py
│ │ │ ├── test_base_resource_value_check.py
│ │ │ └── yandexcloud/
│ │ │ ├── __init__.py
│ │ │ ├── example_ComputeInstanceGroupPublicIP/
│ │ │ │ └── main.tf
│ │ │ ├── example_ComputeInstanceGroupSecurityGroup/
│ │ │ │ └── main.tf
│ │ │ ├── example_ComputeVMPublicIP/
│ │ │ │ └── main.tf
│ │ │ ├── example_ComputeVMSecurityGroup/
│ │ │ │ └── main.tf
│ │ │ ├── example_ComputeVMSerialConsole/
│ │ │ │ └── main.tf
│ │ │ ├── example_IAMCloudElevatedMembers/
│ │ │ │ └── main.tf
│ │ │ ├── example_IAMFolderElevatedMembers/
│ │ │ │ └── main.tf
│ │ │ ├── example_IAMOrganizationElevatedMembers/
│ │ │ │ └── main.tf
│ │ │ ├── example_IAMPassportAccountUsage/
│ │ │ │ └── main.tf
│ │ │ ├── example_K8SAutoUpgrade/
│ │ │ │ └── main.tf
│ │ │ ├── example_K8SEtcdKMSEncryption/
│ │ │ │ └── main.tf
│ │ │ ├── example_K8SNetworkPolicy/
│ │ │ │ └── main.tf
│ │ │ ├── example_K8SNodeGroupAutoUpgrade/
│ │ │ │ └── main.tf
│ │ │ ├── example_K8SNodeGroupPublicIP/
│ │ │ │ └── main.tf
│ │ │ ├── example_K8SNodeGroupSecurityGroup/
│ │ │ │ └── main.tf
│ │ │ ├── example_K8SPublicIP/
│ │ │ │ └── main.tf
│ │ │ ├── example_K8SSecurityGroup/
│ │ │ │ └── main.tf
│ │ │ ├── example_KMSSymmetricKeyRotation/
│ │ │ │ └── main.tf
│ │ │ ├── example_MDBPublicIP/
│ │ │ │ └── main.tf
│ │ │ ├── example_MDBSecurityGroup/
│ │ │ │ └── main.tf
│ │ │ ├── example_ObjectStorageBucketEncryption/
│ │ │ │ └── main.tf
│ │ │ ├── example_ObjectStorageBucketPublicAccess/
│ │ │ │ └── main.tf
│ │ │ ├── example_VPCSecurityGroupAllowAll/
│ │ │ │ └── main.tf
│ │ │ ├── example_VPCSecurityGroupRuleAllowAll/
│ │ │ │ └── main.tf
│ │ │ ├── test_ComputeInstanceGroupPublicIP.py
│ │ │ ├── test_ComputeInstanceGroupSecurityGroup.py
│ │ │ ├── test_ComputeVMPublicIP.py
│ │ │ ├── test_ComputeVMSecurityGroup.py
│ │ │ ├── test_ComputeVMSerialConsole.py
│ │ │ ├── test_IAMCloudElevatedMembers.py
│ │ │ ├── test_IAMFolderElevatedMembers.py
│ │ │ ├── test_IAMOrganizationElevatedMembers.py
│ │ │ ├── test_IAMPassportAccountUsage.py
│ │ │ ├── test_K8SAutoUpgrade.py
│ │ │ ├── test_K8SEtcdKMSEncryption.py
│ │ │ ├── test_K8SNetworkPolicy.py
│ │ │ ├── test_K8SNodeGroupAutoUpgrade.py
│ │ │ ├── test_K8SNodeGroupPublicIP.py
│ │ │ ├── test_K8SNodeGroupSecurityGroup.py
│ │ │ ├── test_K8SPublicIP.py
│ │ │ ├── test_K8SSecurityGroup.py
│ │ │ ├── test_KMSSymmetricKeyRotation.py
│ │ │ ├── test_MDBPublicIP.py
│ │ │ ├── test_MDBSecurityGroup.py
│ │ │ ├── test_ObjectStorageBucketEncryption.py
│ │ │ ├── test_ObjectStorageBucketPublicAccess.py
│ │ │ ├── test_VPCSecurityGroupAllowAll.py
│ │ │ └── test_VPCSecurityGroupRuleAllowAll.py
│ │ ├── terraform/
│ │ │ └── terraform/
│ │ │ └── resources/
│ │ │ └── lock/
│ │ │ ├── fail.cdk.tf.json
│ │ │ ├── pass.cdk.tf.json
│ │ │ └── unknown_partialconfig.tf
│ │ ├── test_base_resource_check.py
│ │ └── test_wildcard_entities.py
│ ├── context_parsers/
│ │ ├── __init__.py
│ │ ├── mock_context_parser.py
│ │ ├── mock_tf_files/
│ │ │ ├── inline_suppression.tf
│ │ │ └── mock.tf
│ │ ├── test_base_parser.py
│ │ ├── test_locals_parser.py
│ │ ├── test_parser_registry.py
│ │ ├── test_variable_context_parser.py
│ │ └── test_variable_context_parser2.py
│ ├── evaluation/
│ │ ├── __init__.py
│ │ └── resources/
│ │ ├── default_evaluation/
│ │ │ ├── main.tf
│ │ │ └── variables.tf
│ │ └── locals_evaluation/
│ │ └── main.tf
│ ├── graph/
│ │ ├── __init__.py
│ │ ├── checks/
│ │ │ ├── __init__.py
│ │ │ ├── custom_policies/
│ │ │ │ ├── CustomAwsEMRSecurityConfiguration.yaml
│ │ │ │ ├── CustomPolicy1.yaml
│ │ │ │ └── CustomPolicy2.yaml
│ │ │ ├── resources/
│ │ │ │ ├── ACMWildcardDomainName/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── ADORepositoryHasMinTwoReviewers/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── ALBProtectedByWAF/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── ALBRedirectsHTTPToHTTPS/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── ALBWebACLConfiguredWIthLog4jVulnerability/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AMRClustersNotOpenToInternet/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── APIGWLoggingLevelsDefinedProperly/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── APIGatewayEndpointsUsesCertificateForAuthentication/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── APIGatewayMethodWOAuth/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── APIGatewayRequestParameterValidationEnabled/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── APIGatewayWebACLConfiguredWIthLog4jVulnerability/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── APIProtectedByWAF/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AWSConfigRecorderEnabled/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AWSNATGatewaysshouldbeutilized/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AWSSSMParametershouldbeEncrypted/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AWS_private_MWAA_environment/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AWSdisableS3ACL/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AccessControlGroupRuleDefine/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AccessToPostgreSQLFromAzureServicesIsDisabled/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AdministratorUserNotAssociatedWithAPIKey/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AppLoadBalancerTLS12/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AppSyncProtectedByWAF/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── ApplicationGatewayEnablesWAF/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AppsyncWebACLConfiguredWIthLog4jVulnerability/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AutoScalingEnableOnDynamoDBTables/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AutoScalingEnabledLB/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AutoScallingEnabledELB/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureACR_HTTPSwebhook/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureAKSclusterAzureCNIEnabled/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureActiveDirectoryAdminIsConfigured/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureAutomationAccConfigManagedIdentity/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureAutomationAccNotOverlyPermissiveNetAccess/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureCognitiveServicesCustomerManagedKey/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureConfigMSSQLwithAD/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureContainerInstanceconfigManagedIdentity/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureDataFactoriesEncryptedWithCustomerManagedKey/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureKeyVaultConfigPrivateEndpoint/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureMLWorkspaceHBIPublicNetwork/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureMLWorkspacePublicNetwork/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureMSSQLServerHasSecurityAlertPolicy/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureMSSQLserverConfigPrivEndpt/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureMariaDBserverConfigPrivEndpt/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureMariaDBserverUsingTLS_1_2/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureMySQLFlexibleServerConfigPrivEndpt/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureMySQLserverConfigPrivEndpt/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureNetworkInterfacePublicIPAddressId/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzurePostgreSQLFlexServerNotOverlyPermissive/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzurePostgreSQLFlexibleServerConfigPrivEndpt/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzurePostgreSQLserverConfigPrivEndpt/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureRecoveryServicesvaultConfigManagedIdentity/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureSQLserverNotOverlyPermissive/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureSpringCloudConfigWithVnet/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureSpringCloudTLSDisabled/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureSqlDbEnableTransparentDataEncryption/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureStorageAccConfigSharedKeyAuth/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureStorageAccConfigWithPrivateEndpoint/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureStorageAccConfigWithoutBlobAnonymousAccess/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureStorageAccConfig_SAS_expirePolicy/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureStorageAccountEnableSoftDelete/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureSubnetConfigWithNSG/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureSynapseWorkspaceVAisEnabled/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureUnattachedDisksAreEncrypted/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── AzureVMconfigPublicIP_SerialConsoleAccess/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── CLoudFrontS3OriginConfigWithOAI/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── CloudFrontHasCustomSSLCertificate/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── CloudFrontHasResponseHeadersPolicy/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── CloudFrontUsesSecureProtocolsForHTTPS/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── CloudFrontWebACLConfiguredWIthLog4jVulnerability/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── CloudFunctionSecureHTTPTrigger/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── CloudfrontOriginNotHTTPSOnly/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── CloudtrailHasCloudwatch/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── CodecommitApprovalRulesAttached/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── ConfigRecorderRecordsAllGlobalResources/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── CustomAwsEMRSecurityConfiguration/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── CustomPolicy1/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── CustomPolicy2/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── DMSEndpointHaveSSLConfigured/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── DataExplorerEncryptionUsesCustomKey/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── DisableAccessToSqlDBInstanceForRootUsersWithoutPassword/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── EBSAddedBackup/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── EC2InstanceHasIAMRoleAttached/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── EFSAddedBackup/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── EFSAddedBackupSuppress/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── EIPAllocatedToVPCAttachedEC2/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── EMRClusterHasSecurityConfiguration/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── ElastiCacheRedisConfiguredAutomaticFailOver/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── ElasticSearchDedicatedMasterEnabled/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── EncryptedEBSVolumeOnlyConnectedToEC2s/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPAuditLogsConfiguredForAllServicesAndUsers/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPComputeFirewallOverlyPermissiveToAllTraffic/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPComputeGlobalForwardingRuleCheck/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPComputeRegionalForwardingRuleCheck/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPContainerRegistryReposAreNotPubliclyAccessible/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPDialogFlowAgentLoggingEnabled/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPDialogFlowCxAgentLoggingEnabled/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPDialogFlowCxWebhookLoggingEnabled/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPDocumentAIProcessorEncryptedWithCMK/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPDocumentAIWarehouseLocationEncryptedWithCMK/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPKMSCryptoKeysAreNotPubliclyAccessible/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPKMSKeyRingsAreNotPubliclyAccessible/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPLogBucketsConfiguredUsingLock/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPNetworkDoesNotUseDefaultFirewall/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPPostgreSQLDatabaseFlaglog_durationIsSetToON/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPProjectHasNoLegacyNetworks/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPTpuV2VmPrivateEndpoint/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPVertexAIEndpointEncryptedWithCMK/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPVertexAIFeaturestoreEncryptedWithCMK/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPVertexAIPrivateEndpoint/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPVertexAIPrivateIndexEndpoint/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPVertexAITensorboardEncryptedWithCMK/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPVertexInstanceEncryptedWithCMK/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPVertexRuntimeEncryptedWithCMK/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPVertexRuntimePrivate/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPVertexWorkbenchInstanceEncryptedWithCMK/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPVertexWorkbenchInstanceNoPublicIp/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCPdisableAlphaClusterFeatureInKubernetesEngineClusters/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GCRContainerVulnerabilityScanningEnabled/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GKEClustersAreNotUsingDefaultServiceAccount/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── GuardDutyIsEnabled/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── HTTPNotSendingPasswords/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── IAMGroupHasAtLeastOneUser/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── IAMManagedIAMFullAccessPolicy/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── IAMPolicyNotAllowFullIAMAccess/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── IAMUserHasNoConsoleAccess/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── IAMUsersAreMembersAtLeastOneGroup/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── IBM_DatabasesNWaccessRestrictedToSpecificIPrange/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── IBM_EnableMFAatAccountLevel/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── IBM_K8sClustersAccessibleViaPrivateEndPt/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── IBM_LoadBalancerforVPCisPrivate/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── IBM_RestrictAPIkeyCreationInAccountSettings/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── IBM_RestrictServiceIDCreationInAccountSettings/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── IBM_VPCclassicAccessIsDisabled/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── KmsKeyPolicyIsDefined/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── LBTargetGroup/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── LBWeakCiphers/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── LambdaOpenCorsPolicy/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── MSQLenablesCustomerManagedKey/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── NeptuneDeletionProtectionEnabled/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── NetworkFirewallHasLogging/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── OCI_K8EngineClusterBootVolConfigInTransitEncryption/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── OCI_K8EngineClusterPodSecPolicyEnforced/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── OCI_KubernetesEngineClusterEndpointConfigWithNSG/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── OCI_NFSaccessRestrictedToRootUsers/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── OCI_NSGNotAllowRDP/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── OSSBucketPublic/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── OpenSearchDomainHasFineGrainedControl/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── PGSQLenablesCustomerManagedKey/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── PostgresDBHasQueryLoggingEnabled/
│ │ │ │ │ ├── db.tf
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── rds.tf
│ │ │ │ ├── PostgresRDSHasQueryLoggingEnabled/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── rds.tf
│ │ │ │ ├── RDSClusterHasBackupPlan/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── RDSEnableCopyTagsToSnapshot/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── RDSEncryptionInTransit/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── RepositoryHasBranchProtection/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── Route53ARecordAttachedResource/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── Route53ZoneEnableDNSSECSigning/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── Route53ZoneHasMatchingQueryLog/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── RouteTablePublicSubnetConnection/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── S3BucketEncryption/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── S3BucketEventNotifications/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── S3BucketHasPublicAccessBlock/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── S3BucketLifecycle/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── S3BucketLogging/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── S3BucketReplicationConfiguration/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── S3BucketVersioning/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── S3KMSEncryptedByDefault/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── S3NotAllowAccessToAllAuthenticatedUsers/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── S3PublicACLRead/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── same_resource_name/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── S3PublicACLWrite/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── SGAttachedToResource/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── SQLServerAuditingEnabled/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── SQLServerAuditingRetention90Days/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── SQSEncryptionCMK/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── SageMakerIAMPolicyOverlyPermissiveToAllTraffic/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── SecretsAreRotated/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── ServiceAccountHasGCPmanagedKey/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── StorageContainerActivityLogsNotPublic/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── StorageCriticalDataEncryptedCMK/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── StorageLoggingIsEnabledForBlobService/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── StorageLoggingIsEnabledForTableService/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── SubnetHasACL/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── SynapseLogMonitoringEnabledForSQLPool/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── SynapseSQLPoolHasSecurityAlertPolicy/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── SynapseSQLPoolHasVulnerabilityAssessment/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── SynapseWorkspaceHasExtendedAuditLogs/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── VAconfiguredToSendReports/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── VAconfiguredToSendReportsToAdmins/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── VAisEnabledInStorageAccount/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── VAsetPeriodicScansOnSQL/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── VMHasBackUpMachine/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── VPCHasFlowLog/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── VPCHasOneOfWantedFlowLogs/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── VPCHasRestrictedSG/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── VPCPeeringRouteTableOverlyPermissive/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── VirtualMachinesUtilizingManagedDisks/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ ├── WAF2HasLogs/
│ │ │ │ │ ├── expected.yaml
│ │ │ │ │ └── main.tf
│ │ │ │ └── connected_nodes/
│ │ │ │ └── main.tf
│ │ │ ├── test_custom_yaml_policies.py
│ │ │ ├── test_yaml_connected_nodes.py
│ │ │ └── test_yaml_policies.py
│ │ ├── checks_infra/
│ │ │ ├── __init__.py
│ │ │ ├── attribute_solvers/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── cidr_range_not_subset_solver/
│ │ │ │ │ ├── CIDRRangeNotSubsetList.yaml
│ │ │ │ │ ├── CIDRRangeNotSubsetString.yaml
│ │ │ │ │ ├── IPV6CIDRRangeNotSubsetList.yaml
│ │ │ │ │ ├── JsonPathCIDRRangeNotSubsetList.yaml
│ │ │ │ │ ├── JsonPathCIDRRangeNotSubsetString.yaml
│ │ │ │ │ ├── JsonPathIPV6CIDRRangeNotSubsetList.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── resources/
│ │ │ │ │ │ └── main.tf
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── cidr_range_subset_solver/
│ │ │ │ │ ├── CIDRRangeSubsetList.yaml
│ │ │ │ │ ├── CIDRRangeSubsetString.yaml
│ │ │ │ │ ├── IPV6CIDRRangeSubsetList.yaml
│ │ │ │ │ ├── JsonPathCIDRRangeSubsetList.yaml
│ │ │ │ │ ├── JsonPathCIDRRangeSubsetString.yaml
│ │ │ │ │ ├── JsonPathIPV6CIDRRangeSubsetList.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── resources/
│ │ │ │ │ │ └── main.tf
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── contains_solver/
│ │ │ │ │ ├── NetworkAclsIPs.yaml
│ │ │ │ │ ├── PublicSG.yaml
│ │ │ │ │ ├── PublicSGMultipleIngress.yaml
│ │ │ │ │ ├── PublicVMs.yaml
│ │ │ │ │ ├── PublicVMsWithJsonpath.yaml
│ │ │ │ │ ├── SpecificBlockSG.yaml
│ │ │ │ │ ├── TagIncludes.yaml
│ │ │ │ │ ├── VariableDependentPolicy.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── ending_with_solver/
│ │ │ │ │ ├── AmiEndingWith.yaml
│ │ │ │ │ ├── AmiEndingWithJsonpath.yaml
│ │ │ │ │ ├── UnrenderedVar.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── equals_ignore_case_solver/
│ │ │ │ │ ├── BooleanString.yaml
│ │ │ │ │ ├── EncryptedResources.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── equals_solver/
│ │ │ │ │ ├── BooleanString.yaml
│ │ │ │ │ ├── Complex.yaml
│ │ │ │ │ ├── EncryptedResources.yaml
│ │ │ │ │ ├── PublicDBSG.yaml
│ │ │ │ │ ├── SGPorts.yaml
│ │ │ │ │ ├── UnrenderedVar.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── exists_solver/
│ │ │ │ │ ├── TagEnvironmentExists.yaml
│ │ │ │ │ ├── TagEnvironmentExistsAll.yaml
│ │ │ │ │ ├── VersioningEnabledExists.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── greater_than_solver/
│ │ │ │ │ ├── GT.yaml
│ │ │ │ │ ├── GTE.yaml
│ │ │ │ │ ├── LT.yaml
│ │ │ │ │ ├── LTE.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── resources/
│ │ │ │ │ │ └── main.tf
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── intersects_solver/
│ │ │ │ │ ├── ArrayIntersect.yaml
│ │ │ │ │ ├── MivedValue.yaml
│ │ │ │ │ ├── NoneAttribute.yaml
│ │ │ │ │ ├── PublicVMs.yaml
│ │ │ │ │ ├── StringAttribute.yaml
│ │ │ │ │ ├── TagsIntersect.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── is_empty_solver/
│ │ │ │ │ ├── SGPorts.yaml
│ │ │ │ │ ├── SGPortsJsonpath.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── is_false_solver/
│ │ │ │ │ ├── FalseValue.yaml
│ │ │ │ │ ├── TrueValue.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── is_not_empty_solver/
│ │ │ │ │ ├── SGPorts.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── is_true_solver/
│ │ │ │ │ ├── FalseValue.yaml
│ │ │ │ │ ├── TrueValue.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── jsonpath_equals_solver/
│ │ │ │ │ ├── AzureSecureRule.yaml
│ │ │ │ │ ├── CkSshPortOpenForAll.yaml
│ │ │ │ │ ├── EcsWithMerge.yaml
│ │ │ │ │ ├── PublicDBSG.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── example.tf
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── jsonpath_exists_solver/
│ │ │ │ │ ├── AzureSecureRule.yaml
│ │ │ │ │ ├── CkSshPortOpenForAll.yaml
│ │ │ │ │ ├── PublicDBSG.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── example.tf
│ │ │ │ │ ├── example.yaml
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── jsonpath_not_equals_solver/
│ │ │ │ │ ├── AzureSecureRule.yaml
│ │ │ │ │ ├── CkSshPortOpenForAll.yaml
│ │ │ │ │ ├── PublicDBSG.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── jsonpath_not_exists_solver/
│ │ │ │ │ ├── AzureSecureRule.yaml
│ │ │ │ │ ├── CkSshPortOpenForAll.yaml
│ │ │ │ │ ├── PublicDBSG.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── example.tf
│ │ │ │ │ ├── example.yaml
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── length_equals_solver/
│ │ │ │ │ ├── ArrayLengthEquals.yaml
│ │ │ │ │ ├── DictLength.yaml
│ │ │ │ │ ├── StringLengthEquals.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── length_greater_than_or_equal_solver/
│ │ │ │ │ ├── ArrayLength.yaml
│ │ │ │ │ ├── DictLength.yaml
│ │ │ │ │ ├── StringLength.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── length_greater_than_solver/
│ │ │ │ │ ├── ArrayLength.yaml
│ │ │ │ │ ├── DictLength.yaml
│ │ │ │ │ ├── StringLength.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── length_less_than_or_equal_solver/
│ │ │ │ │ ├── ArrayLength.yaml
│ │ │ │ │ ├── DictLength.yaml
│ │ │ │ │ ├── StringLength.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── length_less_than_solver/
│ │ │ │ │ ├── ArrayLength.yaml
│ │ │ │ │ ├── DictLength.yaml
│ │ │ │ │ ├── StringLength.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── length_not_equals_solver/
│ │ │ │ │ ├── ArrayLengthNotEquals.yaml
│ │ │ │ │ ├── DictLengthNotEquals.yaml
│ │ │ │ │ ├── StringLengthNotEquals.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── not_contains_solver/
│ │ │ │ │ ├── PublicSG.yaml
│ │ │ │ │ ├── PublicVMs.yaml
│ │ │ │ │ ├── SpecificBlockSG.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── not_ending_with_solver/
│ │ │ │ │ ├── AmiEndingWith.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── not_equals_ignore_case_solver/
│ │ │ │ │ ├── BooleanString.yaml
│ │ │ │ │ ├── EncryptedResources.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── not_equals_solver/
│ │ │ │ │ ├── PublicDBSG.yaml
│ │ │ │ │ ├── SGPorts.yaml
│ │ │ │ │ ├── UnrenderedVar.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── not_exists_solver/
│ │ │ │ │ ├── SecureTransportExist.yaml
│ │ │ │ │ ├── TagEnvironmentExists.yaml
│ │ │ │ │ ├── VersioningEnabledExists.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── resources/
│ │ │ │ │ │ └── main.tf
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── not_intersects_solver/
│ │ │ │ │ ├── ArrayNotIntersect.yaml
│ │ │ │ │ ├── PublicVMs.yaml
│ │ │ │ │ ├── TagsNotIntersect.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── not_regex_match_solver/
│ │ │ │ │ ├── TagPrefix.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── not_starting_with_solver/
│ │ │ │ │ ├── NameStartingWith.yaml
│ │ │ │ │ ├── NameStartingWithJsonpath.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── not_subset_solver/
│ │ │ │ │ ├── Subset1.yaml
│ │ │ │ │ ├── SubsetJsonpath.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── not_within_solver/
│ │ │ │ │ ├── NameNotWithin.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── number_of_words_equals_solver/
│ │ │ │ │ ├── NumberOfWordsEquals.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── number_of_words_greater_than_or_equal_solver/
│ │ │ │ │ ├── NumberOfWordsGreaterThanOrEqual.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── number_of_words_greater_than_solver/
│ │ │ │ │ ├── NumberOfWordsGreaterThan.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── number_of_words_less_than_or_equal_solver/
│ │ │ │ │ ├── NumberOfWordsLessThanOrEqual.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── number_of_words_less_than_solver/
│ │ │ │ │ ├── NumberOfWordsLessThan.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── number_of_words_not_equals_solver/
│ │ │ │ │ ├── NumberOfWordsEquals.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── range_includes_solver/
│ │ │ │ │ ├── JsonPathRangeIncludesInt.yaml
│ │ │ │ │ ├── JsonPathRangeIncludesList.yaml
│ │ │ │ │ ├── JsonPathRangeIncludesListWRange.yaml
│ │ │ │ │ ├── JsonPathRangeIncludesString.yaml
│ │ │ │ │ ├── RangeIncludesInt.yaml
│ │ │ │ │ ├── RangeIncludesList.yaml
│ │ │ │ │ ├── RangeIncludesListWRange.yaml
│ │ │ │ │ ├── RangeIncludesString.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── resources/
│ │ │ │ │ │ └── main.tf
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── range_not_includes_solver/
│ │ │ │ │ ├── JsonPathRangeNotIncludesInt.yaml
│ │ │ │ │ ├── JsonPathRangeNotIncludesList.yaml
│ │ │ │ │ ├── JsonPathRangeNotIncludesListWRange.yaml
│ │ │ │ │ ├── JsonPathRangeNotIncludesString.yaml
│ │ │ │ │ ├── RangeNotIncludesInt.yaml
│ │ │ │ │ ├── RangeNotIncludesList.yaml
│ │ │ │ │ ├── RangeNotIncludesListWRange.yaml
│ │ │ │ │ ├── RangeNotIncludesString.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── resources/
│ │ │ │ │ │ └── main.tf
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── regex_match_solver/
│ │ │ │ │ ├── TagPrefix.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── starting_with_solver/
│ │ │ │ │ ├── NameStartingWith.yaml
│ │ │ │ │ ├── UnrenderedVar.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── subset_solver/
│ │ │ │ │ ├── Subset1.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ └── within_solver/
│ │ │ │ ├── NameWithin.yaml
│ │ │ │ ├── UnrenderedVar.yaml
│ │ │ │ ├── WildcardWithin.yaml
│ │ │ │ ├── __init__.py
│ │ │ │ └── test_solver.py
│ │ │ ├── complex_solvers/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── and_solver/
│ │ │ │ │ ├── BucketsWithDevEnvAndPrivateACL.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── not_solver/
│ │ │ │ │ ├── BucketsWithDevEnvAndPrivateACL.yaml
│ │ │ │ │ ├── NotWithNestedDict.yaml
│ │ │ │ │ ├── NotWithNestedList.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ └── or_solver/
│ │ │ │ ├── BucketsWithEnvTag.yaml
│ │ │ │ ├── __init__.py
│ │ │ │ └── test_solver.py
│ │ │ ├── connection_solvers/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── and_connection_solver/
│ │ │ │ │ ├── ALBConnectedToHTTPS.yaml
│ │ │ │ │ ├── AndComplexConnection.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── connection_exist_solver/
│ │ │ │ │ ├── NetworkInterfaceForInstance.yaml
│ │ │ │ │ ├── S3BucketPolicyDataSource.yaml
│ │ │ │ │ ├── VPCForSubnet.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── connection_not_exist_solver/
│ │ │ │ │ ├── NoNetworkInterfaceForInstance.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ ├── connection_one_exists/
│ │ │ │ │ ├── VPCHasOneOfWantedFlowLogs.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ └── or_connection_solver/
│ │ │ │ ├── SpecificInstanceComplexConnection.yaml
│ │ │ │ ├── __init__.py
│ │ │ │ └── test_solver.py
│ │ │ ├── resource_solvers/
│ │ │ │ ├── __init__.py
│ │ │ │ ├── exists_solver/
│ │ │ │ │ ├── ResourceAllowList.yaml
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_solver.py
│ │ │ │ └── not_exists_solver/
│ │ │ │ ├── ResourceDenyList.yaml
│ │ │ │ ├── __init__.py
│ │ │ │ └── test_solver.py
│ │ │ ├── test_base.py
│ │ │ └── test_base_attribute_solver.py
│ │ ├── db_connector/
│ │ │ ├── __init__.py
│ │ │ └── test_graph_connector.py
│ │ ├── graph_builder/
│ │ │ ├── __init__.py
│ │ │ ├── graph_components/
│ │ │ │ ├── __init__.py
│ │ │ │ └── test_blocks.py
│ │ │ ├── test_graph_builder.py
│ │ │ ├── test_local_graph.py
│ │ │ ├── test_oci_policy.py
│ │ │ ├── test_terraform_graph_parser.py
│ │ │ └── test_utils.py
│ │ ├── resources/
│ │ │ ├── array_test/
│ │ │ │ └── main.tf
│ │ │ ├── arrays/
│ │ │ │ └── main.tf
│ │ │ ├── azure_secure_rule/
│ │ │ │ └── main.tf
│ │ │ ├── boolean_test/
│ │ │ │ └── main.tf
│ │ │ ├── complex/
│ │ │ │ └── main.tf
│ │ │ ├── cross_modules/
│ │ │ │ ├── main.tf
│ │ │ │ └── module/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── cross_modules2/
│ │ │ │ ├── inner_module/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── variables.tf
│ │ │ │ ├── main.tf
│ │ │ │ └── module/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── cross_variables/
│ │ │ │ └── main.tf
│ │ │ ├── cross_variables2/
│ │ │ │ ├── main/
│ │ │ │ │ └── main.tf
│ │ │ │ └── module/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── dynamic_lambda_function/
│ │ │ │ └── lambda.tf
│ │ │ ├── ec2_instance_network_interfaces/
│ │ │ │ └── main.tf
│ │ │ ├── ecs_with_merge/
│ │ │ │ └── main.tf
│ │ │ ├── encryption/
│ │ │ │ └── main.tf
│ │ │ ├── encryption_test/
│ │ │ │ └── main.tf
│ │ │ ├── for_each/
│ │ │ │ └── main.tf
│ │ │ ├── general_example/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── graph_files_test/
│ │ │ │ ├── more_vars.tf
│ │ │ │ ├── pass_s3.tf
│ │ │ │ └── variables.tf
│ │ │ ├── k8_service/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── lb/
│ │ │ │ └── main.tf
│ │ │ ├── lengths/
│ │ │ │ └── main.tf
│ │ │ ├── malformed_provider/
│ │ │ │ └── main.tf
│ │ │ ├── module_rendering/
│ │ │ │ └── example/
│ │ │ │ ├── modules/
│ │ │ │ │ ├── mock/
│ │ │ │ │ │ └── main.tf
│ │ │ │ │ └── second-mock/
│ │ │ │ │ └── main.tf
│ │ │ │ └── stacks/
│ │ │ │ ├── s1/
│ │ │ │ │ └── main.tf
│ │ │ │ └── s2/
│ │ │ │ └── main.tf
│ │ │ ├── modules/
│ │ │ │ ├── git_module/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── linked_modules/
│ │ │ │ │ └── external_modules/
│ │ │ │ │ └── terraform-aws-modules/
│ │ │ │ │ ├── lambda/
│ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ └── outputs.tf
│ │ │ │ │ └── s3-bucket/
│ │ │ │ │ ├── examples/
│ │ │ │ │ │ └── notification/
│ │ │ │ │ │ └── main.tf
│ │ │ │ │ ├── main.tf
│ │ │ │ │ ├── outputs.tf
│ │ │ │ │ └── variables.tf
│ │ │ │ ├── nested_modules_instances/
│ │ │ │ │ ├── another_one/
│ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ └── variable.tf
│ │ │ │ │ ├── example.tfcloud/
│ │ │ │ │ │ └── main.tf
│ │ │ │ │ ├── expected_local_graph.json
│ │ │ │ │ ├── main.tf
│ │ │ │ │ ├── module/
│ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ └── variable.tf
│ │ │ │ │ ├── module2/
│ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ └── variable.tf
│ │ │ │ │ └── module3/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── variable.tf
│ │ │ │ ├── registry_security_group_inner_module/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── s3_inner_modules/
│ │ │ │ │ ├── inner/
│ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ └── variables.tf
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── variables.tf
│ │ │ │ ├── same_var_names/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ ├── module1/
│ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ └── variables.tf
│ │ │ │ │ ├── module2/
│ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ └── variables.tf
│ │ │ │ │ ├── submodule1/
│ │ │ │ │ │ └── variables.tf
│ │ │ │ │ └── submodule2/
│ │ │ │ │ └── variables.tf
│ │ │ │ ├── stacks/
│ │ │ │ │ ├── prod/
│ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ └── sub-prod/
│ │ │ │ │ │ └── main.tf
│ │ │ │ │ ├── stage/
│ │ │ │ │ │ └── main.tf
│ │ │ │ │ └── test/
│ │ │ │ │ └── main.tf
│ │ │ │ └── violation_example/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── modules-and-vars/
│ │ │ │ ├── context.tf
│ │ │ │ ├── examples/
│ │ │ │ │ └── complete/
│ │ │ │ │ ├── context.tf
│ │ │ │ │ ├── main.tf
│ │ │ │ │ ├── outputs.tf
│ │ │ │ │ └── variables.tf
│ │ │ │ ├── main.tf
│ │ │ │ ├── outputs.tf
│ │ │ │ ├── replication.tf
│ │ │ │ └── variables.tf
│ │ │ ├── modules_edges_tfplan/
│ │ │ │ ├── s3module.tf
│ │ │ │ └── tfplan.json
│ │ │ ├── nested_modules_address/
│ │ │ │ ├── main.tf
│ │ │ │ └── module/
│ │ │ │ ├── main.tf
│ │ │ │ ├── module2/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── variable.tf
│ │ │ │ └── variable.tf
│ │ │ ├── nested_modules_double_call/
│ │ │ │ ├── examples/
│ │ │ │ │ └── complete/
│ │ │ │ │ ├── fixtures.us-west-1.tfvars
│ │ │ │ │ ├── main.tf
│ │ │ │ │ ├── outputs.tf
│ │ │ │ │ └── variables.tf
│ │ │ │ ├── four/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ ├── output.tf
│ │ │ │ │ └── variable.tf
│ │ │ │ ├── main.tf
│ │ │ │ ├── outputs.tf
│ │ │ │ ├── third/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ ├── outputs.tf
│ │ │ │ │ └── variable.tf
│ │ │ │ ├── variables.tf
│ │ │ │ └── versions.tf
│ │ │ ├── none_contains/
│ │ │ │ └── main.tf
│ │ │ ├── number_of_words/
│ │ │ │ └── main.tf
│ │ │ ├── oci_policies/
│ │ │ │ └── main.tf
│ │ │ ├── output_example/
│ │ │ │ ├── main.tf
│ │ │ │ └── submodule/
│ │ │ │ ├── main.tf
│ │ │ │ └── outputs.tf
│ │ │ ├── public_security_groups/
│ │ │ │ ├── main.tf
│ │ │ │ └── output.tf
│ │ │ ├── public_virtual_machines/
│ │ │ │ └── main.tf
│ │ │ ├── reset_edges/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── s3_bucket/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── s3_bucket_2/
│ │ │ │ └── main.tf
│ │ │ ├── s3_bucket_grant/
│ │ │ │ └── main.tf
│ │ │ ├── s3_bucket_policy/
│ │ │ │ └── main.tf
│ │ │ ├── security_group_list_cidr_blocks/
│ │ │ │ └── main.tf
│ │ │ ├── security_group_multiple_rules/
│ │ │ │ └── main.tf
│ │ │ ├── security_group_multiple_rules2/
│ │ │ │ └── main.tf
│ │ │ ├── security_group_multiple_rules3/
│ │ │ │ └── main.tf
│ │ │ ├── tag_includes/
│ │ │ │ └── main.tf
│ │ │ ├── terraform_block/
│ │ │ │ └── main.tf
│ │ │ ├── tf_parsing_comparison/
│ │ │ │ ├── modifications_diff/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── tf_old/
│ │ │ │ │ └── main.tf
│ │ │ │ └── tf_regular/
│ │ │ │ └── main.tf
│ │ │ ├── variable_dependent_policy/
│ │ │ │ └── main.tf
│ │ │ └── variable_rendering/
│ │ │ ├── complex_var/
│ │ │ │ └── main.tf
│ │ │ ├── render_complex_keys/
│ │ │ │ └── main.tf
│ │ │ ├── render_deep_nesting/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── render_dictionary_tfvars/
│ │ │ │ ├── main.tf
│ │ │ │ └── terraform.tfvars
│ │ │ ├── render_from_module_def_sg/
│ │ │ │ ├── main.tf
│ │ │ │ └── modules/
│ │ │ │ └── security_group/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── render_from_module_vpc/
│ │ │ │ ├── main.tf
│ │ │ │ └── vpc/
│ │ │ │ └── variables.tf
│ │ │ ├── render_lambda/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── render_local/
│ │ │ │ └── main.tf
│ │ │ ├── render_local_from_variable/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── render_module_postgresql/
│ │ │ │ ├── auto_values.tf
│ │ │ │ ├── main.tf
│ │ │ │ ├── outputs.tf
│ │ │ │ ├── variables.tf
│ │ │ │ └── versions.tf
│ │ │ ├── render_nested_modules/
│ │ │ │ ├── child/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── main.tf
│ │ │ │ ├── outputs.tf
│ │ │ │ └── variables.tf
│ │ │ ├── render_terragoat_db_app/
│ │ │ │ ├── consts.tf
│ │ │ │ └── main.tf
│ │ │ ├── render_variable/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── terraform-aws-eks-master/
│ │ │ │ ├── eks.tf
│ │ │ │ └── variables.tf
│ │ │ └── unrendered/
│ │ │ └── main.tf
│ │ ├── runner/
│ │ │ ├── __init__.py
│ │ │ ├── test_graph_builder.py
│ │ │ └── test_runner.py
│ │ ├── utils/
│ │ │ ├── __init__.py
│ │ │ └── test_utils.py
│ │ └── variable_rendering/
│ │ ├── __init__.py
│ │ ├── expected_data.py
│ │ ├── expected_data_foreach.json
│ │ ├── expected_foreach_module_dup_foreach.json
│ │ ├── expected_foreach_modules_tf_definitions.json
│ │ ├── resources/
│ │ │ ├── bad_ref_fallbacks_expected.json
│ │ │ ├── colon_expected.json
│ │ │ ├── count_examples/
│ │ │ │ ├── module_foreach_module_foreach_resource_count/
│ │ │ │ │ ├── level1_module/
│ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ └── variables.tf
│ │ │ │ │ ├── level2_module/
│ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ └── variables.tf
│ │ │ │ │ └── main.tf
│ │ │ │ └── simple_count/
│ │ │ │ └── main.tf
│ │ │ ├── data_simple/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── data_with_resource/
│ │ │ │ ├── data.tf
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── doc_evaluations_verify_expected.json
│ │ │ ├── foreach_examples/
│ │ │ │ ├── count_dup_resources/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── variables.tf
│ │ │ │ ├── depend_resources/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── variable.tf
│ │ │ │ ├── foreach_dup_resources/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── variables.tf
│ │ │ │ ├── foreach_lookup/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── foreach_tfvars/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── terraform.tfvars
│ │ │ │ ├── module_foreach_module_foreach_resource_foreach/
│ │ │ │ │ ├── level1_module/
│ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ └── variables.tf
│ │ │ │ │ ├── level2_module/
│ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ └── variables.tf
│ │ │ │ │ └── main.tf
│ │ │ │ └── nested_foreach_based_on_module_locals/
│ │ │ │ ├── main.tf
│ │ │ │ └── s3_files/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── foreach_module/
│ │ │ │ ├── main.tf
│ │ │ │ └── module/
│ │ │ │ ├── main.tf
│ │ │ │ └── module2/
│ │ │ │ └── main.tf
│ │ │ ├── foreach_module_and_resource/
│ │ │ │ ├── main.tf
│ │ │ │ └── module/
│ │ │ │ └── main.tf
│ │ │ ├── foreach_module_dup_foreach/
│ │ │ │ ├── main.tf
│ │ │ │ ├── module/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── module2/
│ │ │ │ │ └── main.tf
│ │ │ │ └── variable.tf
│ │ │ ├── foreach_module_with_more_than_two_resources/
│ │ │ │ ├── main.tf
│ │ │ │ └── module/
│ │ │ │ ├── main.tf
│ │ │ │ └── module2/
│ │ │ │ └── main.tf
│ │ │ ├── foreach_resources/
│ │ │ │ ├── dynamic_foreach_value/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── variable.tf
│ │ │ │ └── static_foreach_value/
│ │ │ │ └── main.tf
│ │ │ ├── merge_function_unresolved_var_expected.json
│ │ │ ├── os_example_large_count_with_nested_module/
│ │ │ │ ├── child/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── modules.tf
│ │ │ │ └── parent/
│ │ │ │ └── main.tf
│ │ │ └── parser_dup_nested/
│ │ │ ├── main.tf
│ │ │ ├── module/
│ │ │ │ ├── main.tf
│ │ │ │ └── module2/
│ │ │ │ └── main.tf
│ │ │ └── variable.tf
│ │ ├── test_foreach_renderer.py
│ │ ├── test_render_scenario.py
│ │ ├── test_renderer.py
│ │ ├── test_resources/
│ │ │ ├── default_map_value/
│ │ │ │ └── main.tf
│ │ │ ├── dynamic_block_map_example/
│ │ │ │ ├── dynamic.tf
│ │ │ │ ├── terraform.tfvars
│ │ │ │ └── variables.tf
│ │ │ ├── dynamic_block_nesting_attribute/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── dynamic_blocks_map/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── dynamic_blocks_map_brackets/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── dynamic_blocks_null_lookup/
│ │ │ │ ├── examples/
│ │ │ │ │ └── simple/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── variables.tf
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── dynamic_blocks_resource/
│ │ │ │ └── dynamic_block_with_list.tf
│ │ │ ├── dynamic_blocks_tfvars/
│ │ │ │ ├── main.tf
│ │ │ │ ├── terraform.tfvars
│ │ │ │ └── variables.tf
│ │ │ ├── dynamic_blocks_tfvars_merge/
│ │ │ │ ├── main.tf
│ │ │ │ ├── terraform.tfvars
│ │ │ │ └── variables.tf
│ │ │ ├── dynamic_blocks_variable_rendering/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── dynamic_blocks_with_nested/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── dynamic_nested_with_lookup_foreach/
│ │ │ │ ├── aws_iam_role.pipeline.tf
│ │ │ │ ├── aws_kms_key.example.tf
│ │ │ │ ├── data.aws_region.current.tf
│ │ │ │ ├── examplea.auto.tfvars
│ │ │ │ ├── locals.tf
│ │ │ │ ├── main.tf
│ │ │ │ ├── module.codepipeline.tf
│ │ │ │ └── variables.tf
│ │ │ ├── dynamic_with_conditional_expression/
│ │ │ │ ├── cosmosdb_account_main.tf
│ │ │ │ └── cosmosdb_account_vars.tf
│ │ │ ├── list_entry_module_var/
│ │ │ │ └── module/
│ │ │ │ └── main.tf
│ │ │ ├── lookup_from_var/
│ │ │ │ └── main.tf
│ │ │ ├── multiple_dynamic_blocks/
│ │ │ │ └── main.tf
│ │ │ ├── provider_alias/
│ │ │ │ └── main.tf
│ │ │ ├── skip_renderer/
│ │ │ │ └── ellipsis.tf
│ │ │ └── tfvar_module_variables/
│ │ │ ├── install_airpods.tf
│ │ │ ├── modules/
│ │ │ │ └── instance/
│ │ │ │ ├── main.tf
│ │ │ │ ├── outputs.tf
│ │ │ │ └── variables.tf
│ │ │ ├── outputs.tf
│ │ │ ├── provider.tf
│ │ │ ├── terraform.tfvars
│ │ │ └── variables.tf
│ │ └── test_string_evaluation.py
│ ├── image_referencer/
│ │ ├── __init__.py
│ │ ├── provider/
│ │ │ ├── __init__.py
│ │ │ ├── test_aws.py
│ │ │ ├── test_azure.py
│ │ │ └── test_gcp.py
│ │ ├── resources/
│ │ │ ├── aws/
│ │ │ │ ├── apprunner.tf
│ │ │ │ ├── apprunner_tfplan.json
│ │ │ │ ├── batch.tf
│ │ │ │ ├── batch_tfplan.json
│ │ │ │ ├── codebuild.tf
│ │ │ │ ├── codebuild_tfplan.json
│ │ │ │ ├── ecs.tf
│ │ │ │ ├── ecs_tfplan.json
│ │ │ │ ├── lightsail.tf
│ │ │ │ ├── lightsail_tfplan.json
│ │ │ │ ├── sagemaker_image_version.tf
│ │ │ │ └── sagemaker_model.tf
│ │ │ ├── azure/
│ │ │ │ ├── app_service_linux_function.tf
│ │ │ │ ├── app_service_linux_web.tf
│ │ │ │ ├── app_service_windows_web.tf
│ │ │ │ ├── batch.tf
│ │ │ │ ├── containers.tf
│ │ │ │ └── spring_cloud.tf
│ │ │ └── gcp/
│ │ │ ├── cloud_run.tf
│ │ │ ├── cloud_run_v2.tf
│ │ │ └── cloudbuild.tf
│ │ ├── test_manager.py
│ │ ├── test_plan_runner_aws_resources.py
│ │ ├── test_runner_aws_resources.py
│ │ ├── test_runner_azure_resources.py
│ │ └── test_runner_gcp_resources.py
│ ├── module_loading/
│ │ ├── __init__.py
│ │ ├── data/
│ │ │ ├── nested_modules/
│ │ │ │ └── main.tf
│ │ │ ├── tf_managed_modules/
│ │ │ │ └── main.tf
│ │ │ ├── tf_managed_submodules/
│ │ │ │ └── main.tf
│ │ │ └── tf_module_downloader/
│ │ │ ├── private_registry_modules/
│ │ │ │ └── main.tf
│ │ │ └── public_modules/
│ │ │ └── main.tf
│ │ ├── loaders/
│ │ │ ├── __init__.py
│ │ │ ├── resources/
│ │ │ │ └── README.txt
│ │ │ ├── test_git_loader.py
│ │ │ ├── test_local_path_loader.py
│ │ │ ├── test_registry_loader.py
│ │ │ └── test_version_parser.py
│ │ ├── test_registry.py
│ │ ├── test_runner.py
│ │ └── test_tf_module_finder.py
│ ├── parser/
│ │ ├── __init__.py
│ │ ├── resources/
│ │ │ ├── double_slash.tf
│ │ │ ├── failing_module_address/
│ │ │ │ └── registry_security_group.tf
│ │ │ ├── file_bom/
│ │ │ │ ├── with_bom.tf
│ │ │ │ └── without_bom.tf
│ │ │ ├── hcl_timeout/
│ │ │ │ └── main.tf
│ │ │ ├── local_module/
│ │ │ │ ├── main.tf
│ │ │ │ └── module/
│ │ │ │ └── main.tf
│ │ │ ├── malformed_outputs/
│ │ │ │ └── main.tf
│ │ │ ├── parse_backtrack_module/
│ │ │ │ ├── example/
│ │ │ │ │ └── main.tf
│ │ │ │ └── main.tf
│ │ │ ├── parse_file_vs_dir/
│ │ │ │ └── main.tf
│ │ │ ├── parser_dup_nested/
│ │ │ │ ├── main.tf
│ │ │ │ └── module/
│ │ │ │ ├── main.tf
│ │ │ │ └── module2/
│ │ │ │ └── main.tf
│ │ │ ├── parser_nested_modules/
│ │ │ │ ├── main.tf
│ │ │ │ └── module/
│ │ │ │ ├── main.tf
│ │ │ │ ├── module2/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── variable.tf
│ │ │ │ └── variable.tf
│ │ │ ├── parser_scenarios/
│ │ │ │ ├── README.md
│ │ │ │ ├── account_dirs_and_modules/
│ │ │ │ │ ├── envs/
│ │ │ │ │ │ ├── myaccount/
│ │ │ │ │ │ │ └── us-east-1/
│ │ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ │ ├── terraform.tfvars
│ │ │ │ │ │ │ └── variables.tf
│ │ │ │ │ │ └── myotheraccount/
│ │ │ │ │ │ └── us-east-1/
│ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ ├── terraform.tfvars
│ │ │ │ │ │ └── variables.tf
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── modules/
│ │ │ │ │ └── db/
│ │ │ │ │ ├── db.tf
│ │ │ │ │ └── variables.tf
│ │ │ │ ├── bad_ref_fallbacks/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── bad_tf_nested_modules_enable/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── skip_bad_tf_example.tf
│ │ │ │ ├── bogus_function/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── colon/
│ │ │ │ │ ├── colon.tf
│ │ │ │ │ └── expected.json
│ │ │ │ ├── compound_local/
│ │ │ │ │ ├── checkov.tf
│ │ │ │ │ └── expected.json
│ │ │ │ ├── concat_function/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── count_eval/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ ├── modules/
│ │ │ │ │ │ ├── fabric-net-firewall/
│ │ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ │ ├── outputs.tf
│ │ │ │ │ │ │ └── variables.tf
│ │ │ │ │ │ ├── fabric-net-svpc-access/
│ │ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ │ ├── outputs.tf
│ │ │ │ │ │ │ └── variables.tf
│ │ │ │ │ │ ├── network-peering/
│ │ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ │ ├── outputs.tf
│ │ │ │ │ │ │ └── variables.tf
│ │ │ │ │ │ ├── routes/
│ │ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ │ ├── outputs.tf
│ │ │ │ │ │ │ └── variables.tf
│ │ │ │ │ │ ├── routes-beta/
│ │ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ │ ├── outputs.tf
│ │ │ │ │ │ │ └── variables.tf
│ │ │ │ │ │ ├── subnets/
│ │ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ │ ├── outputs.tf
│ │ │ │ │ │ │ └── variables.tf
│ │ │ │ │ │ ├── subnets-beta/
│ │ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ │ ├── outputs.tf
│ │ │ │ │ │ │ └── variables.tf
│ │ │ │ │ │ └── vpc/
│ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ ├── outputs.tf
│ │ │ │ │ │ └── variables.tf
│ │ │ │ │ ├── outputs.tf
│ │ │ │ │ └── variables.tf
│ │ │ │ ├── default_evaluation/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── variables.tf
│ │ │ │ ├── default_var_types/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── doc_evaluations_verify/
│ │ │ │ │ ├── README.md
│ │ │ │ │ ├── eval.json
│ │ │ │ │ ├── expected.json
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── variables.tf
│ │ │ │ ├── empty_file/
│ │ │ │ │ ├── evaluation.json
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── formatting/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── json_807/
│ │ │ │ │ ├── cdk.tf.json
│ │ │ │ │ └── expected.json
│ │ │ │ ├── list_default_622/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── test.tf
│ │ │ │ ├── local_block/
│ │ │ │ │ ├── eval.json
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── name_doesnt_matter.tf
│ │ │ │ ├── local_bool_string_conversion/
│ │ │ │ │ ├── eval.json
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── name_doesnt_matter.tf
│ │ │ │ ├── map_function/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── maze_of_variables/
│ │ │ │ │ ├── bucket/
│ │ │ │ │ │ └── bucket.tf
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── maze.tf
│ │ │ │ ├── merge_function/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── merge_function_unresolved_var/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── module_matryoshka_nested_module_enable/
│ │ │ │ │ ├── bucket1/
│ │ │ │ │ │ ├── bucket.tf
│ │ │ │ │ │ └── bucket2/
│ │ │ │ │ │ ├── bucket.tf
│ │ │ │ │ │ └── bucket3/
│ │ │ │ │ │ └── bucket.tf
│ │ │ │ │ ├── buckets.tf
│ │ │ │ │ └── expected.json
│ │ │ │ ├── module_multiple_usage/
│ │ │ │ │ ├── bucket/
│ │ │ │ │ │ └── bucket.tf
│ │ │ │ │ ├── buckets.tf
│ │ │ │ │ └── expected.json
│ │ │ │ ├── module_output_reference/
│ │ │ │ │ ├── bucket/
│ │ │ │ │ │ └── bucket.tf
│ │ │ │ │ ├── common/
│ │ │ │ │ │ └── common.tf
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── module_reference/
│ │ │ │ │ ├── bucket/
│ │ │ │ │ │ └── bucket.tf
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── module_simple/
│ │ │ │ │ ├── bucket/
│ │ │ │ │ │ └── bucket.tf
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── module_simple_up_dir_ref/
│ │ │ │ │ ├── bucket/
│ │ │ │ │ │ └── bucket.tf
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── tf/
│ │ │ │ │ └── main.tf
│ │ │ │ ├── nested_modules_instances_enable/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── tf_module/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── module/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ ├── module2/
│ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ └── variable.tf
│ │ │ │ │ └── variable.tf
│ │ │ │ ├── null_variables_651/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── simple_bucket_single_file/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── ternaries/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── ternary_793/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── tfvars/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ ├── main.tf
│ │ │ │ │ ├── other1.tfvars
│ │ │ │ │ ├── other2.tfvars
│ │ │ │ │ ├── other3.tfvars
│ │ │ │ │ ├── terraform.tfvars
│ │ │ │ │ ├── x.auto.tfvars
│ │ │ │ │ └── y.auto.tfvars
│ │ │ │ ├── tfvars_outside_dir/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── tobool_function/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── tolist_function/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── tomap_function/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── tonumber_function/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── toset_function/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── tostring_function/
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── main.tf
│ │ │ │ ├── variable_defaults/
│ │ │ │ │ ├── eval.json
│ │ │ │ │ ├── expected.json
│ │ │ │ │ └── name_doesnt_matter.tf
│ │ │ │ └── variable_defaults_separate_files/
│ │ │ │ ├── eval.json
│ │ │ │ ├── expected.json
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── parser_tfvars/
│ │ │ │ ├── main.tf
│ │ │ │ └── other.tfvars
│ │ │ ├── plan_after_unknown/
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_booleans/
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_encodings/
│ │ │ │ ├── tfplan_mac_utf8.json
│ │ │ │ ├── tfplan_win_utf16.json
│ │ │ │ └── tfplan_win_utf8.json
│ │ │ ├── plan_module_with_connected_resources/
│ │ │ │ ├── s3module.tf
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_multiple_providers/
│ │ │ │ ├── multiple_providers.tf
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_provisioners/
│ │ │ │ ├── tfplan.json
│ │ │ │ └── tfplan2.json
│ │ │ ├── plan_tags/
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_tags_variety/
│ │ │ │ ├── tags.tf
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_vpc_endpoint/
│ │ │ │ └── tfplan.json
│ │ │ ├── registry_security_group/
│ │ │ │ └── registry_security_group.tf
│ │ │ └── registry_security_group_inner_module/
│ │ │ └── main.tf
│ │ ├── skip_bad_tf_example.tf
│ │ ├── test_hcl2_load_assumptions.py
│ │ ├── test_module.py
│ │ ├── test_new_parser_modules.py
│ │ ├── test_parse_file_vs_dir.py
│ │ ├── test_parser_internals.py
│ │ ├── test_parser_var_blocks.py
│ │ └── test_plan_parser.py
│ ├── runner/
│ │ ├── __init__.py
│ │ ├── extra_checks/
│ │ │ ├── S3EnvironmentCheck.py
│ │ │ ├── __init__.py
│ │ │ └── nested/
│ │ │ ├── S3EnvironmentCheck2.py
│ │ │ └── __init__.py
│ │ ├── extra_tf_plan_checks/
│ │ │ ├── __init__.py
│ │ │ ├── modules.json
│ │ │ ├── nsg_rule_connection.yaml
│ │ │ ├── secret_not_deleted.py
│ │ │ ├── secret_not_deleted.yaml
│ │ │ └── security_group_rule_protocol_changed.py
│ │ ├── extra_yaml_checks/
│ │ │ ├── aws_provider_check.yaml
│ │ │ ├── bucket_versioned_owned.yaml
│ │ │ ├── module_source.yaml
│ │ │ ├── policy_violations.yaml
│ │ │ └── test_tag.yaml
│ │ ├── py_check_tf_plan/
│ │ │ ├── __init__.py
│ │ │ └── check_tf_plan.py
│ │ ├── py_graph_check/
│ │ │ ├── __init__.py
│ │ │ └── py_graph_check.py
│ │ ├── resources/
│ │ │ ├── definition_context_path_nested_modules/
│ │ │ │ ├── main.tf
│ │ │ │ └── module/
│ │ │ │ ├── main.tf
│ │ │ │ ├── module2/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── variable.tf
│ │ │ │ └── variable.tf
│ │ │ ├── duplicate_violations/
│ │ │ │ ├── modules/
│ │ │ │ │ └── main.tf
│ │ │ │ └── src/
│ │ │ │ ├── main1.tf
│ │ │ │ └── main2.tf
│ │ │ ├── empty_locals/
│ │ │ │ └── locals.tf
│ │ │ ├── example/
│ │ │ │ ├── example.tf
│ │ │ │ └── invalid.tf
│ │ │ ├── extra_check_test/
│ │ │ │ └── s3.tf
│ │ │ ├── for_each/
│ │ │ │ ├── main.tf
│ │ │ │ └── simple/
│ │ │ │ ├── alerts.tf
│ │ │ │ ├── main.tf
│ │ │ │ └── outputs.tf
│ │ │ ├── get_graph_resource_entity_config/
│ │ │ │ ├── main.tf
│ │ │ │ └── variables.tf
│ │ │ ├── hcl_0.11/
│ │ │ │ └── main.tf
│ │ │ ├── hcl_timeout/
│ │ │ │ └── main.tf
│ │ │ ├── hidden_dir/
│ │ │ │ ├── .dir/
│ │ │ │ │ └── .example1.tf
│ │ │ │ ├── .example2.tf
│ │ │ │ ├── dir1/
│ │ │ │ │ ├── .example1.tf
│ │ │ │ │ └── example.tf
│ │ │ │ └── example.tf
│ │ │ ├── invalid_terraform_syntax/
│ │ │ │ ├── bad_tf_1.tf
│ │ │ │ └── bad_tf_2.tf
│ │ │ ├── list_of_routes/
│ │ │ │ └── list_of_routes.tf
│ │ │ ├── malformed_857/
│ │ │ │ └── main.tf
│ │ │ ├── many_providers/
│ │ │ │ └── main.tf
│ │ │ ├── merge_operator/
│ │ │ │ ├── main.tf
│ │ │ │ └── query/
│ │ │ │ └── TagsQuery.yaml
│ │ │ ├── module_check/
│ │ │ │ └── main.tf
│ │ │ ├── module_failure_reporting_772/
│ │ │ │ ├── main.tf
│ │ │ │ └── module/
│ │ │ │ └── module.tf
│ │ │ ├── module_skip/
│ │ │ │ ├── another/
│ │ │ │ │ └── module/
│ │ │ │ │ ├── module-3/
│ │ │ │ │ │ └── module.tf
│ │ │ │ │ └── module.tf
│ │ │ │ ├── main.tf
│ │ │ │ └── module/
│ │ │ │ └── module.tf
│ │ │ ├── multi_line_ternary/
│ │ │ │ └── main.tf
│ │ │ ├── multiple_module_versions/
│ │ │ │ ├── main.tf
│ │ │ │ └── main_2.tf
│ │ │ ├── nested_dir/
│ │ │ │ ├── dir1/
│ │ │ │ │ └── example.tf
│ │ │ │ └── example.tf
│ │ │ ├── nested_modules_caller_file/
│ │ │ │ ├── main.tf
│ │ │ │ └── module/
│ │ │ │ └── module.tf
│ │ │ ├── plan/
│ │ │ │ ├── corrupted-tfplan.json
│ │ │ │ ├── tf_plan_filtered_rule_fail.json
│ │ │ │ ├── tf_plan_filtered_rule_success.json
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_and_tf_combine_graph/
│ │ │ │ ├── source/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ ├── module/
│ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ └── variable.tf
│ │ │ │ │ └── module2/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── variable.tf
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_and_tf_combine_graph_with_missing_resources/
│ │ │ │ ├── source/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ ├── module/
│ │ │ │ │ │ ├── main.tf
│ │ │ │ │ │ └── variable.tf
│ │ │ │ │ └── module2/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── variable.tf
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_change_keys/
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_data_resource_partial_values/
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_nested_child_modules/
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_nested_child_modules_with_connections/
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_resources_ids/
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_resources_ids_with_nested_modules/
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_root_module_resources_no_values/
│ │ │ │ ├── tfplan.json
│ │ │ │ └── tfplan_route53.json
│ │ │ ├── plan_with_child_modules/
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_with_deleted_resources/
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_with_iam_data_block/
│ │ │ │ ├── main.tf
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_with_iam_policies/
│ │ │ │ ├── main.tf
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_with_lifecycle_check/
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_with_providers/
│ │ │ │ ├── main.tf
│ │ │ │ └── tfplan.json
│ │ │ ├── plan_with_resource_reference/
│ │ │ │ ├── tfplan.json
│ │ │ │ ├── tfplan_extra_ref.json
│ │ │ │ └── tfplan_graph.json
│ │ │ ├── plan_with_utf_16_encoding/
│ │ │ │ └── tfplan.json
│ │ │ ├── provider_blocks/
│ │ │ │ └── main.tf
│ │ │ ├── py_graph_check/
│ │ │ │ └── main.tf
│ │ │ ├── py_graph_check_tf_plan/
│ │ │ │ └── py_graph_check_paln.json
│ │ │ ├── resource_ids_nested_modules/
│ │ │ │ ├── main.tf
│ │ │ │ └── module/
│ │ │ │ ├── main.tf
│ │ │ │ ├── module2/
│ │ │ │ │ ├── main.tf
│ │ │ │ │ └── variable.tf
│ │ │ │ └── variable.tf
│ │ │ ├── resource_negative_value_without_var/
│ │ │ │ ├── main.tf
│ │ │ │ ├── variables.tf
│ │ │ │ └── variables_unscoped.tf
│ │ │ ├── resource_value_without_var/
│ │ │ │ ├── main.tf
│ │ │ │ ├── variables.tf
│ │ │ │ └── variables_unscoped.tf
│ │ │ ├── tf_raw_resource/
│ │ │ │ └── main.tf
│ │ │ ├── tf_with_hcl_files/
│ │ │ │ ├── example_acl_fail.hcl
│ │ │ │ └── example_acl_fail.tf
│ │ │ ├── unbalanced_eval_brackets/
│ │ │ │ └── main.tf
│ │ │ ├── unexpected/
│ │ │ │ ├── eks_node_group_remote_access.json
│ │ │ │ └── unexpected.md
│ │ │ ├── unrendered_vars/
│ │ │ │ ├── bucket_equals.yaml
│ │ │ │ ├── bucket_exists.yaml
│ │ │ │ ├── component_equals.yaml
│ │ │ │ ├── component_exists.yaml
│ │ │ │ ├── nested.tf
│ │ │ │ └── simple.tf
│ │ │ ├── valid_tf_only_failed_checks/
│ │ │ │ └── example_acl_fail.tf
│ │ │ ├── valid_tf_only_module_usage/
│ │ │ │ └── example.tf
│ │ │ ├── valid_tf_only_passed_checks/
│ │ │ │ ├── example.tf
│ │ │ │ └── example_skip_acl.tf
│ │ │ └── valid_tf_only_resource_usage/
│ │ │ └── example.tf
│ │ ├── test_plan_runner.py
│ │ ├── test_runner.py
│ │ ├── tf_plan_skip_check_regex/
│ │ │ ├── resource/
│ │ │ │ ├── skip_directory/
│ │ │ │ │ └── tfplan2.json
│ │ │ │ └── tfplan1.json
│ │ │ └── test_tf_plan_skip_check_regex.py
│ │ └── tfplan2.json
│ ├── test_provider_tags.py
│ ├── test_scanner_registry.py
│ └── util/
│ ├── __init__.py
│ ├── test_doc_generator.py
│ └── test_iam_converter.py
├── terraform_json/
│ ├── __init__.py
│ ├── examples/
│ │ └── cdk.tf.json
│ ├── test_graph_manager.py
│ ├── test_parser.py
│ └── test_runner.py
├── test_contributor_metrics.py
├── test_main.py
├── test_runner_filter.py
└── unit/
├── __init__.py
└── test_secrets.py
================================================
FILE CONTENTS
================================================
================================================
FILE: .cfnlintrc
================================================
# cfn-lint configuration: lints the CloudFormation test fixtures so the
# check examples stay parseable templates.
templates:
- tests/cloudformation/checks/resource/aws/**/*.json
- tests/cloudformation/checks/resource/aws/**/*.yaml
# Fixtures that cfn-lint rejects are excluded here rather than "fixed":
# the checks under test need them as written (see the per-entry reasons).
ignore_templates:
- tests/cloudformation/checks/resource/aws/unused/*
# https://github.com/aws-cloudformation/cfn-python-lint/issues/1577
- tests/cloudformation/checks/resource/aws/example_AthenaWorkgroupConfiguration/*
# added resource with Properties, which is not supported by cfn-lint
- tests/cloudformation/checks/resource/aws/example_LambdaEnvironmentCredentials/sam.yaml
# includes tests with booleans as strings
- tests/cloudformation/checks/resource/aws/example_ECRImageScanning/*
- tests/cloudformation/checks/resource/aws/example_ALBDropHttpHeaders/*
- tests/cloudformation/checks/resource/aws/example_ELBv2AccessLogs/*
- tests/cloudformation/checks/resource/aws/example_RedShiftSSL/*
- tests/cloudformation/checks/resource/aws/example_LambdaEnvironmentCredentials/*
# NOTE(review): the next two entries differ only by the trailing `/*`;
# presumably one of them is redundant — confirm against cfn-lint's matching.
- tests/cloudformation/checks/resource/aws/example_SecurityGroupRuleDescription/*
- tests/cloudformation/checks/resource/aws/example_SecurityGroupRuleDescription
- tests/cloudformation/checks/resource/aws/example_SecurityGroupUnrestrictedIngress22/SecurityGroupUnrestrictedIngress22-UNKNOWN.yaml
- tests/cloudformation/checks/resource/aws/example_SecurityGroupUnrestrictedIngress80/SecurityGroupUnrestrictedIngress80-UNKNOWN.yaml
# NOTE(review): if cfn-lint expands this `*` recursively it subsumes every
# other entry in this list; confirm it only matches direct children.
- tests/cloudformation/checks/resource/*
- tests/cloudformation/checks/resource/aws/example_IAMStarActionPolicyDocument/cfn_bad_iam_pass.yaml
- tests/cloudformation/checks/resource/aws/example_IAMRoleAllowAssumeFromAccount/UNKNOWN.yml
- tests/cloudformation/checks/resource/aws/example_cloudfrontDistribution/CloudfrontDistributionEncryption-UNKNOWN.yaml
- tests/cloudformation/checks/resource/aws/example_ALBListenerTLS12/ALBListenerTLS1.2-FAILED.yaml
# Suppress all warning-level (W*) rules; error-level rules still apply.
ignore_checks:
- W
================================================
FILE: .coveragerc
================================================
# coverage.py configuration (used by `coverage run` / `coverage report`).
[run]
# Measure branch coverage in addition to line coverage.
branch = True

[report]
# Paths left out of the report: test code, local caches, docs and hooks.
omit =
    tests/*
    */.pytest_cache/*
    */.local/*
    docs/*
    hooks/*
================================================
FILE: .dockerignore
================================================
# Paths excluded from the Docker build context.
# NOTE(review): checkov/ and bin/ are excluded as well, which suggests the
# image installs checkov from a package rather than from this source tree —
# confirm against the Dockerfile before relying on local changes in a build.
bin/
checkov/
docs/
integration_tests/
tests/
================================================
FILE: .flake8
================================================
# can be moved to pyproject.toml some day
# https://github.com/PyCQA/flake8/issues/234
[flake8]
max-line-length = 120
# E203,E501 don't work with black together
# DUO* codes come from the dlint security linter, B*/B9* from flake8-bugbear,
# TC* from flake8-type-checking; the listed ones are suppressed repo-wide.
ignore = E203,E501,E731,W503,W504,DUO107,DUO104,DUO130,DUO109,DUO116,B028,B950,TC001,TC003,TC006,B907,B038,B909
select = C,E,F,W,B,B9,A,TC
extend-exclude = .github, .pytest_cache, docs/*, venv/*, tests/*, flake8_plugins/*, cdk_integration_tests/src/python/*

# Repository-local plugin, registered under the CCE error-code prefix.
[flake8:local-plugins]
extension =
    CCE = flake8_plugins.flake8_class_attributes_plugin.flake8_class_attributes.checker:ClassAttributesChecker
paths =
    . flake8_plugins/flake8_class_attributes_plugin/flake8_class_attributes
================================================
FILE: .github/ISSUE_TEMPLATE/best_practices_issue.md
================================================
---
name: Best practices improvement
about: Issues that will help achieve best practices using checkov.
title: ''
labels: 'best practices'
assignees: ''
---
**Describe the issue**
If it is related to an existing check, please note the relevant check ID.
Also, explain the logic for this addition / change.
**Examples**
Please share an example code sample (in the IaC of your choice) + the expected outcomes.
**Version (please complete the following information):**
- Checkov Version [e.g. 22]
**Additional context**
Add any other context about the problem here.
================================================
FILE: .github/ISSUE_TEMPLATE/checks_issue.md
================================================
---
name: Checks Issue
about: Create an issue regarding a check (existing or missing)
title: ''
labels: 'checks'
assignees: ''
---
**Describe the issue**
If it is related to an existing check, please note the relevant check ID.
Also, explain the logic for this addition / change.
**Examples**
Please share an example code sample (in the IaC of your choice) + the expected outcomes.
**Version (please complete the following information):**
- Checkov Version [e.g. 22]
**Additional context**
Add any other context about the problem here.
================================================
FILE: .github/ISSUE_TEMPLATE/crash_report.md
================================================
---
name: Crash report
about: Create an issue for cases causing checkov to crash
title: ''
labels: 'crash'
assignees: ''
---
**Describe the issue**
Explain what you expected to happen when checkov crashed.
**Examples**
Please share an example code sample (in the IaC of your choice) + the expected outcomes.
**Exception Trace**
Please share the trace for the exception and all relevant output by checkov.
To maximize the understanding, please run checkov with LOG_LEVEL set to debug
as follows:
```sh
LOG_LEVEL=DEBUG checkov ...
```
**Desktop (please complete the following information):**
- OS: [e.g. iOS]
- Checkov Version [e.g. 22]
**Additional context**
Add any other context about the problem here (e.g. code snippets).
================================================
FILE: .github/ISSUE_TEMPLATE/feature_request.md
================================================
---
name: Feature request
about: Feature requests or requests for enhancements that are not bugs.
title: ''
labels: 'contribution requested'
assignees: ''
---
**Describe the feature**
Explain the feature in detail. Note that feature requests are always reviewed, but prioritized based on popularity, effort, and impact. We also welcome contributions.
**Examples**
Please share an example code sample (in the IaC of your choice) + expected inputs and outputs from Checkov + the expected outcomes.
**Additional context**
Add any other context about the problem here.
================================================
FILE: .github/ISSUE_TEMPLATE/graph_issue.md
================================================
---
name: Graph Issue
about: Create an issue regarding the graph creation and querying
title: ''
labels: 'graph'
assignees: ''
---
**Describe the issue**
Please explain what is missing or malfunctioning in the graph (creation or querying).
Also detail the expected behavior for this use case.
**Examples**
Please share an example code sample (in the IaC of your choice) + the expected outcomes.
**Desktop (please complete the following information):**
- OS: [e.g. iOS]
- Checkov Version [e.g. 22]
**Additional context**
Add any other context about the problem here (e.g. code snippets).
================================================
FILE: .github/ISSUE_TEMPLATE/integrations_issue.md
================================================
---
name: Integrations Issue
about: Create an issue regarding the integration of checkov with other tools.
title: ''
labels: 'integrations'
assignees: ''
---
**Describe the issue**
If an existing integration is malfunctioning, please describe the current state and
what you expect to be happening.
For new integrations, please share an example use case this integration will help
checkov support.
================================================
FILE: .github/ISSUE_TEMPLATE/languages_issue.md
================================================
---
name: Languages Issue
about: Create an issue regarding the frameworks and languages supported by checkov
title: ''
labels: 'languages'
assignees: ''
---
**Describe the issue**
Describe the framework, or the feature missing from a supported framework, that you
would like to add, and explain the use case.
**Example Value**
Please share an example check / use case that this issue will allow checkov to support.
================================================
FILE: .github/ISSUE_TEMPLATE/noise_issue.md
================================================
---
name: Noise Issue
about: Create an issue regarding checkov's output and noise it generates.
title: ''
labels: 'noise'
assignees: ''
---
**Describe the issue**
Please explain the use case that leads to this noise being generated.
**Examples**
Please share an example code sample (in the IaC of your choice) + the expected outcomes.
**Version (please complete the following information):**
- Checkov Version [e.g. 22]
**Additional context**
Add any other context about the problem here.
================================================
FILE: .github/ISSUE_TEMPLATE/outputs_issue.md
================================================
---
name: Outputs Issue
about: Create an issue regarding checkov's output (addition or fix)
title: ''
labels: 'outputs'
assignees: ''
---
**Describe the issue**
If this concerns an existing output (json, junit-xml etc.), please note the current state
and the expected state. For new outputs, please describe the use case for adding it.
**Additional context**
Add any other context about the problem here.
================================================
FILE: .github/ISSUE_TEMPLATE/skips_issue.md
================================================
---
name: Skipping Issue
about: Create an issue regarding checkov's skipping mechanism
title: ''
labels: 'skips'
assignees: ''
---
**Describe the issue**
Please explain which functionality is missing for you, what you did, and
what the actual output was.
**Examples**
Please share an example code sample (in the IaC of your choice) + the expected outcomes.
**Version (please complete the following information):**
- Checkov Version [e.g. 22]
**Additional context**
Add any other context about the problem here.
================================================
FILE: .github/PULL_REQUEST_TEMPLATE.md
================================================
**By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.**
[//]: # "
# PR Title
We use the title to create changelog automatically and therefore only allow specific prefixes
- break: to indicate a breaking change, this supersedes any of the other types
- feat: to indicate new features or checks
- fix: to indicate a bugfix or handling of edge cases of existing checks
- docs: to indicate an update to our documentation
- chore: to indicate adjustments to workflow files or dependency updates
- platform: to indicate a change needed for the platform
Each prefix should be accompanied by a scope that specifies the targeted framework. If uncertain, use 'general'.
#
Allowed scopes:
ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sast|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json
#
ex.
feat(terraform): add CKV_AWS_123 to ensure that VPC Endpoint Service is configured for Manual Acceptance
"
## Description
*Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.*
Fixes # (issue)
## New/Edited policies (Delete if not relevant)
### Description
*Include a description of what makes it a violation and any relevant external links.*
### Fix
*How does someone fix the issue in code and/or in runtime?*
## Checklist:
- [ ] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] I have added tests that prove my feature, policy, or fix is effective and works
- [ ] New and existing tests pass locally with my changes
================================================
FILE: .github/actionlint.yaml
================================================
# actionlint configuration: declares the custom runner labels used in
# workflow `runs-on` values so actionlint does not flag them as unknown.
self-hosted-runner:
  labels:
    - public
================================================
FILE: .github/checkov.yaml
================================================
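# Checkov configuration for scanning this repository itself.
# Only the secrets framework runs, and every `skip-path` entry is removed
# from that scan — adding an entry here silently reduces coverage.

# Scan every file type for hard-coded credentials, not only IaC files.
enable-secret-scan-all-files: true
framework:
  - secrets
# Report failed checks only.
quiet: true
# Paths excluded from the secret scan. Presumably these hold deliberate test
# fixtures (fake credentials, plan files, secret-detector sources) — confirm
# before extending the list. Leading-slash and relative forms are both in
# use and are assumed to match equivalently under checkov's path matching.
skip-path:
  - docs
  - tests/arm/checks/resource/example_AzureScaleSetPassword/FAILED.json
  - tests/arm/checks/resource/example_AzureScaleSetPassword/UNKNOWN.json
  - tests/arm/checks/resource/example_StorageAccountAzureServicesAccessEnabled/storageAccountAzureServicesAccessEnabled-FAILED2.json
  - tests/arm/checks/resource/example_StorageAccountDefaultNetworkAccessDeny/storageAccountDefaultNetworkAccessDeny-FAILED2.json
  - tests/terraform/checks/resource/azure/example_AzureInstanceExtensions/main.tf
  - tests/common/utils/conftest.py
  - tests/common/utils/test_secrets_utils.py
  - tests/sca_image/conftest.py
  - tests/sca_package_2/conftest.py
  - tests/secrets
  - tests/terraform/checks/provider
  - tests/terraform/parser/resources/plan_tags/tfplan.json
  - tests/terraform/runner/resources/plan/tfplan.json
  - tests/terraform/runner/tf_plan_skip_check_regex/resource/skip_directory/tfplan2.json
  - tests/terraform/runner/tf_plan_skip_check_regex/resource/tfplan1.json
  - tests/terraform/runner/tfplan2.json
  - tests/unit/test_secrets.py
  - tests/terraform/runner/resources/example/example.tf
  - tests/terraform/graph
  - tests/terraform/checks
  - /checkov/secrets/plugins/entropy_keyword_combinator.py
  - /checkov/secrets/plugins/detector_utils.py
  - /cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/pass.py
  - /cdk_integration_tests/src/python/RedshiftClusterEncryption/pass.py
  - /cdk_integration_tests/src/python/RedshiftClusterEncryption/fail__1__.py
  - /cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/fail__1__.py
  - /cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/fail__2__.py
  - /cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass.py
  - /cdk_integration_tests/src/typescript
  # This entry was previously listed four times; one occurrence is enough.
  - /checkov/cdk/checks/python/GlueDataCatalogEncryption.yaml
  - tests/terraform/runner/resources/plan_with_providers
summary-position: bottom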
================================================
FILE: .github/codeql-config.yml
================================================
# CodeQL configuration, presumably consumed by the codeql-analysis workflow.
name: "CodeQL config"
# Test code is excluded from analysis — presumably so that deliberately
# insecure fixtures do not surface as findings; confirm this is intended.
paths-ignore:
- tests
================================================
FILE: .github/dependabot.yml
================================================
# Dependabot configuration.
# NOTE(review): only GitHub Actions versions are tracked here; Python
# dependencies (Pipfile) are not covered by Dependabot — presumably the
# pipenv-update workflow handles them instead. Confirm.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
================================================
FILE: .github/exclude-patterns.txt
================================================
checkov/terraform/module_loading/loaders/github_access_token_loader.py
checkov/terraform/module_loading/loaders/git_loader.py
docs/2.Basics/Scanning Credentials and Secrets.md
docs/5.Contribution/New-Provider.md
github_action_resources/entrypoint.sh
tests/serverless/checks/aws/example_AWSCredentials/AWSCredentials-FAILED-func_level/serverless.yml
tests/serverless/checks/aws/example_AWSCredentials/AWSCredentials-FAILED-provider_level/serverless.yml
tests/serverless/checks/aws/example_AWSCredentials/AWSCredentials-FAILED-provider_level/serverless.yml
tests/serverless/checks/aws/example_AWSCredentials/AWSCredentials-FAILED-func_level/serverless.yml
tests/serverless/checks/aws/example_AWSCredentials/AWSCredentials-FAILED-provider_level/serverless.yml
tests/cloudformation/checks/resource/aws/example_EC2Credentials/EC2Credentials-FAILED.yaml
tests/cloudformation/checks/resource/aws/example_AWSCredentials/EC2Credentials-FAILED.yaml
tests/cloudformation/checks/resource/aws/example_LambdaEnvironmentCredentials/sam.yaml
tests/cloudformation/checks/resource/aws/example_LambdaEnvironmentCredentials/FAIL.yaml
tests/cloudformation/graph/checks/resources/LambdaFunction/template.yaml
tests/common/suppressions_resources/suppressions.tf
tests/secrets/.*
tests/common/utils/test_secrets_utils.py
tests/terraform/runner/resources/example/example.tf
tests/terraform/checks/resource/aws/example_EC2Credentials/main.tf
tests/terraform/checks/resource/aws/example_LambdaEnvironmentCredentials/main.tf
tests/terraform/checks/provider/aws/test_credentials.py
tests/terraform/checks/resource/aws/test_EC2Credentials.py
tests/terraform/checks/provider/ncp/test_credentials.py
tests/terraform/checks/provider/openstack/test_credentials.py
tests/terraform/module_loading/test_registry.py
tests/terraform/checks/resource/azure/example_AzureInstanceExtensions/main.tf
tests/unit/test_secrets.py
tests/terraform/runner/resources/plan/tfplan.json
tests/terraform/parser/resources/plan_tags/tfplan.json
tests/terraform/image_referencer/resources/aws/batch_tfplan.json
tests/helm/runner/resources/schema-registry
tests/common/utils/conftest.py
tests/terraform/runner/resources/get_graph_resource_entity_config/main.tf
tests/terraform/runner/tf_plan_skip_check_regex/resource/.*
tests/terraform/runner/tfplan2.json
tests/terraform/runner/resources/plan_with_providers/tfplan.json
tests/terraform/runner/resources/plan_with_providers/main.tf
.*Scans.md
.*Pipfile.lock
================================================
FILE: .github/pr-title-checker-config.json
================================================
{
"LABEL": {
"name": "title needs adjustment",
"color": "EEEEEE"
},
"CHECKS": {
"prefixes": [
"chore: "
],
"regexp": "^(fix|feat|break|docs|chore|platform)\\((ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sast|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json)\\): "
},
"MESSAGES": {
"success": "PR title is valid",
"failure": "PR title is invalid",
"notice": "Title needs to pass regex '(fix|feat|break|docs|chore|platform)\\((ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sast|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json)\\): '"
}
}
================================================
FILE: .github/release-changelog-config.json
================================================
{
"categories": [
{
"title": "## Breaking Change",
"labels": ["break"]
},
{
"title": "## Feature",
"labels": ["feat"]
},
{
"title": "## Bug Fix",
"labels": ["fix"]
},
{
"title": "## Platform",
"labels": ["platform"]
},
{
"title": "## Documentation",
"labels": ["docs"]
}
],
"sort": {
"order": "ASC",
"on_property": "title"
},
"template": "${{CHANGELOG}}",
"pr_template": "- ${{TITLE}} - [#${{NUMBER}}](${{URL}})",
"empty_template": "- no noteworthy changes",
"label_extractor": [
{
"pattern": "([^\\(]+)\\(.+\\): .+",
"on_property": "title",
"target": "$1"
}
],
"transformers": [
{
"pattern": "([^\\(]+)\\(?([^\\)]+)?\\)?: (.+)",
"target": "- **$2:** $3"
}
],
"max_pull_requests": 100,
"max_back_track_time_days": 7
}
================================================
FILE: .github/stale.yml
================================================
# Configuration for probot-stale - https://github.com/probot/stale
# Number of days of inactivity before an Issue or Pull Request becomes stale
daysUntilStale: 180
# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
daysUntilClose: 14
# Only issues or pull requests carrying all of these labels are checked for staleness. Defaults to `[]` (disabled)
onlyLabels: []
# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
exemptLabels:
- pinned
- security
- nostale
# Set to true to ignore issues in a project (defaults to false)
exemptProjects: false
# Set to true to ignore issues in a milestone (defaults to false)
exemptMilestones: false
# Set to true to ignore issues with an assignee (defaults to false)
exemptAssignees: false
# Label to use when marking as stale
staleLabel: stale
# Comment to post when marking as stale. Set to `false` to disable
markComment: >
Thanks for contributing to Checkov!
We've automatically marked this issue as stale to keep our issues list tidy,
because it has not had any activity for 6 months.
It will be closed in 14 days if no further activity occurs.
Commenting on this issue will remove the stale tag.
If you want to talk through the issue or help us understand the priority and context,
feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com
Thanks!
# Comment to post when removing the stale label.
# unmarkComment: >
# Your comment here.
# Comment to post when closing a stale Issue or Pull Request.
closeComment: >
Closing issue due to inactivity.
If you feel this is in error, please re-open, or reach out to the community via slack:
codifiedsecurity.slack.com
Thanks!
# Limit the number of actions per hour, from 1-30. Default is 30
limitPerRun: 30
# Limit to only `issues` or `pulls`
# only: issues
# Optionally, specify configuration settings that are specific to just 'issues' or 'pulls':
# pulls:
# daysUntilStale: 30
# markComment: >
# This pull request has been automatically marked as stale because it has not had
# recent activity. It will be closed if no further activity occurs. Thank you
# for your contributions.
# issues:
# exemptLabels:
# - confirmed
================================================
FILE: .github/workflows/build.yml
================================================
name: build
on:
workflow_dispatch:
inputs:
versionBump:
description: 'The part of the version to bump'
required: true
default: 'patch'
type: choice
options:
- patch
- minor
- major
push:
branches:
- main
paths-ignore:
- 'docs/**'
- 'INTHEWILD.md'
- 'README.md'
- 'CHANGELOG.md'
- '.github/**'
- checkov/version.py
- kubernetes/requirements.txt
- coverage.svg
- '.swm/**'
- '.pre-commit-config.yaml'
permissions:
contents: read
concurrency:
group: 'build'
cancel-in-progress: true
jobs:
security:
uses: ./.github/workflows/security-shared.yml
secrets: inherit
integration-tests:
  # End-to-end run of the freshly built wheel against the *goat sample repositories
  # on every supported OS/Python pair. This workflow only fires on push to main and
  # on manual dispatch (see `on:` above), so the platform credentials handed to the
  # "Create checkov reports" step are never exposed to pull-request builds.
  strategy:
    fail-fast: true
    matrix:
      python: ["3.10", "3.11", "3.12", "3.13"]
      os: [ubuntu-latest, macos-latest, windows-latest]
  runs-on: ${{ matrix.os }}
  steps:
    # NOTE(review): the "# vN" labels next to the pinned SHAs look stale - the same
    # setup-node SHA is labelled v3 here and v4 in pr-test.yml. The SHA is what
    # actually runs, so this is cosmetic, but regenerate the labels with a pinning
    # tool so reviewers are not misled about which major is in use.
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
    - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
      with:
        python-version: ${{ matrix.python }}
    - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v3
    - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
      with:
        version: "v3.19.1"
        token: ${{ secrets.GITHUB_TOKEN }}
    - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2
      # Expression string comparison is case-insensitive, so 'windows' matches
      # the runner's 'Windows'.
      if: ${{ runner.os != 'windows' }}
      with:
        github-token: ${{ secrets.GITHUB_TOKEN }}
    - name: Install pipenv
      run: |
        python -m pip install --no-cache-dir --upgrade pipenv
    - name: Build & install checkov package
      run: |
        # remove venv, if exists
        pipenv --rm || true
        pipenv --python ${{ matrix.python }}
        pipenv run pip install pytest pytest-xdist setuptools wheel
        pipenv run python setup.py sdist bdist_wheel
        bash -c 'pipenv run pip install dist/checkov-*.whl'
    - name: Clone Terragoat - vulnerable terraform
      run: git clone https://github.com/bridgecrewio/terragoat
    - name: Clone Cfngoat - vulnerable cloudformation
      run: git clone https://github.com/bridgecrewio/cfngoat
    - name: Clone Kubernetes-goat - vulnerable kubernetes
      run: git clone https://github.com/madhuakula/kubernetes-goat
    - name: Clone kustomize-goat - vulnerable kustomize
      run: git clone https://github.com/bridgecrewio/kustomizegoat
    - name: Create checkov reports
      run: |
        # Just making sure the API key tests don't run on PRs
        bash -c './integration_tests/prepare_data.sh "${{ matrix.os }}" "${{ matrix.python }}"'
      env:
        LOG_LEVEL: INFO
        BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}
        PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
        TF_REGISTRY_TOKEN: ${{ secrets.TFC_TOKEN }}
        # The job token stands in for a PAT here. It only carries the workflow's
        # top-level `contents: read` grant and is invalidated when the job ends.
        GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
    - name: Run integration tests
      # NOTE(review): integration-tests-old-python below is a copy of this job with
      # a different Python list; folding 3.9 into this matrix would remove the
      # duplication (confirm nothing relies on the separate job name first).
      run: |
        pipenv run pytest integration_tests
integration-tests-old-python:
strategy:
fail-fast: true
matrix:
python: ["3.9"]
os: [ubuntu-latest, windows-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
with:
python-version: ${{ matrix.python }}
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v3
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
with:
version: "v3.19.1"
token: ${{ secrets.GITHUB_TOKEN }}
- uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2
if: ${{ runner.os != 'windows' }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Install pipenv
run: |
python -m pip install --no-cache-dir --upgrade pipenv
- name: Build & install checkov package
run: |
# remove venv, if exists
pipenv --rm || true
pipenv --python ${{ matrix.python }}
pipenv run pip install pytest pytest-xdist setuptools wheel
pipenv run python setup.py sdist bdist_wheel
bash -c 'pipenv run pip install dist/checkov-*.whl'
- name: Clone Terragoat - vulnerable terraform
run: git clone https://github.com/bridgecrewio/terragoat
- name: Clone Cfngoat - vulnerable cloudformation
run: git clone https://github.com/bridgecrewio/cfngoat
- name: Clone Kubernetes-goat - vulnerable kubernetes
run: git clone https://github.com/madhuakula/kubernetes-goat
- name: Clone kustomize-goat - vulnerable kustomize
run: git clone https://github.com/bridgecrewio/kustomizegoat
- name: Create checkov reports
run: |
# Just making sure the API key tests don't run on PRs
bash -c './integration_tests/prepare_data.sh "${{ matrix.os }}" "${{ matrix.python }}"'
env:
LOG_LEVEL: INFO
BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}
PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
TF_REGISTRY_TOKEN: ${{ secrets.TFC_TOKEN }}
GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
- name: Run integration tests
run: |
pipenv run pytest integration_tests
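prisma-tests:
  # Smoke test of the platform integration: a real scan of terragoat must reach
  # Prisma Cloud, which shows up as a prismacloud.io link in the report.
  runs-on: [ self-hosted, public, linux, x64 ]
  env:
    PYTHON_VERSION: "3.9"
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
    - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
      with:
        python-version: ${{ env.PYTHON_VERSION }}
    - name: Install pipenv
      run: |
        python -m pip install --no-cache-dir --upgrade pipenv
    - name: Build & install checkov package
      run: |
        # remove venv, if exists
        pipenv --rm || true
        pipenv --python ${{ env.PYTHON_VERSION }}
        pipenv run pip install pytest pytest-xdist
        pipenv run python setup.py sdist bdist_wheel
        bash -c 'pipenv run pip install dist/checkov-*.whl'
    - name: Clone Terragoat - vulnerable terraform
      run: git clone https://github.com/bridgecrewio/terragoat
    - name: Run checkov with Prisma creds
      env:
        # The API key is supplied through BC_API_KEY, which checkov's CLI reads
        # when --bc-api-key is not given, instead of being passed as a command-line
        # argument: argv is readable by every process on this shared self-hosted
        # runner, and GitHub's log masking does not cover the process table.
        BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
        PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
      run: |
        pipenv run checkov -s -d terragoat --repo-id yuvalyacoby/terragoat > checkov_report_prisma.txt
        # The step runs under bash -e, so a grep with no match fails the job on
        # its own; no explicit exit is needed.
        grep "prismacloud.io" checkov_report_prisma.txt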
sast-integration-tests:
strategy:
fail-fast: true
matrix:
python: ["3.10", "3.11", "3.12", "3.13"]
os: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.os }}
continue-on-error: true # for now it is ok to fail
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
with:
python-version: ${{ matrix.python }}
- name: Install pipenv
run: |
python -m pip install --no-cache-dir --upgrade pipenv
- name: Build & install checkov package
run: |
# remove venv, if exists
pipenv --rm || true
pipenv --python ${{ matrix.python }}
pipenv run pip install pytest pytest-xdist setuptools wheel
pipenv run python setup.py sdist bdist_wheel
bash -c 'pipenv run pip install dist/checkov-*.whl'
- name: Clone flask - Python repo for SAST
run: git clone https://github.com/pallets/flask
- name: Clone WebGoat - Java repo for SAST
run: git clone https://github.com/WebGoat/WebGoat
- name: Clone axios - JavaScript repo for SAST
run: git clone https://github.com/axios/axios
- name: Create checkov reports
env:
LOG_LEVEL: INFO
BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
run: bash -c './sast_integration_tests/prepare_data.sh'
- name: Run integration tests
run: |
pipenv run pytest sast_integration_tests
sast-integration-tests-old-python:
strategy:
fail-fast: true
matrix:
python: ["3.9"]
os: [ubuntu-latest]
runs-on: ${{ matrix.os }}
continue-on-error: true # for now it is ok to fail
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
with:
python-version: ${{ matrix.python }}
- name: Install pipenv
run: |
python -m pip install --no-cache-dir --upgrade pipenv
- name: Build & install checkov package
run: |
# remove venv, if exists
pipenv --rm || true
pipenv --python ${{ matrix.python }}
pipenv run pip install pytest pytest-xdist setuptools wheel
pipenv run python setup.py sdist bdist_wheel
bash -c 'pipenv run pip install dist/checkov-*.whl'
- name: Clone flask - Python repo for SAST
run: git clone https://github.com/pallets/flask
- name: Clone WebGoat - Java repo for SAST
run: git clone https://github.com/WebGoat/WebGoat
- name: Clone axios - JavaScript repo for SAST
run: git clone https://github.com/axios/axios
- name: Create checkov reports
env:
LOG_LEVEL: INFO
BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
run: bash -c './sast_integration_tests/prepare_data.sh'
- name: Run integration tests
run: |
pipenv run pytest sast_integration_tests
unit-tests:
timeout-minutes: 30
runs-on: ubuntu-latest
env:
PYTHON_VERSION: "3.9"
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
- name: Set up Python ${{ env.PYTHON_VERSION }}
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
with:
token: ${{ secrets.GITHUB_TOKEN }}
- uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Install pipenv
run: |
python -m pip install --no-cache-dir --upgrade pipenv
- name: Install dependencies
run: |
# remove venv, if exists
pipenv --rm || true
pipenv --python ${{ env.PYTHON_VERSION }}
pipenv install --dev
- name: Test with pytest
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
IS_TEST: true
run: |
pipenv run python -m pytest tests
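bump-version:
  # Release job: computes the next tag, commits the regenerated policy index and
  # version files, pushes the tag and publishes the package to PyPI.
  needs: [integration-tests, unit-tests, prisma-tests, sast-integration-tests, integration-tests-old-python, sast-integration-tests-old-python]
  runs-on: [self-hosted, public, linux, x64]
  environment: release
  permissions:
    contents: write
    # IMPORTANT: this permission is mandatory for trusted publishing to pypi
    id-token: write
  timeout-minutes: 30
  env:
    PYTHON_VERSION: "3.9"
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
      with:
        # A PAT (rather than GITHUB_TOKEN) so the pushes below can trigger other
        # workflows. checkout persists it in .git/config for the whole job
        # (persist-credentials defaults to true), which is what `git push` relies on.
        token: ${{ secrets.GH_PAT_SECRET }}
    - name: Import GPG key
      id: import_gpg
      uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v5
      with:
        gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
        passphrase: ${{ secrets.PASSPHRASE }}
    - name: Set up Python ${{ env.PYTHON_VERSION }}
      uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
      with:
        python-version: ${{ env.PYTHON_VERSION }}
    - name: Install pipenv
      run: |
        python -m pip install --no-cache-dir --upgrade pipenv
    - name: Install dependencies
      run: |
        # remove venv, if exists
        pipenv --rm || true
        pipenv --python ${{ env.PYTHON_VERSION }}
        pipenv install
    - name: Calculate version
      id: calculateVersion
      env:
        # The dispatch input reaches the script via the environment instead of a
        # `${{ inputs.versionBump }}` expansion in the script text. It is a
        # fixed-choice input today, so injection is not possible, but the env route
        # stays safe if the input is ever relaxed to free text.
        VERSION_BUMP: ${{ inputs.versionBump }}
      run: |
        git fetch --tags --force
        latest_tag="$(git tag --sort=v:refname | tail -n 1)"
        echo "latest tag: $latest_tag"
        # Push events carry no inputs; an empty value means a patch release.
        version="${VERSION_BUMP:-patch}"
        # Tags are plain MAJOR.MINOR.PATCH, so awk can split on the dots. (The
        # previous `-v a="$1" ...` variables were always empty: a run step has no
        # positional parameters, so they only added zero to each field.)
        case "$version" in
          minor)
            new_tag=$(echo "$latest_tag" | awk -F. '{printf("%d.%d.%d", $1, $2+1, 0)}')
            ;;
          major)
            new_tag=$(echo "$latest_tag" | awk -F. '{printf("%d.%d.%d", $1+1, 0, 0)}')
            ;;
          patch)
            new_tag=$(echo "$latest_tag" | awk -F. '{printf("%d.%d.%d", $1, $2, $3+1)}')
            ;;
          *)
            # Unreachable with the choice input, but better than silently tagging "".
            echo "unsupported version bump: $version" >&2
            exit 1
            ;;
        esac
        echo "new tag: $new_tag"
        echo "version=$new_tag" >> "$GITHUB_OUTPUT"
        # Major version for the short image tag. Take everything before the first
        # dot rather than the first character, so a two-digit major (10.0.0) is not
        # truncated to "1".
        major_version="${new_tag%%.*}"
        echo "major_version=$major_version" >> "$GITHUB_OUTPUT"
    - name: version
      id: version
      env:
        # NOTE(review): nothing in this step reads GITHUB_TOKEN explicitly - git
        # pushes with the PAT persisted by actions/checkout. Kept in case a
        # sub-process depends on it; confirm before removing.
        GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}
        NEW_TAG: ${{ steps.calculateVersion.outputs.version }}
      run: |
        ## update docs
        export PYTHONPATH='.'
        # change the doc links to proper markdown versions
        export CHECKOV_CREATE_MARKDOWN_HYPERLINKS='True'
        # The commit identity has to exist before the first `git commit` below;
        # previously it was configured after that commit, so an identity failure
        # on a fresh runner would have been swallowed by the "|| echo".
        git config --global user.name 'GitHub Actions Bot'
        git config --global user.email 'actions@github.com'
        git pull
        for i in cloudformation terraform kubernetes serverless arm dockerfile secrets github_configuration gitlab_configuration bitbucket_configuration github_actions gitlab_ci bicep openapi bitbucket_pipelines argo_workflows circleci_pipelines azure_pipelines ansible all
        do
          export scansdoc="docs/5.Policy Index/$i.md"
          echo "---" > "$scansdoc"
          echo "layout: default" >> "$scansdoc"
          echo "title: $i resource scans" >> "$scansdoc"
          echo "nav_order: 1" >> "$scansdoc"
          echo "---" >> "$scansdoc"
          echo "" >> "$scansdoc"
          echo "# $i resource scans (auto generated)" >> "$scansdoc"
          echo "" >> "$scansdoc"
          pipenv run python checkov/main.py --list --framework "$i" >> "$scansdoc"
        done
        #add cloudformation scans to serverless
        export scansdoc="docs/5.Policy Index/serverless.md"
        pipenv run python checkov/main.py --list --framework cloudformation >> "$scansdoc"
        git add "docs/5.Policy Index/*"
        # Only commit when something is staged, so a genuine commit failure is no
        # longer hidden behind "No changes to commit".
        if git diff --cached --quiet; then
          echo "No changes to commit"
        else
          git commit --reuse-message="HEAD@{1}"
        fi
        new_tag="$NEW_TAG"
        echo "new tag: $new_tag"
        ## update python version
        echo "version = '$new_tag'" > 'checkov/version.py'
        echo "checkov==$new_tag" > 'kubernetes/requirements.txt'
        if git diff --quiet -- checkov/version.py kubernetes/requirements.txt; then
          echo "No changes to commit"
        else
          git commit --reuse-message="HEAD@{1}" checkov/version.py kubernetes/requirements.txt
        fi
        git push origin
        git tag "$new_tag"
        git push --tags
    - name: create python package
      run: |
        pipenv run python setup.py sdist bdist_wheel
    - name: Publish a Python distribution to PyPI
      # No `password:` input is given, so the action authenticates with the job's
      # OIDC token (id-token: write above) - no long-lived PyPI token is stored.
      uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1
    - name: sleep and wait for package to refresh
      run: |
        sleep 2m
  outputs:
    version: ${{ steps.calculateVersion.outputs.version }}
    major_version: ${{ steps.calculateVersion.outputs.major_version }}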
publish-checkov-dockerhub:
  # Builds and pushes the release image to Docker Hub and GHCR via the org's shared
  # publish workflow.
  needs: bump-version
  # NOTE(review): this reusable workflow is referenced by a branch (@main), while
  # every action in this file is pinned to a SHA. It receives the Docker Hub
  # password, the platform key and an OIDC-capable token, so whoever can push to
  # that branch can exfiltrate them. Same org limits the blast radius; still
  # consider pinning it to a SHA or tag for the same reason the actions are pinned.
  uses: bridgecrewio/gha-reusable-workflows/.github/workflows/publish-image.yaml@main
  permissions:
    contents: read
    id-token: write # Enable OIDC
    packages: write
  with:
    image_name_dockerhub: bridgecrew/checkov
    image_name_ghcr: ghcr.io/${{ github.repository }}
    image_tag_full: ${{ needs.bump-version.outputs.version }}
    image_tag_short: ${{ needs.bump-version.outputs.major_version }}
    runner: "['self-hosted', 'public', 'linux', 'x64']"
  secrets:
    BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
    PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
    DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
    DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
publish-checkov-k8s-dockerhub:
needs: bump-version
uses: bridgecrewio/gha-reusable-workflows/.github/workflows/publish-image.yaml@main
permissions:
contents: read
id-token: write # Enable OIDC
packages: write
with:
image_name_dockerhub: bridgecrew/checkov-k8s
image_name_ghcr: ghcr.io/${{ github.repository }}-k8s
image_tag_full: ${{ needs.bump-version.outputs.version }}
image_tag_short: ${{ needs.bump-version.outputs.major_version }}
dockerfile_path: kubernetes/Dockerfile
runner: "['self-hosted', 'public', 'linux', 'x64']"
secrets:
BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
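update-bridgecrew-projects:
  # Fan-out after the image is published: kicks the internal Jenkins upgrade job and
  # the repository_dispatch builds of the projects that pin a checkov version.
  # NOTE(review): only the main image publish is awaited; the -k8s image may still
  # be building when downstream projects are triggered. Confirm that is intended.
  needs: publish-checkov-dockerhub
  runs-on: [self-hosted, public, linux, x64]
  environment: release
  # No checkout: the step below only issues HTTP calls and reads nothing from the
  # repository, so there is no reason to persist a token into a working copy.
  steps:
    - name: update checkov release
      env:
        # Secrets reach the script through the environment rather than through
        # `${{ secrets.* }}` expansions inside `run:`. An expanded secret becomes
        # part of the script file written to the runner and of the curl command
        # line, both readable by other processes on this shared self-hosted host;
        # GitHub's log masking does not cover either.
        BC_JENKINS_TOKEN: ${{ secrets.BC_JENKINS_TOKEN }}
        GH_PAT_USER: ${{ secrets.GH_PAT_USER }}
        GH_PAT_SECRET: ${{ secrets.GH_PAT_SECRET }}
      run: |
        # -f (--fail) makes curl exit non-zero on HTTP 4xx/5xx. Without it a
        # rejected dispatch (expired PAT, renamed repo, bad Jenkins token) left
        # the job green. -K - feeds credentials via a config file on stdin so they
        # never appear in argv.
        # The Jenkins build token is a query parameter because that is the
        # interface of the buildByToken endpoint being called; it will still show
        # up in Jenkins/proxy access logs - prefer a header-based webhook secret if
        # that endpoint offers one.
        curl -fsS -X POST -K - <<EOF
        url = "https://jenkins-webhook.bridgecrew.cloud/buildByToken/build?job=Open-Source/upgrade-checkov&token=${BC_JENKINS_TOKEN}"
        EOF
        gh_dispatch() {
          # $1: owner/repo, $2: event_type
          curl -fsS -X POST -K - \
            -H "Accept: application/vnd.github+json" \
            -H "Content-Type: application/json" \
            --data "{\"event_type\": \"$2\"}" \
            "https://api.github.com/repos/$1/dispatches" <<EOF
        user = "${GH_PAT_USER}:${GH_PAT_SECRET}"
        EOF
        }
        # trigger checkov-action update
        gh_dispatch bridgecrewio/checkov-action build
        # trigger bridgecrew-py update
        gh_dispatch bridgecrewio/bridgecrew-py build
        # trigger whorf update
        gh_dispatch bridgecrewio/whorf release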
================================================
FILE: .github/workflows/codeql-analysis.yml
================================================
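# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"
on:
  push:
    branches: [ main ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ main ]
  schedule:
    - cron: '17 4 * * 2'
  workflow_dispatch:
permissions:
  contents: read
jobs:
  analyze:
    name: Analyze
    # NOTE(review): pull_request runs - including ones opened from forks - execute
    # on the self-hosted pool. That is only acceptable if these runners are
    # ephemeral and hold nothing beyond the read-only GITHUB_TOKEN this job gets;
    # confirm against the runner setup.
    runs-on: [self-hosted, public, linux, x64]
    permissions:
      actions: read
      contents: read
      security-events: write  # upload of SARIF results
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
      - name: Set up Python
        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
        with:
          python-version: '3.10'
      - name: Setup python for CodeQL
        run: |
          python -m pip install --no-cache-dir --upgrade pip pipenv
          echo "CODEQL_PYTHON=$(which python)" >> "$GITHUB_ENV"
      - name: Check Pipfile.lock changed
        # Keep this SHA-pinned: the sibling tj-actions/changed-files action had its
        # mutable tags retargeted to a malicious commit in March 2025, and a SHA
        # pin is what makes such a retarget ineffective here.
        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v13
        id: changed_files
        with:
          files: Pipfile.lock
      - name: Setup dependencies if they changed
        if: steps.changed_files.outputs.files_changed == 'true'
        run: |
          # `pipenv lock -r` was removed from pipenv in the 2022.8 releases, and the
          # step above installs the latest pipenv, so that form fails outright.
          # `pipenv requirements` is its replacement and exports the same
          # requirements.txt from Pipfile.lock.
          pipenv requirements > requirements.txt
          pip install -r requirements.txt
      - name: Initialize CodeQL
        # NOTE(review): this pin is on the codeql-action v2 line, which GitHub has
        # announced as retired; verify the scan still uploads before relying on it.
        uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v2
        with:
          languages: python
          # Dependencies are installed by the step above (when the lock changed),
          # so the action's own dependency setup is skipped.
          setup-python-dependencies: false
          config-file: ./.github/codeql-config.yml
      - name: Autobuild
        uses: github/codeql-action/autobuild@45775bd8235c68ba998cffa5171334d58593da47 # v2
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v2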
================================================
FILE: .github/workflows/coverage.yaml
================================================
name: Coverage
# Weekly job that re-runs the test suite under coverage and regenerates coverage.svg.
on:
  schedule:
    - cron: '0 0 * * 0'
  workflow_dispatch:
permissions:
  contents: read
jobs:
  update-coverage:
    runs-on: [ self-hosted, public, linux, x64 ]
    permissions:
      contents: write
    environment: release
    env:
      PYTHON_VERSION: "3.9"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
        with:
          # NOTE(review): the PAT, the GPG key import and `contents: write` all
          # exist to push a signed commit, yet the last step below commits and
          # never pushes. Either a `git push` went missing, or these credentials
          # are granted to a job that no longer needs them - confirm which, and
          # either add the push or drop the PAT/GPG key/write grant (least
          # privilege: the GPG private key in particular should not be imported
          # onto a shared runner for nothing).
          token: ${{ secrets.GH_PAT_SECRET }}
      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v5
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      - name: Install dependencies
        run: |
          # remove venv, if exists
          pipenv --rm || true
          pipenv --python ${{ env.PYTHON_VERSION }}
          pipenv install --dev
          pipenv run pip install pytest
      - name: Test with pytest
        # The commit below is local to the runner's working copy; see the note on
        # the checkout step. Its "|| echo" also hides real failures (for example a
        # missing git identity), not only the no-change case.
        run: |
          pipenv run pytest --cov-report term --cov=checkov tests
          pipenv run python -m coverage_badge -o coverage.svg -f
          git commit -m "Update coverage" coverage.svg || echo "No changes to commit"
================================================
FILE: .github/workflows/jekyll-gh-pages.yml
================================================
# Sample workflow for building and deploying a Jekyll site to GitHub Pages
name: Deploy Jekyll with GitHub Pages dependencies preinstalled
on:
  # Runs on pushes targeting the default branch
  push:
    branches: ["main"]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
# NOTE(review): declared at workflow level, these grants apply to the build job
# as well as to deploy. Only deploy needs `pages: write` and `id-token: write`;
# moving them under the deploy job would keep the build job read-only (verify
# configure-pages does not need the write grant in this repository's setup).
permissions:
  contents: read
  pages: write
  id-token: write
# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
concurrency:
  group: "pages"
  cancel-in-progress: false
jobs:
  # Build job
  build:
    runs-on: [self-hosted, public, linux, x64]
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
      - name: Setup Pages
        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v3
      - name: Build with Jekyll
        uses: actions/jekyll-build-pages@44a6e6beabd48582f863aeeb6cb2151cc1716697 # v1
        with:
          source: ./docs
          destination: ./_site
      - name: Upload artifact
        uses: actions/upload-pages-artifact@0252fc4ba7626f0298f0cf00902a25c6afc77fa8 # v2
  # Deployment job
  deploy:
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    runs-on: [self-hosted, public, linux, x64]
    needs: build
    steps:
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v2
================================================
FILE: .github/workflows/nightly.yml
================================================
name: Nightly Run
on:
schedule:
# daily at 23:00 UTC
- cron: "0 23 * * *"
workflow_dispatch:
permissions:
contents: read
jobs:
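github-release:
  # Creates a GitHub Release (plus a CHANGELOG.md entry) for the newest git tag
  # whenever no release exists for it yet.
  runs-on: [self-hosted, public, linux, x64]
  environment: release
  permissions:
    contents: write
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
      with:
        fetch-depth: 0  # full history so `git describe` sees the tags
        token: ${{ secrets.GH_PAT_SECRET }}
    - name: Prepare Release
      id: prepare_release
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        # grab latest release and tag to compare and decide to create a new one
        create_release=true
        # Authenticated and with --fail: an unauthenticated call from a shared
        # runner IP is easily rate-limited, and without --fail an error body would
        # be parsed into an empty release name and silently force a fresh release
        # with an empty fromTag.
        latest_gh_release=$(curl -fsS \
          -H "Authorization: Bearer ${GITHUB_TOKEN}" \
          -H "Accept: application/vnd.github+json" \
          "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" \
          | grep -Po '"tag_name": "\K.*?(?=")')
        if [ -z "$latest_gh_release" ]; then
          echo "could not determine the latest GitHub release" >&2
          exit 1
        fi
        latest_tag=$(git describe --abbrev=0 --tags)
        if [ "$latest_gh_release" = "$latest_tag" ]
        then
          create_release=false
        fi
        echo "create_release=$create_release" >> "$GITHUB_OUTPUT"
        echo "latest_release_version=$latest_gh_release" >> "$GITHUB_OUTPUT"
        echo "version=$latest_tag" >> "$GITHUB_OUTPUT"
    - name: Build GitHub Release changelog
      if: steps.prepare_release.outputs.create_release == 'true'
      id: build_github_release
      uses: mikepenz/release-changelog-builder-action@5f3409748e2230350e149a7f7b5b8e9bcd785d44 # v3
      env:
        GITHUB_TOKEN: ${{ secrets.GH_PAT_SECRET }}
      with:
        configuration: ".github/release-changelog-config.json"
        fromTag: ${{ steps.prepare_release.outputs.latest_release_version }}
        toTag: ${{ steps.prepare_release.outputs.version }}
    - name: Create GitHub Release
      if: steps.build_github_release.outputs.changelog != ''
      uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
      id: create_github_release
      with:
        tag_name: ${{ steps.prepare_release.outputs.version }}
        name: ${{ steps.prepare_release.outputs.version }}
        body: ${{ steps.build_github_release.outputs.changelog }}
    - name: Update CHANGELOG.md
      if: steps.build_github_release.outputs.changelog != ''
      uses: stefanzweifel/changelog-updater-action@a938690fad7edf25368f37e43a1ed1b34303eb36 # v1
      with:
        latest-version: ${{ steps.prepare_release.outputs.version }}
        release-notes: ${{ steps.build_github_release.outputs.changelog }}
    - name: Commit updated CHANGELOG.md
      if: steps.build_github_release.outputs.changelog != ''
      uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5
      with:
        commit_message: "chore: update release notes"
        file_pattern: CHANGELOG.md
  outputs:
    # Consumed by the artifact jobs as their "a release was created" signal.
    upload_url: ${{ steps.create_github_release.outputs.upload_url }}
    version: ${{ steps.prepare_release.outputs.version }}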
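build-release-artifacts:
  # Builds a single-file executable per OS and attaches it to the release created
  # by the github-release job.
  strategy:
    matrix:
      include:
        - os: macos-latest
          name: darwin
          suffix: ''
        - os: ubuntu-latest
          name: linux
          suffix: ''
        - os: windows-latest
          name: windows
          suffix: '.exe'
  needs: [github-release]
  if: needs.github-release.outputs.upload_url != ''
  runs-on: ${{ matrix.os }}
  permissions:
    contents: write
  env:
    PYTHON_VERSION: "3.9"
    # The archive is created directly under its final asset name, because the
    # release action below publishes files under their basename.
    ASSET_NAME: checkov_${{ matrix.name }}_X86_64.zip
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
      with:
        fetch-depth: 0
        token: ${{ secrets.GITHUB_TOKEN }}
    - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
      with:
        python-version: ${{ env.PYTHON_VERSION }}
    - name: Install pipenv
      run: |
        python -m pip install --no-cache-dir --upgrade pipenv
    - name: Install deps and run pyinstaller
      run: |
        pipenv sync
        pipenv run pip install pyinstaller
    - name: Build executable
      run: pipenv run pyinstaller checkov.spec
    - name: Windows - Test executable
      if: matrix.os == 'windows-latest'
      shell: bash
      # make sure it doesn't crash
      run: ./dist/checkov.exe -s -d tests/terraform/checks/resource/alicloud
    - name: Windows - zip artifact
      if: matrix.os == 'windows-latest'
      run: tar.exe -a -c -f ${{ env.ASSET_NAME }} dist\\checkov.exe
    - name: Linux/Mac - Test executable
      if: matrix.os != 'windows-latest'
      # make sure it doesn't crash
      run: ./dist/checkov -s -d tests/terraform/checks/resource/alicloud
    - name: Linux/Mac - zip artifact
      if: matrix.os != 'windows-latest'
      run: zip "$ASSET_NAME" dist/checkov
    - name: Upload Release Asset
      # actions/upload-release-asset is archived and was the only action in these
      # workflows referenced by a mutable tag (@v1) instead of a SHA - a tag
      # retarget would have run arbitrary code with `contents: write`. The same
      # SHA-pinned release action the github-release job already uses can attach
      # files to the existing release identified by tag_name.
      uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
      with:
        tag_name: ${{ needs.github-release.outputs.version }}
        files: ${{ env.ASSET_NAME }}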
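build-release-artifact-linux-arm:
  # Same as build-release-artifacts, for linux/arm64 inside an arm64 container.
  needs: [ github-release ]
  if: needs.github-release.outputs.upload_url != ''
  runs-on: [self-hosted, public, linux, arm64]
  container:
    # NOTE(review): a mutable image tag; the release binary is built from whatever
    # this tag points to on the day. Pin it by digest (image@sha256:...) to get the
    # same supply-chain guarantee the SHA-pinned actions give.
    image: arm64v8/python:3.9
  permissions:
    contents: write
  env:
    ASSET_NAME: checkov_linux_arm64.zip
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
      with:
        fetch-depth: 0
        token: ${{ secrets.GITHUB_TOKEN }}
    - name: Install pipenv
      run: |
        python -m pip install --no-cache-dir --upgrade pipenv
    - name: Install deps and run pyinstaller
      run: |
        pipenv sync
        pipenv run pip install pyinstaller
    - name: Build executable
      run: pipenv run pyinstaller checkov.spec
    - name: zip artifact
      # The archive is created directly under its final asset name, because the
      # release action below publishes files under their basename.
      run: |
        apt-get update
        apt-get install -y zip
        zip "$ASSET_NAME" dist/checkov
    - name: Upload Release Asset
      # actions/upload-release-asset is archived and was referenced by a mutable
      # tag (@v1) while everything else is SHA-pinned; the SHA-pinned release
      # action already used by github-release attaches files to the existing
      # release identified by tag_name.
      uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
      with:
        tag_name: ${{ needs.github-release.outputs.version }}
        files: ${{ env.ASSET_NAME }}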
================================================
FILE: .github/workflows/pipenv-update.yml
================================================
name: pipenv-update
# Weekly dependency refresh: runs `pipenv update` and opens a PR with the result.
on:
  schedule:
    - cron: '8 22 * * 1'
  workflow_dispatch:
permissions:
  contents: read
jobs:
  pipenv-update:
    runs-on: [self-hosted, public, linux, x64]
    permissions:
      contents: write
      pull-requests: write
    env:
      PYTHON_VERSION: "3.9"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
        with:
          # NOTE(review): github.head_ref is only set for pull_request events; on
          # schedule/dispatch it is empty, so this resolves to the default branch.
          # It is harmless but misleading - presumably left over from a PR trigger.
          ref: ${{ github.head_ref }}
          token: ${{ secrets.GH_PAT_SECRET }}
      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v5
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      # NOTE(review): `git commit` exits non-zero when `pipenv update` changed
      # nothing, which fails the whole run rather than ending it quietly; guard
      # the commit with `git diff --cached --quiet ||` if a no-op week should be
      # green. Nothing in this step visibly reads GITHUB_TOKEN; git pushes are
      # done by the next step with its own token - confirm before removing it.
      - run: |
          git config --local user.email "action@github.com"
          git config --local user.name "GitHub Action"
          pipenv update
          git add -u
          git commit -m "update pipenv packages"
        env:
          GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}
      - name: Create Pull Request
        id: cpr
        # A PAT (not GITHUB_TOKEN) so the resulting PR triggers the PR workflows;
        # PRs created with the job token do not start other workflows.
        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v5
        with:
          token: ${{ secrets.PAT_TOKEN }}
          title: '[AUTO-PR] Update pipenv packages'
          body: |
            bump pipenv packages
            - Auto-generated by [pipenv-update github action](https://github.com/bridgecrewio/checkov/blob/main/.github/workflows/pipenv-update.yml)
          labels: automated pr
          branch: pipenvfix
          branch-suffix: timestamp
================================================
FILE: .github/workflows/pr-test.yml
================================================
name: PR Test
on: pull_request

# Default token scope for every job; jobs needing more declare it themselves.
permissions:
  contents: read

jobs:
  lint:
    # NOTE(review): reusable workflow referenced by the mutable `main` branch
    # rather than a commit SHA, unlike the pinned actions elsewhere in this file.
    uses: bridgecrewio/gha-reusable-workflows/.github/workflows/pre-commit.yaml@main
    with:
      python-version: "3.9"
  danger-check:
    # NOTE(review): runs on a self-hosted runner with the PR checked out, and
    # `danger ci` executes the repository's dangerfile from that checkout - so
    # PR-authored code runs on this runner. Presumably the `public` pool is
    # isolated/ephemeral for that reason; confirm.
    runs-on: [ self-hosted, public, linux, x64 ]
    permissions:
      contents: read
      pull-requests: read
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
      - name: Install Node.js
        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
        with:
          node-version: "16"
      # Unpinned `npm install -g danger`: the tool version changes underneath CI.
      - name: Install and run DangerJS
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          npm install -g danger
          danger ci --verbose --failOnErrors
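cfn-lint:
  # Lints only the CloudFormation test templates touched by the PR.
  runs-on: ubuntu-latest
  env:
    PYTHON_VERSION: "3.9"
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
    - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
      with:
        python-version: ${{ env.PYTHON_VERSION }}
    - name: Get changed CFN test files
      id: changed-files-specific
      uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v44
      with:
        files: tests/cloudformation/checks/resource/aws/**/*
    - name: Filter YAML and JSON files
      if: steps.changed-files-specific.outputs.any_changed == 'true'
      id: filter-files
      env:
        # Pass the action output through the environment instead of inlining
        # ${{ }} into `run:`: the value is built from PR-controlled file names,
        # and an inlined expression is spliced into the shell source before it
        # is parsed.
        ALL_CHANGED_FILES: ${{ steps.changed-files-specific.outputs.all_changed_files }}
      run: |
        # The action emits a space-separated list; keep *.yaml/*.yml/*.json and
        # drop SAM templates, which cfn-lint does not understand.
        YAML_JSON_FILES=$(echo "$ALL_CHANGED_FILES" \
          | tr ' ' '\n' \
          | grep -E '\.ya?ml$|\.json$' \
          | grep -v 'sam\.yaml$' \
          | tr '\n' ' ')
        if [ -n "$YAML_JSON_FILES" ]; then
          echo "YAML_JSON_FILES=$YAML_JSON_FILES" >> "$GITHUB_ENV"
        fi
    # NOTE(review): cfn-lint is installed unpinned (`-U`), so lint results can
    # change between runs without any change to the repo.
    - name: Install cfn-lint & Lint Cloudformation templates
      if: env.YAML_JSON_FILES != ''
      run: |
        pip install -U cfn-lint
        for file in $YAML_JSON_FILES; do
          cfn-lint "$file" -i W
        done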
mypy:
  # NOTE(review): reusable workflow referenced by the mutable `main` branch
  # rather than a commit SHA.
  uses: bridgecrewio/gha-reusable-workflows/.github/workflows/mypy.yaml@main
  with:
    python-version: "3.9"
unit-tests:
  strategy:
    fail-fast: true
    matrix:
      python: ["3.9", "3.10", "3.11", "3.12", "3.13"]
  runs-on: ubuntu-latest
  timeout-minutes: 30
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
    - name: Set up Python ${{ matrix.python }}
      uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
      with:
        python-version: ${{ matrix.python }}
        allow-prereleases: true
        # Cache keyed on the lock file, so a dependency bump invalidates it.
        cache: "pipenv"
        cache-dependency-path: "Pipfile.lock"
    - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
    - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2
      with:
        github-token: ${{ secrets.GITHUB_TOKEN }}
    # 3.12/3.13 are held on a specific pipenv release; the rest float to latest.
    - name: Install pipenv
      run: |
        if [ "${{ matrix.python }}" = "3.12" ] || [ "${{ matrix.python }}" = "3.13" ]; then
          # needed for numpy
          python -m pip install --no-cache-dir --upgrade pipenv==2024.4.0
        else
          python -m pip install --no-cache-dir --upgrade pipenv
        fi
    # NOTE(review): on 3.12/3.13 `--skip-lock` ignores Pipfile.lock, so those two
    # matrix entries test against whatever resolves today rather than the pinned
    # set the other versions use; results on them can drift without a repo change.
    - name: Install dependencies
      run: |
        # remove venv, if exists
        pipenv --rm || true
        pipenv --python ${{ matrix.python }}
        if [ "${{ matrix.python }}" = "3.12" ] || [ "${{ matrix.python }}" = "3.13" ]; then
          echo "patching >3.12 issues"
          pipenv run pip install setuptools
          # needed for numpy
          pipenv install --skip-lock --dev -v
        else
          pipenv install --dev -v
        fi
        # list all dependencies to get a better view about installed package versions
        pipenv run pip list
    - name: Unit tests
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: pipenv run python -m pytest tests
integration-tests:
  # End-to-end scans of the "goat" fixture repos with the packaged checkov wheel.
  strategy:
    fail-fast: true
    matrix:
      python: ["3.10", "3.11", "3.12", "3.13"]
      os: [ubuntu-latest, macos-latest, windows-latest]
  runs-on: ${{ matrix.os }}
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
    - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
      with:
        python-version: ${{ matrix.python }}
        allow-prereleases: true
        cache: "pipenv"
        cache-dependency-path: "Pipfile.lock"
    # No node-version given: the runner image's default Node is used.
    - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
    - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
      with:
        version: "v3.19.1" # the tests break starting v4 as checkov cannot support it, needs to be investigated
        token: ${{ secrets.GITHUB_TOKEN }}
    - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2
      if: ${{ runner.os != 'windows' }}
      with:
        github-token: ${{ secrets.GITHUB_TOKEN }}
    - name: Install pipenv
      run: |
        python -m pip install --no-cache-dir --upgrade pipenv
    # Builds and installs the wheel from the PR so the tests exercise the
    # packaged checkov, not the source tree. pytest/setuptools/wheel are unpinned.
    - name: Build & install checkov package
      shell: bash
      run: |
        # remove venv, if exists
        pipenv --rm || true
        pipenv --python ${{ matrix.python }}
        pipenv run pip install pytest pytest-xdist setuptools wheel
        pipenv run python setup.py sdist bdist_wheel
        bash -c 'pipenv run pip install dist/checkov-*.whl'
    # Fixture repos are cloned at their current default-branch HEAD (no tag or
    # commit), so an upstream change alters the scan targets between runs.
    - name: Clone Terragoat - vulnerable terraform
      run: git clone https://github.com/bridgecrewio/terragoat
    - name: Clone Cfngoat - vulnerable cloudformation
      run: git clone https://github.com/bridgecrewio/cfngoat
    - name: Clone Kubernetes-goat - vulnerable kubernetes
      run: git clone https://github.com/madhuakula/kubernetes-goat
    - name: Clone kustomize-goat - vulnerable kustomize
      run: git clone https://github.com/bridgecrewio/kustomizegoat
    # NOTE(review): the key is exported as BC_KEY, not the BC_API_KEY name the
    # SAST/CDK jobs use (on fork PRs secrets are empty either way). The second
    # argument to prepare_data.sh is a fixed "3.9" although this matrix runs
    # 3.10-3.13 - confirm that is intended.
    - name: Create checkov reports
      env:
        LOG_LEVEL: INFO
        BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}
        PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
      run: |
        # Just making sure the API key tests don't run on PRs
        bash -c './integration_tests/prepare_data.sh ${{ matrix.os }} 3.9'
    - name: Run integration tests
      run: |
        pipenv run pytest integration_tests -k 'not api_key'
integration-tests-old-python:
  # Same flow as integration-tests, split out so the 3.9 matrix can differ
  # (no macOS). Keep the two jobs in sync when editing either.
  strategy:
    fail-fast: true
    matrix:
      python: ["3.9"]
      os: [ubuntu-latest, windows-latest]
  runs-on: ${{ matrix.os }}
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
    - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
      with:
        python-version: ${{ matrix.python }}
        allow-prereleases: true
        cache: "pipenv"
        cache-dependency-path: "Pipfile.lock"
    - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
    - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
      with:
        version: "v3.19.1"
        token: ${{ secrets.GITHUB_TOKEN }}
    - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2
      if: ${{ runner.os != 'windows' }}
      with:
        github-token: ${{ secrets.GITHUB_TOKEN }}
    - name: Install pipenv
      run: |
        python -m pip install --no-cache-dir --upgrade pipenv
    - name: Build & install checkov package
      shell: bash
      run: |
        # remove venv, if exists
        pipenv --rm || true
        pipenv --python ${{ matrix.python }}
        pipenv run pip install pytest pytest-xdist setuptools wheel
        pipenv run python setup.py sdist bdist_wheel
        bash -c 'pipenv run pip install dist/checkov-*.whl'
    # Fixture repos cloned at default-branch HEAD (unpinned), as in
    # integration-tests.
    - name: Clone Terragoat - vulnerable terraform
      run: git clone https://github.com/bridgecrewio/terragoat
    - name: Clone Cfngoat - vulnerable cloudformation
      run: git clone https://github.com/bridgecrewio/cfngoat
    - name: Clone Kubernetes-goat - vulnerable kubernetes
      run: git clone https://github.com/madhuakula/kubernetes-goat
    - name: Clone kustomize-goat - vulnerable kustomize
      run: git clone https://github.com/bridgecrewio/kustomizegoat
    - name: Create checkov reports
      env:
        LOG_LEVEL: INFO
        BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}
        PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
      run: |
        # Just making sure the API key tests don't run on PRs
        bash -c './integration_tests/prepare_data.sh ${{ matrix.os }} 3.9'
    - name: Run integration tests
      run: |
        pipenv run pytest integration_tests -k 'not api_key'
sast-integration-tests:
  # SAST scans of third-party sample repos; only runs when the Prisma API key is
  # available, i.e. never for PRs from forks (secrets are empty there).
  strategy:
    fail-fast: true
    matrix:
      python: ["3.12", "3.13"]
      os: [ubuntu-latest, macos-latest]
  runs-on: ${{ matrix.os }}
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
    - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
      with:
        python-version: ${{ matrix.python }}
        allow-prereleases: true
        cache: "pipenv"
        cache-dependency-path: "Pipfile.lock"
    - name: Install pipenv
      run: |
        python -m pip install --no-cache-dir --upgrade pipenv
    - name: Build & install checkov package
      run: |
        # remove venv, if exists
        pipenv --rm || true
        pipenv --python ${{ matrix.python }}
        pipenv run pip install pytest pytest-xdist setuptools wheel
        pipenv run python setup.py sdist bdist_wheel
        bash -c 'pipenv run pip install dist/checkov-*.whl'
    # Sample repos cloned at default-branch HEAD (unpinned).
    - name: Clone flask - Python repo for SAST
      run: git clone https://github.com/pallets/flask
    - name: Clone WebGoat - Java repo for SAST
      run: git clone https://github.com/WebGoat/WebGoat
    - name: Clone axios - JavaScript repo for SAST
      run: git clone https://github.com/axios/axios
    # NOTE(review): the `!= null` guard relies on an unset secret expanding to
    # '' and '' comparing equal to null; `!= ''` states the intent directly.
    # If the guard ever evaluates false the step is skipped silently.
    - name: Create checkov reports
      env:
        LOG_LEVEL: INFO
        BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
        PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
      if: env.BC_API_KEY != null
      run: bash -c './sast_integration_tests/prepare_data.sh'
    - name: Run integration tests
      env:
        LOG_LEVEL: INFO
        BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
        PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
      if: env.BC_API_KEY != null
      run: |
        pipenv run pytest sast_integration_tests
sast-integration-tests-old-python:
  # Same as sast-integration-tests for Python 3.9 (Linux only); keep in sync.
  strategy:
    fail-fast: true
    matrix:
      python: ["3.9"]
      os: [ubuntu-latest]
  runs-on: ${{ matrix.os }}
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
    - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
      with:
        python-version: ${{ matrix.python }}
        allow-prereleases: true
        cache: "pipenv"
        cache-dependency-path: "Pipfile.lock"
    - name: Install pipenv
      run: |
        python -m pip install --no-cache-dir --upgrade pipenv
    - name: Build & install checkov package
      run: |
        # remove venv, if exists
        pipenv --rm || true
        pipenv --python ${{ matrix.python }}
        pipenv run pip install pytest pytest-xdist setuptools wheel
        pipenv run python setup.py sdist bdist_wheel
        bash -c 'pipenv run pip install dist/checkov-*.whl'
    - name: Clone flask - Python repo for SAST
      run: git clone https://github.com/pallets/flask
    - name: Clone WebGoat - Java repo for SAST
      run: git clone https://github.com/WebGoat/WebGoat
    - name: Clone axios - JavaScript repo for SAST
      run: git clone https://github.com/axios/axios
    - name: Create checkov reports
      env:
        LOG_LEVEL: INFO
        BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
        PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
      if: env.BC_API_KEY != null
      run: bash -c './sast_integration_tests/prepare_data.sh'
    - name: Run integration tests
      env:
        LOG_LEVEL: INFO
        BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
        PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
      if: env.BC_API_KEY != null
      run: |
        pipenv run pytest sast_integration_tests
cdk-integration-tests:
  # CDK scans against the in-repo fixtures; like the SAST jobs, gated on the
  # Prisma API key being present (so skipped for fork PRs).
  strategy:
    fail-fast: true
    matrix:
      python: ["3.12", "3.13"]
      os: [ubuntu-latest, macos-latest]
  runs-on: ${{ matrix.os }}
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
    - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
      with:
        python-version: ${{ matrix.python }}
        allow-prereleases: true
        cache: "pipenv"
        cache-dependency-path: "Pipfile.lock"
    - name: Install pipenv
      run: |
        python -m pip install --no-cache-dir --upgrade pipenv
    - name: Build & install checkov package
      run: |
        # remove venv, if exists
        pipenv --rm || true
        pipenv --python ${{ matrix.python }}
        pipenv run pip install pytest pytest-xdist setuptools wheel
        pipenv run python setup.py sdist bdist_wheel
        bash -c 'pipenv run pip install dist/checkov-*.whl'
    # See the SAST jobs for the note on the `!= null` guard.
    - name: Create checkov reports
      env:
        LOG_LEVEL: INFO
        BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
        PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
      if: env.BC_API_KEY != null
      run: bash -c './cdk_integration_tests/prepare_data.sh'
    - name: Run integration tests
      env:
        LOG_LEVEL: INFO
        BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
        PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
      if: env.BC_API_KEY != null
      run: |
        pipenv run pytest cdk_integration_tests
cdk-integration-tests-old-python:
  # Same as cdk-integration-tests for Python 3.9 (Linux only); keep in sync.
  strategy:
    fail-fast: true
    matrix:
      python: ["3.9"]
      os: [ubuntu-latest]
  runs-on: ${{ matrix.os }}
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
    - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
      with:
        python-version: ${{ matrix.python }}
        allow-prereleases: true
        cache: "pipenv"
        cache-dependency-path: "Pipfile.lock"
    - name: Install pipenv
      run: |
        python -m pip install --no-cache-dir --upgrade pipenv
    - name: Build & install checkov package
      run: |
        # remove venv, if exists
        pipenv --rm || true
        pipenv --python ${{ matrix.python }}
        pipenv run pip install pytest pytest-xdist setuptools wheel
        pipenv run python setup.py sdist bdist_wheel
        bash -c 'pipenv run pip install dist/checkov-*.whl'
    - name: Create checkov reports
      env:
        LOG_LEVEL: INFO
        BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
        PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
      if: env.BC_API_KEY != null
      run: bash -c './cdk_integration_tests/prepare_data.sh'
    - name: Run integration tests
      env:
        LOG_LEVEL: INFO
        BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
        PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
      if: env.BC_API_KEY != null
      run: |
        pipenv run pytest cdk_integration_tests
performance-tests:
  # pytest-benchmark run over large public IaC repos.
  # NOTE(review): this runs the PR's checkov build on a self-hosted runner;
  # PR-authored code executes there. Confirm the `public` pool is isolated.
  env:
    PYTHON_VERSION: "3.9"
    working-directory: ./performance_tests
  runs-on: [self-hosted, public, linux, x64]
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
    - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
      with:
        python-version: ${{ env.PYTHON_VERSION }}
        cache: "pipenv"
        cache-dependency-path: "Pipfile.lock"
    - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
    - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
    - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2
      with:
        github-token: ${{ secrets.GITHUB_TOKEN }}
    - name: Install pipenv
      run: |
        python -m pip install --no-cache-dir --upgrade pipenv
    - name: Build & install checkov package
      run: |
        # remove venv, if exists
        pipenv --rm || true
        pipenv --python ${{ env.PYTHON_VERSION }}
        # 'py' package is used in 'pytest-benchmark', but 'pytest' removed it in their latest version
        pipenv run pip install pytest pytest-benchmark py
        pipenv run python setup.py sdist bdist_wheel
        bash -c 'pipenv run pip install dist/checkov-*.whl'
    # The first two corpora are pinned to a tag so timings stay comparable.
    - name: Clone terraform-aws-components
      run: git clone --branch 0.182.0 https://github.com/cloudposse/terraform-aws-components.git
      working-directory: ${{ env.working-directory }}
    - name: Clone aws-cloudformation-templates
      run: git clone --branch 0.0.1 https://github.com/awslabs/aws-cloudformation-templates.git
      working-directory: ${{ env.working-directory }}
    # NOTE(review): unlike the two above this one is cloned at HEAD, so its size
    # (and therefore the benchmark) can change without a repo change.
    - name: Clone kubernetes-yaml-templates
      run: git clone https://github.com/dennyzhang/kubernetes-yaml-templates.git
      working-directory: ${{ env.working-directory }}
    # TODO: migrate to separate performance tests
    # - name: Clone Python-Mini-Projects
    #   run: git clone https://github.com/alimoustafa2000/Python-Mini-Projects.git
    #   working-directory: ${{ env.working-directory }}
    # - name: Clone NodeJs
    #   run: git clone https://github.com/harshitbansal373/NodeJs.git
    #   working-directory: ${{ env.working-directory }}
    # - name: Clone Mini-Project-using-Java
    #   run: git clone https://github.com/ikanurfitriani/Mini-Project-using-Java.git
    #   working-directory: ${{ env.working-directory }}
    - name: Run performance tests
      run: |
        pipenv run pytest
      working-directory: ${{ env.working-directory }}
dogfood-tests:
  # Runs checkov against this repository itself (see ./dogfood_tests).
  runs-on: ubuntu-latest
  env:
    PYTHON_VERSION: "3.9"
    WORKING_DIRECTORY: ./dogfood_tests
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
    - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
      with:
        python-version: ${{ env.PYTHON_VERSION }}
        cache: "pipenv"
        cache-dependency-path: "Pipfile.lock"
    - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
    - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2
      with:
        github-token: ${{ secrets.GITHUB_TOKEN }}
    - name: Install pipenv
      run: |
        python -m pip install --no-cache-dir --upgrade pipenv
    # pytest/pytest-xdist are unpinned here; the other jobs also add setuptools
    # and wheel before `setup.py bdist_wheel`, this one relies on them being
    # present already.
    - name: Build & install checkov package
      run: |
        # remove venv, if exists
        pipenv --rm || true
        pipenv --python ${{ env.PYTHON_VERSION }}
        pipenv run pip install pytest pytest-xdist
        pipenv run python setup.py sdist bdist_wheel
        bash -c 'pipenv run pip install dist/checkov-*.whl'
    - name: Run dogfood tests
      run: |
        pipenv run pytest
      working-directory: ${{ env.WORKING_DIRECTORY }}
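eval-keys-test:
  # Guards that every check built on BaseResourceCheck reports which keys it
  # evaluated (get_inspected_key / evaluated_keys), so findings stay explainable.
  runs-on: ubuntu-latest
  steps:
    - name: Check out repository
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
    - name: Get changed Python files
      id: changed-files
      uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v44
      with:
        files: checkov/**/*.py
    - name: Validate 'BaseResourceCheck' use contains eval keys
      if: steps.changed-files.outputs.any_changed == 'true'
      env:
        # Hand the action output to the script through the environment rather
        # than inlining ${{ }} into `run:`: the value is built from PR-controlled
        # file names, and an inlined expression is spliced into the shell source
        # before the shell parses it.
        ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
      run: |
        # Files to skip: the base class itself and whole-resource-type checks
        # that legitimately have no single inspected key.
        EXCEPTIONS=(
          "base_resource_check.py"
          "VPCDefaultNetwork.py"
          "IAMUserNotUsedForAccess.py" # Whole Resource type check
        )
        echo "Changed files:"
        echo "$ALL_CHANGED_FILES"
        EXIT_CODE=0
        # The action emits a space-separated list (no `separator` input is set),
        # so split on whitespace. The previous `tr ',' '\n'` + IFS=$'\n' split on
        # nothing and, with more than one changed file, handed the whole list to
        # grep as a single non-existent path - grep failed, the `if` was false,
        # and the check passed silently.
        for file in $ALL_CHANGED_FILES; do
          # Skip anything that is not a regular file at this path.
          [ -f "$file" ] || continue
          # Check if the file is in the list of exceptions
          SKIP_FILE="false"
          for exception in "${EXCEPTIONS[@]}"; do
            # If the file ends with one of the exception file names, skip it
            if [[ "$file" == *"$exception" ]]; then
              echo "Skipping $file (allowed exception)"
              SKIP_FILE="true"
              break
            fi
          done
          # Only run checks if not in exceptions list
          if [[ "$SKIP_FILE" == "false" ]]; then
            # If file contains 'BaseResourceCheck', check for 'get_inspected_key' or 'evaluated_keys'
            if grep -q "BaseResourceCheck" "$file"; then
              if ! grep -q "get_inspected_key" "$file" && ! grep -q "evaluated_keys" "$file"; then
                echo "ERROR: $file has BaseResourceCheck but does NOT contain 'get_inspected_key' or 'evaluated_keys'"
                EXIT_CODE=1
              fi
            fi
          fi
        done
        # Fail the job if any file violated the rule
        if [ "$EXIT_CODE" -ne 0 ]; then
          echo "One or more files did not satisfy the requirement."
          exit 1
        fi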
================================================
FILE: .github/workflows/pr-title.yml
================================================
name: PR Title
on:
  pull_request:
    branches:
      - main
    types: [opened, edited, reopened, synchronize]

permissions:
  contents: read

jobs:
  validate:
    runs-on: [self-hosted, public, linux, x64]
    # NOTE(review): a title check has no reason to write repository contents, so
    # `contents: write` is broader than this job needs. If the action labels the
    # PR it needs `pull-requests: write`, not contents - confirm against the
    # action's documented requirements before narrowing.
    permissions:
      contents: write
    steps:
      - uses: thehanimo/pr-title-checker@7fbfe05602bdd86f926d3fb3bccb6f3aed43bc70 # v1
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          configuration_path: ".github/pr-title-checker-config.json"
================================================
FILE: .github/workflows/security-shared.yml
================================================
# !!! Important !!!
# This a reusable workflow and is used in the PR and push to main branch flow separately
# to be able to protect it behind a manual approval in the PR flow
name: security-shared
on:
  workflow_call:

permissions:
  contents: read

jobs:
  bandit:
    runs-on: [self-hosted, public, linux, x64]
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
        with:
          # Under pull_request_target the default checkout is the *base* branch;
          # this explicitly checks out the PR head so the proposed code is what
          # gets scanned. In the push flow there is no pull_request payload, the
          # value is empty and the pushed commit is checked out.
          ref: ${{ github.event.pull_request.head.sha }}
      - name: security test
        uses: jpetrucciani/bandit-check@74c5ecc4297e374c7e9283bc81f649287bb14f34 # v1
        with:
          path: 'checkov'
  trufflehog-secrets:
    runs-on: [self-hosted, public, linux, x64]
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      # --max_depth=1 scans only the checked-out commit, not history.
      - name: detect secrets
        uses: edplato/trufflehog-actions-scan@0af17d9dd1410283f740eb76b0b8f6b696cadefc # v0.9
        with:
          scanArguments: "--regex --entropy=False --exclude_paths .github/exclude-patterns.txt --max_depth=1"
  checkov-secrets:
    runs-on: [self-hosted, public, linux, x64]
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      # NOTE(review): the action floats on `master` (deliberately, per the comment).
      # More importantly, `config_file` is read from the PR-head checkout, so a PR
      # controls checkov's options (e.g. external check directories) while the
      # scan runs with the Prisma API key on a self-hosted runner. The manual
      # environment approval in the calling workflow is the only control between a
      # fork PR and that key: review a PR's workflow/config changes before approving.
      - name: Scan for secrets
        uses: bridgecrewio/checkov-action@master # use latest and greatest
        with:
          api-key: ${{ secrets.PRISMA_KEY_API2 }}
          prisma-api-url: ${{ secrets.PRISMA_API_URL_2 }}
          config_file: .github/checkov.yaml
================================================
FILE: .github/workflows/security.yml
================================================
# !!! Important !!!
# any change to this workflow will not take into effect on the same PR and only after,
# because of security implications from target 'pull_request_target'
name: security
on:
  pull_request_target: # this is needed to use the API key in a PR
    branches:
      - main

permissions:
  contents: read

jobs:
  # Gate job: it exists only to bind the run to the `scan-security` environment,
  # presumably configured with required reviewers (the header above speaks of a
  # manual approval), so that the dependent scan job - and the secrets it
  # inherits - only run against PR-head code after someone has looked at the PR.
  # Approving is what lets that code reach the secrets; inspect the diff first.
  start-security-scan:
    runs-on: ubuntu-latest
    environment: scan-security
    steps:
      - run: echo start security scan # just needs a simple step to better control the follow-up jobs
  security:
    needs: start-security-scan
    uses: ./.github/workflows/security-shared.yml
    # Hands every repository secret to the reusable workflow; the token keeps the
    # read-only permissions declared above.
    secrets: inherit
================================================
FILE: .gitignore
================================================
# Created by .ignore support plugin (hsz.mobi)
### Python template
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
*__pycache__/

# Python tests residuals
tests/sca_package_2/examples/obj*

# Terraform
*.tfstate*
*.terraform*
*.tfbackend

# git
*.orig

# C extensions
*.so

# Distribution / packaging
.Python
env/
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
.vscode/
*.egg-info/
.installed.cfg
*.egg
.DS_Store

# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
# NOTE(review): this also matches checkov.spec, which the release workflow runs
# `pyinstaller checkov.spec` against straight after checkout - confirm that file
# is tracked (force-added) or generated before the build.
*.spec

# Installer logs
pip-log.txt
pip-delete-this-directory.txt

# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*,cover
.hypothesis/
.external_modules/

# Translations
*.mo
*.pot

# Django stuff:
*.log
local_settings.py

# Flask stuff:
instance/
.webassets-cache

# Scrapy stuff:
.scrapy

# Sphinx documentation
docs/_build/

# PyBuilder
target/

# IPython Notebook
.ipynb_checkpoints

# pyenv
.python-version

# celery beat schedule file
celerybeat-schedule

# dotenv
# Keeps local credential files out of the repo; keep this entry.
.env

# virtualenv
venv/
ENV/

# Spyder project settings
.spyderproject

# Rope project settings
.ropeproject

### VirtualEnv template
# Virtualenv
# http://iamzed.com/2009/05/07/a-primer-on-virtualenv/
[Ii]nclude
[Ll]ib
[Ll]ib64
[Ll]ocal
[Ss]cripts
pyvenv.cfg
.venv
pip-selfcheck.json

### JetBrains template
# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm
# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839

# User-specific stuff:
.idea/workspace.xml
.idea/tasks.xml
.idea/dictionaries
.idea/vcs.xml
.idea/jsLibraryMappings.xml

# Sensitive or high-churn files:
.idea/dataSources.ids
.idea/dataSources.xml
.idea/dataSources.local.xml
.idea/sqlDataSources.xml
.idea/dynamic.xml
.idea/uiDesigner.xml

# Gradle:
.idea/gradle.xml
.idea/libraries

# Mongo Explorer plugin:
.idea/mongoSettings.xml
.idea/

## File-based project format:
*.iws

## Plugin-specific files:

# IntelliJ
/out/

# mpeltonen/sbt-idea plugin
.idea_modules/

# JIRA plugin
atlassian-ide-plugin.xml

# Crashlytics plugin (for Android Studio and IntelliJ)
com_crashlytics_export_strings.xml
crashlytics.properties
crashlytics-build.properties
fabric.properties

# Checkov baseline file
.checkov.baseline

# pytest-benchmarks output directory
.benchmarks/

# test assets that get created locally (20* refers to the start of a date, so this covers us for 78 years)
tests/20*

# vim
.*.sw?
.vim/
.vimspector.json

# Re-include a fixture that the `*.terraform*` rule above would otherwise hide.
!tests/terraform/graph/variable_rendering/test_resources/tfvar_module_variables/modules/instance
tests/common/runner_registry/packages_csv_results/
tests/console

# sast go mod
checkov/sast_core/vendor

*.prof
================================================
FILE: .gitmodules
================================================
[submodule "checkov/sast/sast_core"]
	path = checkov/sast/sast_core
	# SSH URL: cloning needs an SSH key authorised for that repository. The
	# workflows above check out over HTTPS and never pass `submodules:`, so CI
	# builds run without this submodule - TODO confirm that is intended.
	url = git@github.com:bridgecrewio/SAST-Core.git
================================================
FILE: .gitpod.Dockerfile
================================================
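FROM gitpod/workspace-python

RUN pyenv install 3.10.14

# Install kustomize 4.5.2 via the upstream helper script.
# NOTE(review): the script is fetched from the mutable `master` branch and run
# as root with no checksum or signature check; pin it to a release ref and
# verify the download before executing it.
# Steps are chained with && so a failed download or install fails the image
# build instead of being masked by the final `rm` (the RUN's exit status was
# previously that of the last `;`-separated command only).
RUN wget -q -O get_kustomize.sh https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh && \
    chmod 700 get_kustomize.sh && \
    mkdir -p /usr/local/bin && \
    sudo sh -c './get_kustomize.sh 4.5.2 /usr/local/bin' && \
    rm ./get_kustomize.sh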
================================================
FILE: .gitpod.yml
================================================
# This configuration file was automatically generated by Gitpod.
# Please adjust to your needs (see https://www.gitpod.io/docs/config-gitpod-file)
# and commit this file to your remote git repository to share the goodness with others.

tasks:
  # Prebuild task: installs the locked dev dependencies and runs the unit tests.
  - name: Pipenv Environment And Dev
    init: |
      pipenv sync --dev
      pipenv run python -m coverage run -m pytest tests

image:
  file: .gitpod.Dockerfile

github:
  prebuilds:
    # enable for the master/default branch (defaults to true)
    master: true
    # enable for all branches in this repo (defaults to false)
    branches: true
    # enable for pull requests coming from this repo (defaults to true)
    pullRequests: true
    # enable for pull requests coming from forks (defaults to false)
    # NOTE(review): with this on, the init task above (dependency install + test
    # run) executes fork-authored code in Gitpod's prebuild environment. Fine as
    # long as no repo secrets are exposed to prebuilds - confirm.
    pullRequestsFromForks: true
    # add a "Review in Gitpod" button as a comment to pull requests (defaults to true)
    addComment: true
    # add a "Review in Gitpod" button to pull requests (defaults to false)
    addBadge: false
    # add a label once the prebuild is ready to pull requests (defaults to false)
    addLabel: prebuilt-in-gitpod
================================================
FILE: .pre-commit-config.yaml
================================================
# Hooks run by `pre-commit` locally and by the `lint` job in CI.
# NOTE(review): `rev` values are version tags, which are mutable (unlike the
# SHA-pinned GitHub Actions in the workflows); pre-commit also accepts a full
# commit SHA in `rev` when stricter pinning is wanted.
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.5.0
    hooks:
      - id: debug-statements
  - repo: https://github.com/PyCQA/flake8
    rev: 6.1.0
    hooks:
      - id: flake8
        language_version: python3.9
        # Plugins are unpinned and resolve to latest on hook install.
        additional_dependencies:
          - dlint
          - flake8-bugbear
          - flake8-type-checking
  - repo: https://github.com/isidentical/teyit # unit test formatter
    rev: 0.4.3
    hooks:
      - id: teyit
        language_version: python3.9
  # Lints the workflow files themselves (shellcheck on `run:` blocks included).
  - repo: https://github.com/rhysd/actionlint
    rev: v1.6.26
    hooks:
      - id: actionlint-docker
        # SC2129 - Consider using { cmd1; cmd2; } >> file instead of individual redirects.
        args: ["-ignore", "SC2129"]
  - repo: https://github.com/Madoshakalaka/pipenv-setup # Pipfile to setup.py sync checker
    rev: v3.2.0
    hooks:
      - id: pipenv-setup
        language_version: python3.9
        entry: pipenv-setup check
        args: []
        additional_dependencies:
          - vistir<0.7.0 # can be removed, when v4.0.0 of pipenv-setup comes out
          - plette<1.0.0 # Solve issue of import error for plette.models
  - repo: https://github.com/seddonym/import-linter # checks the import dependencies between each other
    rev: v1.12.1
    hooks:
      - id: import-linter
        language_version: python3.9
        args: ["--show-timings"]
================================================
FILE: .pre-commit-hooks.yaml
================================================
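---
# For use with pre-commit.
# See usage instructions at http://pre-commit.com
#
# `files` / `exclude` are Python regexes matched with re.search against the
# repo-relative path.
- id: checkov
  name: Checkov
  description: This hook runs checkov.
  entry: checkov -d .
  language: python
  pass_filenames: false
  always_run: false
  files: \.tf$
  # Skip anything under a .terraform/ directory (downloaded modules/providers).
  # The previous pattern `\.+.terraform\/.*$` required a literal dot *before*
  # the one in `.terraform`, so it did not match the usual `<dir>/.terraform/…`
  # layout and the exclusion never applied.
  exclude: (^|/)\.terraform/
  require_serial: true
- id: checkov_container
  name: Checkov
  description: This hook runs checkov.
  # NOTE(review): floating `latest` tag - the scanner version (and its results)
  # changes underneath users; pin to a version tag or image digest.
  entry: --tty bridgecrew/checkov:latest -d .
  args: []
  language: docker_image
  pass_filenames: false
  always_run: false
  files: \.tf$
  exclude: (^|/)\.terraform/
  require_serial: true
- id: checkov_diff
  name: Checkov Diff
  description: This hook runs checkov against all changed files.
  entry: checkov --enable-secret-scan-all-files
  args: ["-f"] # required and must come last
  language: python
  require_serial: true
- id: checkov_diff_container
  name: Checkov Diff
  description: This hook runs checkov against all changed files.
  # Floating `latest` tag, see above.
  entry: --tty bridgecrew/checkov:latest --enable-secret-scan-all-files
  args: ["-f"] # required and must come last
  language: docker_image
  require_serial: true
- id: checkov_secrets
  name: Checkov Secrets
  description: This hook looks for secrets with checkov.
  entry: checkov --framework secrets --enable-secret-scan-all-files
  args: ["-f"] # required and must come last
  language: python
  always_run: true
  require_serial: true
- id: checkov_secrets_container
  name: Checkov Secrets
  description: This hook looks for secrets with checkov.
  # Floating `latest` tag, see above.
  entry: --tty bridgecrew/checkov:latest --framework secrets --enable-secret-scan-all-files
  args: ["-f"] # required and must come last
  language: docker_image
  always_run: true
  require_serial: true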
================================================
FILE: .swm/creating-a-solver.gm0ti.sw.md
================================================
---
id: gm0ti
name: Creating a Solver
file_version: 1.0.2
app_version: 0.9.4-0
file_blobs:
checkov/common/checks_infra/solvers/complex_solvers/not_solver.py: 60e9301de2a35a51b0464babaf537104d82cf00a
checkov/common/checks_infra/checks_parser.py: 50130edc6639275b43dbd287572972b826eee687
checkov/common/checks_infra/solvers/complex_solvers/__init__.py: 2e25b8e1f51406fe5e2995019eb6046fdf3650f2
checkov/common/graph/checks_infra/solvers/base_solver.py: e84d471f6fc2e8ef12d82fa061784c57a7915d5c
checkov/common/checks_infra/solvers/complex_solvers/base_complex_solver.py: 186dd8805259132d32936fafc19c389d452869c4
checkov/common/checks_infra/solvers/connections_solvers/or_connection_solver.py: 38df2db8112768f7ee10facc3feac82b84affc32
checkov/common/checks_infra/solvers/attribute_solvers/any_attribute_solver.py: 5aa38478ce1174ea46d2cff94ec52358e8595369
checkov/common/checks_infra/solvers/attribute_solvers/not_contains_attribute_solver.py: 0d44d643a7ba2f1fc78fa86ad53b46c47e546ee1
checkov/common/checks_infra/solvers/attribute_solvers/not_ending_with_attribute_solver.py: 334cc79488dc5f5f52e3d66ef9b24e3ad89f1e99
---
A Solver is a major component in our system. This document will describe what it is and how to add a new one.
A Solver is a graph operator that implements a certain piece of logic, such as AttributeEquals, GreaterThan, Exists and more. There are also more complex solvers, such as the `And` solver, which implement logic between two or more solvers.
When we add a new Solver, we create a class that inherits from `BaseSolver`[↓](#f-2wxET6).
Some examples of `BaseSolver`[↓](#f-2wxET6)s are `OrConnectionSolver`[↓](#f-Z1oapTp), `AnyResourceSolver`[↓](#f-Z7ghIg), `NotContainsAttributeSolver`[↓](#f-Z136myH), and `NotEndingWithAttributeSolver`[↓](#f-923Qq). Note: some of these examples inherit indirectly from `BaseSolver`[↓](#f-2wxET6).
> **NOTE: Inherit from** `BaseComplexSolver`[↓](#f-10523X)
>
> Most `BaseSolver`[↓](#f-2wxET6)s inherit directly from `BaseComplexSolver`[↓](#f-10523X) and almost none inherit directly from `BaseSolver`[↓](#f-2wxET6). In this document we demonstrate inheriting from `BaseComplexSolver`[↓](#f-10523X).
## TL;DR - How to Add a `BaseComplexSolver`[↓](#f-10523X)
1. Create a new class inheriting from `BaseComplexSolver`[↓](#f-10523X)
* Place the file under `📄 checkov/common/checks_infra/solvers/complex_solvers`, e.g. `NotSolver`[↓](#f-Z2wW09R) is defined in `📄 checkov/common/checks_infra/solvers/complex_solvers/not_solver.py`.
2. Define `operator`[↓](#f-Z1HozjT).
3. Implement `__init__`[↓](#f-ZDc3b7), `_get_operation`[↓](#f-Z1IWbj3), and `get_operation`[↓](#f-I3t5K).
4. Update `📄 checkov/common/checks_infra/checks_parser.py`.
5. Update `📄 checkov/common/checks_infra/solvers/complex_solvers/__init__.py`.
6. **Profit** 💰
## Example Walkthrough - `NotSolver`[↓](#f-Z2wW09R)
We'll follow the implementation of `NotSolver`[↓](#f-Z2wW09R) for this example.
A `NotSolver`[↓](#f-Z2wW09R) is a solver that inverts the result of the single child solver it wraps.
## Steps to Adding a new `BaseComplexSolver`[↓](#f-10523X)
### 1\. Inherit from `BaseComplexSolver`[↓](#f-10523X).
All `BaseComplexSolver`[↓](#f-10523X)s are defined in files under `📄 checkov/common/checks_infra/solvers/complex_solvers`.
We first need to define our class in the relevant file, and inherit from `BaseComplexSolver`[↓](#f-10523X):
### 📄 checkov/common/checks_infra/solvers/complex_solvers/not_solver.py
```python
⬜ 5 from checkov.common.checks_infra.solvers.complex_solvers.base_complex_solver import BaseComplexSolver
⬜ 6
⬜ 7
🟩 8 class NotSolver(BaseComplexSolver):
⬜ 9 operator = Operators.NOT # noqa: CCE003 # a static attribute
⬜ 10
⬜ 11 def __init__(self, solvers: List[BaseSolver], resource_types: List[str]) -> None:
```
> **Note**: the class name should end with "Solver".
### 2\. Define `operator`[↓](#f-Z1HozjT)
`BaseSolver`[↓](#f-2wxET6)s should define this variable:
* `operator`[↓](#f-Z1HozjT)
### 📄 checkov/common/checks_infra/solvers/complex_solvers/not_solver.py
```python
⬜ 6
⬜ 7
⬜ 8 class NotSolver(BaseComplexSolver):
🟩 9 operator = Operators.NOT # noqa: CCE003 # a static attribute
⬜ 10
⬜ 11 def __init__(self, solvers: List[BaseSolver], resource_types: List[str]) -> None:
⬜ 12 if len(solvers) != 1:
```
### 3\. Implement `__init__`[↓](#f-ZDc3b7), `_get_operation`[↓](#f-Z1IWbj3), and `get_operation`[↓](#f-I3t5K)
Here is how we do it for `NotSolver`[↓](#f-Z2wW09R). `_get_operation`[↓](#f-Z1IWbj3) inverts an already-evaluated child result, while `get_operation`[↓](#f-I3t5K) evaluates the single child solver against a vertex and negates the outcome.
Implement `__init__`[↓](#f-ZDc3b7). Note that it validates the number of children *before* delegating to the base class: a `not` operator with any number of children other than one raises immediately, so a malformed policy definition fails when the solver is constructed rather than silently evaluating to the wrong result. New solvers should validate their inputs in the same place.
### 📄 checkov/common/checks_infra/solvers/complex_solvers/not_solver.py
```python
⬜ 8 class NotSolver(BaseComplexSolver):
⬜ 9 operator = Operators.NOT # noqa: CCE003 # a static attribute
⬜ 10
🟩 11 def __init__(self, solvers: List[BaseSolver], resource_types: List[str]) -> None:
🟩 12 if len(solvers) != 1:
🟩 13 raise Exception('The "not" operator must have exactly one child')
🟩 14 super().__init__(solvers, resource_types)
⬜ 15
⬜ 16 def _get_operation(self, *args: Any, **kwargs: Any) -> Any:
⬜ 17 if len(args) != 1:
```
### 📄 checkov/common/checks_infra/solvers/complex_solvers/not_solver.py
```python
⬜ 13 raise Exception('The "not" operator must have exactly one child')
⬜ 14 super().__init__(solvers, resource_types)
⬜ 15
🟩 16 def _get_operation(self, *args: Any, **kwargs: Any) -> Any:
🟩 17 if len(args) != 1:
🟩 18 raise Exception('The "not" operator must have exactly one child')
🟩 19 return not args[0]
⬜ 20
⬜ 21 def get_operation(self, vertex: Dict[str, Any]) -> bool: # type:ignore[override]
⬜ 22 return not self.solvers[0].get_operation(vertex)
```
### 📄 checkov/common/checks_infra/solvers/complex_solvers/not_solver.py
```python
⬜ 18 raise Exception('The "not" operator must have exactly one child')
⬜ 19 return not args[0]
⬜ 20
🟩 21 def get_operation(self, vertex: Dict[str, Any]) -> bool: # type:ignore[override]
🟩 22 return not self.solvers[0].get_operation(vertex)
⬜ 23
```
## Update additional files with the new class
Every time we add a new `BaseComplexSolver`[↓](#f-10523X), we must register it in a few locations; otherwise the parser will not recognise the new operator.
We will still look at `NotSolver`[↓](#f-Z2wW09R) as our example.
4\. Update `📄 checkov/common/checks_infra/checks_parser.py`, as we do with `NotSolver`[↓](#f-Z2wW09R) here:
### 📄 checkov/common/checks_infra/checks_parser.py
```python
⬜ 19 NotEndingWithAttributeSolver,
⬜ 20 AndSolver,
⬜ 21 OrSolver,
🟩 22 NotSolver,
⬜ 23 ConnectionExistsSolver,
⬜ 24 ConnectionNotExistsSolver,
⬜ 25 AndConnectionSolver,
```
In addition, in the same file, map the operator name (the string used in policy definitions, which should correspond to the `operator`[↓](#f-Z1HozjT) defined in step 2) to the new class:
### 📄 checkov/common/checks_infra/checks_parser.py
```python
⬜ 93 operators_to_complex_solver_classes: dict[str, Type[BaseComplexSolver]] = {
⬜ 94 "and": AndSolver,
⬜ 95 "or": OrSolver,
🟩 96 "not": NotSolver,
⬜ 97 }
⬜ 98
⬜ 99 operator_to_connection_solver_classes: dict[str, Type[BaseConnectionSolver]] = {
```
5\. We modify `📄 checkov/common/checks_infra/solvers/complex_solvers/__init__.py`, for example:
### 📄 checkov/common/checks_infra/solvers/complex_solvers/__init__.py
```python
⬜ 1 from checkov.common.checks_infra.solvers.complex_solvers.or_solver import OrSolver # noqa
⬜ 2 from checkov.common.checks_infra.solvers.complex_solvers.and_solver import AndSolver # noqa
🟩 3 from checkov.common.checks_infra.solvers.complex_solvers.not_solver import NotSolver # noqa
⬜ 4
```
### Swimm Note
__init__[^](#ZDc3b7) - "checkov/common/checks_infra/solvers/complex_solvers/not_solver.py" L11
```python
def __init__(self, solvers: List[BaseSolver], resource_types: List[str]) -> None:
```
_get_operation[^](#Z1IWbj3) - "checkov/common/checks_infra/solvers/complex_solvers/not_solver.py" L16
```python
def _get_operation(self, *args: Any, **kwargs: Any) -> Any:
```
AnyResourceSolver[^](#Z7ghIg) - "checkov/common/checks_infra/solvers/attribute_solvers/any_attribute_solver.py" L7
```python
class AnyResourceSolver(BaseAttributeSolver):
```
BaseComplexSolver[^](#10523X) - "checkov/common/checks_infra/solvers/complex_solvers/base_complex_solver.py" L9
```python
class BaseComplexSolver(BaseSolver):
```
BaseSolver[^](#2wxET6) - "checkov/common/graph/checks_infra/solvers/base_solver.py" L9
```python
class BaseSolver:
```
get_operation[^](#I3t5K) - "checkov/common/checks_infra/solvers/complex_solvers/not_solver.py" L21
```python
def get_operation(self, vertex: Dict[str, Any]) -> bool: # type:ignore[override]
```
NotContainsAttributeSolver[^](#Z136myH) - "checkov/common/checks_infra/solvers/attribute_solvers/not_contains_attribute_solver.py" L7
```python
class NotContainsAttributeSolver(ContainsAttributeSolver):
```
NotEndingWithAttributeSolver[^](#923Qq) - "checkov/common/checks_infra/solvers/attribute_solvers/not_ending_with_attribute_solver.py" L7
```python
class NotEndingWithAttributeSolver(EndingWithAttributeSolver):
```
NotSolver[^](#Z2wW09R) - "checkov/common/checks_infra/solvers/complex_solvers/not_solver.py" L8
```python
class NotSolver(BaseComplexSolver):
```
operator[^](#Z1HozjT) - "checkov/common/checks_infra/solvers/complex_solvers/not_solver.py" L9
```python
operator = Operators.NOT # noqa: CCE003 # a static attribute
```
OrConnectionSolver[^](#Z1oapTp) - "checkov/common/checks_infra/solvers/connections_solvers/or_connection_solver.py" L11
```python
class OrConnectionSolver(ComplexConnectionSolver):
```
This file was generated by Swimm. [Click here to view it in the app](https://app.swimm.io/repos/Z2l0aHViJTNBJTNBY2hlY2tvdiUzQSUzQWJyaWRnZWNyZXdpbw==/docs/gm0ti).
================================================
FILE: .swm/swimm.json
================================================
{
"repo_id": "Z2l0aHViJTNBJTNBY2hlY2tvdiUzQSUzQWJyaWRnZWNyZXdpbw==",
"configuration": {
"swmd": true
}
}
================================================
FILE: CHANGELOG.md
================================================
# CHANGELOG
## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.510...HEAD)
## [3.2.510](https://github.com/bridgecrewio/checkov/compare/3.2.508...3.2.510) - 2026-03-18
### Bug Fix
- **terraform:** support modern TLS security policies in CKV_AWS_206 - [#7466](https://github.com/bridgecrewio/checkov/pull/7466)
- **terraform:** update CKV_AWS_339 supported EKS Kubernetes versions - [#7465](https://github.com/bridgecrewio/checkov/pull/7465)
- **terraform:** update CKV_GCP_79 latest Postgres version from 17 to 18 - [#7464](https://github.com/bridgecrewio/checkov/pull/7464)
## [3.2.508](https://github.com/bridgecrewio/checkov/compare/3.2.507...3.2.508) - 2026-03-08
### Bug Fix
- **secrets:** eliminate race condition in secrets scanner when running concurrently with other scanners - [#7456](https://github.com/bridgecrewio/checkov/pull/7456)
## [3.2.507](https://github.com/bridgecrewio/checkov/compare/3.2.506...3.2.507) - 2026-03-05
### Bug Fix
- **secrets:** add _thread_safe_transient_settings( to secret runner - [#7455](https://github.com/bridgecrewio/checkov/pull/7455)
## [3.2.506](https://github.com/bridgecrewio/checkov/compare/3.2.505...3.2.506) - 2026-02-23
### Bug Fix
- **terraform:** return inner module path when dest_dir already exists on Linux - [#7436](https://github.com/bridgecrewio/checkov/pull/7436)
## [3.2.505](https://github.com/bridgecrewio/checkov/compare/3.2.504...3.2.505) - 2026-02-22
### Feature
- **bicep:** revert bump pycep to support better bicep syntax - [#7446](https://github.com/bridgecrewio/checkov/pull/7446)
## [3.2.504](https://github.com/bridgecrewio/checkov/compare/3.2.502...3.2.504) - 2026-02-18
### Feature
- **bicep:** bump pycep to support better bicep syntax - [#7441](https://github.com/bridgecrewio/checkov/pull/7441)
- **terraform:** deprecate dotnet v6 and support v9 and v10 - [#7442](https://github.com/bridgecrewio/checkov/pull/7442)
## [3.2.502](https://github.com/bridgecrewio/checkov/compare/3.2.501...3.2.502) - 2026-02-16
### Feature
- **general:** better shell commands - [#7438](https://github.com/bridgecrewio/checkov/pull/7438)
## [3.2.501](https://github.com/bridgecrewio/checkov/compare/3.2.500...3.2.501) - 2026-02-11
### Bug Fix
- **general:** secret detection in build log files with line prefixes - [#7431](https://github.com/bridgecrewio/checkov/pull/7431)
## [3.2.500](https://github.com/bridgecrewio/checkov/compare/3.2.499...3.2.500) - 2026-02-01
### Bug Fix
- **cloudformation:** render variables in cfn vertices config - [#7423](https://github.com/bridgecrewio/checkov/pull/7423)
## [3.2.499](https://github.com/bridgecrewio/checkov/compare/3.2.497...3.2.499) - 2026-01-25
### Feature
- **general:** Add BC_CA_BUNDLE environment variable support for custom CA certificates - [#7419](https://github.com/bridgecrewio/checkov/pull/7419)
- **secrets:** Override AWS generic check with cortex specific checks - [#7420](https://github.com/bridgecrewio/checkov/pull/7420)
### Bug Fix
- **terraform:** test dates - [#7422](https://github.com/bridgecrewio/checkov/pull/7422)
## [3.2.497](https://github.com/bridgecrewio/checkov/compare/3.2.496...3.2.497) - 2025-12-30
### Bug Fix
- **terraform:** handle file path instead of directory - [#7408](https://github.com/bridgecrewio/checkov/pull/7408)
## [3.2.496](https://github.com/bridgecrewio/checkov/compare/3.2.495...3.2.496) - 2025-12-28
### Bug Fix
- **terraform:** CKV_GCP_6 - Added special handling for MSSQL SERVER database type - [#7405](https://github.com/bridgecrewio/checkov/pull/7405)
## [3.2.495](https://github.com/bridgecrewio/checkov/compare/3.2.494...3.2.495) - 2025-11-23
### Bug Fix
- **kubernetes:** Fix CKV_K8S_21 - [#7378](https://github.com/bridgecrewio/checkov/pull/7378)
## [3.2.494](https://github.com/bridgecrewio/checkov/compare/3.2.493...3.2.494) - 2025-11-18
### Bug Fix
- **general:** Fixed build workflows of integration test by locking helm version - [#7371](https://github.com/bridgecrewio/checkov/pull/7371)
- **terraform:** Fixed variable rendering of complex variables to avoid changing type - [#7369](https://github.com/bridgecrewio/checkov/pull/7369)
## [3.2.493](https://github.com/bridgecrewio/checkov/compare/3.2.492...3.2.493) - 2025-11-12
### Feature
- **general:** support skips for module for_each and count - [#7368](https://github.com/bridgecrewio/checkov/pull/7368)
## [3.2.492](https://github.com/bridgecrewio/checkov/compare/3.2.491...3.2.492) - 2025-11-10
### Bug Fix
- **terraform:** get_resource_tags handles more cases - [#7365](https://github.com/bridgecrewio/checkov/pull/7365)
## [3.2.491](https://github.com/bridgecrewio/checkov/compare/3.2.490...3.2.491) - 2025-11-09
### Bug Fix
- **terraform:** Graph report tags should be dict - [#7363](https://github.com/bridgecrewio/checkov/pull/7363)
## [3.2.490](https://github.com/bridgecrewio/checkov/compare/3.2.489...3.2.490) - 2025-11-04
### Feature
- **general:** Fix downloading of the external modules when ref is a shortened Git hash - [#7278](https://github.com/bridgecrewio/checkov/pull/7278)
## [3.2.489](https://github.com/bridgecrewio/checkov/compare/3.2.488...3.2.489) - 2025-10-29
### Bug Fix
- **helm:** Check HELM_NAMESPACE env var in CKV_K8S_21 - [#7355](https://github.com/bridgecrewio/checkov/pull/7355)
## [3.2.488](https://github.com/bridgecrewio/checkov/compare/3.2.487...3.2.488) - 2025-10-27
### Feature
- **terraform_plan:** add new cases for foreach in the presence of skips - [#7351](https://github.com/bridgecrewio/checkov/pull/7351)
## [3.2.487](https://github.com/bridgecrewio/checkov/compare/3.2.486...3.2.487) - 2025-10-23
### Bug Fix
- **general:** CKV_AWS_174 should-allow-higher-then-TLSv1.2 - terraform and cloudformation - [#7352](https://github.com/bridgecrewio/checkov/pull/7352)
## [3.2.486](https://github.com/bridgecrewio/checkov/compare/3.2.485...3.2.486) - 2025-10-22
### Feature
- **general:** update setuptools version 78.1.1 - [#7347](https://github.com/bridgecrewio/checkov/pull/7347)
## [3.2.485](https://github.com/bridgecrewio/checkov/compare/3.2.484...3.2.485) - 2025-10-20
### Bug Fix
- **general:** fix urllib3 dependency - [#7345](https://github.com/bridgecrewio/checkov/pull/7345)
## [3.2.484](https://github.com/bridgecrewio/checkov/compare/3.2.483...3.2.484) - 2025-10-15
### Bug Fix
- **terraform_plan:** Correctly handle complex types for after_unknown - [#7333](https://github.com/bridgecrewio/checkov/pull/7333)
## [3.2.483](https://github.com/bridgecrewio/checkov/compare/3.2.479...3.2.483) - 2025-10-12
### Feature
- **general:** anchor setuptools to fix metadata version - [#7330](https://github.com/bridgecrewio/checkov/pull/7330)
- **general:** update our publishing job SHA to latest - [#7332](https://github.com/bridgecrewio/checkov/pull/7332)
- **terraform_plan:** fix handling of resource_id for enrichment in tf_plan - [#7329](https://github.com/bridgecrewio/checkov/pull/7329)
## [3.2.479](https://github.com/bridgecrewio/checkov/compare/3.2.477...3.2.479) - 2025-10-09
### Feature
- **general:** upgrade checkov python version 3.9 - [#7326](https://github.com/bridgecrewio/checkov/pull/7326)
- **general:** upgrade checkvo python version - [#7303](https://github.com/bridgecrewio/checkov/pull/7303)
- **terraform:** skip raw tf resource violation - [#7325](https://github.com/bridgecrewio/checkov/pull/7325)
### Bug Fix
- **general:** revert pipfile urllib3 change - [#7324](https://github.com/bridgecrewio/checkov/pull/7324)
## [3.2.477](https://github.com/bridgecrewio/checkov/compare/3.2.474...3.2.477) - 2025-10-08
### Bug Fix
- **terraform_plan:** compute the longest common prefix between two optional vertex - [#7320](https://github.com/bridgecrewio/checkov/pull/7320)
- **terraform_plan:** Don't add values to empty list values in after_unknown - [#7319](https://github.com/bridgecrewio/checkov/pull/7319)
## [3.2.474](https://github.com/bridgecrewio/checkov/compare/3.2.473...3.2.474) - 2025-10-05
### Documentation
- **general:** Add JAVA_FULL_DT environment variable to CLI reference - [#7312](https://github.com/bridgecrewio/checkov/pull/7312)
## [3.2.473](https://github.com/bridgecrewio/checkov/compare/3.2.472...3.2.473) - 2025-09-30
- no noteworthy changes
## [3.2.472](https://github.com/bridgecrewio/checkov/compare/3.2.471...3.2.472) - 2025-09-28
### Feature
- **terraform:** fix foreach module handling - [#7313](https://github.com/bridgecrewio/checkov/pull/7313)
## [3.2.471](https://github.com/bridgecrewio/checkov/compare/3.2.470...3.2.471) - 2025-09-14
### Bug Fix
- **terraform_plan:** fix access to list by str in tf plan under _handle_complex_after_unknown - [#7299](https://github.com/bridgecrewio/checkov/pull/7299)
## [3.2.470](https://github.com/bridgecrewio/checkov/compare/3.2.469...3.2.470) - 2025-09-08
### Bug Fix
- **helm:** Make Helm template detection less aggressive - [#7288](https://github.com/bridgecrewio/checkov/pull/7288)
## [3.2.469](https://github.com/bridgecrewio/checkov/compare/3.2.467...3.2.469) - 2025-09-01
### Feature
- **general:** Control parallelism - [#7286](https://github.com/bridgecrewio/checkov/pull/7286)
## [3.2.467](https://github.com/bridgecrewio/checkov/compare/3.2.466...3.2.467) - 2025-08-27
### Bug Fix
- **serverless:** Fixed bad entity code line generation - [#7285](https://github.com/bridgecrewio/checkov/pull/7285)
## [3.2.466](https://github.com/bridgecrewio/checkov/compare/3.2.464...3.2.466) - 2025-08-25
### Feature
- **terraform:** add aws_vpc_endpoint to RESOURCE_TYPES_JSONIFY - [#7281](https://github.com/bridgecrewio/checkov/pull/7281)
### Bug Fix
- **general:** Add exclusion for plan_with_providers test files in security scanning - [#7282](https://github.com/bridgecrewio/checkov/pull/7282)
## [3.2.464](https://github.com/bridgecrewio/checkov/compare/3.2.461...3.2.464) - 2025-08-20
### Feature
- **secrets:** support suppressions in JSON files - [#7275](https://github.com/bridgecrewio/checkov/pull/7275)
## [3.2.461](https://github.com/bridgecrewio/checkov/compare/3.2.460...3.2.461) - 2025-08-12
### Bug Fix
- **terraform:** Handled git external module loading with sub-directory but without protocol - [#7272](https://github.com/bridgecrewio/checkov/pull/7272)
## [3.2.460](https://github.com/bridgecrewio/checkov/compare/3.2.458...3.2.460) - 2025-08-10
### Bug Fix
- **general:** pin boto3 and botocore versions as failed test in Jenkins - [#7270](https://github.com/bridgecrewio/checkov/pull/7270)
## [3.2.458](https://github.com/bridgecrewio/checkov/compare/3.2.457...3.2.458) - 2025-08-06
### Bug Fix
- **terraform:** Fix conditional expression evaluation - [#7265](https://github.com/bridgecrewio/checkov/pull/7265)
- **terraform:** Update FunctionAppsAccessibleOverHttps - [#7078](https://github.com/bridgecrewio/checkov/pull/7078)
## [3.2.457](https://github.com/bridgecrewio/checkov/compare/3.2.456...3.2.457) - 2025-07-28
### Bug Fix
- **dockerfile:** Use proxy env vars in aiohttp client requests - [#7260](https://github.com/bridgecrewio/checkov/pull/7260)
## [3.2.456](https://github.com/bridgecrewio/checkov/compare/3.2.454...3.2.456) - 2025-07-27
### Bug Fix
- **terraform:** Parse continue as a string rather as a python object - [#7261](https://github.com/bridgecrewio/checkov/pull/7261)
## [3.2.454](https://github.com/bridgecrewio/checkov/compare/3.2.452...3.2.454) - 2025-07-24
### Bug Fix
- **serverless:** Fixed extraction of code lines for serverless resources - [#7259](https://github.com/bridgecrewio/checkov/pull/7259)
## [3.2.452](https://github.com/bridgecrewio/checkov/compare/3.2.451...3.2.452) - 2025-07-23
### Feature
- **general:** Support Py 3.13 on build workflow - [#7222](https://github.com/bridgecrewio/checkov/pull/7222)
## [3.2.451](https://github.com/bridgecrewio/checkov/compare/3.2.450...3.2.451) - 2025-07-14
### Feature
- **terraform:** Support parsing of provider functions - [#7237](https://github.com/bridgecrewio/checkov/pull/7237)
## [3.2.450](https://github.com/bridgecrewio/checkov/compare/3.2.449...3.2.450) - 2025-07-10
### Bug Fix
- **arm:** filter out failed checks with resource names containing un-rendered functions - [#7231](https://github.com/bridgecrewio/checkov/pull/7231)
## [3.2.449](https://github.com/bridgecrewio/checkov/compare/3.2.447...3.2.449) - 2025-07-09
### Bug Fix
- **terraform:** fix cloning external modules from private regsitries - [#7229](https://github.com/bridgecrewio/checkov/pull/7229)
- **terraform:** fix issue 7216 module version parsing issue - [#7224](https://github.com/bridgecrewio/checkov/pull/7224)
## [3.2.447](https://github.com/bridgecrewio/checkov/compare/3.2.446...3.2.447) - 2025-06-26
### Bug Fix
- **terraform:** Added support in restricting to a specific GitHub organization for GithubActionsOIDCTrustPolicy - [#7221](https://github.com/bridgecrewio/checkov/pull/7221)
## [3.2.446](https://github.com/bridgecrewio/checkov/compare/3.2.445...3.2.446) - 2025-06-24
### Feature
- **kubernetes:** include hidden folders in scan - [#7219](https://github.com/bridgecrewio/checkov/pull/7219)
## [3.2.445](https://github.com/bridgecrewio/checkov/compare/3.2.443...3.2.445) - 2025-06-22
### Bug Fix
- **helm:** fix file paths to point to original files and not generated ones - [#7212](https://github.com/bridgecrewio/checkov/pull/7212)
- **secrets:** fix omitting and masking - [#7218](https://github.com/bridgecrewio/checkov/pull/7218)
## [3.2.443](https://github.com/bridgecrewio/checkov/compare/3.2.442...3.2.443) - 2025-06-19
### Bug Fix
- **secrets:** fix omit and masking - [#7213](https://github.com/bridgecrewio/checkov/pull/7213)
## [3.2.442](https://github.com/bridgecrewio/checkov/compare/3.2.440...3.2.442) - 2025-06-15
### Bug Fix
- **secrets:** fix relative path secrets - [#7211](https://github.com/bridgecrewio/checkov/pull/7211)
## [3.2.440](https://github.com/bridgecrewio/checkov/compare/3.2.439...3.2.440) - 2025-06-11
### Feature
- **secrets:** Bump detect secrets - [#7203](https://github.com/bridgecrewio/checkov/pull/7203)
## [3.2.439](https://github.com/bridgecrewio/checkov/compare/3.2.437...3.2.439) - 2025-06-09
### Bug Fix
- **serverless:** Enhance yaml parsing, better support for file expansion - [#7115](https://github.com/bridgecrewio/checkov/pull/7115)
- **terraform:** Better utilization of managed modules (if enabled) - [#7111](https://github.com/bridgecrewio/checkov/pull/7111)
## [3.2.437](https://github.com/bridgecrewio/checkov/compare/3.2.436...3.2.437) - 2025-06-05
### Bug Fix
- **terraform:** Handle explicitly-specified tfvars explicitly - [#7107](https://github.com/bridgecrewio/checkov/pull/7107)
## [3.2.436](https://github.com/bridgecrewio/checkov/compare/3.2.435...3.2.436) - 2025-05-30
### Bug Fix
- **terraform_plan:** Support count in terraform plan files - [#7195](https://github.com/bridgecrewio/checkov/pull/7195)
## [3.2.435](https://github.com/bridgecrewio/checkov/compare/3.2.433...3.2.435) - 2025-05-27
### Bug Fix
- **kubernetes:** Only filter out files that contain Helm built-in variables and functions - [#6922](https://github.com/bridgecrewio/checkov/pull/6922)
- **serverless:** check if start and end line in serverless definitions context - [#7189](https://github.com/bridgecrewio/checkov/pull/7189)
## [3.2.433](https://github.com/bridgecrewio/checkov/compare/3.2.432...3.2.433) - 2025-05-26
### Bug Fix
- **terraform_plan:** add a check to avoid doing get on a none dict object in tfplan scan - [#7180](https://github.com/bridgecrewio/checkov/pull/7180)
## [3.2.432](https://github.com/bridgecrewio/checkov/compare/3.2.429...3.2.432) - 2025-05-22
### Bug Fix
- **terraform:** Multiple fixes - [#7178](https://github.com/bridgecrewio/checkov/pull/7178)
## [3.2.429](https://github.com/bridgecrewio/checkov/compare/3.2.427...3.2.429) - 2025-05-21
### Bug Fix
- **general:** Fix support for git external module syntax 'git::git@' - [#7175](https://github.com/bridgecrewio/checkov/pull/7175)
- **general:** Remove asteval syntax error logs - [#7172](https://github.com/bridgecrewio/checkov/pull/7172)
## [3.2.427](https://github.com/bridgecrewio/checkov/compare/3.2.426...3.2.427) - 2025-05-20
### Feature
- **secrets:** Revert - Bump detect secrets - [#7171](https://github.com/bridgecrewio/checkov/pull/7171)
### Bug Fix
- **terraform:** dont move clone to internal dir - [#7159](https://github.com/bridgecrewio/checkov/pull/7159)
## [3.2.426](https://github.com/bridgecrewio/checkov/compare/3.2.424...3.2.426) - 2025-05-19
### Feature
- **secrets:** Bump detect secrets - [#7158](https://github.com/bridgecrewio/checkov/pull/7158)
- **terraform:** 7 new policies - [#7056](https://github.com/bridgecrewio/checkov/pull/7056)
## [3.2.424](https://github.com/bridgecrewio/checkov/compare/3.2.422...3.2.424) - 2025-05-15
### Feature
- **terraform:** Add SNS check and modify some - [#7154](https://github.com/bridgecrewio/checkov/pull/7154)
### Bug Fix
- **secrets:** Fix for git-history scan by commits - [#7160](https://github.com/bridgecrewio/checkov/pull/7160)
## [3.2.422](https://github.com/bridgecrewio/checkov/compare/3.2.420...3.2.422) - 2025-05-14
### Feature
- **secrets:** git-history allow scan by commits list - [#7155](https://github.com/bridgecrewio/checkov/pull/7155)
### Bug Fix
- **general:** exclude **start_line** and **end_line** from is empty solver - [#7156](https://github.com/bridgecrewio/checkov/pull/7156)
## [3.2.420](https://github.com/bridgecrewio/checkov/compare/3.2.417...3.2.420) - 2025-05-13
### Feature
- **kustomize:** export get kustomize resource id to a function - [#7153](https://github.com/bridgecrewio/checkov/pull/7153)
### Bug Fix
- **general:** Skip bc_api_key in output - [#7148](https://github.com/bridgecrewio/checkov/pull/7148)
- **terraform:** Fixed crash when using variable rendering inside a list of len > 1 - [#7151](https://github.com/bridgecrewio/checkov/pull/7151)
## [3.2.417](https://github.com/bridgecrewio/checkov/compare/3.2.416...3.2.417) - 2025-05-12
### Breaking Change
- **general:** Remove OpenAI - [#7146](https://github.com/bridgecrewio/checkov/pull/7146)
## [3.2.416](https://github.com/bridgecrewio/checkov/compare/3.2.415...3.2.416) - 2025-05-06
### Bug Fix
- **terraform_plan:** use provider name not resource address to fix supported_provider matching - [#7119](https://github.com/bridgecrewio/checkov/pull/7119)
## [3.2.415](https://github.com/bridgecrewio/checkov/compare/3.2.414...3.2.415) - 2025-05-05
### Bug Fix
- **general:** using asteval instead of using eval - [#7116](https://github.com/bridgecrewio/checkov/pull/7116)
## [3.2.414](https://github.com/bridgecrewio/checkov/compare/3.2.413...3.2.414) - 2025-05-01
### Bug Fix
- **terraform:** Fix protocols for CKV2_AWS_74 and fix for CKV2_K8S_5 - [#7134](https://github.com/bridgecrewio/checkov/pull/7134)
## [3.2.413](https://github.com/bridgecrewio/checkov/compare/3.2.411...3.2.413) - 2025-04-29
### Feature
- **terraform:** Add new check for overly permissive SQS policy - [#7125](https://github.com/bridgecrewio/checkov/pull/7125)
### Bug Fix
- **terraform:** support CLI notation in CKV_AZURE_228 for EventHub locations - [#7124](https://github.com/bridgecrewio/checkov/pull/7124)
## [3.2.411](https://github.com/bridgecrewio/checkov/compare/3.2.408...3.2.411) - 2025-04-28
### Feature
- **secrets:** Add support in git history for producer consumer - [#7123](https://github.com/bridgecrewio/checkov/pull/7123)
### Bug Fix
- **general:** Make --download-external-modules Optional[bool] - [#7121](https://github.com/bridgecrewio/checkov/pull/7121)
- **secrets:** Fix test directory tree race - [#7122](https://github.com/bridgecrewio/checkov/pull/7122)
- **terraform:** add aws_elasticache_serverless_cache to CKV2_AWS_5 - [#7079](https://github.com/bridgecrewio/checkov/pull/7079)
## [3.2.408](https://github.com/bridgecrewio/checkov/compare/3.2.407...3.2.408) - 2025-04-24
### Feature
- **terraform:** Over permissive Lambda Cors check (Terraform & Cloudformation) - [#7113](https://github.com/bridgecrewio/checkov/pull/7113)
### Bug Fix
- **general:** base_runner: Properly escape excluded directories that begin with '.' - [#7112](https://github.com/bridgecrewio/checkov/pull/7112)
## [3.2.407](https://github.com/bridgecrewio/checkov/compare/3.2.406...3.2.407) - 2025-04-21
### Feature
- **terraform:** Add new check and update old around cipher suites - [#7108](https://github.com/bridgecrewio/checkov/pull/7108)
## [3.2.406](https://github.com/bridgecrewio/checkov/compare/3.2.404...3.2.406) - 2025-04-17
### Bug Fix
- **kustomize:** handle kustomize file with empty resources section - [#7109](https://github.com/bridgecrewio/checkov/pull/7109)
## [3.2.404](https://github.com/bridgecrewio/checkov/compare/3.2.403...3.2.404) - 2025-04-14
### Bug Fix
- **terraform:** Fix for multiple checks - [#7097](https://github.com/bridgecrewio/checkov/pull/7097)
## [3.2.403](https://github.com/bridgecrewio/checkov/compare/3.2.402...3.2.403) - 2025-04-10
### Feature
- **cloudformation:** Update Lambda Runtime checks - [#7065](https://github.com/bridgecrewio/checkov/pull/7065)
## [3.2.402](https://github.com/bridgecrewio/checkov/compare/3.2.400...3.2.402) - 2025-04-08
### Bug Fix
- **terraform:** Change to valid name - [#7089](https://github.com/bridgecrewio/checkov/pull/7089)
- **terraform:** CKV2_IBM_1 - ignore case for load balancer of type private_path - [#7010](https://github.com/bridgecrewio/checkov/pull/7010)
- **terraform:** rename test FunctionAppsAccessibleOverHttps - [#7085](https://github.com/bridgecrewio/checkov/pull/7085)
### Documentation
- **general:** Add install for debian - [#7083](https://github.com/bridgecrewio/checkov/pull/7083)
## [3.2.400](https://github.com/bridgecrewio/checkov/compare/3.2.398...3.2.400) - 2025-04-07
### Bug Fix
- **general:** typos discovered by codespell - [#7012](https://github.com/bridgecrewio/checkov/pull/7012)
- **terraform:** Update FunctionAppsAccessibleOverHttps - [#7084](https://github.com/bridgecrewio/checkov/pull/7084)
## [3.2.398](https://github.com/bridgecrewio/checkov/compare/3.2.397...3.2.398) - 2025-04-06
### Bug Fix
- **general:** handle connected_node tuple in CustomJSONEncoder for json report (#7062) - [#7063](https://github.com/bridgecrewio/checkov/pull/7063)
## [3.2.397](https://github.com/bridgecrewio/checkov/compare/3.2.396...3.2.397) - 2025-04-04
- no noteworthy changes
## [3.2.396](https://github.com/bridgecrewio/checkov/compare/3.2.395...3.2.396) - 2025-04-01
### Bug Fix
- **terraform:** Fix keeping range a range - [#7073](https://github.com/bridgecrewio/checkov/pull/7073)
## [3.2.395](https://github.com/bridgecrewio/checkov/compare/3.2.394...3.2.395) - 2025-03-31
### Feature
- **serverless:** add check for empty resource attributes - [#7074](https://github.com/bridgecrewio/checkov/pull/7074)
## [3.2.394](https://github.com/bridgecrewio/checkov/compare/3.2.393...3.2.394) - 2025-03-27
### Bug Fix
- **terraform:** Fix CKV2_GCP_12 and a few tests - [#7069](https://github.com/bridgecrewio/checkov/pull/7069)
## [3.2.393](https://github.com/bridgecrewio/checkov/compare/3.2.392...3.2.393) - 2025-03-26
### Bug Fix
- **general:** Updated correct connected_node when creating graph report out of all options - [#7068](https://github.com/bridgecrewio/checkov/pull/7068)
## [3.2.392](https://github.com/bridgecrewio/checkov/compare/3.2.391...3.2.392) - 2025-03-24
### Bug Fix
- **terraform_plan:** Run provider checks against all providers in plan - [#7061](https://github.com/bridgecrewio/checkov/pull/7061)
## [3.2.391](https://github.com/bridgecrewio/checkov/compare/3.2.390...3.2.391) - 2025-03-23
### Bug Fix
- **secrets:** Bump detect-secrets to not flag AZ secrets in plan files - [#7064](https://github.com/bridgecrewio/checkov/pull/7064)
## [3.2.390](https://github.com/bridgecrewio/checkov/compare/3.2.386...3.2.390) - 2025-03-19
### Feature
- **terraform:** add raw tf resource to graph - [#7047](https://github.com/bridgecrewio/checkov/pull/7047)
### Bug Fix
- **general:** Fix a few checks - [#7051](https://github.com/bridgecrewio/checkov/pull/7051)
- **general:** Remove sneaky unicode characters that break a regex and console outputs on Windows - [#6987](https://github.com/bridgecrewio/checkov/pull/6987)
- **terraform:** CKV_AWS_228 - support new AWS Opensearch TLS policy - [#7007](https://github.com/bridgecrewio/checkov/pull/7007)
## [3.2.386](https://github.com/bridgecrewio/checkov/compare/3.2.385...3.2.386) - 2025-03-14
- no noteworthy changes
## [3.2.385](https://github.com/bridgecrewio/checkov/compare/3.2.384...3.2.385) - 2025-03-13
### Bug Fix
- **terraform:** Update all resources - [#7049](https://github.com/bridgecrewio/checkov/pull/7049)
## [3.2.384](https://github.com/bridgecrewio/checkov/compare/3.2.383...3.2.384) - 2025-03-12
### Bug Fix
- **terraform:** Update CKV_ALI_1 - [#7040](https://github.com/bridgecrewio/checkov/pull/7040)
## [3.2.383](https://github.com/bridgecrewio/checkov/compare/3.2.382...3.2.383) - 2025-03-11
### Feature
- **serverless:** add tags enrichment to serverless - [#7044](https://github.com/bridgecrewio/checkov/pull/7044)
### Bug Fix
- **sast:** Fix CKV_AWS_194 policy - [#7048](https://github.com/bridgecrewio/checkov/pull/7048)
## [3.2.382](https://github.com/bridgecrewio/checkov/compare/3.2.381...3.2.382) - 2025-03-06
### Feature
- **secrets:** Bump detect-secrets to remove more lock files - [#7039](https://github.com/bridgecrewio/checkov/pull/7039)
## [3.2.381](https://github.com/bridgecrewio/checkov/compare/3.2.379...3.2.381) - 2025-03-05
### Bug Fix
- **general:** prevent connected_node attribute from being overridden - [#7032](https://github.com/bridgecrewio/checkov/pull/7032)
- **secrets:** ckv_secret_80 filtering fix - [#7037](https://github.com/bridgecrewio/checkov/pull/7037)
## [3.2.379](https://github.com/bridgecrewio/checkov/compare/3.2.378...3.2.379) - 2025-03-03
### Feature
- **terraform:** Add azure DB checks for flexible server private endpoints - [#7030](https://github.com/bridgecrewio/checkov/pull/7030)
## [3.2.378](https://github.com/bridgecrewio/checkov/compare/3.2.377...3.2.378) - 2025-02-27
### Bug Fix
- **secrets:** Remove CKV_SECRET_80 instead of CKV_SECRET_6 - [#7029](https://github.com/bridgecrewio/checkov/pull/7029)
## [3.2.377](https://github.com/bridgecrewio/checkov/compare/3.2.373...3.2.377) - 2025-02-25
### Feature
- **terraform:** adding 3 policies & tests - [#7011](https://github.com/bridgecrewio/checkov/pull/7011)
### Bug Fix
- **cloudformation:** Handle subs in CKV_AWS_384 - [#7022](https://github.com/bridgecrewio/checkov/pull/7022)
- **secrets:** Fix Duplicated Violation in line bug - [#7027](https://github.com/bridgecrewio/checkov/pull/7027)
- **terraform:** Fixed CKV2_GCP_10 to exclude non-HTTP-triggered Cloud Functions from the security_level requirement - [#7008](https://github.com/bridgecrewio/checkov/pull/7008)
- **terraform:** Handle new resource type for CKV_GCP_73 - [#7023](https://github.com/bridgecrewio/checkov/pull/7023)
## [3.2.373](https://github.com/bridgecrewio/checkov/compare/3.2.372...3.2.373) - 2025-02-24
### Bug Fix
- **terraform:** CKV_GCP_74, CKV_GCP_76 incorrectly enforced for REGIONAL and GLOBAL managed proxy networks - [#7002](https://github.com/bridgecrewio/checkov/pull/7002)
## [3.2.372](https://github.com/bridgecrewio/checkov/compare/3.2.370...3.2.372) - 2025-02-18
### Feature
- **terraform:** Add multiple checks - [#7016](https://github.com/bridgecrewio/checkov/pull/7016)
### Bug Fix
- **terraform:** Postgres latest stable version - [#7015](https://github.com/bridgecrewio/checkov/pull/7015)
## [3.2.370](https://github.com/bridgecrewio/checkov/compare/3.2.369...3.2.370) - 2025-02-13
### Bug Fix
- **general:** Handle ECS enhanced container insights - [#7001](https://github.com/bridgecrewio/checkov/pull/7001)
## [3.2.369](https://github.com/bridgecrewio/checkov/compare/3.2.368...3.2.369) - 2025-02-10
### Bug Fix
- **terraform:** Multiple check fixes - [#6999](https://github.com/bridgecrewio/checkov/pull/6999)
## [3.2.368](https://github.com/bridgecrewio/checkov/compare/3.2.366...3.2.368) - 2025-02-06
### Feature
- **general:** fix proxy access from git and registry loader - [#6992](https://github.com/bridgecrewio/checkov/pull/6992)
## [3.2.366](https://github.com/bridgecrewio/checkov/compare/3.2.364...3.2.366) - 2025-02-05
### Bug Fix
- **bicep:** Add bicep specific for CKV_AZURE_25 since ARM implementation fails - [#6996](https://github.com/bridgecrewio/checkov/pull/6996)
- **terraform:** CKV_AZURE_249 & CKV_AWS_358 - better support for OIDC 'repo' detection regex and conditions order - [#6994](https://github.com/bridgecrewio/checkov/pull/6994)
## [3.2.364](https://github.com/bridgecrewio/checkov/compare/3.2.362...3.2.364) - 2025-02-04
### Bug Fix
- **terraform:** CKV_AWS_339 - Add EKS platform version 1.32 to allowed lists of versions - [#6988](https://github.com/bridgecrewio/checkov/pull/6988)
## [3.2.362](https://github.com/bridgecrewio/checkov/compare/3.2.358...3.2.362) - 2025-02-03
### Bug Fix
- **secrets:** Multiple matching groups are being caught as regex separated by | sign - [#6967](https://github.com/bridgecrewio/checkov/pull/6967)
- **secrets:** Remove both random and base64 entropy secrets finding - [#6969](https://github.com/bridgecrewio/checkov/pull/6969)
### Platform
- **general:** Backfill more eval keys - [#6970](https://github.com/bridgecrewio/checkov/pull/6970)
## [3.2.358](https://github.com/bridgecrewio/checkov/compare/3.2.357...3.2.358) - 2025-01-28
### Feature
- **general:** Add env var for policy metadata - [#6979](https://github.com/bridgecrewio/checkov/pull/6979)
## [3.2.357](https://github.com/bridgecrewio/checkov/compare/3.2.355...3.2.357) - 2025-01-23
### Feature
- **general:** initial support for python 3.13 - [#6962](https://github.com/bridgecrewio/checkov/pull/6962)
### Bug Fix
- **terraform:** OIDC checks fixes - [#6964](https://github.com/bridgecrewio/checkov/pull/6964)
## [3.2.355](https://github.com/bridgecrewio/checkov/compare/3.2.353...3.2.355) - 2025-01-22
### Feature
- **terraform:** Update CKV_AWS_358, add CKV_GCP_125 and CKV_AZURE_249 for OIDC claims analysis for GitHub - [#6960](https://github.com/bridgecrewio/checkov/pull/6960)
### Bug Fix
- **terraform:** Accept TLS 1.3 for Azure web apps and web app slots - [#6956](https://github.com/bridgecrewio/checkov/pull/6956)
### Platform
- **terraform:** Add eval keys - [#6929](https://github.com/bridgecrewio/checkov/pull/6929)
## [3.2.353](https://github.com/bridgecrewio/checkov/compare/3.2.352...3.2.353) - 2025-01-15
### Bug Fix
- **general:** Support CVE suppressions with the root file in repo - [#6948](https://github.com/bridgecrewio/checkov/pull/6948)
## [3.2.352](https://github.com/bridgecrewio/checkov/compare/3.2.351...3.2.352) - 2025-01-09
### Feature
- **terraform:** add option to add external_modules_content_cache to terraform build_graph - [#6942](https://github.com/bridgecrewio/checkov/pull/6942)
## [3.2.351](https://github.com/bridgecrewio/checkov/compare/3.2.350...3.2.351) - 2025-01-08
### Bug Fix
- **terraform:** Skip tsconfig in terraform plan - [#6941](https://github.com/bridgecrewio/checkov/pull/6941)
## [3.2.350](https://github.com/bridgecrewio/checkov/compare/3.2.347...3.2.350) - 2025-01-07
### Feature
- **terraform:** add CKV_AZURE_248 - Azure batch account network access restriction - [#6928](https://github.com/bridgecrewio/checkov/pull/6928)
### Bug Fix
- **terraform:** Revert feat(terraform): Add a terraform block check (#6904) - [#6937](https://github.com/bridgecrewio/checkov/pull/6937)
## [3.2.347](https://github.com/bridgecrewio/checkov/compare/3.2.346...3.2.347) - 2025-01-06
### Feature
- **general:** Change behavior where if a config file is missing, run the scan as if there was no config file - [#6926](https://github.com/bridgecrewio/checkov/pull/6926)
### Bug Fix
- **terraform:** Fix for multiple checks - [#6933](https://github.com/bridgecrewio/checkov/pull/6933)
## [3.2.346](https://github.com/bridgecrewio/checkov/compare/3.2.345...3.2.346) - 2025-01-01
### Feature
- **terraform:** add option to add proxy to request - [#6923](https://github.com/bridgecrewio/checkov/pull/6923)
## [3.2.345](https://github.com/bridgecrewio/checkov/compare/3.2.344...3.2.345) - 2024-12-31
### Feature
- **cloudformation:** Add sensitive param check - [#6921](https://github.com/bridgecrewio/checkov/pull/6921)
- **terraform:** add option to add proxy to request - [#6916](https://github.com/bridgecrewio/checkov/pull/6916)
- **terraform:** check cognitive services restrict outbound network - [#6919](https://github.com/bridgecrewio/checkov/pull/6919)
### Bug Fix
- **terraform_json:** support CDKTF output in CKV_TF_3 - [#6918](https://github.com/bridgecrewio/checkov/pull/6918)
## [3.2.344](https://github.com/bridgecrewio/checkov/compare/3.2.342...3.2.344) - 2024-12-21
### Bug Fix
- **kubernetes:** Add to nested resources on k8s graph inherit namespace - [#6912](https://github.com/bridgecrewio/checkov/pull/6912)
## [3.2.342](https://github.com/bridgecrewio/checkov/compare/3.2.339...3.2.342) - 2024-12-18
### Feature
- **serverless:** serverless definitions context - [#6910](https://github.com/bridgecrewio/checkov/pull/6910)
- **serverless:** Serverless graph integration - [#6911](https://github.com/bridgecrewio/checkov/pull/6911)
- **terraform:** Add a terraform block check - [#6904](https://github.com/bridgecrewio/checkov/pull/6904)
## [3.2.339](https://github.com/bridgecrewio/checkov/compare/3.2.336...3.2.339) - 2024-12-17
### Bug Fix
- **general:** Fix jsonpath-key handling for special characters like "/" and reduce log size - [#6907](https://github.com/bridgecrewio/checkov/pull/6907)
- **serverless:** Fix serverless check crash - [#6909](https://github.com/bridgecrewio/checkov/pull/6909)
## [3.2.336](https://github.com/bridgecrewio/checkov/compare/3.2.334...3.2.336) - 2024-12-16
### Feature
- **general:** add cortex:skip for suppressions - [#6908](https://github.com/bridgecrewio/checkov/pull/6908)
### Bug Fix
- **terraform:** fix CKV_AZURE_136 for replicas - [#6895](https://github.com/bridgecrewio/checkov/pull/6895)
- **terraform:** Fix CKV_AZURE_227 for Azure V4 - [#6906](https://github.com/bridgecrewio/checkov/pull/6906)
## [3.2.334](https://github.com/bridgecrewio/checkov/compare/3.2.332...3.2.334) - 2024-12-08
### Feature
- **serverless:** Serverless graph vertices - [#6894](https://github.com/bridgecrewio/checkov/pull/6894)
### Bug Fix
- **secrets:** fix indentation to remove duplications - [#6626](https://github.com/bridgecrewio/checkov/pull/6626)
## [3.2.332](https://github.com/bridgecrewio/checkov/compare/3.2.328...3.2.332) - 2024-12-05
### Feature
- **terraform:** Add multi skip inline suppression - [#6860](https://github.com/bridgecrewio/checkov/pull/6860)
- **terraform:** New bedrock check - [#6892](https://github.com/bridgecrewio/checkov/pull/6892)
### Bug Fix
- **kubernetes:** fix json file parsing - [#6891](https://github.com/bridgecrewio/checkov/pull/6891)
- **terraform:** Fix CKV2_AZURE_31 - [#6893](https://github.com/bridgecrewio/checkov/pull/6893)
## [3.2.328](https://github.com/bridgecrewio/checkov/compare/3.2.327...3.2.328) - 2024-12-04
### Feature
- **serverless:** Serverless refactor for graph implementation - [#6885](https://github.com/bridgecrewio/checkov/pull/6885)
### Documentation
- **general:** docs flags update - [#6888](https://github.com/bridgecrewio/checkov/pull/6888)
## [3.2.327](https://github.com/bridgecrewio/checkov/compare/3.2.326...3.2.327) - 2024-12-03
### Bug Fix
- **terraform:** Convert to graph check - [#6875](https://github.com/bridgecrewio/checkov/pull/6875)
## [3.2.326](https://github.com/bridgecrewio/checkov/compare/3.2.324...3.2.326) - 2024-12-02
### Feature
- **general:** add new CIDR operator - [#6877](https://github.com/bridgecrewio/checkov/pull/6877)
### Bug Fix
- **arm:** Fix resource ID generation to use variables - [#6884](https://github.com/bridgecrewio/checkov/pull/6884)
## [3.2.324](https://github.com/bridgecrewio/checkov/compare/3.2.322...3.2.324) - 2024-12-01
### Bug Fix
- **terraform_plan:** run post_runner after get_enriched_resources for terraform_plan - [#6883](https://github.com/bridgecrewio/checkov/pull/6883)
## [3.2.322](https://github.com/bridgecrewio/checkov/compare/3.2.320...3.2.322) - 2024-11-28
### Feature
- **general:** Update range includes to handle range values - [#6867](https://github.com/bridgecrewio/checkov/pull/6867)
### Bug Fix
- **general:** fix memory error when adding new env - [#6879](https://github.com/bridgecrewio/checkov/pull/6879)
- **general:** revert comment out ARM test - [#6882](https://github.com/bridgecrewio/checkov/pull/6882)
## [3.2.320](https://github.com/bridgecrewio/checkov/compare/3.2.317...3.2.320) - 2024-11-27
### Feature
- **terraform:** Add new checks to match run checks - [#6868](https://github.com/bridgecrewio/checkov/pull/6868)
### Bug Fix
- **arm:** Fix arm root folder - [#6880](https://github.com/bridgecrewio/checkov/pull/6880)
- **terraform:** Update CKV_AZURE_164 to correct check on trust policy - [#6757](https://github.com/bridgecrewio/checkov/pull/6757)
## [3.2.317](https://github.com/bridgecrewio/checkov/compare/3.2.314...3.2.317) - 2024-11-26
### Feature
- **terraform:** support resource_type attribute - [#6872](https://github.com/bridgecrewio/checkov/pull/6872)
### Bug Fix
- **arm:** Fix arm report resource naming - [#6876](https://github.com/bridgecrewio/checkov/pull/6876)
- **terraform:** Fix two checks and logs - [#6874](https://github.com/bridgecrewio/checkov/pull/6874)
## [3.2.314](https://github.com/bridgecrewio/checkov/compare/3.2.312...3.2.314) - 2024-11-25
### Feature
- **general:** add logs for suppression - [#6873](https://github.com/bridgecrewio/checkov/pull/6873)
### Bug Fix
- **arm:** Fix arm resource naming on integration with Prisma - [#6870](https://github.com/bridgecrewio/checkov/pull/6870)
## [3.2.312](https://github.com/bridgecrewio/checkov/compare/3.2.311...3.2.312) - 2024-11-24
### Bug Fix
- **arm:** Fix arm graph breadcrumbs - [#6869](https://github.com/bridgecrewio/checkov/pull/6869)
## [3.2.311](https://github.com/bridgecrewio/checkov/compare/3.2.307...3.2.311) - 2024-11-21
### Bug Fix
- **cloudformation:** Fixed issue where Ref was not rendered correctly if the parameter name was identical to the default value - [#6856](https://github.com/bridgecrewio/checkov/pull/6856)
- **secrets:** fix find line - [#6864](https://github.com/bridgecrewio/checkov/pull/6864)
- **secrets:** masking test format - [#6859](https://github.com/bridgecrewio/checkov/pull/6859)
- **secrets:** multiline matches show the secret and not the first line - [#6854](https://github.com/bridgecrewio/checkov/pull/6854)
## [3.2.307](https://github.com/bridgecrewio/checkov/compare/3.2.305...3.2.307) - 2024-11-20
### Bug Fix
- **arm:** Change ARM graph creation log lvl to debug - [#6857](https://github.com/bridgecrewio/checkov/pull/6857)
## [3.2.305](https://github.com/bridgecrewio/checkov/compare/3.2.301...3.2.305) - 2024-11-19
### Feature
- **sca:** support java full dependency tree scan - [#6834](https://github.com/bridgecrewio/checkov/pull/6834)
- **terraform:** Add check - ensure AWS CodeGuru resource contains CMK - [#6851](https://github.com/bridgecrewio/checkov/pull/6851)
### Bug Fix
- **general:** Used jsonpath to update vertex attributes - [#6852](https://github.com/bridgecrewio/checkov/pull/6852)
- **terraform:** Update EKS supported versions - [#6826](https://github.com/bridgecrewio/checkov/pull/6826)
- **terraform:** Update CKV_AZURE_171 to check automatic_upgrade_channel - [#6756](https://github.com/bridgecrewio/checkov/pull/6756)
## [3.2.301](https://github.com/bridgecrewio/checkov/compare/3.2.300...3.2.301) - 2024-11-18
### Bug Fix
- **secrets:** skip empty match - [#6849](https://github.com/bridgecrewio/checkov/pull/6849)
## [3.2.300](https://github.com/bridgecrewio/checkov/compare/3.2.296...3.2.300) - 2024-11-17
### Feature
- **azure:** add new policies for Azure Synapse arm - [#6553](https://github.com/bridgecrewio/checkov/pull/6553)
- **helm:** Made helm + kustomize use the Kubernetes graph registry - [#6847](https://github.com/bridgecrewio/checkov/pull/6847)
- **secrets:** Adding check_id to EnrichedSecret class - [#6842](https://github.com/bridgecrewio/checkov/pull/6842)
- **secrets:** Masking secrets files - [#6848](https://github.com/bridgecrewio/checkov/pull/6848)
### Bug Fix
- **secrets:** add prerun support for singleline - [#6846](https://github.com/bridgecrewio/checkov/pull/6846)
- **terraform:** Update CKV_AZURE_167 to correct check on retention policy - [#6758](https://github.com/bridgecrewio/checkov/pull/6758)
## [3.2.296](https://github.com/bridgecrewio/checkov/compare/3.2.293...3.2.296) - 2024-11-14
### Feature
- **cloudformation:** Support Fn::Sub in cases of using a pseudo parameter - [#6835](https://github.com/bridgecrewio/checkov/pull/6835)
- **terraform:** support resource_type attribute - revert - [#6843](https://github.com/bridgecrewio/checkov/pull/6843)
### Bug Fix
- **terraform:** CKV_GCP_32 (GoogleComputeBlockProjectSSH) Add other common enabling values - [#6663](https://github.com/bridgecrewio/checkov/pull/6663)
## [3.2.293](https://github.com/bridgecrewio/checkov/compare/3.2.291...3.2.293) - 2024-11-13
### Feature
- **terraform:** support resource_type attribute - [#6830](https://github.com/bridgecrewio/checkov/pull/6830)
### Bug Fix
- **general:** fixed mypy issue - [#6838](https://github.com/bridgecrewio/checkov/pull/6838)
## [3.2.291](https://github.com/bridgecrewio/checkov/compare/3.2.287...3.2.291) - 2024-11-12
### Feature
- **general:** remove specific botocore version - [#6796](https://github.com/bridgecrewio/checkov/pull/6796)
### Bug Fix
- **arm:** fix ARM graph block types - [#6824](https://github.com/bridgecrewio/checkov/pull/6824)
- **dockerfile:** Handle heredoc - [#6828](https://github.com/bridgecrewio/checkov/pull/6828)
- **sast:** filter unsupported policies - [#6833](https://github.com/bridgecrewio/checkov/pull/6833)
## [3.2.287](https://github.com/bridgecrewio/checkov/compare/3.2.286...3.2.287) - 2024-11-11
### Bug Fix
- **graph:** fix internal checks loading when adding custom policies in cli - [#6819](https://github.com/bridgecrewio/checkov/pull/6819)
## [3.2.286](https://github.com/bridgecrewio/checkov/compare/3.2.282...3.2.286) - 2024-11-10
### Feature
- **secrets:** Add npm detector - [#6821](https://github.com/bridgecrewio/checkov/pull/6821)
### Bug Fix
- **secrets:** fix empty diff scan - [#6822](https://github.com/bridgecrewio/checkov/pull/6822)
## [3.2.282](https://github.com/bridgecrewio/checkov/compare/3.2.281...3.2.282) - 2024-11-07
### Bug Fix
- **arm:** finish variable rendering and use definitions context - [#6814](https://github.com/bridgecrewio/checkov/pull/6814)
## [3.2.281](https://github.com/bridgecrewio/checkov/compare/3.2.280...3.2.281) - 2024-11-06
### Documentation
- **general:** Update Python versions and add env vars to the docs - [#6812](https://github.com/bridgecrewio/checkov/pull/6812)
## [3.2.280](https://github.com/bridgecrewio/checkov/compare/3.2.278...3.2.280) - 2024-11-05
### Bug Fix
- **arm:** add middleware function for platform integration for Arm definitions - [#6811](https://github.com/bridgecrewio/checkov/pull/6811)
- **secrets:** Update CKV_SECRET_4 to duplication list GENERIC_PRIVATE_KEY - [#6810](https://github.com/bridgecrewio/checkov/pull/6810)
- **terraform:** Add opensearch to CKV2_AWS_5 - [#6807](https://github.com/bridgecrewio/checkov/pull/6807)
## [3.2.278](https://github.com/bridgecrewio/checkov/compare/3.2.277...3.2.278) - 2024-11-04
### Bug Fix
- **arm:** Align arm definitions function arguments - [#6808](https://github.com/bridgecrewio/checkov/pull/6808)
## [3.2.277](https://github.com/bridgecrewio/checkov/compare/3.2.276...3.2.277) - 2024-11-03
### Bug Fix
- **secrets:** add detector for IbmCosHmac - [#6790](https://github.com/bridgecrewio/checkov/pull/6790)
## [3.2.276](https://github.com/bridgecrewio/checkov/compare/3.2.275...3.2.276) - 2024-10-31
### Bug Fix
- **terraform:** Fix possible exception when for_each data has boolean values - [#6733](https://github.com/bridgecrewio/checkov/pull/6733)
## [3.2.275](https://github.com/bridgecrewio/checkov/compare/3.2.271...3.2.275) - 2024-10-30
### Feature
- **arm:** Add arm definition context - [#6801](https://github.com/bridgecrewio/checkov/pull/6801)
### Bug Fix
- **cloudformation:** change parse log level - [#6794](https://github.com/bridgecrewio/checkov/pull/6794)
- **general:** pipenv==2024.0.3 - [#6803](https://github.com/bridgecrewio/checkov/pull/6803)
- **secrets:** omit all secrets value in line - [#6802](https://github.com/bridgecrewio/checkov/pull/6802)
- **terraform:** Security group attached to aws_mskconnect_connector is not recognized - [#6780](https://github.com/bridgecrewio/checkov/pull/6780)
## [3.2.271](https://github.com/bridgecrewio/checkov/compare/3.2.270...3.2.271) - 2024-10-29
### Feature
- **sca:** add enableDotnetCpm env var to sca scan request - [#6786](https://github.com/bridgecrewio/checkov/pull/6786)
## [3.2.270](https://github.com/bridgecrewio/checkov/compare/3.2.269...3.2.270) - 2024-10-28
### Feature
- **arm:** add variable and parameters edges and rendering - [#6787](https://github.com/bridgecrewio/checkov/pull/6787)
- **arm:** arm custom policy support - [#6769](https://github.com/bridgecrewio/checkov/pull/6769)
## [3.2.269](https://github.com/bridgecrewio/checkov/compare/3.2.268...3.2.269) - 2024-10-23
### Bug Fix
- **terraform:** Fix crash when version isn't a float - [#6783](https://github.com/bridgecrewio/checkov/pull/6783)
## [3.2.268](https://github.com/bridgecrewio/checkov/compare/3.2.267...3.2.268) - 2024-10-20
### Feature
- **terraform_plan:** Support after_unknown evaluation of complex attributes - [#6784](https://github.com/bridgecrewio/checkov/pull/6784)
## [3.2.267](https://github.com/bridgecrewio/checkov/compare/3.2.266...3.2.267) - 2024-10-16
- no noteworthy changes
## [3.2.266](https://github.com/bridgecrewio/checkov/compare/3.2.262...3.2.266) - 2024-10-15
### Feature
- **arm:** unsupported module soft fail - [#6775](https://github.com/bridgecrewio/checkov/pull/6775)
## [3.2.262](https://github.com/bridgecrewio/checkov/compare/3.2.258...3.2.262) - 2024-10-14
### Feature
- **terraform:** 2 new checks - [#6764](https://github.com/bridgecrewio/checkov/pull/6764)
- **terraform:** Add s3 data transport check - [#6763](https://github.com/bridgecrewio/checkov/pull/6763)
### Bug Fix
- **helm:** Remove helm target dir after scanning - [#6767](https://github.com/bridgecrewio/checkov/pull/6767)
- **kubernetes:** Handle non-string params in command - [#6768](https://github.com/bridgecrewio/checkov/pull/6768)
## [3.2.258](https://github.com/bridgecrewio/checkov/compare/3.2.257...3.2.258) - 2024-10-13
### Bug Fix
- **terraform:** Set timeout for parsing Terraform files with hcl2. - [#6759](https://github.com/bridgecrewio/checkov/pull/6759)
## [3.2.257](https://github.com/bridgecrewio/checkov/compare/3.2.256...3.2.257) - 2024-10-06
### Bug Fix
- **ansible:** handle empty tasks - [#6751](https://github.com/bridgecrewio/checkov/pull/6751)
## [3.2.256](https://github.com/bridgecrewio/checkov/compare/3.2.254...3.2.256) - 2024-10-01
### Feature
- **terraform:** New checks - [#6720](https://github.com/bridgecrewio/checkov/pull/6720)
### Bug Fix
- **general:** Fix operator docs - [#6735](https://github.com/bridgecrewio/checkov/pull/6735)
- **sca:** add Pipfile and Pipfile.lock to supported package files list - [#6746](https://github.com/bridgecrewio/checkov/pull/6746)
- **terraform:** extend CKV2_AWS_5 to include DMS Serverless (#6628) - [#6630](https://github.com/bridgecrewio/checkov/pull/6630)
- **terraform:** Remove dataproc.admin from multiple checks - [#6725](https://github.com/bridgecrewio/checkov/pull/6725)
- **terraform:** Security group attached to an Elastic DocumentDB cluster is not recognized by check CKV2_AWS_5 - [#6687](https://github.com/bridgecrewio/checkov/pull/6687)
### Documentation
- **general:** update README.md - [#6719](https://github.com/bridgecrewio/checkov/pull/6719)
## [3.2.254](https://github.com/bridgecrewio/checkov/compare/3.2.253...3.2.254) - 2024-09-15
### Bug Fix
- **terraform:** Added ssl_mode attribute support to CKV_GCP_6 - [#6703](https://github.com/bridgecrewio/checkov/pull/6703)
## [3.2.253](https://github.com/bridgecrewio/checkov/compare/3.2.251...3.2.253) - 2024-09-12
### Feature
- **general:** allow tool name field to be customised using cli arguments - [#6692](https://github.com/bridgecrewio/checkov/pull/6692)
- **secrets:** Change log level - [#6716](https://github.com/bridgecrewio/checkov/pull/6716)
- **terraform:** Add check for local user in storage - [#6715](https://github.com/bridgecrewio/checkov/pull/6715)
### Bug Fix
- **terraform:** Update CKV_AZURE_228 for automatic calculation - [#6714](https://github.com/bridgecrewio/checkov/pull/6714)
## [3.2.251](https://github.com/bridgecrewio/checkov/compare/3.2.250...3.2.251) - 2024-09-11
### Feature
- **general:** add severity metadata to custom policy - [#6579](https://github.com/bridgecrewio/checkov/pull/6579)
## [3.2.250](https://github.com/bridgecrewio/checkov/compare/3.2.249...3.2.250) - 2024-09-10
### Bug Fix
- **secrets:** fix suppressions and duplications - [#6710](https://github.com/bridgecrewio/checkov/pull/6710)
## [3.2.249](https://github.com/bridgecrewio/checkov/compare/3.2.246...3.2.249) - 2024-09-08
### Feature
- **general:** revert packages read permissions - [#6706](https://github.com/bridgecrewio/checkov/pull/6706)
- **terraform_plan:** remove secret - [#6705](https://github.com/bridgecrewio/checkov/pull/6705)
### Bug Fix
- **secrets:** fix suppression and duplication - [#6701](https://github.com/bridgecrewio/checkov/pull/6701)
- **secrets:** Revert suppression and duplication - [#6708](https://github.com/bridgecrewio/checkov/pull/6708)
- **terraform:** Fix foreach multi attributes in field - [#6707](https://github.com/bridgecrewio/checkov/pull/6707)
## [3.2.246](https://github.com/bridgecrewio/checkov/compare/3.2.245...3.2.246) - 2024-09-05
### Feature
- **sast:** add log level when running sast in windows - [#6704](https://github.com/bridgecrewio/checkov/pull/6704)
## [3.2.245](https://github.com/bridgecrewio/checkov/compare/3.2.242...3.2.245) - 2024-09-04
### Feature
- **kubernetes:** Add policy for git-sync code injection - [#6694](https://github.com/bridgecrewio/checkov/pull/6694)
- **terraform_plan:** add support for provider in tf_plan framework - [#6690](https://github.com/bridgecrewio/checkov/pull/6690)
## [3.2.242](https://github.com/bridgecrewio/checkov/compare/3.2.241...3.2.242) - 2024-09-02
### Feature
- **general:** add support for windows 10 for aiohttp - [#6696](https://github.com/bridgecrewio/checkov/pull/6696)
## [3.2.241](https://github.com/bridgecrewio/checkov/compare/3.2.239...3.2.241) - 2024-09-01
### Feature
- **sast:** remove the env var for Go - [#6697](https://github.com/bridgecrewio/checkov/pull/6697)
### Bug Fix
- **secrets:** add edge case for policy that looks like uuid - [#6698](https://github.com/bridgecrewio/checkov/pull/6698)
## [3.2.239](https://github.com/bridgecrewio/checkov/compare/3.2.238...3.2.239) - 2024-08-29
### Feature
- **general:** Add multiple checks to match runtime checks - [#6680](https://github.com/bridgecrewio/checkov/pull/6680)
## [3.2.238](https://github.com/bridgecrewio/checkov/compare/3.2.236...3.2.238) - 2024-08-27
### Feature
- **terraform:** add support for TF cloudsplaining evaluated_keys - [#6677](https://github.com/bridgecrewio/checkov/pull/6677)
### Bug Fix
- **secrets:** change logs from info to debug - [#6685](https://github.com/bridgecrewio/checkov/pull/6685)
## [3.2.236](https://github.com/bridgecrewio/checkov/compare/3.2.235...3.2.236) - 2024-08-26
- no noteworthy changes
## [3.2.235](https://github.com/bridgecrewio/checkov/compare/3.2.234...3.2.235) - 2024-08-21
### Feature
- **cloudformation:** SAM Globals support with CloudFormation - [#6657](https://github.com/bridgecrewio/checkov/pull/6657)
## [3.2.234](https://github.com/bridgecrewio/checkov/compare/3.2.232...3.2.234) - 2024-08-20
### Feature
- **sast:** Adding support for sast in windows - [#6638](https://github.com/bridgecrewio/checkov/pull/6638)
### Bug Fix
- **secrets:** revert duplications suppressions for secrets - [#6674](https://github.com/bridgecrewio/checkov/pull/6674)
## [3.2.232](https://github.com/bridgecrewio/checkov/compare/3.2.230...3.2.232) - 2024-08-19
### Bug Fix
- **general:** add try except to loads file - [#6668](https://github.com/bridgecrewio/checkov/pull/6668)
- **secrets:** duplications suppressions for secrets - [#6665](https://github.com/bridgecrewio/checkov/pull/6665)
## [3.2.230](https://github.com/bridgecrewio/checkov/compare/3.2.228...3.2.230) - 2024-08-18
### Feature
- **general:** Support multiple frameworks in custom policy - [#6666](https://github.com/bridgecrewio/checkov/pull/6666)
### Bug Fix
- **general:** revert support multiple frameworks in one custom policy - [#6664](https://github.com/bridgecrewio/checkov/pull/6664)
## [3.2.228](https://github.com/bridgecrewio/checkov/compare/3.2.223...3.2.228) - 2024-08-15
### Feature
- **terraform:** Add build policy to match run policy for API Method without Auth or API - [#6637](https://github.com/bridgecrewio/checkov/pull/6637)
### Bug Fix
- **secrets:** remove dups logic - [#6655](https://github.com/bridgecrewio/checkov/pull/6655)
- **secrets:** Revert remove dups - [#6656](https://github.com/bridgecrewio/checkov/pull/6656)
- **terraform:** Don't pass existing resources to non_exists resource checks - [#6653](https://github.com/bridgecrewio/checkov/pull/6653)
## [3.2.223](https://github.com/bridgecrewio/checkov/compare/3.2.221...3.2.223) - 2024-08-13
### Bug Fix
- **secrets:** remove duplications in secrets - [#6648](https://github.com/bridgecrewio/checkov/pull/6648)
- **secrets:** revert fixing duplications - [#6652](https://github.com/bridgecrewio/checkov/pull/6652)
## [3.2.221](https://github.com/bridgecrewio/checkov/compare/3.2.219...3.2.221) - 2024-08-12
### Bug Fix
- **terraform:** evaluate resource with double underscore - [#6642](https://github.com/bridgecrewio/checkov/pull/6642)
## [3.2.219](https://github.com/bridgecrewio/checkov/compare/3.2.217...3.2.219) - 2024-08-05
### Feature
- **general:** support multiple frameworks in one custom policy - [#6587](https://github.com/bridgecrewio/checkov/pull/6587)
- **terraform:** Add run policy for RDS encryption in transit - [#6631](https://github.com/bridgecrewio/checkov/pull/6631)
### Documentation
- **general:** Add OpenTofu - [#6627](https://github.com/bridgecrewio/checkov/pull/6627)
## [3.2.217](https://github.com/bridgecrewio/checkov/compare/3.2.216...3.2.217) - 2024-07-31
- no noteworthy changes
## [3.2.216](https://github.com/bridgecrewio/checkov/compare/3.2.213...3.2.216) - 2024-07-30
### Feature
- **sast:** Verify that all sast policies are parsed correctly - [#6621](https://github.com/bridgecrewio/checkov/pull/6621)
### Bug Fix
- **secrets:** fix secrets duplication - [#6619](https://github.com/bridgecrewio/checkov/pull/6619)
- **secrets:** fix secrets duplication - Revert - [#6623](https://github.com/bridgecrewio/checkov/pull/6623)
## [3.2.213](https://github.com/bridgecrewio/checkov/compare/3.2.209...3.2.213) - 2024-07-29
### Feature
- **arm:** ARM AppServiceInstanceMinimum - CKV_AZURE_212 - [#6502](https://github.com/bridgecrewio/checkov/pull/6502)
- **terraform:** TF and CFN - Add a policy ensuring AWS Bedrock Agent is encrypted with a CMK - [#6603](https://github.com/bridgecrewio/checkov/pull/6603)
### Bug Fix
- **ansible:** Fix CKV2_ANSIBLE_2 - [#6610](https://github.com/bridgecrewio/checkov/pull/6610)
- **arm:** Support upper and lower disabled for CKV_AZURE_189 - [#6609](https://github.com/bridgecrewio/checkov/pull/6609)
- **dockerfile:** Fix edge case with apt in domain - [#6611](https://github.com/bridgecrewio/checkov/pull/6611)
- **terraform_plan:** Fix parsing other types of provisioners - [#6606](https://github.com/bridgecrewio/checkov/pull/6606)
- **terraform:** add condition for CKV_AWS_353 - [#6607](https://github.com/bridgecrewio/checkov/pull/6607)
- **terraform:** catch unknowns with WAF configs - [#6612](https://github.com/bridgecrewio/checkov/pull/6612)
- **terraform:** Handle default for CKV_GCP_76 - [#6608](https://github.com/bridgecrewio/checkov/pull/6608)
## [3.2.209](https://github.com/bridgecrewio/checkov/compare/3.2.208...3.2.209) - 2024-07-28
### Feature
- **cloudformation:** Enrich cloudsplaining eval keys - [#6602](https://github.com/bridgecrewio/checkov/pull/6602)
### Documentation
- **general:** add --repo-id to relevant examples with API key - [#6605](https://github.com/bridgecrewio/checkov/pull/6605)
## [3.2.208](https://github.com/bridgecrewio/checkov/compare/3.2.204...3.2.208) - 2024-07-25
### Feature
- **general:** filter resource by provider for all resources types - [#6598](https://github.com/bridgecrewio/checkov/pull/6598)
- **secrets:** add CKV_SECRET_192 to GENERIC_PRIVATE_KEY_CHECK_IDS - [#6600](https://github.com/bridgecrewio/checkov/pull/6600)
- **terraform:** Update ckv-aws-8 policy - support unknown statement - [#6596](https://github.com/bridgecrewio/checkov/pull/6596)
### Bug Fix
- **terraform:** Fix resource type for CKV_AZURE_242 - [#6599](https://github.com/bridgecrewio/checkov/pull/6599)
### Platform
- **general:** handle multiple values for the same metadata filter - [#6604](https://github.com/bridgecrewio/checkov/pull/6604)
## [3.2.204](https://github.com/bridgecrewio/checkov/compare/3.2.201...3.2.204) - 2024-07-24
### Feature
- **arm:** add CKV_AZURE_191 to ensure that Managed identity provider is enabled for Azure Event Grid Topic - [#6496](https://github.com/bridgecrewio/checkov/pull/6496)
### Bug Fix
- **sast:** BCE-36172 fix cdk policies - [#6588](https://github.com/bridgecrewio/checkov/pull/6588)
## [3.2.201](https://github.com/bridgecrewio/checkov/compare/3.2.199...3.2.201) - 2024-07-23
### Feature
- **terraform:** add 14 rules for tencentcloud provider - [#6448](https://github.com/bridgecrewio/checkov/pull/6448)
### Bug Fix
- **secrets:** fix secrets prerun bug - [#6594](https://github.com/bridgecrewio/checkov/pull/6594)
- **terraform:** Exclude String in CKV_AWS_337 - [#6592](https://github.com/bridgecrewio/checkov/pull/6592)
## [3.2.199](https://github.com/bridgecrewio/checkov/compare/3.2.196...3.2.199) - 2024-07-22
### Feature
- **arm:** add CKV_AZURE_87 to ensure that Azure Defender is set to On for Key Vault - [#6418](https://github.com/bridgecrewio/checkov/pull/6418)
- **arm:** ARM VnetSingleDNSServer - [#6379](https://github.com/bridgecrewio/checkov/pull/6379)
- **secrets:** Adding the option to prerun before multiline pattern executing - [#6586](https://github.com/bridgecrewio/checkov/pull/6586)
- **secrets:** If the prerun regex is found but we already scanned the file we already scann… - [#6591](https://github.com/bridgecrewio/checkov/pull/6591)
## [3.2.196](https://github.com/bridgecrewio/checkov/compare/3.2.194...3.2.196) - 2024-07-21
### Feature
- **general:** Add metadata exception filter to GHA - [#6583](https://github.com/bridgecrewio/checkov/pull/6583)
- **general:** Refactor all resource type handling in Checkov - [#6572](https://github.com/bridgecrewio/checkov/pull/6572)
## [3.2.194](https://github.com/bridgecrewio/checkov/compare/3.2.193...3.2.194) - 2024-07-18
### Feature
- **arm:** AKSEncryptionAtHostEnable - [#6575](https://github.com/bridgecrewio/checkov/pull/6575)
- **arm:** AKSEphemeralOSDisks - [#6578](https://github.com/bridgecrewio/checkov/pull/6578)
- **arm:** CKV_AZURE_92 to Ensure that Virtual Machines use managed disks - [#6455](https://github.com/bridgecrewio/checkov/pull/6455)
- **arm:** FrontDoorWAFACLCVE202144228 - Mitigates the Log4j2 vulnerability CVE-2021-44228. - [#6419](https://github.com/bridgecrewio/checkov/pull/6419)
### Bug Fix
- **general:** fix the right numbers in TestSkipJsonRegexPattern - [#6580](https://github.com/bridgecrewio/checkov/pull/6580)
- **terraform:** Fix title of CKV_AZURE_238 - [#6570](https://github.com/bridgecrewio/checkov/pull/6570)
## [3.2.193](https://github.com/bridgecrewio/checkov/compare/3.2.191...3.2.193) - 2024-07-17
### Bug Fix
- **terraform:** fix failures of no caller on definition context - [#6573](https://github.com/bridgecrewio/checkov/pull/6573)
- **terraform:** TFPlan + TF fixes for google_project_iam_policy + google_iam_policy - [#6577](https://github.com/bridgecrewio/checkov/pull/6577)
## [3.2.191](https://github.com/bridgecrewio/checkov/compare/3.2.190...3.2.191) - 2024-07-16
### Bug Fix
- **general:** fix sca unit tests for python 3.12 - [#6574](https://github.com/bridgecrewio/checkov/pull/6574)
## [3.2.190](https://github.com/bridgecrewio/checkov/compare/3.2.189...3.2.190) - 2024-07-15
- no noteworthy changes
## [3.2.189](https://github.com/bridgecrewio/checkov/compare/3.2.186...3.2.189) - 2024-07-14
### Feature
- **arm:** add CKV_AZURE_169 to ensure that AKS use the Paid Sku for its SLA - [#6545](https://github.com/bridgecrewio/checkov/pull/6545)
- **arm:** add CKV_AZURE_177 to ensure that Windows VM enables automatic updates - [#6484](https://github.com/bridgecrewio/checkov/pull/6484)
- **cloudformation:** Update audit_logs valid values - [#6566](https://github.com/bridgecrewio/checkov/pull/6566)
## [3.2.186](https://github.com/bridgecrewio/checkov/compare/3.2.183...3.2.186) - 2024-07-11
### Feature
- **azure:** add new policies for Azure Synapse (tf and arm) - [#6554](https://github.com/bridgecrewio/checkov/pull/6554)
- **bicep:** support bicep custom policy - [#6561](https://github.com/bridgecrewio/checkov/pull/6561)
### Bug Fix
- **arm:** CKV_AZURE_56 just for authsettingsV2 name - [#6557](https://github.com/bridgecrewio/checkov/pull/6557)
- **secrets:** filter secrets that have vault: in them - [#6565](https://github.com/bridgecrewio/checkov/pull/6565)
## [3.2.183](https://github.com/bridgecrewio/checkov/compare/3.2.179...3.2.183) - 2024-07-10
### Feature
- **terraform_plan:** support tf_plan after_unknown enrichment - [#6517](https://github.com/bridgecrewio/checkov/pull/6517)
### Bug Fix
- **secrets:** small fix for filtering - [#6562](https://github.com/bridgecrewio/checkov/pull/6562)
### Platform
- **general:** pass repo ID to runconfig - [#6560](https://github.com/bridgecrewio/checkov/pull/6560)
## [3.2.179](https://github.com/bridgecrewio/checkov/compare/3.2.177...3.2.179) - 2024-07-09
### Feature
- **arm:** add CKV_AZURE_206 to ensure that Storage Accounts use replication - [#6524](https://github.com/bridgecrewio/checkov/pull/6524)
- **arm:** BCE-33785 Support Azure Synapse Analytics policies - [#6513](https://github.com/bridgecrewio/checkov/pull/6513)
## [3.2.177](https://github.com/bridgecrewio/checkov/compare/3.2.175...3.2.177) - 2024-07-08
### Bug Fix
- **sast:** fix cdk policies - [#6552](https://github.com/bridgecrewio/checkov/pull/6552)
## [3.2.175](https://github.com/bridgecrewio/checkov/compare/3.2.174...3.2.175) - 2024-07-07
### Feature
- **arm:** AzureSearchSQLQueryUpdates - [#6543](https://github.com/bridgecrewio/checkov/pull/6543)
## [3.2.174](https://github.com/bridgecrewio/checkov/compare/3.2.171...3.2.174) - 2024-07-04
### Feature
- **arm:** add CKV_AZURE_172 to ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters - [#6533](https://github.com/bridgecrewio/checkov/pull/6533)
- **arm:** add CKV_AZURE_173 to ensure that API management uses at least TLS 1.2 - [#6478](https://github.com/bridgecrewio/checkov/pull/6478)
- **arm:** AppServicePlanZoneRedundant - [#6472](https://github.com/bridgecrewio/checkov/pull/6472)
- **arm:** AzureSearchSLAIndex - [#6530](https://github.com/bridgecrewio/checkov/pull/6530)
- **arm:** SQLDatabaseZoneRedundant - [#6515](https://github.com/bridgecrewio/checkov/pull/6515)
- **azure:** add new policies for Azure Synapse - [#6520](https://github.com/bridgecrewio/checkov/pull/6520)
- **general:** update detect secrets package - [#6535](https://github.com/bridgecrewio/checkov/pull/6535)
## [3.2.171](https://github.com/bridgecrewio/checkov/compare/3.2.164...3.2.171) - 2024-07-03
### Feature
- **arm:** add CKV_AZURE_171 to ensure that AKS cluster upgrade channel is chosen - [#6532](https://github.com/bridgecrewio/checkov/pull/6532)
- **arm:** add CKV_AZURE_175 to ensure that Web PubSub uses a SKU with an SLA - [#6523](https://github.com/bridgecrewio/checkov/pull/6523)
- **arm:** add CKV_AZURE_178 to ensure that linux VM enables SSH with keys for secure communication - [#6486](https://github.com/bridgecrewio/checkov/pull/6486)
- **arm:** add CKV_AZURE_85 to ensure that Azure Defender is set to On for Kubernetes - [#6279](https://github.com/bridgecrewio/checkov/pull/6279)
- **arm:** CKV_AZURE_99 to Ensure Cosmos DB accounts have restricted access - [#6498](https://github.com/bridgecrewio/checkov/pull/6498)
- **arm:** DataFactoryNoPublicNetworkAccess - [#6479](https://github.com/bridgecrewio/checkov/pull/6479)
- **arm:** DataLakeStoreEncryption - [#6516](https://github.com/bridgecrewio/checkov/pull/6516)
- **arm:** EventHubNamespaceMinTLS12 - [#6485](https://github.com/bridgecrewio/checkov/pull/6485)
### Bug Fix
- **openapi:** [CKV_OPENAPI_3] Prevent false-positive when checking for http+!basic - [#6406](https://github.com/bridgecrewio/checkov/pull/6406)
- **terraform_json:** support locals block in CDKTF output - [#6452](https://github.com/bridgecrewio/checkov/pull/6452)
- **terraform:** Deprecate CKV2_AWS_67 - [#6529](https://github.com/bridgecrewio/checkov/pull/6529)
## [3.2.164](https://github.com/bridgecrewio/checkov/compare/3.2.163...3.2.164) - 2024-07-02
### Documentation
- **general:** Add Python note - [#6521](https://github.com/bridgecrewio/checkov/pull/6521)
## [3.2.163](https://github.com/bridgecrewio/checkov/compare/3.2.159...3.2.163) - 2024-07-01
### Feature
- **arm:** add CKV_AZURE_174 to ensure that API management public access is disabled - [#6480](https://github.com/bridgecrewio/checkov/pull/6480)
- **arm:** AppServicePHPVersion - [#6436](https://github.com/bridgecrewio/checkov/pull/6436)
- **arm:** AppServicePublicAccessDisabled - [#6467](https://github.com/bridgecrewio/checkov/pull/6467)
- **arm:** KeyVaultEnablesPurgeProtection - [#6465](https://github.com/bridgecrewio/checkov/pull/6465)
- **arm:** PubsubSpecifyIdentity - [#6483](https://github.com/bridgecrewio/checkov/pull/6483)
## [3.2.159](https://github.com/bridgecrewio/checkov/compare/3.2.156...3.2.159) - 2024-06-30
### Bug Fix
- **arm:** fix CKV_AZURE_78: `siteConfig` object should be under `properties` - [#6477](https://github.com/bridgecrewio/checkov/pull/6477)
- **general:** Mypy issues - [#6510](https://github.com/bridgecrewio/checkov/pull/6510)
- **terraform:** ignore commented-out modules - [#6507](https://github.com/bridgecrewio/checkov/pull/6507)
## [3.2.156](https://github.com/bridgecrewio/checkov/compare/3.2.145...3.2.156) - 2024-06-27
### Feature
- **arm:** add CKV_AZURE_129 Ensure that MariaDB server enables geo-redundant backups - [#6427](https://github.com/bridgecrewio/checkov/pull/6427)
- **arm:** add CKV_AZURE_137 Ensure ACR admin account is disabled - [#6430](https://github.com/bridgecrewio/checkov/pull/6430)
- **arm:** add CKV_AZURE_139 Ensure ACR set to disable public networking - [#6428](https://github.com/bridgecrewio/checkov/pull/6428)
- **arm:** add CKV_AZURE_166 Ensure container image quarantine, scan, and mark images verified - [#6431](https://github.com/bridgecrewio/checkov/pull/6431)
- **arm:** add CKV_AZURE_168 to ensure that Azure Kubernetes Cluster (AKS) nodes use a minimum of 50 pods - [#6385](https://github.com/bridgecrewio/checkov/pull/6385)
- **arm:** add CKV_AZURE_45 to ensure that no sensitive credentials are exposed in VM custom_data - [#6422](https://github.com/bridgecrewio/checkov/pull/6422)
- **arm:** add CKV_AZURE_70 to ensure that Function apps is only accessible over HTTPS - [#6457](https://github.com/bridgecrewio/checkov/pull/6457)
- **arm:** ARM AppServiceSlotDebugDisabled - CKV_AZURE_155 - [#6453](https://github.com/bridgecrewio/checkov/pull/6453)
- **arm:** ARM AppServiceSlotHTTPSOnly - [#6454](https://github.com/bridgecrewio/checkov/pull/6454)
- **arm:** ARM VnetLocalDNS - [#6424](https://github.com/bridgecrewio/checkov/pull/6424)
- **arm:** PostgressSQLGeoBackupEnabled - [#6456](https://github.com/bridgecrewio/checkov/pull/6456)
- **arm:** StorageAccountName - [#6426](https://github.com/bridgecrewio/checkov/pull/6426)
- **secrets:** dont filter secrets - [#6508](https://github.com/bridgecrewio/checkov/pull/6508)
### Bug Fix
- **azure:** fix description of CKV_AZURE_236 - [#6503](https://github.com/bridgecrewio/checkov/pull/6503)
- **kubernetes:** Fix CKV_K8S_31 for CronJobs - [#6506](https://github.com/bridgecrewio/checkov/pull/6506)
- **sca:** fix parsing json with comments - [#6509](https://github.com/bridgecrewio/checkov/pull/6509)
- **terraform:** CKV_AWS_339 add Kubernetes 1.30 to AWS EKS version checks - [#6353](https://github.com/bridgecrewio/checkov/pull/6353)
- **terraform:** remove print from CKV_AWS_364 - [#6504](https://github.com/bridgecrewio/checkov/pull/6504)
## [3.2.145](https://github.com/bridgecrewio/checkov/compare/3.2.144...3.2.145) - 2024-06-25
### Documentation
- **general:** Note for feature requests - [#6497](https://github.com/bridgecrewio/checkov/pull/6497)
## [3.2.144](https://github.com/bridgecrewio/checkov/compare/3.2.141...3.2.144) - 2024-06-23
### Bug Fix
- **kubernetes:** ensure seccompProfile is set to RuntimeDefault for all containers in deployments and similar resources - [#6459](https://github.com/bridgecrewio/checkov/pull/6459)
- **terraform:** Add more conditions for CKV_AWS_70 - [#6464](https://github.com/bridgecrewio/checkov/pull/6464)
## [3.2.141](https://github.com/bridgecrewio/checkov/compare/3.2.140...3.2.141) - 2024-06-19
### Bug Fix
- **secrets:** dedup secrets history values - [#6462](https://github.com/bridgecrewio/checkov/pull/6462)
## [3.2.140](https://github.com/bridgecrewio/checkov/compare/3.2.138...3.2.140) - 2024-06-18
### Feature
- **azure:** fix ckv_azure_189 according to docs - [#6413](https://github.com/bridgecrewio/checkov/pull/6413)
### Bug Fix
- **sca:** Support parsing json with comments - [#6466](https://github.com/bridgecrewio/checkov/pull/6466)
### Documentation
- **general:** fix pre-commit link - [#6433](https://github.com/bridgecrewio/checkov/pull/6433)
## [3.2.138](https://github.com/bridgecrewio/checkov/compare/3.2.136...3.2.138) - 2024-06-17
### Feature
- **graph:** support creation of resource type allow/deny lists - [#6451](https://github.com/bridgecrewio/checkov/pull/6451)
### Bug Fix
- **terraform:** Fix name of CKV2_AWS_67 to be more clear - [#6434](https://github.com/bridgecrewio/checkov/pull/6434)
- **terraform:** Fix when apt is in rm statement - [#6437](https://github.com/bridgecrewio/checkov/pull/6437)
- **terraform:** Update CKV_AWS_224 title - [#6435](https://github.com/bridgecrewio/checkov/pull/6435)
## [3.2.136](https://github.com/bridgecrewio/checkov/compare/3.2.133...3.2.136) - 2024-06-13
### Bug Fix
- **arm:** Correct AzureMLWorkspacePrivateEndpoint rule check logic - [#6432](https://github.com/bridgecrewio/checkov/pull/6432)
- **general:** removed Putin references - [#6445](https://github.com/bridgecrewio/checkov/pull/6445)
## [3.2.133](https://github.com/bridgecrewio/checkov/compare/3.2.130...3.2.133) - 2024-06-10
### Feature
- **general:** add AI_AND_ML to CheckCategories - [#6423](https://github.com/bridgecrewio/checkov/pull/6423)
### Bug Fix
- **sast:** Update CKV IDs for CDK policies - [#6415](https://github.com/bridgecrewio/checkov/pull/6415)
## [3.2.130](https://github.com/bridgecrewio/checkov/compare/3.2.128...3.2.130) - 2024-06-09
### Feature
- **arm:** add CKV_AZURE_135 to ensure Application Gateway WAF prevents message lookup in Log4j2. - [#6364](https://github.com/bridgecrewio/checkov/pull/6364)
- **arm:** add CKV_AZURE_140 to ensure that Local Authentication is disabled on CosmosDB - [#6329](https://github.com/bridgecrewio/checkov/pull/6329)
- **arm:** add CKV_AZURE_163 Enable vulnerability scanning for container images - [#6339](https://github.com/bridgecrewio/checkov/pull/6339)
- **arm:** add MariaDbPublicAccessDisabled convert policy to arm - [#6246](https://github.com/bridgecrewio/checkov/pull/6246)
- **arm:** AKSLocalAdminDisabled - [#6334](https://github.com/bridgecrewio/checkov/pull/6334)
- **arm:** AppServiceFTPSState - [#6363](https://github.com/bridgecrewio/checkov/pull/6363)
- **arm:** AzureServiceFabricClusterProtectionLevel - [#6366](https://github.com/bridgecrewio/checkov/pull/6366)
- **arm:** ensure ACR disables anonymous pulling of images (CKV_AZURE_138) - [#6373](https://github.com/bridgecrewio/checkov/pull/6373)
- **arm:** KeyVaultDisablesPublicNetworkAccess - [#6342](https://github.com/bridgecrewio/checkov/pull/6342)
- **arm:** PostgreSQLServerPublicAccessDisabled - [#6330](https://github.com/bridgecrewio/checkov/pull/6330)
- **terraform:** extract image referencers for AWS SageMaker - [#6408](https://github.com/bridgecrewio/checkov/pull/6408)
### Bug Fix
- **ansible:** add dict check in create_tasks_vertices - [#6417](https://github.com/bridgecrewio/checkov/pull/6417)
## [3.2.128](https://github.com/bridgecrewio/checkov/compare/3.2.125...3.2.128) - 2024-06-06
### Feature
- **azure:** drop support for dotnet v7.0 - [#6383](https://github.com/bridgecrewio/checkov/pull/6383)
- **general:** Image Referencer should not run for CI workflow files - [#6386](https://github.com/bridgecrewio/checkov/pull/6386)
- **secrets:** Add _prioritise_secrets by 3 levels of severity - [#6390](https://github.com/bridgecrewio/checkov/pull/6390)
- **terraform:** add 5 policies - [#6401](https://github.com/bridgecrewio/checkov/pull/6401)
- **terraform:** add 6 policies - [#6396](https://github.com/bridgecrewio/checkov/pull/6396)
- **terraform:** add fix for ckv_aws_300 - [#6404](https://github.com/bridgecrewio/checkov/pull/6404)
- **terraform:** add fix for not contains solver - [#6389](https://github.com/bridgecrewio/checkov/pull/6389)
### Bug Fix
- **ansible:** filter conf if it's an int or float - [#6409](https://github.com/bridgecrewio/checkov/pull/6409)
- **general:** add try/except around github_action read file - [#6411](https://github.com/bridgecrewio/checkov/pull/6411)
- **general:** bitbucket integration test failure - [#6407](https://github.com/bridgecrewio/checkov/pull/6407)
- **general:** CKV2_AZURE_50 generates false positive azurerm_storage_account violations - [#6391](https://github.com/bridgecrewio/checkov/pull/6391)
- **sast:** add log for sast on windows - [#6397](https://github.com/bridgecrewio/checkov/pull/6397)
## [3.2.125](https://github.com/bridgecrewio/checkov/compare/3.2.124...3.2.125) - 2024-06-03
### Feature
- **arm:** Add check for AzureML workspace not configured with private endpoint - [#6387](https://github.com/bridgecrewio/checkov/pull/6387)
## [3.2.124](https://github.com/bridgecrewio/checkov/compare/3.2.122...3.2.124) - 2024-06-02
### Feature
- **azure:** Add policy to ensure proper AzureML Workspace network access - [#6362](https://github.com/bridgecrewio/checkov/pull/6362)
- **azure:** Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible - [#6368](https://github.com/bridgecrewio/checkov/pull/6368)
## [3.2.122](https://github.com/bridgecrewio/checkov/compare/3.2.121...3.2.122) - 2024-06-01
### Feature
- **arm:** AppServicePythonVersion - 82 check the 'python version' is the latest, if used to run the web app - [#6282](https://github.com/bridgecrewio/checkov/pull/6282)
## [3.2.121](https://github.com/bridgecrewio/checkov/compare/3.2.119...3.2.121) - 2024-05-31
### Feature
- **terraform:** AWS SageMaker notebook instance KMS Key - [#6374](https://github.com/bridgecrewio/checkov/pull/6374)
- **terraform:** CognitiveServicesConfigureIdentity - new check - [#6378](https://github.com/bridgecrewio/checkov/pull/6378)
- **terraform:** Ensure that Cognitive Services accounts enable local authentication - new check - [#6377](https://github.com/bridgecrewio/checkov/pull/6377)
## [3.2.119](https://github.com/bridgecrewio/checkov/compare/3.2.112...3.2.119) - 2024-05-30
### Feature
- **arm:** add FunctionAppsEnableAuthentication - Checking if a certain field exists - [#6250](https://github.com/bridgecrewio/checkov/pull/6250)
- **terraform:** Add more conditions to CKV_AWS_70 - [#6371](https://github.com/bridgecrewio/checkov/pull/6371)
- **terraform:** Added the CKV2_AWS_68 Check for TF and CFN - [#6369](https://github.com/bridgecrewio/checkov/pull/6369)
### Bug Fix
- **ansible:** set task as ansible vertices config - [#6376](https://github.com/bridgecrewio/checkov/pull/6376)
- **terraform:** for_each/count attribute wasn't rendering if referencing a dynamic variable of a higher level module - [#6372](https://github.com/bridgecrewio/checkov/pull/6372)
## [3.2.112](https://github.com/bridgecrewio/checkov/compare/3.2.108...3.2.112) - 2024-05-29
### Feature
- **terraform:** Add provider address to resources - [#6266](https://github.com/bridgecrewio/checkov/pull/6266)
- **terraform:** Support for count & for_each in data blocks - [#6359](https://github.com/bridgecrewio/checkov/pull/6359)
### Bug Fix
- **terraform:** Fix an issue for loading tfvars + issue in the dynamic rendering - [#6360](https://github.com/bridgecrewio/checkov/pull/6360)
## [3.2.108](https://github.com/bridgecrewio/checkov/compare/3.2.107...3.2.108) - 2024-05-26
### Bug Fix
- **sast:** don't scan hidden files - [#6349](https://github.com/bridgecrewio/checkov/pull/6349)
## [3.2.107](https://github.com/bridgecrewio/checkov/compare/3.2.106...3.2.107) - 2024-05-24
### Bug Fix
- **terraform:** Handle registry modules with a version in CKV_TF_2 - [#6354](https://github.com/bridgecrewio/checkov/pull/6354)
## [3.2.106](https://github.com/bridgecrewio/checkov/compare/3.2.105...3.2.106) - 2024-05-23
### Feature
- **arm:** Ensure Databricks Workspace data plane to control plane co… - [#6319](https://github.com/bridgecrewio/checkov/pull/6319)
- **general:** TF and ARM - Ensure that Databricks Workspaces enable… - [#6313](https://github.com/bridgecrewio/checkov/pull/6313)
- **secrets:** Bump detect-secrets - [#6346](https://github.com/bridgecrewio/checkov/pull/6346)
## [3.2.105](https://github.com/bridgecrewio/checkov/compare/3.2.100...3.2.105) - 2024-05-22
### Feature
- **arm:** add AppServiceJavaVersion - [#6258](https://github.com/bridgecrewio/checkov/pull/6258)
- **arm:** add CKV_AZURE_145 to check that the function app uses the latest version of TLS encryption - [#6323](https://github.com/bridgecrewio/checkov/pull/6323)
- **arm:** add CKV_AZURE_218 to ensure that Application Gateway defines secure protocols for in-transit communication (App GW defines secure protocols) - [#6320](https://github.com/bridgecrewio/checkov/pull/6320)
- **arm:** add CKV_AZURE_54 to ensure a minimal TLS version is enforced for the server - [#6270](https://github.com/bridgecrewio/checkov/pull/6270)
- **arm:** add CKV_AZURE_71 to Ensure that Managed identity provider is enabled for web apps - [#6272](https://github.com/bridgecrewio/checkov/pull/6272)
- **arm:** add CKV_AZURE_72 to ensure that remote debugging is not enabled for app services - [#6281](https://github.com/bridgecrewio/checkov/pull/6281)
- **arm:** AzureDefenderOStorage - [#6269](https://github.com/bridgecrewio/checkov/pull/6269)
- **arm:** MySQLPublicAccessDisabled - Azure MySQL: Restrict Public Access - [#6263](https://github.com/bridgecrewio/checkov/pull/6263)
- **arm:** StorageSyncPublicAccessDisabled - [#6331](https://github.com/bridgecrewio/checkov/pull/6331)
- **secrets:** eliminate false positives in entropy keyword combinator detector - [#6327](https://github.com/bridgecrewio/checkov/pull/6327)
### Bug Fix
- **ansible:** fix ansible resource id in local graph - [#6344](https://github.com/bridgecrewio/checkov/pull/6344)
- **secrets:** fix entropy type - [#6347](https://github.com/bridgecrewio/checkov/pull/6347)
## [3.2.100](https://github.com/bridgecrewio/checkov/compare/3.2.98...3.2.100) - 2024-05-21
### Feature
- **sast:** TS-legacy-checks - [#6311](https://github.com/bridgecrewio/checkov/pull/6311)
- **secrets:** entropy limit as env variable - [#6332](https://github.com/bridgecrewio/checkov/pull/6332)
## [3.2.98](https://github.com/bridgecrewio/checkov/compare/3.2.97...3.2.98) - 2024-05-20
### Bug Fix
- **terraform:** Remove invalid CIDRs in CKV2_AWS_44 - [#6301](https://github.com/bridgecrewio/checkov/pull/6301)
## [3.2.97](https://github.com/bridgecrewio/checkov/compare/3.2.95...3.2.97) - 2024-05-19
### Feature
- **arm:** add CKV_AZURE_73 to ensure that Automation account variables are encrypted - [#6271](https://github.com/bridgecrewio/checkov/pull/6271)
- **arm:** add CKV_AZURE_76 to ensure that Azure Batch account uses key vault to encrypt data - [#6280](https://github.com/bridgecrewio/checkov/pull/6280)
- **arm:** add FunctionAppDisallowCORS - password correctness check - [#6248](https://github.com/bridgecrewio/checkov/pull/6248)
- **arm:** ARM FunctionAppHttpVersionLatest policy - [#6244](https://github.com/bridgecrewio/checkov/pull/6244)
- **arm:** CKV_AZURE_74 to Ensure that Azure Data Explorer (Kusto) uses disk encryption - [#6273](https://github.com/bridgecrewio/checkov/pull/6273)
- **arm:** MSSQLServerMinTLSVersion - [#6245](https://github.com/bridgecrewio/checkov/pull/6245)
## [3.2.95](https://github.com/bridgecrewio/checkov/compare/3.2.94...3.2.95) - 2024-05-17
### Bug Fix
- **terraform:** handle module source tag ref when it is not the first parameter - [#6314](https://github.com/bridgecrewio/checkov/pull/6314)
## [3.2.94](https://github.com/bridgecrewio/checkov/compare/3.2.92...3.2.94) - 2024-05-16
### Bug Fix
- **sast:** fix random test sast js - [#6315](https://github.com/bridgecrewio/checkov/pull/6315)
### Platform
- **general:** Double-Encode URI for RelayState Parameter - [#6302](https://github.com/bridgecrewio/checkov/pull/6302)
## [3.2.92](https://github.com/bridgecrewio/checkov/compare/3.2.91...3.2.92) - 2024-05-15
### Feature
- **sast:** CDK TypeScript policies - [#6161](https://github.com/bridgecrewio/checkov/pull/6161)
- **terraform:** add check for tf module versioned tag - [#6213](https://github.com/bridgecrewio/checkov/pull/6213)
### Bug Fix
- **secrets:** secret_filter_block_list filter by file name and suffixes - [#6285](https://github.com/bridgecrewio/checkov/pull/6285)
- **secrets:** secret_filter_block_list filter by file name and suffixes 2 - [#6306](https://github.com/bridgecrewio/checkov/pull/6306)
### Platform
- **general:** Fix policy.name to use the spaces as specified on CLI. - [#6296](https://github.com/bridgecrewio/checkov/pull/6296)
## [3.2.91](https://github.com/bridgecrewio/checkov/compare/3.2.90...3.2.91) - 2024-05-12
### Feature
- **secrets:** bump bc-detect-secrets to 1.5.10 - [#6297](https://github.com/bridgecrewio/checkov/pull/6297)
## [3.2.90](https://github.com/bridgecrewio/checkov/compare/3.2.85...3.2.90) - 2024-05-09
### Feature
- **general:** Add deep-analysis to GHA - [#6288](https://github.com/bridgecrewio/checkov/pull/6288)
- **terraform:** Add more hype policies - [#6239](https://github.com/bridgecrewio/checkov/pull/6239)
### Bug Fix
- **ansible:** fix ansible definitions raw type - [#6292](https://github.com/bridgecrewio/checkov/pull/6292)
### Platform
- **ansible:** add set definitions raw to ansible runner - [#6286](https://github.com/bridgecrewio/checkov/pull/6286)
- **general:** Handle SAST suppressions (suppressions V2) - [#6109](https://github.com/bridgecrewio/checkov/pull/6109)
### Documentation
- **general:** add RENDER_EDGES_DUPLICATE_ITER_COUNT to docs - [#6291](https://github.com/bridgecrewio/checkov/pull/6291)
- **general:** Update README links for PyPi - [#6231](https://github.com/bridgecrewio/checkov/pull/6231)
## [3.2.85](https://github.com/bridgecrewio/checkov/compare/3.2.84...3.2.85) - 2024-05-08
### Platform
- **ansible:** add missing arg to ansible runner - [#6276](https://github.com/bridgecrewio/checkov/pull/6276)
## [3.2.84](https://github.com/bridgecrewio/checkov/compare/3.2.82...3.2.84) - 2024-05-07
### Feature
- **sast:** Enable cdk ts integration test - [#6158](https://github.com/bridgecrewio/checkov/pull/6158)
### Bug Fix
- **secrets:** add files for secret to skip - [#6275](https://github.com/bridgecrewio/checkov/pull/6275)
- **terraform:** Update CKV_AWS_31 for RBAC - [#6224](https://github.com/bridgecrewio/checkov/pull/6224)
## [3.2.82](https://github.com/bridgecrewio/checkov/compare/3.2.79...3.2.82) - 2024-05-06
### Feature
- **github:** add summary message in github_failed_only output - [#6131](https://github.com/bridgecrewio/checkov/pull/6131)
- **sast:** add ts checks to python pack - [#6261](https://github.com/bridgecrewio/checkov/pull/6261)
- **sast:** run all cdk integration test - [#6256](https://github.com/bridgecrewio/checkov/pull/6256)
### Bug Fix
- **general:** fix changed serif path - [#6251](https://github.com/bridgecrewio/checkov/pull/6251)
## [3.2.79](https://github.com/bridgecrewio/checkov/compare/3.2.74...3.2.79) - 2024-05-02
### Feature
- **sast:** Add 10 TS CDK - [#6194](https://github.com/bridgecrewio/checkov/pull/6194)
- **sast:** add typescript - DONT MERGE - [#6193](https://github.com/bridgecrewio/checkov/pull/6193)
- **sast:** Filter js files generate by ts - [#6220](https://github.com/bridgecrewio/checkov/pull/6220)
- **secrets:** bump bc-detect-secrets 1.5.9 - [#6205](https://github.com/bridgecrewio/checkov/pull/6205)
- **terraform:** Add GCP policy - [#6177](https://github.com/bridgecrewio/checkov/pull/6177)
- **terraform:** Add resource attributes to jsonify - [#6203](https://github.com/bridgecrewio/checkov/pull/6203)
- **terraform:** Ensure dedicated data endpoints are enabled - [#6188](https://github.com/bridgecrewio/checkov/pull/6188)
- **terraform:** support provider in tf_plan graph - [#6195](https://github.com/bridgecrewio/checkov/pull/6195)
- **terraform:** Update CloudArmorWAFACLCVE202144228.py - [#6217](https://github.com/bridgecrewio/checkov/pull/6217)
### Bug Fix
- **general:** add print to random test - [#6229](https://github.com/bridgecrewio/checkov/pull/6229)
- **general:** fix integration test in build - [#6227](https://github.com/bridgecrewio/checkov/pull/6227)
- **general:** fix integration tests - [#6207](https://github.com/bridgecrewio/checkov/pull/6207)
- **kubernetes:** Update checkov-job.yaml - [#5985](https://github.com/bridgecrewio/checkov/pull/5985)
- **sca:** remove old test for the deprecated workflow github-action - [#6232](https://github.com/bridgecrewio/checkov/pull/6232)
- **terraform_plan:** Edges not created because of indexing in resource["address"] when resources in modules use count - [#6145](https://github.com/bridgecrewio/checkov/pull/6145)
- **terraform:** CKV_AWS_23 rule description fixed for clarity - [#5993](https://github.com/bridgecrewio/checkov/pull/5993)
- **terraform:** Fix CKV_AWS_358 to handle plan files - [#6202](https://github.com/bridgecrewio/checkov/pull/6202)
### Platform
- **ansible:** add create_definitions function for ansible framework - [#6225](https://github.com/bridgecrewio/checkov/pull/6225)
### Documentation
- **general:** Fix docs html brackets - [#6051](https://github.com/bridgecrewio/checkov/pull/6051)
- **general:** Remove Python 3.7 - [#6200](https://github.com/bridgecrewio/checkov/pull/6200)
## [3.2.74](https://github.com/bridgecrewio/checkov/compare/3.2.73...3.2.74) - 2024-04-22
### Feature
- **general:** Update range includes to handle lists of ranges and lists of values - [#6192](https://github.com/bridgecrewio/checkov/pull/6192)
## [3.2.73](https://github.com/bridgecrewio/checkov/compare/3.2.72...3.2.73) - 2024-04-21
### Feature
- **sast:** TypeScript cdk policies p7 - [#6186](https://github.com/bridgecrewio/checkov/pull/6186)
## [3.2.72](https://github.com/bridgecrewio/checkov/compare/3.2.71...3.2.72) - 2024-04-19
### Feature
- **bicep:** Add bicep version of policy - [#6191](https://github.com/bridgecrewio/checkov/pull/6191)
## [3.2.71](https://github.com/bridgecrewio/checkov/compare/3.2.70...3.2.71) - 2024-04-18
### Feature
- **sca:** support licenses custom policies enforcement rules - [#6173](https://github.com/bridgecrewio/checkov/pull/6173)
## [3.2.70](https://github.com/bridgecrewio/checkov/compare/3.2.68...3.2.70) - 2024-04-17
### Feature
- **sast:** Add 5 cdk for TS - [#6179](https://github.com/bridgecrewio/checkov/pull/6179)
### Bug Fix
- **sast:** fix skipped_checks paths before upload to the platform - [#6183](https://github.com/bridgecrewio/checkov/pull/6183)
## [3.2.68](https://github.com/bridgecrewio/checkov/compare/3.2.65...3.2.68) - 2024-04-16
### Feature
- **sast:** adding extended code block - [#6178](https://github.com/bridgecrewio/checkov/pull/6178)
- **sca:** using the new api license/get-licenses-violations instead of packages/get-licenses-violations (which is deprecated) - [#6174](https://github.com/bridgecrewio/checkov/pull/6174)
### Bug Fix
- **sca:** Revert "feat(sca): using the new api license/get-licenses-violations … - [#6176](https://github.com/bridgecrewio/checkov/pull/6176)
## [3.2.65](https://github.com/bridgecrewio/checkov/compare/3.2.63...3.2.65) - 2024-04-15
### Bug Fix
- **sast:** save suppress_comment for sast inline suppressions - [#6171](https://github.com/bridgecrewio/checkov/pull/6171)
- **secrets:** Azure Storage Key detector updates in bc-detect-secrets 1.5.7 - [#6168](https://github.com/bridgecrewio/checkov/pull/6168)
## [3.2.63](https://github.com/bridgecrewio/checkov/compare/3.2.60...3.2.63) - 2024-04-14
### Feature
- **sast:** CDK TS policies p2 - [#6165](https://github.com/bridgecrewio/checkov/pull/6165)
## [3.2.60](https://github.com/bridgecrewio/checkov/compare/3.2.55...3.2.60) - 2024-04-10
### Feature
- **sast:** Add TS CDK policies 1 - [#6151](https://github.com/bridgecrewio/checkov/pull/6151)
- **sast:** CDK TS policies p3 - [#6157](https://github.com/bridgecrewio/checkov/pull/6157)
### Bug Fix
- **terraform:** Fix conditional expression evaluation logic with compare - [#6160](https://github.com/bridgecrewio/checkov/pull/6160)
- **terraform:** Fixed flaky test for CKV_AWS_356 - [#6162](https://github.com/bridgecrewio/checkov/pull/6162)
## [3.2.55](https://github.com/bridgecrewio/checkov/compare/3.2.53...3.2.55) - 2024-04-08
### Feature
- **sast:** Adding typescript cdk part 6 paz - [#6149](https://github.com/bridgecrewio/checkov/pull/6149)
### Bug Fix
- **sca:** enabling suppression in the cli-output for IR-files and dockerfiles - [#6148](https://github.com/bridgecrewio/checkov/pull/6148)
## [3.2.53](https://github.com/bridgecrewio/checkov/compare/3.2.52...3.2.53) - 2024-04-03
### Feature
- **terraform:** support s3 bucket name for references in graph - [#6134](https://github.com/bridgecrewio/checkov/pull/6134)
## [3.2.52](https://github.com/bridgecrewio/checkov/compare/3.2.51...3.2.52) - 2024-04-03
### Feature
- **general:** Update the releases' zip file names to be generic - [#6141](https://github.com/bridgecrewio/checkov/pull/6141)
## [3.2.51](https://github.com/bridgecrewio/checkov/compare/3.2.50...3.2.51) - 2024-04-02
### Feature
- **general:** add policy metadata filter exception flag - [#6132](https://github.com/bridgecrewio/checkov/pull/6132)
## [3.2.50](https://github.com/bridgecrewio/checkov/compare/3.2.49...3.2.50) - 2024-03-31
### Bug Fix
- **general:** remove limitation of resource and provider in tf.json file - [#6133](https://github.com/bridgecrewio/checkov/pull/6133)
## [3.2.49](https://github.com/bridgecrewio/checkov/compare/3.2.47...3.2.49) - 2024-03-28
### Bug Fix
- **general:** pin the version of schema to <=0.7.5 - [#6125](https://github.com/bridgecrewio/checkov/pull/6125)
## [3.2.47](https://github.com/bridgecrewio/checkov/compare/3.2.45...3.2.47) - 2024-03-26
### Feature
- **secrets:** bump manually bc-detect-secrets - [#6120](https://github.com/bridgecrewio/checkov/pull/6120)
- **terraform:** add fix for when tf_def is a string - [#6121](https://github.com/bridgecrewio/checkov/pull/6121)
## [3.2.45](https://github.com/bridgecrewio/checkov/compare/3.2.44...3.2.45) - 2024-03-25
### Feature
- **terraform:** fix for_each resource handling - [#6119](https://github.com/bridgecrewio/checkov/pull/6119)
## [3.2.44](https://github.com/bridgecrewio/checkov/compare/3.2.43...3.2.44) - 2024-03-24
### Bug Fix
- **sca:** Fix suppression integration crashing if licenseTypes is missing - [#6117](https://github.com/bridgecrewio/checkov/pull/6117)
## [3.2.43](https://github.com/bridgecrewio/checkov/compare/3.2.42...3.2.43) - 2024-03-21
### Bug Fix
- **terraform:** Fixed bug in evaluate_conditional_expression and added zipmap support - [#6106](https://github.com/bridgecrewio/checkov/pull/6106)
## [3.2.42](https://github.com/bridgecrewio/checkov/compare/3.2.39...3.2.42) - 2024-03-20
### Feature
- **sast:** support sast skipped checks - [#6095](https://github.com/bridgecrewio/checkov/pull/6095)
### Bug Fix
- **secrets:** ignore secret check in test file - [#6105](https://github.com/bridgecrewio/checkov/pull/6105)
### Platform
- **general:** handle API errors with more detail - [#6107](https://github.com/bridgecrewio/checkov/pull/6107)
## [3.2.39](https://github.com/bridgecrewio/checkov/compare/3.2.38...3.2.39) - 2024-03-17
### Feature
- **secrets:** fix entropy detector FP - [#6090](https://github.com/bridgecrewio/checkov/pull/6090)
## [3.2.38](https://github.com/bridgecrewio/checkov/compare/3.2.37...3.2.38) - 2024-03-14
### Bug Fix
- **terraform:** prevent side effects when updating variable rendering - [#6087](https://github.com/bridgecrewio/checkov/pull/6087)
## [3.2.37](https://github.com/bridgecrewio/checkov/compare/3.2.36...3.2.37) - 2024-03-13
### Feature
- **terraform:** connect module resource to provider - [#6083](https://github.com/bridgecrewio/checkov/pull/6083)
## [3.2.36](https://github.com/bridgecrewio/checkov/compare/3.2.35...3.2.36) - 2024-03-12
### Bug Fix
- **gha:** make sure to have prisma url - [#6084](https://github.com/bridgecrewio/checkov/pull/6084)
## [3.2.35](https://github.com/bridgecrewio/checkov/compare/3.2.34...3.2.35) - 2024-03-11
### Feature
- **general:** add policy name and guidelines to CSV output - [#6082](https://github.com/bridgecrewio/checkov/pull/6082)
### Bug Fix
- **sast:** add attribute verification - [#6078](https://github.com/bridgecrewio/checkov/pull/6078)
## [3.2.34](https://github.com/bridgecrewio/checkov/compare/3.2.33...3.2.34) - 2024-03-10
### Bug Fix
- **terraform:** Don't duplicate more vertices than needed for nested modules with large count/for_each values, and use a cache to avoid extensive use of os.path.realpath, drastically improving performance - [#6072](https://github.com/bridgecrewio/checkov/pull/6072)
## [3.2.33](https://github.com/bridgecrewio/checkov/compare/3.2.32...3.2.33) - 2024-03-08
### Platform
- **general:** improve upload failure logging and log size of failed files - [#6076](https://github.com/bridgecrewio/checkov/pull/6076)
## [3.2.32](https://github.com/bridgecrewio/checkov/compare/3.2.31...3.2.32) - 2024-03-06
### Bug Fix
- **sast:** do not log warning when using skip framework - [#6066](https://github.com/bridgecrewio/checkov/pull/6066)
## [3.2.31](https://github.com/bridgecrewio/checkov/compare/3.2.28...3.2.31) - 2024-03-04
### Bug Fix
- **terraform:** better handling of interpolation rendering in conditional expressions - [#6062](https://github.com/bridgecrewio/checkov/pull/6062)
- **terraform:** Changed a couple of checks from negative to positive check, behavior is the same - [#6063](https://github.com/bridgecrewio/checkov/pull/6063)
## [3.2.28](https://github.com/bridgecrewio/checkov/compare/3.2.26...3.2.28) - 2024-02-28
### Bug Fix
- **sca:** handling unknown severity - [#6055](https://github.com/bridgecrewio/checkov/pull/6055)
- **terraform:** Add Condition exceptions CKV_AWS_70 - [#6044](https://github.com/bridgecrewio/checkov/pull/6044)
- **terraform:** Add k8s 1.29 to CKV_AWS_339 - [#6056](https://github.com/bridgecrewio/checkov/pull/6056)
## [3.2.26](https://github.com/bridgecrewio/checkov/compare/3.2.25...3.2.26) - 2024-02-26
### Bug Fix
- **sast:** fetch sast custom policies - [#6040](https://github.com/bridgecrewio/checkov/pull/6040)
## [3.2.25](https://github.com/bridgecrewio/checkov/compare/3.2.24...3.2.25) - 2024-02-25
### Feature
- **terraform:** Added support for `try` function in evaluate_terraform - [#6043](https://github.com/bridgecrewio/checkov/pull/6043)
## [3.2.24](https://github.com/bridgecrewio/checkov/compare/3.2.23...3.2.24) - 2024-02-22
### Feature
- **cloudformation:** add CFN policies for MSK - [#6021](https://github.com/bridgecrewio/checkov/pull/6021)
## [3.2.23](https://github.com/bridgecrewio/checkov/compare/3.2.22...3.2.23) - 2024-02-21
### Bug Fix
- **terraform:** support vertex reference based on foreach key - [#6039](https://github.com/bridgecrewio/checkov/pull/6039)
## [3.2.22](https://github.com/bridgecrewio/checkov/compare/3.2.21...3.2.22) - 2024-02-18
### Bug Fix
- **terraform:** CKV_AWS_308 - checked if caching was enabled and only then check for encryption of cache - [#6034](https://github.com/bridgecrewio/checkov/pull/6034)
## [3.2.21](https://github.com/bridgecrewio/checkov/compare/3.2.20...3.2.21) - 2024-02-14
### Bug Fix
- **sast:** fix cdk checks path - [#6029](https://github.com/bridgecrewio/checkov/pull/6029)
## [3.2.20](https://github.com/bridgecrewio/checkov/compare/3.2.19...3.2.20) - 2024-02-11
### Bug Fix
- **graph:** remove SCA runner v1 - re-enable - [#6024](https://github.com/bridgecrewio/checkov/pull/6024)
## [3.2.19](https://github.com/bridgecrewio/checkov/compare/3.2.17...3.2.19) - 2024-02-08
### Feature
- **general:** Implement authentication retry mechanism - [#6022](https://github.com/bridgecrewio/checkov/pull/6022)
- **sast:** add danger rule - [#6012](https://github.com/bridgecrewio/checkov/pull/6012)
## [3.2.17](https://github.com/bridgecrewio/checkov/compare/3.2.12...3.2.17) - 2024-02-07
### Bug Fix
- **general:** downgrade botocore dependency - [#6016](https://github.com/bridgecrewio/checkov/pull/6016)
- **graph:** remove SCA runner v1 - [#6005](https://github.com/bridgecrewio/checkov/pull/6005)
- **terraform:** Deleted deprecated check CKV_GCP_19 - [#6010](https://github.com/bridgecrewio/checkov/pull/6010)
## [3.2.12](https://github.com/bridgecrewio/checkov/compare/3.2.8...3.2.12) - 2024-02-06
### Bug Fix
- **general:** downgrade boto3 - [#6011](https://github.com/bridgecrewio/checkov/pull/6011)
- **terraform:** fix check CKV2_AZURE_10 - [#6009](https://github.com/bridgecrewio/checkov/pull/6009)
## [3.2.8](https://github.com/bridgecrewio/checkov/compare/3.2.7...3.2.8) - 2024-02-05
### Feature
- **secrets:** bump bc-detect-secrets to version 1.5.4 - [#5998](https://github.com/bridgecrewio/checkov/pull/5998)
## [3.2.7](https://github.com/bridgecrewio/checkov/compare/3.2.3...3.2.7) - 2024-02-04
### Feature
- **azure:** create arm check StorageAccountMinimumTlsVersion CKV_AZURE_236 - [#5986](https://github.com/bridgecrewio/checkov/pull/5986)
- **sast:** add dataflow to output - [#5987](https://github.com/bridgecrewio/checkov/pull/5987)
### Bug Fix
- **terraform:** Correctly replace foreach_value inside _update_attributes for complex cases - [#5994](https://github.com/bridgecrewio/checkov/pull/5994)
## [3.2.3](https://github.com/bridgecrewio/checkov/compare/3.2.2...3.2.3) - 2024-01-31
### Bug Fix
- **terraform:** find explicit lockout fail actions for s3 - [#5943](https://github.com/bridgecrewio/checkov/pull/5943)
## [3.2.2](https://github.com/bridgecrewio/checkov/compare/3.2.1...3.2.2) - 2024-01-30
### Feature
- **sca:** persist support logs for sub processes - [#5988](https://github.com/bridgecrewio/checkov/pull/5988)
## [3.2.1](https://github.com/bridgecrewio/checkov/compare/3.2.0...3.2.1) - 2024-01-29
### Bug Fix
- **sast:** summarize errors - [#5977](https://github.com/bridgecrewio/checkov/pull/5977)
## [3.2.0](https://github.com/bridgecrewio/checkov/compare/3.1.70...3.2.0) - 2024-01-28
### Bug Fix
- **terraform:** and cdk/cloudformation: inconsistent naming of AWS resources in checks - [#5966](https://github.com/bridgecrewio/checkov/pull/5966)
### Platform
- **general:** remove igraph - [#5781](https://github.com/bridgecrewio/checkov/pull/5781)
## [3.1.70](https://github.com/bridgecrewio/checkov/compare/3.1.69...3.1.70) - 2024-01-24
### Bug Fix
- **terraform:** Manually fixed test for loading terraform registry to be with commit hash instead of version tag - [#5971](https://github.com/bridgecrewio/checkov/pull/5971)
## [3.1.69](https://github.com/bridgecrewio/checkov/compare/3.1.67...3.1.69) - 2024-01-22
### Bug Fix
- **sast:** replaced TBD with owasp and removed "sast engine" - [#5959](https://github.com/bridgecrewio/checkov/pull/5959)
- **terraform:** External module test - [#5963](https://github.com/bridgecrewio/checkov/pull/5963)
## [3.1.67](https://github.com/bridgecrewio/checkov/compare/3.1.66...3.1.67) - 2024-01-18
### Feature
- **sast:** Add policies to executable - [#5955](https://github.com/bridgecrewio/checkov/pull/5955)
## [3.1.66](https://github.com/bridgecrewio/checkov/compare/3.1.63...3.1.66) - 2024-01-17
### Bug Fix
- **sast:** change the path for taint mode match - [#5953](https://github.com/bridgecrewio/checkov/pull/5953)
- **sast:** fix report with only reachability - [#5951](https://github.com/bridgecrewio/checkov/pull/5951)
### Platform
- **general:** Change SAST enforcement rule to weaknesses - [#5950](https://github.com/bridgecrewio/checkov/pull/5950)
- **general:** handle weaknesses rename - [#5954](https://github.com/bridgecrewio/checkov/pull/5954)
## [3.1.63](https://github.com/bridgecrewio/checkov/compare/3.1.61...3.1.63) - 2024-01-16
### Bug Fix
- **sast:** Fix serialize for sast report with taint mode - [#5949](https://github.com/bridgecrewio/checkov/pull/5949)
## [3.1.61](https://github.com/bridgecrewio/checkov/compare/3.1.60...3.1.61) - 2024-01-15
### Bug Fix
- **general:** allow colorama version >=0.4.3,<0.5.0 in setup - [#5944](https://github.com/bridgecrewio/checkov/pull/5944)
## [3.1.60](https://github.com/bridgecrewio/checkov/compare/3.1.57...3.1.60) - 2024-01-14
### Bug Fix
- **sast:** fix relative paths in sast cdk reports - [#5932](https://github.com/bridgecrewio/checkov/pull/5932)
- **sast:** fix sast cdk code location paths - [#5938](https://github.com/bridgecrewio/checkov/pull/5938)
- **terraform:** CKV_GCP_79 Upgrade CloudSQL SQLSERVER major version to 2022 - [#5936](https://github.com/bridgecrewio/checkov/pull/5936)
- **terraform:** Improved bad performance pathlib check - [#5939](https://github.com/bridgecrewio/checkov/pull/5939)
## [3.1.57](https://github.com/bridgecrewio/checkov/compare/3.1.55...3.1.57) - 2024-01-10
### Bug Fix
- **general:** fix multiprocess abilities - [#5887](https://github.com/bridgecrewio/checkov/pull/5887)
- **general:** fixing hidden dependencies & state breaking tests - [#5911](https://github.com/bridgecrewio/checkov/pull/5911)
- **general:** Reenabling cdk-integration-tests - [#5922](https://github.com/bridgecrewio/checkov/pull/5922)
## [3.1.55](https://github.com/bridgecrewio/checkov/compare/3.1.54...3.1.55) - 2024-01-08
### Bug Fix
- **terraform:** Support "pass_prefix_list" for SG ingress rules correctly - [#5918](https://github.com/bridgecrewio/checkov/pull/5918)
## [3.1.54](https://github.com/bridgecrewio/checkov/compare/3.1.53...3.1.54) - 2024-01-05
### Bug Fix
- **general:** temporary disable runtime config - [#5921](https://github.com/bridgecrewio/checkov/pull/5921)
## [3.1.53](https://github.com/bridgecrewio/checkov/compare/3.1.51...3.1.53) - 2024-01-04
### Feature
- **terraform:** node pools should be configured separately from a cl… - [#5916](https://github.com/bridgecrewio/checkov/pull/5916)
### Bug Fix
- **terraform:** handle no action in aws_dlm_lifecycle_policy - [#5905](https://github.com/bridgecrewio/checkov/pull/5905)
## [3.1.51](https://github.com/bridgecrewio/checkov/compare/3.1.50...3.1.51) - 2024-01-03
- no noteworthy changes
## [3.1.50](https://github.com/bridgecrewio/checkov/compare/3.1.46...3.1.50) - 2023-12-31
### Feature
- **sast:** Add sast metadata to sast report - [#5910](https://github.com/bridgecrewio/checkov/pull/5910)
- **terraform:** Add various vertex related policies - [#5898](https://github.com/bridgecrewio/checkov/pull/5898)
### Bug Fix
- **sast:** persist empty sast report for cdk - [#5909](https://github.com/bridgecrewio/checkov/pull/5909)
- **terraform:** Fix typo Customer Managed Key - [#5900](https://github.com/bridgecrewio/checkov/pull/5900)
## [3.1.46](https://github.com/bridgecrewio/checkov/compare/3.1.44...3.1.46) - 2023-12-28
### Feature
- **terraform:** CLI output - add indication if repository was discovered In a running environment - [#5908](https://github.com/bridgecrewio/checkov/pull/5908)
### Bug Fix
- **sast:** add missing field in MatchMetadata - [#5907](https://github.com/bridgecrewio/checkov/pull/5907)
## [3.1.44](https://github.com/bridgecrewio/checkov/compare/3.1.43...3.1.44) - 2023-12-26
### Feature
- **sast:** add dataflow to checkov report from sast - [#5892](https://github.com/bridgecrewio/checkov/pull/5892)
## [3.1.43](https://github.com/bridgecrewio/checkov/compare/3.1.42...3.1.43) - 2023-12-24
### Feature
- **terraform:** add CKV2_AZURE_47, ensure storage account is configured without blob anonymous access - [#5888](https://github.com/bridgecrewio/checkov/pull/5888)
- **terraform:** Ensure SES Configuration Set enforces TLS usage - [#5891](https://github.com/bridgecrewio/checkov/pull/5891)
### Bug Fix
- **terraform:** pod security policy removed in GKE 1.25 - [#5675](https://github.com/bridgecrewio/checkov/pull/5675)
## [3.1.42](https://github.com/bridgecrewio/checkov/compare/3.1.40...3.1.42) - 2023-12-22
### Feature
- **sast:** Split sast and cdk reports - [#5889](https://github.com/bridgecrewio/checkov/pull/5889)
### Bug Fix
- **terraform:** Fix CKV_AZURE_234 - [#5886](https://github.com/bridgecrewio/checkov/pull/5886)
## [3.1.40](https://github.com/bridgecrewio/checkov/compare/3.1.38...3.1.40) - 2023-12-19
### Feature
- **terraform_plan:** Add PY graph checks for tf plan - [#5875](https://github.com/bridgecrewio/checkov/pull/5875)
### Bug Fix
- **terraform:** Remove CKV_AWS_188 as dupe - [#5884](https://github.com/bridgecrewio/checkov/pull/5884)
## [3.1.38](https://github.com/bridgecrewio/checkov/compare/3.1.34...3.1.38) - 2023-12-13
### Feature
- **sast:** add integration test platform report - [#5856](https://github.com/bridgecrewio/checkov/pull/5856)
- **sast:** python Cdk policies batch 3 - [#5820](https://github.com/bridgecrewio/checkov/pull/5820)
- **sast:** python Cdk policies batch 4 - [#5857](https://github.com/bridgecrewio/checkov/pull/5857)
### Bug Fix
- **sast:** add save local sast report to run integration script - [#5863](https://github.com/bridgecrewio/checkov/pull/5863)
## [3.1.34](https://github.com/bridgecrewio/checkov/compare/3.1.33...3.1.34) - 2023-12-12
### Feature
- **terraform:** Used parallel run to run all split_graph iterations - [#5840](https://github.com/bridgecrewio/checkov/pull/5840)
## [3.1.33](https://github.com/bridgecrewio/checkov/compare/3.1.29...3.1.33) - 2023-12-11
### Feature
- **general:** anchor cyclonedx to last non breaking version - [#5846](https://github.com/bridgecrewio/checkov/pull/5846)
- **general:** Revert pipfile lock changes - [#5848](https://github.com/bridgecrewio/checkov/pull/5848)
- **sast:** add back commented checks - [#5851](https://github.com/bridgecrewio/checkov/pull/5851)
### Bug Fix
- **sast:** fix reachability with no regular matches - [#5847](https://github.com/bridgecrewio/checkov/pull/5847)
- **sca:** not printing reachability data for lines without cves - [#5849](https://github.com/bridgecrewio/checkov/pull/5849)
## [3.1.29](https://github.com/bridgecrewio/checkov/compare/3.1.27...3.1.29) - 2023-12-10
### Feature
- **terraform:** fix for check VPCPeeringRouteTableOverlyPermissive and add tests - [#5837](https://github.com/bridgecrewio/checkov/pull/5837)
### Bug Fix
- **sast:** fix sast report format - [#5811](https://github.com/bridgecrewio/checkov/pull/5811)
## [3.1.27](https://github.com/bridgecrewio/checkov/compare/3.1.26...3.1.27) - 2023-12-07
### Feature
- **secrets:** used 10 characters in secret violation - [#5835](https://github.com/bridgecrewio/checkov/pull/5835)
## [3.1.26](https://github.com/bridgecrewio/checkov/compare/3.1.24...3.1.26) - 2023-12-06
### Bug Fix
- **general:** check both path types for suppression - [#5834](https://github.com/bridgecrewio/checkov/pull/5834)
- **terraform:** Fix range issue in OCI RDP check - [#5832](https://github.com/bridgecrewio/checkov/pull/5832)
## [3.1.24](https://github.com/bridgecrewio/checkov/compare/3.1.21...3.1.24) - 2023-12-05
### Bug Fix
- **sca:** Update the log level of specific logs - [#5828](https://github.com/bridgecrewio/checkov/pull/5828)
- **terraform:** CKV_GCP_26 Added additional google_compute_subnetwork purposes that do not support flow logs - [#5812](https://github.com/bridgecrewio/checkov/pull/5812)
- **terraform:** Fix CKV_GCP_30 for unknown service account - [#5818](https://github.com/bridgecrewio/checkov/pull/5818)
- **terraform:** Fixed to_dict of terraform block regarding source_module_object - [#5822](https://github.com/bridgecrewio/checkov/pull/5822)
## [3.1.21](https://github.com/bridgecrewio/checkov/compare/3.1.20...3.1.21) - 2023-12-04
### Feature
- **ansible:** add CKV_PAN_17 - Check for src and dst zone any - [#5803](https://github.com/bridgecrewio/checkov/pull/5803)
- **sast:** sast enabled from integration - [#5780](https://github.com/bridgecrewio/checkov/pull/5780)
- **terraform:** Adding Python based build time policies for corresponding PC runtime policies - [#5762](https://github.com/bridgecrewio/checkov/pull/5762)
- **terraform:** Adding YAML based build time policies for corresponding PC runtime policies - [#5810](https://github.com/bridgecrewio/checkov/pull/5810)
## [3.1.20](https://github.com/bridgecrewio/checkov/compare/3.1.19...3.1.20) - 2023-11-30
### Platform
- **general:** handle the updated on prem response from the platform - [#5809](https://github.com/bridgecrewio/checkov/pull/5809)
## [3.1.19](https://github.com/bridgecrewio/checkov/compare/3.1.18...3.1.19) - 2023-11-29
### Feature
- **sca:** Using alias data from assets.json for giving Package Used indication for aliased packages - [#5808](https://github.com/bridgecrewio/checkov/pull/5808)
## [3.1.18](https://github.com/bridgecrewio/checkov/compare/3.1.17...3.1.18) - 2023-11-28
### Bug Fix
- **terraform:** Add source_module_object to blocks from_dict func - [#5806](https://github.com/bridgecrewio/checkov/pull/5806)
## [3.1.17](https://github.com/bridgecrewio/checkov/compare/3.1.15...3.1.17) - 2023-11-27
### Feature
- **ansible:** PAN-OS IPsec checks - [#5802](https://github.com/bridgecrewio/checkov/pull/5802)
## [3.1.15](https://github.com/bridgecrewio/checkov/compare/3.1.11...3.1.15) - 2023-11-26
### Feature
- **ansible:** add CKV_PAN_16 PAN-OS BPA Check for session log at start - [#5794](https://github.com/bridgecrewio/checkov/pull/5794)
- **sast:** Add alias data to imports assets - [#5788](https://github.com/bridgecrewio/checkov/pull/5788)
### Bug Fix
- **bicep:** Update AppServiceHttps20Enabled to consider newer ApiVersion - [#5795](https://github.com/bridgecrewio/checkov/pull/5795)
## [3.1.11](https://github.com/bridgecrewio/checkov/compare/3.1.9...3.1.11) - 2023-11-23
### Bug Fix
- **general:** Policy metadata API fixes - [#5761](https://github.com/bridgecrewio/checkov/pull/5761)
## [3.1.9](https://github.com/bridgecrewio/checkov/compare/3.1.4...3.1.9) - 2023-11-21
### Bug Fix
- **gha:** Update GitHub Actions Workflow Schema #5742 - [#5759](https://github.com/bridgecrewio/checkov/pull/5759)
- **terraform_plan:** load terraform registry checks when using terraform plan - [#5778](https://github.com/bridgecrewio/checkov/pull/5778)
- **terraform:** Ensure HTTPS in Azure Function App and App Slots - [#5766](https://github.com/bridgecrewio/checkov/pull/5766)
### Platform
- **general:** do not display an auth error when the runconfig endpoint returns a 500 - [#5779](https://github.com/bridgecrewio/checkov/pull/5779)
## [3.1.4](https://github.com/bridgecrewio/checkov/compare/3.0.40...3.1.4) - 2023-11-20
### Breaking Change
- **general:** set default parallelization type to spawn and leverage Terraform downloaded module by default - [#5760](https://github.com/bridgecrewio/checkov/pull/5760)
### Feature
- **terraform:** Ensure ACR is zone-redundant - [#5748](https://github.com/bridgecrewio/checkov/pull/5748)
### Bug Fix
- **general:** Revert parallelization commit - [#5777](https://github.com/bridgecrewio/checkov/pull/5777)
- **sast:** remove SAST frameworks for OSS users - [#5773](https://github.com/bridgecrewio/checkov/pull/5773)
- **secrets:** don't reinitialize the upload client without API key usage - [#5771](https://github.com/bridgecrewio/checkov/pull/5771)
### Documentation
- **general:** properly escape CLI flags in the CLI command docs - [#5768](https://github.com/bridgecrewio/checkov/pull/5768)
## [3.0.40](https://github.com/bridgecrewio/checkov/compare/3.0.38...3.0.40) - 2023-11-19
### Bug Fix
- **terraform_plan:** TF plan resources connection fix - [#5767](https://github.com/bridgecrewio/checkov/pull/5767)
## [3.0.38](https://github.com/bridgecrewio/checkov/compare/3.0.37...3.0.38) - 2023-11-16
### Feature
- **terraform:** Adding YAML based build time policies for corresponding PC runtime policies - [#5714](https://github.com/bridgecrewio/checkov/pull/5714)
## [3.0.37](https://github.com/bridgecrewio/checkov/compare/3.0.36...3.0.37) - 2023-11-15
### Bug Fix
- **terraform:** fix valid value for aws keyspaces_table encryption_specification type - [#5756](https://github.com/bridgecrewio/checkov/pull/5756)
## [3.0.36](https://github.com/bridgecrewio/checkov/compare/3.0.34...3.0.36) - 2023-11-14
### Bug Fix
- **terraform:** check min TLS version also on azure app slots - [#5753](https://github.com/bridgecrewio/checkov/pull/5753)
## [3.0.34](https://github.com/bridgecrewio/checkov/compare/3.0.32...3.0.34) - 2023-11-12
### Feature
- **general:** add possibility to change parallelization type - [#5737](https://github.com/bridgecrewio/checkov/pull/5737)
### Bug Fix
- **cloudformation:** ignore unresolved references in CKV_AWS_45 - [#5747](https://github.com/bridgecrewio/checkov/pull/5747)
## [3.0.32](https://github.com/bridgecrewio/checkov/compare/3.0.28...3.0.32) - 2023-11-09
### Feature
- **sast:** Python cdk policies batch 2 - [#5725](https://github.com/bridgecrewio/checkov/pull/5725)
### Bug Fix
- **general:** add option to pass `--skip-download` with github-action - [#5734](https://github.com/bridgecrewio/checkov/pull/5734)
### Platform
- **general:** print the log upload location if the --support flag is used - [#5738](https://github.com/bridgecrewio/checkov/pull/5738)
## [3.0.28](https://github.com/bridgecrewio/checkov/compare/3.0.25...3.0.28) - 2023-11-08
### Bug Fix
- **terraform:** Adding both azurerm_linux_web_app_slot & azurerm_windows_web_app_slot in scope of the test CKV_AZURE_153 - [#5687](https://github.com/bridgecrewio/checkov/pull/5687)
### Documentation
- **general:** Replace references to Bridgecrew with Prisma Cloud - [#5704](https://github.com/bridgecrewio/checkov/pull/5704)
## [3.0.25](https://github.com/bridgecrewio/checkov/compare/3.0.24...3.0.25) - 2023-11-07
### Bug Fix
- **general:** do not require a repo ID when using an API key and --list - [#5726](https://github.com/bridgecrewio/checkov/pull/5726)
## [3.0.24](https://github.com/bridgecrewio/checkov/compare/3.0.21...3.0.24) - 2023-11-06
### Feature
- **sast:** add new python CDK policies - [#5706](https://github.com/bridgecrewio/checkov/pull/5706)
- **terraform:** Ensure that only critical system pods run on system nodes - [#5665](https://github.com/bridgecrewio/checkov/pull/5665)
## [3.0.21](https://github.com/bridgecrewio/checkov/compare/3.0.19...3.0.21) - 2023-11-05
### Feature
- **terraform:** Ensure App Service Environment is zone redundant - [#5662](https://github.com/bridgecrewio/checkov/pull/5662)
- **terraform:** Ensure that Standard Replication is enabled - [#5649](https://github.com/bridgecrewio/checkov/pull/5649)
### Bug Fix
- **sca:** Setting only relevant cves for the extracted reachable functions with risk factor of ReachableFunction as True - [#5715](https://github.com/bridgecrewio/checkov/pull/5715)
- **terraform:** CKV_AWS_208 valid Amazon MQ versions - [#5653](https://github.com/bridgecrewio/checkov/pull/5653)
## [3.0.19](https://github.com/bridgecrewio/checkov/compare/3.0.16...3.0.19) - 2023-11-02
### Feature
- **sca:** adjusting the cli-output to support indicating of reachable functions - [#5713](https://github.com/bridgecrewio/checkov/pull/5713)
- **terraform:** Adding YAML based build time policies for corresponding PC runtime policies - [#5637](https://github.com/bridgecrewio/checkov/pull/5637)
- **terraform:** bigtable deletion protection [depends on #5625] - [#5626](https://github.com/bridgecrewio/checkov/pull/5626)
- **terraform:** drop and deletion checks for spanner - [#5625](https://github.com/bridgecrewio/checkov/pull/5625)
### Bug Fix
- **sast:** add cveid to reachability report - [#5708](https://github.com/bridgecrewio/checkov/pull/5708)
## [3.0.16](https://github.com/bridgecrewio/checkov/compare/3.0.15...3.0.16) - 2023-11-01
### Feature
- **sca:** Extending reachability post-runner in checkov and enriching cves with ReachableFunction data - [#5707](https://github.com/bridgecrewio/checkov/pull/5707)
## [3.0.15](https://github.com/bridgecrewio/checkov/compare/3.0.14...3.0.15) - 2023-10-31
### Bug Fix
- **general:** fix duplicate components in CycloneDX report - [#5705](https://github.com/bridgecrewio/checkov/pull/5705)
## [3.0.14](https://github.com/bridgecrewio/checkov/compare/3.0.13...3.0.14) - 2023-10-30
### Bug Fix
- **general:** address python 3.12 SyntaxWarning - [#5699](https://github.com/bridgecrewio/checkov/pull/5699)
- **terraform:** fix variable rendering for foreach resources with dot included names - [#5701](https://github.com/bridgecrewio/checkov/pull/5701)
## [3.0.13](https://github.com/bridgecrewio/checkov/compare/3.0.12...3.0.13) - 2023-10-29
### Bug Fix
- **sast:** comment out SAST JS integration test - [#5697](https://github.com/bridgecrewio/checkov/pull/5697)
## [3.0.12](https://github.com/bridgecrewio/checkov/compare/3.0.7...3.0.12) - 2023-10-26
### Bug Fix
- **general:** Fix sast & cdk integration tests - [#5688](https://github.com/bridgecrewio/checkov/pull/5688)
- **sast:** Adding exit code in sast integration test - [#5690](https://github.com/bridgecrewio/checkov/pull/5690)
- **sast:** adjust SAST file pattern search - [#5694](https://github.com/bridgecrewio/checkov/pull/5694)
- **sast:** fix sast reachability report format - [#5686](https://github.com/bridgecrewio/checkov/pull/5686)
- **terraform:** Fixing the typo within the name of the Terraform check CKV_AZURE_158 - [#5696](https://github.com/bridgecrewio/checkov/pull/5696)
### Platform
- **general:** Do not crash the run if S3 integration fails during setup, upload, or finalize - [#5691](https://github.com/bridgecrewio/checkov/pull/5691)
## [3.0.7](https://github.com/bridgecrewio/checkov/compare/3.0.4...3.0.7) - 2023-10-25
### Bug Fix
- **secrets:** fix secret FP of client_secret_setting_name - [#5679](https://github.com/bridgecrewio/checkov/pull/5679)
### Platform
- **general:** Add SAST enforcement rules and check severity thresholds - [#5684](https://github.com/bridgecrewio/checkov/pull/5684)
- **general:** do not get fixes for on prem integrations - [#5668](https://github.com/bridgecrewio/checkov/pull/5668)
## [3.0.4](https://github.com/bridgecrewio/checkov/compare/2.5.18...3.0.4) - 2023-10-24
### Breaking Change
- **general:** remove level up flow - [#5677](https://github.com/bridgecrewio/checkov/pull/5677)
- **general:** remove multi_signature and adjust base check classes - [#5645](https://github.com/bridgecrewio/checkov/pull/5645)
- **general:** v3 release - [#5681](https://github.com/bridgecrewio/checkov/pull/5681)
### Bug Fix
- **sast:** fix error logs coming from SAST - [#5685](https://github.com/bridgecrewio/checkov/pull/5685)
### Documentation
- **general:** add BC token deprecation notice and v3 migration guide - [#5644](https://github.com/bridgecrewio/checkov/pull/5644)
## [2.5.18](https://github.com/bridgecrewio/checkov/compare/2.5.15...2.5.18) - 2023-10-22
### Feature
- **general:** Adds GHA support for skip-frameworks, skip-cve-package & output-bc-ids flags - [#5619](https://github.com/bridgecrewio/checkov/pull/5619)
- **terraform:** Ensure that the SQL database is zone-redundant - [#5540](https://github.com/bridgecrewio/checkov/pull/5540)
- **terraform:** Ensure the Azure Event Hub Namespace is zone redundant - [#5538](https://github.com/bridgecrewio/checkov/pull/5538)
### Bug Fix
- **bicep:** enforce encryption flag to be string for CKV_AZURE_97 - [#5669](https://github.com/bridgecrewio/checkov/pull/5669)
- **terraform_plan:** Add provisioners to TF Plan parser - [#5622](https://github.com/bridgecrewio/checkov/pull/5622)
## [2.5.15](https://github.com/bridgecrewio/checkov/compare/2.5.13...2.5.15) - 2023-10-19
### Feature
- **terraform:** Support for merge func inside jsondecode - [#5656](https://github.com/bridgecrewio/checkov/pull/5656)
### Bug Fix
- **sca:** make the abs path correct - [#5660](https://github.com/bridgecrewio/checkov/pull/5660)
## [2.5.13](https://github.com/bridgecrewio/checkov/compare/2.5.11...2.5.13) - 2023-10-18
### Feature
- **arm:** implement CKV_AZURE_103 for ARM - [#5527](https://github.com/bridgecrewio/checkov/pull/5527)
- **arm:** implement CKV_AZURE_96 for ARM - [#5506](https://github.com/bridgecrewio/checkov/pull/5506)
- **arm:** implement CKV_AZURE_97 for ARM - [#5515](https://github.com/bridgecrewio/checkov/pull/5515)
### Bug Fix
- **terraform:** Added a check to make sure dynamic "blocks" are of the expected type - [#5642](https://github.com/bridgecrewio/checkov/pull/5642)
- **terraform:** update CKV_AWS_339 valid EKS versions - [#5652](https://github.com/bridgecrewio/checkov/pull/5652)
## [2.5.11](https://github.com/bridgecrewio/checkov/compare/2.5.10...2.5.11) - 2023-10-17
### Feature
- **sca:** give the file path relative to the current dir when neither a root_folder nor a repo scan dir is specified - [#5654](https://github.com/bridgecrewio/checkov/pull/5654)
## [2.5.10](https://github.com/bridgecrewio/checkov/compare/2.5.9...2.5.10) - 2023-10-16
### Feature
- **terraform:** support scanning of Terraform managed modules instead of downloading them - [#5635](https://github.com/bridgecrewio/checkov/pull/5635)
### Bug Fix
- **terraform:** Fixing issues with checks CKV_AZURE_226 & CKV_AZURE_227 - [#5638](https://github.com/bridgecrewio/checkov/pull/5638)
## [2.5.9](https://github.com/bridgecrewio/checkov/compare/2.5.8...2.5.9) - 2023-10-15
### Feature
- **sca:** support case where there are no cves suppressions - [#5636](https://github.com/bridgecrewio/checkov/pull/5636)
## [2.5.8](https://github.com/bridgecrewio/checkov/compare/2.5.6...2.5.8) - 2023-10-12
### Feature
- **general:** Remove code upload for on-prem integrations - [#5624](https://github.com/bridgecrewio/checkov/pull/5624)
## [2.5.6](https://github.com/bridgecrewio/checkov/compare/2.5.3...2.5.6) - 2023-10-05
### Feature
- **arm:** implement CKV_AZURE_95 for ARM - [#5500](https://github.com/bridgecrewio/checkov/pull/5500)
- **general:** Added source and target to edge data - [#5621](https://github.com/bridgecrewio/checkov/pull/5621)
### Bug Fix
- **terraform_plan:** add azurerm_portal_dashboard to jsonify list - [#5618](https://github.com/bridgecrewio/checkov/pull/5618)
- **terraform:** check if the dynamic name is one of the resources block - [#5607](https://github.com/bridgecrewio/checkov/pull/5607)
## [2.5.3](https://github.com/bridgecrewio/checkov/compare/2.4.61...2.5.3) - 2023-10-04
### Breaking Change
- **general:** remove Python 3.7 - [#5605](https://github.com/bridgecrewio/checkov/pull/5605)
- **graph:** remove CHECKOV_CREATE_GRAPH env var to control graph creation - [#5606](https://github.com/bridgecrewio/checkov/pull/5606)
### Bug Fix
- **dockerfile:** fix Docker image scan - [#5617](https://github.com/bridgecrewio/checkov/pull/5617)
- **openapi:** Take into account that security is at the root level of your OpenAPI specification. - [#5603](https://github.com/bridgecrewio/checkov/pull/5603)
- **terraform:** stop CKV_GCP_43 crashing when not a string - [#5561](https://github.com/bridgecrewio/checkov/pull/5561)
## [2.4.61](https://github.com/bridgecrewio/checkov/compare/2.4.59...2.4.61) - 2023-10-03
### Bug Fix
- **terraform:** fix upload resource_subgraph_maps - [#5615](https://github.com/bridgecrewio/checkov/pull/5615)
### Platform
- **terraform:** Upload resource subgraph map - [#5612](https://github.com/bridgecrewio/checkov/pull/5612)
## [2.4.59](https://github.com/bridgecrewio/checkov/compare/2.4.58...2.4.59) - 2023-10-02
### Platform
- **terraform:** fix in subgraphs uploads - [#5610](https://github.com/bridgecrewio/checkov/pull/5610)
## [2.4.58](https://github.com/bridgecrewio/checkov/compare/2.4.57...2.4.58) - 2023-10-01
### Platform
- **terraform:** upload tf sub graphs - [#5596](https://github.com/bridgecrewio/checkov/pull/5596)
## [2.4.57](https://github.com/bridgecrewio/checkov/compare/2.4.55...2.4.57) - 2023-09-29
### Feature
- **terraform:** Ensure ephemeral disks are used for OS disks - [#5584](https://github.com/bridgecrewio/checkov/pull/5584)
- **terraform:** Ensure that App Service plan is zone redundant - [#5577](https://github.com/bridgecrewio/checkov/pull/5577)
- **terraform:** Ensure that the AKS cluster encrypts temp disks, caches, and data flows between Compute and Storage resources - [#5588](https://github.com/bridgecrewio/checkov/pull/5588)
## [2.4.55](https://github.com/bridgecrewio/checkov/compare/2.4.51...2.4.55) - 2023-09-28
### Feature
- **general:** Add image referencer rustworkx support - [#5564](https://github.com/bridgecrewio/checkov/pull/5564)
- **general:** Add rustworkx support - [#5595](https://github.com/bridgecrewio/checkov/pull/5595)
- **terraform:** Adding 2 new AWS policies - [#5599](https://github.com/bridgecrewio/checkov/pull/5599)
- **terraform:** simplify IMDSv2 checks - [#5601](https://github.com/bridgecrewio/checkov/pull/5601)
## [2.4.51](https://github.com/bridgecrewio/checkov/compare/2.4.50...2.4.51) - 2023-09-27
### Feature
- **arm:** CKV_AZURE_88 convert to arm check - [#5465](https://github.com/bridgecrewio/checkov/pull/5465)
- **arm:** implement CKV_AZURE_149 for ARM - [#5496](https://github.com/bridgecrewio/checkov/pull/5496)
### Bug Fix
- **terraform:** Adding missing null checks - [#5589](https://github.com/bridgecrewio/checkov/pull/5589)
## [2.4.50](https://github.com/bridgecrewio/checkov/compare/2.4.48...2.4.50) - 2023-09-26
### Feature
- **general:** add rustworkx (#5511) - [#5565](https://github.com/bridgecrewio/checkov/pull/5565)
- **general:** Revert "add rustworkx (#5565)" - [#5594](https://github.com/bridgecrewio/checkov/pull/5594)
## [2.4.48](https://github.com/bridgecrewio/checkov/compare/2.4.47...2.4.48) - 2023-09-21
### Platform
- **general:** expose retry and timeout configuration for interaction with the platform - [#5585](https://github.com/bridgecrewio/checkov/pull/5585)
## [2.4.47](https://github.com/bridgecrewio/checkov/compare/2.4.39...2.4.47) - 2023-09-20
### Feature
- **sca:** creating alias mapping for javascript - [#5567](https://github.com/bridgecrewio/checkov/pull/5567)
- **sca:** creating alias mapping for javascript - [#5582](https://github.com/bridgecrewio/checkov/pull/5582)
- **sca:** revert creating alias mapping for javascript - [#5581](https://github.com/bridgecrewio/checkov/pull/5581)
### Bug Fix
- **general:** fix print to encode in windows - [#5572](https://github.com/bridgecrewio/checkov/pull/5572)
- **terraform:** Nested source_module_objects with missing foreach key - [#5580](https://github.com/bridgecrewio/checkov/pull/5580)
## [2.4.39](https://github.com/bridgecrewio/checkov/compare/2.4.36...2.4.39) - 2023-09-14
### Feature
- **arm:** implement CKV2_AZURE_27 for arm - [#5534](https://github.com/bridgecrewio/checkov/pull/5534)
- **terraform:** Add new policy for deprecated runtimes - [#5555](https://github.com/bridgecrewio/checkov/pull/5555)
- **terraform:** Ensure Event Hub Namespace uses at least TLS 1.2 - [#5535](https://github.com/bridgecrewio/checkov/pull/5535)
- **terraform:** Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity - [#5541](https://github.com/bridgecrewio/checkov/pull/5541)
## [2.4.36](https://github.com/bridgecrewio/checkov/compare/2.4.33...2.4.36) - 2023-09-13
### Feature
- **general:** add rustworkx - [#5511](https://github.com/bridgecrewio/checkov/pull/5511)
### Bug Fix
- **terraform:** Module from_dict func to static func - [#5562](https://github.com/bridgecrewio/checkov/pull/5562)
## [2.4.33](https://github.com/bridgecrewio/checkov/compare/2.4.32...2.4.33) - 2023-09-12
### Feature
- **general:** attempt to fix overload in loaders and add tests - [#5549](https://github.com/bridgecrewio/checkov/pull/5549)
- **general:** remove 3.7 integ. test - [#5556](https://github.com/bridgecrewio/checkov/pull/5556)
- **general:** remove line to force code change - [#5558](https://github.com/bridgecrewio/checkov/pull/5558)
- **terraform:** add check that Neptune DB clusters are configured to copy tags to snapshots - [#5552](https://github.com/bridgecrewio/checkov/pull/5552)
- **terraform:** add CKV_AWS_361 to ensure Neptune DB cluster has adequate backup retention - [#5548](https://github.com/bridgecrewio/checkov/pull/5548)
### Bug Fix
- **terraform:** Fix external_modules_source_map serialization - [#5546](https://github.com/bridgecrewio/checkov/pull/5546)
## [2.4.32](https://github.com/bridgecrewio/checkov/compare/2.4.30...2.4.32) - 2023-09-10
### Feature
- **terraform:** add check for Neptune DB clusters IAM database auth enabled - [#5545](https://github.com/bridgecrewio/checkov/pull/5545)
- **terraform:** add CKV_AWS_360 to ensure backup retention period on AWS Document DB - [#5547](https://github.com/bridgecrewio/checkov/pull/5547)
## [2.4.30](https://github.com/bridgecrewio/checkov/compare/2.4.29...2.4.30) - 2023-09-07
### Feature
- **terraform:** add public network checks for Azure Function and Web Apps - [#5533](https://github.com/bridgecrewio/checkov/pull/5533)
## [2.4.29](https://github.com/bridgecrewio/checkov/compare/2.4.27...2.4.29) - 2023-09-06
### Feature
- **arm:** Implement CKV_AZURE_111 in ARM - [#5528](https://github.com/bridgecrewio/checkov/pull/5528)
- **arm:** implement CKV_AZURE_134 for ARM - [#5518](https://github.com/bridgecrewio/checkov/pull/5518)
- **arm:** implement CKV_AZURE_160 for arm - [#5526](https://github.com/bridgecrewio/checkov/pull/5526)
- **arm:** implement CKV_AZURE_89 for ARM - [#5529](https://github.com/bridgecrewio/checkov/pull/5529)
### Bug Fix
- **terraform:** CKV_AWS_208 bug fix - [#5512](https://github.com/bridgecrewio/checkov/pull/5512)
## [2.4.27](https://github.com/bridgecrewio/checkov/compare/2.4.25...2.4.27) - 2023-09-05
### Feature
- **general:** Check module download - [#5525](https://github.com/bridgecrewio/checkov/pull/5525)
- **general:** Check module download and quit on failure - [#5523](https://github.com/bridgecrewio/checkov/pull/5523)
## [2.4.25](https://github.com/bridgecrewio/checkov/compare/2.4.22...2.4.25) - 2023-09-03
### Feature
- **arm:** Implement CKV_AZURE_101 for ARM - [#5516](https://github.com/bridgecrewio/checkov/pull/5516)
- **arm:** implement CKV_AZURE_107 for arm - [#5514](https://github.com/bridgecrewio/checkov/pull/5514)
- **arm:** implement CKV_AZURE_113 for ARM - [#5510](https://github.com/bridgecrewio/checkov/pull/5510)
## [2.4.22](https://github.com/bridgecrewio/checkov/compare/2.4.18...2.4.22) - 2023-08-31
### Feature
- **arm:** implement CKV_AZURE_112 for arm - [#5507](https://github.com/bridgecrewio/checkov/pull/5507)
- **arm:** implement CKV_AZURE_40 for ARM - [#5499](https://github.com/bridgecrewio/checkov/pull/5499)
- **arm:** implement CKV_AZURE_58 for ARM - [#5497](https://github.com/bridgecrewio/checkov/pull/5497)
- **arm:** implement CKV_AZURE_94 for arm - [#5508](https://github.com/bridgecrewio/checkov/pull/5508)
### Bug Fix
- **helm:** Changed error message to failure to better differentiate problems - [#5517](https://github.com/bridgecrewio/checkov/pull/5517)
- **terraform_json:** correctly parse data blocks in Terraform JSON - [#5509](https://github.com/bridgecrewio/checkov/pull/5509)
- **terraform:** continue processing of TF modules in the same file - [#5503](https://github.com/bridgecrewio/checkov/pull/5503)
- **terraform:** fix error type - [#5513](https://github.com/bridgecrewio/checkov/pull/5513)
## [2.4.18](https://github.com/bridgecrewio/checkov/compare/2.4.14...2.4.18) - 2023-08-30
### Feature
- **arm:** implement CKV_AZURE_100 for arm - [#5490](https://github.com/bridgecrewio/checkov/pull/5490)
- **arm:** implement CKV_AZURE_114 for arm - [#5489](https://github.com/bridgecrewio/checkov/pull/5489)
- **arm:** implement CKV_AZURE_130 for arm - [#5485](https://github.com/bridgecrewio/checkov/pull/5485)
- **arm:** implement CKV_AZURE_151 for arm - [#5484](https://github.com/bridgecrewio/checkov/pull/5484)
### Bug Fix
- **arm:** correctly handle json files with comments and output parsing errors - [#5495](https://github.com/bridgecrewio/checkov/pull/5495)
## [2.4.14](https://github.com/bridgecrewio/checkov/compare/2.4.10...2.4.14) - 2023-08-27
### Feature
- **arm:** CKV_AZURE_66 implement config logging check for arm - [#5464](https://github.com/bridgecrewio/checkov/pull/5464)
- **arm:** convert CKV_AZURE_65 to arm - [#5467](https://github.com/bridgecrewio/checkov/pull/5467)
- **arm:** Implement CKV_AZURE_109 in arm - [#5483](https://github.com/bridgecrewio/checkov/pull/5483)
- **arm:** implement CKV_AZURE_63 for arm - [#5475](https://github.com/bridgecrewio/checkov/pull/5475)
- **arm:** implement CKV_AZURE_80 in arm - [#5476](https://github.com/bridgecrewio/checkov/pull/5476)
- **secrets:** fix resource in git history scan - [#5482](https://github.com/bridgecrewio/checkov/pull/5482)
### Bug Fix
- **terraform:** extend CKV2_AWS_5 to include aws_appstream_fleet (#5487) - [#5491](https://github.com/bridgecrewio/checkov/pull/5491)
## [2.4.10](https://github.com/bridgecrewio/checkov/compare/2.4.7...2.4.10) - 2023-08-24
### Feature
- **arm:** migrate check CKV_AZURE_50 to arm - [#5453](https://github.com/bridgecrewio/checkov/pull/5453)
- **arm:** translate tf CKV_AZURE_93 check to arm - [#5450](https://github.com/bridgecrewio/checkov/pull/5450)
- **kubernetes:** Added new endpoint for both helm and kustomize - [#5481](https://github.com/bridgecrewio/checkov/pull/5481)
### Bug Fix
- **dockerfile:** consider platform flag in CKV_DOCKER_7 - [#5468](https://github.com/bridgecrewio/checkov/pull/5468)
- **kustomize:** support kubectl 1.28+ - [#5480](https://github.com/bridgecrewio/checkov/pull/5480)
## [2.4.7](https://github.com/bridgecrewio/checkov/compare/2.4.6...2.4.7) - 2023-08-23
### Feature
- **secrets:** handle non iac secrets FP - [#5478](https://github.com/bridgecrewio/checkov/pull/5478)
## [2.4.6](https://github.com/bridgecrewio/checkov/compare/2.4.5...2.4.6) - 2023-08-22
### Bug Fix
- **terraform:** Replaced / with os.pathsep to support windows better in terraform runner - [#5473](https://github.com/bridgecrewio/checkov/pull/5473)
### Documentation
- **terraform:** make jq default - [#5462](https://github.com/bridgecrewio/checkov/pull/5462)
## [2.4.5](https://github.com/bridgecrewio/checkov/compare/2.4.4...2.4.5) - 2023-08-21
### Bug Fix
- **terraform:** Fix for-each/count updating inner for each index for every child resource - [#5463](https://github.com/bridgecrewio/checkov/pull/5463)
## [2.4.4](https://github.com/bridgecrewio/checkov/compare/2.4.2...2.4.4) - 2023-08-20
### Platform
- **sca:** Filter IR FW upload results by supportedIrFw list - [#5448](https://github.com/bridgecrewio/checkov/pull/5448)
## [2.4.2](https://github.com/bridgecrewio/checkov/compare/2.4.1...2.4.2) - 2023-08-17
### Feature
- **dockerfile:** Add CKV2_DOCKER_17 for chpasswd - [#5441](https://github.com/bridgecrewio/checkov/pull/5441)
### Bug Fix
- **kustomize:** Fix kustomize ignoring external policy dir command line options - [#5436](https://github.com/bridgecrewio/checkov/pull/5436)
## [2.4.1](https://github.com/bridgecrewio/checkov/compare/2.3.365...2.4.1) - 2023-08-16
### Feature
- **terraform:** Remove old tf parser - [#5420](https://github.com/bridgecrewio/checkov/pull/5420)
### Bug Fix
- **terraform:** ensure TFModule is created properly in definition context - [#5446](https://github.com/bridgecrewio/checkov/pull/5446)
## [2.3.365](https://github.com/bridgecrewio/checkov/compare/2.3.364...2.3.365) - 2023-08-14
### Feature
- **terraform:** Removed most usages of enable_nested_modules - [#5415](https://github.com/bridgecrewio/checkov/pull/5415)
## [2.3.364](https://github.com/bridgecrewio/checkov/compare/2.3.361...2.3.364) - 2023-08-13
### Feature
- **sca:** update spdx-tools dep to version 0.8.0 and lower bound it - [#5431](https://github.com/bridgecrewio/checkov/pull/5431)
- **terraform:** Add **address** field on vertices even if render_variables is set to False - [#5434](https://github.com/bridgecrewio/checkov/pull/5434)
### Bug Fix
- **terraform:** add new attached resource possibility to CKV2_AWS_23 #5424 - [#5429](https://github.com/bridgecrewio/checkov/pull/5429)
- **terraform:** fix ordering issue in CKV_AWS_358 - [#5425](https://github.com/bridgecrewio/checkov/pull/5425)
## [2.3.361](https://github.com/bridgecrewio/checkov/compare/2.3.360...2.3.361) - 2023-08-10
### Bug Fix
- **arm:** improve CKV_AZURE_24 check - [#5427](https://github.com/bridgecrewio/checkov/pull/5427)
## [2.3.360](https://github.com/bridgecrewio/checkov/compare/2.3.358...2.3.360) - 2023-08-08
### Bug Fix
- **general:** Fix empty credentials file issue - [#5421](https://github.com/bridgecrewio/checkov/pull/5421)
## [2.3.358](https://github.com/bridgecrewio/checkov/compare/2.3.356...2.3.358) - 2023-08-06
### Feature
- **secrets:** Make non-entropy signatures take precedence over entropy signatures - [#5412](https://github.com/bridgecrewio/checkov/pull/5412)
### Bug Fix
- **terraform:** Remove DMS S3 check CKV_AWS_299 - [#5413](https://github.com/bridgecrewio/checkov/pull/5413)
## [2.3.356](https://github.com/bridgecrewio/checkov/compare/2.3.354...2.3.356) - 2023-08-03
### Feature
- **terraform:** Github Actions OIDC trust policy check - [#5402](https://github.com/bridgecrewio/checkov/pull/5402)
## [2.3.354](https://github.com/bridgecrewio/checkov/compare/2.3.351...2.3.354) - 2023-08-02
### Feature
- **general:** allow `--var-file` to be passed as environment variable - [#5406](https://github.com/bridgecrewio/checkov/pull/5406)
- **terraform:** Add new policy to ensure AWS Transfer server only allows secure protocols - [#5409](https://github.com/bridgecrewio/checkov/pull/5409)
### Platform
- **general:** remove obsolete run config fallback API call - [#5404](https://github.com/bridgecrewio/checkov/pull/5404)
### Documentation
- **gha:** Update setup-python version in GitHub Actions.md - [#5393](https://github.com/bridgecrewio/checkov/pull/5393)
## [2.3.351](https://github.com/bridgecrewio/checkov/compare/2.3.349...2.3.351) - 2023-08-01
### Feature
- **terraform:** new serialization methods for module and block - [#5391](https://github.com/bridgecrewio/checkov/pull/5391)
### Bug Fix
- **terraform:** pr for upgrade-checkov - [#5400](https://github.com/bridgecrewio/checkov/pull/5400)
## [2.3.349](https://github.com/bridgecrewio/checkov/compare/2.3.347...2.3.349) - 2023-07-31
### Bug Fix
- **terraform:** add TFDefinitionKey to get_entity_context_and_evaluations - [#5392](https://github.com/bridgecrewio/checkov/pull/5392)
- **terraform:** consider new domain attribute in CKV2_AWS_19 - [#5383](https://github.com/bridgecrewio/checkov/pull/5383)
## [2.3.347](https://github.com/bridgecrewio/checkov/compare/2.3.343...2.3.347) - 2023-07-27
### Feature
- **sca:** support composer.json - [#5382](https://github.com/bridgecrewio/checkov/pull/5382)
- **terraform:** Use new function to create multi graph instead of single graph - [#5375](https://github.com/bridgecrewio/checkov/pull/5375)
### Platform
- **general:** Implement SSO Relay State Parameter in Checkov Output Links - [#5217](https://github.com/bridgecrewio/checkov/pull/5217)
## [2.3.343](https://github.com/bridgecrewio/checkov/compare/2.3.338...2.3.343) - 2023-07-26
### Feature
- **sca:** fix package line numbers - [#5376](https://github.com/bridgecrewio/checkov/pull/5376)
### Bug Fix
- **terraform:** Fix CKV_AWS_104 to support new values - [#5377](https://github.com/bridgecrewio/checkov/pull/5377)
## [2.3.338](https://github.com/bridgecrewio/checkov/compare/2.3.335...2.3.338) - 2023-07-23
### Feature
- **terraform:** add new function to create module and definitions with tests - [#5362](https://github.com/bridgecrewio/checkov/pull/5362)
- **terraform:** GCP Ensure IAM Workload identity is restricted - [#5369](https://github.com/bridgecrewio/checkov/pull/5369)
### Bug Fix
- **general:** fix inline suppression collection inside lists - [#5370](https://github.com/bridgecrewio/checkov/pull/5370)
## [2.3.335](https://github.com/bridgecrewio/checkov/compare/2.3.334...2.3.335) - 2023-07-20
### Bug Fix
- **terraform:** leverage read_file_with_any_encoding to safely look for modules - [#5360](https://github.com/bridgecrewio/checkov/pull/5360)
## [2.3.334](https://github.com/bridgecrewio/checkov/compare/2.3.331...2.3.334) - 2023-07-19
### Feature
- **general:** Add resource code filter to all checkov loggers - [#5356](https://github.com/bridgecrewio/checkov/pull/5356)
- **general:** Infrastructure for custom code logger filter - [#5346](https://github.com/bridgecrewio/checkov/pull/5346)
### Bug Fix
- **kustomize:** Avoid index error when calculating file path - [#5357](https://github.com/bridgecrewio/checkov/pull/5357)
## [2.3.331](https://github.com/bridgecrewio/checkov/compare/2.3.329...2.3.331) - 2023-07-18
### Feature
- **openapi:** Add CKV_OPENAPI_21 - [#5268](https://github.com/bridgecrewio/checkov/pull/5268)
### Bug Fix
- **secrets:** handle regex error in custom secrets gracefully - [#5355](https://github.com/bridgecrewio/checkov/pull/5355)
### Documentation
- **general:** update docs about installation guidelines - [#5352](https://github.com/bridgecrewio/checkov/pull/5352)
## [2.3.329](https://github.com/bridgecrewio/checkov/compare/2.3.326...2.3.329) - 2023-07-17
### Feature
- **github:** Add ability for External checks with git branch - [#5337](https://github.com/bridgecrewio/checkov/pull/5337)
- **sca:** add fix command and code for indirect deps - [#5347](https://github.com/bridgecrewio/checkov/pull/5347)
### Bug Fix
- **kubernetes:** No dups when extracting images - [#5339](https://github.com/bridgecrewio/checkov/pull/5339)
## [2.3.326](https://github.com/bridgecrewio/checkov/compare/2.3.324...2.3.326) - 2023-07-16
### Feature
- **sca:** add fix code and command to cve report - [#5333](https://github.com/bridgecrewio/checkov/pull/5333)
- **sca:** fix code block array structure - [#5338](https://github.com/bridgecrewio/checkov/pull/5338)
### Bug Fix
- **general:** properly encode non supported chars in SARIF uri field - [#5336](https://github.com/bridgecrewio/checkov/pull/5336)
### Documentation
- **sca:** Add SCA skip comments to docs - [#5330](https://github.com/bridgecrewio/checkov/pull/5330)
## [2.3.324](https://github.com/bridgecrewio/checkov/compare/2.3.321...2.3.324) - 2023-07-13
### Bug Fix
- **kustomize:** Added support for the case where no parents are found for the relative file path - [#5332](https://github.com/bridgecrewio/checkov/pull/5332)
- **terraform:** Update CKV2_AWS_12 for the new defaults - [#5203](https://github.com/bridgecrewio/checkov/pull/5203)
## [2.3.321](https://github.com/bridgecrewio/checkov/compare/2.3.320...2.3.321) - 2023-07-13
### Feature
- **kustomize:** Support child k8s resources inside kustomize origin annotations - [#5328](https://github.com/bridgecrewio/checkov/pull/5328)
## [2.3.320](https://github.com/bridgecrewio/checkov/compare/2.3.318...2.3.320) - 2023-07-12
### Bug Fix
- **kustomize:** Checked for existence of caller_file_path in definitions_raw - [#5324](https://github.com/bridgecrewio/checkov/pull/5324)
- **openapi:** Fix ws for CKV_OPENAPI_20 - [#5317](https://github.com/bridgecrewio/checkov/pull/5317)
- **terraform:** CKV_AWS_342 - managed rules have predefined actions - [#5322](https://github.com/bridgecrewio/checkov/pull/5322)
## [2.3.318](https://github.com/bridgecrewio/checkov/compare/2.3.316...2.3.318) - 2023-07-10
### Feature
- **general:** support UTF-16 and other encodings in multiple frameworks - [#5308](https://github.com/bridgecrewio/checkov/pull/5308)
- **kustomize:** add back reverted kustomize annotations and update build github action to use github runners - [#5316](https://github.com/bridgecrewio/checkov/pull/5316)
- **kustomize:** Add origin annotations to calculate bases of kustomize checks - [#5298](https://github.com/bridgecrewio/checkov/pull/5298)
## [2.3.316](https://github.com/bridgecrewio/checkov/compare/2.3.314...2.3.316) - 2023-07-09
### Feature
- **secrets:** Improve the entropy keyword combinator secret scanner - [#5307](https://github.com/bridgecrewio/checkov/pull/5307)
### Bug Fix
- **openapi:** Fix CKV_OpenAPI_20 - [#5302](https://github.com/bridgecrewio/checkov/pull/5302)
- **terraform:** fix invalid value in CKV_AWS_304 - [#5301](https://github.com/bridgecrewio/checkov/pull/5301)
- **terraform:** support new field in CKV2_AWS_3 - [#5304](https://github.com/bridgecrewio/checkov/pull/5304)
## [2.3.314](https://github.com/bridgecrewio/checkov/compare/2.3.312...2.3.314) - 2023-07-06
### Feature
- **dockerfile:** add ARM build for K8s container image - [#5293](https://github.com/bridgecrewio/checkov/pull/5293)
- **general:** Add checkov.spec to enable PyInstaller - [#5281](https://github.com/bridgecrewio/checkov/pull/5281)
### Bug Fix
- **terraform:** remove CKV2_AZURE_18 check and improve CKV2_AZURE_1 - [#5294](https://github.com/bridgecrewio/checkov/pull/5294)
## [2.3.312](https://github.com/bridgecrewio/checkov/compare/2.3.311...2.3.312) - 2023-07-05
### Platform
- **general:** use sca inline suppressions - [#5285](https://github.com/bridgecrewio/checkov/pull/5285)
## [2.3.311](https://github.com/bridgecrewio/checkov/compare/2.3.310...2.3.311) - 2023-07-04
### Feature
- **openapi:** New OpenAPI check CKV_OPENAPI_20 - [#5253](https://github.com/bridgecrewio/checkov/pull/5253)
## [2.3.310](https://github.com/bridgecrewio/checkov/compare/2.3.309...2.3.310) - 2023-07-02
### Bug Fix
- **terraform:** remove deprecated check CKV_GCP_67 - [#5275](https://github.com/bridgecrewio/checkov/pull/5275)
### Documentation
- **general:** Add csv to output - [#5273](https://github.com/bridgecrewio/checkov/pull/5273)
## [2.3.309](https://github.com/bridgecrewio/checkov/compare/2.3.306...2.3.309) - 2023-06-29
### Feature
- **graph:** add experimental debug output for graph check evaluation - [#5257](https://github.com/bridgecrewio/checkov/pull/5257)
### Bug Fix
- **general:** revert add composer files to supported package files - [#5269](https://github.com/bridgecrewio/checkov/pull/5269)
### Platform
- **general:** add composer files to supported package files - [#5263](https://github.com/bridgecrewio/checkov/pull/5263)
## [2.3.306](https://github.com/bridgecrewio/checkov/compare/2.3.303...2.3.306) - 2023-06-27
### Feature
- **terraform:** add module check for commit hash revision usage - [#5261](https://github.com/bridgecrewio/checkov/pull/5261)
### Bug Fix
- **openapi:** add security definition type validation into CKV_OPENAPI_9 - [#5262](https://github.com/bridgecrewio/checkov/pull/5262)
- **secrets:** fix secrets omit crash when value is not string - [#5260](https://github.com/bridgecrewio/checkov/pull/5260)
- **terraform:** ignore local modules in CKV_TF_1 - [#5264](https://github.com/bridgecrewio/checkov/pull/5264)
## [2.3.303](https://github.com/bridgecrewio/checkov/compare/2.3.302...2.3.303) - 2023-06-26
### Bug Fix
- **arm:** consider encryption property in CKV_AZURE_2 - [#5254](https://github.com/bridgecrewio/checkov/pull/5254)
## [2.3.302](https://github.com/bridgecrewio/checkov/compare/2.3.301...2.3.302) - 2023-06-25
### Bug Fix
- **terraform:** add missing AWS RDS CA certificate identifiers for aws_db_instance resource - [#5247](https://github.com/bridgecrewio/checkov/pull/5247)
## [2.3.301](https://github.com/bridgecrewio/checkov/compare/2.3.299...2.3.301) - 2023-06-22
### Feature
- **general:** remove log from parallel common - [#5244](https://github.com/bridgecrewio/checkov/pull/5244)
### Platform
- **general:** Fix local repo generated name if it ends with / - [#5243](https://github.com/bridgecrewio/checkov/pull/5243)
## [2.3.299](https://github.com/bridgecrewio/checkov/compare/2.3.296...2.3.299) - 2023-06-21
### Feature
- **terraform:** ensure kms key policy is defined - [#5235](https://github.com/bridgecrewio/checkov/pull/5235)
### Bug Fix
- **sca:** fix wrongly invoked Image Referencer scanning when scanning a single file - [#5237](https://github.com/bridgecrewio/checkov/pull/5237)
- **terraform_plan:** add terraform plan vertices to the terraform graph if they do not exist - [#5230](https://github.com/bridgecrewio/checkov/pull/5230)
## [2.3.296](https://github.com/bridgecrewio/checkov/compare/2.3.294...2.3.296) - 2023-06-19
### Bug Fix
- **dockerfile:** negative `is_dockerfile()` lookup on `.dockerignore` suffix - [#5219](https://github.com/bridgecrewio/checkov/pull/5219)
- **terraform:** fix empty value issue for CKV_GIT_4 - [#5222](https://github.com/bridgecrewio/checkov/pull/5222)
### Documentation
- **graph:** add jsonpath custom policy example - [#5221](https://github.com/bridgecrewio/checkov/pull/5221)
## [2.3.294](https://github.com/bridgecrewio/checkov/compare/2.3.292...2.3.294) - 2023-06-15
### Feature
- **gha:** add skip_path flag to GHA and allow multiple values in var_file - [#5213](https://github.com/bridgecrewio/checkov/pull/5213)
- **sca:** add root package name and version to csv sbom - [#5211](https://github.com/bridgecrewio/checkov/pull/5211)
## [2.3.292](https://github.com/bridgecrewio/checkov/compare/2.3.289...2.3.292) - 2023-06-14
### Feature
- **arm:** Handle another structure for SQL retention policy - [#5210](https://github.com/bridgecrewio/checkov/pull/5210)
### Bug Fix
- **secrets:** limit line length for custom secrets - [#5208](https://github.com/bridgecrewio/checkov/pull/5208)
- **terraform:** Update GCP checks for plan files - [#5197](https://github.com/bridgecrewio/checkov/pull/5197)
## [2.3.289](https://github.com/bridgecrewio/checkov/compare/2.3.287...2.3.289) - 2023-06-13
### Feature
- **sca:** remove the use of the constant CHECKOV_DISPLAY_REGISTRY_URL - [#5204](https://github.com/bridgecrewio/checkov/pull/5204)
## [2.3.287](https://github.com/bridgecrewio/checkov/compare/2.3.285...2.3.287) - 2023-06-11
### Feature
- **general:** add checkov_diff pre-commit hook for scanning all changed files - [#5192](https://github.com/bridgecrewio/checkov/pull/5192)
### Bug Fix
- **cloudformation:** fix CKV_AWS_33 to consider deny statements - [#5193](https://github.com/bridgecrewio/checkov/pull/5193)
### Documentation
- **general:** Update pre-commit.md - [#5190](https://github.com/bridgecrewio/checkov/pull/5190)
## [2.3.285](https://github.com/bridgecrewio/checkov/compare/2.3.283...2.3.285) - 2023-06-08
### Feature
- **arm:** and bicep: Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123 - [#5049](https://github.com/bridgecrewio/checkov/pull/5049)
### Bug Fix
- **general:** handle cloned checks filtered via labels - [#5188](https://github.com/bridgecrewio/checkov/pull/5188)
- **terraform:** adjust CKV_AZURE_6 to comply with new provider version - [#5189](https://github.com/bridgecrewio/checkov/pull/5189)
## [2.3.283](https://github.com/bridgecrewio/checkov/compare/2.3.281...2.3.283) - 2023-06-07
### Feature
- **arm:** Handle arm db servers 2021 05 01 - [#5187](https://github.com/bridgecrewio/checkov/pull/5187)
- **terraform:** Mark unresolved tf function calls as unresolved - [#5186](https://github.com/bridgecrewio/checkov/pull/5186)
### Documentation
- **general:** Add Enforcement CLI Command - [#5185](https://github.com/bridgecrewio/checkov/pull/5185)
## [2.3.281](https://github.com/bridgecrewio/checkov/compare/2.3.278...2.3.281) - 2023-06-06
### Feature
- **terraform_plan:** Expose field changes to python checks - [#5112](https://github.com/bridgecrewio/checkov/pull/5112)
### Bug Fix
- **general:** Check that the result is not None before extracting vars in cli multiprocess runs - [#5183](https://github.com/bridgecrewio/checkov/pull/5183)
- **general:** Correctly handle cli graphs in case we run with multiprocessing - [#5177](https://github.com/bridgecrewio/checkov/pull/5177)
## [2.3.278](https://github.com/bridgecrewio/checkov/compare/2.3.276...2.3.278) - 2023-06-05
### Bug Fix
- **kubernetes:** don't fail if spec is missing and the default value is set to the fix value. - [#5167](https://github.com/bridgecrewio/checkov/pull/5167)
## [2.3.276](https://github.com/bridgecrewio/checkov/compare/2.3.273...2.3.276) - 2023-06-04
### Feature
- **arm:** ARM and bicep checks for CKV_AZURE_121 - [#5029](https://github.com/bridgecrewio/checkov/pull/5029)
- **terraform:** Ensure Application Gateway defines secure SSL protocols CKV_AZURE_217, 218 - [#5027](https://github.com/bridgecrewio/checkov/pull/5027)
- **terraform:** Ensure Azure firewall sets threatintelMode to Deny - [#5013](https://github.com/bridgecrewio/checkov/pull/5013)
- **terraform:** Ensure firewall defines a policy - [#5038](https://github.com/bridgecrewio/checkov/pull/5038)
- **terraform:** Ensure Firewall policy has IDPS mode as deny - [#5039](https://github.com/bridgecrewio/checkov/pull/5039)
### Bug Fix
- **dockerfile:** support platform flag in CKV_DOCKER_11 - [#5170](https://github.com/bridgecrewio/checkov/pull/5170)
- **terraform:** support condition in IAM policy data blocks - [#5171](https://github.com/bridgecrewio/checkov/pull/5171)
- **terraform:** Unable to download Terraform modules from JFrog Artifactory - [#5155](https://github.com/bridgecrewio/checkov/pull/5155)
## [2.3.273](https://github.com/bridgecrewio/checkov/compare/2.3.267...2.3.273) - 2023-06-01
### Feature
- **ansible:** add support of inline suppression for Ansible graph checks - [#5143](https://github.com/bridgecrewio/checkov/pull/5143)
- **terraform:** Use just AWS regex to check EC2Credentials - [#5159](https://github.com/bridgecrewio/checkov/pull/5159)
### Bug Fix
- **cloudformation:** fix evaluate_default_refs func in cfn - [#5164](https://github.com/bridgecrewio/checkov/pull/5164)
- **general:** fix SARIF output related to security-severity field - [#5160](https://github.com/bridgecrewio/checkov/pull/5160)
- **terraform:** adjust CKV_AWS_85 to only look for one log type to pass - [#5162](https://github.com/bridgecrewio/checkov/pull/5162)
- **terraform:** update latest major version of Postgres to v15 - [#5163](https://github.com/bridgecrewio/checkov/pull/5163)
### Platform
- **general:** Add no upload flag and report contributors for all API key runs - [#5052](https://github.com/bridgecrewio/checkov/pull/5052)
## [2.3.267](https://github.com/bridgecrewio/checkov/compare/2.3.264...2.3.267) - 2023-05-31
### Bug Fix
- **kubernetes:** fix extracting k8s nested resources - [#5146](https://github.com/bridgecrewio/checkov/pull/5146)
- **sca:** suppression - fix unit testing - [#5158](https://github.com/bridgecrewio/checkov/pull/5158)
- **sca:** suppression is not working on SCA packages - [#5156](https://github.com/bridgecrewio/checkov/pull/5156)
## [2.3.264](https://github.com/bridgecrewio/checkov/compare/2.3.261...2.3.264) - 2023-05-30
### Feature
- **terraform:** don't fail CKV_AWS_2 on un-rendered value - [#5147](https://github.com/bridgecrewio/checkov/pull/5147)
- **terraform:** Foreach support resources edges - [#5145](https://github.com/bridgecrewio/checkov/pull/5145)
### Bug Fix
- **terraform:** exclude unrestrictable actions in CKV_AWS_355 and CKV_AWS_356 - [#5135](https://github.com/bridgecrewio/checkov/pull/5135)
### Documentation
- **general:** Update operators with examples - [#5137](https://github.com/bridgecrewio/checkov/pull/5137)
## [2.3.261](https://github.com/bridgecrewio/checkov/compare/2.3.259...2.3.261) - 2023-05-28
### Feature
- **general:** Added computation of git_root_path to igraph serialization - [#5107](https://github.com/bridgecrewio/checkov/pull/5107)
- **sca:** adding validation for the file_line_number - [#5132](https://github.com/bridgecrewio/checkov/pull/5132)
- **terraform:** foreach remove error from info log. - [#5139](https://github.com/bridgecrewio/checkov/pull/5139)
### Bug Fix
- **terraform:** Should use UNKNOWN rather than skipped - [#5136](https://github.com/bridgecrewio/checkov/pull/5136)
## [2.3.259](https://github.com/bridgecrewio/checkov/compare/2.3.257...2.3.259) - 2023-05-24
### Feature
- **terraform:** extend CKV2_AWS_5 with new resources - [#5129](https://github.com/bridgecrewio/checkov/pull/5129)
- **terraform:** IAM limit resource access - [#5015](https://github.com/bridgecrewio/checkov/pull/5015)
### Bug Fix
- **kustomize:** fix empty kustomize file crash - [#5131](https://github.com/bridgecrewio/checkov/pull/5131)
### Platform
- **general:** SBOM lines numbers adjusting - [#5127](https://github.com/bridgecrewio/checkov/pull/5127)
## [2.3.257](https://github.com/bridgecrewio/checkov/compare/2.3.251...2.3.257) - 2023-05-23
### Feature
- **sca:** adding the risk factor v2 to the vulnerability details - [#5108](https://github.com/bridgecrewio/checkov/pull/5108)
- **sca:** dockerfile image-referencer fixes - [#5120](https://github.com/bridgecrewio/checkov/pull/5120)
- **secrets:** Add new pre-commit hook for secrets - [#5103](https://github.com/bridgecrewio/checkov/pull/5103)
- **terraform:** add check to look at star resources - [#4996](https://github.com/bridgecrewio/checkov/pull/4996)
### Bug Fix
- **gitlab:** Skipping image blocks without name attribute - [#5126](https://github.com/bridgecrewio/checkov/pull/5126)
- **terraform:** fix terraform variable rendering for provider alias - [#5124](https://github.com/bridgecrewio/checkov/pull/5124)
### Platform
- **general:** Enhancing Sarif output with Security Severity Level - [#5074](https://github.com/bridgecrewio/checkov/pull/5074)
## [2.3.251](https://github.com/bridgecrewio/checkov/compare/2.3.247...2.3.251) - 2023-05-21
### Feature
- **secrets:** add jwt detector to the secret runner - [#5116](https://github.com/bridgecrewio/checkov/pull/5116)
- **terraform:** Adding yaml based build time policies for corresponding PC runtime policies - [#5089](https://github.com/bridgecrewio/checkov/pull/5089)
- **terraform:** AWS Ensure RDS performance insights uses a CMK - [#4985](https://github.com/bridgecrewio/checkov/pull/4985)
- **terraform:** NACL should restrict port ingress - [#4976](https://github.com/bridgecrewio/checkov/pull/4976)
- **terraform:** RDS Enable Performance insights - [#4983](https://github.com/bridgecrewio/checkov/pull/4983)
### Bug Fix
- **dockerfile:** improve update searching in CKV_DOCKER_5 - [#5115](https://github.com/bridgecrewio/checkov/pull/5115)
### Documentation
- **general:** Update CLI Command Reference.md - [#5114](https://github.com/bridgecrewio/checkov/pull/5114)
## [2.3.247](https://github.com/bridgecrewio/checkov/compare/2.3.245...2.3.247) - 2023-05-18
### Feature
- **general:** add SPDX output - [#5104](https://github.com/bridgecrewio/checkov/pull/5104)
- **kubernetes:** separate service account builder to improve performance - [#5093](https://github.com/bridgecrewio/checkov/pull/5093)
- **sca:** showing line numbers in the cli output for csv - [#5096](https://github.com/bridgecrewio/checkov/pull/5096)
- **sca:** showing line numbers in the cli output for licenses - [#5098](https://github.com/bridgecrewio/checkov/pull/5098)
## [2.3.245](https://github.com/bridgecrewio/checkov/compare/2.3.243...2.3.245) - 2023-05-16
### Feature
- **dockerfile:** Support docker graph check skips - [#5085](https://github.com/bridgecrewio/checkov/pull/5085)
- **sca:** using the lines directly in the record, rather than in the "vulnerability_details" + having it in ExtraResources - [#5092](https://github.com/bridgecrewio/checkov/pull/5092)
## [2.3.243](https://github.com/bridgecrewio/checkov/compare/2.3.240...2.3.243) - 2023-05-15
### Feature
- **kubernetes:** Improve k8s perf - [#5083](https://github.com/bridgecrewio/checkov/pull/5083)
- **terraform:** EMR - At rest local disk, EBS and in transit encryption checks - [#4968](https://github.com/bridgecrewio/checkov/pull/4968)
### Bug Fix
- **kubernetes:** add mini k8s parser for invalid templates - [#5088](https://github.com/bridgecrewio/checkov/pull/5088)
- **terraform:** handle false-positives for Route53ZoneEnableDNSSECSigning - [#5084](https://github.com/bridgecrewio/checkov/pull/5084)
### Platform
- **general:** Add lines to SBOM - [#5078](https://github.com/bridgecrewio/checkov/pull/5078)
- **graph:** upload graphs to the platform - [#5073](https://github.com/bridgecrewio/checkov/pull/5073)
## [2.3.240](https://github.com/bridgecrewio/checkov/compare/2.3.239...2.3.240) - 2023-05-14
### Bug Fix
- **terraform:** skip invalid multiple modules names - [#5079](https://github.com/bridgecrewio/checkov/pull/5079)
## [2.3.239](https://github.com/bridgecrewio/checkov/compare/2.3.238...2.3.239) - 2023-05-12
### Bug Fix
- **sca:** only run image referencer with sca_image framework - [#5081](https://github.com/bridgecrewio/checkov/pull/5081)
## [2.3.238](https://github.com/bridgecrewio/checkov/compare/2.3.237...2.3.238) - 2023-05-11
### Feature
- **kustomize:** Support inline skips for Kubernetes graph checks - [#5070](https://github.com/bridgecrewio/checkov/pull/5070)
## [2.3.237](https://github.com/bridgecrewio/checkov/compare/2.3.234...2.3.237) - 2023-05-10
### Bug Fix
- **secrets:** add filter for suppressed custom secret checks - [#5068](https://github.com/bridgecrewio/checkov/pull/5068)
- **secrets:** exclude Kubernetes secretName from secret scanning - [#5071](https://github.com/bridgecrewio/checkov/pull/5071)
- **secrets:** omit the code line - [#5075](https://github.com/bridgecrewio/checkov/pull/5075)
## [2.3.234](https://github.com/bridgecrewio/checkov/compare/2.3.231...2.3.234) - 2023-05-09
### Feature
- **terraform:** Added caller_file_path and caller_file_line_range to reduced report - [#5062](https://github.com/bridgecrewio/checkov/pull/5062)
- **terraform:** AWS IAM don't generate root credentials 348 - [#4966](https://github.com/bridgecrewio/checkov/pull/4966)
- **terraform:** Ensure Neptune cluster is encrypted with a CMK CKV_AWS_347 - [#4965](https://github.com/bridgecrewio/checkov/pull/4965)
### Bug Fix
- **terraform:** fix SQS encryption check CKV_AWS_27 - [#5065](https://github.com/bridgecrewio/checkov/pull/5065)
### Documentation
- **general:** Fix some links - [#5064](https://github.com/bridgecrewio/checkov/pull/5064)
- **general:** update Python custom checks docs - [#5054](https://github.com/bridgecrewio/checkov/pull/5054)
## [2.3.231](https://github.com/bridgecrewio/checkov/compare/2.3.227...2.3.231) - 2023-05-08
### Feature
- **terraform:** aws ensure delete protection for firewalls 344 - [#4870](https://github.com/bridgecrewio/checkov/pull/4870)
- **terraform:** check that WAF rules have an action 342 - [#4806](https://github.com/bridgecrewio/checkov/pull/4806)
- **terraform:** Ensure encryption for firewall uses a CMK CKV_AWS_345 - [#4871](https://github.com/bridgecrewio/checkov/pull/4871)
- **terraform:** Ensure Network firewall policy defines an encryption configuration that uses a CMK - CKV_AWS_346 - [#4877](https://github.com/bridgecrewio/checkov/pull/4877)
### Bug Fix
- **kubernetes:** Update ckv_k8s_31 - [#4991](https://github.com/bridgecrewio/checkov/pull/4991)
## [2.3.227](https://github.com/bridgecrewio/checkov/compare/2.3.224...2.3.227) - 2023-05-07
### Feature
- **general:** include missing files in save repository - [#5056](https://github.com/bridgecrewio/checkov/pull/5056)
- **terraform:** launch config/template Ensure metadata hop =1 341 - [#4817](https://github.com/bridgecrewio/checkov/pull/4817)
- **terraform:** Update CKV_AZURE_43 StorageAccountName.py VARIABLE_REFS - [#5045](https://github.com/bridgecrewio/checkov/pull/5045)
### Bug Fix
- **arm:** enabled is not true - [#5051](https://github.com/bridgecrewio/checkov/pull/5051)
- **cloudformation:** Enable ALB to support tls1.3 policies #4962 - [#5035](https://github.com/bridgecrewio/checkov/pull/5035)
- **secrets:** add handling of unicode error - [#5055](https://github.com/bridgecrewio/checkov/pull/5055)
## [2.3.224](https://github.com/bridgecrewio/checkov/compare/2.3.223...2.3.224) - 2023-05-05
### Platform
- **general:** Catch None responses from BE - [#5033](https://github.com/bridgecrewio/checkov/pull/5033)
## [2.3.223](https://github.com/bridgecrewio/checkov/compare/2.3.220...2.3.223) - 2023-05-04
### Feature
- **terraform:** Elastic beanstalk uses managed updates and fixes the EB check while i… 340 - [#4816](https://github.com/bridgecrewio/checkov/pull/4816)
### Bug Fix
- **secrets:** don't scan images in git history - [#5040](https://github.com/bridgecrewio/checkov/pull/5040)
- **terraform:** fix foreach render value for lookup - [#5037](https://github.com/bridgecrewio/checkov/pull/5037)
- **terraform:** Handle entity context for for_each resources - [#5036](https://github.com/bridgecrewio/checkov/pull/5036)
## [2.3.220](https://github.com/bridgecrewio/checkov/compare/2.3.214...2.3.220) - 2023-05-03
### Feature
- **secrets:** open the feature - scan git history - [#5022](https://github.com/bridgecrewio/checkov/pull/5022)
- **terraform:** Set TF Modules for_each env var to true - [#5021](https://github.com/bridgecrewio/checkov/pull/5021)
- **terraform:** Set TF modules for_each env vars as True - [#4794](https://github.com/bridgecrewio/checkov/pull/4794)
### Bug Fix
- **secrets:** add filter for suppressed custom secret checks - [#5016](https://github.com/bridgecrewio/checkov/pull/5016)
- **terraform:** improve attribute performance - [#5014](https://github.com/bridgecrewio/checkov/pull/5014)
- **terraform:** Update CKV_AWS_338 message and retention check for 0 - [#5018](https://github.com/bridgecrewio/checkov/pull/5018)
- **terraform:** Update CKV2_AZURE_33 to remove checks on unrelated conditions - [#5020](https://github.com/bridgecrewio/checkov/pull/5020)
## [2.3.214](https://github.com/bridgecrewio/checkov/compare/2.3.212...2.3.214) - 2023-05-02
### Bug Fix
- **secrets:** Adding quote to required secret in case needed - [#5008](https://github.com/bridgecrewio/checkov/pull/5008)
- **secrets:** change color of invalid secret message - [#5007](https://github.com/bridgecrewio/checkov/pull/5007)
### Platform
- **general:** upload checks code_block to report - [#5001](https://github.com/bridgecrewio/checkov/pull/5001)
## [2.3.212](https://github.com/bridgecrewio/checkov/compare/2.3.205...2.3.212) - 2023-04-30
### Feature
- **kubernetes:** support suppressing custom K8s policies - [#4990](https://github.com/bridgecrewio/checkov/pull/4990)
- **terraform:** AWS EKS Use only platform supported versions 339 - [#4810](https://github.com/bridgecrewio/checkov/pull/4810)
- **terraform:** Azure APIm backend uses only HTTPS - [#4811](https://github.com/bridgecrewio/checkov/pull/4811)
- **terraform:** Ensure Cloudwatch retention is a year or more 338 - [#4799](https://github.com/bridgecrewio/checkov/pull/4799)
- **terraform:** remove redundant foreach deepcopy - [#4982](https://github.com/bridgecrewio/checkov/pull/4982)
### Bug Fix
- **secrets:** fix missing history results when history store is used - [#4992](https://github.com/bridgecrewio/checkov/pull/4992)
- **terraform:** secret- also check user data in launch config and template - [#4969](https://github.com/bridgecrewio/checkov/pull/4969)
## [2.3.205](https://github.com/bridgecrewio/checkov/compare/2.3.204...2.3.205) - 2023-04-28
### Bug Fix
- **gitlab:** fix resource id parsing recursive - [#4987](https://github.com/bridgecrewio/checkov/pull/4987)
### Documentation
- **terraform:** fix docs formatting - [#4988](https://github.com/bridgecrewio/checkov/pull/4988)
## [2.3.204](https://github.com/bridgecrewio/checkov/compare/2.3.199...2.3.204) - 2023-04-27
### Feature
- **terraform:** add support for private terraform registries - [#4964](https://github.com/bridgecrewio/checkov/pull/4964)
- **terraform:** remove cross variables bad list comprehension - [#4948](https://github.com/bridgecrewio/checkov/pull/4948)
### Bug Fix
- **general:** log all returned enforcement rules for debugging - [#4989](https://github.com/bridgecrewio/checkov/pull/4989)
- **general:** remove invalid URLs in GitLab SAST output - [#4960](https://github.com/bridgecrewio/checkov/pull/4960)
- **secrets:** change default value of secret values to empty strings - [#4973](https://github.com/bridgecrewio/checkov/pull/4973)
- **terraform:** Added a condition to not override source module object for old parser - [#4975](https://github.com/bridgecrewio/checkov/pull/4975)
## [2.3.199](https://github.com/bridgecrewio/checkov/compare/2.3.194...2.3.199) - 2023-04-24
### Feature
- **terraform:** Ensure container defines a readonly root drive 336 - [#4788](https://github.com/bridgecrewio/checkov/pull/4788)
- **terraform:** ensure pidmode is not set to host 335 - [#4786](https://github.com/bridgecrewio/checkov/pull/4786)
- **terraform:** Ensure SSM params are encrypted using a CMK 337 - [#4789](https://github.com/bridgecrewio/checkov/pull/4789)
- **terraform:** Network firewall must define a logging configuration CKV2_AWS_63 - [#4872](https://github.com/bridgecrewio/checkov/pull/4872)
- **terraform:** Reduce module loading in TF Parser - [#4959](https://github.com/bridgecrewio/checkov/pull/4959)
### Bug Fix
- **kustomize:** fix image_referencer paths - [#4898](https://github.com/bridgecrewio/checkov/pull/4898)
- **terraform:** support TF provider v3 for lifecycle existence check - [#4952](https://github.com/bridgecrewio/checkov/pull/4952)
### Documentation
- **terraform_plan:** Add Deep Analysis to docs - [#4950](https://github.com/bridgecrewio/checkov/pull/4950)
## [2.3.194](https://github.com/bridgecrewio/checkov/compare/2.3.192...2.3.194) - 2023-04-23
### Feature
- **general:** deserialize report & record from json - [#4947](https://github.com/bridgecrewio/checkov/pull/4947)
- **sca:** fix extract fix version in sbom report - [#4936](https://github.com/bridgecrewio/checkov/pull/4936)
- **terraform:** cross variable performance improvement - [#4946](https://github.com/bridgecrewio/checkov/pull/4946)
### Bug Fix
- **github:** make GH Actions delimiter unique in multiline env vars - [#4938](https://github.com/bridgecrewio/checkov/pull/4938)
## [2.3.192](https://github.com/bridgecrewio/checkov/compare/2.3.187...2.3.192) - 2023-04-20
### Feature
- **general:** add policy-metadata-filter to gh action - [#4941](https://github.com/bridgecrewio/checkov/pull/4941)
- **secrets:** support first commit results - [#4927](https://github.com/bridgecrewio/checkov/pull/4927)
- **terraform:** Used generator instead of list comprehension to improve performance for large graphs - [#4939](https://github.com/bridgecrewio/checkov/pull/4939)
### Bug Fix
- **terraform:** make the ECS cluster logging check more resilient - [#4942](https://github.com/bridgecrewio/checkov/pull/4942)
- **terraform:** remove invalid Terraform module reference support - [#4931](https://github.com/bridgecrewio/checkov/pull/4931)
- **terraform:** support null values in list of dicts - [#4937](https://github.com/bridgecrewio/checkov/pull/4937)
### Documentation
- **bitbucket:** Update Bitbucket documentation to match the code. - [#4934](https://github.com/bridgecrewio/checkov/pull/4934)
- **sca:** Add more ways to skip CVEs - [#4928](https://github.com/bridgecrewio/checkov/pull/4928)
## [2.3.187](https://github.com/bridgecrewio/checkov/compare/2.3.183...2.3.187) - 2023-04-19
### Feature
- **general:** 3D policies syntax refactor - [#4865](https://github.com/bridgecrewio/checkov/pull/4865)
- **secrets:** support scanning of secrets in hidden paths - [#4925](https://github.com/bridgecrewio/checkov/pull/4925)
### Bug Fix
- **secrets:** Revert timeout in unix to work with signals - [#4932](https://github.com/bridgecrewio/checkov/pull/4932)
- **secrets:** timeout in unix to work with signals - [#4933](https://github.com/bridgecrewio/checkov/pull/4933)
### Documentation
- **secrets:** Add readme file for Git History - [#4913](https://github.com/bridgecrewio/checkov/pull/4913)
## [2.3.183](https://github.com/bridgecrewio/checkov/compare/2.3.176...2.3.183) - 2023-04-18
### Feature
- **sca:** add is public fix version to sbom report - [#4915](https://github.com/bridgecrewio/checkov/pull/4915)
- **secrets:** add more files to ignore list in git history - [#4912](https://github.com/bridgecrewio/checkov/pull/4912)
- **terraform:** Ensure that container definition is not privileged 334 - [#4779](https://github.com/bridgecrewio/checkov/pull/4779)
- **terraform:** TF provider check support - [#4911](https://github.com/bridgecrewio/checkov/pull/4911)
### Bug Fix
- **general:** Dedup results contain multiple identical images if using template syntax - [#4924](https://github.com/bridgecrewio/checkov/pull/4924)
- **general:** fix wrong abs path in IR record - [#4919](https://github.com/bridgecrewio/checkov/pull/4919)
- **secrets:** Save fetched policy destination from current work dir to temp - [#4914](https://github.com/bridgecrewio/checkov/pull/4914)
- **secrets:** timeout in unix to work with signals - [#4920](https://github.com/bridgecrewio/checkov/pull/4920)
- **terraform:** Fix for_each flow conditions - [#4918](https://github.com/bridgecrewio/checkov/pull/4918)
- **terraform:** make sure K8s volume is a dict - [#4917](https://github.com/bridgecrewio/checkov/pull/4917)
## [2.3.176](https://github.com/bridgecrewio/checkov/compare/2.3.171...2.3.176) - 2023-04-17
### Feature
- **arm:** add Storage accounts disallow public access check for ARM - [#4906](https://github.com/bridgecrewio/checkov/pull/4906)
- **dockerfile:** Add CKV2_DOCKER_16 for PIP_TRUSTED_HOST - [#4893](https://github.com/bridgecrewio/checkov/pull/4893)
- **sca:** add is private fix version to sca output - [#4891](https://github.com/bridgecrewio/checkov/pull/4891)
### Bug Fix
- **secrets:** fix absolute file path cases - [#4901](https://github.com/bridgecrewio/checkov/pull/4901)
- **terraform:** fix foreach count is none bug - [#4907](https://github.com/bridgecrewio/checkov/pull/4907)
- **terraform:** limit RDS cluster audit logging to MySQL engine - [#4897](https://github.com/bridgecrewio/checkov/pull/4897)
- **terraform:** remove duplicate call to convert graph vertices - [#4909](https://github.com/bridgecrewio/checkov/pull/4909)
- **terraform:** remove local blocks with just line number - [#4902](https://github.com/bridgecrewio/checkov/pull/4902)
## [2.3.171](https://github.com/bridgecrewio/checkov/compare/2.3.165...2.3.171) - 2023-04-16
### Feature
- **secrets:** improve timing git history - [#4890](https://github.com/bridgecrewio/checkov/pull/4890)
- **terraform:** add support for list of dicts in for loop - [#4895](https://github.com/bridgecrewio/checkov/pull/4895)
### Bug Fix
- **cloudformation:** fix invalid fn sub param in cfn - [#4900](https://github.com/bridgecrewio/checkov/pull/4900)
- **secrets:** fix error if writing to file when don't have access - [#4896](https://github.com/bridgecrewio/checkov/pull/4896)
- **secrets:** fix None in file name - [#4899](https://github.com/bridgecrewio/checkov/pull/4899)
- **secrets:** reduce false positives in yaml files - case of serverless and secretmanager - [#4892](https://github.com/bridgecrewio/checkov/pull/4892)
## [2.3.165](https://github.com/bridgecrewio/checkov/compare/2.3.160...2.3.165) - 2023-04-13
### Feature
- **terraform:** ECS Service should not auto assign public IPs 333 - [#4777](https://github.com/bridgecrewio/checkov/pull/4777)
- **terraform:** EFS access points should define a user and a path 329-330 - [#4768](https://github.com/bridgecrewio/checkov/pull/4768)
- **terraform:** Ensure ECS Fargate uses latest version 332 - [#4775](https://github.com/bridgecrewio/checkov/pull/4775)
- **terraform:** Transit gateway should not be set up to autoaccept any VPC 331 - [#4770](https://github.com/bridgecrewio/checkov/pull/4770)
### Bug Fix
- **general:** fix duplicate sarif output - [#4886](https://github.com/bridgecrewio/checkov/pull/4886)
- **secrets:** fix slicing in git history - [#4889](https://github.com/bridgecrewio/checkov/pull/4889)
- **terraform:** exclude GCP asymmetric keys from key rotation - [#4879](https://github.com/bridgecrewio/checkov/pull/4879)
- **terraform:** Paid is now standard - [#4880](https://github.com/bridgecrewio/checkov/pull/4880)
- **terraform:** support empty filter in S3 lifecycle config - [#4875](https://github.com/bridgecrewio/checkov/pull/4875)
## [2.3.160](https://github.com/bridgecrewio/checkov/compare/2.3.158...2.3.160) - 2023-04-11
### Bug Fix
- **general:** catch unexpected errors when querying OpenAI - [#4883](https://github.com/bridgecrewio/checkov/pull/4883)
## [2.3.158](https://github.com/bridgecrewio/checkov/compare/2.3.155...2.3.158) - 2023-04-10
### Feature
- **secrets:** Add fields to record of secrets in git history - [#4838](https://github.com/bridgecrewio/checkov/pull/4838)
### Bug Fix
- **terraform_plan:** Handled TFDefinitionKey in plan runner as well - [#4864](https://github.com/bridgecrewio/checkov/pull/4864)
## [2.3.155](https://github.com/bridgecrewio/checkov/compare/2.3.152...2.3.155) - 2023-04-09
### Feature
- **cloudformation:** support inline suppression of CFN graph checks - [#4843](https://github.com/bridgecrewio/checkov/pull/4843)
- **terraform:** Aurora DB should enable backtrack - [#4739](https://github.com/bridgecrewio/checkov/pull/4739)
- **terraform:** Desync must be set to defensive or strictest - [#4766](https://github.com/bridgecrewio/checkov/pull/4766)
- **terraform:** Ensure that RDS clusters are encrypted using a CMK - [#4742](https://github.com/bridgecrewio/checkov/pull/4742)
- **terraform:** RDS Cluster - make sure rds cluster defined defaults for logging and audit logging - [#4736](https://github.com/bridgecrewio/checkov/pull/4736)
### Bug Fix
- **general:** be more forgiving of skipped checks without comment - [#4844](https://github.com/bridgecrewio/checkov/pull/4844)
- **terraform:** default case should pass for auto updates - [#4847](https://github.com/bridgecrewio/checkov/pull/4847)
- **terraform:** False negative for CKV_AZURE_179 - [#4846](https://github.com/bridgecrewio/checkov/pull/4846)
- **terraform:** Only update config if len is bigger than 0 - [#4855](https://github.com/bridgecrewio/checkov/pull/4855)
## [2.3.152](https://github.com/bridgecrewio/checkov/compare/2.3.150...2.3.152) - 2023-04-04
### Feature
- **dockerfile:** Add CKV2_DOCKER_15 for yum-config-manager sslverify - [#4622](https://github.com/bridgecrewio/checkov/pull/4622)
### Bug Fix
- **cloudformation:** Security Group check now work for ranges and strings - [#4797](https://github.com/bridgecrewio/checkov/pull/4797)
- **terraform:** Ensure APPService default action is to ignore not fail - [#4790](https://github.com/bridgecrewio/checkov/pull/4790)
- **terraform:** Subnetworks with internal purpose can have private_ipv6_google_access… - [#4804](https://github.com/bridgecrewio/checkov/pull/4804)
## [2.3.150](https://github.com/bridgecrewio/checkov/compare/2.3.148...2.3.150) - 2023-04-03
### Feature
- **terraform:** Adding yaml based build time policies for corresponding PC runtime policies - [#4800](https://github.com/bridgecrewio/checkov/pull/4800)
### Bug Fix
- **terraform:** Fix for edge cases in for_each modules - [#4831](https://github.com/bridgecrewio/checkov/pull/4831)
## [2.3.148](https://github.com/bridgecrewio/checkov/compare/2.3.140...2.3.148) - 2023-04-02
### Feature
- **kubernetes:** support non-utf-8 encoded Kubernetes manifest files - [#4820](https://github.com/bridgecrewio/checkov/pull/4820)
- **terraform:** ElastiCache for Redis cluster should automatically take minor updates - [#4726](https://github.com/bridgecrewio/checkov/pull/4726)
- **terraform:** Ensure opensearch is configured for HA - [#4717](https://github.com/bridgecrewio/checkov/pull/4717)
- **terraform:** Ensure Redshift specifies a DB name - [#4723](https://github.com/bridgecrewio/checkov/pull/4723)
- **terraform:** Ensure Redshift uses enhanced vpc routing - [#4724](https://github.com/bridgecrewio/checkov/pull/4724)
- **terraform:** Fix up ES logging check - [#4720](https://github.com/bridgecrewio/checkov/pull/4720)
### Bug Fix
- **general:** don't add an invalid URL to helpUri field in SARIF output - [#4814](https://github.com/bridgecrewio/checkov/pull/4814)
- **graph:** support string values for resource_types in graph checks properly - [#4819](https://github.com/bridgecrewio/checkov/pull/4819)
- **kubernetes:** Don't require ImagePullPolicy when digest (#4776) - [#4781](https://github.com/bridgecrewio/checkov/pull/4781)
- **secrets:** catch errors in middle of process of getting commit diffs - [#4823](https://github.com/bridgecrewio/checkov/pull/4823)
- **terraform:** Fix add_to_block condition to support more edge cases - [#4822](https://github.com/bridgecrewio/checkov/pull/4822)
- **terraform:** fix false positive CKV2_GCP_20 (fails for any non-MySQL instance) - [#4813](https://github.com/bridgecrewio/checkov/pull/4813)
- **terraform:** Length resolvers evaluate length of `dict` as 1. - [#4808](https://github.com/bridgecrewio/checkov/pull/4808)
### Platform
- **general:** Save error lines in IR records - [#4821](https://github.com/bridgecrewio/checkov/pull/4821)
## [2.3.140](https://github.com/bridgecrewio/checkov/compare/2.3.134...2.3.140) - 2023-03-30
### Feature
- **general:** add OpenAI integration - [#4782](https://github.com/bridgecrewio/checkov/pull/4782)
- **terraform:** Ensure that cloudwatch alarms are set on - [#4805](https://github.com/bridgecrewio/checkov/pull/4805)
### Bug Fix
- **general:** fix scan all files entrypoint - [#4801](https://github.com/bridgecrewio/checkov/pull/4801)
- **terraform:** Set back CHECKOV_ENABLE_FOREACH_HANDLING to False to check performance - [#4798](https://github.com/bridgecrewio/checkov/pull/4798)
- **terraform:** TF new parser - Check for tfvars block - [#4796](https://github.com/bridgecrewio/checkov/pull/4796)
## [2.3.134](https://github.com/bridgecrewio/checkov/compare/2.3.128...2.3.134) - 2023-03-29
### Feature
- **ansible:** PAN-OS policy and zone checks - [#4737](https://github.com/bridgecrewio/checkov/pull/4737)
- **terraform_plan:** support data blocks in Terraform plan files - [#4758](https://github.com/bridgecrewio/checkov/pull/4758)
- **terraform:** Set CHECKOV_ENABLE_FOREACH_HANDLING as True - [#4774](https://github.com/bridgecrewio/checkov/pull/4774)
### Bug Fix
- **terraform:** Correctly serialize/deserialize TFModule object - [#4780](https://github.com/bridgecrewio/checkov/pull/4780)
- **terraform:** Fix nested `each.value` replacement in for_each handler - [#4787](https://github.com/bridgecrewio/checkov/pull/4787)
## [2.3.128](https://github.com/bridgecrewio/checkov/compare/2.3.124...2.3.128) - 2023-03-28
### Feature
- **secrets:** make git history scan run in parallel - [#4769](https://github.com/bridgecrewio/checkov/pull/4769)
- **terraform:** Add source_module_object_ to block attributes - [#4773](https://github.com/bridgecrewio/checkov/pull/4773)
- **terraform:** codebuild dont enable privilege mode - [#4714](https://github.com/bridgecrewio/checkov/pull/4714)
### Bug Fix
- **terraform:** Fix nested statements in _is_static_foreach_statement - [#4772](https://github.com/bridgecrewio/checkov/pull/4772)
## [2.3.124](https://github.com/bridgecrewio/checkov/compare/2.3.121...2.3.124) - 2023-03-27
### Feature
- **terraform:** AWS Use Launch templates in ASG - [#4698](https://github.com/bridgecrewio/checkov/pull/4698)
- **terraform:** Codebuild defines and uses logs - [#4696](https://github.com/bridgecrewio/checkov/pull/4696)
### Bug Fix
- **terraform:** Foreach - Fix regex on an empty list - [#4765](https://github.com/bridgecrewio/checkov/pull/4765)
## [2.3.121](https://github.com/bridgecrewio/checkov/compare/2.3.115...2.3.121) - 2023-03-26
### Feature
- **general:** Add scan all files to entrypoint - [#4746](https://github.com/bridgecrewio/checkov/pull/4746)
- **terraform:** check routes are authorised - [#4682](https://github.com/bridgecrewio/checkov/pull/4682)
- **terraform:** CloudDistribution set Failover origin - [#4686](https://github.com/bridgecrewio/checkov/pull/4686)
- **terraform:** code build s3 logs are encrypted - [#4687](https://github.com/bridgecrewio/checkov/pull/4687)
- **terraform:** Elasticbeanstalk should use enhanced health reporting - [#4692](https://github.com/bridgecrewio/checkov/pull/4692)
- **terraform:** RDS cluster copy tags to snapshot - [#4693](https://github.com/bridgecrewio/checkov/pull/4693)
- **terraform:** Support for_each/count statements in TF Modules - [#4708](https://github.com/bridgecrewio/checkov/pull/4708)
### Bug Fix
- **secrets:** Don't show stack trace in failures when uploading secrets to verify - [#4734](https://github.com/bridgecrewio/checkov/pull/4734)
- **secrets:** Compare abs paths in SecretsOmitter - [#4756](https://github.com/bridgecrewio/checkov/pull/4756)
- **terraform:** refine IAM assume role check CKV_AWS_61 - [#4749](https://github.com/bridgecrewio/checkov/pull/4749)
- **terraform:** refine S3 lifecycle check CKV_AWS_300 - [#4750](https://github.com/bridgecrewio/checkov/pull/4750)
### Platform
- **terraform:** external module from git fail - log warning - [#4755](https://github.com/bridgecrewio/checkov/pull/4755)
### Documentation
- **terraform:** Document no private registry - [#4745](https://github.com/bridgecrewio/checkov/pull/4745)
## [2.3.115](https://github.com/bridgecrewio/checkov/compare/2.3.114...2.3.115) - 2023-03-24
### Bug Fix
- **general:** fix default log levels for support stream - [#4741](https://github.com/bridgecrewio/checkov/pull/4741)
## [2.3.114](https://github.com/bridgecrewio/checkov/compare/2.3.110...2.3.114) - 2023-03-23
### Feature
- **ansible:** Ansible panos int mgmt checks - [#4683](https://github.com/bridgecrewio/checkov/pull/4683)
- **terraform:** api gateway ensure api cache is encrypted - [#4681](https://github.com/bridgecrewio/checkov/pull/4681)
- **terraform:** AWS ensure Sagemaker Notebook users are not Root - [#4676](https://github.com/bridgecrewio/checkov/pull/4676)
- **terraform:** Sagemaker Notebook In Custom VPC - [#4675](https://github.com/bridgecrewio/checkov/pull/4675)
- **terraform:** Terraform runner with the new TF parser - [#4728](https://github.com/bridgecrewio/checkov/pull/4728)
### Bug Fix
- **gitlab:** fixing include scope that predominates over all others - [#4735](https://github.com/bridgecrewio/checkov/pull/4735)
### Documentation
- **general:** fix small typo - [#4725](https://github.com/bridgecrewio/checkov/pull/4725)
## [2.3.110](https://github.com/bridgecrewio/checkov/compare/2.3.108...2.3.110) - 2023-03-22
### Bug Fix
- **graph:** Fix an issue in and connection solver - [#4719](https://github.com/bridgecrewio/checkov/pull/4719)
## [2.3.108](https://github.com/bridgecrewio/checkov/compare/2.3.105...2.3.108) - 2023-03-21
### Feature
- **secrets:** add option to get and set the secret store - [#4707](https://github.com/bridgecrewio/checkov/pull/4707)
### Platform
- **graph:** Ignore SyntaxWarning in variable rendering - [#4718](https://github.com/bridgecrewio/checkov/pull/4718)
## [2.3.105](https://github.com/bridgecrewio/checkov/compare/2.3.102...2.3.105) - 2023-03-20
### Feature
- **general:** add flag to skip cert verification - [#4641](https://github.com/bridgecrewio/checkov/pull/4641)
- **secrets:** Override secrets validation flag with tenant config - [#4701](https://github.com/bridgecrewio/checkov/pull/4701)
## [2.3.102](https://github.com/bridgecrewio/checkov/compare/2.3.96...2.3.102) - 2023-03-19
### Feature
- **terraform:** AWS Ensure cloudfront has a default root - [#4673](https://github.com/bridgecrewio/checkov/pull/4673)
- **terraform:** AWS ensure secret rotation is less than 90 days - [#4672](https://github.com/bridgecrewio/checkov/pull/4672)
- **terraform:** AWS Secrets are rotated - [#4671](https://github.com/bridgecrewio/checkov/pull/4671)
- **terraform:** ensure DB snapshots aren't public - [#4667](https://github.com/bridgecrewio/checkov/pull/4667)
- **terraform:** ensure SSM docs are private - [#4668](https://github.com/bridgecrewio/checkov/pull/4668)
- **terraform:** lambda permission is not public - [#4666](https://github.com/bridgecrewio/checkov/pull/4666)
### Bug Fix
- **general:** Custom policies integration correct check IDs filtering - [#4700](https://github.com/bridgecrewio/checkov/pull/4700)
- **sca:** return empty result when using BC API key in IDE - [#4694](https://github.com/bridgecrewio/checkov/pull/4694)
- **terraform:** add extra handling around private GitHub Terraform modules - [#4699](https://github.com/bridgecrewio/checkov/pull/4699)
## [2.3.96](https://github.com/bridgecrewio/checkov/compare/2.3.95...2.3.96) - 2023-03-16
### Feature
- **ansible:** Ansible panos security policy checks - [#4639](https://github.com/bridgecrewio/checkov/pull/4639)
- **terraform:** s3 bucket has event notifications - [#4660](https://github.com/bridgecrewio/checkov/pull/4660)
- **terraform:** s3 ensure failed uploads are deleted id=300!!!! - [#4662](https://github.com/bridgecrewio/checkov/pull/4662)
### Bug Fix
- **gitlab:** index_out_of_range - [#4677](https://github.com/bridgecrewio/checkov/pull/4677)
- **terraform:** Revert "feat(terraform): support provider blocks yaml policy checks (… - [#4680](https://github.com/bridgecrewio/checkov/pull/4680)
## [2.3.95](https://github.com/bridgecrewio/checkov/compare/2.3.92...2.3.95) - 2023-03-15
### Feature
- **sca:** filter twistcli results with empty package name and version - [#4670](https://github.com/bridgecrewio/checkov/pull/4670)
- **terraform:** Support new TFParser in the local graph (under env var) - [#4664](https://github.com/bridgecrewio/checkov/pull/4664)
- **terraform:** support provider blocks yaml policy checks - [#4656](https://github.com/bridgecrewio/checkov/pull/4656)
## [2.3.92](https://github.com/bridgecrewio/checkov/compare/2.3.85...2.3.92) - 2023-03-14
### Feature
- **sca:** fix unexpected maven packageName - cycloneDX - [#4663](https://github.com/bridgecrewio/checkov/pull/4663)
- **sca:** skipping finding IsPrivateFixVersion by default - [#4648](https://github.com/bridgecrewio/checkov/pull/4648)
- **sca:** support inline CVE suppression in requirements.txt - [#4630](https://github.com/bridgecrewio/checkov/pull/4630)
- **secrets:** allow scanning just partial history of commits - [#4659](https://github.com/bridgecrewio/checkov/pull/4659)
- **terraform:** Refactor Module mapping objects - [#4661](https://github.com/bridgecrewio/checkov/pull/4661)
- **terraform:** s3 to have lifecycle policy - [#4658](https://github.com/bridgecrewio/checkov/pull/4658)
### Bug Fix
- **secrets:** fix git history partial scan - [#4665](https://github.com/bridgecrewio/checkov/pull/4665)
## [2.3.85](https://github.com/bridgecrewio/checkov/compare/2.3.79...2.3.85) - 2023-03-13
### Feature
- **secrets:** support git history scan in multiline parsers - [#4637](https://github.com/bridgecrewio/checkov/pull/4637)
- **terraform:** Definitions serialization with new definitions key/module objects - [#4655](https://github.com/bridgecrewio/checkov/pull/4655)
- **terraform:** support variable rendering for default objects in vars - [#4650](https://github.com/bridgecrewio/checkov/pull/4650)
### Bug Fix
- **arm:** Fix resource type check in SQLServerAuditingRetention90Days - [#4657](https://github.com/bridgecrewio/checkov/pull/4657)
- **general:** check suppression id instead of policy id - [#4646](https://github.com/bridgecrewio/checkov/pull/4646)
- **gitlab:** Modify GitLab CI resource ids - [#4647](https://github.com/bridgecrewio/checkov/pull/4647)
## [2.3.79](https://github.com/bridgecrewio/checkov/compare/2.3.75...2.3.79) - 2023-03-12
### Feature
- **terraform:** Fix for foreach subgraph rendering - [#4649](https://github.com/bridgecrewio/checkov/pull/4649)
- **terraform:** new checks on new resources - [#4491](https://github.com/bridgecrewio/checkov/pull/4491)
### Platform
- **general:** skip uploading repo for VSCode source - [#4643](https://github.com/bridgecrewio/checkov/pull/4643)
## [2.3.75](https://github.com/bridgecrewio/checkov/compare/2.3.71...2.3.75) - 2023-03-09
### Feature
- **general:** add Terraform JSON support - [#4626](https://github.com/bridgecrewio/checkov/pull/4626)
- **terraform:** Adding yaml based build time policies for corresponding PC runtime policies - [#4605](https://github.com/bridgecrewio/checkov/pull/4605)
### Bug Fix
- **arm:** ignore incomplete resource in ARM templates - [#4636](https://github.com/bridgecrewio/checkov/pull/4636)
- **terraform:** stop handling resource `for_each` as dynamic attribute - [#4632](https://github.com/bridgecrewio/checkov/pull/4632)
## [2.3.71](https://github.com/bridgecrewio/checkov/compare/2.3.70...2.3.71) - 2023-03-08
### Bug Fix
- **terraform:** v2 settings valid for windows and linux web apps - [#4628](https://github.com/bridgecrewio/checkov/pull/4628)
## [2.3.70](https://github.com/bridgecrewio/checkov/compare/2.3.66...2.3.70) - 2023-03-07
### Feature
- **ansible:** add Ansible check for CKV_PAN_4 for PAN-OS DSRI - [#4608](https://github.com/bridgecrewio/checkov/pull/4608)
- **dockerfile:** Add tdnf support for CKV2_DOCKER_9 - [#4620](https://github.com/bridgecrewio/checkov/pull/4620)
- **terraform:** Check added for AWS Database instance deletion protection - [#4616](https://github.com/bridgecrewio/checkov/pull/4616)
- **terraform:** CloudtrailEventDataStoreUsesCMK - [#4621](https://github.com/bridgecrewio/checkov/pull/4621)
### Bug Fix
- **bicep:** handle malformed files in bicep parser - [#4629](https://github.com/bridgecrewio/checkov/pull/4629)
- **cloudformation:** KMSKeyWildCardPrincipal modification - Check for wildcards inside of lists - [#4590](https://github.com/bridgecrewio/checkov/pull/4590)
- **terraform:** in sg rules ignore self referencing - [#4603](https://github.com/bridgecrewio/checkov/pull/4603)
## [2.3.66](https://github.com/bridgecrewio/checkov/compare/2.3.59...2.3.66) - 2023-03-06
### Feature
- **gitlab:** fix wrong resource in gitlab-ci - [#4610](https://github.com/bridgecrewio/checkov/pull/4610)
- **terraform:** Support the -1 protocol on SG checks - [#4611](https://github.com/bridgecrewio/checkov/pull/4611)
- **terraform:** TF Parser support of new modules keys - [#4601](https://github.com/bridgecrewio/checkov/pull/4601)
### Bug Fix
- **bicep:** extend CKV_AZURE_4 to consider omsAgent to be written in camelCase - [#4614](https://github.com/bridgecrewio/checkov/pull/4614)
- **general:** refactor SARIF output - [#4606](https://github.com/bridgecrewio/checkov/pull/4606)
- **general:** skip scanning invalid resources - [#4617](https://github.com/bridgecrewio/checkov/pull/4617)
- **sca:** Added an error log for Twistcli failures - [#4613](https://github.com/bridgecrewio/checkov/pull/4613)
- **terraform:** stop evaluating a string ... to the Ellipsis object - [#4623](https://github.com/bridgecrewio/checkov/pull/4623)
## [2.3.59](https://github.com/bridgecrewio/checkov/compare/2.3.57...2.3.59) - 2023-03-05
### Bug Fix
- **general:** do not stop getting fixes if one attempt results in a 403 - [#4607](https://github.com/bridgecrewio/checkov/pull/4607)
- **gha:** skip schema validity check if parsing returned None - [#4609](https://github.com/bridgecrewio/checkov/pull/4609)
- **secrets:** Adjust output to include the additional Git History info - [#4566](https://github.com/bridgecrewio/checkov/pull/4566)
## [2.3.57](https://github.com/bridgecrewio/checkov/compare/2.3.53...2.3.57) - 2023-03-02
### Feature
- **ansible:** Add checks for the ansible builtin dnf module - [#4570](https://github.com/bridgecrewio/checkov/pull/4570)
- **dockerfile:** Add new dockerfile checks - [#4569](https://github.com/bridgecrewio/checkov/pull/4569)
- **terraform:** Create a new TF parser - [#4584](https://github.com/bridgecrewio/checkov/pull/4584)
### Bug Fix
- **secrets:** only check secrets framework when scanning history - [#4592](https://github.com/bridgecrewio/checkov/pull/4592)
- **terraform:** AWS - there's a new sg vpc ingress rule - [#4575](https://github.com/bridgecrewio/checkov/pull/4575)
- **terraform:** Azurerm NSG UDP check should work for old style but still valid tf - [#4454](https://github.com/bridgecrewio/checkov/pull/4454)
## [2.3.53](https://github.com/bridgecrewio/checkov/compare/2.3.50...2.3.53) - 2023-03-01
### Feature
- **terraform:** Add foreach_attrs in saved graph - [#4587](https://github.com/bridgecrewio/checkov/pull/4587)
- **terraform:** Set foreach_attrs directly under the block - [#4586](https://github.com/bridgecrewio/checkov/pull/4586)
- **terraform:** TF foreach - Support updating each.value in nested dict - [#4588](https://github.com/bridgecrewio/checkov/pull/4588)
### Bug Fix
- **sca:** Set prisma token and scan packages by v2 for IDE scans - [#4580](https://github.com/bridgecrewio/checkov/pull/4580)
- **terraform:** fix CKV_AWS_70 test and add graph for coverage of data source - [#4542](https://github.com/bridgecrewio/checkov/pull/4542)
- **terraform:** TF foreach - Avoid rendering in static statements - [#4583](https://github.com/bridgecrewio/checkov/pull/4583)
### Documentation
- **ansible:** add Ansible policy docs generation - [#4582](https://github.com/bridgecrewio/checkov/pull/4582)
## [2.3.50](https://github.com/bridgecrewio/checkov/compare/2.3.48...2.3.50) - 2023-02-28
### Bug Fix
- **terraform:** add not exists conditional to CKV2_AWS_16 to account for defaults - [#4578](https://github.com/bridgecrewio/checkov/pull/4578)
## [2.3.48](https://github.com/bridgecrewio/checkov/compare/2.3.44...2.3.48) - 2023-02-27
### Feature
- **secrets:** track complete file deletion and renaming - [#4551](https://github.com/bridgecrewio/checkov/pull/4551)
- **terraform:** Adding yaml based build time policies for corresponding PC runtime policies - [#4529](https://github.com/bridgecrewio/checkov/pull/4529)
### Bug Fix
- **ansible:** support skip check for Ansible Python-based checks - [#4556](https://github.com/bridgecrewio/checkov/pull/4556)
- **terraform:** Handle unescaped lookup values - [#4565](https://github.com/bridgecrewio/checkov/pull/4565)
## [2.3.44](https://github.com/bridgecrewio/checkov/compare/2.3.39...2.3.44) - 2023-02-26
### Feature
- **dockerfile:** Add check for the environment variable NPM_CONFIG_STRICT_SSL - [#4553](https://github.com/bridgecrewio/checkov/pull/4553)
- **terraform:** TF Parser - Move funcs and consts to utils file - [#4550](https://github.com/bridgecrewio/checkov/pull/4550)
### Bug Fix
- **terraform_plan:** Fix tf plan nested modules - [#4562](https://github.com/bridgecrewio/checkov/pull/4562)
- **terraform:** fix for #4518 - [#4528](https://github.com/bridgecrewio/checkov/pull/4528)
- **terraform:** Move get_module back to parser - [#4560](https://github.com/bridgecrewio/checkov/pull/4560)
- **terraform:** remove dynamic warning exc_info - [#4563](https://github.com/bridgecrewio/checkov/pull/4563)
## [2.3.39](https://github.com/bridgecrewio/checkov/compare/2.3.36...2.3.39) - 2023-02-23
### Feature
- **dockerfile:** Add checks for disabling signature checks for apk, apt-get, rpm, yum, dnf - [#4404](https://github.com/bridgecrewio/checkov/pull/4404)
- **terraform:** New classes for the TF module model - [#4546](https://github.com/bridgecrewio/checkov/pull/4546)
### Bug Fix
- **gha:** Align GHA resource ids (Graph vs Python checks) - [#4549](https://github.com/bridgecrewio/checkov/pull/4549)
## [2.3.36](https://github.com/bridgecrewio/checkov/compare/2.3.33...2.3.36) - 2023-02-22
### Feature
- **arm:** add graph capabilities to ARM framework - [#4526](https://github.com/bridgecrewio/checkov/pull/4526)
- **secrets:** add timeout for scan history checks - [#4523](https://github.com/bridgecrewio/checkov/pull/4523)
- **secrets:** Support secret findings in git history - [#4525](https://github.com/bridgecrewio/checkov/pull/4525)
## [2.3.33](https://github.com/bridgecrewio/checkov/compare/2.3.29...2.3.33) - 2023-02-21
### Feature
- **gitlab:** fix gitlab ci yaml file processing - [#4536](https://github.com/bridgecrewio/checkov/pull/4536)
- **sca:** adding is_registry_url and printing in the cyclonedx only private registries urls - [#4533](https://github.com/bridgecrewio/checkov/pull/4533)
- **sca:** support also the key "registryUrl" when extracting registry_url for the report - [#4535](https://github.com/bridgecrewio/checkov/pull/4535)
### Bug Fix
- **terraform:** Optional module content path - [#4537](https://github.com/bridgecrewio/checkov/pull/4537)
## [2.3.29](https://github.com/bridgecrewio/checkov/compare/2.3.28...2.3.29) - 2023-02-20
### Bug Fix
- **cloudformation:** Update CKV_AWS_46 to handle base64 encoded userdata - [#4530](https://github.com/bridgecrewio/checkov/pull/4530)
## [2.3.28](https://github.com/bridgecrewio/checkov/compare/2.3.23...2.3.28) - 2023-02-19
### Feature
- **secrets:** add flag for scan secrets history - [#4513](https://github.com/bridgecrewio/checkov/pull/4513)
- **terraform:** Used parentheses in key for foreach attributes but not count - [#4520](https://github.com/bridgecrewio/checkov/pull/4520)
### Bug Fix
- **gha:** fix output flag for usage in checkov-action - [#4517](https://github.com/bridgecrewio/checkov/pull/4517)
- **terraform:** add datasource option for headers check - [#4496](https://github.com/bridgecrewio/checkov/pull/4496)
- **terraform:** optimize check CKV2_AWS_60 - [#4512](https://github.com/bridgecrewio/checkov/pull/4512)
### Platform
- **general:** Use new enforcement categories (#4456) - [#4519](https://github.com/bridgecrewio/checkov/pull/4519)
## [2.3.23](https://github.com/bridgecrewio/checkov/compare/2.3.22...2.3.23) - 2023-02-18
### Feature
- **ansible:** Add checks for the ansible builtin apt module - [#4500](https://github.com/bridgecrewio/checkov/pull/4500)
### Bug Fix
- **gha:** now looks for GHA on windows - [#4515](https://github.com/bridgecrewio/checkov/pull/4515)
## [2.3.22](https://github.com/bridgecrewio/checkov/compare/2.3.18...2.3.22) - 2023-02-16
### Feature
- **sca:** adding registry-url to the cyclonedx output report - [#4511](https://github.com/bridgecrewio/checkov/pull/4511)
- **secrets:** Add capability to iterate over git history - [#4469](https://github.com/bridgecrewio/checkov/pull/4469)
- **terraform:** Adding yaml based build time policies for corresponding PC run time policies - [#4425](https://github.com/bridgecrewio/checkov/pull/4425)
### Bug Fix
- **secrets:** import git - [#4514](https://github.com/bridgecrewio/checkov/pull/4514)
## [2.3.18](https://github.com/bridgecrewio/checkov/compare/2.3.14...2.3.18) - 2023-02-15
### Feature
- **sca:** add registry urls and description to the output report and to the csv report - [#4485](https://github.com/bridgecrewio/checkov/pull/4485)
### Bug Fix
- **ansible:** skip unsupported Ansible resources - [#4504](https://github.com/bridgecrewio/checkov/pull/4504)
- **terraform:** Fix an str split edge case in function - [#4507](https://github.com/bridgecrewio/checkov/pull/4507)
- **terraform:** fix enforcement rules mapping - [#4509](https://github.com/bridgecrewio/checkov/pull/4509)
## [2.3.14](https://github.com/bridgecrewio/checkov/compare/2.3.7...2.3.14) - 2023-02-14
### Feature
- **secrets:** log and filter potential uuid case - [#4486](https://github.com/bridgecrewio/checkov/pull/4486)
- **terraform:** Assign/override main vertices by the first new vertex. - [#4493](https://github.com/bridgecrewio/checkov/pull/4493)
- **terraform:** Support for loops in foreach statements - [#4483](https://github.com/bridgecrewio/checkov/pull/4483)
### Bug Fix
- **terraform:** Handle KeyError in hadle_for_loop func - [#4501](https://github.com/bridgecrewio/checkov/pull/4501)
- **terraform:** Handle type error in `_handle_for_loop_in_dict` - [#4495](https://github.com/bridgecrewio/checkov/pull/4495)
- **terraform:** skip loading module that calls to the same dir - [#4499](https://github.com/bridgecrewio/checkov/pull/4499)
### Platform
- **general:** Use new enforcement categories - [#4456](https://github.com/bridgecrewio/checkov/pull/4456)
### Documentation
- **general:** update installation on Alpine docs - [#4474](https://github.com/bridgecrewio/checkov/pull/4474)
## [2.3.7](https://github.com/bridgecrewio/checkov/compare/2.3.3...2.3.7) - 2023-02-13
### Feature
- **graph:** Add UT as an example of not-exists for the nested list. - [#4484](https://github.com/bridgecrewio/checkov/pull/4484)
- **secrets:** Save secrets line number - [#4488](https://github.com/bridgecrewio/checkov/pull/4488)
- **terraform:** AWS:check global DocDB cluster is encrypted - [#4405](https://github.com/bridgecrewio/checkov/pull/4405)
- **terraform:** check msk nodes are private - [#4392](https://github.com/bridgecrewio/checkov/pull/4392)
- **terraform:** support more json encoded objects as part of terraform resource and fix evaluation of true/false in json - [#4487](https://github.com/bridgecrewio/checkov/pull/4487)
### Bug Fix
- **ansible:** support nested blocks and empty module values - [#4479](https://github.com/bridgecrewio/checkov/pull/4479)
- **cloudformation:** Updated AWS_CKV_7 to not require rotation on asymmetric keys - [#4476](https://github.com/bridgecrewio/checkov/pull/4476)
## [2.3.3](https://github.com/bridgecrewio/checkov/compare/2.3.0...2.3.3) - 2023-02-09
### Feature
- **secrets:** limit multiline regex detector run - [#4453](https://github.com/bridgecrewio/checkov/pull/4453)
- **terraform:** Add foreach_attrs to config objects + UTs - [#4463](https://github.com/bridgecrewio/checkov/pull/4463)
- **terraform:** GCP: Ensure Basic role are not used at Org/Folder/Project level (CKV_GCP_115, CKV_GCP_116, CKV_GCP_117) - [#4390](https://github.com/bridgecrewio/checkov/pull/4390)
### Bug Fix
- **kustomize:** fix kustomize file path cli - [#4466](https://github.com/bridgecrewio/checkov/pull/4466)
- **terraform:** Allow different type of value in BaseResourceValueCheck - [#4470](https://github.com/bridgecrewio/checkov/pull/4470)
- **terraform:** deny statements with wildcards are valid - [#4440](https://github.com/bridgecrewio/checkov/pull/4440)
## [2.3.0](https://github.com/bridgecrewio/checkov/compare/2.2.356...2.3.0) - 2023-02-09
### Breaking Change
- **gha:** adjust the attribute reference for GitHub Actions graph checks - [#4445](https://github.com/bridgecrewio/checkov/pull/4445)
- **terraform:** enable nested modules by default - [#4448](https://github.com/bridgecrewio/checkov/pull/4448)
### Feature
- **general:** Create 3d combinations post runner - [#4353](https://github.com/bridgecrewio/checkov/pull/4353)
### Bug Fix
- **gha:** fix GHA _get_jobs edge case (string step) - [#4444](https://github.com/bridgecrewio/checkov/pull/4444)
- **graph:** added graph init to igraph db connector - [#4455](https://github.com/bridgecrewio/checkov/pull/4455)
## [2.2.356](https://github.com/bridgecrewio/checkov/compare/2.2.348...2.2.356) - 2023-02-08
### Feature
- **sca:** Add support for Dotnet files - [#4189](https://github.com/bridgecrewio/checkov/pull/4189)
- **terraform:** Create new resources for count/foreach resources - [#4427](https://github.com/bridgecrewio/checkov/pull/4427)
- **terraform:** extend CKV2_AWS_5 to support aws_ec2_spot_fleet_request - [#4438](https://github.com/bridgecrewio/checkov/pull/4438)
### Bug Fix
- **general:** Correct BigQueryDatasetEncryptedWithCMK name field - [#4443](https://github.com/bridgecrewio/checkov/pull/4443)
- **kubernetes:** Fix empty spec in k8s file - [#4452](https://github.com/bridgecrewio/checkov/pull/4452)
- **kustomize:** Fix kustomize cli file path - [#4447](https://github.com/bridgecrewio/checkov/pull/4447)
- **secrets:** remove CKV_SECRET_78 from SECRET_TYPE_TO_ID - [#4446](https://github.com/bridgecrewio/checkov/pull/4446)
- **terraform:** change module index separator in full path - [#4437](https://github.com/bridgecrewio/checkov/pull/4437)
## [2.2.348](https://github.com/bridgecrewio/checkov/compare/2.2.341...2.2.348) - 2023-02-07
### Feature
- **cloudformation:** support new default s3 encryption - [#4429](https://github.com/bridgecrewio/checkov/pull/4429)
- **graph:** added indices to igraph nodes - [#4433](https://github.com/bridgecrewio/checkov/pull/4433)
- **secrets:** Add args to analyze line is added and is removed for git history scan - [#4426](https://github.com/bridgecrewio/checkov/pull/4426)
### Bug Fix
- **secrets:** Comment out checkov multiline regex detectors - [#4441](https://github.com/bridgecrewio/checkov/pull/4441)
- **terraform:** Fix updating resource config - [#4432](https://github.com/bridgecrewio/checkov/pull/4432)
### Platform
- **secrets:** Add secrets custom regex on file - [#4430](https://github.com/bridgecrewio/checkov/pull/4430)
## [2.2.341](https://github.com/bridgecrewio/checkov/compare/2.2.335...2.2.341) - 2023-02-06
### Feature
- **ansible:** add support for Ansible blocks - [#4419](https://github.com/bridgecrewio/checkov/pull/4419)
- **general:** Control check failure logging level - [#4431](https://github.com/bridgecrewio/checkov/pull/4431)
- **graph:** add validation for graph checks - [#4352](https://github.com/bridgecrewio/checkov/pull/4352)
- **kubernetes:** support inline skips for Kubernetes graph checks - [#4412](https://github.com/bridgecrewio/checkov/pull/4412)
- **secrets:** remove secrets dependency in generic record - [#4424](https://github.com/bridgecrewio/checkov/pull/4424)
### Bug Fix
- **kustomize:** remove redundant error in kustomize runner - [#4428](https://github.com/bridgecrewio/checkov/pull/4428)
### Documentation
- **general:** fix graph check link in docs - [#4420](https://github.com/bridgecrewio/checkov/pull/4420)
## [2.2.335](https://github.com/bridgecrewio/checkov/compare/2.2.332...2.2.335) - 2023-02-05
### Feature
- **kustomize:** support kustomize v5 - [#4411](https://github.com/bridgecrewio/checkov/pull/4411)
- **terraform:** [Foreach/Count Handling] Render dynamic foreach/count statement - [#4398](https://github.com/bridgecrewio/checkov/pull/4398)
### Bug Fix
- **general:** Checks edge-cases fixes in terraform and openapi - [#4414](https://github.com/bridgecrewio/checkov/pull/4414)
- **general:** Skip resources with no 'Type' defined + Checks containing wildcards for resource types leads to crash - [#4408](https://github.com/bridgecrewio/checkov/pull/4408)
- **terraform:** fix getting the module for resource named 'module' - [#4418](https://github.com/bridgecrewio/checkov/pull/4418)
- **terraform:** retire CKV_AWS_128 in favour of CKV_AWS_162 - [#4350](https://github.com/bridgecrewio/checkov/pull/4350)
- **terraform:** SQS check was all types of wrong - [#4382](https://github.com/bridgecrewio/checkov/pull/4382)
## [2.2.332](https://github.com/bridgecrewio/checkov/compare/2.2.331...2.2.332) - 2023-02-04
### Bug Fix
- **cloudformation:** Don't fail Aurora instances for MultiAZ not being set - [#4316](https://github.com/bridgecrewio/checkov/pull/4316)
## [2.2.331](https://github.com/bridgecrewio/checkov/compare/2.2.330...2.2.331) - 2023-02-03
### Bug Fix
- **general:** fix compact json output - [#4406](https://github.com/bridgecrewio/checkov/pull/4406)
## [2.2.330](https://github.com/bridgecrewio/checkov/compare/2.2.327...2.2.330) - 2023-02-02
### Feature
- **sca:** Add a --support flag - [#4397](https://github.com/bridgecrewio/checkov/pull/4397)
- **sca:** Add a --support flag --revert - [#4396](https://github.com/bridgecrewio/checkov/pull/4396)
- **secrets:** add workdir info to secrets scanner - [#4400](https://github.com/bridgecrewio/checkov/pull/4400)
- **secrets:** extract new detector_utils file from entropy keyword combinator - [#4385](https://github.com/bridgecrewio/checkov/pull/4385)
### Bug Fix
- **general:** Remove empty links from GitLab SAST output - [#4393](https://github.com/bridgecrewio/checkov/pull/4393)
## [2.2.327](https://github.com/bridgecrewio/checkov/compare/2.2.320...2.2.327) - 2023-02-01
### Feature
- **gha:** add gha permissions lines - [#4372](https://github.com/bridgecrewio/checkov/pull/4372)
- **sca:** add extract nodes igraph - [#4359](https://github.com/bridgecrewio/checkov/pull/4359)
- **sca:** create bom report when extra_resources is not empty - [#4388](https://github.com/bridgecrewio/checkov/pull/4388)
- **secrets:** add support for runnable secrets plugins - [#4368](https://github.com/bridgecrewio/checkov/pull/4368)
- **terraform:** add CKV_GCP_114 to ensure that Public Access Prevention is enforced on GoogleCloudStorage bucket. - [#4347](https://github.com/bridgecrewio/checkov/pull/4347)
- **terraform:** Add cloudsplaining checks to tf aws_iam_policy CKV_AWS_287-290 - [#4386](https://github.com/bridgecrewio/checkov/pull/4386)
- **terraform:** get static foreach/count values of resources - [#4374](https://github.com/bridgecrewio/checkov/pull/4374)
## [2.2.320](https://github.com/bridgecrewio/checkov/compare/2.2.316...2.2.320) - 2023-01-31
### Feature
- **sca:** Add a --support flag - [#4323](https://github.com/bridgecrewio/checkov/pull/4323)
- **sca:** added extra supported package files to find_scannable_files - [#4378](https://github.com/bridgecrewio/checkov/pull/4378)
- **terraform:** add reset edges function to terraform local graph - [#4373](https://github.com/bridgecrewio/checkov/pull/4373)
- **terraform:** Added base class for cloudsplaining iam checks to be integrated between data and resource objects - [#4338](https://github.com/bridgecrewio/checkov/pull/4338)
- **terraform:** Added basic check with test for tf resource with IAM privilege escalation - [#4376](https://github.com/bridgecrewio/checkov/pull/4376)
### Bug Fix
- **cloudformation:** Skip SAM Global Tags propagation - [#4383](https://github.com/bridgecrewio/checkov/pull/4383)
- **sca:** extend image name validation - [#4377](https://github.com/bridgecrewio/checkov/pull/4377)
- **terraform:** simple check naming fix - [#4371](https://github.com/bridgecrewio/checkov/pull/4371)
## [2.2.316](https://github.com/bridgecrewio/checkov/compare/2.2.312...2.2.316) - 2023-01-30
### Feature
- **sca:** ignore package.json file when yarn.lock exists - [#4370](https://github.com/bridgecrewio/checkov/pull/4370)
- **terraform:** GCP check kms policy does not define public access - [#4190](https://github.com/bridgecrewio/checkov/pull/4190)
- **terraform:** GCP check policy isn't public - [#4194](https://github.com/bridgecrewio/checkov/pull/4194)
### Bug Fix
- **sca:** support BC_VUL_X IDs in GitLab SAST output - [#4360](https://github.com/bridgecrewio/checkov/pull/4360)
## [2.2.312](https://github.com/bridgecrewio/checkov/compare/2.2.305...2.2.312) - 2023-01-29
### Feature
- **azure:** fix container latest tag missing results - [#4337](https://github.com/bridgecrewio/checkov/pull/4337)
### Bug Fix
- **azure:** Add `.*.` in azure checks to check in lists as well - [#4355](https://github.com/bridgecrewio/checkov/pull/4355)
- **azure:** Azure checks fixes - [#4342](https://github.com/bridgecrewio/checkov/pull/4342)
- **azure:** Azure checks fixes - [#4354](https://github.com/bridgecrewio/checkov/pull/4354)
- **azure:** Support string function_app min_tls_version as well - [#4357](https://github.com/bridgecrewio/checkov/pull/4357)
- **kubernetes:** k8s checks fixes - [#4343](https://github.com/bridgecrewio/checkov/pull/4343)
- **sca:** Fix multiple issues related to IR - [#4358](https://github.com/bridgecrewio/checkov/pull/4358)
- **terraform:** Terraform checks fixes - [#4344](https://github.com/bridgecrewio/checkov/pull/4344)
## [2.2.305](https://github.com/bridgecrewio/checkov/compare/2.2.304...2.2.305) - 2023-01-28
### Feature
- **general:** Add GitLab SAST output - [#4315](https://github.com/bridgecrewio/checkov/pull/4315)
## [2.2.304](https://github.com/bridgecrewio/checkov/compare/2.2.302...2.2.304) - 2023-01-26
### Bug Fix
- **kubernetes:** skip extracting pods for custom resources - [#4334](https://github.com/bridgecrewio/checkov/pull/4334)
- **sca:** require requests 2.27.0 - [#4339](https://github.com/bridgecrewio/checkov/pull/4339)
### Documentation
- **general:** fix env var name to `CKV_IGNORE_HIDDEN_DIRECTORIES` - [#4335](https://github.com/bridgecrewio/checkov/pull/4335)
## [2.2.302](https://github.com/bridgecrewio/checkov/compare/2.2.299...2.2.302) - 2023-01-25
### Feature
- **general:** igraph library support - [#4327](https://github.com/bridgecrewio/checkov/pull/4327)
### Bug Fix
- **general:** add missing header in --list output - [#4329](https://github.com/bridgecrewio/checkov/pull/4329)
- **kubernetes:** extract pods only for supported resources - [#4330](https://github.com/bridgecrewio/checkov/pull/4330)
- **sca:** catch exceptional error during SCA results polling - [#4331](https://github.com/bridgecrewio/checkov/pull/4331)
- **terraform:** change terraform nested modules path separators - [#4319](https://github.com/bridgecrewio/checkov/pull/4319)
- **terraform:** handle unexpected container definition type - [#4328](https://github.com/bridgecrewio/checkov/pull/4328)
## [2.2.299](https://github.com/bridgecrewio/checkov/compare/2.2.292...2.2.299) - 2023-01-24
### Feature
- **azure:** change detect image source - [#4320](https://github.com/bridgecrewio/checkov/pull/4320)
- **general:** add empty azure image check - [#4308](https://github.com/bridgecrewio/checkov/pull/4308)
- **general:** add logs for async license and image retrieval - [#4317](https://github.com/bridgecrewio/checkov/pull/4317)
- **sca:** Support the new --image flag along the --docker-image flag - [#4314](https://github.com/bridgecrewio/checkov/pull/4314)
### Bug Fix
- **general:** ignore repo_id setting when list flag is set - [#4313](https://github.com/bridgecrewio/checkov/pull/4313)
- **kubernetes:** handle k8s resource with missing required data - [#4318](https://github.com/bridgecrewio/checkov/pull/4318)
- **secrets:** Change s3 path for enriched secrets upload - [#4275](https://github.com/bridgecrewio/checkov/pull/4275)
- **terraform:** handle unexpected container type - [#4311](https://github.com/bridgecrewio/checkov/pull/4311)
### Documentation
- **general:** Update README for supported Python versions - [#4305](https://github.com/bridgecrewio/checkov/pull/4305)
## [2.2.292](https://github.com/bridgecrewio/checkov/compare/2.2.289...2.2.292) - 2023-01-23
### Feature
- **terraform:** new app service checks for azurerm - [#4072](https://github.com/bridgecrewio/checkov/pull/4072)
### Bug Fix
- **general:** In case of a non-JSON response, log the response - [#4304](https://github.com/bridgecrewio/checkov/pull/4304)
- **terraform_plan:** fix in deep analysis - [#4306](https://github.com/bridgecrewio/checkov/pull/4306)
- **terraform:** fix default behaviour of CKV_GCP_19 - [#4289](https://github.com/bridgecrewio/checkov/pull/4289)
## [2.2.289](https://github.com/bridgecrewio/checkov/compare/2.2.281...2.2.289) - 2023-01-22
### Feature
- **general:** add Ansible framework - [#4244](https://github.com/bridgecrewio/checkov/pull/4244)
- **general:** Allow using `--repo-root-for-plan-enrichment` flag in GitHub Actions - [#4292](https://github.com/bridgecrewio/checkov/pull/4292)
- **secrets:** add new sanity test files for base64 entropy detector - [#4298](https://github.com/bridgecrewio/checkov/pull/4298)
- **terraform:** Adding yaml based build time policies for corresponding PC run time policies - [#4265](https://github.com/bridgecrewio/checkov/pull/4265)
### Bug Fix
- **sca:** fix dependency tree cli print - [#4282](https://github.com/bridgecrewio/checkov/pull/4282)
- **terraform:** fix Exception in image ref - [#4297](https://github.com/bridgecrewio/checkov/pull/4297)
- **terraform:** fix in variable rendering - [#4296](https://github.com/bridgecrewio/checkov/pull/4296)
- **terraform:** Fix policy str in graph checks - [#4286](https://github.com/bridgecrewio/checkov/pull/4286)
## [2.2.281](https://github.com/bridgecrewio/checkov/compare/2.2.278...2.2.281) - 2023-01-19
### Feature
- **general:** add Image referencer igraph support - [#4277](https://github.com/bridgecrewio/checkov/pull/4277)
- **general:** Support aiohttp for IR API calls - [#4274](https://github.com/bridgecrewio/checkov/pull/4274)
### Bug Fix
- **general:** Enable running cloned policies in case the OOTB policy is suppressed - [#4281](https://github.com/bridgecrewio/checkov/pull/4281)
- **secrets:** change default secret validation status to unavailable - [#4284](https://github.com/bridgecrewio/checkov/pull/4284)
- **terraform:** fix error for push_skipped_checks_down with definition that is not in the definition context - [#4272](https://github.com/bridgecrewio/checkov/pull/4272)
## [2.2.278](https://github.com/bridgecrewio/checkov/compare/2.2.274...2.2.278) - 2023-01-18
### Feature
- **azure:** Add image referencer in azure pipelines - [#4234](https://github.com/bridgecrewio/checkov/pull/4234)
- **gha:** fix yaml parsing of multi files - [#4270](https://github.com/bridgecrewio/checkov/pull/4270)
- **secrets:** fix to keyword combinator to reduce FPs - [#4260](https://github.com/bridgecrewio/checkov/pull/4260)
### Bug Fix
- **secrets:** add guideline and severity to custom secret check metadata - [#4276](https://github.com/bridgecrewio/checkov/pull/4276)
## [2.2.274](https://github.com/bridgecrewio/checkov/compare/2.2.271...2.2.274) - 2023-01-17
### Feature
- **gha:** fix failing image retrieval in GHA IR - [#4268](https://github.com/bridgecrewio/checkov/pull/4268)
### Bug Fix
- **cloudformation:** fix CloudFormation checks related to number values - [#4243](https://github.com/bridgecrewio/checkov/pull/4243)
- **general:** Add normalization to change the name of nuget to dotNet lang - [#4271](https://github.com/bridgecrewio/checkov/pull/4271)
## [2.2.271](https://github.com/bridgecrewio/checkov/compare/2.2.264...2.2.271) - 2023-01-16
### Feature
- **dockerfile:** Add checks for PYTHONHTTPSVERIFY and NODE_TLS_REJECT_UNAUTHORIZED - [#4223](https://github.com/bridgecrewio/checkov/pull/4223)
- **secrets:** Skip invalid secrets checks + soft/hard fails - [#4247](https://github.com/bridgecrewio/checkov/pull/4247)
- **terraform:** Azure search service checks - [#4064](https://github.com/bridgecrewio/checkov/pull/4064)
- **terraform:** GCP checks for definition of a firewall resource for a network - [#4188](https://github.com/bridgecrewio/checkov/pull/4188)
### Bug Fix
- **general:** Support encoding of function object - [#4259](https://github.com/bridgecrewio/checkov/pull/4259)
- **kubernetes:** handle missing subjects in k8s cluster role binding - [#4262](https://github.com/bridgecrewio/checkov/pull/4262)
- **kubernetes:** handle resources with incompatible selector - [#4257](https://github.com/bridgecrewio/checkov/pull/4257)
- **secrets:** Change secret validation status message - [#4250](https://github.com/bridgecrewio/checkov/pull/4250)
- **terraform:** default value for CKV_AZURE_5 - [#4237](https://github.com/bridgecrewio/checkov/pull/4237)
- **terraform:** fix get_current_module_index for path that contain .tf in them - [#4261](https://github.com/bridgecrewio/checkov/pull/4261)
## [2.2.264](https://github.com/bridgecrewio/checkov/compare/2.2.258...2.2.264) - 2023-01-15
### Feature
- **general:** fix circleci crash when cannot find image - [#4249](https://github.com/bridgecrewio/checkov/pull/4249)
- **general:** fix circleci yaml-doc - [#4246](https://github.com/bridgecrewio/checkov/pull/4246)
- **kubernetes:** set default k8s graph env vars to true - [#4225](https://github.com/bridgecrewio/checkov/pull/4225)
- **terraform:** Add new checks for ensuring execution history logging and Xray for State Machine is enabled - [#4240](https://github.com/bridgecrewio/checkov/pull/4240)
### Bug Fix
- **cloudformation:** Fix edge-cases in checks - [#4251](https://github.com/bridgecrewio/checkov/pull/4251)
- **kubernetes:** removed env vars from tests - [#4252](https://github.com/bridgecrewio/checkov/pull/4252)
- **secrets:** Change secret validation status message - [#4238](https://github.com/bridgecrewio/checkov/pull/4238)
- **secrets:** Revert "fix(secrets): Change secret validation status message" - [#4248](https://github.com/bridgecrewio/checkov/pull/4248)
## [2.2.258](https://github.com/bridgecrewio/checkov/compare/2.2.257...2.2.258) - 2023-01-12
### Feature
- **terraform:** PC-Policy-Team - GCP PostgreSQL Instance Database Policies - [#4090](https://github.com/bridgecrewio/checkov/pull/4090)
## [2.2.257](https://github.com/bridgecrewio/checkov/compare/2.2.254...2.2.257) - 2023-01-11
### Bug Fix
- **secrets:** Change verify secrets key to include relative path - [#4232](https://github.com/bridgecrewio/checkov/pull/4232)
- **terraform:** improve cross-variable edges performance - [#4231](https://github.com/bridgecrewio/checkov/pull/4231)
## [2.2.254](https://github.com/bridgecrewio/checkov/compare/2.2.252...2.2.254) - 2023-01-10
### Feature
- **general:** Add resource attributes to omit arg - [#4193](https://github.com/bridgecrewio/checkov/pull/4193)
- **terraform:** enable cross variable edges - [#4224](https://github.com/bridgecrewio/checkov/pull/4224)
### Bug Fix
- **secrets:** add function to add the custom policies to the metadata integration not in the multiprocess - [#4221](https://github.com/bridgecrewio/checkov/pull/4221)
## [2.2.252](https://github.com/bridgecrewio/checkov/compare/2.2.246...2.2.252) - 2023-01-09
### Feature
- **kubernetes:** support more types of k8s pod template containers - [#4208](https://github.com/bridgecrewio/checkov/pull/4208)
- **secrets:** Add secret validation status to reduced report - [#4219](https://github.com/bridgecrewio/checkov/pull/4219)
- **secrets:** fix unquoted secret value - [#4214](https://github.com/bridgecrewio/checkov/pull/4214)
- **terraform_plan:** support multiple references in one resource - [#4206](https://github.com/bridgecrewio/checkov/pull/4206)
### Bug Fix
- **kubernetes:** allow filtering of custom with built-in Kubernetes check IDs - [#4204](https://github.com/bridgecrewio/checkov/pull/4204)
- **secrets:** add long to see metadata_integration - [#4220](https://github.com/bridgecrewio/checkov/pull/4220)
- **terraform_plan:** fix module resources ids - [#4211](https://github.com/bridgecrewio/checkov/pull/4211)
## [2.2.246](https://github.com/bridgecrewio/checkov/compare/2.2.239...2.2.246) - 2023-01-08
### Feature
- **dockerfile:** Add checks for unsafe wget and pip usages - [#4202](https://github.com/bridgecrewio/checkov/pull/4202)
- **secrets:** Implement lower entropy threshold on a line with keyword - [#4210](https://github.com/bridgecrewio/checkov/pull/4210)
- **terraform:** add CKV2_AWS_51 to Ensure AWS Managed IAMFullAccess IAM policy is not used. - [#4174](https://github.com/bridgecrewio/checkov/pull/4174)
- **terraform:** CDN and service bus checks for azure - [#4059](https://github.com/bridgecrewio/checkov/pull/4059)
### Bug Fix
- **secrets:** add logs - [#4215](https://github.com/bridgecrewio/checkov/pull/4215)
- **secrets:** add logs to secrets - [#4213](https://github.com/bridgecrewio/checkov/pull/4213)
- **secrets:** Disable verify secrets if skip_download is specified - [#4209](https://github.com/bridgecrewio/checkov/pull/4209)
- **secrets:** fix relative file path in secrets saved to coordinator - [#4212](https://github.com/bridgecrewio/checkov/pull/4212)
## [2.2.239](https://github.com/bridgecrewio/checkov/compare/2.2.238...2.2.239) - 2023-01-06
### Bug Fix
- **general:** fix incorrect billing message when frameworks are removed from --framework list - [#4201](https://github.com/bridgecrewio/checkov/pull/4201)
## [2.2.238](https://github.com/bridgecrewio/checkov/compare/2.2.234...2.2.238) - 2023-01-05
### Feature
- **dockerfile:** Add check for unsafe curl usages - [#4186](https://github.com/bridgecrewio/checkov/pull/4186)
- **general:** add logic to vcs scanning to prevent empty repo collabs failing check - [#4199](https://github.com/bridgecrewio/checkov/pull/4199)
- **terraform:** Adding yaml based build time policies for corresponding PC run time policies - [#4113](https://github.com/bridgecrewio/checkov/pull/4113)
### Bug Fix
- **general:** handle variable dependent values in policy - [#4200](https://github.com/bridgecrewio/checkov/pull/4200)
- **secrets:** Fix api key condition in verify_secrets - [#4195](https://github.com/bridgecrewio/checkov/pull/4195)
- **secrets:** Remove raw string modifier from re.compile - [#4197](https://github.com/bridgecrewio/checkov/pull/4197)
## [2.2.234](https://github.com/bridgecrewio/checkov/compare/2.2.230...2.2.234) - 2023-01-04
### Feature
- **sca:** enable CHECKOV_RUN_SCA_PACKAGE_SCAN_V2 env var - [#4192](https://github.com/bridgecrewio/checkov/pull/4192)
- **secrets:** Call secrets verify API - [#4181](https://github.com/bridgecrewio/checkov/pull/4181)
### Bug Fix
- **general:** set newer jsonschema dependency bound - solves #2227 - [#4183](https://github.com/bridgecrewio/checkov/pull/4183)
- **general:** Update exclude-patterns.txt - [#4187](https://github.com/bridgecrewio/checkov/pull/4187)
### Documentation
- **general:** fix links in contributing docs - [#4184](https://github.com/bridgecrewio/checkov/pull/4184)
## [2.2.230](https://github.com/bridgecrewio/checkov/compare/2.2.229...2.2.230) - 2023-01-03
### Feature
- **general:** Skip check in json file - [#4172](https://github.com/bridgecrewio/checkov/pull/4172)
## [2.2.229](https://github.com/bridgecrewio/checkov/compare/2.2.220...2.2.229) - 2023-01-01
### Feature
- **gha:** add support for gha existing graph - [#4175](https://github.com/bridgecrewio/checkov/pull/4175)
- **secrets:** change secretsCoordinator to dict format - [#4169](https://github.com/bridgecrewio/checkov/pull/4169)
- **terraform:** added aws_ssoadmin_managed_policy_attachment resource to CKV_AWS_274 - [#4173](https://github.com/bridgecrewio/checkov/pull/4173)
### Bug Fix
- **general:** add link to BaseGraphRegistry checks - [#4177](https://github.com/bridgecrewio/checkov/pull/4177)
- **general:** change CODE_LINK_BASE from master to main - [#4178](https://github.com/bridgecrewio/checkov/pull/4178)
- **kubernetes:** remove unneeded context check - [#4171](https://github.com/bridgecrewio/checkov/pull/4171)
- **kustomize:** fixed kustomize abs_file_path - [#4159](https://github.com/bridgecrewio/checkov/pull/4159)
- **terraform:** out of range error by checking if list is empty - [#4176](https://github.com/bridgecrewio/checkov/pull/4176)
## [2.2.220](https://github.com/bridgecrewio/checkov/compare/2.2.217...2.2.220) - 2022-12-29
### Feature
- **sca:** remove report_results from checkov, as it is not used at all - [#4161](https://github.com/bridgecrewio/checkov/pull/4161)
### Bug Fix
- **general:** fix f-string log message - [#4170](https://github.com/bridgecrewio/checkov/pull/4170)
### Documentation
- **general:** fix reference link in Contributing docs page - [#4164](https://github.com/bridgecrewio/checkov/pull/4164)
## [2.2.217](https://github.com/bridgecrewio/checkov/compare/2.2.212...2.2.217) - 2022-12-28
### Feature
- **general:** Make code blocks for json check results focused on the relevant part - [#4130](https://github.com/bridgecrewio/checkov/pull/4130)
- **openapi:** Add v2 openAPI new checks - [#4112](https://github.com/bridgecrewio/checkov/pull/4112)
- **terraform:** new azure storage checks - [#4021](https://github.com/bridgecrewio/checkov/pull/4021)
### Bug Fix
- **github:** Handle entity configurations of type list - [#4160](https://github.com/bridgecrewio/checkov/pull/4160)
- **sca:** Fix extra space in output of dependencies - [#4162](https://github.com/bridgecrewio/checkov/pull/4162)
## [2.2.212](https://github.com/bridgecrewio/checkov/compare/2.2.207...2.2.212) - 2022-12-27
### Feature
- **azure:** Add check - azure keyvault public network access - [#4155](https://github.com/bridgecrewio/checkov/pull/4155)
### Bug Fix
- **terraform:** fix edge-case in CKV_AZURE_183 check - [#4154](https://github.com/bridgecrewio/checkov/pull/4154)
- **terraform:** fix graph checks nested modules - [#4157](https://github.com/bridgecrewio/checkov/pull/4157)
- **terraform:** fix or connection graph checks nested modules - [#4158](https://github.com/bridgecrewio/checkov/pull/4158)
## [2.2.207](https://github.com/bridgecrewio/checkov/compare/2.2.201...2.2.207) - 2022-12-26
### Feature
- **kubernetes:** Support graph edges for nested (related) Pod resources. - [#4100](https://github.com/bridgecrewio/checkov/pull/4100)
- **secrets:** Keep original secrets data in runtime for further validation - [#4144](https://github.com/bridgecrewio/checkov/pull/4144)
- **secrets:** Keep original secrets data in runtime for further validation - [#4149](https://github.com/bridgecrewio/checkov/pull/4149)
### Bug Fix
- **general:** fix excluded paths for path with special characters - [#4152](https://github.com/bridgecrewio/checkov/pull/4152)
- **terraform:** add test path to exclude-patterns - [#4150](https://github.com/bridgecrewio/checkov/pull/4150)
- **terraform:** fix edge-case in CKV_AZURE_37 check - [#4153](https://github.com/bridgecrewio/checkov/pull/4153)
- **terraform:** fix getting graph entity config in terraform runner - [#4146](https://github.com/bridgecrewio/checkov/pull/4146)
- **terraform:** remove redundant nested definitions - [#4147](https://github.com/bridgecrewio/checkov/pull/4147)
## [2.2.201](https://github.com/bridgecrewio/checkov/compare/2.2.199...2.2.201) - 2022-12-25
### Bug Fix
- **secrets:** add support to conditionQuery - [#4086](https://github.com/bridgecrewio/checkov/pull/4086)
- **terraform:** fix edge-case in CKV_AZURE_183 check - [#4145](https://github.com/bridgecrewio/checkov/pull/4145)
## [2.2.199](https://github.com/bridgecrewio/checkov/compare/2.2.191...2.2.199) - 2022-12-22
### Feature
- **gha:** support on directive in workflow files - [#4125](https://github.com/bridgecrewio/checkov/pull/4125)
- **sca:** run old package scanning for IDE scan - [#4133](https://github.com/bridgecrewio/checkov/pull/4133)
- **secrets:** expose maximum 6 characters of secret values - [#4140](https://github.com/bridgecrewio/checkov/pull/4140)
### Bug Fix
- **circleci:** add resource to ir - [#4135](https://github.com/bridgecrewio/checkov/pull/4135)
- **general:** Reformat PR template - [#4139](https://github.com/bridgecrewio/checkov/pull/4139)
- **kubernetes:** move Kubernetes context error message - [#4132](https://github.com/bridgecrewio/checkov/pull/4132)
- **terraform:** add aws_transfer_server to CKV2_AWS_5 check - [#4137](https://github.com/bridgecrewio/checkov/pull/4137)
- **terraform:** Add some more supported keys to bigquery public acl check ignore list to avoid false positive - [#3969](https://github.com/bridgecrewio/checkov/pull/3969)
- **terraform:** fix azure network address invalid value - [#4131](https://github.com/bridgecrewio/checkov/pull/4131)
## [2.2.191](https://github.com/bridgecrewio/checkov/compare/2.2.186...2.2.191) - 2022-12-21
### Feature
- **general:** add the stack trace to the error message when caught by main.py - [#4121](https://github.com/bridgecrewio/checkov/pull/4121)
- **sca:** add GCP Terraform resources for Image Referencer - [#4094](https://github.com/bridgecrewio/checkov/pull/4094)
- **sca:** protecting checkov with try/catch wrapping - [#4104](https://github.com/bridgecrewio/checkov/pull/4104)
### Bug Fix
- **kubernetes:** removed obsolete error logging - [#4126](https://github.com/bridgecrewio/checkov/pull/4126)
- **terraform:** fix azure dns invalid ip - [#4128](https://github.com/bridgecrewio/checkov/pull/4128)
## [2.2.186](https://github.com/bridgecrewio/checkov/compare/2.2.180...2.2.186) - 2022-12-20
### Feature
- **general:** move the jsonpath try/catch up a level to catch more errors - [#3911](https://github.com/bridgecrewio/checkov/pull/3911)
- **sca:** returning exit code 2 in case of error for downloading twistcli - [#4105](https://github.com/bridgecrewio/checkov/pull/4105)
### Bug Fix
- **dockerfile:** adjust the file abs path for Dockerfile graph results - [#4118](https://github.com/bridgecrewio/checkov/pull/4118)
- **openapi:** fix an open API CKV_OPENAPI_6 check - [#4109](https://github.com/bridgecrewio/checkov/pull/4109)
- **sca:** fixing integration tests - [#4117](https://github.com/bridgecrewio/checkov/pull/4117)
- **terraform_plan:** use abs path for repo_root_for_plan_enrichment - [#4115](https://github.com/bridgecrewio/checkov/pull/4115)
- **terraform:** CKV2_AZURE_21 changed blob access type to private - [#3898](https://github.com/bridgecrewio/checkov/pull/3898)
- **terraform:** fix support for getting module-referenced resources context - [#4110](https://github.com/bridgecrewio/checkov/pull/4110)
### Platform
- **terraform:** add previous get_tf_definition_key function - [#4114](https://github.com/bridgecrewio/checkov/pull/4114)
## [2.2.180](https://github.com/bridgecrewio/checkov/compare/2.2.172...2.2.180) - 2022-12-19
### Feature
- **general:** Use --no-fail-on-crash to gracefully exit commit_repository and setup_bridgecrew_credentials - [#4099](https://github.com/bridgecrewio/checkov/pull/4099)
- **terraform_plan:** add check details to TF plan scan results - [#4091](https://github.com/bridgecrewio/checkov/pull/4091)
- **terraform:** new azurerm checks - App config - [#3988](https://github.com/bridgecrewio/checkov/pull/3988)
- **terraform:** Omit values from graph checks - [#4076](https://github.com/bridgecrewio/checkov/pull/4076)
### Bug Fix
- **general:** change env var name for no-fail-on-crash flag - [#4107](https://github.com/bridgecrewio/checkov/pull/4107)
- **github:** Fix GHA IR resource names in case of 2 identical images - [#4108](https://github.com/bridgecrewio/checkov/pull/4108)
- **terraform:** azurerm storage defaults - fix for storage case #3516 - [#4083](https://github.com/bridgecrewio/checkov/pull/4083)
- **terraform:** fix nested module resources ids in the report - [#4098](https://github.com/bridgecrewio/checkov/pull/4098)
## [2.2.172](https://github.com/bridgecrewio/checkov/compare/2.2.168...2.2.172) - 2022-12-18
### Feature
- **general:** Add no-fail-on-crash flag - [#4097](https://github.com/bridgecrewio/checkov/pull/4097)
- **gha:** add fix for gha graphs and UT - [#4084](https://github.com/bridgecrewio/checkov/pull/4084)
- **kubernetes:** inject k8s FF flags to instance instead of constructor - [#4096](https://github.com/bridgecrewio/checkov/pull/4096)
### Bug Fix
- **terraform:** add a method to get the entity definition path from the entity itself - [#4095](https://github.com/bridgecrewio/checkov/pull/4095)
- **terraform:** add address attribute to all scanned terraform blocks - [#4074](https://github.com/bridgecrewio/checkov/pull/4074)
## [2.2.168](https://github.com/bridgecrewio/checkov/compare/2.2.158...2.2.168) - 2022-12-15
### Feature
- **kubernetes:** Add kubernetes YAML checks to checkov packaging - [#4073](https://github.com/bridgecrewio/checkov/pull/4073)
- **kubernetes:** move whorf to dedicated repo - [#4062](https://github.com/bridgecrewio/checkov/pull/4062)
- **terraform_plan:** add Image Referencer for Terraform plan files - [#4063](https://github.com/bridgecrewio/checkov/pull/4063)
- **terraform:** add CKV NCP rules about AutoScalingGroup, Load Balancer - [#3821](https://github.com/bridgecrewio/checkov/pull/3821)
- **terraform:** add CKV NCP rules about Nat Gateways and Route - [#3854](https://github.com/bridgecrewio/checkov/pull/3854)
- **terraform:** combine tf plan and tf graphs for nested modules - [#4066](https://github.com/bridgecrewio/checkov/pull/4066)
- **terraform:** More azurerm checks for terraform - [#3970](https://github.com/bridgecrewio/checkov/pull/3970)
### Bug Fix
- **openapi:** Fix in PathSchemeDefineHTTP openAPI check - [#4079](https://github.com/bridgecrewio/checkov/pull/4079)
- **terraform:** CKV_AZURE_43 add new test case - [#4082](https://github.com/bridgecrewio/checkov/pull/4082)
## [2.2.158](https://github.com/bridgecrewio/checkov/compare/2.2.155...2.2.158) - 2022-12-14
### Feature
- **github:** more CIS checks - part 3 - [#4057](https://github.com/bridgecrewio/checkov/pull/4057)
- **terraform:** Adding yaml based build time policies for corresponding PC run time policies - [#3962](https://github.com/bridgecrewio/checkov/pull/3962)
### Bug Fix
- **secrets:** fix secrets crash when secret is non string - [#4077](https://github.com/bridgecrewio/checkov/pull/4077)
## [2.2.155](https://github.com/bridgecrewio/checkov/compare/2.2.148...2.2.155) - 2022-12-13
### Feature
- **github:** more CIS checks - part 2 - [#4017](https://github.com/bridgecrewio/checkov/pull/4017)
- **kubernetes:** added CKV2_K8S_EXAMPLE_1 only in tests as an example for k8s graph check for pod which is publicly accessible - [#4060](https://github.com/bridgecrewio/checkov/pull/4060)
- **kubernetes:** added deployment name to pod resource id - [#4040](https://github.com/bridgecrewio/checkov/pull/4040)
- **sca:** fix root packages fixed version - [#4070](https://github.com/bridgecrewio/checkov/pull/4070)
### Bug Fix
- **sca:** invoke packaging.Version instead of parse - [#4065](https://github.com/bridgecrewio/checkov/pull/4065)
- **secrets:** fix error when secret is None - [#4071](https://github.com/bridgecrewio/checkov/pull/4071)
- **terraform:** checkov fix as resource container_group modified - [#4061](https://github.com/bridgecrewio/checkov/pull/4061)
- **terraform:** fixed unexpected data for IAMPublicActionsPolicy - [#4067](https://github.com/bridgecrewio/checkov/pull/4067)
- **terraform:** fixed unexpected data for MonitorLogProfileRetentionDays - [#4068](https://github.com/bridgecrewio/checkov/pull/4068)
### Platform
- **general:** Apply licensing from platform - [#3961](https://github.com/bridgecrewio/checkov/pull/3961)
## [2.2.148](https://github.com/bridgecrewio/checkov/compare/2.2.139...2.2.148) - 2022-12-12
### Feature
- **gha:** Add gha graph infra - [#4058](https://github.com/bridgecrewio/checkov/pull/4058)
- **gha:** add infra for gha graphs - [#4052](https://github.com/bridgecrewio/checkov/pull/4052)
- **sca:** fixed dependencies default value - [#4056](https://github.com/bridgecrewio/checkov/pull/4056)
- **sca:** added indirect cves fix versions - [#4023](https://github.com/bridgecrewio/checkov/pull/4023)
- **secrets:** Inject secrets omitter to runner registry - [#4054](https://github.com/bridgecrewio/checkov/pull/4054)
- **terraform_plan:** support jsonpath queries in AWS IAM policy strings for Terraform plan - [#4033](https://github.com/bridgecrewio/checkov/pull/4033)
- **terraform:** Extend secret attributes to omit mapping - [#4028](https://github.com/bridgecrewio/checkov/pull/4028)
- **terraform:** tf plan combine graphs pass params - [#4051](https://github.com/bridgecrewio/checkov/pull/4051)
### Bug Fix
- **terraform:** add missing resource aws_route53_resolver_endpoint #3968 - [#3995](https://github.com/bridgecrewio/checkov/pull/3995)
- **terraform:** fix getting local dest module path - [#4055](https://github.com/bridgecrewio/checkov/pull/4055)
- **terraform:** Fix some errors in Dynamic Blocks rendering - [#4050](https://github.com/bridgecrewio/checkov/pull/4050)
## [2.2.139](https://github.com/bridgecrewio/checkov/compare/2.2.130...2.2.139) - 2022-12-11
### Feature
- **graph:** Added `not_within` attribute solver for graph checks - [#4041](https://github.com/bridgecrewio/checkov/pull/4041)
- **kubernetes:** Add CKV2_K8S_2 graph check for potential privilege escalation in `nodes/proxy` or `pods/exec` with `create` permissions - [#4034](https://github.com/bridgecrewio/checkov/pull/4034)
- **kubernetes:** Add CKV2_K8S_3 no `impersonate` permissions for `ServiceAccount/Node` - [#4037](https://github.com/bridgecrewio/checkov/pull/4037)
- **kubernetes:** Added CKV2_K8S_4 check to not allow modifying of services/status - [#4038](https://github.com/bridgecrewio/checkov/pull/4038)
- **kubernetes:** Added CKV2_K8S_5 check that no service account or node can read all secrets - [#4042](https://github.com/bridgecrewio/checkov/pull/4042)
- **secrets:** Accepting json reports from bucket in secrets_omitter - [#4039](https://github.com/bridgecrewio/checkov/pull/4039)
- **terraform:** add CKV NCP rules about Route Table Association - [#3856](https://github.com/bridgecrewio/checkov/pull/3856)
### Bug Fix
- **kubernetes:** Corrected list format for yaml files in new k8s graph check tests - [#4035](https://github.com/bridgecrewio/checkov/pull/4035)
- **secrets:** custom secret add support for value str and not only list - [#4024](https://github.com/bridgecrewio/checkov/pull/4024)
- **terraform:** Fix in dot separator in the dynamic argument - [#4036](https://github.com/bridgecrewio/checkov/pull/4036)
## [2.2.130](https://github.com/bridgecrewio/checkov/compare/2.2.124...2.2.130) - 2022-12-08
### Feature
- **general:** Apply policy-level suppressions as skipped checks - [#4020](https://github.com/bridgecrewio/checkov/pull/4020)
- **github:** Add 3 CIS checks: 1.1.3, 1.1.8, 1.1.10 - [#4003](https://github.com/bridgecrewio/checkov/pull/4003)
- **kubernetes:** Added CKV2_K8S_1 to ensure RoleBinding do not allow privilege escalation to a ServiceAccount/Node - [#4004](https://github.com/bridgecrewio/checkov/pull/4004)
- **secrets:** Omit secrets from reports based on secrets reports - [#3991](https://github.com/bridgecrewio/checkov/pull/3991)
- **secrets:** Omit secrets from reports based on secrets reports - [#4015](https://github.com/bridgecrewio/checkov/pull/4015)
### Bug Fix
- **github:** remove secrets from schema example - [#4019](https://github.com/bridgecrewio/checkov/pull/4019)
- **terraform:** fix resource block address - [#4018](https://github.com/bridgecrewio/checkov/pull/4018)
## [2.2.124](https://github.com/bridgecrewio/checkov/compare/2.2.116...2.2.124) - 2022-12-07
### Feature
- **sca:** change sca packages output to include dependencies structure - [#3957](https://github.com/bridgecrewio/checkov/pull/3957)
- **secrets:** Adding check length for secret - [#3985](https://github.com/bridgecrewio/checkov/pull/3985)
- **terraform:** nested modules support in graph - [#3935](https://github.com/bridgecrewio/checkov/pull/3935)
### Bug Fix
- **circleci:** fix executors in resource_id - [#4008](https://github.com/bridgecrewio/checkov/pull/4008)
- **secrets:** Bump detect secrets version - [#3997](https://github.com/bridgecrewio/checkov/pull/3997)
- **terraform:** Fix an issue in dynamic blocks - [#4006](https://github.com/bridgecrewio/checkov/pull/4006)
- **terraform:** fix CKV_AWS_283 check - [#4005](https://github.com/bridgecrewio/checkov/pull/4005)
- **terraform:** Fix CKV_AZURE_168 check - [#4000](https://github.com/bridgecrewio/checkov/pull/4000)
- **terraform:** Fix some issues in dynamic blocks flow - [#4002](https://github.com/bridgecrewio/checkov/pull/4002)
- **terraform:** Fix TF checks crashes - [#3992](https://github.com/bridgecrewio/checkov/pull/3992)
## [2.2.116](https://github.com/bridgecrewio/checkov/compare/2.2.114...2.2.116) - 2022-12-06
### Feature
- **general:** Report failed attempts at reporting contributor metrics - [#3984](https://github.com/bridgecrewio/checkov/pull/3984)
- **kubernetes:** create simple resources id for pods; allow enabling k8s graph features using env vars - [#3975](https://github.com/bridgecrewio/checkov/pull/3975)
- **terraform:** check for insecure protocols - [#3958](https://github.com/bridgecrewio/checkov/pull/3958)
- **terraform:** Check resource-based policies for public access - [#3989](https://github.com/bridgecrewio/checkov/pull/3989)
- **terraform:** Dynamic Blocks support for loop in for_each attribute - [#3982](https://github.com/bridgecrewio/checkov/pull/3982)
- **terraform:** new aks checks for Azure - [#3951](https://github.com/bridgecrewio/checkov/pull/3951)
### Bug Fix
- **dockerfile:** fix Dockerfile inline skip handling - [#3976](https://github.com/bridgecrewio/checkov/pull/3976)
- **secrets:** fix_Record_code_block_secrets - [#3987](https://github.com/bridgecrewio/checkov/pull/3987)
- **terraform:** azurerm kusto cluster encryption - wrong attribute tested for - [#3972](https://github.com/bridgecrewio/checkov/pull/3972)
## [2.2.114](https://github.com/bridgecrewio/checkov/compare/2.2.112...2.2.114) - 2022-12-04
### Feature
- **terraform:** add CKV NCP rules about ncloud access control group rule - [#3860](https://github.com/bridgecrewio/checkov/pull/3860)
### Bug Fix
- **secrets:** fix Issue with 'NoneType' error in the custom detectors load_detectors - [#3973](https://github.com/bridgecrewio/checkov/pull/3973)
### Platform
- **terraform:** remove redundant exc_info for module without source - [#3974](https://github.com/bridgecrewio/checkov/pull/3974)
## [2.2.112](https://github.com/bridgecrewio/checkov/compare/2.2.106...2.2.112) - 2022-12-01
### Feature
- **dockerfile:** add graph to Dockerfile - [#3948](https://github.com/bridgecrewio/checkov/pull/3948)
- **terraform:** add CKV NCP rules about access control group Inbound rule. - [#3859](https://github.com/bridgecrewio/checkov/pull/3859)
- **terraform:** Implement relative file path standard for tf plan file runs - [#3918](https://github.com/bridgecrewio/checkov/pull/3918)
### Bug Fix
- **general:** fix doc links on windows - [#3959](https://github.com/bridgecrewio/checkov/pull/3959)
- **secrets:** Fix omitting of secrets that are json encoded - [#3964](https://github.com/bridgecrewio/checkov/pull/3964)
- **terraform_plan:** Fix k8s checks edge cases for terraform plan - [#3966](https://github.com/bridgecrewio/checkov/pull/3966)
- **terraform:** OCI Security Group Control Problem - [#3933](https://github.com/bridgecrewio/checkov/pull/3933)
### Platform
- **secrets:** remove the use of enable_secret_scan_all_files for custom secrets - [#3954](https://github.com/bridgecrewio/checkov/pull/3954)
### Documentation
- **terraform:** update Terraform modules docs - [#3965](https://github.com/bridgecrewio/checkov/pull/3965)
## [2.2.106](https://github.com/bridgecrewio/checkov/compare/2.2.105...2.2.106) - 2022-11-30
- no noteworthy changes
## [2.2.105](https://github.com/bridgecrewio/checkov/compare/2.2.99...2.2.105) - 2022-11-29
### Feature
- **terraform:** add CKV NCP rules about Load Balancer Listener Using HTTPS - [#3858](https://github.com/bridgecrewio/checkov/pull/3858)
- **terraform:** add CKV NCP rules about server instance and public IP - [#3857](https://github.com/bridgecrewio/checkov/pull/3857)
- **terraform:** azurerm ACR check for retention policy - [#3927](https://github.com/bridgecrewio/checkov/pull/3927)
## [2.2.99](https://github.com/bridgecrewio/checkov/compare/2.2.96...2.2.99) - 2022-11-27
### Feature
- **github:** add CIS checks part 1. Most of the 1.1.x - [#3937](https://github.com/bridgecrewio/checkov/pull/3937)
- **terraform:** Azure ACR Enable Image Quarantine - [#3925](https://github.com/bridgecrewio/checkov/pull/3925)
- **terraform:** Azure use signed image in ACR - [#3923](https://github.com/bridgecrewio/checkov/pull/3923)
### Bug Fix
- **bicep:** ignore unresolvable properties for Bicep storage account checks - [#3946](https://github.com/bridgecrewio/checkov/pull/3946)
- **gha:** added test for step with no step name - [#3945](https://github.com/bridgecrewio/checkov/pull/3945)
## [2.2.96](https://github.com/bridgecrewio/checkov/compare/2.2.95...2.2.96) - 2022-11-26
- no noteworthy changes
## [2.2.95](https://github.com/bridgecrewio/checkov/compare/2.2.86...2.2.95) - 2022-11-24
### Feature
- **circleci:** add check for detecting images without check resource - [#3930](https://github.com/bridgecrewio/checkov/pull/3930)
- **terraform:** ACR container scanning - [#3922](https://github.com/bridgecrewio/checkov/pull/3922)
- **terraform:** add CKV NCP check about NKS(kubernetes) logging - [#3855](https://github.com/bridgecrewio/checkov/pull/3855)
- **terraform:** Adding yaml based build time policies for corresponding PC run time policies - [#3900](https://github.com/bridgecrewio/checkov/pull/3900)
### Bug Fix
- **general:** update checks_metadata structure - [#3929](https://github.com/bridgecrewio/checkov/pull/3929)
- **gha:** and circleci resource names - [#3914](https://github.com/bridgecrewio/checkov/pull/3914)
- **kubernetes:** Handle invalid helm chart meta - [#3939](https://github.com/bridgecrewio/checkov/pull/3939)
- **sca:** fix related resource id for helm and kustomize - [#3931](https://github.com/bridgecrewio/checkov/pull/3931)
- **terraform:** better check names to avoid confusion - addresses #3912 - [#3921](https://github.com/bridgecrewio/checkov/pull/3921)
- **terraform:** CKV_AZURE_144 passes on defaults - [#3938](https://github.com/bridgecrewio/checkov/pull/3938)
- **terraform:** Removed duplicate check CKV_AZURE_60 - [#3928](https://github.com/bridgecrewio/checkov/pull/3928)
### Platform
- **secrets:** Support custom detectors from the platform - [#3926](https://github.com/bridgecrewio/checkov/pull/3926)
## [2.2.86](https://github.com/bridgecrewio/checkov/compare/2.2.84...2.2.86) - 2022-11-23
### Feature
- **terraform:** add CKV_AWS_282 to ensure that Redshift Serverless namespace is encrypted by KMS - [#3915](https://github.com/bridgecrewio/checkov/pull/3915)
### Bug Fix
- **terraform:** Remove cross variables edges duplications - [#3920](https://github.com/bridgecrewio/checkov/pull/3920)
## [2.2.84](https://github.com/bridgecrewio/checkov/compare/2.2.80...2.2.84) - 2022-11-22
### Feature
- **general:** sign and push checkov image to GitHub registry - [#3906](https://github.com/bridgecrewio/checkov/pull/3906)
- **secrets:** Add Terraform multiline secrets handling - [#3907](https://github.com/bridgecrewio/checkov/pull/3907)
- **terraform:** ensure snapshots use encryption - [#3899](https://github.com/bridgecrewio/checkov/pull/3899)
- **terraform:** support cross-modules edges - [#3909](https://github.com/bridgecrewio/checkov/pull/3909)
## [2.2.80](https://github.com/bridgecrewio/checkov/compare/2.2.78...2.2.80) - 2022-11-21
### Feature
- **terraform:** add nested module address attribute - [#3904](https://github.com/bridgecrewio/checkov/pull/3904)
## [2.2.78](https://github.com/bridgecrewio/checkov/compare/2.2.75...2.2.78) - 2022-11-20
### Feature
- **general:** add output format cyclonedx_json - [#3902](https://github.com/bridgecrewio/checkov/pull/3902)
- **general:** add source to contributor metrics report - [#3905](https://github.com/bridgecrewio/checkov/pull/3905)
### Bug Fix
- **terraform:** Fix an edge case in AbsRDSParameter check - [#3903](https://github.com/bridgecrewio/checkov/pull/3903)
## [2.2.75](https://github.com/bridgecrewio/checkov/compare/2.2.72...2.2.75) - 2022-11-17
### Feature
- **github:** add output-file-path flag to checkov-action - [#3897](https://github.com/bridgecrewio/checkov/pull/3897)
### Bug Fix
- **terraform:** Dynamic blocks - added support for lookup null/true/false values - [#3893](https://github.com/bridgecrewio/checkov/pull/3893)
### Platform
- **sca:** added dependency tree format - [#3892](https://github.com/bridgecrewio/checkov/pull/3892)
## [2.2.72](https://github.com/bridgecrewio/checkov/compare/2.2.65...2.2.72) - 2022-11-16
### Feature
- **terraform:** add CKV NCP rules about NKSPublicAccess - [#3822](https://github.com/bridgecrewio/checkov/pull/3822)
- **terraform:** Censor secrets from tfplan graph - [#3894](https://github.com/bridgecrewio/checkov/pull/3894)
- **terraform:** create cross-variable edges between resources from the same module - [#3881](https://github.com/bridgecrewio/checkov/pull/3881)
### Bug Fix
- **general:** remove filter value validation - [#3896](https://github.com/bridgecrewio/checkov/pull/3896)
- **terraform:** Fix dynamic blocks nested module - [#3890](https://github.com/bridgecrewio/checkov/pull/3890)
- **terraform:** handle empty enabled_cluster_log_types list - [#3891](https://github.com/bridgecrewio/checkov/pull/3891)
### Platform
- **sca:** add scaCliScanId parameter - [#3789](https://github.com/bridgecrewio/checkov/pull/3789)
## [2.2.65](https://github.com/bridgecrewio/checkov/compare/2.2.58...2.2.65) - 2022-11-15
### Feature
- **terraform:** test checks for any port access - [#3882](https://github.com/bridgecrewio/checkov/pull/3882)
### Bug Fix
- **terraform:** Fixing some broken flow in dynamic blocks rendering - [#3879](https://github.com/bridgecrewio/checkov/pull/3879)
- **terraform:** Not adding dynamic blocks attributes to attributes - [#3872](https://github.com/bridgecrewio/checkov/pull/3872)
### Platform
- **general:** Support s3 client config for govcloud - [#3880](https://github.com/bridgecrewio/checkov/pull/3880)
- **sca:** Add repoId to GET request - [#3876](https://github.com/bridgecrewio/checkov/pull/3876)
- **sca:** Fix bom report - [#3867](https://github.com/bridgecrewio/checkov/pull/3867)
- **sca:** Poll sca scan results using Polling API - [#3841](https://github.com/bridgecrewio/checkov/pull/3841)
- **sca:** remove src from repo path - [#3884](https://github.com/bridgecrewio/checkov/pull/3884)
## [2.2.58](https://github.com/bridgecrewio/checkov/compare/2.2.50...2.2.58) - 2022-11-14
### Feature
- **general:** number of words larger/less than or equal operators - [#3827](https://github.com/bridgecrewio/checkov/pull/3827)
- **general:** remove env var for running contributor metrics report and add logs - [#3873](https://github.com/bridgecrewio/checkov/pull/3873)
- **terraform:** add CKV NCP rules about Load Balancer Exposed to Internet - [#3819](https://github.com/bridgecrewio/checkov/pull/3819)
- **terraform:** Mask secret values in Terraform plan file reports by resource - [#3868](https://github.com/bridgecrewio/checkov/pull/3868)
- **terraform:** Support dynamic blocks with nested attributes - [#3869](https://github.com/bridgecrewio/checkov/pull/3869)
### Bug Fix
- **general:** Fixed operator name for number_of_words_derivaties - [#3875](https://github.com/bridgecrewio/checkov/pull/3875)
- **terraform:** Fix dynamic attributes override each other - [#3866](https://github.com/bridgecrewio/checkov/pull/3866)
## [2.2.50](https://github.com/bridgecrewio/checkov/compare/2.2.44...2.2.50) - 2022-11-13
### Feature
- **general:** add reporting contributor metrics - [#3823](https://github.com/bridgecrewio/checkov/pull/3823)
- **terraform:** add CKV NCP rules about access key hard coding - [#3820](https://github.com/bridgecrewio/checkov/pull/3820)
- **terraform:** NSGRulePortAccessRestricted - Remove the condition for dynamic blocks - [#3862](https://github.com/bridgecrewio/checkov/pull/3862)
### Bug Fix
- **kubernetes:** handle empty spec object in k8s templates - [#3865](https://github.com/bridgecrewio/checkov/pull/3865)
- **openapi:** fixed error in invalid openapi template - [#3863](https://github.com/bridgecrewio/checkov/pull/3863)
- **terraform:** app_service Upgrade tests and add web app resources - [#3838](https://github.com/bridgecrewio/checkov/pull/3838)
- **terraform:** Handled nested unrendered vars - [#3853](https://github.com/bridgecrewio/checkov/pull/3853)
## [2.2.44](https://github.com/bridgecrewio/checkov/compare/2.2.43...2.2.44) - 2022-11-11
### Bug Fix
- **terraform:** fix an issue with dynamics replacing a whole block - [#3846](https://github.com/bridgecrewio/checkov/pull/3846)
## [2.2.43](https://github.com/bridgecrewio/checkov/compare/2.2.38...2.2.43) - 2022-11-10
### Feature
- **terraform:** Wrap render dynamic blocks flow with try except - [#3837](https://github.com/bridgecrewio/checkov/pull/3837)
### Bug Fix
- **bicep:** make ARM AKS checks compatible with Bicep - [#3836](https://github.com/bridgecrewio/checkov/pull/3836)
- **cloudformation:** only parse valid tag key-pairs in CloudFormation - [#3835](https://github.com/bridgecrewio/checkov/pull/3835)
- **general:** Clear details before next check run to avoid duplications in output - [#3711](https://github.com/bridgecrewio/checkov/pull/3711)
## [2.2.38](https://github.com/bridgecrewio/checkov/compare/2.2.35...2.2.38) - 2022-11-09
### Feature
- **secrets:** add abstract multiline parser + implement multiline json parser - [#3799](https://github.com/bridgecrewio/checkov/pull/3799)
- **terraform:** Support for nested dynamic modules - [#3813](https://github.com/bridgecrewio/checkov/pull/3813)
### Bug Fix
- **kubernetes:** fixed unexpected list object - [#3833](https://github.com/bridgecrewio/checkov/pull/3833)
## [2.2.35](https://github.com/bridgecrewio/checkov/compare/2.2.31...2.2.35) - 2022-11-08
### Feature
- **general:** Added Number of Words operator - [#3801](https://github.com/bridgecrewio/checkov/pull/3801)
- **terraform:** add CKV NCP rules about LBTargetGroupUsingHTTPS - [#3797](https://github.com/bridgecrewio/checkov/pull/3797)
- **terraform:** add CKV NCP rules about NASEncrytionEnabled - [#3796](https://github.com/bridgecrewio/checkov/pull/3796)
- **terraform:** Add Env Var for rendering Dynamic Blocks - [#3816](https://github.com/bridgecrewio/checkov/pull/3816)
- **terraform:** Dynamic blocks breadcrumbs support - [#3814](https://github.com/bridgecrewio/checkov/pull/3814)
- **terraform:** PC Policy Team Yaml Policies Check-in - [#3785](https://github.com/bridgecrewio/checkov/pull/3785)
- **terraform:** PC-Policy-Team: Ensure GCP compute firewall ingress does not allow unrestricted access to all ports - [#3786](https://github.com/bridgecrewio/checkov/pull/3786)
### Platform
- **sca:** Run package scan using API - [#3812](https://github.com/bridgecrewio/checkov/pull/3812)
## [2.2.31](https://github.com/bridgecrewio/checkov/compare/2.2.22...2.2.31) - 2022-11-07
### Feature
- **azure:** Add get resource names for azure_pipelines - [#3798](https://github.com/bridgecrewio/checkov/pull/3798)
- **github:** add graph to GitHub Actions - [#3672](https://github.com/bridgecrewio/checkov/pull/3672)
- **terraform:** add CKV NCP rules about LBListenerUsesSecureProtocols - [#3782](https://github.com/bridgecrewio/checkov/pull/3782)
- **terraform:** Dynamic Modules Support map type - [#3800](https://github.com/bridgecrewio/checkov/pull/3800)
- **terraform:** include pods of kubernetes_deployment in kubernetes_pod checks (1/4) - [#3691](https://github.com/bridgecrewio/checkov/pull/3691)
- **terraform:** include pods of kubernetes_deployment in kubernetes_pod checks (2/4) - [#3702](https://github.com/bridgecrewio/checkov/pull/3702)
- **terraform:** include pods of kubernetes_deployment in kubernetes_pod checks (3/4) - [#3703](https://github.com/bridgecrewio/checkov/pull/3703)
- **terraform:** include pods of kubernetes_deployment in kubernetes_pod checks (4/4) - [#3738](https://github.com/bridgecrewio/checkov/pull/3738)
### Bug Fix
- **arm:** CKV_AZURE_9 & CKV_AZURE_10 - Scan fails if protocol value is a wildcard - [#3750](https://github.com/bridgecrewio/checkov/pull/3750)
- **azure:** Remove redundant file path from resource name in azure pipelines - [#3818](https://github.com/bridgecrewio/checkov/pull/3818)
- **secrets:** fix slow secrets scan in yaml files - [#3803](https://github.com/bridgecrewio/checkov/pull/3803)
- **secrets:** fixed path of secrets tests to exclude - [#3817](https://github.com/bridgecrewio/checkov/pull/3817)
- **terraform:** fix gke resource name not string - [#3811](https://github.com/bridgecrewio/checkov/pull/3811)
### Platform
- **general:** rationalize policy metadata error handling behavior - [#3795](https://github.com/bridgecrewio/checkov/pull/3795)
- **sca:** add new sca package scan - [#3802](https://github.com/bridgecrewio/checkov/pull/3802)
- **sca:** Extract checkov check links - [#3790](https://github.com/bridgecrewio/checkov/pull/3790)
## [2.2.22](https://github.com/bridgecrewio/checkov/compare/2.2.21...2.2.22) - 2022-11-06
### Feature
- **kubernetes:** Create keyword and network policy edge builders - [#3763](https://github.com/bridgecrewio/checkov/pull/3763)
## [2.2.21](https://github.com/bridgecrewio/checkov/compare/2.2.17...2.2.21) - 2022-11-03
### Feature
- **general:** add range_includes and inverted operator - [#3752](https://github.com/bridgecrewio/checkov/pull/3752)
- **secrets:** Add multiline detection to entropy keyword combinator - [#3788](https://github.com/bridgecrewio/checkov/pull/3788)
### Bug Fix
- **terraform:** render list entries via modules correctly - [#3781](https://github.com/bridgecrewio/checkov/pull/3781)
## [2.2.17](https://github.com/bridgecrewio/checkov/compare/2.2.15...2.2.17) - 2022-11-02
### Feature
- **terraform:** Add CKV_AWS_276 to ensure that API Gateway Method Settings data_trace_enabled is not set to True - [#3761](https://github.com/bridgecrewio/checkov/pull/3761)
### Bug Fix
- **terraform:** Fix `related_resource_id` for ImageReferencer in `external_module` - [#3780](https://github.com/bridgecrewio/checkov/pull/3780)
### Documentation
- **general:** Fix typo in docs - [#3694](https://github.com/bridgecrewio/checkov/pull/3694)
## [2.2.15](https://github.com/bridgecrewio/checkov/compare/2.2.8...2.2.15) - 2022-10-31
### Feature
- **github:** split repo and org webhooks to separate files - [#3764](https://github.com/bridgecrewio/checkov/pull/3764)
- **gitlab:** Adding image detection check to gitlab ci - [#3774](https://github.com/bridgecrewio/checkov/pull/3774)
- **openapi:** pre-validate OpenAPI JSON files - [#3760](https://github.com/bridgecrewio/checkov/pull/3760)
### Bug Fix
- **azure:** Support .yaml extension - [#3767](https://github.com/bridgecrewio/checkov/pull/3767)
- **github:** print the result again in GHA - [#3751](https://github.com/bridgecrewio/checkov/pull/3751)
- **terraform:** reduce parsing time for large TF plan files - [#3757](https://github.com/bridgecrewio/checkov/pull/3757)
## [2.2.8](https://github.com/bridgecrewio/checkov/compare/2.2.5...2.2.8) - 2022-10-30
### Feature
- **terraform:** add CKV2_AWS_40 to Ensure AWS IAM policy does not allow full IAM privileges - [#3712](https://github.com/bridgecrewio/checkov/pull/3712)
### Platform
- **general:** Get resources from platform and filter taggable resources for policies - [#3621](https://github.com/bridgecrewio/checkov/pull/3621)
## [2.2.5](https://github.com/bridgecrewio/checkov/compare/2.2.0...2.2.5) - 2022-10-27
### Feature
- **graph:** add support for modules in graph checks - [#3635](https://github.com/bridgecrewio/checkov/pull/3635)
- **terraform:** add CKV NCP rules about Network ACL. - [#3668](https://github.com/bridgecrewio/checkov/pull/3668)
- **terraform:** TF Dynamic Blocks support - `for_each` lists type - [#3737](https://github.com/bridgecrewio/checkov/pull/3737)
### Bug Fix
- **terraform:** fix a TF plan issue with CKV_AWS_274 - [#3747](https://github.com/bridgecrewio/checkov/pull/3747)
- **terraform:** fix false positive for write ACL yaml check - [#3745](https://github.com/bridgecrewio/checkov/pull/3745)
### Documentation
- **general:** Update Jenkins page to use Checkov image - [#3725](https://github.com/bridgecrewio/checkov/pull/3725)
## [2.2.0](https://github.com/bridgecrewio/checkov/compare/2.1.294...2.2.0) - 2022-10-26
### Breaking Change
- **github:** Change github_failed_only output suffix to .md - [#3595](https://github.com/bridgecrewio/checkov/pull/3595)
- **terraform:** adjust the check result return for dependent variables to unknown in Python based checks - [#3743](https://github.com/bridgecrewio/checkov/pull/3743)
- **terraform:** return UNKNOWN for unrendered values in graph checks - [#3689](https://github.com/bridgecrewio/checkov/pull/3689)
### Feature
- **terraform:** add CKV NCP rule about block storage encryption. - [#3628](https://github.com/bridgecrewio/checkov/pull/3628)
- **terraform:** add CKV NCP rule about vpc volume encryption. - [#3629](https://github.com/bridgecrewio/checkov/pull/3629)
- **terraform:** add CKV NCP rules about Network ACL. - [#3630](https://github.com/bridgecrewio/checkov/pull/3630)
- **terraform:** Create checks for aws managed admin policy - [#3741](https://github.com/bridgecrewio/checkov/pull/3741)
### Bug Fix
- **terraform:** local_authentication_disabled - cosmodb check to look at SQL Api only CKV_AZURE_140 - [#3648](https://github.com/bridgecrewio/checkov/pull/3648)
## [2.1.294](https://github.com/bridgecrewio/checkov/compare/2.1.290...2.1.294) - 2022-10-25
### Feature
- **kubernetes:** Create label selector edge builder - [#3715](https://github.com/bridgecrewio/checkov/pull/3715)
- **terraform:** add CKV NCP rules about access control group Inbound rule. - [#3627](https://github.com/bridgecrewio/checkov/pull/3627)
- **terraform:** add versioned kubernetes resources to terraform kubernetes checks (5/5) - [#3657](https://github.com/bridgecrewio/checkov/pull/3657)
### Bug Fix
- **general:** skip scanning VCS configuration if only files are passed in - [#3729](https://github.com/bridgecrewio/checkov/pull/3729)
## [2.1.290](https://github.com/bridgecrewio/checkov/compare/2.1.288...2.1.290) - 2022-10-24
### Feature
- **circleci:** CircleCI Image Reference using Mixin class - [#3707](https://github.com/bridgecrewio/checkov/pull/3707)
### Bug Fix
- **kubernetes:** fix in CPURequests check - [#3727](https://github.com/bridgecrewio/checkov/pull/3727)
## [2.1.288](https://github.com/bridgecrewio/checkov/compare/2.1.286...2.1.288) - 2022-10-24
### Bug Fix
- **github:** fix GITHUB_OUTPUT and GITHUB_ENV issues of checkov-action - [#3726](https://github.com/bridgecrewio/checkov/pull/3726)
- **gitlab:** Modify gitlab ci resource id - [#3706](https://github.com/bridgecrewio/checkov/pull/3706)
## [2.1.286](https://github.com/bridgecrewio/checkov/compare/2.1.282...2.1.286) - 2022-10-23
### Feature
- **graph:** equals/not_equals_ignore_case operators (solvers) - [#3698](https://github.com/bridgecrewio/checkov/pull/3698)
### Bug Fix
- **github:** Fix GHA off value error resulting in checkov hanging - [#3713](https://github.com/bridgecrewio/checkov/pull/3713)
- **gitlab:** vcs gitlab groups retrieval - [#3716](https://github.com/bridgecrewio/checkov/pull/3716)
- **kubernetes:** fix in ServiceAccountTokens check - [#3717](https://github.com/bridgecrewio/checkov/pull/3717)
- **terraform:** Add debug logs to yaml parsing logic - [#3718](https://github.com/bridgecrewio/checkov/pull/3718)
## [2.1.282](https://github.com/bridgecrewio/checkov/compare/2.1.277...2.1.282) - 2022-10-20
### Bug Fix
- **general:** Custom Policies integration must run before Suppression integration - [#3701](https://github.com/bridgecrewio/checkov/pull/3701)
- **terraform:** Add or condition for TLS 1.3 policy, supporting CKV_AWS_103 - [#3700](https://github.com/bridgecrewio/checkov/pull/3700)
- **terraform:** Fix TF AbsGoogleComputeFirewallUnrestrictedIngress check - [#3704](https://github.com/bridgecrewio/checkov/pull/3704)
## [2.1.277](https://github.com/bridgecrewio/checkov/compare/2.1.273...2.1.277) - 2022-10-19
### Feature
- **terraform:** add CKV NCP rules about access control group outbound rule. - [#3624](https://github.com/bridgecrewio/checkov/pull/3624)
- **terraform:** add versioned kubernetes resources to terraform kubernetes checks (2/5) - [#3654](https://github.com/bridgecrewio/checkov/pull/3654)
- **terraform:** add versioned kubernetes resources to terraform kubernetes checks (3/5) - [#3655](https://github.com/bridgecrewio/checkov/pull/3655)
- **terraform:** add versioned kubernetes resources to terraform kubernetes checks (4/5) - [#3656](https://github.com/bridgecrewio/checkov/pull/3656)
### Bug Fix
- **cloudformation:** Fix ALBListenerTLS12 check - [#3697](https://github.com/bridgecrewio/checkov/pull/3697)
- **helm:** undo file_abs_path manipulation for helm files - [#3692](https://github.com/bridgecrewio/checkov/pull/3692)
- **kubernetes:** Couple of fixes in Checks - [#3686](https://github.com/bridgecrewio/checkov/pull/3686)
- **terraform:** Fix CloudArmorWAFACLCVE202144228 check - [#3696](https://github.com/bridgecrewio/checkov/pull/3696)
## [2.1.273](https://github.com/bridgecrewio/checkov/compare/2.1.270...2.1.273) - 2022-10-18
### Feature
- **kustomize:** stop kustomize run, if there is nothing to process - [#3681](https://github.com/bridgecrewio/checkov/pull/3681)
- **sca:** Enable multiple image referencer framework results in the same scan - [#3652](https://github.com/bridgecrewio/checkov/pull/3652)
- **terraform:** add versioned kubernetes resources to terraform kubernetes checks (1/5) - [#3653](https://github.com/bridgecrewio/checkov/pull/3653)
### Documentation
- **general:** Fix broken links - [#3685](https://github.com/bridgecrewio/checkov/pull/3685)
## [2.1.270](https://github.com/bridgecrewio/checkov/compare/2.1.269...2.1.270) - 2022-10-13
### Bug Fix
- **terraform:** Outdated check for google_container_cluster binary authorization - [#3612](https://github.com/bridgecrewio/checkov/pull/3612)
## [2.1.269](https://github.com/bridgecrewio/checkov/compare/2.1.266...2.1.269) - 2022-10-12
### Feature
- **terraform:** Added new Terraform-AWS python IAMUserNotUsedForAccess(CKV_AWS_273) policy - [#3574](https://github.com/bridgecrewio/checkov/pull/3574)
### Bug Fix
- **argo:** only scan Argo Workflows files - [#3644](https://github.com/bridgecrewio/checkov/pull/3644)
- **kubernetes:** minor fix for getting entity type from template - [#3645](https://github.com/bridgecrewio/checkov/pull/3645)
- **kustomize:** add --client=true to kubectl version command, to prevent checkov waiting for timeout if cluster is unreachable - [#3641](https://github.com/bridgecrewio/checkov/pull/3641)
- **terraform:** update CKV_AWS_213 to also cover AWS predefined security policies - [#3615](https://github.com/bridgecrewio/checkov/pull/3615)
## [2.1.266](https://github.com/bridgecrewio/checkov/compare/2.1.258...2.1.266) - 2022-10-11
### Feature
- **general:** add Azure Pipelines framework - [#3579](https://github.com/bridgecrewio/checkov/pull/3579)
### Bug Fix
- **dockerfile:** handle quoted absolute path in CKV_DOCKER_10 - [#3626](https://github.com/bridgecrewio/checkov/pull/3626)
- **kubernetes:** handled missing field secretKeyRef in template - [#3639](https://github.com/bridgecrewio/checkov/pull/3639)
- **kubernetes:** handled missing key in k8s templates - [#3640](https://github.com/bridgecrewio/checkov/pull/3640)
- **terraform:** extend CKV2_AWS_15 to support aws_lb_target_group - [#3617](https://github.com/bridgecrewio/checkov/pull/3617)
- **terraform:** handle unexpected value for enabled_cloudwatch_logs_exports - [#3638](https://github.com/bridgecrewio/checkov/pull/3638)
## [2.1.258](https://github.com/bridgecrewio/checkov/compare/2.1.255...2.1.258) - 2022-10-06
### Feature
- **dockerfile:** add Image Referencer for Dockerfile - [#3571](https://github.com/bridgecrewio/checkov/pull/3571)
### Bug Fix
- **cloudformation:** Fixed unexpected null properties for LaunchConfigurationEBSEncryption - [#3620](https://github.com/bridgecrewio/checkov/pull/3620)
## [2.1.255](https://github.com/bridgecrewio/checkov/compare/2.1.254...2.1.255) - 2022-10-04
### Feature
- **general:** allow file destination mapping via output-file-path flag - [#3593](https://github.com/bridgecrewio/checkov/pull/3593)
## [2.1.254](https://github.com/bridgecrewio/checkov/compare/2.1.247...2.1.254) - 2022-10-03
### Feature
- **github:** GHA Image Referencer using IR Mixin class - [#3583](https://github.com/bridgecrewio/checkov/pull/3583)
- **graph:** add support for guideline field to custom graph checks - [#3600](https://github.com/bridgecrewio/checkov/pull/3600)
- **sca:** Add root path references to shorten file paths in Image Referencer results - [#3609](https://github.com/bridgecrewio/checkov/pull/3609)
- **sca:** support Image referencer in CLI - [#3601](https://github.com/bridgecrewio/checkov/pull/3601)
### Bug Fix
- **github:** bug fixes in CKV_GITHUB_6, CKV_GITHUB_7, CKV_GITHUB_9 - [#3605](https://github.com/bridgecrewio/checkov/pull/3605)
- **github:** Fix resource id and file path for GHA IR - [#3610](https://github.com/bridgecrewio/checkov/pull/3610)
- **terraform:** extend check for google cloud functions 2nd generation - [#3607](https://github.com/bridgecrewio/checkov/pull/3607)
- **terraform:** fix port is bool ingress rule - [#3606](https://github.com/bridgecrewio/checkov/pull/3606)
## [2.1.247](https://github.com/bridgecrewio/checkov/compare/2.1.242...2.1.247) - 2022-10-02
### Feature
- **general:** added cli argument for extra resources in report - [#3588](https://github.com/bridgecrewio/checkov/pull/3588)
- **serverless:** added extra resources for serverless and dockerfile - [#3576](https://github.com/bridgecrewio/checkov/pull/3576)
- **terraform:** add CKV_NCP_1 about lb target group health check, CKV_NCP_2 about access control group description - [#3569](https://github.com/bridgecrewio/checkov/pull/3569)
### Bug Fix
- **cloudformation:** fix lc ebs encryption - [#3598](https://github.com/bridgecrewio/checkov/pull/3598)
- **github:** changed the schema to accept no description for org - [#3589](https://github.com/bridgecrewio/checkov/pull/3589)
- **secrets:** Skip secrets from files encoded with special codecs - [#3597](https://github.com/bridgecrewio/checkov/pull/3597)
## [2.1.242](https://github.com/bridgecrewio/checkov/compare/2.1.236...2.1.242) - 2022-09-29
### Breaking Change
- **general:** switch from black-list to block-list - [#3581](https://github.com/bridgecrewio/checkov/pull/3581)
### Feature
- **kubernetes:** added resources mappings for roles objects - [#3582](https://github.com/bridgecrewio/checkov/pull/3582)
### Bug Fix
- **github:** fix variables initialization - [#3585](https://github.com/bridgecrewio/checkov/pull/3585)
- **kubernetes:** Handle templates without name for PeerClientCertAuthTrue check - [#3577](https://github.com/bridgecrewio/checkov/pull/3577)
- **openapi:** fix openapi schema bug - [#3587](https://github.com/bridgecrewio/checkov/pull/3587)
- **sca:** fix CycloneDX output for Docker images - [#3586](https://github.com/bridgecrewio/checkov/pull/3586)
- **secrets:** change entropy limit in Combinator plugin - [#3575](https://github.com/bridgecrewio/checkov/pull/3575)
- **terraform:** fix external modules ids in graph report - [#3584](https://github.com/bridgecrewio/checkov/pull/3584)
- **terraform:** Handle malformed database_flags for GCP DB checks - [#3578](https://github.com/bridgecrewio/checkov/pull/3578)
## [2.1.236](https://github.com/bridgecrewio/checkov/compare/2.1.229...2.1.236) - 2022-09-28
### Feature
- **general:** Add enforcement rules to entrypoint.sh - [#3573](https://github.com/bridgecrewio/checkov/pull/3573)
- **openapi:** add CKV_OPENAPI_7 to ensure http is not used in path definition - [#3547](https://github.com/bridgecrewio/checkov/pull/3547)
- **sca:** add Image Referencer for Kubernetes, Helm and Kustomize - [#3505](https://github.com/bridgecrewio/checkov/pull/3505)
- **terraform:** add CKV_AWS_272 to validate Lambda function code-signing - [#3556](https://github.com/bridgecrewio/checkov/pull/3556)
- **terraform:** add new gcp postgresql checks - [#3532](https://github.com/bridgecrewio/checkov/pull/3532)
- **terraform:** allow resources without values in TF plan - [#3563](https://github.com/bridgecrewio/checkov/pull/3563)
## [2.1.229](https://github.com/bridgecrewio/checkov/compare/2.1.228...2.1.229) - 2022-09-27
### Bug Fix
- **kubernetes:** [CKV_K8S_68] Remove unnecessary condition check from ApiServerAnonymousAuth.py - [#3543](https://github.com/bridgecrewio/checkov/pull/3543)
## [2.1.228](https://github.com/bridgecrewio/checkov/compare/2.1.227...2.1.228) - 2022-09-26
### Bug Fix
- **general:** use current branch name instead of master for the checkov-action - [#3568](https://github.com/bridgecrewio/checkov/pull/3568)
## [2.1.227](https://github.com/bridgecrewio/checkov/compare/2.1.226...2.1.227) - 2022-09-23
### Documentation
- **general:** Multi skip docs - [#3561](https://github.com/bridgecrewio/checkov/pull/3561)
## [2.1.226](https://github.com/bridgecrewio/checkov/compare/2.1.223...2.1.226) - 2022-09-22
### Feature
- **gitlab:** GitlabCI ImageReferencer - [#3544](https://github.com/bridgecrewio/checkov/pull/3544)
### Bug Fix
- **secrets:** Bump bc-detect-secrets - [#3555](https://github.com/bridgecrewio/checkov/pull/3555)
- **terraform:** fix check CKV2_AZURE_8 - [#3554](https://github.com/bridgecrewio/checkov/pull/3554)
### Documentation
- **general:** Fix TOC rendering issue on checkov.io - [#3551](https://github.com/bridgecrewio/checkov/pull/3551)
## [2.1.223](https://github.com/bridgecrewio/checkov/compare/2.1.219...2.1.223) - 2022-09-21
### Feature
- **general:** Improve ComplexSolver run time - [#3548](https://github.com/bridgecrewio/checkov/pull/3548)
- **kubernetes:** create complex k8s vertices - [#3549](https://github.com/bridgecrewio/checkov/pull/3549)
### Bug Fix
- **general:** only add `helpUri` to SARIF if it is non-empty - [#3542](https://github.com/bridgecrewio/checkov/pull/3542)
- **kubernetes:** [CKV_K8S_140] Update ApiServerTlsCertAndKey.py to check RHS values - [#3506](https://github.com/bridgecrewio/checkov/pull/3506)
- **kubernetes:** [CKV_K8S_90] Remove unnecessary condition check from ApiServerProfiling.py - [#3541](https://github.com/bridgecrewio/checkov/pull/3541)
## [2.1.219](https://github.com/bridgecrewio/checkov/compare/2.1.214...2.1.219) - 2022-09-20
### Feature
- **cloudformation:** add CKV_AWS_197 for CFN - [#3536](https://github.com/bridgecrewio/checkov/pull/3536)
- **sca:** Split `PRESENT_CACHED_RESULTS` env var to 2 feature flag like vars - [#3518](https://github.com/bridgecrewio/checkov/pull/3518)
### Bug Fix
- **general:** handle fixes for cloned OOTB policies - [#3535](https://github.com/bridgecrewio/checkov/pull/3535)
- **helm:** fix helm signal abort handler - [#3539](https://github.com/bridgecrewio/checkov/pull/3539)
- **terraform:** APIGatewayAuthorization check missing authorization - [#3545](https://github.com/bridgecrewio/checkov/pull/3545)
- **terraform:** fix tfvars rendering - [#3533](https://github.com/bridgecrewio/checkov/pull/3533)
## [2.1.214](https://github.com/bridgecrewio/checkov/compare/2.1.212...2.1.214) - 2022-09-19
### Feature
- **general:** leverage SARIF helpUri for guideline and SCA link - [#3492](https://github.com/bridgecrewio/checkov/pull/3492)
- **github:** Improving GHA schema validation - [#3513](https://github.com/bridgecrewio/checkov/pull/3513)
- **kubernetes:** added base class K8SEdgeBuilder - [#3530](https://github.com/bridgecrewio/checkov/pull/3530)
- **terraform:** GCP Cloud functions should not be public - [#3477](https://github.com/bridgecrewio/checkov/pull/3477)
### Bug Fix
- **github:** add missing schema files to distribution package - [#3537](https://github.com/bridgecrewio/checkov/pull/3537)
- **sca:** changes on cve suppressions to match package and image scan - [#3502](https://github.com/bridgecrewio/checkov/pull/3502)
- **sca:** send exception log when exceeded retries - [#3534](https://github.com/bridgecrewio/checkov/pull/3534)
- **terraform:** make test case insensitive for CKV_ALI_35,CKV_ALI_36,CKV_ALI_37 - [#3507](https://github.com/bridgecrewio/checkov/pull/3507)
- **terraform:** do not evaluate OCI policy statements - [#3411](https://github.com/bridgecrewio/checkov/pull/3411)
## [2.1.212](https://github.com/bridgecrewio/checkov/compare/2.1.210...2.1.212) - 2022-09-18
### Bug Fix
- **helm:** helm add timeout to dependencies command - [#3525](https://github.com/bridgecrewio/checkov/pull/3525)
- **helm:** Helm fix logs - [#3524](https://github.com/bridgecrewio/checkov/pull/3524)
## [2.1.210](https://github.com/bridgecrewio/checkov/compare/2.1.207...2.1.210) - 2022-09-15
### Feature
- **sca:** add Image Referencer for CloudFormation - [#3501](https://github.com/bridgecrewio/checkov/pull/3501)
### Bug Fix
- **helm:** add try catch to helm cmd run - [#3508](https://github.com/bridgecrewio/checkov/pull/3508)
### Platform
- **general:** upload run metadata to S3 - [#3461](https://github.com/bridgecrewio/checkov/pull/3461)
## [2.1.207](https://github.com/bridgecrewio/checkov/compare/2.1.205...2.1.207) - 2022-09-14
### Feature
- **general:** fix format of cli command reference table - [#3504](https://github.com/bridgecrewio/checkov/pull/3504)
### Bug Fix
- **sca:** skip old CVE suppressions (without 'accountIds') - [#3503](https://github.com/bridgecrewio/checkov/pull/3503)
## [2.1.205](https://github.com/bridgecrewio/checkov/compare/2.1.204...2.1.205) - 2022-09-13
### Feature
- **general:** add flag for summary position - [#3497](https://github.com/bridgecrewio/checkov/pull/3497)
## [2.1.204](https://github.com/bridgecrewio/checkov/compare/2.1.201...2.1.204) - 2022-09-12
### Feature
- **sca:** licenses suppressions by type - [#3491](https://github.com/bridgecrewio/checkov/pull/3491)
### Bug Fix
- **arm:** unexpected data type in ACRAnonymousPullDisabled - [#3496](https://github.com/bridgecrewio/checkov/pull/3496)
- **general:** remove duplicated reports - [#3495](https://github.com/bridgecrewio/checkov/pull/3495)
## [2.1.201](https://github.com/bridgecrewio/checkov/compare/2.1.196...2.1.201) - 2022-09-08
### Feature
- **general:** `intersects/not_intersects` operators (solvers) - [#3482](https://github.com/bridgecrewio/checkov/pull/3482)
### Bug Fix
- **gha:** Gracefully handle bad GHA job definitions - [#3489](https://github.com/bridgecrewio/checkov/pull/3489)
- **sca:** do not skip the scan if BC_LIC is used with --check - [#3488](https://github.com/bridgecrewio/checkov/pull/3488)
## [2.1.196](https://github.com/bridgecrewio/checkov/compare/2.1.193...2.1.196) - 2022-09-07
### Bug Fix
- **kubernetes:** Validate k8s spec type - [#3483](https://github.com/bridgecrewio/checkov/pull/3483)
- **terraform:** removed duplicate check CKV_ALI_34 - [#3467](https://github.com/bridgecrewio/checkov/pull/3467)
## [2.1.193](https://github.com/bridgecrewio/checkov/compare/2.1.188...2.1.193) - 2022-09-06
### Bug Fix
- **cloudformation:** fix bug in cfn parser - [#3473](https://github.com/bridgecrewio/checkov/pull/3473)
### Platform
- **sca:** Add images data to image_cached_results for ImageReferencer scan - [#3468](https://github.com/bridgecrewio/checkov/pull/3468)
- **secrets:** modify checkov secrets scanner to scan all files based on ff - [#3474](https://github.com/bridgecrewio/checkov/pull/3474)
## [2.1.188](https://github.com/bridgecrewio/checkov/compare/2.1.184...2.1.188) - 2022-09-05
### Feature
- **cloudformation:** json parser support triple quote string - [#3463](https://github.com/bridgecrewio/checkov/pull/3463)
### Bug Fix
- **terraform:** gcp postgresql default values - [#3457](https://github.com/bridgecrewio/checkov/pull/3457)
## [2.1.184](https://github.com/bridgecrewio/checkov/compare/2.1.182...2.1.184) - 2022-09-04
### Platform
- **general:** trim API urls - [#3460](https://github.com/bridgecrewio/checkov/pull/3460)
### Documentation
- **general:** adjust example for custom check with guideline - [#3459](https://github.com/bridgecrewio/checkov/pull/3459)
## [2.1.182](https://github.com/bridgecrewio/checkov/compare/2.1.179...2.1.182) - 2022-09-02
### Feature
- **sca:** Added fix details to junitxml - [#3456](https://github.com/bridgecrewio/checkov/pull/3456)
- **terraform:** Added 5 python (CKV_AWS_267-271) and 2 yaml (CKV2_AWS_38-39) policies. - [#3438](https://github.com/bridgecrewio/checkov/pull/3438)
## [2.1.179](https://github.com/bridgecrewio/checkov/compare/2.1.176...2.1.179) - 2022-09-01
### Bug Fix
- **graph:** cache jsonpath attributes parser results - [#3451](https://github.com/bridgecrewio/checkov/pull/3451)
### Platform
- **general:** revert dropping checks metadata for empty reports - [#3453](https://github.com/bridgecrewio/checkov/pull/3453)
================================================
FILE: CNAME
================================================
checkov.io
================================================
FILE: CODE_OF_CONDUCT.md
================================================
# Contributor Covenant Code of Conduct
## Our Pledge
In the interest of fostering an open and welcoming environment, we as
contributors and maintainers pledge to making participation in our project and
our community a harassment-free experience for everyone, regardless of age, body
size, disability, ethnicity, sex characteristics, gender identity and expression,
level of experience, education, socio-economic status, nationality, personal
appearance, race, religion, or sexual identity and orientation.
## Our Standards
Examples of behavior that contributes to creating a positive environment
include:
* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members
Examples of unacceptable behavior by participants include:
* The use of sexualized language or imagery and unwelcome sexual attention or
advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic
address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a
professional setting
## Our Responsibilities
Project maintainers are responsible for clarifying the standards of acceptable
behavior and are expected to take appropriate and fair corrective action in
response to any instances of unacceptable behavior.
Project maintainers have the right and responsibility to remove, edit, or
reject comments, commits, code, wiki edits, issues, and other contributions
that are not aligned to this Code of Conduct, or to ban temporarily or
permanently any contributor for other behaviors that they deem inappropriate,
threatening, offensive, or harmful.
## Scope
This Code of Conduct applies both within project spaces and in public spaces
when an individual is representing the project or its community. Examples of
representing a project or community include using an official project e-mail
address, posting via an official social media account, or acting as an appointed
representative at an online or offline event. Representation of a project may be
further defined and clarified by project maintainers.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting the project team on our community slack. All
complaints will be reviewed and investigated and will result in a response that
is deemed necessary and appropriate to the circumstances. The project team is
obligated to maintain confidentiality with regard to the reporter of an incident.
Further details of specific enforcement policies may be posted separately.
Project maintainers who do not follow or enforce the Code of Conduct in good
faith may face temporary or permanent repercussions as determined by other
members of the project's leadership.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
[homepage]: https://www.contributor-covenant.org
For answers to common questions about this code of conduct, see
https://www.contributor-covenant.org/faq
================================================
FILE: CONTRIBUTING.md
================================================
# Contributing
The developer guide is for anyone wanting to contribute directly to the Checkov project.
If you've already developed new checks we'd be happy to take a look at them and merge them as part of the [fast-lane](https://github.com/bridgecrewio/checkov/issues?q=is%3Aopen+is%3Aissue+label%3Afast-lane).
## Open an issue
Checkov is an open source project maintained by
[Prisma Cloud by Palo Alto Networks](https://www.prismacloud.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=checkov).
Our team of maintainers continuously works on developing new features and enhancing existing features. If you encounter
a bug or have a suggestion, please start by opening an Issue. When reporting, provide a detailed description with examples
to help us understand the context and specifics. Please note that while we review every issue, non-critical or
non-blocking issues may be prioritized based on their popularity or frequency. We appreciate your contributions and
engagement in helping us improve Checkov.
## Developing and contributing code
Dedicated Prisma Cloud maintainers are actively developing new content and adding more features. We would be delighted to
chat and look at your code. Here are a few guidelines we follow. Hopefully, these will ensure your contribution could
quickly be added to the project.
### Work locally
Most Checkov users run their own local instances of Checkov and either run it manually or routinely using Jenkins or
CircleCI. As Checkov is a non-intrusive library we recommend developing against a local repository and ensuring you are
able to add your contributions successfully on your local fork/repo.
If you are developing against remote libraries or repositories - that's great! We'd love to hear how you're doing with it.
In the meantime, before you open a PR, deploy and test your contributions locally.
### Keep your fork in sync
Checkov is usually updated on a weekly basis. Syncing your fork weekly ensures you are working on an updated version that will not break your PR.
### Rationalize your commits
Try to work on structured and well-defined contributions. If you are building a new feature try to build a unified
feature block that can be easily reviewed and tested.
If you are fixing or patching existing code, break the changes into logical blocks which individually make sense
and in aggregate solve a broader issue.
### Test where it matters
1. Unit: Unit tests, including check tests, are stored in checkov/tests/.
2. E2E: End-to-end tests will help us establish if the feature is in high readiness. They are not required for simple
or straightforward features but will help us in evaluating the PR.
#### Tests for new checks
When you add a new check, please write a test for it. While there are many different ways that tests have been written in the past, we have standardized on [this](https://github.com/bridgecrewio/checkov/blob/main/tests/terraform/checks/resource/aws/test_IAMAdminPolicyDocument.py) format. The key points are:
* The test defines templates as strings (in this case, in separate files, but hardcoding a string is also acceptable) and parses them using the runner. The configuration should NOT be hard-coded as an object, as in [this](https://github.com/bridgecrewio/checkov/blob/main/tests/terraform/checks/resource/aws/test_ALBListenerHTTPS.py) example. The reason is that parsers sometimes produce unexpected object structures, so it is quite common that hardcoding the object allows the test to pass but causes the check to be incorrect in practice.
* The test explicitly lists which resources should pass and which should fail. Merely checking the count of passes and failures is not enough. While rare, in the past this has resulted in tests that pass but checks that are incorrect in practice.
#### Running tests
Continuous integration will run these tests both as pre-submits on PRs and as post-submits against the master branch.
Results will appear under [actions](https://github.com/bridgecrewio/checkov/actions).
To run tests locally use the following commands (install dev dependencies, run tests and compute tests coverage):
If you are using conda, create a new environment with Python 3.10.14 version:
```sh
conda create -n python310 python=3.10.17
conda activate python310
```
Then install pipenv, and run the tests and coverage modules:
```sh
pip install pipenv
pipenv install --dev
pipenv run python -m coverage run -m pytest tests
```
### Build package locally
Set the version number in `/checkov/version.py` to your version.
To build the package locally, run the following from the repository root folder:
```sh
pipenv run python setup.py sdist bdist_wheel
```
- This will create a `*.whl` package under a new folder named `dist`
To install the package from the local `dist` directory, update the release version value and run the installation:
```sh
RELEASE_VERSION='xxx'
pip install dist/checkov-${RELEASE_VERSION}-py3-none-any.whl
```
### Test the package
First verify you have the right version installed:
```sh
checkov --version
```
Then, optionally, you can run on a terraform file/directory with your success and failure test scenarios.
### Setting up the pre-commit hooks
After setting up your Python environment simply run
```shell
pre-commit install
```
To check the code base against the pre-commit hooks just run
```shell
pre-commit run -a
```
### Using regex
Use `re.compile` for all regular expressions so that flake8 can scan them.
### Documentation is awesome
Contributing to the documentation is not mandatory but it will ensure people are aware of your important contribution.
The best way to add documentation is by including suggestions to the [docs](https://github.com/bridgecrewio/checkov/tree/main/docs)
library as part of your PR. If you'd rather send us a short blurb on slack that's also fine.
## Creating a pull-request
If a trivial fix such as a broken link, typo or grammar mistake, review the entire document for other potential mistakes.
Try not to open multiple PRs for small fixes in the same document.
Reference any issues related to your PR, or issues that PR may solve.
Comment on your own PR where you believe something may need further explanation.
No need to assign explicit reviewers. We have maintainers reviewing contributions on a daily basis.
If your PR is considered a "Work in progress", prefix the name with [WIP] or use the /hold command. This will prevent
the PR from being merged until the [WIP] or hold is lifted.
If your PR isn't getting enough attention, don't hesitate to ping one of the maintainers on Slack to find additional reviewers.
## Fast-lane for new checks
If you would like to contribute a new check, please label your issue or PR with a `fast-lane` label. This ensures your
inputs are seen and reviewed quickly and get distributed back to the entire community.
================================================
FILE: Dockerfile
================================================
# Container image for running checkov (used by the GitHub Action via entrypoint.sh).
# The base is a floating minor tag (3.11-slim), not a digest, so each rebuild
# takes whatever that tag currently points at.
FROM python:3.11-slim
# Presumably read by checkov/entrypoint.sh to detect the container environment
# — confirm against the entrypoint and checkov sources.
ENV RUN_IN_DOCKER=True
# One layer: OS packages, pinned setuptools/urllib3, then the helm and kustomize
# installers.  Both installer scripts are fetched from the `master` branch of
# their upstream repositories (a moving target rather than a tagged release).
# For helm, VERIFY_CHECKSUM=true asks the installer to verify the downloaded
# binary's checksum; the kustomize installer is run with no equivalent
# verification on this line.  curl is removed again at the end so it is absent
# from the final image, and the apt lists are cleaned to keep the layer small.
RUN set -eux; \
apt-get update; \
apt-get -y upgrade; \
apt-get install -y --no-install-recommends \
ca-certificates \
git \
curl \
openssh-client \
; \
\
pip install setuptools==78.1.1 urllib3==2.2.2; \
curl -sSLo get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3; \
chmod 700 get_helm.sh; \
VERIFY_CHECKSUM=true ./get_helm.sh; \
rm ./get_helm.sh; \
\
curl -sSLo get_kustomize.sh https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh; \
chmod 700 get_kustomize.sh; \
./get_kustomize.sh; mv /kustomize /usr/bin/kustomize; \
rm ./get_kustomize.sh; \
\
apt-get remove -y curl; \
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
rm -rf /var/lib/apt/lists/*
# Unpinned: `-U` installs the newest checkov on PyPI at build time, with no
# version or hash pin, so two builds of this Dockerfile can produce different
# checkov versions.
RUN pip install --no-cache-dir -U checkov
# Action entrypoint and the GitHub problem-matcher definitions it references.
COPY ./github_action_resources/entrypoint.sh /entrypoint.sh
COPY ./github_action_resources/checkov-problem-matcher.json /usr/local/lib/checkov-problem-matcher.json
COPY ./github_action_resources/checkov-problem-matcher-softfail.json /usr/local/lib/checkov-problem-matcher-softfail.json
# Code file to execute when the docker container starts up (`entrypoint.sh`)
# No USER instruction is set, so the entrypoint runs as the base image's default
# user (root for the python slim images).
ENTRYPOINT ["/entrypoint.sh"]
================================================
FILE: INTHEWILD.md
================================================
# Who uses checkov?
As the checkov community grows, we'd like to keep track of who is using the OSS tool.
Please send a PR with your company name and @githubhandle.
## Currently, officially using Checkov:
1. [Nationwide Building Society](https://www.nationwide.co.uk/) [[@njgibbon](https://github.com/njgibbon)]
1. [globaldatanet](https://globaldatanet.com/) [[@gruebel](https://github.com/gruebel)]
1. [Steamhaus](https://www.steamhaus.co.uk/) [[@bilco105](https://github.com/bilco105)]
1. [Jim Smith](https://www.linkedin.com/in/mr-j-smith/) [[@jimsmith](https://github.com/jimsmith)]
1. [Chaser Systems](https://chasersystems.com/) [[@new23d](https://github.com/new23d)]
1. [Palo Alto Networks](https://www.paloaltonetworks.com/) [[@jameswoolfenden](https://github.com/JamesWoolfenden)]
1. [Appvia](https://www.appvia.io/) [[@abdelhegazi](https://github.com/abdelhegazi)]
1. [Square](https://squareup.com/) [[@ac-square](https://github.com/ac-square), [@santoshankr](https://github.com/santoshankr)]
1. [Madhu Akula](https://madhuakula.com/) [[@madhuakula](https://github.com/madhuakula)]
1. [Royal Vopak N.V.](https://vopak.com/) [[@xmariopereira](https://github.com/xmariopereira)]
1. [Punk Security (UK)](https://punksecurity.co.uk/) [[@punksecurity](https://github.com/punk-security)]
================================================
FILE: LICENSE
================================================
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2019 Palo Alto Networks
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
================================================
FILE: Pipfile
================================================
# Pipenv manifest for checkov: package index, dev-only tooling, runtime
# dependencies, and the interpreter requirement.
[[source]]
name = "pypi"
url = "https://pypi.org/simple"
# TLS verification against the index stays enabled.
verify_ssl = true
# Test, typing, lint and packaging tooling; not installed for end users.
[dev-packages]
pytest = "<8.0.0"
pytest-xdist = "*"
pytest-asyncio = "*"
pytest-cov = "*"
pytest-mock = "*"
pytest-benchmark = "*"
exceptiongroup = {version = "*", markers="python_version < '3.11'"}
coverage ="==7.6.1"
coverage-badge = "*"
# Static security linter for the Python sources.
bandit = "*"
urllib3-mock = "*"
jsonschema = "*"
importlib-resources = ">=1.3"
responses = "*"
aioresponses = "*"
types-cachetools = ">=5.2.0,<6.0.0"
types-jmespath = ">=1.0.0,<2.0.0"
types-jsonschema = ">=4.17.0,<5.0.0"
types-pyyaml = ">=6.0.0,<7.0.0"
types-requests = ">=2.28.0,<3.0.0"
types-tabulate = ">=0.9.0,<0.10.0"
types-tqdm = ">=4.65.0,<5.0.0"
types-urllib3 = "*"
pre-commit = "*"
flake8 = "*"
dlint = "*"
mypy = "*"
flake8-bugbear = "*"
parameterized = "*"
time-machine = "*"
boto3-stubs-lite = {extras = ["s3"], version = "*"}
types-colorama = "<0.5.0,>=0.4.3"
tomli = "*"
# Same exact pin as the `pip install setuptools==78.1.1` in the Dockerfile.
setuptools = "==78.1.1"
iniconfig = "*"
# Runtime dependencies.  Most carry an upper bound; the `==` entries are exact pins.
[packages]
bc-jsonpath-ng = "==1.6.1"
pycep-parser = "==0.5.1"
tabulate = ">=0.9.0,<0.10.0"
colorama = ">=0.4.3,<0.5.0"
termcolor=">=1.1.0,<2.4.0"
junit-xml = ">=1.9,<2.0"
dpath = "==2.1.3"
pyyaml = ">=6.0.0,<7.0.0"
boto3 = "==1.35.49"
gitpython = ">=3.1.30,<4.0.0"
jmespath = ">=1.0.0,<2.0.0"
tqdm = ">=4.65.0,<5.0.0"
packaging = ">=23.0,<24.0"
cloudsplaining = ">=0.7.0,<0.8.0"
networkx = "<2.7"
dockerfile-parse =">=2.0.0,<3.0.0"
docker = ">=6.0.1,<8.0.0"
configargparse = ">=1.5.3,<2.0.0"
argcomplete = ">=3.0.0,<4.0.0"
typing-extensions = ">=4.5.0,<5.0.0"
importlib-metadata = ">=6.0.0,<8.0.0"
cachetools = ">=5.2.0,<6.0.0"
cyclonedx-python-lib = ">=6.0.0,<8.0.0"
packageurl-python = ">=0.11.1,<0.14.0"
click = ">=8.1.0,<9.0.0"
aiohttp = ">=3.8.0,<4.0.0"
aiodns = ">=3.0.0,<4.0.0"
aiomultiprocess = ">=0.9.0,<0.10.0"
schema = "<=0.7.5"
jsonschema = ">=4.17.0,<5.0.0"
prettytable = ">=3.6.0,<4.0.0"
charset-normalizer = ">=3.1.0,<4.0.0"
# Only installed on CPython < 3.11, x86_64 Linux/macOS (see markers).
pyston-autoload = {version = "==2.3.5", markers="python_version < '3.11' and (sys_platform == 'linux' or sys_platform == 'darwin') and platform_machine == 'x86_64' and implementation_name == 'cpython'", index="pypi"}
pyston = {version = "==2.3.5", markers="python_version < '3.11' and (sys_platform == 'linux' or sys_platform == 'darwin') and platform_machine == 'x86_64' and implementation_name == 'cpython'", index="pypi"}
requests = ">=2.28.0,<3.0.0"
yarl = ">=1.9.1,<2.0.0"
spdx-tools = ">=0.8.0,<0.9.0"
license-expression = ">=30.1.0,<31.0.0"
rustworkx = ">=0.13.0,<1.0.0"
pydantic = ">=2.0.0,<3.0.0"
asteval = "==1.0.6"
bc-detect-secrets = "==1.5.47"
# Lower bound only, no upper bound (unlike most entries here); the Dockerfile
# separately pins urllib3==2.2.2 at image build time.
urllib3 = ">=1.26.20"
bc-python-hcl2 = "==0.4.3"
# Interpreter pipenv resolves against; the Dockerfile builds on python:3.11-slim.
[requires]
python_version = "3.9"
================================================
FILE: README.md
================================================
[](#)
[](https://prismacloud.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=checkov)
[](https://github.com/bridgecrewio/checkov/actions?query=workflow%3Abuild)
[](https://github.com/bridgecrewio/checkov/actions?query=event%3Apush+branch%3Amaster+workflow%3Asecurity)
[](https://github.com/bridgecrewio/checkov/actions?query=workflow%3Acoverage)
[](https://www.checkov.io/1.Welcome/What%20is%20Checkov.html?utm_source=github&utm_medium=organic_oss&utm_campaign=checkov)
[](https://pypi.org/project/checkov/)
[](#)
[](#)
[](https://pepy.tech/project/checkov)
[](https://hub.docker.com/r/bridgecrew/checkov)
[](https://codifiedsecurity.slack.com/)
**Checkov** is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages.
It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md), [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), [OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md), [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md), or [OpenTofu](https://opentofu.org/) and detects security and compliance misconfigurations using graph-based scanning.
It performs [Software Composition Analysis (SCA) scanning](docs/7.Scan%20Examples/Sca.md) which is a scan of open source packages and images for Common Vulnerabilities and Exposures (CVEs).
Checkov also powers [**Prisma Cloud Application Security**](https://www.prismacloud.io/prisma/cloud/cloud-code-security/?utm_source=github&utm_medium=organic_oss&utm_campaign=checkov), the developer-first platform that codifies and streamlines cloud security throughout the development lifecycle. Prisma Cloud identifies, fixes, and prevents misconfigurations in cloud resources and infrastructure-as-code files.
## **Table of contents**
- [Features](#features)
- [Screenshots](#screenshots)
- [Getting Started](#getting-started)
- [Disclaimer](#disclaimer)
- [Support](#support)
- [Migration - v2 to v3](https://github.com/bridgecrewio/checkov/blob/main/docs/1.Welcome/Migration.md)
## Features
* [Over 1000 built-in policies](https://github.com/bridgecrewio/checkov/blob/main/docs/5.Policy%20Index/all.md) cover security and compliance best practices for AWS, Azure and Google Cloud.
* Scans Terraform, Terraform Plan, Terraform JSON, CloudFormation, AWS SAM, Kubernetes, Helm, Kustomize, Dockerfile, Serverless framework, Ansible, Bicep, ARM, and OpenTofu template files.
* Scans Argo Workflows, Azure Pipelines, BitBucket Pipelines, Circle CI Pipelines, GitHub Actions and GitLab CI workflow files
* Supports Context-awareness policies based on in-memory graph-based scanning.
* Supports Python format for attribute policies and YAML format for both attribute and composite policies.
* Detects [AWS credentials](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Scanning%20Credentials%20and%20Secrets.md) in EC2 Userdata, Lambda environment variables and Terraform providers.
* [Identifies secrets](https://www.prismacloud.io/prisma/cloud/secrets-security) using regular expressions, keywords, and entropy based detection.
* Evaluates [Terraform Provider](https://registry.terraform.io/browse/providers) settings to regulate the creation, management, and updates of IaaS, PaaS or SaaS managed through Terraform.
* Policies support evaluation of [variables](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Handling%20Variables.md) to their optional default value.
* Supports in-line [suppression](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Suppressing%20and%20Skipping%20Policies.md) of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.
* [Output](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Reviewing%20Scan%20Results.md) currently available as CLI, [CycloneDX](https://cyclonedx.org), JSON, JUnit XML, CSV, SARIF and github markdown and link to remediation [guides](https://docs.prismacloud.io/en/enterprise-edition/policy-reference/).
## Screenshots
Scan results in CLI

Scheduled scan result in Jenkins

## Getting started
### Requirements
* Python >= 3.9, <=3.12
* Terraform >= 0.12
### Installation
To install pip follow the official [docs](https://pip.pypa.io/en/stable/cli/pip_install/)
```sh
pip3 install checkov
```
Certain environments (e.g., Debian 12) may require you to install Checkov in a virtual environment:
```sh
# Create and activate a virtual environment
python3 -m venv /path/to/venv/checkov
cd /path/to/venv/checkov
source ./bin/activate
# Install Checkov with pip
pip install checkov
# Optional: Create a symlink for easy access
sudo ln -s /path/to/venv/checkov/bin/checkov /usr/local/bin/checkov
```
or with [Homebrew](https://formulae.brew.sh/formula/checkov) (macOS or Linux)
```sh
brew install checkov
```
### Enabling bash autocomplete
```sh
source <(register-python-argcomplete checkov)
```
### Upgrade
If you installed checkov with pip3:
```sh
pip3 install -U checkov
```
or with Homebrew
```sh
brew upgrade checkov
```
### Configure an input folder or file
```sh
checkov --directory /user/path/to/iac/code
```
Or a specific file or files
```sh
checkov --file /user/tf/example.tf
```
Or
```sh
checkov -f /user/cloudformation/example1.yml -f /user/cloudformation/example2.yml
```
Or a terraform plan file in json format
```sh
terraform init
terraform plan -out tf.plan
terraform show -json tf.plan > tf.json
checkov -f tf.json
```
Note: the `terraform show` output file `tf.json` will be a single line.
For that reason, Checkov will report all findings at line number 0.
```sh
check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.customer
File: /tf/tf.json:0-0
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
```
If you have installed `jq` you can convert json file into multiple lines with the following command:
```sh
terraform show -json tf.plan | jq '.' > tf.json
```
The scan result will then be much more user-friendly.
```sh
checkov -f tf.json
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.customer
File: /tf/tf1.json:224-268
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
225 | "values": {
226 | "acceleration_status": "",
227 | "acl": "private",
228 | "arn": "arn:aws:s3:::mybucket",
```
Alternatively, specify the repo root of the hcl files used to generate the plan file, using the `--repo-root-for-plan-enrichment` flag, to enrich the output with the appropriate file path, line numbers, and codeblock of the resource(s). An added benefit is that check suppressions will be handled accordingly.
```sh
checkov -f tf.json --repo-root-for-plan-enrichment /user/path/to/iac/code
```
### Scan result sample (CLI)
```sh
Passed Checks: 1, Failed Checks: 1, Suppressed Checks: 0
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
/main.tf:
Passed for resource: aws_s3_bucket.template_bucket
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
/../regionStack/main.tf:
Failed for resource: aws_s3_bucket.sls_deployment_bucket_name
```
Start using Checkov by reading the [Getting Started](https://github.com/bridgecrewio/checkov/blob/main/docs/1.Welcome/Quick%20Start.md) page.
### Using Docker
```sh
docker pull bridgecrew/checkov
docker run --tty --rm --volume /user/tf:/tf --workdir /tf bridgecrew/checkov --directory /tf
```
Note: if you are using Python 3.6 (the default version in Ubuntu 18.04), checkov will not work; it will fail with the error message `ModuleNotFoundError: No module named 'dataclasses'`. In this case, you can use the Docker version instead.
Note that there are certain cases where redirecting `docker run --tty` output to a file - for example, if you want to save the Checkov JUnit output to a file - will cause extra control characters to be printed. This can break file parsing. If you encounter this, remove the `--tty` flag.
The `--workdir /tf` flag is optional to change the working directory to the mounted volume. If you are using the SARIF output `-o sarif` this will output the results.sarif file to the mounted volume (`/user/tf` in the example above). If you do not include that flag, the working directory will be "/".
### Running or skipping checks
By using command line flags, you can specify to run only named checks (allow list) or run all checks except
those listed (deny list). If you are using the platform integration via API key, you can also specify a severity threshold to skip and / or include.
Moreover, since JSON files cannot contain comments, you can pass a regex pattern to skip secret scanning of matching JSON files.
See the docs for more detailed information about how these flags work together.
## Examples
Allow only the two specified checks to run:
```sh
checkov --directory . --check CKV_AWS_20,CKV_AWS_57
```
Run all checks except the one specified:
```sh
checkov -d . --skip-check CKV_AWS_20
```
Run all checks except checks with specified patterns:
```sh
checkov -d . --skip-check CKV_AWS*
```
Run all checks that are MEDIUM severity or higher (requires API key):
```sh
checkov -d . --check MEDIUM --bc-api-key ...
```
Run all checks that are MEDIUM severity or higher, as well as check CKV_123 (assume this is a LOW severity check):
```sh
checkov -d . --check MEDIUM,CKV_123 --bc-api-key ...
```
Skip all checks that are MEDIUM severity or lower:
```sh
checkov -d . --skip-check MEDIUM --bc-api-key ...
```
Skip all checks that are MEDIUM severity or lower, as well as check CKV_789 (assume this is a high severity check):
```sh
checkov -d . --skip-check MEDIUM,CKV_789 --bc-api-key ...
```
Run all checks that are MEDIUM severity or higher, but skip check CKV_123 (assume this is a medium or higher severity check):
```sh
checkov -d . --check MEDIUM --skip-check CKV_123 --bc-api-key ...
```
Run check CKV_789, but skip it if it is a medium severity (the --check logic is always applied before --skip-check)
```sh
checkov -d . --skip-check MEDIUM --check CKV_789 --bc-api-key ...
```
For Kubernetes workloads, you can also use allow/deny namespaces. For example, do not report any results for the
kube-system namespace:
```sh
checkov -d . --skip-check kube-system
```
Run a scan of a container image. First pull or build the image then refer to it by the hash, ID, or name:tag:
```sh
checkov --framework sca_image --docker-image sha256:1234example --dockerfile-path /Users/path/to/Dockerfile --repo-id ... --bc-api-key ...
checkov --docker-image :tag --dockerfile-path /User/path/to/Dockerfile --repo-id ... --bc-api-key ...
```
You can also use the shorter `--image` flag instead of `--docker-image` to scan a container image:
```sh
checkov --image :tag --dockerfile-path /User/path/to/Dockerfile --repo-id ... --bc-api-key ...
```
Run an SCA scan of packages in a repo:
```sh
checkov -d . --framework sca_package --bc-api-key ... --repo-id
```
Run a scan of a directory with environment variables removing buffering, adding debug level logs:
```sh
PYTHONUNBUFFERED=1 LOG_LEVEL=DEBUG checkov -d .
```
OR enable the environment variables for multiple runs
```sh
export PYTHONUNBUFFERED=1 LOG_LEVEL=DEBUG
checkov -d .
```
Run secrets scanning on all files in MyDirectory, skipping the CKV_SECRET_6 check on JSON files whose name ends with DontScan:
```sh
checkov -d /MyDirectory --framework secrets --repo-id ... --bc-api-key ... --skip-check CKV_SECRET_6:.*DontScan.json$
```
Run secrets scanning on all files in MyDirectory, skipping the CKV_SECRET_6 check on JSON files that contain "skip_test" in their path:
```sh
checkov -d /MyDirectory --framework secrets --repo-id ... --bc-api-key ... --skip-check CKV_SECRET_6:.*skip_test.*json$
```
You can mask values in the scan results by supplying a configuration file (via the `--config-file` flag) that contains a `mask` entry.
Masking applies to a resource and a value (or multiple values, separated by commas).
Examples:
```sh
mask:
- aws_instance:user_data
- azurerm_key_vault_secret:admin_password,user_passwords
```
In the example above, the following values will be masked:
- user_data for aws_instance resource
- both admin_password & user_passwords for the azurerm_key_vault_secret resource
### Suppressing/Ignoring a check
Like any static-analysis tool, Checkov is limited by its analysis scope.
For example, if a resource is managed manually, or by subsequent configuration-management tooling,
a suppression can be inserted as a simple code annotation.
#### Suppression comment format
To skip a check on a given Terraform definition block or CloudFormation resource, apply the following comment pattern inside its scope:
`checkov:skip=<check_id>:<suppression_comment>`
* `<check_id>` is one of the [available check scanners](docs/5.Policy Index/all.md)
* `<suppression_comment>` is an optional suppression reason to be included in the output
#### Example
The following comment skips the `CKV_AWS_20` check, which verifies that an AWS S3 bucket is private, on the resource identified by `foo-bucket`.
In the example, the bucket is configured with public read access; adding the suppression comment skips the check instead of failing it.
```hcl-terraform
resource "aws_s3_bucket" "foo-bucket" {
region = var.region
#checkov:skip=CKV_AWS_20:The bucket is a public static content host
bucket = local.bucket_name
force_destroy = true
acl = "public-read"
}
```
The output would now contain a ``SKIPPED`` check result entry:
```bash
...
...
Check: "S3 Bucket has an ACL defined which allows public access."
SKIPPED for resource: aws_s3_bucket.foo-bucket
Suppress comment: The bucket is a public static content host
File: /example_skip_acl.tf:1-25
...
```
To skip multiple checks, add each as a new line.
```
#checkov:skip=CKV2_AWS_6
#checkov:skip=CKV_AWS_20:The bucket is a public static content host
```
To suppress checks in Kubernetes manifests, annotations are used with the following format:
`checkov.io/skip#: <check_id>=<suppression_comment>`
For example:
```bash
apiVersion: v1
kind: Pod
metadata:
name: mypod
annotations:
checkov.io/skip1: CKV_K8S_20=I don't care about Privilege Escalation :-O
checkov.io/skip2: CKV_K8S_14
checkov.io/skip3: CKV_K8S_11=I have not set CPU limits as I want BestEffort QoS
spec:
containers:
...
```
#### Logging
For detailed logging to stdout set up the environment variable `LOG_LEVEL` to `DEBUG`.
Default is `LOG_LEVEL=WARNING`.
#### Skipping directories
To skip files or directories, use the argument `--skip-path`, which can be specified multiple times. This argument accepts regular expressions for paths relative to the current working directory. You can use it to skip entire directories and / or specific files.
By default, all directories named `node_modules`, `.terraform`, and `.serverless` will be skipped, in addition to any files or directories beginning with `.`.
To cancel skipping directories beginning with `.` override `CKV_IGNORE_HIDDEN_DIRECTORIES` environment variable `export CKV_IGNORE_HIDDEN_DIRECTORIES=false`
You can override the default set of directories to skip by setting the environment variable `CKV_IGNORED_DIRECTORIES`.
Note that if you want to preserve this list and add to it, you must include these values. For example, `CKV_IGNORED_DIRECTORIES=mynewdir` will skip only that directory, but not the others mentioned above. This variable is legacy functionality; we recommend using the `--skip-path` flag described above instead.
#### Console Output
The console output is in colour by default. To switch to monochrome output, set the environment variable:
`ANSI_COLORS_DISABLED`
#### VS Code Extension
If you want to use Checkov within VS Code, give the [Prisma Cloud extension](https://marketplace.visualstudio.com/items?itemName=PrismaCloud.prisma-cloud) a try.
### Configuration using a config file
Checkov can be configured using a YAML configuration file. By default, checkov looks for a `.checkov.yaml` or `.checkov.yml` file in the following places in order of precedence:
* Directory against which checkov is run. (`--directory`)
* Current working directory where checkov is called.
* User's home directory.
**Attention**: the Checkov configuration file should be loaded only from a trusted source authored by a verified identity, because it controls which files are scanned, which check IDs run or are skipped, and which custom checks are loaded.
Users can also pass in the path to a config file via the command line. In this case, the other config files will be ignored. For example:
```sh
checkov --config-file path/to/config.yaml
```
Users can also create a config file using the `--create-config` command, which takes the current command line args and writes them out to a given path. For example:
```sh
checkov --compact --directory test-dir --docker-image sample-image --dockerfile-path Dockerfile --download-external-modules True --external-checks-dir sample-dir --quiet --repo-id prisma-cloud/sample-repo --skip-check CKV_DOCKER_3,CKV_DOCKER_2 --skip-framework dockerfile secrets --soft-fail --branch develop --check CKV_DOCKER_1 --create-config /Users/sample/config.yml
```
Will create a `config.yaml` file which looks like this:
```yaml
branch: develop
check:
- CKV_DOCKER_1
compact: true
directory:
- test-dir
docker-image: sample-image
dockerfile-path: Dockerfile
download-external-modules: true
evaluate-variables: true
external-checks-dir:
- sample-dir
external-modules-download-path: .external_modules
framework:
- all
output: cli
quiet: true
repo-id: prisma-cloud/sample-repo
skip-check:
- CKV_DOCKER_3
- CKV_DOCKER_2
skip-framework:
- dockerfile
- secrets
soft-fail: true
```
Users can also use the `--show-config` flag to view all the args and settings and where each came from, i.e. the command line, a config file, an environment variable or the default. For example:
```sh
checkov --show-config
```
Will display:
```sh
Command Line Args: --show-config
Environment Variables:
BC_API_KEY: your-api-key
Config File (/Users/sample/.checkov.yml):
soft-fail: False
branch: master
skip-check: ['CKV_DOCKER_3', 'CKV_DOCKER_2']
Defaults:
--output: cli
--framework: ['all']
--download-external-modules:False
--external-modules-download-path:.external_modules
--evaluate-variables:True
```
## Contributing
Contribution is welcomed!
Start by reviewing the [contribution guidelines](https://github.com/bridgecrewio/checkov/blob/main/CONTRIBUTING.md). After that, take a look at a [good first issue](https://github.com/bridgecrewio/checkov/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22).
You can even start this with one-click dev in your browser through Gitpod at the following link:
[](https://gitpod.io/#https://github.com/bridgecrewio/checkov)
Looking to contribute new checks? Learn how to write a new check (AKA policy) [here](https://github.com/bridgecrewio/checkov/blob/main/docs/6.Contribution/Contribution%20Overview.md).
## Disclaimer
`checkov` does not save, publish or share with anyone any identifiable customer information.
No identifiable customer information is used to query Prisma Cloud's publicly accessible guides.
`checkov` uses Prisma Cloud's API to enrich the results with links to remediation guides.
To skip this API call use the flag `--skip-download`.
## Support
[Prisma Cloud](https://www.prismacloud.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=checkov) builds and maintains Checkov to make policy-as-code simple and accessible.
Start with our [Documentation](https://www.checkov.io/1.Welcome/Quick%20Start.html) for quick tutorials and examples.
## Python Version Support
We follow the official support cycle of Python, and we use automated tests for supported versions of Python.
This means we currently support Python 3.9 - 3.13, inclusive.
Note that Python 3.8 reached EOL on October 2024 and Python 3.9 will reach EOL in October 2025.
If you run into any issues with any non-EOL Python version, please open an Issue.
================================================
FILE: SECURITY.md
================================================
# Security
## Reporting a Vulnerability
If you think you have found a potential security vulnerability in `checkov`,
please email psirt@paloaltonetworks.com directly. Do not file a public issue. If
English is not your first language, please try to describe the problem
and its impact to the best of your ability. For greater detail, please
use your native language and we will try our best to translate it using
online services.
Please also include the code you used to find the problem and the
shortest amount of code necessary to reproduce it.
Please do not disclose this to anyone else. We will retrieve a CVE
identifier if necessary and give you full credit under whatever name or
alias you provide. We will only request an identifier when we have a fix
and can publish it in a release.
We will respect your privacy and will only publicize your involvement if
you grant us permission.
## Process
The following information describes the process the `checkov` project
follows in response to vulnerability disclosures. If you are disclosing
a vulnerability, this section of the documentation lets you know how we
will respond to your disclosure.
### Timeline
When you report an issue, one of the project members will respond to you
within a few days. This initial response will at the very least confirm
receipt of the report.
If we are able to rapidly reproduce the issue, the initial response
will also contain confirmation of the issue. If we are not, we will
often ask for more information about the reproduction scenario.
Our goal is to have a fix for any vulnerability released within two
weeks of the initial disclosure. This may potentially involve shipping
an interim release that simply disables the affected functionality while a more mature fix
can be prepared, but will in the vast majority of cases mean shipping a
complete release as soon as possible.
Throughout the fix process we will keep you up to speed with how the fix
is progressing. Once the fix is prepared, we will notify you that we
believe we have a fix. Often we will ask you to confirm the fix resolves
the problem in your environment, especially if we are not confident of
our reproduction scenario.
At this point, we will prepare for the release. We will obtain a CVE
number if one is required, providing you with full credit for the
discovery. We will also decide on a planned release date, and let you
know when it is.
On release day, we will push the patch to our public repository, along
with an updated changelog that describes the issue. The change log is
generated automatically from commit messages. We will then issue a
PyPI release containing the patch.
At this point, we will publicise the release. This will involve
announcement on our Slack channel (https://codifiedsecurity.slack.com)
and all other communication mechanisms available to the core team.
We will also explicitly mention which commits contain the fix to make it
easier for other distributors and users to patch their own
versions of `checkov` if upgrading is not an option.
================================================
FILE: bin/checkov
================================================
#!/usr/bin/env python
"""Console entry point for Checkov.

Delegates to ``checkov.main.Checkov`` and uses its return value as the
process exit status. SyntaxWarnings are ignored for the duration of the run
(presumably to keep them out of the CLI output).
"""
import sys
import warnings

from checkov.main import Checkov

if __name__ == "__main__":
    with warnings.catch_warnings():
        # Only SyntaxWarning is silenced; every other warning category keeps
        # the interpreter's default handling.
        warnings.simplefilter("ignore", category=SyntaxWarning)
        exit_status = Checkov().run()
        sys.exit(exit_status)
================================================
FILE: bin/checkov.cmd
================================================
@echo OFF
REM="""
setlocal
set PythonExe=""
set PythonExeFlags=
for %%i in (cmd bat exe) do (
    for %%j in (python.%%i) do (
        call :SetPythonExe "%%~$PATH:j"
    )
)
for /f "tokens=2 delims==" %%i in ('assoc .py') do (
    for /f "tokens=2 delims==" %%j in ('ftype %%i') do (
        for /f "tokens=1" %%k in ("%%j") do (
            call :SetPythonExe %%k
        )
    )
)
%PythonExe% -x %PythonExeFlags% "%~f0" %*
exit /B %ERRORLEVEL%
goto :EOF
:SetPythonExe
if not ["%~1"]==[""] (
    if [%PythonExe%]==[""] (
        set PythonExe="%~1"
    )
)
goto :EOF
"""
# ===================================================
# Python script starts here
# ===================================================
# This file is a batch/Python polyglot. The batch section above picks the
# first interpreter it finds (python.cmd/.bat/.exe on PATH, then the .py file
# association from assoc/ftype; :SetPythonExe only assigns when PythonExe is
# still empty, so the first hit wins) and re-runs this same file with it.
# "-x" makes Python skip the first line ("@echo OFF"), so Python sees the
# batch code only as the string literal assigned to REM and runs the code
# below. Batch never reaches this part because of "exit /B" above.
#!/usr/bin/env python
from checkov.main import Checkov
import warnings
import sys

if __name__ == '__main__':
    # Ignore SyntaxWarnings for the duration of the run; the process exits
    # with whatever Checkov().run() returns.
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", category=SyntaxWarning)
        sys.exit(Checkov().run())
================================================
FILE: cdk_integration_tests/__init__.py
================================================
================================================
FILE: cdk_integration_tests/prepare_data.sh
================================================
#!/bin/bash
# Produce the JSON report for the CDK integration tests by scanning the whole
# cdk_integration_tests/src tree with the cdk framework. "-s" is checkov's
# soft-fail switch, so failing checks do not turn into a non-zero exit here.
#
# Per-check report generation (one report per CDK python check) is kept below
# for reference but is disabled.
#for file in "checkov/cdk/checks/python"/*; do
#    # Ensure it's a yaml file
#    if [[ -f "$file" && "$file" == *.yaml ]]; then
#        basename=$(basename -- "$file")
#        filename="${basename%.*}"
#        check_id=$(grep 'id:' $file | awk '{print $2}')
#        if [[ $check_id != CKV* ]]; then
#            #expects only CKV check ids
#            continue
#        fi
#        # create a report for this check
#        echo "creating report for check: $filename, id: $check_id"
#        pipenv run checkov -s --framework cdk --repo-id cli/cdk -o json --check $check_id \
#            -d "cdk_integration_tests/src/python/$filename" --external-checks-dir "checkov/cdk/checks/python" \
#            > "checkov_report_cdk_python_$filename.json"
#    fi
#done

report_path="checkov_report_cdk.json"
echo "creating report for CDK"
pipenv run checkov -s --framework cdk --repo-id cli/cdk -o json -d "cdk_integration_tests/src" > "${report_path}"

#todo: iterate over all the cdk typescript checks - when ts supported in sast
================================================
FILE: cdk_integration_tests/run_integration_tests.sh
================================================
#!/bin/bash
# In order to run this script set the following environment variables:
# BC_API_URL - your API url.
# BC_KEY - generate API key via Platform.
# You can also add the local SAST_ARTIFACT_PATH and LOG_LEVEL.
# You can also set those vars in the set_env_vars() function, and uncomment the call to it.
# The working dir should be the checkov project dir.
# For example: on /Users/ajbara/dev2/checkov dir run BC_API_URL=https://ws342vj2ze.execute-api.us-west-2.amazonaws.com/v1 BC_KEY=xyz LOG_LEVEL=Info /Users/ajbara/dev2/checkov/sast_integration_tests/run_integration_tests.sh
# Optional local overrides for the variables this script needs (see the header
# comment). Not called by default; uncomment the call further down to use it.
# Fill the placeholders locally only - a real API key does not belong in this file.
set_env_vars() {
    export SAST_ARTIFACT_PATH=""
    export BC_API_KEY=""
    export LOG_LEVEL=DEBUG
    export PRISMA_API_URL="https://api0.prismacloud.io"
}
prepare_data () {
    # Scan the CDK fixtures with the cdk framework and write the JSON report
    # used by the pytest run that follows. "-s" is checkov's soft-fail switch.
    local report_path="checkov_report_cdk.json"
    echo "creating report for CDK"
    python checkov/main.py -s --framework cdk --repo-id prisma/cdk -o json -d "cdk_integration_tests/src" > "${report_path}"
}
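delete_reports () {
    # Best-effort cleanup of the artifacts a run may produce. "-f" keeps a
    # missing file (e.g. no results.sarif was written) from failing the rm;
    # since this is the last command of the script, that error used to become
    # the script's exit status.
    rm -rf checkov_report*
    rm -f results.sarif
    rm -f checkov_checks_list.txt
}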
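#echo "calling set_env_vars"
#set_env_vars

# Required inputs. The previous tests compared the literal strings
# "BC_API_KEY" / "PRISMA_API_URL" (no "$"), which are never empty, so a
# missing variable was never detected; test the variables' values instead.
# NOTE(review): the header comment names BC_KEY / BC_API_URL, but the script
# reads BC_API_KEY / PRISMA_API_URL - confirm which names are intended.
if [[ -z "${BC_API_KEY}" ]]; then
    echo "BC_API_KEY is missing."
    exit 1
fi

echo "${PRISMA_API_URL}"
if [[ -z "${PRISMA_API_URL}" ]]; then
    echo "PRISMA_API_URL is missing."
    exit 1
fi

# NOTE(review): the header says the working dir should be the checkov project
# dir, yet the script moves one level up before resolving the venv - confirm
# the intended layout. Stop if the directory change fails.
cd .. || exit 1

echo "${VIRTUAL_ENV}"
if [ -n "${VIRTUAL_ENV}" ]; then
    deactivate
fi

# Activate the project's pipenv-managed virtual env; abort if pipenv cannot
# resolve it, instead of sourcing a path built from an empty string.
ENV_PATH=$(pipenv --venv) || exit 1
echo "${ENV_PATH}"
source "${ENV_PATH}/bin/activate"

pwd
working_dir=$(pwd) # should be the path of local checkov project
export PYTHONPATH="$working_dir/checkov:$PYTHONPATH"

prepare_data

# Run integration tests.
echo "running integration tests"
pytest cdk_integration_tests

deactivate
echo "Deleting reports"
delete_reports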
================================================
FILE: cdk_integration_tests/src/python/ALBDropHttpHeaders/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticloadbalancingv2 as elbv2
class MyALBStack(core.Stack):
    """Scan fixture: an application load balancer with invalid-header dropping disabled.

    The ``routing.http.drop_invalid_header_fields.enabled`` attribute is set to
    ``'false'``; judging by the ``fail__1__`` file name this is the
    configuration the ALBDropHttpHeaders check is expected to flag.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        # Define ALB with Load Balancer Attributes
        alb = elbv2.CfnLoadBalancer(
            self, 'MyALB',
            name='my-alb',
            type='application',
            load_balancer_attributes=[
                {
                    'key': 'routing.http.drop_invalid_header_fields.enabled',
                    'value': 'false'  # the attribute value under test
                }
            ]
            # Other properties for your ALB
        )
# Standard CDK app boilerplate: instantiate the stack and synthesize it.
app = core.App()
MyALBStack(app, "MyALBStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ALBDropHttpHeaders/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticloadbalancingv2 as elbv2
class MyALBStack(core.Stack):
    """Scan fixture: an application load balancer with invalid-header dropping enabled.

    The ``routing.http.drop_invalid_header_fields.enabled`` attribute is set to
    ``'true'``; judging by the ``pass`` file name this is the configuration the
    ALBDropHttpHeaders check is expected to accept.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        # Define ALB with Load Balancer Attributes
        alb = elbv2.CfnLoadBalancer(
            self, 'MyALB',
            name='my-alb',
            type='application',
            load_balancer_attributes=[
                {
                    'key': 'routing.http.drop_invalid_header_fields.enabled',
                    'value': 'true'  # the attribute value under test
                }
            ]
            # Other properties for your ALB
        )
# Standard CDK app boilerplate: instantiate the stack and synthesize it.
app = core.App()
MyALBStack(app, "MyALBStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ALBListenerHTTPS/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticloadbalancingv2 as elbv2
class MyListenerStack(core.Stack):
    """Scan fixture: a plain HTTP listener that does not redirect to HTTPS.

    The listener uses ``protocol='HTTP'`` on port 80 and its default action is
    neither a redirect (``'type': 'abc'``) nor targeting HTTPS
    (``'protocol': 'HTTP'`` in ``redirectConfig``); judging by the
    ``fail__1__`` file name this is the configuration the ALBListenerHTTPS
    check is expected to flag.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        # Define HTTPS Redirect Listener
        listener = elbv2.CfnListener(
            self, 'MyHTTPSRedirectListener',
            load_balancer_arn='your-load-balancer-arn',  # Replace with your ALB ARN
            protocol='HTTP',
            port=80,
            default_actions=[{
                'type': 'abc',  # not a 'redirect' action
                'redirectConfig': {
                    'protocol': 'HTTP',  # redirect target stays on HTTP
                }
            }]
            # Other properties for your Redirect Listener
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyListenerStack(app, "MyListenerStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ALBListenerHTTPS/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticloadbalancingv2 as elbv2
class MyListenerStack(core.Stack):
    """Pass fixture for ALBListenerHTTPS: a listener using the HTTPS protocol."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define HTTPS Listener
        listener = elbv2.CfnListener(
            self, 'MyHTTPSListener',
            load_balancer_arn='your-load-balancer-arn', # Replace with your ALB ARN
            # HTTPS on the listener itself is the compliant configuration
            protocol='HTTPS',
            # Other properties for your Listener
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyListenerStack(app, "MyListenerStack")
app.synth()
class MyListenerStack(core.Stack):
    """Pass fixture for ALBListenerHTTPS: an HTTP listener that redirects to HTTPS.

    NOTE(review): this redefines ``MyListenerStack`` declared earlier in the same file,
    so at import time only this definition stays bound to the name.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define HTTPS Redirect Listener
        listener = elbv2.CfnListener(
            self, 'MyHTTPSRedirectListener',
            load_balancer_arn='your-load-balancer-arn', # Replace with your ALB ARN
            protocol='HTTP',
            port=80,
            default_actions=[{
                # a 'redirect' action whose target protocol is HTTPS is the compliant pattern for an HTTP listener
                'type': 'redirect',
                'redirectConfig': {
                    'protocol': 'HTTPS',
                }
            }]
            # Other properties for your Redirect Listener
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyListenerStack(app, "MyListenerStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/APIGatewayAccessLogging/fail__2__.py
================================================
from aws_cdk import aws_apigateway as apigateway
# Fail fixture for APIGatewayAccessLogging: a REST API stage with no `access_log_setting`.
# NOTE(review): this is a module-level statement that references `self` and `CfnTag`, neither of
# which is bound in this file; it only works as a parsed fixture, not as runnable code.
cfn_stage = apigateway.CfnStage(self, "MyCfnStage",
    rest_api_id="restApiId",
    # the properties below are optional
    cache_cluster_enabled=False,
    cache_cluster_size="cacheClusterSize",
    canary_setting=apigateway.CfnStage.CanarySettingProperty(
        deployment_id="deploymentId",
        percent_traffic=123,
        stage_variable_overrides={
            "stage_variable_overrides_key": "stageVariableOverrides"
        },
        use_stage_cache=False
    ),
    client_certificate_id="clientCertificateId",
    deployment_id="deploymentId",
    description="description",
    documentation_version="documentationVersion",
    method_settings=[apigateway.CfnStage.MethodSettingProperty(
        cache_data_encrypted=False,
        cache_ttl_in_seconds=123,
        caching_enabled=False,
        data_trace_enabled=False,
        http_method="httpMethod",
        logging_level="loggingLevel",
        metrics_enabled=False,
        resource_path="resourcePath",
        throttling_burst_limit=123,
        throttling_rate_limit=123
    )],
    stage_name="stageName",
    tags=[CfnTag(
        key="key",
        value="value"
    )],
    tracing_enabled=False,
    variables={
        "variables_key": "variables"
    }
)
from aws_cdk import core
from aws_cdk import aws_serverless as serverless
class ServerlessApiWithAccessLogStack(core.Stack):
    """Fail fixture for APIGatewayAccessLogging: the access log setting has a format but no destination."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a Serverless API
        serverless.Api(
            self, "MyApi",
            default_stage={
                "stage_name": "prod",
                # no destination_arn: the format alone does not deliver logs anywhere
                "access_log_setting": serverless.AccessLogSetting(
                    format=serverless.AccessLogFormat.json_with_standard_fields()
                )
            }
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
ServerlessApiWithAccessLogStack(app, "ServerlessApiWithAccessLogStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/APIGatewayAccessLogging/pass.py
================================================
from aws_cdk import aws_apigateway as apigateway
# Pass fixture for APIGatewayAccessLogging: a REST API stage with `access_log_setting` configured.
# NOTE(review): this is a module-level statement that references `self` and `CfnTag`, neither of
# which is bound in this file; it only works as a parsed fixture, not as runnable code.
cfn_stage = apigateway.CfnStage(self, "MyCfnStage",
    rest_api_id="restApiId",
    # the properties below are optional
    # access logging with a destination ARN is the property the check looks for
    access_log_setting=apigateway.CfnStage.AccessLogSettingProperty(
        destination_arn="destinationArn",
        format="format"
    ),
    cache_cluster_enabled=False,
    cache_cluster_size="cacheClusterSize",
    canary_setting=apigateway.CfnStage.CanarySettingProperty(
        deployment_id="deploymentId",
        percent_traffic=123,
        stage_variable_overrides={
            "stage_variable_overrides_key": "stageVariableOverrides"
        },
        use_stage_cache=False
    ),
    client_certificate_id="clientCertificateId",
    deployment_id="deploymentId",
    description="description",
    documentation_version="documentationVersion",
    method_settings=[apigateway.CfnStage.MethodSettingProperty(
        cache_data_encrypted=False,
        cache_ttl_in_seconds=123,
        caching_enabled=False,
        data_trace_enabled=False,
        http_method="httpMethod",
        logging_level="loggingLevel",
        metrics_enabled=False,
        resource_path="resourcePath",
        throttling_burst_limit=123,
        throttling_rate_limit=123
    )],
    stage_name="stageName",
    tags=[CfnTag(
        key="key",
        value="value"
    )],
    tracing_enabled=False,
    variables={
        "variables_key": "variables"
    }
)
from aws_cdk import core
from aws_cdk import aws_serverless as serverless
class ServerlessApiWithAccessLogStack(core.Stack):
    """Pass fixture for APIGatewayAccessLogging: access logs are sent to a CloudWatch log group."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a Serverless API
        serverless.Api(
            self, "MyApi",
            default_stage={
                "stage_name": "prod",
                "access_log_setting": serverless.AccessLogSetting(
                    # sample log-group ARN; the presence of a destination is what makes this compliant
                    destination_arn="arn:aws:logs:us-east-1:123456789012:log-group/MyLogGroup",
                    format=serverless.AccessLogFormat.json_with_standard_fields()
                )
            }
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
ServerlessApiWithAccessLogStack(app, "ServerlessApiWithAccessLogStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/APIGatewayAuthorization/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_apigateway as apigw
class MyApiGatewayMethodStack(core.Stack):
    """Fail fixture for APIGatewayAuthorization: a GET method with no authorizer and no API key requirement."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create the API Gateway Method based on the conditions
        api_method = apigw.Method(
            self, 'MyApiGatewayMethod',
            http_method='GET', # Replace with your desired HTTP method
            resource=self.node.try_get_context('resource'), # Replace with your API resource
            rest_api=self.node.try_get_context('rest_api'), # Replace with your REST API
            # NONE authorization combined with api_key_required=False leaves the method unauthenticated
            authorization_type=apigw.AuthorizationType.NONE, # Set the AuthorizationType to NONE
            api_key_required=False # Set ApiKeyRequired to false
            # You can add other properties as needed for your method
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyApiGatewayMethodStack(app, "MyApiGatewayMethodStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/APIGatewayAuthorization/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_apigateway as apigw
class MyApiGatewayMethodStack(core.Stack):
    """Pass fixture for APIGatewayAuthorization: an OPTIONS method that requires an API key."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create the API Gateway Method based on the conditions
        api_method = apigw.Method(
            self, 'MyApiGatewayMethod',
            http_method='OPTIONS', # Replace with your desired HTTP method
            resource=self.node.try_get_context('resource'), # Replace with your API resource
            rest_api=self.node.try_get_context('rest_api'), # Replace with your REST API
            authorization_type=apigw.AuthorizationType.NONE, # Set the AuthorizationType to NONE
            api_key_required=True # Set ApiKeyRequired to true
            # You can add other properties as needed for your method
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyApiGatewayMethodStack(app, "MyApiGatewayMethodStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/APIGatewayCacheEnable/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_apigateway as apigateway
from aws_cdk import aws_sam as sam
class MyApiGatewayStack(core.Stack):
    """Fail fixture for APIGatewayCacheEnable: a REST API stage with no cache cluster settings."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an API Gateway stage without cache cluster settings
        api = apigateway.RestApi(
            self,
            "MyApi",
            rest_api_name="MyApiName",
        )
        # cache_cluster_enabled / cache_cluster_size are deliberately omitted
        stage = apigateway.Stage(
            self,
            "MyApiStage",
            stage_name="prod", # Replace with your desired stage name
            deployment=api.latest_deployment,
        )
class MySAMApiStack2(core.Stack):
    """Fail fixture for APIGatewayCacheEnable: a SAM API with no cache cluster settings."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a Serverless API without cache cluster settings
        sam_api = sam.CfnApi(
            self,
            "MySAMApi",
            stage_name="prod", # Specify the stage name
            # minimal OpenAPI document so the API has at least one path
            definition_body={
                "openapi": "3.0.1",
                "info": {
                    "title": "MyAPI",
                },
                "paths": {
                    "/example": {
                        "get": {
                            "responses": {
                                "200": {
                                    "description": "A sample response",
                                },
                            },
                        },
                    },
                },
            },
        )
================================================
FILE: cdk_integration_tests/src/python/APIGatewayCacheEnable/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_apigateway as apigateway
from aws_cdk import aws_sam as sam
class MyApiGatewayStack(core.Stack):
    """Pass fixture for APIGatewayCacheEnable: a REST API stage with the cache cluster enabled."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an API Gateway stage with cache cluster enabled
        api = apigateway.RestApi(
            self,
            "MyApi",
            rest_api_name="MyApiName",
        )
        stage = apigateway.Stage(
            self,
            "MyApiStage",
            stage_name="prod", # Replace with your desired stage name
            deployment=api.latest_deployment,
            cache_cluster_enabled=True, # Enable cache cluster
            cache_cluster_size="0.5", # Specify the cache cluster size
        )
class MySAMApiStack2(core.Stack):
    """Pass fixture for APIGatewayCacheEnable: a SAM API with the cache cluster enabled."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a Serverless API with cache cluster enabled
        sam_api = sam.CfnApi(
            self,
            "MySAMApi",
            # NOTE(review): these two keywords are camelCase while the neighbouring `stage_name` is
            # snake_case; confirm this is the spelling the check matches rather than a typo
            cacheClusterEnabled=True, # Enable cache cluster
            cacheClusterSize="0.5", # Specify the cache cluster size
            stage_name="prod", # Specify the stage name
            # minimal OpenAPI document so the API has at least one path
            definition_body={
                "openapi": "3.0.1",
                "info": {
                    "title": "MyAPI",
                },
                "paths": {
                    "/example": {
                        "get": {
                            "responses": {
                                "200": {
                                    "description": "A sample response",
                                },
                            },
                        },
                    },
                },
            },
        )
================================================
FILE: cdk_integration_tests/src/python/APIGatewayV2AccessLogging/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_apigatewayv2 as apigatewayv2
class MyApiGatewayV2StageStack(core.Stack):
    """Fail fixture for APIGatewayV2AccessLogging: an HTTP API stage with no access log settings."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define API Gateway V2 Stage without AccessLogSettings/DestinationArn
        api_stage = apigatewayv2.CfnStage(
            self, 'MyApiGatewayV2Stage',
            api_id='api_id_here', # Replace with your API ID
            stage_name='myStage',
            # Add other properties as needed for your stage
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyApiGatewayV2StageStack(app, "MyApiGatewayV2StageStack")
app.synth()
from aws_cdk import core
from aws_cdk import aws_apigatewayv2 as apigatewayv2
class MyServerlessHttpApiStack2(core.Stack):
    """Fail fixture for APIGatewayV2AccessLogging: an HTTP API with no access log settings."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define a Serverless HTTP API without access log settings
        serverless_api = apigatewayv2.CfnApi(
            self, 'MyServerlessHttpApi',
            name='MyHTTPAPI',
            protocol_type='HTTP',
            # Add other properties as needed for your HTTP API
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyServerlessHttpApiStack2(app, "MyServerlessHttpApiStack2")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/APIGatewayV2AccessLogging/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_apigatewayv2 as apigatewayv2
class MyApiGatewayV2StageStack(core.Stack):
    """Pass fixture for APIGatewayV2AccessLogging: an HTTP API stage that ships access logs to a log group."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define API Gateway V2 Stage with AccessLogSettings/DestinationArn set
        api_stage = apigatewayv2.CfnStage(
            self, 'MyApiGatewayV2Stage',
            api_id='api_id_here', # Replace with your API ID
            stage_name='myStage',
            # a destination ARN is what distinguishes this from the fail fixture
            access_log_settings=apigatewayv2.CfnStage.AccessLogSettingsProperty(
                destination_arn='arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME'
                # Replace with the actual DestinationArn value
            )
            # Add other properties as needed for your stage
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyApiGatewayV2StageStack(app, "MyApiGatewayV2StageStack")
app.synth()
from aws_cdk import core
from aws_cdk import aws_apigatewayv2 as apigatewayv2
class MyServerlessHttpApiStack2(core.Stack):
    """Pass fixture for APIGatewayV2AccessLogging: an HTTP API with access log settings."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define a Serverless HTTP API with access log settings
        serverless_api = apigatewayv2.CfnApi(
            self, 'MyServerlessHttpApi',
            name='MyHTTPAPI',
            protocol_type='HTTP',
            # a destination ARN is what distinguishes this from the fail fixture
            access_log_settings=apigatewayv2.CfnApi.AccessLogSettingsProperty(
                destination_arn='arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME'
                # Replace with the actual DestinationArn value
            )
            # Add other properties as needed for your HTTP API
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyServerlessHttpApiStack2(app, "MyServerlessHttpApiStack2")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/APIGatewayXray/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_apigateway as apigateway
from aws_cdk import aws_apigatewayv2 as apigatewayv2
class MyApiGatewayStageStack(core.Stack):
    """Fail fixture for APIGatewayXray: a REST API stage with X-Ray tracing disabled."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define API Gateway Stage with Tracing Disabled
        apigateway.CfnStage(
            self, 'MyApiGatewayStage',
            stage_name='my-stage',
            rest_api_id='your-rest-api-id', # Replace with your RestApi Id
            tracing_enabled=False
            # Other properties for your API Gateway Stage
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyApiGatewayStageStack(app, "MyApiGatewayStageStack")
app.synth()
class MyServerlessApiStack(core.Stack):
    """Fail fixture for APIGatewayXray: an HTTP API stage with X-Ray tracing disabled."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Serverless API with Tracing Disabled
        api = apigatewayv2.CfnApi(
            self, 'MyServerlessApi',
            name='my-serverless-api',
            protocol_type='HTTP'
            # Other properties for your Serverless API
        )
        stage = apigatewayv2.CfnStage(
            self, 'MyServerlessApiStage',
            api_id=api.ref,
            stage_name='my-stage',
            tracing_enabled=False
            # Other properties for your API Gatewayv2 Stage
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyServerlessApiStack(app, "MyServerlessApiStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/APIGatewayXray/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_apigateway as apigateway
from aws_cdk import aws_apigatewayv2 as apigatewayv2
class MyApiGatewayStageStack(core.Stack):
    """Pass fixture for APIGatewayXray: a REST API stage with X-Ray tracing enabled."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define API Gateway Stage with Tracing Enabled
        apigateway.CfnStage(
            self, 'MyApiGatewayStage',
            stage_name='my-stage',
            rest_api_id='your-rest-api-id', # Replace with your RestApi Id
            tracing_enabled=True
            # Other properties for your API Gateway Stage
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyApiGatewayStageStack(app, "MyApiGatewayStageStack")
app.synth()
class MyServerlessApiStack(core.Stack):
    """Pass fixture for APIGatewayXray: an HTTP API stage with X-Ray tracing enabled."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Serverless API with Tracing Enabled
        api = apigatewayv2.CfnApi(
            self, 'MyServerlessApi',
            name='my-serverless-api',
            protocol_type='HTTP'
            # Other properties for your Serverless API
        )
        stage = apigatewayv2.CfnStage(
            self, 'MyServerlessApiStage',
            api_id=api.ref,
            stage_name='my-stage',
            tracing_enabled=True
            # Other properties for your API Gatewayv2 Stage
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyServerlessApiStack(app, "MyServerlessApiStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/AmazonMQBrokerPublicAccess/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_amazonmq as amazonmq
class AmazonMQStack(core.Stack):
    """Fail fixture for AmazonMQBrokerPublicAccess: a broker that is publicly accessible."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an Amazon MQ broker with PubliclyAccessible set to true
        amazonmq_broker = amazonmq.CfnBroker(
            self,
            "MyAmazonMQBroker",
            broker_name="my-amazon-mq-broker",
            engine_type="ACTIVEMQ",
            host_instance_type="mq.t2.micro",
            publicly_accessible=True, # Set PubliclyAccessible to true (the misconfiguration under test)
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
AmazonMQStack(app, "AmazonMQStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/AmazonMQBrokerPublicAccess/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_amazonmq as amazonmq
class AmazonMQStack(core.Stack):
    """Pass fixture for AmazonMQBrokerPublicAccess: a broker that is not publicly accessible."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an Amazon MQ broker with PubliclyAccessible set to false
        amazonmq_broker = amazonmq.CfnBroker(
            self,
            "MyAmazonMQBroker",
            broker_name="my-amazon-mq-broker",
            engine_type="ACTIVEMQ",
            host_instance_type="mq.t2.micro",
            publicly_accessible=False, # Set PubliclyAccessible to false
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
AmazonMQStack(app, "AmazonMQStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/AppSyncFieldLevelLogs/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_appsync as appsync
class AppSyncStack(core.Stack):
    """Fail fixture for AppSyncFieldLevelLogs: a GraphQL API whose log config sets no field log level."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define the GraphQL API using CfnGraphQLApi
        graphql_api = appsync.CfnGraphQLApi(
            self,
            "AppSyncGraphQLApi",
            name="MyAppSyncAPI",
            authentication_type="API_KEY", # You can change the authentication type
            # field_log_level is deliberately omitted here
            log_config=appsync.CfnGraphQLApi.LogConfigProperty(
                cloud_watch_logs_role_arn="cloudWatchLogsRoleArn",
                exclude_verbose_content=False,
            ),
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
AppSyncStack(app, "AppSyncStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/AppSyncFieldLevelLogs/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_appsync as appsync
class AppSyncStack(core.Stack):
    """Pass fixture for AppSyncFieldLevelLogs: a GraphQL API logging all field resolvers."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define the GraphQL API using CfnGraphQLApi
        graphql_api = appsync.CfnGraphQLApi(
            self,
            "AppSyncGraphQLApi",
            name="MyAppSyncAPI",
            authentication_type="API_KEY", # You can change the authentication type
            log_config=appsync.CfnGraphQLApi.LogConfigProperty(
                cloud_watch_logs_role_arn="cloudWatchLogsRoleArn",
                exclude_verbose_content=False,
                # ALL is the field-level logging setting the check expects
                field_log_level=appsync.FieldLogLevel.ALL
            ),
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
AppSyncStack(app, "AppSyncStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/AppSyncLogging/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_appsync as appsync
class AppSyncStack(core.Stack):
    """Fail fixture for AppSyncLogging: a log config without a CloudWatch Logs role ARN."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define the GraphQL API using CfnGraphQLApi
        graphql_api = appsync.CfnGraphQLApi(
            self,
            "AppSyncGraphQLApi",
            name="MyAppSyncAPI",
            authentication_type="API_KEY", # You can change the authentication type
            # cloud_watch_logs_role_arn is deliberately omitted here
            log_config=appsync.CfnGraphQLApi.LogConfigProperty(
                exclude_verbose_content=False,
                field_log_level="fieldLogLevel"
            ),
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
AppSyncStack(app, "AppSyncStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/AppSyncLogging/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_appsync as appsync
class AppSyncStack(core.Stack):
    """Pass fixture for AppSyncLogging: a log config with a CloudWatch Logs role ARN and a field log level."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define the GraphQL API using CfnGraphQLApi
        graphql_api = appsync.CfnGraphQLApi(
            self,
            "AppSyncGraphQLApi",
            name="MyAppSyncAPI",
            authentication_type="API_KEY", # You can change the authentication type
            log_config=appsync.CfnGraphQLApi.LogConfigProperty(
                # the role ARN is what distinguishes this from the fail fixture
                cloud_watch_logs_role_arn="cloudWatchLogsRoleArn",
                exclude_verbose_content=False,
                field_log_level="fieldLogLevel"
            ),
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
AppSyncStack(app, "AppSyncStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/AthenaWorkgroupConfiguration/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_athena as athena
class AthenaStack(core.Stack):
    """Fail fixture for AthenaWorkgroupConfiguration: a workgroup that does not enforce its configuration."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an Athena WorkGroup
        workgroup = athena.CfnWorkGroup(
            self,
            "MyAthenaWorkGroup",
            name="my-workgroup",
            description="My Athena WorkGroup",
            state="ENABLED", # You can change the state
            work_group_configuration=athena.CfnWorkGroup.WorkGroupConfigurationProperty(
                additional_configuration="additionalConfiguration",
                bytes_scanned_cutoff_per_query=123,
                customer_content_encryption_configuration=athena.CfnWorkGroup.CustomerContentEncryptionConfigurationProperty(
                    kms_key="kmsKey"
                ),
                # False lets client-side settings override the workgroup configuration (the misconfiguration under test)
                enforce_work_group_configuration=False,
            )
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
AthenaStack(app, "AthenaStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/AthenaWorkgroupConfiguration/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_athena as athena
class AthenaStack(core.Stack):
    """Pass fixture for AthenaWorkgroupConfiguration: a workgroup that enforces its configuration."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an Athena WorkGroup
        workgroup = athena.CfnWorkGroup(
            self,
            "MyAthenaWorkGroup",
            name="my-workgroup",
            description="My Athena WorkGroup",
            state="ENABLED", # You can change the state
            work_group_configuration=athena.CfnWorkGroup.WorkGroupConfigurationProperty(
                additional_configuration="additionalConfiguration",
                bytes_scanned_cutoff_per_query=123,
                customer_content_encryption_configuration=athena.CfnWorkGroup.CustomerContentEncryptionConfigurationProperty(
                    kms_key="kmsKey"
                ),
                # True is the compliant value: workgroup settings cannot be overridden per query
                enforce_work_group_configuration=True,
            )
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
AthenaStack(app, "AthenaStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/AuroraEncryption/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_rds as rds
class MyDBClusterStack(core.Stack):
    """Fail fixture for AuroraEncryption: a serverless Aurora cluster with storage encryption off."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define RDS Aurora Serverless DB cluster
        my_db_cluster = rds.CfnDBCluster(
            self, 'MyDBCluster',
            engine='aurora', # Change this to your desired engine type
            engine_mode='serverless',
            storage_encrypted=False, # the misconfiguration under test
            # Other properties for your DB cluster
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyDBClusterStack(app, "MyDBClusterStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/AuroraEncryption/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_rds as rds
class MyDBClusterStack(core.Stack):
    """Pass fixture for AuroraEncryption: a serverless Aurora cluster with storage encryption on."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define RDS Aurora Serverless DB cluster
        my_db_cluster = rds.CfnDBCluster(
            self, 'MyDBCluster',
            engine='aurora', # Change this to your desired engine type
            engine_mode='serverless',
            storage_encrypted=True, # encryption at rest enabled
            # Other properties for your DB cluster
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyDBClusterStack(app, "MyDBClusterStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/BackupVaultEncrypted/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_backup as backup
class MyBackupStack(core.Stack):
    """Fail fixture for BackupVaultEncrypted: a backup vault with no customer-managed encryption key."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a Backup Vault without an encryption key ARN
        backup_vault = backup.CfnBackupVault(
            self,
            "MyBackupVault",
            name="MyBackupVault",
        )
================================================
FILE: cdk_integration_tests/src/python/BackupVaultEncrypted/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_backup as backup
class MyBackupStack(core.Stack):
    """Pass fixture for BackupVaultEncrypted: a backup vault that specifies an encryption key ARN."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Replace 'your-encryption-key-arn' with the actual KMS key ARN you want to use
        encryption_key_arn = 'your-encryption-key-arn'
        # Create a Backup Vault with the specified encryption key ARN
        backup_vault = backup.CfnBackupVault(
            self,
            "MyBackupVault",
            name="MyBackupVault",
            encryption_key_arn=encryption_key_arn,
        )
================================================
FILE: cdk_integration_tests/src/python/CloudFrontTLS12/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_cloudfront as cloudfront
class MyCloudFrontDistributionStack(core.Stack):
    """Fail fixture for CloudFrontTLS12: a distribution whose minimum viewer protocol is TLSv1.1."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        distribution = cloudfront.CfnDistribution(
            self, 'MyCloudFrontDistribution',
            distribution_config=cloudfront.CfnDistribution.DistributionConfigProperty(
                viewer_certificate=cloudfront.CfnDistribution.ViewerCertificateProperty(
                    cloudfront_default_certificate=False,
                    # TLSv1.1 is below the TLSv1.2 floor the check requires
                    minimum_protocol_version='TLSv1.1' # Define the minimum supported TLS version
                ),
                # Other distribution configuration properties
            )
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyCloudFrontDistributionStack(app, "MyCloudFrontDistributionStack")
app.synth()
class MyCloudFrontDistributionStack2(core.Stack):
    """Fail fixture for CloudFrontTLS12: a distribution whose minimum viewer protocol is TLSv1.0."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        distribution = cloudfront.CfnDistribution(
            self, 'MyCloudFrontDistribution',
            distribution_config=cloudfront.CfnDistribution.DistributionConfigProperty(
                viewer_certificate=cloudfront.CfnDistribution.ViewerCertificateProperty(
                    cloudfront_default_certificate=False,
                    # TLSv1.0 is below the TLSv1.2 floor the check requires
                    minimum_protocol_version='TLSv1.0' # Define the minimum supported TLS version
                ),
                # Other distribution configuration properties
            )
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyCloudFrontDistributionStack2(app, "MyCloudFrontDistributionStack2")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/CloudFrontTLS12/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_cloudfront as cloudfront
class MyCloudFrontDistributionStack(core.Stack):
    """Pass fixture for CloudFrontTLS12: a distribution whose minimum viewer protocol is TLSv1.2."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        distribution = cloudfront.CfnDistribution(
            self, 'MyCloudFrontDistribution',
            distribution_config=cloudfront.CfnDistribution.DistributionConfigProperty(
                viewer_certificate=cloudfront.CfnDistribution.ViewerCertificateProperty(
                    cloudfront_default_certificate=False,
                    # TLSv1.2 is the compliant floor for viewer connections
                    minimum_protocol_version='TLSv1.2' # Define the minimum supported TLS version
                ),
                # Other distribution configuration properties
            )
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyCloudFrontDistributionStack(app, "MyCloudFrontDistributionStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/CloudTrailLogValidation/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_cloudtrail as cloudtrail
from aws_cdk import aws_iam as iam
class CloudTrailStack(core.Stack):
    """Fail fixture for CloudTrailLogValidation: a trail with log file validation disabled."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an AWS CloudTrail trail using CfnTrail
        trail = cloudtrail.CfnTrail(
            self,
            "MyCloudTrail",
            is_logging=True,
            # False disables digest files, so tampering with delivered logs cannot be detected
            enable_log_file_validation=False,
            # NOTE(review): `management_events` reads like an L2 `Trail` prop; confirm the L1
            # CfnTrail accepts it — harmless for a parsed fixture either way
            management_events=[
                cloudtrail.ReadWriteType.WRITE_ONLY,
            ],
            include_global_service_events=True,
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
CloudTrailStack(app, "CloudTrailStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/CloudTrailLogValidation/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_cloudtrail as cloudtrail
from aws_cdk import aws_iam as iam
class CloudTrailStack(core.Stack):
    """Pass fixture for CloudTrailLogValidation: a trail with log file validation enabled."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an AWS CloudTrail trail using CfnTrail
        trail = cloudtrail.CfnTrail(
            self,
            "MyCloudTrail",
            is_logging=True,
            enable_log_file_validation=True, # Enable log file validation
            # NOTE(review): `management_events` reads like an L2 `Trail` prop; confirm the L1
            # CfnTrail accepts it — harmless for a parsed fixture either way
            management_events=[
                cloudtrail.ReadWriteType.WRITE_ONLY,
            ],
            include_global_service_events=True,
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
CloudTrailStack(app, "CloudTrailStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/CloudWatchLogGroupKMSKey/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_logs as logs
class MyBadLogGroupStack(core.Stack):
    """Fail fixture for CloudWatchLogGroupKMSKey: a log group with no customer-managed KMS key."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a CloudWatch Logs log group without specifying KMS key
        log_group = logs.LogGroup(
            self,
            "MyBadLogGroup",
            log_group_name="MyLogGroupName",
            retention=logs.RetentionDays.ONE_MONTH, # Set the retention policy as needed
            # KMS key is not specified
        )
================================================
FILE: cdk_integration_tests/src/python/CloudWatchLogGroupKMSKey/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_logs as logs
class MyLogGroupStack(core.Stack):
    """Pass fixture for CloudWatchLogGroupKMSKey: a log group that specifies a KMS key."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a CloudWatch Logs log group with KMS key ID
        log_group = logs.LogGroup(
            self,
            "MyLogGroup",
            log_group_name="MyLogGroupName",
            retention=logs.RetentionDays.ONE_MONTH, # Set the retention policy as needed
            # NOTE(review): `1` is presumably a placeholder so the key is merely present for the
            # parser; the L2 construct would expect a key object — confirm before running it
            kms_key=1, # Specify the KMS key
        )
================================================
FILE: cdk_integration_tests/src/python/CloudWatchLogGroupRetention/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_logs as logs
class MyLogGroupStack(core.Stack):
    """Fail fixture for CloudWatchLogGroupRetention: a log group with no retention period."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define CloudWatch Logs Log Group without a Retention Period
        logs.CfnLogGroup(
            self, 'MyLogGroup',
            log_group_name='my-log-group',
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyLogGroupStack(app, "MyLogGroupStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/CloudWatchLogGroupRetention/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_logs as logs
class MyLogGroupStack(core.Stack):
    """Pass fixture for CloudWatchLogGroupRetention: a log group with a retention period set."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define CloudWatch Logs Log Group with Retention Period
        logs.CfnLogGroup(
            self, 'MyLogGroup',
            log_group_name='my-log-group',
            retention_in_days=30 # Replace with your desired retention period in days
            # Other properties for your Log Group
        )
# Build the CDK app, add the stack and synthesize it.
app = core.App()
MyLogGroupStack(app, "MyLogGroupStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/CloudfrontDistributionEncryption/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_cloudfront as cloudfront
class MyCloudFrontDistributionStack(core.Stack):
    """Fail fixture for CloudfrontDistributionEncryption: default cache behavior allows plain HTTP."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define CloudFront Distribution with ViewerProtocolPolicy set to allow_all
        distribution = cloudfront.CfnDistribution(
            self, 'MyCloudFrontDistribution',
            distribution_config=cloudfront.CfnDistribution.DistributionConfigProperty(
                default_cache_behavior=cloudfront.CfnDistribution.DefaultCacheBehaviorProperty(
                    # 'allow-all' serves viewers over HTTP as well as HTTPS (the misconfiguration under test)
                    viewer_protocol_policy='allow-all'
                ),
                # Add other properties for the distribution config as needed
            )
        )
# Instantiate the first stack under an App and synthesize it.
app = core.App()
MyCloudFrontDistributionStack(app, "MyCloudFrontDistributionStack")
app.synth()
# Fixture for CloudfrontDistributionEncryption (fail case 2): a non-default cache
# behavior allows plain HTTP ('allow-all').
class MyCloudFrontDistributionStack2(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define CloudFront Distribution with CacheBehavior and ViewerProtocolPolicy allow-all
        distribution = cloudfront.CfnDistribution(
            self, 'MyCloudFrontDistribution',
            distribution_config=cloudfront.CfnDistribution.DistributionConfigProperty(
                cache_behaviors=[
                    cloudfront.CfnDistribution.CacheBehaviorProperty(
                        path_pattern='/path-to-cache',
                        target_origin_id='my-target-origin-id',
                        viewer_protocol_policy='allow-all'  # the value the check flags
                    )
                ],
                # Other distribution configuration properties
            )
        )
# Instantiate the second stack under a fresh App and synthesize it.
app = core.App()
MyCloudFrontDistributionStack2(app, "MyCloudFrontDistributionStack2")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/CloudfrontDistributionEncryption/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_cloudfront as cloudfront
# Fixture for CloudfrontDistributionEncryption (pass case 1): the default cache
# behavior uses a viewer_protocol_policy other than 'allow-all'.
class MyCloudFrontDistributionStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define CloudFront Distribution with ViewerProtocolPolicy NOT set to allow-all
        distribution = cloudfront.CfnDistribution(
            self, 'MyCloudFrontDistribution',
            distribution_config=cloudfront.CfnDistribution.DistributionConfigProperty(
                default_cache_behavior=cloudfront.CfnDistribution.DefaultCacheBehaviorProperty(
                    viewer_protocol_policy='abc'  # placeholder; anything but 'allow-all' passes
                ),
                # Add other properties for the distribution config as needed
            )
        )
# Instantiate the first stack under an App and synthesize it.
app = core.App()
MyCloudFrontDistributionStack(app, "MyCloudFrontDistributionStack")
app.synth()
# Fixture for CloudfrontDistributionEncryption (pass case 2): a non-default cache
# behavior with no viewer_protocol_policy at all.
class MyCloudFrontDistributionStack2(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define CloudFront Distribution with a CacheBehavior that omits ViewerProtocolPolicy
        distribution = cloudfront.CfnDistribution(
            self, 'MyCloudFrontDistribution',
            distribution_config=cloudfront.CfnDistribution.DistributionConfigProperty(
                cache_behaviors=[
                    cloudfront.CfnDistribution.CacheBehaviorProperty(
                        path_pattern='/path-to-cache',
                        target_origin_id='my-target-origin-id',
                    )
                ],
                # Other distribution configuration properties
            )
        )
# Instantiate the second stack under a fresh App and synthesize it.
app = core.App()
MyCloudFrontDistributionStack2(app, "MyCloudFrontDistributionStack2")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/CloudfrontDistributionLogging/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_cloudfront as cloudfront
# Fixture for CloudfrontDistributionLogging (fail case): CfnDistribution declared
# with no distribution_config and therefore no logging settings.
class MyCloudFrontDistributionStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define CloudFront Distribution WITHOUT logging settings
        distribution = cloudfront.CfnDistribution(
            self, 'MyCloudFrontDistribution',
        )
# Instantiate the stack under an App and synthesize it.
app = core.App()
MyCloudFrontDistributionStack(app, "MyCloudFrontDistributionStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/CloudfrontDistributionLogging/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_cloudfront as cloudfront
# Fixture for CloudfrontDistributionLogging (pass case): CfnDistribution with a
# LoggingProperty that names a bucket.
class MyCloudFrontDistributionStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define CloudFront Distribution with logging settings
        distribution = cloudfront.CfnDistribution(
            self, 'MyCloudFrontDistribution',
            distribution_config=cloudfront.CfnDistribution.DistributionConfigProperty(
                logging=cloudfront.CfnDistribution.LoggingProperty(
                    bucket='arn:aws:s3:::my-cloudfront-logs-bucket'  # Replace with your S3 bucket ARN
                ),
                # Other distribution configuration properties
            )
        )
# Instantiate the stack under an App and synthesize it.
app = core.App()
MyCloudFrontDistributionStack(app, "MyCloudFrontDistributionStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/CloudtrailEncryption/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_cloudtrail as cloudtrail
# Fixture for CloudtrailEncryption (fail case): CfnTrail declared without a
# kms_key_id.
class MyCloudTrailTrailStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define CloudTrail Trail WITHOUT a KMS Key ID (the sibling pass.py sets kms_key_id)
        cloudtrail.CfnTrail(
            self, 'MyCloudTrail',
        )
# Instantiate the stack under an App and synthesize it.
app = core.App()
MyCloudTrailTrailStack(app, "MyCloudTrailTrailStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/CloudtrailEncryption/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_cloudtrail as cloudtrail
# Fixture for CloudtrailEncryption (pass case): CfnTrail declared with a
# kms_key_id.
class MyCloudTrailTrailStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define CloudTrail Trail with a specific KMS Key ID
        cloudtrail.CfnTrail(
            self, 'MyCloudTrail',
            kms_key_id='arn:aws:kms:REGION:ACCOUNT_ID:key/KMS_KEY_ID',  # Replace with your KMS Key ID ARN
            # Other properties for your CloudTrail Trail
        )
# Instantiate the stack under an App and synthesize it.
app = core.App()
MyCloudTrailTrailStack(app, "MyCloudTrailTrailStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/CloudtrailMultiRegion/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_cloudtrail as cloudtrail
# Fixture for CloudtrailMultiRegion (fail case): an L2 Trail with
# is_multi_region_trail explicitly False.
class MyCloudTrailStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define CloudTrail Trail with IsMultiRegionTrail set to False
        cloudtrail.Trail(
            self, 'MyCloudTrail',
            is_multi_region_trail=False,  # the value the check flags
            # Other properties as needed for your CloudTrail Trail
        )
# Instantiate the stack under an App and synthesize it.
app = core.App()
MyCloudTrailStack(app, "MyCloudTrailStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/CloudtrailMultiRegion/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_cloudtrail as cloudtrail
# Fixture for CloudtrailMultiRegion (pass case): an L2 Trail with
# is_multi_region_trail True.
class MyCloudTrailStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define CloudTrail Trail with IsMultiRegionTrail set to True
        cloudtrail.Trail(
            self, 'MyCloudTrail',
            is_multi_region_trail=True,
            # Other properties as needed for your CloudTrail Trail
        )
# Instantiate the stack under an App and synthesize it.
app = core.App()
MyCloudTrailStack(app, "MyCloudTrailStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/CodeBuildProjectEncryption/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_codebuild as codebuild
# Fixture for CodeBuildProjectEncryption (fail case): S3 artifacts with
# encryption_disabled=True.
class MyCodeBuildProjectStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define a CodeBuild project with S3 artifacts and encryption disabled
        my_project = codebuild.Project(
            self, 'MyCodeBuildProject',
            project_name='MyProject',
            source=codebuild.Source.git_hub(owner='owner', repo='repo'),
            artifacts=codebuild.Artifacts(
                type=codebuild.ArtifactsType.S3,
                encryption_disabled=True  # the combination (S3 + disabled) the check flags
            ),
            environment=codebuild.BuildEnvironment(build_image=codebuild.LinuxBuildImage.STANDARD_5_0),
        )
# Instantiate the stack under an App and synthesize it.
app = core.App()
MyCodeBuildProjectStack(app, "MyCodeBuildProjectStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/CodeBuildProjectEncryption/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_codebuild as codebuild
# Fixture for CodeBuildProjectEncryption (pass case 1): S3 artifacts with
# encryption_disabled=False.
class MyCodeBuildProjectStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define a CodeBuild project with S3 artifacts and encryption ENABLED
        my_project = codebuild.Project(
            self, 'MyCodeBuildProject',
            project_name='MyProject',
            source=codebuild.Source.git_hub(owner='owner', repo='repo'),
            artifacts=codebuild.Artifacts(
                type=codebuild.ArtifactsType.S3,
                encryption_disabled=False
            ),
            environment=codebuild.BuildEnvironment(build_image=codebuild.LinuxBuildImage.STANDARD_5_0),
        )
# Instantiate the first stack under an App and synthesize it.
app = core.App()
MyCodeBuildProjectStack(app, "MyCodeBuildProjectStack")
app.synth()
# Fixture for CodeBuildProjectEncryption (pass case 2): encryption_disabled=True
# but no artifact type. Being a pass case, presumably the check only applies when
# type is S3 (compare the sibling fail__1__.py) — confirm against the check.
class MyCodeBuildProjectStack2(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define a CodeBuild project whose artifacts have no explicit type
        my_project = codebuild.Project(
            self, 'MyCodeBuildProject',
            project_name='MyProject',
            source=codebuild.Source.git_hub(owner='owner', repo='repo'),
            artifacts=codebuild.Artifacts(
                encryption_disabled=True
            ),
            environment=codebuild.BuildEnvironment(build_image=codebuild.LinuxBuildImage.STANDARD_5_0),
        )
# Instantiate the second stack under a fresh App and synthesize it.
app = core.App()
MyCodeBuildProjectStack2(app, "MyCodeBuildProjectStack2")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/DAXEncryption/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_dax as dax
# Fixture for DAXEncryption (fail case): CfnCluster declared without an
# sse_specification.
class DAXClusterStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a DAX cluster WITHOUT server-side encryption settings
        # (the sibling pass.py adds sse_specification)
        dax_cluster = dax.CfnCluster(
            self, "MyDAXCluster",
            cluster_name="MyDAXCluster",
            description="My DAX Cluster",
            iam_role_arn="arn:aws:iam::123456789012:role/DAXServiceRole",
            node_type="dax.r5.large",
            replication_factor=2,
        )
# Instantiate the stack under an App and synthesize it.
app = core.App()
DAXClusterStack(app, "DAXClusterStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/DAXEncryption/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_dax as dax
# Fixture for DAXEncryption (pass case): CfnCluster with an SSESpecificationProperty
# that has enabled=True.
class DAXClusterStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a DAX cluster with server-side encryption enabled
        dax_cluster = dax.CfnCluster(
            self, "MyDAXCluster",
            cluster_name="MyDAXCluster",
            description="My DAX Cluster",
            iam_role_arn="arn:aws:iam::123456789012:role/DAXServiceRole",
            node_type="dax.r5.large",
            replication_factor=2,
            sse_specification=dax.CfnCluster.SSESpecificationProperty(
                enabled=True,  # Enable server-side encryption
                kms_key_id="arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id"  # placeholder ARN
            )
        )
# Instantiate the stack under an App and synthesize it.
app = core.App()
DAXClusterStack(app, "DAXClusterStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/DMSReplicationInstancePubliclyAccessible/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_dms as dms
# Fixture for DMSReplicationInstancePubliclyAccessible (fail case):
# publicly_accessible=True.
class MyDMSReplicationInstanceStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define DMS Replication Instance with PubliclyAccessible set to True
        dms.ReplicationInstance(
            self, 'MyDMSReplicationInstance',
            replication_instance_identifier='MyReplicationInstance',
            allocated_storage=100,
            engine_version='3.4.3',
            publicly_accessible=True  # the value the check flags
            # Add other properties as needed for your replication instance
        )
# Instantiate the stack under an App and synthesize it.
app = core.App()
MyDMSReplicationInstanceStack(app, "MyDMSReplicationInstanceStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/DMSReplicationInstancePubliclyAccessible/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_dms as dms
# Fixture for DMSReplicationInstancePubliclyAccessible (pass case):
# publicly_accessible=False.
class MyDMSReplicationInstanceStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define DMS Replication Instance with PubliclyAccessible set to False
        dms.ReplicationInstance(
            self, 'MyDMSReplicationInstance',
            replication_instance_identifier='MyReplicationInstance',
            allocated_storage=100,
            engine_version='3.4.3',
            publicly_accessible=False  # Set PubliclyAccessible to False
            # Add other properties as needed for your replication instance
        )
# Instantiate the stack under an App and synthesize it.
app = core.App()
MyDMSReplicationInstanceStack(app, "MyDMSReplicationInstanceStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/DocDBAuditLogs/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_docdb as docdb
# Fixture for DocDBAuditLogs (fail case): a cluster parameter group whose
# audit_logs parameter is "disabled".
class DocDBStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define the DocDB Cluster Parameter Group with audit logging disabled
        db_parameter_group = docdb.CfnDBClusterParameterGroup(
            self,
            "DocDBClusterParameterGroup",
            description="Custom DocDB Cluster Parameter Group",
            family="docdb4.0",
            parameters={
                "audit_logs": "disabled",  # the value the check flags
            }
        )
# Instantiate the stack under an App and synthesize it.
app = core.App()
DocDBStack(app, "DocDBStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/DocDBAuditLogs/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_docdb as docdb
# Fixture for DocDBAuditLogs (pass case): a cluster parameter group whose
# audit_logs parameter is "enabled".
class DocDBStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define the DocDB Cluster Parameter Group with audit logging enabled
        db_parameter_group = docdb.CfnDBClusterParameterGroup(
            self,
            "DocDBClusterParameterGroup",
            description="Custom DocDB Cluster Parameter Group",
            family="docdb4.0",
            parameters={
                "audit_logs": "enabled",
            }
        )
# Instantiate the stack under an App and synthesize it.
app = core.App()
DocDBStack(app, "DocDBStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/DocDBEncryption/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_docdb as docdb
# Fixture for DocDBEncryption (fail case): CfnDBCluster declared without
# storage_encrypted.
class MyDocDBClusterStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an Amazon DocumentDB cluster with storage encryption not set
        # (the sibling pass.py adds storage_encrypted=True)
        docdb_cluster = docdb.CfnDBCluster(
            self,
            "MyDocDBCluster",
            db_cluster_identifier="my-docdb-cluster",
            master_username="admin",
            master_user_password="mypassword",  # checkov:skip=CKV_SECRET_6 test secret
            availability_zones=["us-east-1a", "us-east-1b"],  # Specify the availability zones
            port=27017,  # Specify the port as needed
        )
================================================
FILE: cdk_integration_tests/src/python/DocDBEncryption/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_docdb as docdb
# Fixture for DocDBEncryption (pass case): CfnDBCluster with
# storage_encrypted=True.
class MyDocDBClusterStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an Amazon DocumentDB cluster with storage encryption enabled
        docdb_cluster = docdb.CfnDBCluster(
            self,
            "MyDocDBCluster",
            db_cluster_identifier="my-docdb-cluster",
            master_username="admin",
            master_user_password="mypassword",  # checkov:skip=CKV_SECRET_6 test secret
            storage_encrypted=True,  # Enable storage encryption
            availability_zones=["us-east-1a", "us-east-1b"],  # Specify the availability zones
            port=27017,  # Specify the port as needed
        )
================================================
FILE: cdk_integration_tests/src/python/DocDBTLS/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_docdb as docdb
# Fixture for DocDBTLS (fail case): a cluster parameter group whose 'tls'
# parameter is 'disabled'.
class MyDocDBParameterGroupStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define DocDB Cluster Parameter Group with 'tls' parameter set to 'disabled'
        docdb.CfnDBClusterParameterGroup(
            self, 'MyDocDBClusterParameterGroup',
            description='My DocDB Parameter Group',
            family='docdb4.0',
            parameters={
                'tls': 'disabled'  # the value the check flags
            }
            # Other properties as needed
        )
# Instantiate the stack under an App and synthesize it.
app = core.App()
MyDocDBParameterGroupStack(app, "MyDocDBParameterGroupStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/DocDBTLS/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_docdb as docdb
# Fixture for DocDBTLS (pass case): a cluster parameter group whose 'tls'
# parameter is 'enabled'.
class MyDocDBParameterGroupStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define DocDB Cluster Parameter Group with 'tls' parameter set to 'enabled'
        docdb.CfnDBClusterParameterGroup(
            self, 'MyDocDBClusterParameterGroup',
            description='My DocDB Parameter Group',
            family='docdb4.0',
            parameters={
                'tls': 'enabled'
            }
            # Other properties as needed
        )
# Instantiate the stack under an App and synthesize it.
app = core.App()
MyDocDBParameterGroupStack(app, "MyDocDBParameterGroupStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/DynamodbGlobalTableRecovery/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_dynamodb as dynamodb
# Fixture for DynamodbGlobalTableRecovery (fail case): a CfnGlobalTable whose
# replica has point_in_time_recovery_enabled=False.
class DynamoDBGlobalTableStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a DynamoDB Global Table with point-in-time recovery disabled on the replica
        global_table = dynamodb.CfnGlobalTable(
            self, "MyGlobalTable",
            # NOTE(review): replication_group is not a documented CfnGlobalTable prop —
            # confirm against the CDK API; it is irrelevant to the static match
            replication_group=[{"region_name": "us-east-1"}, {"region_name": "us-west-2"}],
            table_name="MyGlobalTable",
            replicas=[
                dynamodb.CfnGlobalTable.ReplicaSpecificationProperty(
                    point_in_time_recovery_specification=dynamodb.CfnGlobalTable.PointInTimeRecoverySpecificationProperty(
                        point_in_time_recovery_enabled=False  # the value the check flags
                    )
                )
            ]
        )
================================================
FILE: cdk_integration_tests/src/python/DynamodbGlobalTableRecovery/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_dynamodb as dynamodb
# Fixture for DynamodbGlobalTableRecovery (pass case): a CfnGlobalTable whose
# replica has point_in_time_recovery_enabled=True.
class DynamoDBGlobalTableStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a DynamoDB Global Table with point-in-time recovery enabled on the replica
        global_table = dynamodb.CfnGlobalTable(
            self, "MyGlobalTable",
            # NOTE(review): replication_group is not a documented CfnGlobalTable prop —
            # confirm against the CDK API; it is irrelevant to the static match
            replication_group=[{"region_name": "us-east-1"}, {"region_name": "us-west-2"}],
            table_name="MyGlobalTable",
            replicas=[
                dynamodb.CfnGlobalTable.ReplicaSpecificationProperty(
                    point_in_time_recovery_specification=dynamodb.CfnGlobalTable.PointInTimeRecoverySpecificationProperty(
                        point_in_time_recovery_enabled=True
                    )
                )
            ]
        )
================================================
FILE: cdk_integration_tests/src/python/DynamodbRecovery/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_dynamodb as dynamodb
# Fixture for DynamodbRecovery (fail case): an L2 Table with
# point_in_time_recovery=False.
class MyDynamoDBStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a DynamoDB table with PointInTimeRecoveryEnabled set to False
        dynamodb_table = dynamodb.Table(
            self,
            "MyDynamoDBTable",
            table_name="MyTableName",
            partition_key=dynamodb.Attribute(name="PartitionKey", type=dynamodb.AttributeType.STRING),
            point_in_time_recovery=False,  # the value the check flags
            removal_policy=core.RemovalPolicy.DESTROY,  # Specify the removal policy as needed
        )
================================================
FILE: cdk_integration_tests/src/python/DynamodbRecovery/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_dynamodb as dynamodb
# Fixture for DynamodbRecovery (pass case): an L2 Table with
# point_in_time_recovery=True.
class MyDynamoDBStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a DynamoDB table with PointInTimeRecoveryEnabled set to True
        dynamodb_table = dynamodb.Table(
            self,
            "MyDynamoDBTable",
            table_name="MyTableName",
            partition_key=dynamodb.Attribute(name="PartitionKey", type=dynamodb.AttributeType.STRING),
            point_in_time_recovery=True,  # Set PointInTimeRecoveryEnabled to True
            removal_policy=core.RemovalPolicy.DESTROY,  # Specify the removal policy as needed
        )
================================================
FILE: cdk_integration_tests/src/python/EBSEncryption/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_ec2 as ec2
# Fixture for EBSEncryption (fail case): an L2 Volume with encrypted=False.
class MyVolumeStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an EBS volume without encryption
        ebs_volume = ec2.Volume(
            self,
            "MyEBSVolume",
            availability_zone="us-east-1a",  # Replace with your desired availability zone
            size=100,  # Set the size of the volume as needed
            encrypted=False,  # the value the check flags
            volume_type=ec2.EbsDeviceVolumeType.GP2,  # Specify the volume type
        )
================================================
FILE: cdk_integration_tests/src/python/EBSEncryption/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_ec2 as ec2
# Fixture for EBSEncryption (pass case): an L2 Volume with encrypted=True.
class MyVolumeStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an EBS volume with encryption enabled
        ebs_volume = ec2.Volume(
            self,
            "MyEBSVolume",
            availability_zone="us-east-1a",  # Replace with your desired availability zone
            size=100,  # Set the size of the volume as needed
            encrypted=True,  # Enable encryption
            volume_type=ec2.EbsDeviceVolumeType.GP2,  # Specify the volume type
        )
================================================
FILE: cdk_integration_tests/src/python/EC2PublicIP/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_ec2 as ec2
# Fixture for EC2PublicIP (fail case 1): a CfnInstance whose network interface
# has associate_public_ip_address=True.
class MyEC2InstanceStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define VPC for the EC2 Instance (not referenced by the instance below)
        vpc = ec2.Vpc(
            self, 'MyVpc',
            max_azs=2  # Replace with the desired number of Availability Zones
        )
        # Define EC2 Instance with Network Interface having a Public IP
        instance = ec2.CfnInstance(
            self, 'MyEC2Instance',
            image_id='ami-12345678',  # Replace with your desired AMI ID
            instance_type='t2.micro',  # Replace with your desired instance type
            network_interfaces=[{
                'associate_public_ip_address': True  # the value the check flags
            }]
            # Other properties for your EC2 Instance
        )
# Instantiate the first stack under an App and synthesize it.
app = core.App()
MyEC2InstanceStack(app, "MyEC2InstanceStack")
app.synth()
# Fixture for EC2PublicIP (fail case 2): a CfnLaunchTemplate whose network
# interface has associate_public_ip_address=True.
class MyEC2LaunchTemplateStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Launch Template for the EC2 Instance
        launch_template = ec2.CfnLaunchTemplate(
            self, 'MyLaunchTemplate',
            launch_template_name='my-launch-template',
            launch_template_data={
                'network_interfaces': [{
                    'associate_public_ip_address': True  # the value the check flags
                }]
                # Other properties for your Launch Template Data
            }
        )
# Instantiate the second stack under a fresh App and synthesize it.
app = core.App()
MyEC2LaunchTemplateStack(app, "MyEC2LaunchTemplateStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/EC2PublicIP/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_ec2 as ec2
# Fixture for EC2PublicIP (pass case 1): a CfnInstance whose network interface
# has associate_public_ip_address=False.
class MyEC2InstanceStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define VPC for the EC2 Instance; its first public subnet is used below
        vpc = ec2.Vpc(
            self, 'MyVpc',
            max_azs=2  # Replace with the desired number of Availability Zones
        )
        # Define EC2 Instance with Network Interface WITHOUT a Public IP
        instance = ec2.CfnInstance(
            self, 'MyEC2Instance',
            image_id='ami-12345678',  # Replace with your desired AMI ID
            instance_type='t2.micro',  # Replace with your desired instance type
            network_interfaces=[{
                # NOTE(review): key casing is mixed here ('deviceIndex' vs 'subnet_id') —
                # harmless for the static match, confirm which form jsii expects
                'deviceIndex': '0',
                'subnet_id': vpc.public_subnets[0].subnet_id,
                'associate_public_ip_address': False
            }]
            # Other properties for your EC2 Instance
        )
# Instantiate the first stack under an App and synthesize it.
app = core.App()
MyEC2InstanceStack(app, "MyEC2InstanceStack")
app.synth()
# Fixture for EC2PublicIP (pass case 2): a CfnLaunchTemplate whose network
# interface has associate_public_ip_address=False.
class MyEC2LaunchTemplateStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Launch Template for the EC2 Instance
        launch_template = ec2.CfnLaunchTemplate(
            self, 'MyLaunchTemplate',
            launch_template_name='my-launch-template',
            launch_template_data={
                'network_interfaces': [{
                    'deviceIndex': '0',
                    'associate_public_ip_address': False
                }]
                # Other properties for your Launch Template Data
            }
        )
# Instantiate the second stack under a fresh App and synthesize it.
app = core.App()
MyEC2LaunchTemplateStack(app, "MyEC2LaunchTemplateStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ECRImageScanning/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_ecr as ecr
# Fixture for ECRImageScanning (fail case): an L2 Repository declared without
# image_scan_on_push.
class MyECRStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an ECR repository WITHOUT image scanning on push
        # (the sibling pass.py adds image_scan_on_push=True)
        ecr_repository = ecr.Repository(
            self,
            "MyECRRepository",
            repository_name="my-ecr-repo",
        )
================================================
FILE: cdk_integration_tests/src/python/ECRImageScanning/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_ecr as ecr
# Fixture for ECRImageScanning (pass case): an L2 Repository with
# image_scan_on_push=True.
class MyECRStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an ECR repository with image scanning on push enabled
        ecr_repository = ecr.Repository(
            self,
            "MyECRRepository",
            repository_name="my-ecr-repo",
            image_scan_on_push=True,  # Enable image scanning on push
        )
================================================
FILE: cdk_integration_tests/src/python/ECRImmutableTags/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_ecr as ecr
# Fixture for ECRImmutableTags (fail case): an L2 Repository with
# image_tag_mutability MUTABLE.
class MyECRStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an ECR repository with MUTABLE image tags
        ecr_repository = ecr.Repository(
            self,
            "MyECRRepository",
            repository_name="my-ecr-repo",
            image_tag_mutability=ecr.TagMutability.MUTABLE,  # the value the check flags
        )
================================================
FILE: cdk_integration_tests/src/python/ECRImmutableTags/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_ecr as ecr
# Fixture for ECRImmutableTags (pass case): an L2 Repository with
# image_tag_mutability IMMUTABLE.
class MyECRStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an ECR repository with immutable image tags
        ecr_repository = ecr.Repository(
            self,
            "MyECRRepository",
            repository_name="my-ecr-repo",
            image_tag_mutability=ecr.TagMutability.IMMUTABLE,  # Set image tag mutability to IMMUTABLE
        )
================================================
FILE: cdk_integration_tests/src/python/ECRRepositoryEncrypted/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_ecr as ecr
# Fixture for ECRRepositoryEncrypted (fail case): CfnRepository declared without
# an encryption_configuration.
class MyECRRepositoryStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define ECR Repository WITHOUT an Encryption Configuration
        # (the sibling pass.py adds encryption_configuration)
        ecr.CfnRepository(
            self, 'MyECRRepository',
            repository_name='my-ecr-repo',
        )
# Instantiate the stack under an App and synthesize it.
app = core.App()
MyECRRepositoryStack(app, "MyECRRepositoryStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ECRRepositoryEncrypted/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_ecr as ecr
# Fixture for ECRRepositoryEncrypted (pass case): CfnRepository with an
# encryption_configuration of type KMS.
class MyECRRepositoryStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define ECR Repository with Encryption Configuration
        ecr.CfnRepository(
            self, 'MyECRRepository',
            repository_name='my-ecr-repo',
            encryption_configuration={
                'encryptionType': 'KMS'  # NOTE(review): camelCase key; confirm jsii accepts it
            }
            # Other properties for your ECR Repository
        )
# Instantiate the stack under an App and synthesize it.
app = core.App()
MyECRRepositoryStack(app, "MyECRRepositoryStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ECSClusterContainerInsights/fail__1__.py
================================================
import aws_cdk as core
from constructs import Construct
from aws_cdk import aws_ecs as ecs
from aws_cdk import aws_ec2 as ec2
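# Fixture for ECSClusterContainerInsights (fail case): clusters with Container
# Insights disabled or left unset, in both the L2 (Cluster) and L1 (CfnCluster) form.
class MyECSClusterStack(core.Stack):
    # The scope annotation uses constructs.Construct, which this file imports and the
    # sibling pass.py uses; `core.Construct` does not exist under `import aws_cdk as core`
    # (CDK v2), so the original annotation raised at class-definition time.
    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        vpc = ec2.Vpc(self, "Vpc",
            ip_protocol=ec2.IpProtocol.DUAL_STACK
        )
        # L2 cluster with the legacy flag explicitly off
        cluster = ecs.Cluster(self, "EcsCluster", vpc=vpc, container_insights=False)
        # L2 cluster with neither container_insights nor container_insights_v2 set
        cluster2 = ecs.Cluster(self, "EcsCluster2", vpc=vpc)
        # L2 cluster with the v2 setting explicitly DISABLED
        cluster3 = ecs.Cluster(self, "EcsCluster3", vpc=vpc, container_insights_v2=ecs.ContainerInsights.DISABLED)
        # L1 cluster with the containerInsights setting explicitly 'disabled'
        cluster4 = ecs.CfnCluster(
            self, 'MyECSCluster4',
            cluster_name='my-ecs-cluster',
            cluster_settings=[{
                'name': 'containerInsights',
                'value': 'disabled'
            }]
            # Other properties for your ECS Cluster
        )
        # L1 cluster with no cluster_settings at all
        cluster5 = ecs.CfnCluster(
            self, 'MyECSCluster5',
            cluster_name='my-ecs-cluster'
            # Other properties for your ECS Cluster
        )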
# Instantiate the stack under an App and synthesize it.
app = core.App()
MyECSClusterStack(app, "MyECSClusterStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ECSClusterContainerInsights/pass.py
================================================
import aws_cdk as core
from constructs import Construct
from aws_cdk import aws_ecs as ecs
from aws_cdk import aws_ec2 as ec2
# Fixture for ECSClusterContainerInsights (pass case): clusters with Container
# Insights enabled or enhanced, in both the L2 (Cluster) and L1 (CfnCluster) form.
class MyECSClusterStack(core.Stack):
    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        vpc = ec2.Vpc(self, "Vpc",
            ip_protocol=ec2.IpProtocol.DUAL_STACK
        )
        # L2 cluster with the legacy flag on
        cluster = ecs.Cluster(self, "EcsCluster", vpc=vpc, container_insights=True)
        # L2 clusters with the v2 setting ENHANCED / ENABLED
        cluster2 = ecs.Cluster(self, "EcsCluster2", vpc=vpc, container_insights_v2=ecs.ContainerInsights.ENHANCED)
        cluster3 = ecs.Cluster(self, "EcsCluster3", vpc=vpc, container_insights_v2=ecs.ContainerInsights.ENABLED)
        # L1 cluster with containerInsights 'enabled'
        cluster4 = ecs.CfnCluster(
            self, 'MyECSCluster4',
            cluster_name='my-ecs-cluster',
            cluster_settings=[{
                'name': 'containerInsights',
                'value': 'enabled'
            }]
            # Other properties for your ECS Cluster
        )
        # L1 cluster with containerInsights 'enhanced'
        cluster5 = ecs.CfnCluster(
            self, 'MyECSCluster5',
            cluster_name='my-ecs-cluster',
            cluster_settings=[{
                'name': 'containerInsights',
                'value': 'enhanced'
            }]
            # Other properties for your ECS Cluster
        )
# Instantiate the stack under an App and synthesize it.
app = core.App()
MyECSClusterStack(app, "MyECSClusterStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ECSTaskDefinitionEFSVolumeEncryption/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_ecs as ecs
# Fixture for ECSTaskDefinitionEFSVolumeEncryption (fail case): an EFS volume
# configuration with transit_encryption 'DISABLED'.
class MyECSTaskDefinitionStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define ECS Task Definition with an EFS volume configuration and transit encryption disabled
        task_definition = ecs.CfnTaskDefinition(
            self, 'MyTaskDefinition',
            volumes=[
                {
                    'efs_volume_configuration': {
                        'transit_encryption': 'DISABLED'  # the value the check flags
                    }
                }
            ]
            # Other properties for your ECS Task Definition
        )
# Instantiate the stack under an App and synthesize it.
app = core.App()
MyECSTaskDefinitionStack(app, "MyECSTaskDefinitionStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ECSTaskDefinitionEFSVolumeEncryption/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_ecs as ecs
# Fixture for ECSTaskDefinitionEFSVolumeEncryption (pass case): an EFS volume
# configuration with transit_encryption 'ENABLED'.
class MyECSTaskDefinitionStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define ECS Task Definition with an EFS volume configuration and transit encryption enabled
        task_definition = ecs.CfnTaskDefinition(
            self, 'MyTaskDefinition',
            volumes=[
                {
                    'efs_volume_configuration': {
                        'transit_encryption': 'ENABLED'
                    }
                }
            ]
            # Other properties for your ECS Task Definition
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
MyECSTaskDefinitionStack(app, "MyECSTaskDefinitionStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/EFSEncryptionEnabled/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_efs as efs
class EfsStack(core.Stack):
    """Expected FAIL for EFSEncryptionEnabled: the file system is created with
    ``encrypted=False``, so data at rest is stored in clear text."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # NOTE(review): EFS encryption is a create-time property — confirm; if so,
        # fixing this on a real file system means replacing it rather than updating it.
        efs_file_system = efs.FileSystem(
            self,
            "EfsFileSystem",
            encrypted=False,  # The insecure value under test
            lifecycle_policy=efs.LifecyclePolicy.AFTER_7_DAYS,
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
EfsStack(app, "EfsStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/EFSEncryptionEnabled/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_efs as efs
class EfsStack(core.Stack):
    """Expected PASS for EFSEncryptionEnabled: the file system is created with
    ``encrypted=True`` (service-managed key, no ``kms_key`` given)."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an EFS file system with the Encrypted property set to True
        efs_file_system = efs.FileSystem(
            self,
            "EfsFileSystem",
            encrypted=True,  # The compliant value under test
            lifecycle_policy=efs.LifecyclePolicy.AFTER_7_DAYS,
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
EfsStack(app, "EfsStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/EKSSecretsEncryption/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_eks as eks
class MyEKSClusterStack(core.Stack):
    """Expected FAIL for EKSSecretsEncryption.

    ``encryption_config`` is present but its ``resources`` list does not contain
    ``'secrets'``, so Kubernetes Secrets are not envelope-encrypted with KMS.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define EKS Cluster with Encryption Configuration
        cluster = eks.CfnCluster(
            self, 'MyEKSCluster',
            name='my-eks-cluster',
            # 'abc' is deliberately not 'secrets' — the only resource type the
            # check cares about. No provider/key_arn is given either.
            encryption_config=[{
                'resources': ['abc']
            }]
            # Other properties for your EKS Cluster
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
MyEKSClusterStack(app, "MyEKSClusterStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/EKSSecretsEncryption/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_eks as eks
class MyEKSClusterStack(core.Stack):
    """Expected PASS for EKSSecretsEncryption: ``encryption_config`` lists
    ``'secrets'`` as an encrypted resource type."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define EKS Cluster with Encryption Configuration
        cluster = eks.CfnCluster(
            self, 'MyEKSCluster',
            name='my-eks-cluster',
            # NOTE(review): no provider.key_arn is set; a deployable template
            # presumably needs the KMS key — the check appears to look only at resources.
            encryption_config=[{
                'resources': ['secrets']
            }]
            # Other properties for your EKS Cluster
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
MyEKSClusterStack(app, "MyEKSClusterStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ELBAccessLogs/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticloadbalancing as elb
class MyLoadBalancerStack(core.Stack):
    """Expected FAIL for ELBAccessLogs: the classic ELB has an access logging
    policy block, but with ``enabled=False``, so no request logs reach S3."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Elastic Load Balancer with access logging policy disabled
        load_balancer = elb.CfnLoadBalancer(
            self, 'MyLoadBalancer',
            # Plain HTTP listener; not what this fixture tests.
            listeners=[
                {
                    'instancePort': '80',
                    'instanceProtocol': 'HTTP',
                    'loadBalancerPort': '80',
                    'protocol': 'HTTP'
                }
            ],
            # A bucket and interval are configured, but the policy is switched off —
            # the presence of the block alone must not satisfy the check.
            access_logging_policy=elb.CfnLoadBalancer.AccessLoggingPolicyProperty(
                enabled=False,
                s3_bucket_name='my-access-logs-bucket',  # Replace with your S3 bucket name
                emit_interval=5  # Adjust the interval as needed
            )
            # Other properties as needed for your Load Balancer
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
MyLoadBalancerStack(app, "MyLoadBalancerStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ELBAccessLogs/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticloadbalancing as elb
class MyLoadBalancerStack(core.Stack):
    """Expected PASS for ELBAccessLogs: the classic ELB ships access logs to S3
    (``enabled=True`` with a bucket name)."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Elastic Load Balancer with access logging policy enabled
        load_balancer = elb.CfnLoadBalancer(
            self, 'MyLoadBalancer',
            # Plain HTTP listener; not what this fixture tests.
            listeners=[
                {
                    'instancePort': '80',
                    'instanceProtocol': 'HTTP',
                    'loadBalancerPort': '80',
                    'protocol': 'HTTP'
                }
            ],
            access_logging_policy=elb.CfnLoadBalancer.AccessLoggingPolicyProperty(
                enabled=True,
                s3_bucket_name='my-access-logs-bucket',  # Replace with your S3 bucket name
                emit_interval=5  # Adjust the interval as needed
            )
            # Other properties as needed for your Load Balancer
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
MyLoadBalancerStack(app, "MyLoadBalancerStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ELBv2AccessLogs/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticloadbalancingv2 as elbv2
class MyALBWithAccessLogs(core.Stack):
    """Expected FAIL (1 of 2) for ELBv2AccessLogs: the load balancer explicitly
    sets ``access_logs.s3.enabled`` to ``"false"``."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Elastic Load Balancer V2 with access logs explicitly disabled
        alb = elbv2.CfnLoadBalancer(
            self, 'MyALB',
            load_balancer_attributes=[
                # Attribute values are strings in CloudFormation, hence "false".
                elbv2.CfnLoadBalancer.LoadBalancerAttributeProperty(
                    key="access_logs.s3.enabled",
                    value="false"
                )
            ],
            # Other properties for your Application Load Balancer
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
MyALBWithAccessLogs(app, "MyALBWithAccessLogs")
app.synth()
class MyALBWithAccessLogs2(core.Stack):
    """Expected FAIL (2 of 2) for ELBv2AccessLogs: no ``load_balancer_attributes``
    at all, so access logging is left at its default of off. The check must treat
    a missing attribute the same as an explicit ``"false"``."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Elastic Load Balancer V2 with no access-log attributes configured
        alb = elbv2.CfnLoadBalancer(
            self, 'MyALB'
        )
# Second entry point in the same module: rebinds the module-level ``app`` from
# the first stack above and synthesizes a fresh app for the second stack.
app = core.App()
MyALBWithAccessLogs2(app, "MyALBWithAccessLogs2")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ELBv2AccessLogs/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticloadbalancingv2 as elbv2
class MyALBWithAccessLogs(core.Stack):
    """Expected PASS for ELBv2AccessLogs: ``access_logs.s3.enabled`` is ``"true"``."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Elastic Load Balancer V2 with access logs enabled
        alb = elbv2.CfnLoadBalancer(
            self, 'MyALB',
            load_balancer_attributes=[
                # NOTE(review): no access_logs.s3.bucket attribute is set; presumably
                # required for a deployable template, only the enabled flag is under test.
                elbv2.CfnLoadBalancer.LoadBalancerAttributeProperty(
                    key="access_logs.s3.enabled",
                    value="true"
                )
            ],
            # Other properties for your Application Load Balancer
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
MyALBWithAccessLogs(app, "MyALBWithAccessLogs")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtRest/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticache as elasticache
class ElastiCacheReplicationGroupStack(core.Stack):
    """Expected FAIL for ElasticacheReplicationGroupEncryptionAtRest.

    ``at_rest_encryption_enabled`` is never set, so the replication group is
    created with encryption at rest off; the check must flag the absent property,
    not only an explicit ``False``.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an Amazon ElastiCache replication group
        replication_group = elasticache.CfnReplicationGroup(
            self,
            "MyElastiCacheReplicationGroup",
            replication_group_description="My Replication Group",
            automatic_failover_enabled=True,
            replication_group_id="my-replication-group",
            cache_node_type="cache.m4.large",
            engine="redis",
            engine_version="5.0.6",
            num_node_groups=2,
            cache_subnet_group_name="my-subnet-group",
            security_group_ids=["sg-0123456789abcdef0"],  # Placeholder security group ID
            # at_rest_encryption_enabled deliberately omitted
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
ElastiCacheReplicationGroupStack(app, "ElastiCacheReplicationGroupStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtRest/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticache as elasticache
class ElastiCacheReplicationGroupStack(core.Stack):
    """Expected PASS for ElasticacheReplicationGroupEncryptionAtRest:
    ``at_rest_encryption_enabled=True`` is set explicitly."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an Amazon ElastiCache replication group
        replication_group = elasticache.CfnReplicationGroup(
            self,
            "MyElastiCacheReplicationGroup",
            replication_group_description="My Replication Group",
            automatic_failover_enabled=True,
            replication_group_id="my-replication-group",
            cache_node_type="cache.m4.large",
            engine="redis",
            engine_version="5.0.6",
            num_node_groups=2,
            cache_subnet_group_name="my-subnet-group",
            security_group_ids=["sg-0123456789abcdef0"],  # Placeholder security group ID
            at_rest_encryption_enabled=True  # Enable encryption at rest (service-managed key, no kms_key_id)
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
ElastiCacheReplicationGroupStack(app, "ElastiCacheReplicationGroupStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransit/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticache as elasticache
class ElastiCacheReplicationGroupStack(core.Stack):
    """Expected FAIL for ElasticacheReplicationGroupEncryptionAtTransit.

    ``transit_encryption_enabled`` is never set, so client-to-node and node-to-node
    Redis traffic on port 6379 would be unencrypted.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an AWS ElastiCache Replication Group
        replication_group = elasticache.CfnReplicationGroup(
            self,
            "MyElastiCacheReplicationGroup",
            replication_group_id="my-replication-group",
            replication_group_description="My ElastiCache Replication Group",
            cache_node_type="cache.m4.large",
            engine="redis",
            engine_version="5.0.6",
            port=6379,
            num_cache_clusters=2,
            automatic_failover_enabled=True,
            # transit_encryption_enabled deliberately omitted
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
ElastiCacheReplicationGroupStack(app, "ElastiCacheReplicationGroupStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransit/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticache as elasticache
class ElastiCacheReplicationGroupStack(core.Stack):
    """Expected PASS for ElasticacheReplicationGroupEncryptionAtTransit:
    ``transit_encryption_enabled=True`` is set explicitly."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an AWS ElastiCache Replication Group
        replication_group = elasticache.CfnReplicationGroup(
            self,
            "MyElastiCacheReplicationGroup",
            replication_group_id="my-replication-group",
            replication_group_description="My ElastiCache Replication Group",
            cache_node_type="cache.m4.large",
            engine="redis",
            engine_version="5.0.6",
            port=6379,
            num_cache_clusters=2,
            automatic_failover_enabled=True,
            transit_encryption_enabled=True  # Enable transit encryption (TLS on the wire)
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
ElastiCacheReplicationGroupStack(app, "ElastiCacheReplicationGroupStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticache as elasticache
class MyElastiCacheReplicationGroupStack(core.Stack):
    """Expected FAIL (1 of 2) for ElasticacheReplicationGroupEncryptionAtTransitAuthToken.

    An auth token is supplied but ``transit_encryption_enabled=False``, so the
    token (and all Redis traffic) would travel over the network in clear text.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define ElastiCache Replication Group with an auth token but transit encryption OFF
        elasticache.CfnReplicationGroup(
            self, 'MyElastiCacheReplicationGroup',
            replication_group_description='MyReplicationGroup',
            cache_node_type='cache.t2.small',
            engine='redis',
            engine_version='6.x',
            num_node_groups=1,
            automatic_failover_enabled=True,
            transit_encryption_enabled=False,  # Transit encryption disabled — this is the defect under test
            # Placeholder literal. Never hard-code a real token in source; resolve it
            # from Secrets Manager / SSM at synth time instead.
            # NOTE(review): ElastiCache only accepts an auth token when transit
            # encryption is on — confirm; either way this stack is meant to fail.
            auth_token='YourAuthTokenHere'  # Provide the auth token
            # ... other properties as needed
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
MyElastiCacheReplicationGroupStack(app, "MyElastiCacheReplicationGroupStack")
app.synth()
class MyElastiCacheReplicationGroupStack2(core.Stack):
    """Expected FAIL (2 of 2) for ElasticacheReplicationGroupEncryptionAtTransitAuthToken.

    Transit encryption is on, but no ``auth_token`` is set, so any client that can
    reach the endpoint can issue commands without authenticating.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define ElastiCache Replication Group with transit encryption but no auth token
        elasticache.CfnReplicationGroup(
            self, 'MyElastiCacheReplicationGroup',
            replication_group_description='MyReplicationGroup',
            cache_node_type='cache.t2.small',
            engine='redis',
            engine_version='6.x',
            num_node_groups=1,
            automatic_failover_enabled=True,
            transit_encryption_enabled=True,  # Enable transit encryption
            # auth_token deliberately omitted
            # ... other properties as needed
        )
# Second entry point in the same module: rebinds the module-level ``app`` from
# the first stack above and synthesizes a fresh app for the second stack.
app = core.App()
MyElastiCacheReplicationGroupStack2(app, "MyElastiCacheReplicationGroupStack2")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticache as elasticache
class MyElastiCacheReplicationGroupStack(core.Stack):
    """Expected PASS for ElasticacheReplicationGroupEncryptionAtTransitAuthToken:
    both ``transit_encryption_enabled=True`` and an ``auth_token`` are present."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define ElastiCache Replication Group with encryption and auth token
        elasticache.CfnReplicationGroup(
            self, 'MyElastiCacheReplicationGroup',
            replication_group_description='MyReplicationGroup',
            cache_node_type='cache.t2.small',
            engine='redis',
            engine_version='6.x',
            num_node_groups=1,
            automatic_failover_enabled=True,
            transit_encryption_enabled=True,  # Enable transit encryption
            # Placeholder literal. Never hard-code a real token in source; resolve it
            # from Secrets Manager / SSM at synth time instead.
            auth_token='YourAuthTokenHere'  # Provide the auth token
            # ... other properties as needed
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
MyElastiCacheReplicationGroupStack(app, "MyElastiCacheReplicationGroupStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ElasticsearchDomainEnforceHTTPS/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticsearch as elasticsearch
class ElasticsearchStack(core.Stack):
    """Expected FAIL for ElasticsearchDomainEnforceHTTPS.

    No ``domain_endpoint_options`` are given, so ``enforce_https`` is unset and the
    domain endpoint would still accept plain HTTP. Node-to-node encryption being on
    does not cover the client side.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an Amazon Elasticsearch domain
        elasticsearch_domain = elasticsearch.CfnDomain(
            self, "MyElasticsearchDomain",
            domain_name="my-elasticsearch-domain",
            elasticsearch_version="7.10",
            node_to_node_encryption_options={
                "enabled": True
            },
            ebs_options={
                "ebsEnabled": True,
                "volumeSize": 10
            },
            # domain_endpoint_options (enforce_https) deliberately omitted
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
ElasticsearchStack(app, "ElasticsearchStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ElasticsearchDomainEnforceHTTPS/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticsearch as elasticsearch
class ElasticsearchStack(core.Stack):
    """Expected PASS for ElasticsearchDomainEnforceHTTPS: ``enforce_https=True``
    inside ``domain_endpoint_options``."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an Amazon Elasticsearch domain
        elasticsearch_domain = elasticsearch.CfnDomain(
            self, "MyElasticsearchDomain",
            domain_name="my-elasticsearch-domain",
            elasticsearch_version="7.10",
            node_to_node_encryption_options={
                "enabled": True
            },
            # Only enforce_https is under test here; the custom-endpoint fields and
            # tls_security_policy are placeholder strings, not deployable values.
            domain_endpoint_options=elasticsearch.CfnDomain.DomainEndpointOptionsProperty(
                custom_endpoint="customEndpoint",
                custom_endpoint_certificate_arn="customEndpointCertificateArn",
                custom_endpoint_enabled=False,
                enforce_https=True,
                tls_security_policy="tlsSecurityPolicy"
            ),
            ebs_options={
                "ebsEnabled": True,
                "volumeSize": 10
            },
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
ElasticsearchStack(app, "ElasticsearchStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ElasticsearchDomainLogging/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticsearch as elasticsearch
from aws_cdk import aws_opensearchservice as opensearchservice
class MyElasticsearchDomainStack(core.Stack):
    """Expected FAIL for ElasticsearchDomainLogging: the single log publishing
    option points at a CloudWatch log group but has ``enabled=False``."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Elasticsearch Domain with a single, disabled LogPublishingOption
        elasticsearch.CfnDomain(
            self, 'MyElasticsearchDomain',
            domain_name='my-elasticsearch-domain',
            elasticsearch_version='7.10',  # Replace with your desired Elasticsearch version
            node_to_node_encryption_options={
                'enabled': True
            },
            # The mapping key is a placeholder; a real template keys this on the
            # log type (e.g. the audit or application log).
            log_publishing_options={
                'logPublishingOptionsKey': elasticsearch.CfnDomain.LogPublishingOptionProperty(
                    cloud_watch_logs_log_group_arn='arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME',
                    enabled=False  # Logging switched off — the defect under test
                )
            }
            # Other properties for your Elasticsearch Domain
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
MyElasticsearchDomainStack(app, "MyElasticsearchDomainStack")
app.synth()
class MyOpenSearchDomainStack(core.Stack):
    """OpenSearch Service counterpart inside the ElasticsearchDomainLogging FAIL fixture.

    NOTE(review): this stack is byte-identical to the one in pass.py (``enabled=True``),
    yet the fixture expects two failures. Confirm where the second expected failure
    comes from before relying on this stack as a negative case.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define OpenSearch Service Domain with a single, enabled LogPublishingOption
        opensearchservice.CfnDomain(
            self, 'MyOpenSearchDomain',
            domain_name='my-opensearch-domain',
            # NOTE(review): opensearchservice.CfnDomain appears to take engine_version
            # rather than elasticsearch_version — confirm against the CDK API; the
            # fixture is parsed, not executed, so this would not surface in tests.
            elasticsearch_version='7.10',  # Replace with your desired OpenSearch version
            node_to_node_encryption_options={
                'enabled': True
            },
            log_publishing_options={
                'logPublishingOptionsKey': opensearchservice.CfnDomain.LogPublishingOptionProperty(
                    cloud_watch_logs_log_group_arn='arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME',
                    enabled=True
                )
            }
            # Other properties for your OpenSearch Service Domain
        )
# Second entry point in the same module: rebinds the module-level ``app`` from
# the first stack above and synthesizes a fresh app for the second stack.
app = core.App()
MyOpenSearchDomainStack(app, "MyOpenSearchDomainStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ElasticsearchDomainLogging/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticsearch as elasticsearch
from aws_cdk import aws_opensearchservice as opensearchservice
class MyElasticsearchDomainStack(core.Stack):
    """Expected PASS for ElasticsearchDomainLogging: the log publishing option is
    ``enabled=True`` and targets a CloudWatch log group."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Elasticsearch Domain with a single, enabled LogPublishingOption
        elasticsearch.CfnDomain(
            self, 'MyElasticsearchDomain',
            domain_name='my-elasticsearch-domain',
            elasticsearch_version='7.10',  # Replace with your desired Elasticsearch version
            node_to_node_encryption_options={
                'enabled': True
            },
            # The mapping key is a placeholder; a real template keys this on the log type.
            log_publishing_options={
                'logPublishingOptionsKey': elasticsearch.CfnDomain.LogPublishingOptionProperty(
                    cloud_watch_logs_log_group_arn='arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME',
                    enabled=True
                )
            }
            # Other properties for your Elasticsearch Domain
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
MyElasticsearchDomainStack(app, "MyElasticsearchDomainStack")
app.synth()
class MyOpenSearchDomainStack(core.Stack):
    """Expected PASS for ElasticsearchDomainLogging, OpenSearch Service flavour:
    the log publishing option is ``enabled=True``."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define OpenSearch Service Domain with a single, enabled LogPublishingOption
        opensearchservice.CfnDomain(
            self, 'MyOpenSearchDomain',
            domain_name='my-opensearch-domain',
            # NOTE(review): opensearchservice.CfnDomain appears to take engine_version
            # rather than elasticsearch_version — confirm against the CDK API.
            elasticsearch_version='7.10',  # Replace with your desired OpenSearch version
            node_to_node_encryption_options={
                'enabled': True
            },
            log_publishing_options={
                'logPublishingOptionsKey': opensearchservice.CfnDomain.LogPublishingOptionProperty(
                    cloud_watch_logs_log_group_arn='arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME',
                    enabled=True
                )
            }
            # Other properties for your OpenSearch Service Domain
        )
# Second entry point in the same module: rebinds the module-level ``app`` from
# the first stack above and synthesizes a fresh app for the second stack.
app = core.App()
MyOpenSearchDomainStack(app, "MyOpenSearchDomainStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ElasticsearchEncryption/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticsearch as elasticsearch
class MyElasticsearchDomainStack(core.Stack):
    """Expected FAIL for ElasticsearchEncryption: ``encryption_at_rest_options``
    is present but explicitly disabled, so indices sit unencrypted on disk."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Elasticsearch Domain with Encryption At Rest disabled
        elasticsearch.CfnDomain(
            self, 'MyElasticsearchDomain',
            domain_name='my-elasticsearch-domain',
            elasticsearch_version='7.10',  # Replace with your desired Elasticsearch version
            encryption_at_rest_options={
                'enabled': False  # The insecure value under test
            }
            # Other properties for your Elasticsearch Domain
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
MyElasticsearchDomainStack(app, "MyElasticsearchDomainStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ElasticsearchEncryption/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticsearch as elasticsearch
class MyElasticsearchDomainStack(core.Stack):
    """Expected PASS for ElasticsearchEncryption: encryption at rest is enabled
    (no ``kmsKeyId`` given, so a service-managed key is implied)."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Elasticsearch Domain with Encryption At Rest Enabled
        elasticsearch.CfnDomain(
            self, 'MyElasticsearchDomain',
            domain_name='my-elasticsearch-domain',
            elasticsearch_version='7.10',  # Replace with your desired Elasticsearch version
            encryption_at_rest_options={
                'enabled': True
            }
            # Other properties for your Elasticsearch Domain
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
MyElasticsearchDomainStack(app, "MyElasticsearchDomainStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ElasticsearchNodeToNodeEncryption/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticsearch as elasticsearch
class MyElasticsearchDomainStack(core.Stack):
    """Expected FAIL for ElasticsearchNodeToNodeEncryption: intra-cluster traffic
    between data nodes is explicitly left unencrypted."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Elasticsearch Domain with Node-to-Node Encryption disabled
        elasticsearch.CfnDomain(
            self, 'MyElasticsearchDomain',
            domain_name='my-elasticsearch-domain',
            elasticsearch_version='7.10',  # Replace with your desired Elasticsearch version
            node_to_node_encryption_options={
                'enabled': False  # The insecure value under test
            }
            # Other properties for your Elasticsearch Domain
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
MyElasticsearchDomainStack(app, "MyElasticsearchDomainStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/ElasticsearchNodeToNodeEncryption/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_elasticsearch as elasticsearch
class MyElasticsearchDomainStack(core.Stack):
    """Expected PASS for ElasticsearchNodeToNodeEncryption: ``enabled: True``."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Elasticsearch Domain with Node-to-Node Encryption Enabled
        elasticsearch.CfnDomain(
            self, 'MyElasticsearchDomain',
            domain_name='my-elasticsearch-domain',
            elasticsearch_version='7.10',  # Replace with your desired Elasticsearch version
            node_to_node_encryption_options={
                'enabled': True
            }
            # Other properties for your Elasticsearch Domain
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
MyElasticsearchDomainStack(app, "MyElasticsearchDomainStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/GlueDataCatalogEncryption/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_glue as glue
class MyGlueDataCatalogEncryptionSettingsStack(core.Stack):
    """Expected FAIL (1 of 2) for GlueDataCatalogEncryption.

    Metadata at rest is KMS-encrypted, but ``ReturnConnectionPasswordEncrypted`` is
    ``False``, so connection passwords are handed back in clear text by the catalog API.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Data Catalog encryption settings
        data_catalog_encryption_settings = glue.CfnDataCatalogEncryptionSettings(
            self, 'MyGlueDataCatalogEncryptionSettings',
            data_catalog_encryption_settings={
                'ConnectionPasswordEncryption': {
                    'ReturnConnectionPasswordEncrypted': False  # The defect under test
                },
                'EncryptionAtRest': {
                    'CatalogEncryptionMode': 'SSE-KMS'
                }
            }
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
MyGlueDataCatalogEncryptionSettingsStack(app, "MyGlueDataCatalogEncryptionSettingsStack")
app.synth()
class MyGlueDataCatalogEncryptionSettingsStack2(core.Stack):
    """Expected FAIL (2 of 2) for GlueDataCatalogEncryption.

    Connection passwords are protected, but the ``EncryptionAtRest`` block is
    missing entirely, so catalog metadata is stored unencrypted. The check must
    flag the absent block, not only a wrong mode.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Data Catalog encryption settings
        data_catalog_encryption_settings = glue.CfnDataCatalogEncryptionSettings(
            self, 'MyGlueDataCatalogEncryptionSettings',
            data_catalog_encryption_settings={
                'ConnectionPasswordEncryption': {
                    'ReturnConnectionPasswordEncrypted': True
                },
                # 'EncryptionAtRest' deliberately omitted
            }
        )
# Second entry point in the same module: rebinds the module-level ``app`` from
# the first stack above and synthesizes a fresh app for the second stack.
app = core.App()
MyGlueDataCatalogEncryptionSettingsStack2(app, "MyGlueDataCatalogEncryptionSettingsStack2")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/GlueDataCatalogEncryption/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_glue as glue
class MyGlueDataCatalogEncryptionSettingsStack(core.Stack):
    """Expected PASS for GlueDataCatalogEncryption: connection passwords are returned
    encrypted and catalog metadata at rest uses SSE-KMS."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Data Catalog encryption settings
        data_catalog_encryption_settings = glue.CfnDataCatalogEncryptionSettings(
            self, 'MyGlueDataCatalogEncryptionSettings',
            data_catalog_encryption_settings={
                'ConnectionPasswordEncryption': {
                    'ReturnConnectionPasswordEncrypted': True
                },
                # No SseAwsKmsKeyId given; the fixture only needs the mode.
                'EncryptionAtRest': {
                    'CatalogEncryptionMode': 'SSE-KMS'
                }
            }
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
MyGlueDataCatalogEncryptionSettingsStack(app, "MyGlueDataCatalogEncryptionSettingsStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/GlueSecurityConfiguration/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_glue as glue
class MyGlueSecurityConfigurationStack(core.Stack):
    """Expected FAIL (1 of 2) for GlueSecurityConfiguration.

    CloudWatch and S3 output are KMS-encrypted, but job bookmarks are
    ``'DISABLED'``; the check requires all three encryption settings to be on.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define the security configuration with encryption settings
        security_configuration = glue.CfnSecurityConfiguration(
            self, 'MyGlueSecurityConfiguration',
            encryption_configuration={
                'CloudWatchEncryption': {
                    'CloudWatchEncryptionMode': 'SSE-KMS'
                },
                'JobBookmarksEncryption': {
                    'JobBookmarksEncryptionMode': 'DISABLED'  # The defect under test
                },
                'S3Encryptions': [
                    {
                        'S3EncryptionMode': 'SSE-KMS'
                    }
                ]
            }
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
MyGlueSecurityConfigurationStack(app, "MyGlueSecurityConfigurationStack")
app.synth()
class MyGlueSecurityConfigurationStack2(core.Stack):
    """Expected FAIL (2 of 2) for GlueSecurityConfiguration.

    Bookmarks and S3 output are encrypted, but the ``CloudWatchEncryption`` block
    is missing, so job logs would be written to CloudWatch unencrypted. The check
    must flag the absent block, not only a wrong mode.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define the security configuration with encryption settings
        security_configuration = glue.CfnSecurityConfiguration(
            self, 'MyGlueSecurityConfiguration',
            encryption_configuration={
                # 'CloudWatchEncryption' deliberately omitted
                'JobBookmarksEncryption': {
                    'JobBookmarksEncryptionMode': 'CSE-KMS'
                },
                'S3Encryptions': [
                    {
                        'S3EncryptionMode': 'SSE-KMS'
                    }
                ]
            }
        )
# Second entry point in the same module: rebinds the module-level ``app`` from
# the first stack above and synthesizes a fresh app for the second stack.
app = core.App()
MyGlueSecurityConfigurationStack2(app, "MyGlueSecurityConfigurationStack2")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/GlueSecurityConfiguration/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_glue as glue
class MyGlueSecurityConfigurationStack(core.Stack):
    """Expected PASS for GlueSecurityConfiguration: CloudWatch logs, job bookmarks
    and S3 output are all KMS-encrypted."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define the security configuration with encryption settings
        security_configuration = glue.CfnSecurityConfiguration(
            self, 'MyGlueSecurityConfiguration',
            # No KmsKeyArn values are given; the fixture only needs the modes.
            encryption_configuration={
                'CloudWatchEncryption': {
                    'CloudWatchEncryptionMode': 'SSE-KMS'
                },
                'JobBookmarksEncryption': {
                    'JobBookmarksEncryptionMode': 'CSE-KMS'
                },
                'S3Encryptions': [
                    {
                        'S3EncryptionMode': 'SSE-KMS'
                    }
                ]
            }
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
MyGlueSecurityConfigurationStack(app, "MyGlueSecurityConfigurationStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/GlueSecurityConfigurationEnabled/fail__3__.py
================================================
from aws_cdk import core
from aws_cdk import aws_glue as glue
class GlueCrawlerStack(core.Stack):
    """Expected FAIL (1 of 3) for GlueSecurityConfigurationEnabled: the crawler has
    no ``crawler_security_configuration``, so its logs and outputs are not covered
    by a Glue security configuration."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # NOTE(review): crawler_role is never defined in this module, so this
        # would raise NameError if executed. Harmless while the fixture is only
        # parsed, but a literal ARN (as the DevEndpoint below uses) would be safer.
        crawler = glue.CfnCrawler(
            self,
            "MyCrawler",
            name="MyCrawler",
            database_name="mydatabase",
            role=crawler_role.role_arn,
            targets={
                "s3Targets": [
                    {
                        "path": "s3://your-s3-bucket/path/to/crawl",
                    }
                ]
            },
            # crawler_security_configuration deliberately omitted
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
GlueCrawlerStack(app, "GlueCrawlerStack")
app.synth()
class GlueDevEndpointStack(core.Stack):
    """Expected FAIL (2 of 3) for GlueSecurityConfigurationEnabled: the dev
    endpoint has no ``security_configuration``."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an AWS Glue DevEndpoint
        dev_endpoint = glue.CfnDevEndpoint(
            self,
            "MyDevEndpoint",
            role_arn="arn:aws:iam::YOUR_ACCOUNT_ID:role/YourGlueDevEndpointRole",  # Placeholder ARN
            worker_type="Standard",
            glue_version="1.0",
            # security_configuration deliberately omitted
        )
# Second entry point in the same module: rebinds the module-level ``app`` and
# synthesizes a fresh app for this stack.
app = core.App()
GlueDevEndpointStack(app, "GlueDevEndpointStack")
app.synth()
class GlueJobStack(core.Stack):
    """Expected FAIL (3 of 3) for GlueSecurityConfigurationEnabled: the job has no
    ``security_configuration``."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an AWS Glue Job
        # NOTE(review): no role is set on the job; presumably required for a
        # deployable template, the fixture only needs the missing security configuration.
        job = glue.CfnJob(
            self,
            "MyGlueJob",
            command={
                "name": "glueetl",
                "pythonVersion": "3"
            },
            default_arguments={
                "--job-language": "python"
            },
            max_capacity=10,
            glue_version="1.0"
            # security_configuration deliberately omitted
        )
# Third entry point in the same module: rebinds the module-level ``app`` and
# synthesizes a fresh app for this stack.
app = core.App()
GlueJobStack(app, "GlueJobStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/GlueSecurityConfigurationEnabled/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_glue as glue
from aws_cdk import aws_iam as iam
class GlueCrawlerStack(core.Stack):
    """Expected PASS for GlueSecurityConfigurationEnabled (crawler): a
    ``crawler_security_configuration`` name is attached."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # NOTE(review): crawler_role is never defined in this module (aws_iam is
        # imported but unused), so this would raise NameError if executed. Harmless
        # while the fixture is only parsed; an iam.Role or a literal ARN would fix it.
        crawler = glue.CfnCrawler(
            self,
            "MyCrawler",
            name="MyCrawler",
            database_name="mydatabase",
            role=crawler_role.role_arn,
            targets={
                "s3Targets": [
                    {
                        "path": "s3://your-s3-bucket/path/to/crawl",
                    }
                ]
            },
            # Placeholder name; only the presence of the property is under test.
            crawler_security_configuration="aaa"
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
GlueCrawlerStack(app, "GlueCrawlerStack")
app.synth()
class GlueDevEndpointStack(core.Stack):
    """Expected PASS for GlueSecurityConfigurationEnabled (dev endpoint): a
    ``security_configuration`` name is attached."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an AWS Glue Security Configuration (You need to create one separately)
        security_configuration_name = "MySecurityConfiguration"  # Replace with your security config name
        # Create an AWS Glue DevEndpoint
        dev_endpoint = glue.CfnDevEndpoint(
            self,
            "MyDevEndpoint",
            role_arn="arn:aws:iam::YOUR_ACCOUNT_ID:role/YourGlueDevEndpointRole",  # Placeholder ARN
            security_configuration=security_configuration_name,
            worker_type="Standard",
            glue_version="1.0",
        )
# Second entry point in the same module: rebinds the module-level ``app`` and
# synthesizes a fresh app for this stack.
app = core.App()
GlueDevEndpointStack(app, "GlueDevEndpointStack")
app.synth()
class GlueJobStack(core.Stack):
    """Expected PASS for GlueSecurityConfigurationEnabled (job): a
    ``security_configuration`` name is attached."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an AWS Glue Security Configuration (You need to create one separately)
        security_configuration_name = "MySecurityConfiguration"  # Replace with your security config name
        # Create an AWS Glue Job
        # NOTE(review): no role is set on the job; presumably required for a
        # deployable template, the fixture only needs the security configuration.
        job = glue.CfnJob(
            self,
            "MyGlueJob",
            command={
                "name": "glueetl",
                "pythonVersion": "3"
            },
            default_arguments={
                "--job-language": "python"
            },
            security_configuration=security_configuration_name,
            max_capacity=10,
            glue_version="1.0"
        )
# Third entry point in the same module: rebinds the module-level ``app`` and
# synthesizes a fresh app for this stack.
app = core.App()
GlueJobStack(app, "GlueJobStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/IAMPolicyAttachedToGroupOrRoles/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_iam as iam
class IAMStack(core.Stack):
    """Expected FAIL for IAMPolicyAttachedToGroupOrRoles: the inline policy is
    attached directly to a user via ``users=[...]`` instead of to a group or role."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an IAM policy
        custom_policy = iam.Policy(
            self,
            "CustomPolicy",
            policy_name="MyCustomPolicy",
            statements=[
                # Narrow, single-action statement; the permission itself is not under test.
                iam.PolicyStatement(
                    effect=iam.Effect.ALLOW,
                    actions=["s3:GetObject"],
                    resources=["arn:aws:s3:::my-bucket/*"],
                ),
            ],
            # NOTE(review): iam.Policy.users expects IUser constructs, not strings —
            # confirm; "a" only needs to be recognised as a user attachment by the check.
            users=["a"]
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
IAMStack(app, "IAMStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/IAMPolicyAttachedToGroupOrRoles/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_iam as iam
class IAMStack(core.Stack):
    """Expected PASS for IAMPolicyAttachedToGroupOrRoles: the policy has no
    ``users`` attachment (nor groups/roles), so nothing is bound to a user."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an IAM policy
        # NOTE(review): with no users/groups/roles, CDK may not emit an
        # AWS::IAM::Policy resource at all unless force=True — confirm that the
        # check still sees this as a positive case rather than an absent resource.
        custom_policy = iam.Policy(
            self,
            "CustomPolicy",
            policy_name="MyCustomPolicy",
            statements=[
                iam.PolicyStatement(
                    effect=iam.Effect.ALLOW,
                    actions=["s3:GetObject"],
                    resources=["arn:aws:s3:::my-bucket/*"],
                ),
            ],
        )
# Fixture entry point: build the CDK app, instantiate the stack and synthesize it.
app = core.App()
IAMStack(app, "IAMStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/KinesisStreamEncryptionType/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_kinesis as kinesis
class KinesisStreamStack(core.Stack):
    """Fail fixture for the KinesisStreamEncryptionType check.

    ``encryption_type`` is set to a value other than ``"KMS"``; the passing
    counterpart uses ``"KMS"``.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an Amazon Kinesis stream
        kinesis_stream = kinesis.CfnStream(
            self,
            "MyKinesisStream",
            name="my-kinesis-stream",
            shard_count=2,  # The number of shards in the stream
            stream_encryption={
                "encryption_type": "ABC",  # Deliberately not "KMS" -- this is the failing value
                "key_id": "YOUR_KMS_KEY_ID"  # Replace with your KMS key ID
            }
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
KinesisStreamStack(app, "KinesisStreamStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/KinesisStreamEncryptionType/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_kinesis as kinesis
class KinesisStreamStack(core.Stack):
    """Pass fixture for the KinesisStreamEncryptionType check.

    The stream is configured with ``encryption_type`` ``"KMS"`` and a key id.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an Amazon Kinesis stream
        kinesis_stream = kinesis.CfnStream(
            self,
            "MyKinesisStream",
            name="my-kinesis-stream",
            shard_count=2,  # The number of shards in the stream
            stream_encryption={
                "encryption_type": "KMS",  # Use KMS encryption
                "key_id": "YOUR_KMS_KEY_ID"  # Replace with your KMS key ID
            }
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
KinesisStreamStack(app, "KinesisStreamStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/LambdaDLQConfigured/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_lambda as _lambda
from aws_cdk import aws_sqs as sqs
from aws_cdk import aws_sam as sam
class MyLambdaStack(core.Stack):
    """Fail fixture (aws_lambda.Function) for the LambdaDLQConfigured check.

    A queue is created but never passed to the function, so the function
    has no dead-letter queue configured.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create the Dead Letter Queue (intentionally left unattached below)
        dlq = sqs.Queue(
            self,
            "MyDeadLetterQueue",
            visibility_timeout=core.Duration.seconds(300),  # Adjust as needed
        )
        # Create the Lambda function WITHOUT a DLQ -- no dead_letter_queue argument
        my_lambda_function = _lambda.Function(
            self,
            "MyLambdaFunction",
            runtime=_lambda.Runtime.PYTHON_3_8,
            handler="index.handler",
            code=_lambda.Code.from_asset("path/to/your/code"),
            function_name="my-function-name",
        )
class MySAMLambdaStack(core.Stack):
    """Fail fixture (aws_sam.CfnFunction) for the LambdaDLQConfigured check.

    As in ``MyLambdaStack``, the queue exists but is not wired to the
    function via ``dead_letter_queue``.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create the Dead Letter Queue (intentionally left unattached below)
        dlq = sqs.Queue(
            self,
            "MyDeadLetterQueue",
            visibility_timeout=core.Duration.seconds(300),  # Adjust as needed
        )
        # Create the SAM Lambda function WITHOUT a DLQ -- no dead_letter_queue argument
        my_sam_lambda_function = sam.CfnFunction(
            self,
            "MySAMLambdaFunction",
            handler="index.handler",
            runtime="nodejs14.x",
            code_uri="./my-code",
            function_name="my-function-name",
        )
================================================
FILE: cdk_integration_tests/src/python/LambdaDLQConfigured/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_lambda as _lambda
from aws_cdk import aws_sqs as sqs
from aws_cdk import aws_sam as sam
class MyLambdaStack(core.Stack):
    """Pass fixture (aws_lambda.Function) for the LambdaDLQConfigured check.

    The SQS queue is passed as ``dead_letter_queue`` on the function.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create the Dead Letter Queue
        dlq = sqs.Queue(
            self,
            "MyDeadLetterQueue",
            visibility_timeout=core.Duration.seconds(300),  # Adjust as needed
        )
        # Create the Lambda function with a DLQ
        my_lambda_function = _lambda.Function(
            self,
            "MyLambdaFunction",
            runtime=_lambda.Runtime.PYTHON_3_8,
            handler="index.handler",
            code=_lambda.Code.from_asset("path/to/your/code"),
            function_name="my-function-name",
            dead_letter_queue=dlq,  # the property the check looks for
        )
class MySAMLambdaStack(core.Stack):
    """Pass fixture (aws_sam.CfnFunction) for the LambdaDLQConfigured check.

    The DLQ is referenced by ARN through ``DeadLetterQueueProperty``.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create the Dead Letter Queue
        dlq = sqs.Queue(
            self,
            "MyDeadLetterQueue",
            visibility_timeout=core.Duration.seconds(300),  # Adjust as needed
        )
        # Create the SAM Lambda function with a DLQ
        my_sam_lambda_function = sam.CfnFunction(
            self,
            "MySAMLambdaFunction",
            handler="index.handler",
            runtime="nodejs14.x",
            code_uri="./my-code",
            function_name="my-function-name",
            # SAM takes the queue ARN rather than the construct itself
            dead_letter_queue=sam.CfnFunction.DeadLetterQueueProperty(
                target_arn=dlq.queue_arn
            ),
        )
================================================
FILE: cdk_integration_tests/src/python/LambdaEnvironmentCredentials/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_lambda as _lambda
from aws_cdk import aws_sam as sam
class MyLambdaFunctionStack(core.Stack):
    """Fail fixture (aws_lambda.Function) for the LambdaEnvironmentCredentials check.

    The environment variable is a plain string literal; the passing fixture
    uses a non-string (dict) value instead.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Lambda Function
        my_lambda = _lambda.Function(
            self, 'MyLambdaFunction',
            runtime=_lambda.Runtime.PYTHON_3_8,
            handler='index.handler',
            code=_lambda.Code.from_asset('lambda'),  # Replace 'lambda' with your function code directory
            environment={
                'MY_VARIABLE': 'pass'  # literal string value -- the failing shape
            }
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
MyLambdaFunctionStack(app, "MyLambdaFunctionStack")
app.synth()
class MyServerlessFunctionStack(core.Stack):
    """Fail fixture (aws_sam.CfnFunction) for the LambdaEnvironmentCredentials check.

    Same shape as ``MyLambdaFunctionStack``: a plain string environment value.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Serverless Lambda Function
        my_lambda = sam.CfnFunction(
            self, 'MyServerlessFunction',
            code_uri='lambda/',  # Replace 'lambda/' with your function code directory
            handler='index.handler',
            runtime='python3.9',
            environment={
                'MY_VARIABLE': 'pass'  # literal string value -- the failing shape
            }
            # Other properties for your Serverless Lambda Function
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
MyServerlessFunctionStack(app, "MyServerlessFunctionStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/LambdaEnvironmentCredentials/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_lambda as _lambda
from aws_cdk import aws_sam as sam
class MyLambdaFunctionStack(core.Stack):
    """Pass fixture (aws_lambda.Function) for the LambdaEnvironmentCredentials check.

    NOTE(review): the environment value is a dict, which the CDK API would
    not accept at synth time (values must be strings). The fixture is only
    parsed by the scanner, so this is tolerated here; do not copy it into a
    real stack.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Lambda Function
        my_lambda = _lambda.Function(
            self, 'MyLambdaFunction',
            runtime=_lambda.Runtime.PYTHON_3_8,
            handler='index.handler',
            code=_lambda.Code.from_asset('lambda'),  # Replace 'lambda' with your function code directory
            environment={
                'MY_VARIABLE': {'a':'b'}  # non-literal value -- the passing shape
            }
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
MyLambdaFunctionStack(app, "MyLambdaFunctionStack")
app.synth()
class MyServerlessFunctionStack(core.Stack):
    """Pass fixture (aws_sam.CfnFunction) for the LambdaEnvironmentCredentials check.

    Mirrors ``MyLambdaFunctionStack`` above with a non-string environment value.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Serverless Lambda Function
        my_lambda = sam.CfnFunction(
            self, 'MyServerlessFunction',
            code_uri='lambda/',  # Replace 'lambda/' with your function code directory
            handler='index.handler',
            runtime='python3.9',
            environment={
                'MY_VARIABLE': {'a':'b'}  # non-literal value -- the passing shape
            }
            # Other properties for your Serverless Lambda Function
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
MyServerlessFunctionStack(app, "MyServerlessFunctionStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/LambdaEnvironmentEncryptionSettings/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_lambda as _lambda
from aws_cdk import aws_sam as sam
class MyLambdaFunctionStack(core.Stack):
    """Fail fixture (aws_lambda.Function) for the LambdaEnvironmentEncryptionSettings check.

    Environment variables are set but no ``kms_key`` is given, so they are
    not encrypted with a customer-managed key.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Lambda function -- note the missing kms_key argument
        my_lambda_function = _lambda.Function(
            self, 'MyLambdaFunction',
            runtime=_lambda.Runtime.PYTHON_3_8,
            handler='index.handler',
            code=_lambda.Code.from_asset('path/to/your/function/code'),
            environment={
                'MY_VARIABLE_1': 'Value1',
                'MY_VARIABLE_2': 'Value2'
            },
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
MyLambdaFunctionStack(app, "MyLambdaFunctionStack")
app.synth()
class MyServerlessFunctionStack(core.Stack):
    """Fail fixture (aws_sam.CfnFunction) for the LambdaEnvironmentEncryptionSettings check.

    Environment variables are set but no ``kms_key_arn`` is given.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define SAM Function -- note the missing kms_key_arn argument
        my_sam_function = sam.CfnFunction(
            self, 'MySAMFunction',
            handler='index.handler',
            runtime='python3.9',
            code_uri='./path/to/your/function/code',
            environment={
                'MY_VARIABLE_1': 'Value1',
                'MY_VARIABLE_2': 'Value2'
            },
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
MyServerlessFunctionStack(app, "MyServerlessFunctionStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/LambdaEnvironmentEncryptionSettings/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_kms as kms
from aws_cdk import aws_lambda as _lambda
from aws_cdk import aws_sam as sam
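class MyLambdaFunctionStack(core.Stack):
    """Pass fixture (aws_lambda.Function) for the LambdaEnvironmentEncryptionSettings check.

    The function's environment variables are encrypted with a customer-managed
    KMS key supplied through the ``kms_key`` argument, which is the property
    the check looks for.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Lambda function
        my_lambda_function = _lambda.Function(
            self, 'MyLambdaFunction',
            runtime=_lambda.Runtime.PYTHON_3_8,
            handler='index.handler',
            code=_lambda.Code.from_asset('path/to/your/function/code'),
            environment={
                'MY_VARIABLE_1': 'Value1',
                'MY_VARIABLE_2': 'Value2'
            },
            # Key.from_key_arn lives in aws_cdk.aws_kms, not aws_cdk.aws_lambda;
            # the previous `_lambda.Key` attribute does not exist and would raise
            # AttributeError if this fixture were ever executed.
            kms_key=kms.Key.from_key_arn(self, 'MyKmsKey', 'arn:aws:kms:region:account-id:key/key-id')
        )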
# Instantiate the stack in an app and synthesize it.
app = core.App()
MyLambdaFunctionStack(app, "MyLambdaFunctionStack")
app.synth()
class MyServerlessFunctionStack(core.Stack):
    """Pass fixture (aws_sam.CfnFunction) for the LambdaEnvironmentEncryptionSettings check.

    ``kms_key_arn`` points at a customer-managed key for the environment variables.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define SAM Function
        my_sam_function = sam.CfnFunction(
            self, 'MySAMFunction',
            handler='index.handler',
            runtime='python3.9',
            code_uri='./path/to/your/function/code',
            environment={
                'MY_VARIABLE_1': 'Value1',
                'MY_VARIABLE_2': 'Value2'
            },
            kms_key_arn='arn:aws:kms:region:account-id:key/key-id'  # placeholder ARN
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
MyServerlessFunctionStack(app, "MyServerlessFunctionStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/LambdaFunctionLevelConcurrentExecutionLimit/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk.aws_lambda import Function, Runtime, Code
from aws_cdk.aws_sam import CfnFunction
class MyLambdaStack(core.Stack):
    """Fail fixture (aws_lambda.Function) for the LambdaFunctionLevelConcurrentExecutionLimit check.

    No ``reserved_concurrent_executions`` is set.

    NOTE(review): ``my_lambda_execution_role`` is not defined anywhere in this
    fixture; it is a placeholder, so the file is not executable as-is.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        my_lambda_function = Function(
            self,
            "MyLambdaFunction",
            runtime=Runtime.PYTHON_3_8,  # Set the Lambda function's runtime
            handler="index.handler",  # Specify the Lambda handler
            code=Code.from_asset("path/to/your/code"),  # Define the code location
            function_name="my-function-name",  # Optionally set the function name
            role=my_lambda_execution_role,  # Placeholder IAM role (undefined in this fixture)
            timeout=core.Duration.seconds(10),  # Set the function timeout
            # reserved_concurrent_executions intentionally omitted
        )
class MyLambdaStack2(core.Stack):
    """Fail fixture (aws_sam.CfnFunction) for the LambdaFunctionLevelConcurrentExecutionLimit check.

    No ``reserved_concurrent_executions`` is set. ``my_lambda_execution_role``
    is an undefined placeholder, as in ``MyLambdaStack``.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        my_lambda_function = CfnFunction(
            self,
            "MyLambdaFunction",
            handler="index.handler",  # Specify the Lambda handler
            runtime="nodejs14.x",  # Set the Lambda function's runtime
            code_uri="./my-code",  # Specify the location of your code
            function_name="my-function-name",  # Optionally set the function name
            role=my_lambda_execution_role,  # Placeholder IAM role (undefined in this fixture)
            timeout=10,  # Set the function timeout
            # reserved_concurrent_executions intentionally omitted
        )
# You can add other configurations and permissions for your Lambda function here
================================================
FILE: cdk_integration_tests/src/python/LambdaFunctionLevelConcurrentExecutionLimit/pass.py
================================================
from aws_cdk import core
from aws_cdk.aws_lambda import Function, Runtime, Code
from aws_cdk.aws_sam import CfnFunction
class MyLambdaStack(core.Stack):
    """Pass fixture (aws_lambda.Function) for the LambdaFunctionLevelConcurrentExecutionLimit check.

    ``reserved_concurrent_executions`` caps how many concurrent invocations
    this function may consume.

    NOTE(review): ``my_lambda_execution_role`` is an undefined placeholder.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        my_lambda_function = Function(
            self,
            "MyLambdaFunction",
            runtime=Runtime.PYTHON_3_8,  # Set the Lambda function's runtime
            handler="index.handler",  # Specify the Lambda handler
            code=Code.from_asset("path/to/your/code"),  # Define the code location
            function_name="my-function-name",  # Optionally set the function name
            role=my_lambda_execution_role,  # Placeholder IAM role (undefined in this fixture)
            timeout=core.Duration.seconds(10),  # Set the function timeout
            reserved_concurrent_executions=5  # the property the check looks for
        )
class MyLambdaStack2(core.Stack):
    """Pass fixture (aws_sam.CfnFunction) for the LambdaFunctionLevelConcurrentExecutionLimit check.

    NOTE(review): ``my_lambda_execution_role`` is an undefined placeholder.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        my_lambda_function = CfnFunction(
            self,
            "MyLambdaFunction",
            handler="index.handler",  # Specify the Lambda handler
            runtime="nodejs14.x",  # Set the Lambda function's runtime
            code_uri="./my-code",  # Specify the location of your code
            function_name="my-function-name",  # Optionally set the function name
            role=my_lambda_execution_role,  # Placeholder IAM role (undefined in this fixture)
            timeout=10,  # Set the function timeout
            reserved_concurrent_executions=5  # the property the check looks for
        )
# You can add other configurations and permissions for your Lambda function here
================================================
FILE: cdk_integration_tests/src/python/LambdaInVPC/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_lambda as _lambda
from aws_cdk import aws_ec2 as ec2
from aws_cdk import aws_sam as sam
class MyLambdaStack(core.Stack):
    """Fail fixture (aws_lambda.Function) for the LambdaInVPC check.

    No ``vpc`` argument is given, so the function is not placed in a VPC.

    NOTE(review): ``my_vpc`` is referenced but never defined in this class;
    it is a placeholder and the fixture is only parsed, not executed.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a Lambda function WITHOUT a vpc argument
        my_lambda_function = _lambda.Function(
            self,
            "MyLambdaFunction",
            runtime=_lambda.Runtime.PYTHON_3_8,
            handler="index.handler",
            code=_lambda.Code.from_asset("path/to/your/code"),
            function_name="my-function-name",
            security_group=my_vpc.vpc_default_security_group,  # my_vpc is undefined here
            allow_public_subnet=False,  # Set to True if you want public subnets
        )
class MySAMLambdaStack2(core.Stack):
    """Fail fixture (aws_sam.CfnFunction) for the LambdaInVPC check.

    A VPC is created but the function carries no ``vpc_config``.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a custom VPC (not attached to the function below)
        my_vpc = ec2.Vpc(
            self,
            "MyVPC",
            max_azs=2,  # Set the number of Availability Zones as needed
        )
        # Define the Serverless::Function WITHOUT a vpc_config
        my_sam_lambda_function = sam.CfnFunction(
            self,
            "MySAMLambdaFunction",
            handler="index.handler",
            runtime="nodejs14.x",
            code_uri="./my-code",
        )
================================================
FILE: cdk_integration_tests/src/python/LambdaInVPC/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_lambda as _lambda
from aws_cdk import aws_ec2 as ec2
from aws_cdk import aws_sam as sam
class MyLambdaStack(core.Stack):
    """Pass fixture (aws_lambda.Function) for the LambdaInVPC check.

    The function is given the ``vpc`` created in the same stack.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a VPC
        my_vpc = ec2.Vpc(
            self,
            "MyVPC",
            max_azs=2,  # Set the number of Availability Zones as needed
        )
        # Create a Lambda function in the VPC
        my_lambda_function = _lambda.Function(
            self,
            "MyLambdaFunction",
            runtime=_lambda.Runtime.PYTHON_3_8,
            handler="index.handler",
            code=_lambda.Code.from_asset("path/to/your/code"),
            function_name="my-function-name",
            vpc=my_vpc,  # the property the check looks for
            security_group=my_vpc.vpc_default_security_group,
            allow_public_subnet=False,  # Set to True if you want public subnets
        )
class MySAMLambdaStack2(core.Stack):
    """Pass fixture (aws_sam.CfnFunction) for the LambdaInVPC check.

    The function carries a ``vpc_config`` with security groups and subnets.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a custom VPC
        my_vpc = ec2.Vpc(
            self,
            "MyVPC",
            max_azs=2,  # Set the number of Availability Zones as needed
        )
        # Define the Serverless::Function within the VPC
        my_sam_lambda_function = sam.CfnFunction(
            self,
            "MySAMLambdaFunction",
            handler="index.handler",
            runtime="nodejs14.x",
            code_uri="./my-code",
            function_name="my-function-name",
            vpc_config=sam.CfnFunction.VpcConfigProperty(
                security_group_ids=[my_vpc.vpc_default_security_group],
                subnet_ids=my_vpc.select_subnets(
                    subnet_group_name="your-subnet-group-name"  # placeholder group name
                ).subnet_ids,
            ),
        )
================================================
FILE: cdk_integration_tests/src/python/LaunchConfigurationEBSEncryption/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_autoscaling as autoscaling
class MyAutoScalingLaunchConfig(core.Stack):
    """Fail fixture for the LaunchConfigurationEBSEncryption check.

    The EBS block device explicitly sets ``encrypted: False``.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Launch Configuration
        launch_config = autoscaling.CfnLaunchConfiguration(
            self, 'MyLaunchConfiguration',
            image_id='ami-12345678',  # Replace with your desired AMI ID
            instance_type='t2.micro',  # Replace with your desired instance type
            block_device_mappings=[{
                'ebs': {
                    'encrypted': False  # unencrypted volume -- the failing value
                }
            }]
            # Other properties for your Launch Configuration
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
MyAutoScalingLaunchConfig(app, "MyAutoScalingLaunchConfig")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/LaunchConfigurationEBSEncryption/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_autoscaling as autoscaling
class MyAutoScalingLaunchConfig(core.Stack):
    """Pass fixture for the LaunchConfigurationEBSEncryption check.

    The EBS block device sets ``encrypted: True``.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Launch Configuration
        launch_config = autoscaling.CfnLaunchConfiguration(
            self, 'MyLaunchConfiguration',
            image_id='ami-12345678',  # Replace with your desired AMI ID
            instance_type='t2.micro',  # Replace with your desired instance type
            block_device_mappings=[{
                'deviceName': '/dev/xvda',
                'ebs': {
                    'encrypted': True  # the value the check requires
                }
            }]
            # Other properties for your Launch Configuration
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
MyAutoScalingLaunchConfig(app, "MyAutoScalingLaunchConfig")
app.synth()
class MyAutoScalingLaunchConfig(core.Stack):
    """Second pass fixture for the LaunchConfigurationEBSEncryption check.

    Redefines the class of the same name declared above (each definition is
    synthesized right after it is declared). Here the block device mapping
    has no ``ebs`` entry at all, so there is no EBS volume to evaluate.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Launch Configuration
        launch_config = autoscaling.CfnLaunchConfiguration(
            self, 'MyLaunchConfiguration',
            image_id='ami-12345678',  # Replace with your desired AMI ID
            instance_type='t2.micro',  # Replace with your desired instance type
            block_device_mappings=[{
                'deviceName': '/dev/xvda',  # no 'ebs' key -- nothing to check
            }]
            # Other properties for your Launch Configuration
        )
# Instantiate the (redefined) stack in a fresh app and synthesize it.
app = core.App()
MyAutoScalingLaunchConfig(app, "MyAutoScalingLaunchConfig")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/NeptuneClusterStorageEncrypted/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_neptune as neptune
class MyNeptuneStack(core.Stack):
    """Fail fixture (neptune.CfnDBCluster) for the NeptuneClusterStorageEncrypted check.

    ``storage_encrypted`` is explicitly ``False``. The master password is a
    hard-coded test value and is skip-annotated for the secrets scanner.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a Neptune DB cluster with storage encryption DISABLED
        neptune_cluster = neptune.CfnDBCluster(
            self,
            "MyNeptuneCluster",
            engine="neptune",
            db_cluster_identifier="my-neptune-cluster",
            master_username="admin",
            master_user_password="mypassword",  # checkov:skip=CKV_SECRET_6 test secret
            storage_encrypted=False,  # unencrypted storage -- the failing value
            port=8182,  # Specify the port as needed
            availability_zones=["us-east-1a", "us-east-1b"],  # Specify the availability zones
        )
class MyNeptuneStack2(core.Stack):
    """Fail fixture (neptune.DatabaseCluster L2 construct) for the NeptuneClusterStorageEncrypted check.

    No ``storage_encrypted`` argument is given.

    NOTE(review): ``your_vpc`` is an undefined placeholder; the fixture is
    parsed, not executed.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a Neptune DB cluster WITHOUT storage_encrypted
        neptune_cluster = neptune.DatabaseCluster(
            self,
            "MyNeptuneCluster",
            engine=neptune.DatabaseClusterEngine.NEPTUNE,
            master_user=neptune.Login(
                username="admin",
                password="mypassword",  # checkov:skip=CKV_SECRET_6 test secret
            ),
            default_database_name="mydb",
            removal_policy=core.RemovalPolicy.DESTROY,  # Set the removal policy as needed
            vpc=your_vpc,  # Placeholder VPC (undefined in this fixture)
            instances=1,  # Specify the number of instances
        )
================================================
FILE: cdk_integration_tests/src/python/NeptuneClusterStorageEncrypted/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_neptune as neptune
class MyNeptuneStack(core.Stack):
    """Pass fixture (neptune.CfnDBCluster) for the NeptuneClusterStorageEncrypted check.

    ``storage_encrypted`` is ``True``. The master password is a hard-coded
    test value and is skip-annotated for the secrets scanner.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a Neptune DB cluster with storage encryption enabled
        neptune_cluster = neptune.CfnDBCluster(
            self,
            "MyNeptuneCluster",
            engine="neptune",
            db_cluster_identifier="my-neptune-cluster",
            master_username="admin",
            master_user_password="mypassword",  # checkov:skip=CKV_SECRET_6 test secret
            storage_encrypted=True,  # Enable storage encryption
            port=8182,  # Specify the port as needed
            availability_zones=["us-east-1a", "us-east-1b"],  # Specify the availability zones
        )
class MyNeptuneStack2(core.Stack):
    """Pass fixture (neptune.DatabaseCluster L2 construct) for the NeptuneClusterStorageEncrypted check.

    NOTE(review): ``your_vpc`` is an undefined placeholder.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a Neptune DB cluster with storage encryption enabled
        neptune_cluster = neptune.DatabaseCluster(
            self,
            "MyNeptuneCluster",
            engine=neptune.DatabaseClusterEngine.NEPTUNE,
            master_user=neptune.Login(
                username="admin",
                password="mypassword",  # checkov:skip=CKV_SECRET_6 test secret
            ),
            default_database_name="mydb",
            storage_encrypted=True,  # Enable storage encryption
            removal_policy=core.RemovalPolicy.DESTROY,  # Set the removal policy as needed
            vpc=your_vpc,  # Placeholder VPC (undefined in this fixture)
            instances=1,  # Specify the number of instances
        )
================================================
FILE: cdk_integration_tests/src/python/RDSEnhancedMonitorEnabled/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_rds as rds
class RDSStack(core.Stack):
    """Fail fixture for the RDSEnhancedMonitorEnabled check.

    No ``monitoring_interval`` is set on the instance.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an RDS DB instance WITHOUT a MonitoringInterval
        rds_instance = rds.DatabaseInstance(
            self,
            "MyRDSInstance",
            engine=rds.DatabaseInstanceEngine.mysql(
                version=rds.MysqlEngineVersion.VER_8_0
            ),
            instance_type=core.Fn.select(0, core.Fn.split(" ", "db.m5.large")),
            allocated_storage=20,
            max_allocated_storage=100,
            vpc_subnets={
                "subnetType": core.Fn.select(0, core.Fn.split(",", "private")),
            },
            storage_type=rds.StorageType.GP2,
            removal_policy=core.RemovalPolicy.DESTROY,
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
RDSStack(app, "RDSStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/RDSEnhancedMonitorEnabled/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_rds as rds
class RDSStack(core.Stack):
    """Pass fixture for the RDSEnhancedMonitorEnabled check.

    ``monitoring_interval`` is set, enabling enhanced monitoring.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an RDS DB instance with a custom MonitoringInterval
        rds_instance = rds.DatabaseInstance(
            self,
            "MyRDSInstance",
            engine=rds.DatabaseInstanceEngine.mysql(
                version=rds.MysqlEngineVersion.VER_8_0
            ),
            instance_type=core.Fn.select(0, core.Fn.split(" ", "db.m5.large")),
            monitoring_interval=60,  # Set MonitoringInterval to 60 seconds -- the property the check looks for
            allocated_storage=20,
            max_allocated_storage=100,
            vpc_subnets={
                "subnetType": core.Fn.select(0, core.Fn.split(",", "private")),
            },
            storage_type=rds.StorageType.GP2,
            removal_policy=core.RemovalPolicy.DESTROY,
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
RDSStack(app, "RDSStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/RDSMultiAZEnabled/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_rds as rds
class MyDBInstanceStack(core.Stack):
    """Fail fixture for the RDSMultiAZEnabled check: ``multi_az=False``."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define RDS DB instance
        my_db_instance = rds.CfnDBInstance(
            self, 'MyDBInstance',
            engine='mysql',  # Change this to your desired engine type
            db_instance_class='db.t2.micro',
            allocated_storage=20,
            multi_az=False,  # single-AZ deployment -- the failing value
            # Other properties for your DB instance
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
MyDBInstanceStack(app, "MyDBInstanceStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/RDSMultiAZEnabled/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_rds as rds
class MyDBInstanceStack(core.Stack):
    """Pass fixture for the RDSMultiAZEnabled check: ``multi_az=True``."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define RDS DB instance
        my_db_instance = rds.CfnDBInstance(
            self, 'MyDBInstance',
            engine='mysql',  # Change this to your desired engine type
            db_instance_class='db.t2.micro',
            allocated_storage=20,
            multi_az=True,  # the value the check requires
            # Other properties for your DB instance
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
MyDBInstanceStack(app, "MyDBInstanceStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/RDSPubliclyAccessible/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_rds as rds
class RDSStack(core.Stack):
    """Fail fixture for the RDSPubliclyAccessible check.

    ``publicly_accessible=True`` exposes the instance endpoint publicly.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an RDS DB instance with PubliclyAccessible set to True
        rds_instance = rds.DatabaseInstance(
            self,
            "MyRDSInstance",
            engine=rds.DatabaseInstanceEngine.mysql(
                version=rds.MysqlEngineVersion.VER_8_0
            ),
            instance_type=core.Fn.select(0, core.Fn.split(" ", "db.m5.large")),
            publicly_accessible=True,  # Set PubliclyAccessible to True -- the failing value
            allocated_storage=20,
            max_allocated_storage=100,
            vpc_subnets={
                "subnetType": core.Fn.select(0, core.Fn.split(",", "private")),
            },
            storage_type=rds.StorageType.GP2,
            removal_policy=core.RemovalPolicy.DESTROY,
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
RDSStack(app, "RDSStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/RDSPubliclyAccessible/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_rds as rds
class RDSStack(core.Stack):
    """Pass fixture for the RDSPubliclyAccessible check: ``publicly_accessible=False``."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an RDS DB instance with PubliclyAccessible set to false
        rds_instance = rds.DatabaseInstance(
            self,
            "MyRDSInstance",
            engine=rds.DatabaseInstanceEngine.mysql(
                version=rds.MysqlEngineVersion.VER_8_0
            ),
            instance_type=core.Fn.select(0, core.Fn.split(" ", "db.m5.large")),
            publicly_accessible=False,  # Set PubliclyAccessible to false
            allocated_storage=20,
            max_allocated_storage=100,
            vpc_subnets={
                "subnetType": core.Fn.select(0, core.Fn.split(",", "private")),
            },
            storage_type=rds.StorageType.GP2,
            removal_policy=core.RemovalPolicy.DESTROY,
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
RDSStack(app, "RDSStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/RedShiftSSL/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_redshift as redshift
class MyRedshiftClusterParameterGroupStack(core.Stack):
    """Fail fixture for the RedShiftSSL check: ``require_ssl`` is ``'false'``."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Redshift Cluster Parameter Group with require_ssl parameter
        redshift.CfnClusterParameterGroup(
            self, 'MyRedshiftClusterParameterGroup',
            description='My Redshift Parameter Group',
            parameter_group_family='redshift-1.0',
            parameters=[
                redshift.CfnClusterParameterGroup.ParameterProperty(
                    parameter_name='require_ssl',
                    parameter_value='false'  # SSL not required -- the failing value
                )
                # Add other parameters if needed
            ]
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
MyRedshiftClusterParameterGroupStack(app, "MyRedshiftClusterParameterGroupStack")
app.synth()
class MyRedshiftClusterParameterGroupStack2(core.Stack):
    """Second fail fixture for the RedShiftSSL check.

    The only parameter is an unrelated one (``abc``); ``require_ssl`` is
    absent entirely, which must also be treated as a failure.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Redshift Cluster Parameter Group WITHOUT a require_ssl parameter
        redshift.CfnClusterParameterGroup(
            self, 'MyRedshiftClusterParameterGroup',
            description='My Redshift Parameter Group',
            parameter_group_family='redshift-1.0',
            parameters=[
                redshift.CfnClusterParameterGroup.ParameterProperty(
                    parameter_name='abc',  # not require_ssl
                    parameter_value='true'
                )
                # Add other parameters if needed
            ]
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
MyRedshiftClusterParameterGroupStack2(app, "MyRedshiftClusterParameterGroupStack2")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/RedShiftSSL/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_redshift as redshift
class MyRedshiftClusterParameterGroupStack(core.Stack):
    """Pass fixture for the RedShiftSSL check: ``ParameterProperty`` with ``require_ssl='true'``."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Redshift Cluster Parameter Group with require_ssl parameter
        redshift.CfnClusterParameterGroup(
            self, 'MyRedshiftClusterParameterGroup',
            description='My Redshift Parameter Group',
            parameter_group_family='redshift-1.0',
            parameters=[
                redshift.CfnClusterParameterGroup.ParameterProperty(
                    parameter_name='require_ssl',
                    parameter_value='true'  # the value the check requires
                )
                # Add other parameters if needed
            ]
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
MyRedshiftClusterParameterGroupStack(app, "MyRedshiftClusterParameterGroupStack")
app.synth()
class MyRedshiftClusterParameterGroupStack(core.Stack):
    """Pass fixture for the RedShiftSSL check with keyword order swapped.

    Redefines the class of the same name above; exercises the check with
    ``parameter_value`` given before ``parameter_name``.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Redshift Cluster Parameter Group with require_ssl parameter
        redshift.CfnClusterParameterGroup(
            self, 'MyRedshiftClusterParameterGroup',
            description='My Redshift Parameter Group',
            parameter_group_family='redshift-1.0',
            parameters=[
                redshift.CfnClusterParameterGroup.ParameterProperty(
                    parameter_value='true',  # keyword order intentionally reversed
                    parameter_name='require_ssl'
                )
                # Add other parameters if needed
            ]
        )
# Instantiate the (redefined) stack in a fresh app and synthesize it.
app = core.App()
MyRedshiftClusterParameterGroupStack(app, "MyRedshiftClusterParameterGroupStack")
app.synth()
class MyRedshiftClusterParameterGroupStack(core.Stack):
    """Pass fixture for the RedShiftSSL check using a plain dict parameter.

    Redefines the class of the same name above; the parameter is given as a
    dict with camelCase keys rather than a ``ParameterProperty``.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Redshift Cluster Parameter Group with require_ssl parameter
        redshift.CfnClusterParameterGroup(
            self, 'MyRedshiftClusterParameterGroup',
            description='My Redshift Parameter Group',
            parameter_group_family='redshift-1.0',
            parameters=[
                {'parameterName': 'require_ssl','parameterValue': 'true'}  # dict form
                # Add other parameters if needed
            ]
        )
# Instantiate the (redefined) stack in a fresh app and synthesize it.
app = core.App()
MyRedshiftClusterParameterGroupStack(app, "MyRedshiftClusterParameterGroupStack")
app.synth()
class MyRedshiftClusterParameterGroupStack(core.Stack):
    """Pass fixture for the RedShiftSSL check using a plain dict with key order swapped.

    Redefines the class of the same name above; ``parameterValue`` precedes
    ``parameterName`` in the dict.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Redshift Cluster Parameter Group with require_ssl parameter
        redshift.CfnClusterParameterGroup(
            self, 'MyRedshiftClusterParameterGroup',
            description='My Redshift Parameter Group',
            parameter_group_family='redshift-1.0',
            parameters=[
                {'parameterValue': 'true','parameterName': 'require_ssl'}  # dict form, key order reversed
                # Add other parameters if needed
            ]
        )
# Instantiate the (redefined) stack in a fresh app and synthesize it.
app = core.App()
MyRedshiftClusterParameterGroupStack(app, "MyRedshiftClusterParameterGroupStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/RedshiftClusterEncryption/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_redshift as redshift
class RedshiftClusterStack(core.Stack):
    """Fail fixture for the RedshiftClusterEncryption check.

    No ``encrypted`` argument is given. The master password is a hard-coded
    test value and is skip-annotated for the secrets scanner.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an Amazon Redshift cluster WITHOUT encryption
        redshift_cluster = redshift.CfnCluster(
            self,
            "MyRedshiftCluster",
            cluster_identifier="my-redshift-cluster",
            master_username="admin",
            master_user_password="MySecurePassword123",  # checkov:skip=CKV_SECRET_6 test secret
            node_type="dc2.large",
            cluster_type="single-node",
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
RedshiftClusterStack(app, "RedshiftClusterStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/RedshiftClusterEncryption/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_redshift as redshift
class RedshiftClusterStack(core.Stack):
    """Pass fixture for the RedshiftClusterEncryption check: ``encrypted=True``."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create an Amazon Redshift cluster
        redshift_cluster = redshift.CfnCluster(
            self,
            "MyRedshiftCluster",
            cluster_identifier="my-redshift-cluster",
            master_username="admin",
            master_user_password="MySecurePassword123",  # checkov:skip=CKV_SECRET_6 test secret
            node_type="dc2.large",
            cluster_type="single-node",
            encrypted=True  # Enable encryption -- the property the check looks for
        )
# Instantiate the stack in an app and synthesize it.
app = core.App()
RedshiftClusterStack(app, "RedshiftClusterStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/RedshiftClusterLogging/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_redshift as redshift
class MyRedshiftClusterStack(core.Stack):
    """Negative fixture for RedshiftClusterLogging: no `logging_properties` on the cluster."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define a Redshift cluster WITHOUT logging properties, so audit logs are never
        # shipped to S3 -- the condition this fixture expects the check to flag (fail__1__).
        redshift.CfnCluster(
            self, 'MyRedshiftCluster',
            cluster_type='single-node',  # Or 'multi-node' based on your configuration
            db_name='mydb',
            master_username='admin',
            # Placeholder credential for a static-analysis fixture only; suppressed like the
            # sibling Redshift fixtures so the secrets scanner does not report it.
            master_user_password='password',  # checkov:skip=CKV_SECRET_6 test secret
            # Other properties as needed for your Redshift cluster
        )


app = core.App()
MyRedshiftClusterStack(app, "MyRedshiftClusterStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/RedshiftClusterLogging/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_redshift as redshift
class MyRedshiftClusterStack(core.Stack):
    """Positive fixture for RedshiftClusterLogging: `logging_properties` points at an S3 bucket."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define a Redshift cluster with logging properties so audit logs land in S3.
        redshift.CfnCluster(
            self, 'MyRedshiftCluster',
            cluster_type='single-node',  # Or 'multi-node' based on your configuration
            db_name='mydb',
            master_username='admin',
            # Placeholder credential for a static-analysis fixture only; suppressed like the
            # sibling Redshift fixtures so the secrets scanner does not report it.
            master_user_password='password',  # checkov:skip=CKV_SECRET_6 test secret
            logging_properties=redshift.CfnCluster.LoggingPropertiesProperty(
                bucket_name='my-redshift-logs-bucket'  # Replace with your S3 bucket name
            )
            # Other properties as needed for your Redshift cluster
        )


app = core.App()
MyRedshiftClusterStack(app, "MyRedshiftClusterStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_redshift as redshift
class RedshiftStack(core.Stack):
    """Negative fixture for RedshiftClusterPubliclyAccessible: `publicly_accessible=True`."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a Redshift cluster reachable from the public internet -- the condition
        # this fixture expects the check to flag (fail__1__).
        redshift_cluster = redshift.CfnCluster(
            self,
            "MyRedshiftCluster",
            cluster_identifier="my-redshift-cluster",
            node_type="dc2.large",
            publicly_accessible=True,  # Set PubliclyAccessible to true
            master_username="admin",
            # Placeholder credential for a static-analysis fixture only.
            master_user_password="MyPassword123",  # checkov:skip=CKV_SECRET_6 test secret
        )


app = core.App()
RedshiftStack(app, "RedshiftStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_redshift as redshift
class RedshiftStack(core.Stack):
    """Positive fixture for RedshiftClusterPubliclyAccessible: `publicly_accessible=False`."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a Redshift cluster that is explicitly NOT publicly accessible.
        redshift_cluster = redshift.CfnCluster(
            self,
            "MyRedshiftCluster",
            cluster_identifier="my-redshift-cluster",
            node_type="dc2.large",
            publicly_accessible=False,  # Set PubliclyAccessible to False
            master_username="admin",
            # Placeholder credential for a static-analysis fixture only.
            master_user_password="MyPassword123",  # checkov:skip=CKV_SECRET_6 test secret
        )


app = core.App()
RedshiftStack(app, "RedshiftStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/RedshiftInEc2ClassicMode/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_redshift as redshift
class MyRedshiftClusterStack(core.Stack):
    """Negative fixture for RedshiftInEc2ClassicMode: no `cluster_subnet_group_name` is set."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define a Redshift cluster WITHOUT a cluster subnet group; the sibling pass fixture
        # differs only by adding `cluster_subnet_group_name`, so its absence is what the check
        # flags (fail__1__). NOTE(review): the bare CfnCluster would presumably fail at synth
        # because its required properties are omitted -- irrelevant to static scanning.
        redshift.CfnCluster(
            self, 'MyRedshiftCluster',
        )


app = core.App()
MyRedshiftClusterStack(app, "MyRedshiftClusterStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/RedshiftInEc2ClassicMode/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_redshift as redshift
class MyRedshiftClusterStack(core.Stack):
    """Positive fixture for RedshiftInEc2ClassicMode: the cluster names a VPC subnet group."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define a Redshift cluster placed into a specific cluster subnet group (VPC mode).
        redshift.CfnCluster(
            self, 'MyRedshiftCluster',
            cluster_subnet_group_name='my-redshift-subnet-group',  # Replace with your Cluster Subnet Group name
            # Other properties for your Redshift Cluster
        )


app = core.App()
MyRedshiftClusterStack(app, "MyRedshiftClusterStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3BlockPublicACLs/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_s3 as s3
class S3BucketWithBlockPublicAclsStack(core.Stack):
    """Negative fixture for S3BlockPublicACLs (L2 form): `block_public_acls=False`."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # BlockPublicAccess with block_public_acls disabled -> first expected failure.
        s3.Bucket(
            self,
            "MyBucket",
            block_public_access=s3.BlockPublicAccess(block_public_acls=False)
        )


app = core.App()
S3BucketWithBlockPublicAclsStack(app, "S3BucketWithBlockPublicAclsStack")
app.synth()


# NOTE: this rebinds the same class name; the instantiation below resolves to this
# definition, the one above was already used by the first app.
class S3BucketWithBlockPublicAclsStack(core.Stack):
    """Negative fixture for S3BlockPublicACLs (L1 form): `blockPublicAcls` is False."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Only blockPublicAcls is disabled; the other three settings are on, so this
        # isolates the one property the check inspects -> second expected failure.
        s3.CfnBucket(
            self,
            "MyBucket",
            public_access_block_configuration={
                "blockPublicAcls": False,
                "blockPublicPolicy": True,
                "ignorePublicAcls": True,
                "restrictPublicBuckets": True
            }
        )


app = core.App()
S3BucketWithBlockPublicAclsStack(app, "S3BucketWithBlockPublicAclsStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3BlockPublicACLs/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_s3 as s3
class S3BucketWithBlockPublicAclsStack(core.Stack):
    """Positive fixture for S3BlockPublicACLs (L1 form): `blockPublicAcls` is True."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Full public-access block; blockPublicAcls is the property under test.
        s3.CfnBucket(
            self,
            "MyBucket",
            public_access_block_configuration={
                "blockPublicAcls": True,
                "blockPublicPolicy": True,
                "ignorePublicAcls": True,
                "restrictPublicBuckets": True
            }
        )


app = core.App()
S3BucketWithBlockPublicAclsStack(app, "S3BucketWithBlockPublicAclsStack")
app.synth()


# NOTE: this rebinds the same class name; the instantiation below uses this definition.
class S3BucketWithBlockPublicAclsStack(core.Stack):
    """Positive fixture for S3BlockPublicACLs (L2 form): `block_public_acls=True`."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        s3.Bucket(
            self,
            "MyBucket",
            block_public_access=s3.BlockPublicAccess(block_public_acls=True)
        )


app = core.App()
S3BucketWithBlockPublicAclsStack(app, "S3BucketWithBlockPublicAclsStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3BlockPublicPolicy/fail__2__.py
================================================
from constructs import Construct
from aws_cdk import App, Stack
from aws_cdk import (
aws_s3 as s4
)
class MyS3Stack(Stack):
    """Negative fixture for S3BlockPublicPolicy (two expected failures).

    The module is imported under the unusual alias `s4`, presumably to show the check
    resolves the CDK module by import rather than by the conventional `s3` name.
    """

    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Explicitly disables blocking of public bucket policies -> failure 1.
        bucket = s4.Bucket(self, "MyBlockedBucket",
                           block_public_access=s4.BlockPublicAccess(block_public_policy=False)
                           )
        # No block_public_access at all; the missing setting counts as a failure too -> failure 2.
        bucket2 = s4.Bucket(self, "MyBlockedBucket2"
                            )


app = App()
MyS3Stack(app, "MyS3Stack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3BlockPublicPolicy/pass.py
================================================
from constructs import Construct
from aws_cdk import App, Stack
from aws_cdk import (
aws_s3 as s4
)
class MyS3Stack(Stack):
    """Positive fixture for S3BlockPublicPolicy: both buckets block public bucket policies."""

    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Explicit single-flag form.
        bucket = s4.Bucket(self, "MyBlockedBucket",
                           block_public_access=s4.BlockPublicAccess(block_public_policy=True)
                           )
        # BLOCK_ALL preset, which also covers block_public_policy.
        bucket2 = s4.Bucket(self, "MyBlockedBucket2",
                            block_public_access=s4.BlockPublicAccess.BLOCK_ALL
                            )


app = App()
MyS3Stack(app, "MyS3Stack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3BucketEncryption/fail__2__.py
================================================
from aws_cdk import App, Stack, aws_s3 as s3
class AppStack(Stack):
    """Negative fixture for S3BucketEncryption (two expected failures).

    NOTE(review): both buckets reuse the construct id "example"; CDK would presumably
    reject the duplicate id at synth, which is irrelevant to static scanning.
    """

    def __init__(self, app: App, id: str) -> None:
        super().__init__(app, id)
        # No `encryption` argument at all -> failure 1.
        fail_1 = s3.Bucket(
            self,
            "example",
        )
        # Encryption explicitly switched off -> failure 2.
        fail_2 = s3.Bucket(
            self,
            "example",
            encryption=s3.BucketEncryption.UNENCRYPTED,
        )


app = App()
AppStack(app, "example-stack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3BucketEncryption/pass.py
================================================
from aws_cdk import App, Stack, aws_s3 as s3
class AppStack(Stack):
    """Positive fixture for S3BucketEncryption: SSE-S3 (S3_MANAGED) satisfies this check."""

    def __init__(self, app: App, id: str) -> None:
        super().__init__(app, id)
        # S3-managed keys are enough here; the stricter KMS requirement is a separate
        # check (see the S3BucketKMSEncryption fixtures, where S3_MANAGED fails).
        pass_1 = s3.Bucket(
            self,
            "example",
            encryption=s3.BucketEncryption.S3_MANAGED,
        )


app = App()
AppStack(app, "example-stack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3BucketKMSEncryption/fail__3__.py
================================================
from aws_cdk import App, Stack, aws_s3 as s3
class AppStack(Stack):
    """Negative fixture for S3BucketKMSEncryption (three expected failures).

    NOTE(review): all three buckets reuse the construct id "example"; fine for static
    scanning, but CDK would presumably reject the duplicate ids at synth.
    """

    def __init__(self, app: App, id: str) -> None:
        super().__init__(app, id)
        # No `encryption` argument -> failure 1.
        fail_1 = s3.Bucket(
            self,
            "example",
        )
        # Explicitly unencrypted -> failure 2.
        fail_2 = s3.Bucket(
            self,
            "example",
            encryption=s3.BucketEncryption.UNENCRYPTED,
        )
        # SSE-S3 is encrypted but not KMS-backed, so it still fails this check -> failure 3.
        fail_3 = s3.Bucket(
            self,
            "example",
            encryption=s3.BucketEncryption.S3_MANAGED,
        )


app = App()
AppStack(app, "example-stack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3BucketKMSEncryption/pass.py
================================================
from aws_cdk import App, Stack, aws_s3 as s3
class AppStack(Stack):
    """Positive fixture for S3BucketKMSEncryption: the bucket uses a KMS-managed key."""

    def __init__(self, app: App, id: str) -> None:
        super().__init__(app, id)
        pass_1 = s3.Bucket(
            self,
            "example",
            encryption=s3.BucketEncryption.KMS_MANAGED,
        )


app = App()
AppStack(app, "example-stack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3BucketLogging/fail.py
================================================
from aws_cdk import App, Stack, aws_s3 as s3
class AppStack(Stack):
    """Negative fixture for S3BucketLogging: the bucket has no server access logging target."""

    def __init__(self, app: App, id: str) -> None:
        super().__init__(app, id)
        # No `server_access_logs_bucket` -> the single expected failure.
        fail_1 = s3.Bucket(
            self,
            "example",
        )


app = App()
AppStack(app, "example-stack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3BucketLogging/pass.py
================================================
from aws_cdk import App, Stack, aws_s3 as s3
class AppStack(Stack):
    """Positive fixture for S3BucketLogging: `server_access_logs_bucket` is set."""

    def __init__(self, app: App, id: str) -> None:
        super().__init__(app, id)
        pass_1 = s3.Bucket(
            self,
            "example",
            # `bucket` is deliberately undefined: a real stack would reference a second,
            # separately created log bucket, but declaring one here would add another
            # Bucket resource and muddle the per-resource test expectations. The file is
            # only parsed by checkov, never executed, so the NameError never surfaces.
            server_access_logs_bucket=bucket,
        )


app = App()
AppStack(app, "example-stack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3BucketPublicAccessBlock/fail.py
================================================
from aws_cdk import App, Stack, aws_s3 as s3
class AppStack(Stack):
    """Negative fixture for S3BucketPublicAccessBlock: no `block_public_access` configured."""

    def __init__(self, app: App, id: str) -> None:
        super().__init__(app, id)
        # Absence of the public access block is the single expected failure.
        fail_1 = s3.Bucket(
            self,
            "example",
        )


app = App()
AppStack(app, "example-stack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3BucketPublicAccessBlock/pass.py
================================================
from aws_cdk import App, Stack, aws_s3 as s3
class AppStack(Stack):
    """Positive fixture for S3BucketPublicAccessBlock: the BLOCK_ALL preset is applied."""

    def __init__(self, app: App, id: str) -> None:
        super().__init__(app, id)
        pass_1 = s3.Bucket(
            self,
            "example",
            block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
        )


app = App()
AppStack(app, "example-stack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3BucketVersioning/fail__2__.py
================================================
from aws_cdk import App, Stack, aws_s3 as s3
class AppStack(Stack):
    """Negative fixture for S3BucketVersioning (two expected failures)."""

    def __init__(self, app: App, id: str) -> None:
        super().__init__(app, id)
        # Versioning not mentioned at all -> failure 1.
        fail_1 = s3.Bucket(
            self,
            "example",
        )
        # Versioning explicitly disabled -> failure 2.
        fail_2 = s3.Bucket(
            self,
            "example",
            versioned=False,
        )


app = App()
AppStack(app, "example-stack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3BucketVersioning/pass.py
================================================
from aws_cdk import App, Stack, aws_s3 as s3
class AppStack(Stack):
    """Positive fixture for S3BucketVersioning: `versioned=True`."""

    def __init__(self, app: App, id: str) -> None:
        super().__init__(app, id)
        pass_1 = s3.Bucket(
            self,
            "example",
            versioned=True,
        )


app = App()
AppStack(app, "example-stack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3IgnorePublicACLs/fail__2__.py
================================================
from constructs import Construct
from aws_cdk import App, Stack
from aws_cdk import (
aws_s3 as s4
)
class MyStack(Stack):
    """Negative fixture for S3IgnorePublicACLs (two expected failures)."""

    def __init__(self, scope: Construct, id: str, **kwargs):
        super().__init__(scope, id, **kwargs)
        # fail: ignore_public_acls passed as a literal False
        bucket = s4.Bucket(self, "MyS3Bucket",
                           bucket_name='my-s3-bucket',
                           public_read_access=False,
                           block_public_access=s4.BlockPublicAccess(
                               ignore_public_acls=False
                           )
                           )
        value = False
        # fail: same setting, but supplied through a local variable -- this exercises the
        # scanner's ability to resolve a name to its assigned literal rather than only
        # matching inline constants.
        bucket2 = s4.Bucket(self, "MyS3Bucket2",
                            bucket_name='my-s3-bucket2',
                            public_read_access=False,
                            block_public_access=s4.BlockPublicAccess(
                                ignore_public_acls=value
                            )
                            )


app = App()
MyStack(app, "my-stack-name")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3IgnorePublicACLs/pass.py
================================================
from constructs import Construct
from aws_cdk import App, Stack
from aws_cdk import (
aws_s3 as s4
)
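class MyStack(Stack):
    """Positive fixture for S3IgnorePublicACLs: both buckets set `ignore_public_acls=True`.

    The class was previously declared as `MyStac2` while the module-level
    instantiation below referenced `MyStack`, which would raise NameError if the file
    were ever executed; the name now matches the sibling fail fixture and the call site.
    """

    def __init__(self, scope: Construct, id: str, **kwargs):
        super().__init__(scope, id, **kwargs)
        # pass
        bucket = s4.Bucket(self, "MyS3Bucket",
                           bucket_name='my-s3-bucket',
                           public_read_access=False,
                           block_public_access=s4.BlockPublicAccess(
                               ignore_public_acls=True
                           )
                           )
        # pass
        bucket2 = s4.Bucket(self, "MyS3Bucket2",
                            bucket_name='my-s3-bucket2',
                            public_read_access=False,
                            block_public_access=s4.BlockPublicAccess(
                                ignore_public_acls=True
                            )
                            )


app = App()
MyStack(app, "my-stack-name")
app.synth()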
================================================
FILE: cdk_integration_tests/src/python/S3PublicACLRead/fail__3__.py
================================================
from constructs import Construct
from aws_cdk import App, Stack
from aws_cdk import (
aws_s3 as s3
)
class MyS3Stack(Stack):
    """Negative fixture for S3PublicACLRead (three expected failures)."""

    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Canned ACL granting anonymous read -> failure 1.
        bucket = s3.Bucket(self, "MyPublicReadBucket",
                           bucket_name="my-public-read-bucket",
                           access_control=s3.BucketAccessControl.PUBLIC_READ
                           )
        # Canned ACL granting anonymous read AND write -> failure 2.
        bucket2 = s3.Bucket(self, "MyPublicReadBucket2",
                            bucket_name="my-public-read-bucket2",
                            access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE
                            )
        # L2 convenience flag that grants public read -> failure 3.
        bucket3 = s3.Bucket(self, "MyPublicReadBucket3",
                            bucket_name="my-public-read-bucket3",
                            public_read_access=True
                            )


app = App()
MyS3Stack(app, "MyS3Stack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3PublicACLRead/pass.py
================================================
from constructs import Construct
from aws_cdk import App, Stack
from aws_cdk import (
aws_s3 as s3
)
class MyS3Stack(Stack):
    """Positive fixture for S3PublicACLRead: no public ACL, implicitly or explicitly."""

    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # No access_control / public_read_access argument at all.
        bucket = s3.Bucket(self, "MyPublicReadBucket",
                           bucket_name="my-public-read-bucket"
                           )
        # Explicitly private canned ACL.
        bucket2 = s3.Bucket(self, "MyPublicReadBucket2",
                            bucket_name="my-public-read-bucket2",
                            access_control=s3.BucketAccessControl.PRIVATE
                            )


app = App()
MyS3Stack(app, "MyS3Stack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3PublicACLWrite/fail__2__.py
================================================
from constructs import Construct
from aws_cdk import App, Stack
from aws_cdk import (
aws_s3 as s3
)
class MyS3Stack(Stack):
    """Negative fixture for S3PublicACLWrite (two expected failures).

    Construct ids and bucket names are copied from the S3PublicACLRead fixture; only
    the ACL values matter here.
    """

    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Canned ACL granting anonymous write -> failure 1.
        bucket2 = s3.Bucket(self, "MyPublicReadBucket2",
                            bucket_name="my-public-read-bucket2",
                            access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE
                            )
        # public_read_access=True is also counted by this check -> failure 2.
        bucket3 = s3.Bucket(self, "MyPublicReadBucket3",
                            bucket_name="my-public-read-bucket3",
                            public_read_access=True
                            )


app = App()
MyS3Stack(app, "MyS3Stack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3PublicACLWrite/pass.py
================================================
from constructs import Construct
from aws_cdk import App, Stack
from aws_cdk import (
aws_s3 as s3
)
class MyS3Stack(Stack):
    """Positive fixture for S3PublicACLWrite: no public-write ACL is granted."""

    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # No ACL argument at all.
        bucket = s3.Bucket(self, "MyPublicReadBucket",
                           bucket_name="my-public-read-bucket"
                           )
        # Explicitly private canned ACL.
        bucket2 = s3.Bucket(self, "MyPublicReadBucket2",
                            bucket_name="my-public-read-bucket2",
                            access_control=s3.BucketAccessControl.PRIVATE
                            )


app = App()
MyS3Stack(app, "MyS3Stack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3RestrictPublicBuckets/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_s3 as s3
class S3BucketWithPublicAccessStack(core.Stack):
    """Negative fixture for S3RestrictPublicBuckets (L2 form): `restrict_public_buckets=False`.

    NOTE(review): the four block_* / restrict_* flags are passed straight to `s3.Bucket`;
    in CDK they belong to `s3.BlockPublicAccess`, so this shape presumably only works for
    static matching and would not synthesize -- confirm the policy matches these names.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        s3.Bucket(
            self,
            "aaa",
            versioned=False,  # You can enable versioning if needed
            removal_policy=core.RemovalPolicy.DESTROY,  # Change this according to your retention policy
            block_public_acls=True,
            block_public_policy=True,
            ignore_public_acls=True,
            restrict_public_buckets=False  # the one flag under test -> failure 1
        )


app = core.App()
S3BucketWithPublicAccessStack(app, "S3BucketWithPublicAccessStack")
app.synth()


class PublicS3BucketStack(core.Stack):
    """Negative fixture for S3RestrictPublicBuckets (L1 form): `restrictPublicBuckets` is False."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a CloudFormation S3 bucket resource; the other three settings are on so
        # only restrictPublicBuckets drives the result -> failure 2.
        public_bucket = s3.CfnBucket(
            self,
            "PublicBucket",
            versioning_configuration={
                "status": "Suspended"  # You can enable versioning if needed
            },
            public_access_block_configuration={
                "blockPublicAcls": True,
                "blockPublicPolicy": True,
                "ignorePublicAcls": True,
                "restrictPublicBuckets": False
            }
        )


app = core.App()
PublicS3BucketStack(app, "PublicS3BucketStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/S3RestrictPublicBuckets/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_s3 as s3
class S3BucketWithPublicAccessStack(core.Stack):
    """Positive fixture for S3RestrictPublicBuckets (L2 form): `restrict_public_buckets=True`.

    NOTE(review): as in the fail fixture, the block_* / restrict_* flags are passed
    directly to `s3.Bucket` rather than via `s3.BlockPublicAccess`; this shape is for
    static matching only.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        s3.Bucket(
            self,
            "aaa",
            versioned=False,  # You can enable versioning if needed
            removal_policy=core.RemovalPolicy.DESTROY,  # Change this according to your retention policy
            block_public_acls=True,
            block_public_policy=True,
            ignore_public_acls=True,
            restrict_public_buckets=True
        )


app = core.App()
S3BucketWithPublicAccessStack(app, "S3BucketWithPublicAccessStack")
app.synth()


class PublicS3BucketStack(core.Stack):
    """Positive fixture for S3RestrictPublicBuckets (L1 form): all four block settings on."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a CloudFormation S3 bucket resource with a complete public-access block.
        public_bucket = s3.CfnBucket(
            self,
            "PublicBucket",
            versioning_configuration={
                "status": "Suspended"  # You can enable versioning if needed
            },
            public_access_block_configuration={
                "blockPublicAcls": True,
                "blockPublicPolicy": True,
                "ignorePublicAcls": True,
                "restrictPublicBuckets": True
            }
        )


app = core.App()
PublicS3BucketStack(app, "PublicS3BucketStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/SNSTopicEncryption/fail.py
================================================
from constructs import Construct
from aws_cdk import (
App,
Stack,
aws_sns as sns,
aws_kms as kms
)
class MyStack(Stack):
    """Negative fixture for SNSTopicEncryption: the topic has no `master_key`."""

    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # No KMS key attached, so messages at rest are not customer-key encrypted.
        # (`kms` is imported but unused here; it is kept symmetric with the pass fixture.)
        topic = sns.Topic(self, "Topic",
                          topic_name="my-topic",
                          )


app = App()
MyStack(app, "MyStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/SNSTopicEncryption/pass.py
================================================
from constructs import Construct
from aws_cdk import (
App,
Stack,
aws_sns as sns,
aws_kms as kms
)
class MyStack(Stack):
    """Positive fixture for SNSTopicEncryption: the topic is bound to a KMS key."""

    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # A stack-owned customer-managed key passed as the topic's master key.
        key = kms.Key(self, "MyKey")
        topic = sns.Topic(self, "Topic",
                          topic_name="my-topic",
                          master_key=key)


app = App()
MyStack(app, "MyStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/SQSQueueEncryption/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_sqs as sqs
class SqsQueueWithKmsKeyStack(core.Stack):
    """Negative fixture for SQSQueueEncryption (L2 form): KMS mode without an explicit key."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # `encryption=KMS` but no `encryption_master_key` -> failure 1.
        # NOTE(review): the L2 Queue presumably provisions its own key in this case, so
        # the synthesized queue may well be encrypted; the check still requires the key
        # to be named explicitly -- confirm that is the intended policy semantics.
        queue = sqs.Queue(self, "MySqsQueue",
                          encryption=sqs.QueueEncryption.KMS,
                          visibility_timeout=300  # Other properties for the queue
                          )


app = core.App()
SqsQueueWithKmsKeyStack(app, "SqsQueueWithKmsKeyStack")
app.synth()


class SqsQueueWithKmsKeyIdStack(core.Stack):
    """Negative fixture for SQSQueueEncryption (L1 form): no `kms_master_key_id` at all."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define an SQS queue with no KmsMasterKeyId -> failure 2.
        queue = sqs.CfnQueue(self, "MySqsQueue",
                             visibility_timeout=300  # Other properties for the queue
                             )


app = core.App()
SqsQueueWithKmsKeyIdStack(app, "SqsQueueWithKmsKeyIdStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/SQSQueueEncryption/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_sqs as sqs
from aws_cdk import aws_kms as kms
from aws_cdk import aws_cloudformation as cfn
class SqsQueueWithKmsKeyStack(core.Stack):
    """Positive fixture for SQSQueueEncryption (L2 form): KMS mode with an explicit key."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a KMS key for encryption; rotation enabled as good hygiene.
        kms_key = kms.Key(self, "MyKmsKey", enable_key_rotation=True)
        # Create an SQS queue with KMS encryption and the key named explicitly.
        queue = sqs.Queue(self, "MySqsQueue",
                          encryption=sqs.QueueEncryption.KMS,
                          encryption_master_key=kms_key,
                          visibility_timeout=300  # Other properties for the queue
                          )


app = core.App()
SqsQueueWithKmsKeyStack(app, "SqsQueueWithKmsKeyStack")
app.synth()


class SqsQueueWithKmsKeyIdStack(core.Stack):
    """Positive fixture for SQSQueueEncryption (L1 form): `kms_master_key_id` is a resolved attribute."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Stand-in for a key created out of band: a custom resource whose attribute is
        # used as the key id. The service_token is a placeholder, not a real function ARN.
        kms_key = cfn.CfnCustomResource(self, "MyKmsKeyResource",
                                        service_token="arn:aws:lambda:::function/",
                                        # Add other properties as needed
                                        )
        # Define an SQS queue whose KmsMasterKeyId is a GetAtt reference rather than a
        # literal -- exercises the scanner's handling of non-literal values.
        queue = sqs.CfnQueue(self, "MySqsQueue",
                             kms_master_key_id=kms_key.get_att("KmsKeyId"),
                             visibility_timeout=300  # Other properties for the queue
                             )


app = core.App()
SqsQueueWithKmsKeyIdStack(app, "SqsQueueWithKmsKeyIdStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/SecretManagerSecretEncrypted/fail__2__.py
================================================
from aws_cdk import core
from aws_cdk import aws_secretsmanager as secretsmanager
class MySecretsStack(core.Stack):
    """Negative fixture for SecretManagerSecretEncrypted (two expected failures across both stacks).

    NOTE(review): `kms_key_id` is the `CfnSecret` property name; the L2 `Secret` takes
    `encryption_key`. The shape here is for static matching only and would presumably
    raise at runtime -- confirm the policy keys on this attribute name.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # A key id containing "aws/" denotes an AWS-managed key, which this check treats
        # as not customer-encrypted -> failure 1.
        my_secret = secretsmanager.Secret(
            self, 'MySecret',
            secret_name='MySecretName',
            kms_key_id='arn:aws:kms:REGION:ACCOUNT_ID:key/aws/KMS_KEY_ID'
        )


class MySecretsStack2(core.Stack):
    """Second negative case: no KMS key at all.

    This stack is never instantiated below; the resource is still picked up by the
    static scan, which is what the fail__2__ count relies on.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # No kms_key_id -> failure 2.
        my_secret = secretsmanager.Secret(
            self, 'MySecret',
            secret_name='MySecretName',
        )


app = core.App()
MySecretsStack(app, "MySecretsStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/SecretManagerSecretEncrypted/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_secretsmanager as secretsmanager
class MySecretsStack(core.Stack):
    """Positive fixture for SecretManagerSecretEncrypted: a customer key id without "aws/".

    NOTE(review): as in the fail fixture, `kms_key_id` is the `CfnSecret` property name
    rather than the L2 `Secret`'s `encryption_key`; static matching only.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define a SecretsManager secret with a customer-managed KMS key id (no "aws/"
        # segment, unlike the fail fixture).
        my_secret = secretsmanager.Secret(
            self, 'MySecret',
            secret_name='MySecretName',
            kms_key_id='arn:aws:kms:REGION:ACCOUNT_ID:key/KMS_KEY_ID'
        )


app = core.App()
MySecretsStack(app, "MySecretsStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/SecurityGroupRuleDescription/fail__4__.py
================================================
from aws_cdk import core
from aws_cdk import aws_ec2 as ec2
class MySecurityGroupStack(core.Stack):
    """Negative fixture for SecurityGroupRuleDescription (ingress on CfnSecurityGroup) -> failure 1.

    NOTE(review): the description is the string 'False', which is non-empty; the pass
    fixture uses 'True', so the policy presumably compares the value rather than mere
    presence -- confirm, since a real-world failure is a missing description.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define EC2 Security Group (the 0.0.0.0/0 on :80 is incidental to this check).
        security_group = ec2.CfnSecurityGroup(
            self, 'MySecurityGroup',
            group_description='My security group',
            security_group_ingress=[
                {
                    'description': 'False',
                    'ipProtocol': 'tcp',
                    'fromPort': 80,
                    'toPort': 80,
                    'cidrIp': '0.0.0.0/0'
                }
            ],
            # Other properties for your Security Group
        )


app = core.App()
MySecurityGroupStack(app, "MySecurityGroupStack")
app.synth()


# NOTE: rebinds the same class name; the instantiation below uses this definition.
class MySecurityGroupStack(core.Stack):
    """Negative fixture: egress rule on CfnSecurityGroup with description 'False' -> failure 2."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define EC2 Security Group
        security_group = ec2.CfnSecurityGroup(
            self, 'MySecurityGroup',
            group_description='My security group',
            security_group_egress=[
                {
                    'description': 'False',
                    'ipProtocol': 'tcp',
                    'fromPort': 80,
                    'toPort': 80,
                    'cidrIp': '0.0.0.0/0'
                }
            ],
            # Other properties for your Security Group
        )


app = core.App()
MySecurityGroupStack(app, "MySecurityGroupStack")
app.synth()


class MySecurityGroupIngressStack(core.Stack):
    """Negative fixture: standalone CfnSecurityGroupIngress with no `description` -> failure 3."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define EC2 Security Group Ingress without a description.
        security_group_ingress = ec2.CfnSecurityGroupIngress(
            self, 'MySecurityGroupIngress',
            group_id='your-security-group-id',  # Replace with your Security Group ID
            ip_protocol='tcp',
            from_port=80,
            to_port=80,
            cidr_ip='0.0.0.0/0',
            # Other properties for your Security Group Ingress
        )


app = core.App()
MySecurityGroupIngressStack(app, "MySecurityGroupIngressStack")
app.synth()


class MySecurityGroupEgressStack(core.Stack):
    """Negative fixture: standalone CfnSecurityGroupEgress with no `description` -> failure 4."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define EC2 Security Group Egress without a description (the construct id and
        # local name still say "Ingress" -- copied from the case above).
        security_group_ingress = ec2.CfnSecurityGroupEgress(
            self, 'MySecurityGroupIngress',
            group_id='your-security-group-id',  # Replace with your Security Group ID
            ip_protocol='tcp',
            from_port=80,
            to_port=80,
            cidr_ip='0.0.0.0/0',
            # Other properties for your Security Group Egress
        )


app = core.App()
MySecurityGroupEgressStack(app, "MySecurityGroupEgressStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/SecurityGroupRuleDescription/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_ec2 as ec2
class MySecurityGroupStack(core.Stack):
    """Positive fixture for SecurityGroupRuleDescription: ingress rule with description 'True'."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define EC2 Security Group (the 0.0.0.0/0 on :80 is incidental to this check).
        security_group = ec2.CfnSecurityGroup(
            self, 'MySecurityGroup',
            group_description='My security group',
            security_group_ingress=[
                {
                    'description': 'True',
                    'ipProtocol': 'tcp',
                    'fromPort': 80,
                    'toPort': 80,
                    'cidrIp': '0.0.0.0/0'
                }
            ],
            # Other properties for your Security Group
        )


app = core.App()
MySecurityGroupStack(app, "MySecurityGroupStack")
app.synth()


# NOTE: rebinds the same class name; the instantiation below uses this definition.
class MySecurityGroupStack(core.Stack):
    """Positive fixture: egress rule on CfnSecurityGroup with description 'True'."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define EC2 Security Group
        security_group = ec2.CfnSecurityGroup(
            self, 'MySecurityGroup',
            group_description='My security group',
            security_group_egress=[
                {
                    'description': 'True',
                    'ipProtocol': 'tcp',
                    'fromPort': 80,
                    'toPort': 80,
                    'cidrIp': '0.0.0.0/0'
                }
            ],
            # Other properties for your Security Group
        )


app = core.App()
MySecurityGroupStack(app, "MySecurityGroupStack")
app.synth()


class MySecurityGroupIngressStack(core.Stack):
    """Positive fixture: standalone CfnSecurityGroupIngress carrying a `description`."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define EC2 Security Group Ingress with a (placeholder) description.
        security_group_ingress = ec2.CfnSecurityGroupIngress(
            self, 'MySecurityGroupIngress',
            group_id='your-security-group-id',  # Replace with your Security Group ID
            ip_protocol='tcp',
            from_port=80,
            to_port=80,
            cidr_ip='0.0.0.0/0',
            description='abc'
            # Other properties for your Security Group Ingress
        )


app = core.App()
MySecurityGroupIngressStack(app, "MySecurityGroupIngressStack")
app.synth()


class MySecurityGroupEgressStack(core.Stack):
    """Positive fixture: standalone CfnSecurityGroupEgress carrying a `description`."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define EC2 Security Group Egress with a (placeholder) description; the construct
        # id and local name still say "Ingress" -- copied from the case above.
        security_group_ingress = ec2.CfnSecurityGroupEgress(
            self, 'MySecurityGroupIngress',
            group_id='your-security-group-id',  # Replace with your Security Group ID
            ip_protocol='tcp',
            from_port=80,
            to_port=80,
            cidr_ip='0.0.0.0/0',
            description='abc'
            # Other properties for your Security Group Egress
        )


app = core.App()
MySecurityGroupEgressStack(app, "MySecurityGroupEgressStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/TransferServerIsPublic/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_transfer as transfer
class MyTransferServerStack(core.Stack):
    """Negative fixture for TransferServerIsPublic: `endpoint_type` is neither VPC nor VPC_ENDPOINT."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define a Transfer Server with an EndpointType that is NOT VPC-scoped -> failure 1.
        # NOTE(review): 'abc' is not a real EndpointType; the realistic failing value is
        # 'PUBLIC'. The fixture only needs a value outside the set the pass fixture uses
        # ('VPC', 'VPC_ENDPOINT').
        transfer.CfnServer(
            self, 'MyTransferServer',
            endpoint_type='abc',
            # Other properties as needed for your Transfer Server
        )


app = core.App()
MyTransferServerStack(app, "MyTransferServerStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/TransferServerIsPublic/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_transfer as transfer
class MyTransferServerStack(core.Stack):
    """Positive fixture for TransferServerIsPublic: `endpoint_type='VPC'`."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Transfer Server with EndpointType set to VPC
        transfer.CfnServer(
            self, 'MyTransferServer',
            endpoint_type='VPC',
            # Other properties as needed for your Transfer Server
        )


app = core.App()
MyTransferServerStack(app, "MyTransferServerStack")
app.synth()


class MyTransferServerStack2(core.Stack):
    """Positive fixture for TransferServerIsPublic: the older `VPC_ENDPOINT` value also passes."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define Transfer Server with EndpointType set to VPC_ENDPOINT
        transfer.CfnServer(
            self, 'MyTransferServer',
            endpoint_type='VPC_ENDPOINT',
            # Other properties as needed for your Transfer Server
        )


app = core.App()
MyTransferServerStack2(app, "MyTransferServerStack2")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/VPCEndpointAcceptanceConfigured/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_ec2 as ec2
class MyVpcEndpointServiceStack(core.Stack):
    """Negative fixture for VPCEndpointAcceptanceConfigured: `acceptance_required=False`."""

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define a VPC Endpoint Service that auto-accepts consumer connections, so any
        # principal allowed by the permissions can attach without review -> failure 1.
        vpc_endpoint_service = ec2.CfnVPCEndpointService(
            self, 'MyVPCEndpointService',
            acceptance_required=False,
            # Other properties for your VPC Endpoint Service
        )


app = core.App()
MyVpcEndpointServiceStack(app, "MyVpcEndpointServiceStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/VPCEndpointAcceptanceConfigured/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_ec2 as ec2
class MyVpcEndpointServiceStack(core.Stack):
    """Pass fixture for the VPCEndpointAcceptanceConfigured check.

    ``acceptance_required=True`` means each consumer connection request must be
    explicitly accepted by the service owner before traffic can flow.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Define VPC Endpoint Service with acceptance required (the compliant case).
        # NOTE(review): acceptance is a second gate, not a substitute for
        # restricting allowed principals on the service permissions.
        vpc_endpoint_service = ec2.CfnVPCEndpointService(
            self, 'MyVPCEndpointService',
            acceptance_required=True,
            # Other properties for your VPC Endpoint Service
        )


app = core.App()
MyVpcEndpointServiceStack(app, "MyVpcEndpointServiceStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/WAFEnabled/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_cloudfront as cloudfront
class CloudFrontDistributionStack(core.Stack):
    """Fail fixture for the WAFEnabled check.

    The distribution's ``distribution_config`` carries no ``webAclId``, so no
    WAF WebACL is in front of it — the condition the check must report.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a CloudFront distribution with no WebACL association.
        # NOTE(review): defaultCacheBehavior is empty (a real distribution needs
        # targetOriginId/viewerProtocolPolicy and an origin); this fixture is
        # only pattern-matched by checkov, not synthesized — confirm.
        distribution = cloudfront.CfnDistribution(
            self,
            "MyCloudFrontDistribution",
            distribution_config={
                "defaultCacheBehavior": {
                    # Configure your cache behavior as needed
                },
                "enabled": True,
            }
        )


app = core.App()
CloudFrontDistributionStack(app, "CloudFrontDistributionStack")
app.synth()
================================================
FILE: cdk_integration_tests/src/python/WAFEnabled/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_cloudfront as cloudfront
from aws_cdk import aws_wafv2 as wafv2
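class CloudFrontDistributionStack(core.Stack):
    """Pass fixture for the WAFEnabled check.

    A WAFv2 WebACL is created and attached to the CloudFront distribution via
    ``distribution_config["webAclId"]``; that association is what the check
    looks for.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a WebACL. AWS::WAFv2::WebACL requires DefaultAction, Scope and
        # VisibilityConfig, and a WebACL attached to CloudFront must be
        # CLOUDFRONT-scoped (AWS deploys those in us-east-1). Without scope and
        # visibility_config the stack would not synthesize.
        web_acl = wafv2.CfnWebACL(
            self,
            "MyWebACL",
            default_action={
                "allow": {}
            },
            scope="CLOUDFRONT",
            visibility_config={
                "cloudWatchMetricsEnabled": True,
                "metricName": "MyWebACL",
                "sampledRequestsEnabled": True,
            },
            # SECURITY: default_action=allow with no rules satisfies the check
            # but blocks nothing. Add rule groups (e.g. AWS managed rule sets)
            # before treating the distribution as WAF-protected.
        )
        # Create a CloudFront distribution and associate the WebACL.
        distribution = cloudfront.CfnDistribution(
            self,
            "MyCloudFrontDistribution",
            distribution_config={
                "defaultCacheBehavior": {
                    # Configure your cache behavior as needed
                },
                "enabled": True,
                # For WAFv2 the association is by WebACL ARN, not by id.
                "webAclId": web_acl.attr_arn  # Set the WebACL association
            }
        )


app = core.App()
CloudFrontDistributionStack(app, "CloudFrontDistributionStack")
app.synth()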
================================================
FILE: cdk_integration_tests/src/python/WorkspaceRootVolumeEncrypted/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_workspaces as workspaces
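class WorkSpacesStack(core.Stack):
    """Fail fixture for the WorkspaceRootVolumeEncrypted check.

    The workspace is created with ``root_volume_encryption_enabled=False``,
    which is the misconfiguration the check must report.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a WorkSpaces directory.
        # NOTE(review): this fixture is only pattern-matched by checkov and is
        # not synthesized, so this resource and the placeholder IDs below are
        # never validated against CloudFormation — confirm the construct exists.
        directory = workspaces.CfnWorkspaceDirectory(
            self, "MyWorkspaceDirectory",
            directory_name="my-workspace-directory",
            subnet_ids=["subnet-12345678"],  # Replace with your subnet IDs
            self_service_permissions="ENABLED",
        )
        # Create a WorkSpaces workspace with root volume encryption DISABLED.
        # directory_id is a required top-level property of
        # AWS::WorkSpaces::Workspace; it is not part of WorkspaceProperties
        # (which only carries compute type, running mode and volume sizes).
        workspace = workspaces.CfnWorkspace(
            self, "MyWorkspace",
            bundle_id="wsb-12345678",  # Replace with your bundle ID
            directory_id=directory.ref,
            user_name="my-user",
            root_volume_encryption_enabled=False,
            user_volume_encryption_enabled=False,  # user volume is covered by a separate check
        )


app = core.App()
WorkSpacesStack(app, "WorkSpacesStack")
app.synth()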
================================================
FILE: cdk_integration_tests/src/python/WorkspaceRootVolumeEncrypted/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_workspaces as workspaces
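class WorkSpacesStack(core.Stack):
    """Pass fixture for the WorkspaceRootVolumeEncrypted check.

    The workspace is created with ``root_volume_encryption_enabled=True``; the
    user volume is deliberately left unencrypted because that is covered by
    the separate WorkspaceUserVolumeEncrypted check.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a WorkSpaces directory.
        # NOTE(review): this fixture is only pattern-matched by checkov and is
        # not synthesized, so this resource and the placeholder IDs below are
        # never validated against CloudFormation — confirm the construct exists.
        directory = workspaces.CfnWorkspaceDirectory(
            self, "MyWorkspaceDirectory",
            directory_name="my-workspace-directory",
            subnet_ids=["subnet-12345678"],  # Replace with your subnet IDs
            self_service_permissions="ENABLED",
        )
        # Create a WorkSpaces workspace with root volume encryption enabled.
        # directory_id is a required top-level property of
        # AWS::WorkSpaces::Workspace; it is not part of WorkspaceProperties
        # (which only carries compute type, running mode and volume sizes).
        workspace = workspaces.CfnWorkspace(
            self, "MyWorkspace",
            bundle_id="wsb-12345678",  # Replace with your bundle ID
            directory_id=directory.ref,
            user_name="my-user",
            root_volume_encryption_enabled=True,
            user_volume_encryption_enabled=False,  # Set to True if you want user volume encryption
        )


app = core.App()
WorkSpacesStack(app, "WorkSpacesStack")
app.synth()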
================================================
FILE: cdk_integration_tests/src/python/WorkspaceUserVolumeEncrypted/fail__1__.py
================================================
from aws_cdk import core
from aws_cdk import aws_workspaces as workspaces
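class WorkSpacesStack(core.Stack):
    """Fail fixture for the WorkspaceUserVolumeEncrypted check.

    The workspace is created with ``user_volume_encryption_enabled=False``,
    which is the misconfiguration the check must report.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a WorkSpaces directory.
        # NOTE(review): this fixture is only pattern-matched by checkov and is
        # not synthesized, so this resource and the placeholder IDs below are
        # never validated against CloudFormation — confirm the construct exists.
        directory = workspaces.CfnWorkspaceDirectory(
            self, "MyWorkspaceDirectory",
            directory_name="my-workspace-directory",
            subnet_ids=["subnet-12345678"],  # Replace with your subnet IDs
            self_service_permissions="ENABLED",
        )
        # Create a WorkSpaces workspace with BOTH volumes unencrypted; the
        # user volume is the one this check reports.
        # directory_id is a required top-level property of
        # AWS::WorkSpaces::Workspace; it is not part of WorkspaceProperties.
        workspace = workspaces.CfnWorkspace(
            self, "MyWorkspace",
            bundle_id="wsb-12345678",  # Replace with your bundle ID
            directory_id=directory.ref,
            user_name="my-user",
            root_volume_encryption_enabled=False,
            user_volume_encryption_enabled=False,
        )


app = core.App()
WorkSpacesStack(app, "WorkSpacesStack")
app.synth()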
================================================
FILE: cdk_integration_tests/src/python/WorkspaceUserVolumeEncrypted/pass.py
================================================
from aws_cdk import core
from aws_cdk import aws_workspaces as workspaces
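class WorkSpacesStack(core.Stack):
    """Pass fixture for the WorkspaceUserVolumeEncrypted check.

    Both the root and the user volume are encrypted, so neither WorkSpaces
    encryption check should report this workspace.
    """

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Create a WorkSpaces directory.
        # NOTE(review): this fixture is only pattern-matched by checkov and is
        # not synthesized, so this resource and the placeholder IDs below are
        # never validated against CloudFormation — confirm the construct exists.
        directory = workspaces.CfnWorkspaceDirectory(
            self, "MyWorkspaceDirectory",
            directory_name="my-workspace-directory",
            subnet_ids=["subnet-12345678"],  # Replace with your subnet IDs
            self_service_permissions="ENABLED",
        )
        # Create a WorkSpaces workspace with root AND user volume encryption enabled.
        # directory_id is a required top-level property of
        # AWS::WorkSpaces::Workspace; it is not part of WorkspaceProperties.
        workspace = workspaces.CfnWorkspace(
            self, "MyWorkspace",
            bundle_id="wsb-12345678",  # Replace with your bundle ID
            directory_id=directory.ref,
            user_name="my-user",
            root_volume_encryption_enabled=True,
            user_volume_encryption_enabled=True,
        )


app = core.App()
WorkSpacesStack(app, "WorkSpacesStack")
app.synth()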
================================================
FILE: cdk_integration_tests/src/python/s3.py
================================================
from aws_cdk import App, Stack, aws_s3
class AppStack(Stack):
    """Minimal CDK app used as a smoke-test input.

    It defines a single S3 bucket with SSE-S3 (``S3_MANAGED``) default
    encryption and nothing else configured.
    """

    def __init__(self, app: App, id: str) -> None:
        super().__init__(app, id)
        # Only default encryption is set here; block-public-access, SSL
        # enforcement and versioning stay at construct defaults (presumably so
        # the synthesized template exercises those checks as-is — confirm
        # against the integration test's expected results before changing).
        aws_s3.Bucket(
            self,
            "example",
            encryption=aws_s3.BucketEncryption.S3_MANAGED,
        )


app = App()
AppStack(app, "example-stack")
app.synth()
================================================
FILE: cdk_integration_tests/src/typescript/ALBDropHttpHeaders/fail.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
// Fail fixture for ALBDropHttpHeaders: load balancers that do NOT drop
// invalid HTTP header fields. Each CfnLoadBalancer below is a variant placed
// in the fail set (non-application type, explicit 'false', wrong attribute
// key, no attributes).
// NOTE(review): the calls omit the construct `id` argument (CfnLoadBalancer
// is (scope, id, props)), so this file is only pattern-matched by checkov and
// is not expected to compile against aws-cdk-lib — confirm.
class ALBDropHttpHeadersStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    // Not an ALB: the drop-invalid-headers attribute does not apply here.
    new elbv2.CfnLoadBalancer(this, { type: 'not_application', loadBalancerAttributes: [{'key': 'routing.http.drop_invalid_header_fields.enabled', 'value': 'true'}] })
    // ALB with the attribute explicitly set to 'false'.
    new elbv2.CfnLoadBalancer(this, { type: 'application', loadBalancerAttributes: [{'value': 'false', 'key': 'routing.http.drop_invalid_header_fields.enabled'}] })
    // ALB with a wrong attribute key ('...disable' instead of '...enabled').
    new elbv2.CfnLoadBalancer(this, { loadBalancerAttributes: [{'key': 'routing.http.drop_invalid_header_fields.disable', 'value': 'true'}], type: 'application' })
    // ALB with no attributes: the AWS default for this attribute is false,
    // so malformed headers are forwarded to targets.
    new elbv2.CfnLoadBalancer(this, { loadBalancerAttributes: [], type: 'application' })
  }
}
const app = new App();
new ALBDropHttpHeadersStack(app, 'ALBDropHttpHeadersStack');
================================================
FILE: cdk_integration_tests/src/typescript/ALBDropHttpHeaders/pass.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
// Pass fixture for ALBDropHttpHeaders: every ALB sets
// routing.http.drop_invalid_header_fields.enabled = 'true', with the
// attribute entry and the `type` key in varying order so the check is not
// sensitive to property ordering.
// NOTE(review): the calls omit the construct `id` argument, so this file is
// only pattern-matched by checkov, not compiled — confirm.
class ALBDropHttpHeadersStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new elbv2.CfnLoadBalancer(this, { type: 'application', loadBalancerAttributes: [{'key': 'routing.http.drop_invalid_header_fields.enabled', 'value': 'true'}] })
    new elbv2.CfnLoadBalancer(this, { type: 'application', loadBalancerAttributes: [{'value': 'true', 'key': 'routing.http.drop_invalid_header_fields.enabled'}] })
    new elbv2.CfnLoadBalancer(this, { loadBalancerAttributes: [{'key': 'routing.http.drop_invalid_header_fields.enabled', 'value': 'true'}], type: 'application' })
    new elbv2.CfnLoadBalancer(this, { loadBalancerAttributes: [{'value': 'true', 'key': 'routing.http.drop_invalid_header_fields.enabled'}], type: 'application' })
  }
}
const app = new App();
new ALBDropHttpHeadersStack(app, 'ALBDropHttpHeadersStack');
================================================
FILE: cdk_integration_tests/src/typescript/ALBListenerHTTPS/fail.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
// Fail fixture for ALBListenerHTTPS: a listener with no protocol and no
// redirect-to-HTTPS default action, i.e. treated as a plaintext HTTP listener.
// NOTE(review): the call omits the construct `id` argument, so this file is
// only pattern-matched by checkov, not compiled — confirm.
class ALBListenerHTTPSStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new elbv2.CfnListener(this, {})
  }
}
const app = new App();
new ALBListenerHTTPSStack(app, 'ALBListenerHTTPSStack');
================================================
FILE: cdk_integration_tests/src/typescript/ALBListenerHTTPS/pass.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
// Pass fixture for ALBListenerHTTPS: listeners the check must NOT report.
// NOTE(review): the calls omit the construct `id` argument, so this file is
// only pattern-matched by checkov, not compiled — confirm.
class ALBListenerHTTPSStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    // Encrypted listeners: HTTPS (ALB) and TLS (NLB).
    new elbv2.CfnListener(this, {protocol: 'HTTPS'})
    new elbv2.CfnListener(this, {protocol: 'TLS'})
    // SECURITY NOTE: TCP / UDP / TCP_UDP are NLB protocols that the ALB-HTTP
    // check is not scoped to; they pass here but are NOT encrypted transport.
    new elbv2.CfnListener(this, {protocol: 'TCP'})
    new elbv2.CfnListener(this, {protocol: 'UDP'})
    new elbv2.CfnListener(this, {protocol: 'TCP_UDP'})
    // An HTTP listener whose only job is to redirect clients to HTTPS.
    new elbv2.CfnListener(this, {defaultActions: [{type: 'redirect', redirectConfig:{protocol: 'HTTPS'}}]})
  }
}
const app = new App();
new ALBListenerHTTPSStack(app, 'ALBListenerHTTPSStack');
================================================
FILE: cdk_integration_tests/src/typescript/APIGatewayAccessLogging/fail.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { apigateway as api } from 'aws-cdk-lib';
// Fail fixture for APIGatewayAccessLogging: a REST API stage with no
// accessLogSetting, so requests are not logged.
// NOTE(review): aws-cdk-lib exports this module as `aws_apigateway` (the
// `apigateway` import above would not resolve) and the call omits the
// construct `id`; the file is only pattern-matched by checkov — confirm.
class APIGatewayAccessLoggingStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new api.CfnStage(this, {})
  }
}
const app = new App();
new APIGatewayAccessLoggingStack(app, 'APIGatewayAccessLoggingStack');
================================================
FILE: cdk_integration_tests/src/typescript/APIGatewayAccessLogging/pass.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { apigateway as api } from 'aws-cdk-lib';
// Pass fixture for APIGatewayAccessLogging: the stage carries an
// accessLogSetting with a destinationArn.
// NOTE(review): "1" is a placeholder; a real stage needs a CloudWatch Logs
// (or Firehose) ARN plus a `format`. The check appears to test presence of
// destinationArn only — confirm.
class APIGatewayAccessLoggingStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new api.CfnStage(this, { accessLogSetting: { destinationArn: "1" }} )
  }
}
const app = new App();
new APIGatewayAccessLoggingStack(app, 'APIGatewayAccessLoggingStack');
================================================
FILE: cdk_integration_tests/src/typescript/APIGatewayAuthorization/fail.ts
================================================
// Import necessary AWS CDK packages
import * as apigateway from '@aws-cdk/aws-apigateway';
import { Resource } from '@aws-cdk/core';
// Example resource and method declarations
// Placeholder for the API resource the method is attached to.
// NOTE(review): core.Resource is abstract and takes (scope, id), so
// `new Resource()` does not compile — this file is only pattern-matched.
const resource: Resource = new Resource(); // Placeholder for actual resource initialization
// Test cases for the policy patterns
// This should match the first pattern and not be sanitized by the second pattern
// SOURCE
// No authorizationType is given and the L2 addMethod default is
// AuthorizationType.NONE, so this GET is an open method. apiKeyRequired is
// a usage-plan/throttling control, not authentication, so even `true` would
// not by itself protect the method.
const method1 = resource.addMethod('GET', new apigateway.MockIntegration(), {
  apiKeyRequired: false
});
================================================
FILE: cdk_integration_tests/src/typescript/APIGatewayAuthorization/fail__2__.ts
================================================
// Import necessary AWS CDK packages
import * as apigateway from '@aws-cdk/aws-apigateway';
import { Resource } from '@aws-cdk/core';
// Example resource and method declarations
// Placeholder for the API resource the method is attached to.
// NOTE(review): core.Resource is abstract and takes (scope, id), so
// `new Resource()` does not compile — this file is only pattern-matched.
const resource: Resource = new Resource(); // Placeholder for actual resource initialization
// Test cases for the policy patterns
// This should match the second pattern
// SINK
// Explicit AuthorizationType.NONE: the POST method is publicly callable.
const method2 = resource.addMethod('POST', new apigateway.MockIntegration(), {
  authorizationType: apigateway.AuthorizationType.NONE
});
================================================
FILE: cdk_integration_tests/src/typescript/APIGatewayAuthorization/pass.ts
================================================
// Import necessary AWS CDK packages
import * as apigateway from '@aws-cdk/aws-apigateway';
import { Resource } from '@aws-cdk/core';
// Example resource and method declarations
// Placeholder for the API resource the method is attached to.
// NOTE(review): core.Resource is abstract and takes (scope, id), so
// `new Resource()` does not compile — this file is only pattern-matched.
const resource: Resource = new Resource(); // Placeholder for actual resource initialization
// Test cases for the policy patterns
// This should not match any pattern as it includes an authorization type
// SANITIZER
// COGNITO user-pool authorization plus an API key. The check passes on the
// enum value alone; NOTE(review): deploying COGNITO also needs an
// `authorizer` (CognitoUserPoolsAuthorizer) on the method — confirm.
const method3 = resource.addMethod('PUT', new apigateway.MockIntegration(), {
  authorizationType: apigateway.AuthorizationType.COGNITO,
  apiKeyRequired: true
});
================================================
FILE: cdk_integration_tests/src/typescript/APIGatewayAuthorization/pass__2__.ts
================================================
// Import necessary AWS CDK packages
import * as apigateway from '@aws-cdk/aws-apigateway';
import { Resource } from '@aws-cdk/core';
// Example resource and method declarations
// Placeholder for the API resource the method is attached to.
// NOTE(review): core.Resource is abstract and takes (scope, id), so
// `new Resource()` does not compile — this file is only pattern-matched.
const resource: Resource = new Resource(); // Placeholder for actual resource initialization
// Test cases for the policy patterns
// This should not match any pattern as it includes an authorization type and is not open
// IAM (SigV4) authorization: callers need IAM credentials and an
// execute-api:Invoke grant for this DELETE.
const method4 = resource.addMethod('DELETE', new apigateway.MockIntegration(), {
  authorizationType: apigateway.AuthorizationType.IAM
});
================================================
FILE: cdk_integration_tests/src/typescript/APIGatewayCacheEnable/fail.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
// Fail fixture for APIGatewayCacheEnable: a stage without cacheClusterEnabled.
// NOTE(review): `Stage` is an API Gateway class but is referenced through the
// elbv2 alias, and the call omits the construct `id`; the file is only
// pattern-matched by checkov on the class name, not compiled — confirm.
class APIGatewayCacheEnableStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new elbv2.Stage(this, {})
  }
}
const app = new App();
new APIGatewayCacheEnableStack(app, 'APIGatewayCacheEnableStack');
================================================
FILE: cdk_integration_tests/src/typescript/APIGatewayCacheEnable/pass.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
// Pass fixture for APIGatewayCacheEnable: the stage enables its cache cluster.
// SECURITY NOTE: the check only tests that caching is on. A cache stores
// response bodies, so production stages should also encrypt cached data
// (cacheDataEncrypted in method settings) and make sure authorization-
// dependent responses are not served from a shared cache key.
// NOTE(review): `Stage` is referenced through the elbv2 alias and the call
// omits the construct `id`; pattern-matched only — confirm.
class APIGatewayCacheEnableStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new elbv2.Stage(this, { cacheClusterEnabled: true} )
  }
}
const app = new App();
new APIGatewayCacheEnableStack(app, 'APIGatewayCacheEnableStack');
================================================
FILE: cdk_integration_tests/src/typescript/APIGatewayV2AccessLogging/fail.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
// Fail fixture for APIGatewayV2AccessLogging: an HTTP/WebSocket API with no
// accessLogSettings.
// NOTE(review): in CloudFormation, AccessLogSettings is a property of
// AWS::ApiGatewayV2::Stage, not ::Api. If the checkov policy matches CfnApi
// here it may miss real stages — verify the policy's target resource. The
// class is also referenced through the elbv2 alias and the call omits the
// construct `id`, so this file is pattern-matched only.
class APIGatewayV2AccessLoggingStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new elbv2.CfnApi(this, {})
  }
}
const app = new App();
new APIGatewayV2AccessLoggingStack(app, 'APIGatewayV2AccessLoggingStack');
================================================
FILE: cdk_integration_tests/src/typescript/APIGatewayV2AccessLogging/pass.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
// Pass fixture for APIGatewayV2AccessLogging: accessLogSettings.destinationArn
// is present ("1" is a placeholder for a CloudWatch Logs ARN).
// NOTE(review): in CloudFormation, AccessLogSettings belongs to
// AWS::ApiGatewayV2::Stage rather than ::Api — verify the policy's target.
// The class is referenced through the elbv2 alias and the call omits the
// construct `id`; pattern-matched only.
class APIGatewayV2AccessLoggingStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new elbv2.CfnApi(this, {accessLogSettings: {destinationArn: "1"}})
  }
}
const app = new App();
new APIGatewayV2AccessLoggingStack(app, 'APIGatewayV2AccessLoggingStack');
================================================
FILE: cdk_integration_tests/src/typescript/APIGatewayXray/fail.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
// Fail fixture for APIGatewayXray: stages without X-Ray tracing — both the
// omitted case and an explicit `false`.
// NOTE(review): CfnStage is referenced through the elbv2 alias and the calls
// omit the construct `id`; pattern-matched by checkov only — confirm.
class APIGatewayXrayStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new elbv2.CfnStage(this, {})
    new elbv2.CfnStage(this, {tracingEnabled: false})
  }
}
const app = new App();
new APIGatewayXrayStack(app, 'APIGatewayXrayStack');
================================================
FILE: cdk_integration_tests/src/typescript/APIGatewayXray/pass.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
// Pass fixture for APIGatewayXray: the stage has tracingEnabled: true.
// NOTE(review): CfnStage is referenced through the elbv2 alias and the call
// omits the construct `id`; pattern-matched by checkov only — confirm.
class APIGatewayXrayStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new elbv2.CfnStage(this, {tracingEnabled: true})
  }
}
const app = new App();
new APIGatewayXrayStack(app, 'APIGatewayXrayStack');
================================================
FILE: cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/fail.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
// Fail fixture for AmazonMQBrokerPublicAccess: publiclyAccessible: true gives
// the broker endpoints public IP addresses reachable from the internet.
// NOTE(review): CfnBroker is referenced through the elbv2 alias and the call
// omits the construct `id`; pattern-matched by checkov only — confirm.
class AmazonMQBrokerPublicAccessStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new elbv2.CfnBroker(this, {publiclyAccessible: true})
  }
}
const app = new App();
new AmazonMQBrokerPublicAccessStack(app, 'AmazonMQBrokerPublicAccessStack');
================================================
FILE: cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/pass.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
// Pass fixture for AmazonMQBrokerPublicAccess.
// NOTE(review): PubliclyAccessible is a required property of
// AWS::AmazonMQ::Broker, so the `{}` case is not deployable as written; it
// documents that the check treats an omitted value as non-public.
// CfnBroker is referenced through the elbv2 alias and the calls omit the
// construct `id`; pattern-matched by checkov only — confirm.
class AmazonMQBrokerPublicAccessStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new elbv2.CfnBroker(this, {})
    new elbv2.CfnBroker(this, {publiclyAccessible: false})
  }
}
const app = new App();
new AmazonMQBrokerPublicAccessStack(app, 'AmazonMQBrokerPublicAccessStack');
================================================
FILE: cdk_integration_tests/src/typescript/AppSyncFieldLevelLogs/fail.ts
================================================
// Import necessary AWS CDK packages
import * as appsync from '@aws-cdk/aws-appsync';
// Example of a log configuration that does not enable field-level logging
// FINDING
// A LogConfig with no fieldLogLevel (never attached; the inline object below
// is the one the check inspects).
// FINDING
const logConfig: appsync.LogConfig = {
  // log configuration details
};
// This should match the pattern and be flagged as a vulnerability
// SINK
// NOTE(review): `this` is used outside any class, so this file is only
// pattern-matched by checkov, never compiled. Without fieldLogLevel the API
// logs nothing per-resolver, which hides failed/abusive field access.
const graphqlApiWithoutLogs = new appsync.GraphqlApi(this, 'apiWithoutLogs', {
  // other configuration details
  logConfig: {
    // Incorrect or missing fieldLogLevel configuration
  }
});
// The SAST engine should flag 1 vulnerability: `graphqlApiWithoutLogs`.
================================================
FILE: cdk_integration_tests/src/typescript/AppSyncFieldLevelLogs/pass.ts
================================================
// Import necessary AWS CDK packages
import * as appsync from '@aws-cdk/aws-appsync';
// Example of a log configuration that does not enable field-level logging
// FINDING
// A LogConfig with field-level logging at ALL (never attached; the inline
// object below is the one the check inspects).
// FINDING
const logConfig: appsync.LogConfig = {
  fieldLogLevel: appsync.FieldLogLevel.ALL
};
// This should not match the pattern as it includes a logConfig with FieldLogLevel
// NOTE(review): `this` is used outside any class; pattern-matched only.
// FieldLogLevel.ALL logs full resolver request/response data — make sure
// the log group is access-controlled and retention is set if it may contain
// user data.
const graphqlApiWithLogs = new appsync.GraphqlApi(this, 'apiWithLogs', {
  // other configuration details
  logConfig: {
    fieldLogLevel: appsync.FieldLogLevel.ALL // This is the correct configuration
  }
});
================================================
FILE: cdk_integration_tests/src/typescript/AppSyncLogging/fail.ts
================================================
// Import necessary AWS CDK packages
import * as appsync from '@aws-cdk/aws-appsync';
// Example of a log configuration
// FINDING
// An empty LogConfig (never attached; the inline object below is the one the
// check inspects).
// FINDING
const logConfig: appsync.LogConfig = {
  // log configuration details
};
// This should match the pattern and be flagged as a vulnerability
// SINK
// NOTE(review): `this` is used outside any class; pattern-matched only.
// The logConfig has no `role`, so AppSync has no IAM role to write to
// CloudWatch Logs and request logging is effectively off.
const graphqlApiWithoutRole = new appsync.GraphqlApi(this, 'apiWithoutRole', {
  // other configuration details
  logConfig: {
    // log configuration details without role
  }
});
// The SAST engine should flag 1 vulnerability: `graphqlApiWithoutRole`.
================================================
FILE: cdk_integration_tests/src/typescript/AppSyncLogging/pass.ts
================================================
// Import necessary AWS CDK packages
import * as appsync from '@aws-cdk/aws-appsync';
// Example of a log configuration
// FINDING
// NOTE(review): this pass fixture is identical to AppSyncLogging/fail.ts —
// same empty logConfig and the same "should flag 1 vulnerability" trailer —
// so it does not exercise the non-finding path. The pass case should supply
// the `role` the fail comment says is missing; confirm against the check's
// expected counts before relying on this file.
// FINDING
const logConfig: appsync.LogConfig = {
  // log configuration details
};
// This should match the pattern and be flagged as a vulnerability
// SINK
const graphqlApiWithoutRole = new appsync.GraphqlApi(this, 'apiWithoutRole', {
  // other configuration details
  logConfig: {
    // log configuration details without role
  }
});
// The SAST engine should flag 1 vulnerability: `graphqlApiWithoutRole`.
================================================
FILE: cdk_integration_tests/src/typescript/AthenaWorkgroupConfiguration/fail.ts
================================================
// Import necessary AWS CDK packages
import * as athena from '@aws-cdk/aws-athena';
// This should match the pattern and be flagged as a vulnerability
// SINK
// This should match the pattern and be flagged as a vulnerability
// SINK
// Without enforceWorkGroupConfiguration, clients can override the
// workgroup's result location and encryption settings per query, so
// workgroup-level result encryption cannot be relied upon.
// NOTE(review): `this` is used outside any class; pattern-matched only.
const workgroupWithoutEnforcement = new athena.CfnWorkGroup(this, 'workgroupWithoutEnforcement', {
  // other configuration details
  workGroupConfiguration: {
    // Workgroup configuration details without enforceWorkGroupConfiguration
  }
});
================================================
FILE: cdk_integration_tests/src/typescript/AthenaWorkgroupConfiguration/fail__2__.ts
================================================
// Import necessary AWS CDK packages
import * as athena from '@aws-cdk/aws-athena';
// Example of a Workgroup configuration
// FINDING
// Workgroup configuration passed by reference (rather than inline), with no
// enforceWorkGroupConfiguration — the check must follow the variable.
// FINDING
const workgroupConfig: athena.CfnWorkGroup.WorkGroupConfigurationProperty = {
  // Workgroup configuration details
};
// NOTE(review): `this` is used outside any class; pattern-matched only.
const workgroupWithoutEnforcement2 = new athena.CfnWorkGroup(this, 'workgroupWithoutEnforcement', {
  // other configuration details
  workGroupConfiguration: workgroupConfig
});
================================================
FILE: cdk_integration_tests/src/typescript/AthenaWorkgroupConfiguration/pass.ts
================================================
// Import necessary AWS CDK packages
import * as athena from '@aws-cdk/aws-athena';
// Example of a Workgroup configuration
// FINDING
// Workgroup configuration that enforces workgroup settings over client-side
// settings, so callers cannot bypass the workgroup's result encryption.
// FINDING
const workgroupConfig: athena.CfnWorkGroup.WorkGroupConfigurationProperty = {
  enforceWorkGroupConfiguration: true
};
// This should not match the pattern as it includes enforceWorkGroupConfiguration set to true
// NOTE(review): enforceWorkGroupConfiguration is a field of
// WorkGroupConfiguration, not a top-level CfnWorkGroup prop; the check passes
// on key presence. `this` is used outside any class; pattern-matched only.
const workgroupWithEnforcement = new athena.CfnWorkGroup(this, 'workgroupWithEnforcement', {
  // other configuration details
  enforceWorkGroupConfiguration: true
});
// This should not match the pattern as it includes enforceWorkGroupConfiguration set to true
// NOTE(review): here the configuration object is passed as the whole props
// (no `name`, not nested under workGroupConfiguration) — again valid only as
// a pattern fixture, not as a deployable workgroup.
const workgroupWithEnforcement2 = new athena.CfnWorkGroup(this, 'workgroupWithEnforcement', workgroupConfig);
================================================
FILE: cdk_integration_tests/src/typescript/AuroraEncryption/fail.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
// Fail fixture for AuroraEncryption: clusters without storage encryption —
// the omitted case and an explicit `false` (encryption cannot be enabled on
// an existing cluster later; it must be set at creation).
// NOTE(review): CfnDBCluster is referenced through the elbv2 alias and the
// calls omit the construct `id`; pattern-matched by checkov only — confirm.
class AuroraEncryptionStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new elbv2.CfnDBCluster(this, {})
    new elbv2.CfnDBCluster(this, {storageEncrypted: false})
  }
}
const app = new App();
new AuroraEncryptionStack(app, 'AuroraEncryptionStack');
================================================
FILE: cdk_integration_tests/src/typescript/AuroraEncryption/pass.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
// Pass fixture for AuroraEncryption: storageEncrypted: true.
// NOTE(review): CfnDBCluster is referenced through the elbv2 alias and the
// call omits the construct `id`; pattern-matched by checkov only — confirm.
class AuroraEncryptionStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new elbv2.CfnDBCluster(this, {storageEncrypted: true})
  }
}
const app = new App();
new AuroraEncryptionStack(app, 'AuroraEncryptionStack');
================================================
FILE: cdk_integration_tests/src/typescript/BackupVaultEncrypted/fail.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
// Fail fixture for BackupVaultEncrypted: vaults with no customer-managed
// encryptionKeyArn (omitted, or the placeholder `false`).
// NOTE(review): encryptionKeyArn is a KMS key ARN string in CloudFormation;
// the boolean here is a placeholder for pattern matching. Without it the
// vault falls back to the AWS-managed backup key rather than a CMK — confirm.
// CfnBackupVault is referenced through the elbv2 alias and the calls omit
// the construct `id`; pattern-matched by checkov only.
class BackupVaultEncryptedStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new elbv2.CfnBackupVault(this, {})
    new elbv2.CfnBackupVault(this, {encryptionKeyArn: false})
  }
}
const app = new App();
new BackupVaultEncryptedStack(app, 'BackupVaultEncryptedStack');
================================================
FILE: cdk_integration_tests/src/typescript/BackupVaultEncrypted/pass.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
// Pass fixture for BackupVaultEncrypted: encryptionKeyArn is present.
// NOTE(review): `true` is a placeholder — the real property is a KMS key
// ARN string. CfnBackupVault is referenced through the elbv2 alias and the
// call omits the construct `id`; pattern-matched by checkov only — confirm.
class BackupVaultEncryptedStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new elbv2.CfnBackupVault(this, {encryptionKeyArn: true})
  }
}
const app = new App();
new BackupVaultEncryptedStack(app, 'BackupVaultEncryptedStack');
================================================
FILE: cdk_integration_tests/src/typescript/CloudFrontTLS12/fail.ts
================================================
// Import necessary AWS CDK packages
import * as cloudfront from '@aws-cdk/aws-cloudfront';
import { Construct } from '@aws-cdk/core';
// Example of a ViewerCertificateProperty that does not specify TLS v1.2
// FINDING
// A ViewerCertificateProperty with no minimumProtocolVersion (never attached;
// the inline object below is the one the check inspects).
// FINDING
const viewerCertificateConfig: cloudfront.CfnDistribution.ViewerCertificateProperty = {
  // Viewer certificate configuration details
};
// This should match the pattern and be flagged as a vulnerability
// SINK
// NOTE(review): `new Construct()` without (scope, id) does not compile; this
// file is only pattern-matched by checkov. Without a minimum protocol
// version CloudFront may negotiate TLS 1.0/1.1 with viewers.
const distributionWithoutTLSv12 = new cloudfront.CfnDistribution(new Construct(), 'distributionWithoutTLSv12', {
  // other configuration details
  viewerCertificate: {
    // Incorrect or missing minimumProtocolVersion configuration
  }
});
// The SAST engine should flag 1 vulnerability: `distributionWithoutTLSv12`.
================================================
FILE: cdk_integration_tests/src/typescript/CloudFrontTLS12/pass.ts
================================================
// Import necessary AWS CDK packages
import * as cloudfront from '@aws-cdk/aws-cloudfront';
import { Construct } from '@aws-cdk/core';
// Example of a ViewerCertificateProperty that does not specify TLS v1.2
// FINDING
// An empty ViewerCertificateProperty (never attached; the inline object
// below is the one the check inspects).
// FINDING
const viewerCertificateConfig: cloudfront.CfnDistribution.ViewerCertificateProperty = {
  // Viewer certificate configuration details
};
// This should not match the pattern as it includes a ViewerCertificate with TLSv1.2
// NOTE(review): 'TLSv1.2' is not one of CloudFront's MinimumProtocolVersion
// values (TLSv1.2_2018 / TLSv1.2_2019 / TLSv1.2_2021); the check presumably
// matches on the prefix. The setting is also only honoured with a custom
// certificate (acmCertificateArn + sslSupportMethod), not with the default
// CloudFront certificate — confirm. `new Construct()` does not compile; the
// file is pattern-matched only.
const distributionWithTLSv12 = new cloudfront.CfnDistribution(new Construct(), 'distributionWithTLSv12', {
  // other configuration details
  viewerCertificate: {
    minimumProtocolVersion: 'TLSv1.2' // This is the correct configuration
  }
});
================================================
FILE: cdk_integration_tests/src/typescript/CloudTrailLogValidation/fail.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
// Fail fixture for CloudTrailLogValidation: trails without log file
// validation (omitted, and explicit `false`). Without validation there are no
// digest files, so tampering with or deleting delivered log files cannot be
// detected.
// NOTE(review): CfnTrail is referenced through the elbv2 alias and the calls
// omit the construct `id` (and required isLogging/s3BucketName); pattern-
// matched by checkov only — confirm.
class CloudTrailLogValidationStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new elbv2.CfnTrail(this, {})
    new elbv2.CfnTrail(this, {enableLogFileValidation: false})
  }
}
const app = new App();
new CloudTrailLogValidationStack(app, 'CloudTrailLogValidationStack');
================================================
FILE: cdk_integration_tests/src/typescript/CloudTrailLogValidation/pass.ts
================================================
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
// Pass fixture for CloudTrailLogValidation: enableLogFileValidation: true.
// NOTE(review): CfnTrail is referenced through the elbv2 alias and the call
// omits the construct `id`; pattern-matched by checkov only — confirm.
class CloudTrailLogValidationStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new elbv2.CfnTrail(this, {enableLogFileValidation: true})
  }
}
const app = new App();
new CloudTrailLogValidationStack(app, 'CloudTrailLogValidationStack');
================================================
FILE: cdk_integration_tests/src/typescript/CloudWatchLogGroupKMSKey/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as logs from 'aws-cdk-lib/aws-logs';
// Fail fixture for CloudWatchLogGroupKMSKey: an L2 LogGroup with no
// encryptionKey, so the group is not encrypted with a customer-managed key.
// NOTE(review): in aws-cdk-lib v2 `Construct` comes from the 'constructs'
// package, not `cdk.Construct`; this file is pattern-matched only — confirm.
export class MyLogGroupStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    new logs.LogGroup(this, 'MyLogGroup', {
      logGroupName: 'MyLogGroupName', // Name of the log group
      // SECURITY NOTE: DESTROY deletes the log data together with the stack;
      // for audit/security logs RETAIN is usually the safer choice.
      removalPolicy: cdk.RemovalPolicy.DESTROY, // Setting removal policy
      retention: logs.RetentionDays.ONE_MONTH, // Set the retention policy as needed
    });
    // You can add other resources or configurations to the stack here
  }
}
// Example usage
const app = new cdk.App();
new MyLogGroupStack(app, 'MyLogGroupStack');
================================================
FILE: cdk_integration_tests/src/typescript/CloudWatchLogGroupKMSKey/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as logs from 'aws-cdk-lib/aws-logs';
import * as kms from 'aws-cdk-lib/aws-kms';
// Pass fixture for CloudWatchLogGroupKMSKey: the L2 LogGroup is given a
// customer-managed KMS key via encryptionKey.
// NOTE(review): in aws-cdk-lib v2 `Construct` comes from the 'constructs'
// package, not `cdk.Construct`; this file is pattern-matched only — confirm.
export class MyLogGroupStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    new logs.LogGroup(this, 'MyLogGroup', {
      logGroupName: 'MyLogGroupName', // Name of the log group
      // SECURITY NOTE: DESTROY deletes the log data together with the stack;
      // for audit/security logs RETAIN is usually the safer choice.
      removalPolicy: cdk.RemovalPolicy.DESTROY, // Setting removal policy
      retention: logs.RetentionDays.ONE_MONTH, // Set the retention policy as needed
      // The key policy must let the CloudWatch Logs service principal use the
      // key or log delivery fails; verify the L2 LogGroup grants this. Key
      // rotation is not enabled here — consider enableKeyRotation: true.
      encryptionKey: new kms.Key(this, 'Key'),
    });
    // You can add other resources or configurations to the stack here
  }
}
// Example usage
const app = new cdk.App();
new MyLogGroupStack(app, 'MyLogGroupStack');
================================================
FILE: cdk_integration_tests/src/typescript/CloudWatchLogGroupRetention/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as logs from 'aws-cdk-lib/aws-logs';
/**
 * CloudWatchLogGroupRetention fixture, expected to FAIL: the L1 log group sets
 * no `retentionInDays`, which is the omission the check reports.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class MyLogGroupStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // L1 (Cfn) resource; retentionInDays intentionally left out.
    const group = new logs.CfnLogGroup(this, 'MyLogGroup', {
      kmsKeyId: '1',                  // placeholder key id, not a real ARN
      logGroupName: 'MyLogGroupName',
    });
    // Removal policy applied after construction rather than via props.
    group.applyRemovalPolicy(cdk.RemovalPolicy.DESTROY);
  }
}
// Example usage: instantiate the stack in a throw-away app so it can be scanned.
const cdkApp = new cdk.App();
new MyLogGroupStack(cdkApp, 'MyLogGroupStack');
================================================
FILE: cdk_integration_tests/src/typescript/CloudWatchLogGroupRetention/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as logs from 'aws-cdk-lib/aws-logs';
/**
 * CloudWatchLogGroupRetention fixture, expected to PASS: the L1 log group sets
 * `retentionInDays`, which is the property the check looks for.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class MyLogGroupStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const group = new logs.CfnLogGroup(this, 'MyLogGroup', {
      retentionInDays: 30,            // explicit retention satisfies the check
      kmsKeyId: '1',                  // placeholder key id, not a real ARN
      logGroupName: 'MyLogGroupName',
    });
    // Removal policy applied after construction rather than via props.
    group.applyRemovalPolicy(cdk.RemovalPolicy.DESTROY);
  }
}
// Example usage: instantiate the stack in a throw-away app so it can be scanned.
const cdkApp = new cdk.App();
new MyLogGroupStack(cdkApp, 'MyLogGroupStack');
================================================
FILE: cdk_integration_tests/src/typescript/CloudfrontDistributionEncryption/fail__2__.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
/**
 * CloudfrontDistributionEncryption fixture (L1 variant), expected to FAIL: the
 * default cache behavior uses 'allow-all', so HTTPS is not enforced for viewers.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class CloudFrontStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // NOTE(review): this origin object is never referenced below, and
    // origins.S3Origin appears to expect an IBucket rather than an object
    // literal; it is kept as found so the fixture's shape does not change.
    const unusedOrigin = new origins.S3Origin({ domainName: 'my-bucket.s3.amazonaws.com' });
    // L1 distribution; the viewer protocol policy is what the check inspects.
    const cfnDistribution = new cloudfront.CfnDistribution(this, 'MyDistribution', {
      distributionConfig: {
        enabled: true,
        origins: [
          {
            s3OriginConfig: {},
            domainName: 'my-bucket.s3.amazonaws.com',
            id: 'myOrigin1',
          },
        ],
        defaultCacheBehavior: {
          viewerProtocolPolicy: 'allow-all',  // plain HTTP permitted -> fail
          targetOriginId: 'myOrigin1',
        },
      },
    });
  }
}
// Example usage: instantiate the stack in a throw-away app so it can be scanned.
const cdkApp = new cdk.App();
new CloudFrontStack(cdkApp, 'CloudFrontStack');
/**
 * CloudfrontDistributionEncryption fixture (L2 variant), expected to FAIL: the
 * default behavior uses ViewerProtocolPolicy.ALLOW_ALL, so HTTPS is not enforced.
 */
export class CloudFrontStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // NOTE(review): origins.S3Origin appears to expect an IBucket rather than
    // an object literal; kept as found so the fixture's shape does not change.
    const s3Origin = new origins.S3Origin({ domainName: 'my-bucket.s3.amazonaws.com' });
    // L2 Distribution construct; the viewer protocol policy is what the check inspects.
    const dist = new cloudfront.Distribution(this, 'MyDistribution', {
      defaultBehavior: {
        viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.ALLOW_ALL,  // HTTP and HTTPS both accepted -> fail
        origin: s3Origin,
      },
    });
  }
}
// Example usage: instantiate the stack in a throw-away app so it can be scanned.
const cdkApp = new cdk.App();
new CloudFrontStack(cdkApp, 'CloudFrontStack');
================================================
FILE: cdk_integration_tests/src/typescript/CloudfrontDistributionEncryption/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
/**
 * CloudfrontDistributionEncryption fixture (L1 variant), expected to PASS: the
 * default cache behavior uses 'redirect-to-https', so viewers are moved to TLS.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class CloudFrontStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // NOTE(review): this origin object is never referenced below, and
    // origins.S3Origin appears to expect an IBucket rather than an object
    // literal; it is kept as found so the fixture's shape does not change.
    const unusedOrigin = new origins.S3Origin({ domainName: 'my-bucket.s3.amazonaws.com' });
    // L1 distribution; the viewer protocol policy is what the check inspects.
    const cfnDistribution = new cloudfront.CfnDistribution(this, 'MyDistribution', {
      distributionConfig: {
        enabled: true,
        origins: [
          {
            s3OriginConfig: {},
            domainName: 'my-bucket.s3.amazonaws.com',
            id: 'myOrigin1',
          },
        ],
        defaultCacheBehavior: {
          viewerProtocolPolicy: 'redirect-to-https',  // HTTP redirected to HTTPS -> pass
          targetOriginId: 'myOrigin1',
        },
      },
    });
  }
}
// Example usage: instantiate the stack in a throw-away app so it can be scanned.
const cdkApp = new cdk.App();
new CloudFrontStack(cdkApp, 'CloudFrontStack');
/**
 * CloudfrontDistributionEncryption fixture (L2 variant), expected to PASS: the
 * default behavior uses ViewerProtocolPolicy.REDIRECT_TO_HTTPS.
 */
export class CloudFrontStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // NOTE(review): origins.S3Origin appears to expect an IBucket rather than
    // an object literal; kept as found so the fixture's shape does not change.
    const s3Origin = new origins.S3Origin({ domainName: 'my-bucket.s3.amazonaws.com' });
    // L2 Distribution construct; the viewer protocol policy is what the check inspects.
    const dist = new cloudfront.Distribution(this, 'MyDistribution', {
      defaultBehavior: {
        viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,  // HTTP redirected to HTTPS -> pass
        origin: s3Origin,
      },
    });
  }
}
// Example usage: instantiate the stack in a throw-away app so it can be scanned.
const cdkApp = new cdk.App();
new CloudFrontStack(cdkApp, 'CloudFrontStack');
================================================
FILE: cdk_integration_tests/src/typescript/CloudfrontDistributionLogging/fail__2__.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import * as s3 from 'aws-cdk-lib/aws-s3';
import * as logs from 'aws-cdk-lib/aws-logs';
/**
 * CloudfrontDistributionLogging fixture (L2 variant), expected to FAIL:
 * `enableLogging` is explicitly false even though a log bucket is wired up.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class CloudFrontStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Bucket intended to receive CloudFront access logs.
    const accessLogBucket = new s3.Bucket(this, 'LogBucket');
    // NOTE(review): `cloudfront.Origins` is not a member of aws-cdk-lib/aws-cloudfront
    // (S3Origin lives in aws-cdk-lib/aws-cloudfront-origins); kept as found so the
    // fixture's shape does not change.
    const s3Origin = new cloudfront.Origins.S3Origin({ domainName: 'my-bucket.s3.amazonaws.com' });
    const dist = new cloudfront.Distribution(this, 'MyDistribution', {
      enableLogging: false,              // logging switched off -> fail
      logFilePrefix: 'cf-access-logs/',  // prefix for log objects
      logBucket: accessLogBucket,
      defaultBehavior: {
        viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.ALLOW_ALL,
        origin: s3Origin,
      },
    });
    // NOTE(review): Distribution exposes no `logBucketDelivery` property as far
    // as I can tell; this grant is kept as found.
    accessLogBucket.grantWrite(dist.logBucketDelivery);
  }
}
// Example usage: instantiate the stack in a throw-away app so it can be scanned.
const cdkApp = new cdk.App();
new CloudFrontStack(cdkApp, 'CloudFrontStack');
/**
 * CloudfrontDistributionLogging fixture (L1 variant), expected to FAIL: the
 * distributionConfig has no `logging` block at all.
 */
export class CloudFrontStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Bucket intended to receive CloudFront access logs (unused by the L1 config).
    const accessLogBucket = new s3.Bucket(this, 'LogBucket');
    // NOTE(review): CfnDistribution.OriginProperty is a property interface, not
    // a constructible class; kept as found so the fixture's shape does not change.
    const originProps = new cloudfront.CfnDistribution.OriginProperty({
      s3OriginConfig: {},
      id: 'myOrigin',
      domainName: 'my-bucket.s3.amazonaws.com',
    });
    // No `logging` key in distributionConfig -> fail.
    const cfnDist = new cloudfront.CfnDistribution(this, 'MyDistribution', {
      distributionConfig: {
        enabled: true,
        origins: [originProps],
        defaultCacheBehavior: {
          viewerProtocolPolicy: 'allow-all',
          targetOriginId: 'myOrigin',
        },
      },
    });
    // NOTE(review): CfnDistribution exposes no `logBucketDeliveryWrite` property
    // as far as I can tell; this grant is kept as found.
    accessLogBucket.grantWrite(cfnDist.logBucketDeliveryWrite);
  }
}
// Example usage: instantiate the stack in a throw-away app so it can be scanned.
const cdkApp = new cdk.App();
new CloudFrontStack(cdkApp, 'CloudFrontStack');
================================================
FILE: cdk_integration_tests/src/typescript/CloudfrontDistributionLogging/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import * as s3 from 'aws-cdk-lib/aws-s3';
import * as logs from 'aws-cdk-lib/aws-logs';
/**
 * CloudfrontDistributionLogging fixture (L2 variant), expected to PASS:
 * `enableLogging` is true and a log bucket is supplied.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class CloudFrontStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Bucket that receives CloudFront access logs.
    const accessLogBucket = new s3.Bucket(this, 'LogBucket');
    // NOTE(review): `cloudfront.Origins` is not a member of aws-cdk-lib/aws-cloudfront
    // (S3Origin lives in aws-cdk-lib/aws-cloudfront-origins); kept as found so the
    // fixture's shape does not change.
    const s3Origin = new cloudfront.Origins.S3Origin({ domainName: 'my-bucket.s3.amazonaws.com' });
    const dist = new cloudfront.Distribution(this, 'MyDistribution', {
      enableLogging: true,               // access logging on -> pass
      logFilePrefix: 'cf-access-logs/',  // prefix for log objects
      logBucket: accessLogBucket,
      defaultBehavior: {
        viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.ALLOW_ALL,
        origin: s3Origin,
      },
    });
    // NOTE(review): Distribution exposes no `logBucketDelivery` property as far
    // as I can tell; this grant is kept as found.
    accessLogBucket.grantWrite(dist.logBucketDelivery);
  }
}
// Example usage: instantiate the stack in a throw-away app so it can be scanned.
const cdkApp = new cdk.App();
new CloudFrontStack(cdkApp, 'CloudFrontStack');
/**
 * CloudfrontDistributionLogging fixture (L1 variant), expected to PASS: the
 * distributionConfig carries a `logging` block pointing at the log bucket.
 */
export class CloudFrontStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Bucket that receives CloudFront access logs.
    const accessLogBucket = new s3.Bucket(this, 'LogBucket');
    // NOTE(review): CfnDistribution.OriginProperty is a property interface, not
    // a constructible class; kept as found so the fixture's shape does not change.
    const originProps = new cloudfront.CfnDistribution.OriginProperty({
      s3OriginConfig: {},
      id: 'myOrigin',
      domainName: 'my-bucket.s3.amazonaws.com',
    });
    const cfnDist = new cloudfront.CfnDistribution(this, 'MyDistribution', {
      distributionConfig: {
        logging: {                          // presence of this block -> pass
          includeCookies: false,            // cookies are kept out of the logs
          prefix: 'cf-access-logs/',        // prefix for log objects
          bucket: accessLogBucket.bucketName,
        },
        enabled: true,
        origins: [originProps],
        defaultCacheBehavior: {
          viewerProtocolPolicy: 'allow-all',
          targetOriginId: 'myOrigin',
        },
      },
    });
    // NOTE(review): CfnDistribution exposes no `logBucketDeliveryWrite` property
    // as far as I can tell; this grant is kept as found.
    accessLogBucket.grantWrite(cfnDist.logBucketDeliveryWrite);
  }
}
// Example usage: instantiate the stack in a throw-away app so it can be scanned.
const cdkApp = new cdk.App();
new CloudFrontStack(cdkApp, 'CloudFrontStack');
================================================
FILE: cdk_integration_tests/src/typescript/CloudtrailEncryption/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as cloudtrail from 'aws-cdk-lib/aws-cloudtrail';
import * as kms from 'aws-cdk-lib/aws-kms';
/**
 * CloudtrailEncryption fixture, expected to FAIL: a KMS key is created but the
 * trail never references it, so no `kmsKeyId` reaches the CfnTrail.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class CloudTrailStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Key exists in the stack but is deliberately not attached to the trail.
    const orphanKey = new kms.Key(this, 'CloudTrailKmsKey');
    // No kmsKeyId on the trail -> fail.
    const cfnTrail = new cloudtrail.CfnTrail(this, 'MyTrail', {
      trailName: 'MyCloudTrail',
      isMultiRegionTrail: true,
      includeGlobalServiceEvents: true,
      enableLogFileValidation: true,
    });
  }
}
// Example usage: instantiate the stack in a throw-away app so it can be scanned.
const cdkApp = new cdk.App();
new CloudTrailStack(cdkApp, 'CloudTrailStack');
================================================
FILE: cdk_integration_tests/src/typescript/CloudtrailEncryption/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as cloudtrail from 'aws-cdk-lib/aws-cloudtrail';
import * as kms from 'aws-cdk-lib/aws-kms';
/**
 * CloudtrailEncryption fixture, expected to PASS: the trail's `kmsKeyId` points
 * at a customer-managed key created in the same stack.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class CloudTrailStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Customer-managed key used to encrypt the trail's log files.
    const trailKey = new kms.Key(this, 'CloudTrailKmsKey');
    const cfnTrail = new cloudtrail.CfnTrail(this, 'MyTrail', {
      kmsKeyId: trailKey.keyId,       // the property the check looks for
      trailName: 'MyCloudTrail',
      isMultiRegionTrail: true,
      includeGlobalServiceEvents: true,
      enableLogFileValidation: true,
    });
  }
}
// Example usage: instantiate the stack in a throw-away app so it can be scanned.
const cdkApp = new cdk.App();
new CloudTrailStack(cdkApp, 'CloudTrailStack');
/**
 * CloudtrailEncryption fixture (inline-key variant), expected to PASS: the key
 * is created inside the props object and its id assigned to `kmsKeyId`.
 */
export class CloudTrailStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const cfnTrail = new cloudtrail.CfnTrail(this, 'MyTrail', {
      kmsKeyId: new kms.Key(this, 'CloudTrailKmsKey').keyId,  // key created inline
      trailName: 'MyCloudTrail',
      isMultiRegionTrail: true,
      includeGlobalServiceEvents: true,
      enableLogFileValidation: true,
    });
  }
}
// Example usage: instantiate the stack in a throw-away app so it can be scanned.
const cdkApp = new cdk.App();
new CloudTrailStack(cdkApp, 'CloudTrailStack');
================================================
FILE: cdk_integration_tests/src/typescript/CloudtrailMultiRegion/fail__2__.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as cloudtrail from 'aws-cdk-lib/aws-cloudtrail';
import * as kms from 'aws-cdk-lib/aws-kms';
/**
 * CloudtrailMultiRegion fixture (L1 variant), expected to FAIL:
 * `isMultiRegionTrail` is explicitly false.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class CloudTrailStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Customer-managed key for the trail's log files.
    const trailKey = new kms.Key(this, 'CloudTrailKmsKey');
    const cfnTrail = new cloudtrail.CfnTrail(this, 'MyCfnTrail', {
      trailName: 'MyCloudTrail',
      kmsKeyId: trailKey.keyId,
      includeGlobalServiceEvents: true,
      enableLogFileValidation: true,
      isMultiRegionTrail: false,      // single-region trail -> fail
    });
  }
}
/**
 * CloudtrailMultiRegion fixture (L2 variant), expected to FAIL: the Trail
 * construct is created without an explicit `isMultiRegionTrail`.
 * NOTE(review): the L2 Trail construct presumably defaults isMultiRegionTrail to
 * true, so this variant likely fails only because the check inspects the
 * explicitly written property — confirm against the check's intent.
 */
export class CloudTrailStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Customer-managed key for the trail's log files.
    const trailKey = new kms.Key(this, 'CloudTrailKmsKey');
    // No isMultiRegionTrail here.
    const trail = new cloudtrail.Trail(this, 'MyTrail', {
      trailName: 'MyCloudTrail',
      encryptionKey: trailKey,
      includeGlobalServiceEvents: true,
      enableFileValidation: true,
    });
  }
}
================================================
FILE: cdk_integration_tests/src/typescript/CloudtrailMultiRegion/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as cloudtrail from 'aws-cdk-lib/aws-cloudtrail';
import * as kms from 'aws-cdk-lib/aws-kms';
/**
 * CloudtrailMultiRegion fixture (L1 variant), expected to PASS:
 * `isMultiRegionTrail` is explicitly true.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class CloudTrailStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Customer-managed key for the trail's log files.
    const trailKey = new kms.Key(this, 'CloudTrailKmsKey');
    const cfnTrail = new cloudtrail.CfnTrail(this, 'MyCfnTrail', {
      trailName: 'MyCloudTrail',
      kmsKeyId: trailKey.keyId,
      includeGlobalServiceEvents: true,
      enableLogFileValidation: true,
      isMultiRegionTrail: true,       // multi-region trail -> pass
    });
  }
}
/**
 * CloudtrailMultiRegion fixture (L2 variant), expected to PASS: the Trail
 * construct sets `isMultiRegionTrail: true` explicitly.
 */
export class CloudTrailStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Customer-managed key for the trail's log files.
    const trailKey = new kms.Key(this, 'CloudTrailKmsKey');
    const trail = new cloudtrail.Trail(this, 'MyTrail', {
      trailName: 'MyCloudTrail',
      encryptionKey: trailKey,
      includeGlobalServiceEvents: true,
      enableFileValidation: true,
      isMultiRegionTrail: true,       // multi-region trail -> pass
    });
  }
}
================================================
FILE: cdk_integration_tests/src/typescript/CodeBuildProjectEncryption/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as codebuild from 'aws-cdk-lib/aws-codebuild';
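/**
 * CodeBuildProjectEncryption fixture, expected to FAIL: the project is created
 * without an `encryptionKey`, which is the omission the check reports.
 *
 * Fix: the original ended with `project.node.addDependency(kmsKey)`, but no
 * `kmsKey` is declared anywhere in this file (there is not even a kms import),
 * so the reference could never resolve. The line is dropped; the project
 * definition — the part the check inspects — is unchanged.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class CodeBuildStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Deliberately no encryptionKey: that is what makes this a fail case.
    const project = new codebuild.Project(this, 'MyCodeBuildProject', {
      projectName: 'MyCodeBuildProject',
      environment: {
        buildImage: codebuild.LinuxBuildImage.STANDARD_4_0,
        environmentVariables: {
          'EXAMPLE_ENV_VARIABLE': { value: 'example-value' },
        },
      },
      // Minimal two-phase buildspec; its content is irrelevant to the check.
      buildSpec: codebuild.BuildSpec.fromObject({
        version: '0.2',
        phases: {
          install: {
            commands: [
              'npm install',
            ],
          },
          build: {
            commands: [
              'npm run build',
            ],
          },
        },
      }),
    });
  }
}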
// Example usage: instantiate the stack in a throw-away app so it can be scanned.
const cdkApp = new cdk.App();
new CodeBuildStack(cdkApp, 'CodeBuildStack');
================================================
FILE: cdk_integration_tests/src/typescript/CodeBuildProjectEncryption/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as codebuild from 'aws-cdk-lib/aws-codebuild';
import * as kms from 'aws-cdk-lib/aws-kms';
/**
 * CodeBuildProjectEncryption fixture, expected to PASS: the project's
 * `encryptionKey` is a customer-managed key created in the same stack.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class CodeBuildStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Customer-managed key for build artifacts and logs.
    const buildKey = new kms.Key(this, 'CodeBuildKmsKey');
    const buildProject = new codebuild.Project(this, 'MyCodeBuildProject', {
      encryptionKey: buildKey,        // the property the check looks for
      projectName: 'MyCodeBuildProject',
      environment: {
        buildImage: codebuild.LinuxBuildImage.STANDARD_4_0,
        environmentVariables: {
          'EXAMPLE_ENV_VARIABLE': { value: 'example-value' },
        },
      },
      // Minimal two-phase buildspec; its content is irrelevant to the check.
      buildSpec: codebuild.BuildSpec.fromObject({
        version: '0.2',
        phases: {
          install: {
            commands: [
              'npm install',
            ],
          },
          build: {
            commands: [
              'npm run build',
            ],
          },
        },
      }),
    });
    // Explicit ordering edge from the project to its key.
    buildProject.node.addDependency(buildKey);
  }
}
// Example usage: instantiate the stack in a throw-away app so it can be scanned.
const cdkApp = new cdk.App();
new CodeBuildStack(cdkApp, 'CodeBuildStack');
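/**
 * CodeBuildProjectEncryption fixture (inline-key variant), expected to PASS: the
 * KMS key is created inside the props object and assigned to `encryptionKey`.
 *
 * Fix: the original ended with `project.node.addDependency(kmsKey)`, but in this
 * variant the key is never bound to a name, so `kmsKey` is an unresolved
 * identifier. The line is dropped; the project definition — the part the
 * check inspects — is unchanged.
 */
export class CodeBuildStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const project = new codebuild.Project(this, 'MyCodeBuildProject', {
      projectName: 'MyCodeBuildProject',
      encryptionKey: new kms.Key(this, 'CodeBuildKmsKey'),  // key created inline
      environment: {
        buildImage: codebuild.LinuxBuildImage.STANDARD_4_0,
        environmentVariables: {
          'EXAMPLE_ENV_VARIABLE': { value: 'example-value' },
        },
      },
      // Minimal two-phase buildspec; its content is irrelevant to the check.
      buildSpec: codebuild.BuildSpec.fromObject({
        version: '0.2',
        phases: {
          install: {
            commands: [
              'npm install',
            ],
          },
          build: {
            commands: [
              'npm run build',
            ],
          },
        },
      }),
    });
  }
}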
// Example usage: instantiate the stack in a throw-away app so it can be scanned.
const cdkApp = new cdk.App();
new CodeBuildStack(cdkApp, 'CodeBuildStack');
================================================
FILE: cdk_integration_tests/src/typescript/DAXEncryption/fail__2__.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as dax from 'aws-cdk-lib/aws-dax';
/**
 * DAXEncryption fixture, expected to FAIL: `sseSpecification.enabled` is
 * explicitly false.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class DAXClusterStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const cluster = new dax.CfnCluster(this, 'MyDAXCluster', {
      sseSpecification: {
        enabled: false,               // server-side encryption off -> fail
      },
      replicationFactor: 2,
      nodeType: 'dax.r5.large',
      iamRoleArn: 'arn:aws:iam::123456789012:role/DAXServiceRole',  // placeholder account id
      description: 'My DAX Cluster',
      clusterName: 'MyDAXCluster',
    });
  }
}
// Example usage: instantiate the stack in a throw-away app and synthesize it.
const cdkApp = new cdk.App();
new DAXClusterStack(cdkApp, 'DAXClusterStack');
cdkApp.synth();
/**
 * DAXEncryption fixture (omission variant), expected to FAIL: no
 * `sseSpecification` is given at all.
 */
export class DAXClusterStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // No sseSpecification here -> fail.
    const cluster = new dax.CfnCluster(this, 'MyDAXCluster', {
      replicationFactor: 2,
      nodeType: 'dax.r5.large',
      iamRoleArn: 'arn:aws:iam::123456789012:role/DAXServiceRole',  // placeholder account id
      description: 'My DAX Cluster',
      clusterName: 'MyDAXCluster',
    });
  }
}
// Example usage: instantiate the stack in a throw-away app and synthesize it.
const cdkApp = new cdk.App();
new DAXClusterStack(cdkApp, 'DAXClusterStack');
cdkApp.synth();
================================================
FILE: cdk_integration_tests/src/typescript/DAXEncryption/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as dax from 'aws-cdk-lib/aws-dax';
/**
 * DAXEncryption fixture, expected to PASS: `sseSpecification.enabled` is true.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class DAXClusterStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const cluster = new dax.CfnCluster(this, 'MyDAXCluster', {
      sseSpecification: {
        enabled: true,                // server-side encryption on -> pass
      },
      replicationFactor: 2,
      nodeType: 'dax.r5.large',
      iamRoleArn: 'arn:aws:iam::123456789012:role/DAXServiceRole',  // placeholder account id
      description: 'My DAX Cluster',
      clusterName: 'MyDAXCluster',
    });
  }
}
// Example usage: instantiate the stack in a throw-away app and synthesize it.
const cdkApp = new cdk.App();
new DAXClusterStack(cdkApp, 'DAXClusterStack');
cdkApp.synth();
================================================
FILE: cdk_integration_tests/src/typescript/DMSReplicationInstancePubliclyAccessible/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as dms from 'aws-cdk-lib/aws-dms';
/**
 * DMSReplicationInstancePubliclyAccessible fixture, expected to FAIL:
 * `publiclyAccessible` is true. Every other property is a placeholder string
 * or number and plays no part in the check.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class DMSStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const instance = new dms.CfnReplicationInstance(this, 'MyCfnReplicationInstance', {
      publiclyAccessible: true,       // public endpoint -> fail
      replicationInstanceClass: 'replicationInstanceClass',
      // Placeholder optional properties
      vpcSecurityGroupIds: ['vpcSecurityGroupIds'],
      tags: [{ key: 'key', value: 'value' }],
      resourceIdentifier: 'resourceIdentifier',
      replicationSubnetGroupIdentifier: 'replicationSubnetGroupIdentifier',
      replicationInstanceIdentifier: 'replicationInstanceIdentifier',
      preferredMaintenanceWindow: 'preferredMaintenanceWindow',
      multiAz: false,
      kmsKeyId: 'kmsKeyId',
      engineVersion: 'engineVersion',
      availabilityZone: 'availabilityZone',
      autoMinorVersionUpgrade: false,
      allowMajorVersionUpgrade: false,
      allocatedStorage: 123,
    });
  }
}
// Example usage: instantiate the stack in a throw-away app and synthesize it.
const cdkApp = new cdk.App();
new DMSStack(cdkApp, 'DMSStack');
cdkApp.synth();
================================================
FILE: cdk_integration_tests/src/typescript/DMSReplicationInstancePubliclyAccessible/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as dms from 'aws-cdk-lib/aws-dms';
/**
 * DMSReplicationInstancePubliclyAccessible fixture, expected to PASS:
 * `publiclyAccessible` is false. Every other property is a placeholder string
 * or number and plays no part in the check.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class DMSStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const instance = new dms.CfnReplicationInstance(this, 'MyCfnReplicationInstance', {
      publiclyAccessible: false,      // no public endpoint -> pass
      replicationInstanceClass: 'replicationInstanceClass',
      // Placeholder optional properties
      vpcSecurityGroupIds: ['vpcSecurityGroupIds'],
      tags: [{ key: 'key', value: 'value' }],
      resourceIdentifier: 'resourceIdentifier',
      replicationSubnetGroupIdentifier: 'replicationSubnetGroupIdentifier',
      replicationInstanceIdentifier: 'replicationInstanceIdentifier',
      preferredMaintenanceWindow: 'preferredMaintenanceWindow',
      multiAz: false,
      kmsKeyId: 'kmsKeyId',
      engineVersion: 'engineVersion',
      availabilityZone: 'availabilityZone',
      autoMinorVersionUpgrade: false,
      allowMajorVersionUpgrade: false,
      allocatedStorage: 123,
    });
  }
}
// Example usage: instantiate the stack in a throw-away app and synthesize it.
const cdkApp = new cdk.App();
new DMSStack(cdkApp, 'DMSStack');
cdkApp.synth();
================================================
FILE: cdk_integration_tests/src/typescript/DocDBAuditLogs/fail__2__.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as docdb from 'aws-cdk-lib/aws-docdb';
/**
 * DocDBAuditLogs fixture, expected to FAIL: the cluster parameter group sets
 * `audit_logs` to 'disabled'.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class DocDBStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const parameterGroup = new docdb.CfnDBClusterParameterGroup(this, 'DocDBClusterParameterGroup', {
      parameters: {
        audit_logs: 'disabled',       // auditing off -> fail
      },
      family: 'docdb4.0',
      description: 'Custom DocDB Cluster Parameter Group',
    });
  }
}
// Example usage: instantiate the stack in a throw-away app and synthesize it.
const cdkApp = new cdk.App();
new DocDBStack(cdkApp, 'DocDBStack');
cdkApp.synth();
/**
 * DocDBAuditLogs fixture (omission variant), expected to FAIL: the parameter
 * group has no `parameters` block, so `audit_logs` is never set.
 */
export class DocDBStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // No parameters here -> fail.
    const parameterGroup = new docdb.CfnDBClusterParameterGroup(this, 'DocDBClusterParameterGroup', {
      family: 'docdb4.0',
      description: 'Custom DocDB Cluster Parameter Group',
    });
  }
}
// Example usage: instantiate the stack in a throw-away app and synthesize it.
const cdkApp = new cdk.App();
new DocDBStack(cdkApp, 'DocDBStack');
cdkApp.synth();
================================================
FILE: cdk_integration_tests/src/typescript/DocDBAuditLogs/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as docdb from 'aws-cdk-lib/aws-docdb';
/**
 * DocDBAuditLogs fixture, expected to PASS: the cluster parameter group sets
 * `audit_logs` to 'enabled'.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class DocDBStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const parameterGroup = new docdb.CfnDBClusterParameterGroup(this, 'DocDBClusterParameterGroup', {
      parameters: {
        audit_logs: 'enabled',        // auditing on -> pass
      },
      family: 'docdb4.0',
      description: 'Custom DocDB Cluster Parameter Group',
    });
  }
}
// Example usage: instantiate the stack in a throw-away app and synthesize it.
const cdkApp = new cdk.App();
new DocDBStack(cdkApp, 'DocDBStack');
cdkApp.synth();
================================================
FILE: cdk_integration_tests/src/typescript/DocDBEncryption/fail__2__.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as docdb from 'aws-cdk-lib/aws-docdb';
import * as kms from 'aws-cdk-lib/aws-kms';
/**
 * DocDBEncryption fixture, expected to FAIL: `storageEncrypted` is explicitly
 * false even though a KMS key id is supplied.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class DocDBStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Key that would encrypt storage if storageEncrypted were true.
    const storageKey = new kms.Key(this, 'DocDBEncryptionKey');
    const cluster = new docdb.CfnDBCluster(this, 'MyCluster', {
      storageEncrypted: false,        // encryption at rest off -> fail
      kmsKeyId: storageKey.keyArn,
      vpcSecurityGroupIds: ['sg-12345678'],   // placeholder security group
      engineVersion: '4.0.0',
      dbSubnetGroupName: 'MySubnetGroup',
      // Literal credential kept only because this is a scanner fixture; a real
      // stack would source the master password from a secret store.
      masterUserPassword: 'mysecretpassword',
      masterUsername: 'admin',
      dbClusterIdentifier: 'MyCluster',
    });
  }
}
// Example usage: instantiate the stack in a throw-away app and synthesize it.
const cdkApp = new cdk.App();
new DocDBStack(cdkApp, 'DocDBStack');
cdkApp.synth();
/**
 * DocDBEncryption fixture (omission variant), expected to FAIL: no
 * `storageEncrypted` property is given, although a KMS key id is supplied.
 */
export class DocDBStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Key referenced by kmsKeyId; storageEncrypted itself is left unset.
    const storageKey = new kms.Key(this, 'DocDBEncryptionKey');
    // No storageEncrypted here -> fail.
    const cluster = new docdb.CfnDBCluster(this, 'MyCluster', {
      kmsKeyId: storageKey.keyArn,
      vpcSecurityGroupIds: ['sg-12345678'],   // placeholder security group
      engineVersion: '4.0.0',
      dbSubnetGroupName: 'MySubnetGroup',
      // Literal credential kept only because this is a scanner fixture; a real
      // stack would source the master password from a secret store.
      masterUserPassword: 'mysecretpassword',
      masterUsername: 'admin',
      dbClusterIdentifier: 'MyCluster',
    });
  }
}
// Example usage: instantiate the stack in a throw-away app and synthesize it.
const cdkApp = new cdk.App();
new DocDBStack(cdkApp, 'DocDBStack');
cdkApp.synth();
================================================
FILE: cdk_integration_tests/src/typescript/DocDBEncryption/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as docdb from 'aws-cdk-lib/aws-docdb';
import * as kms from 'aws-cdk-lib/aws-kms';
/**
 * DocDBEncryption fixture, expected to PASS: `storageEncrypted` is true and a
 * customer-managed KMS key is referenced.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class DocDBStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Key used for storage encryption.
    const storageKey = new kms.Key(this, 'DocDBEncryptionKey');
    const cluster = new docdb.CfnDBCluster(this, 'MyCluster', {
      storageEncrypted: true,         // encryption at rest on -> pass
      kmsKeyId: storageKey.keyArn,
      vpcSecurityGroupIds: ['sg-12345678'],   // placeholder security group
      engineVersion: '4.0.0',
      dbSubnetGroupName: 'MySubnetGroup',
      // Literal credential kept only because this is a scanner fixture; a real
      // stack would source the master password from a secret store.
      masterUserPassword: 'mysecretpassword',
      masterUsername: 'admin',
      dbClusterIdentifier: 'MyCluster',
    });
  }
}
// Example usage: instantiate the stack in a throw-away app and synthesize it.
const cdkApp = new cdk.App();
new DocDBStack(cdkApp, 'DocDBStack');
cdkApp.synth();
================================================
FILE: cdk_integration_tests/src/typescript/DocDBTLS/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as docdb from 'aws-cdk-lib/aws-docdb';
/**
 * DocDBTLS fixture, expected to FAIL: the cluster parameter group sets `tls`
 * to 'disabled'.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class DocDBStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const parameterGroup = new docdb.CfnDBClusterParameterGroup(this, 'DocDBClusterParameterGroup', {
      parameters: {
        tls: 'disabled',              // transport encryption off -> fail
      },
      family: 'docdb4.0',
      description: 'Custom DocDB Cluster Parameter Group',
    });
  }
}
// Example usage: instantiate the stack in a throw-away app and synthesize it.
const cdkApp = new cdk.App();
new DocDBStack(cdkApp, 'DocDBStack');
cdkApp.synth();
================================================
FILE: cdk_integration_tests/src/typescript/DocDBTLS/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as docdb from 'aws-cdk-lib/aws-docdb';
/**
 * DocDBTLS fixture, expected to PASS: the cluster parameter group sets `tls`
 * to 'enabled'.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class DocDBStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const parameterGroup = new docdb.CfnDBClusterParameterGroup(this, 'DocDBClusterParameterGroup', {
      parameters: {
        tls: 'enabled',               // transport encryption on -> pass
      },
      family: 'docdb4.0',
      description: 'Custom DocDB Cluster Parameter Group',
    });
  }
}
// Example usage: instantiate the stack in a throw-away app and synthesize it.
const cdkApp = new cdk.App();
new DocDBStack(cdkApp, 'DocDBStack');
cdkApp.synth();
================================================
FILE: cdk_integration_tests/src/typescript/DynamodbGlobalTableRecovery/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
/**
 * DynamodbGlobalTableRecovery fixture, expected to FAIL: the global table's
 * `pointInTimeRecoveryEnabled` is explicitly false.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class DynamoDBStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Source table with a single string hash key and fixed throughput.
    const sourceTable = new dynamodb.CfnTable(this, 'MyTable', {
      provisionedThroughput: {
        writeCapacityUnits: 5,
        readCapacityUnits: 5,
      },
      keySchema: [{ attributeName: 'id', keyType: 'HASH' }],
      attributeDefinitions: [{ attributeName: 'id', attributeType: 'S' }],
      tableName: 'MyTable',
    });
    // Global table replicating the source table; PITR is the property the check inspects.
    const globalTable = new dynamodb.CfnGlobalTable(this, 'MyGlobalTable', {
      pointInTimeRecoverySpecification: {
        pointInTimeRecoveryEnabled: false,  // PITR off -> fail
      },
      sourceTableName: sourceTable.ref,
      replicationGroup: [{
        region: 'us-east-1',          // replica region; adjust as needed
      }],
      globalTableName: 'MyGlobalTable',
    });
  }
}
// Example usage: instantiate the stack in a throw-away app and synthesize it.
const cdkApp = new cdk.App();
new DynamoDBStack(cdkApp, 'DynamoDBStack');
cdkApp.synth();
================================================
FILE: cdk_integration_tests/src/typescript/DynamodbGlobalTableRecovery/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
/**
 * DynamodbGlobalTableRecovery fixture, expected to PASS: the global table's
 * `pointInTimeRecoveryEnabled` is true.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class DynamoDBStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Source table with a single string hash key and fixed throughput.
    const sourceTable = new dynamodb.CfnTable(this, 'MyTable', {
      provisionedThroughput: {
        writeCapacityUnits: 5,
        readCapacityUnits: 5,
      },
      keySchema: [{ attributeName: 'id', keyType: 'HASH' }],
      attributeDefinitions: [{ attributeName: 'id', attributeType: 'S' }],
      tableName: 'MyTable',
    });
    // Global table replicating the source table; PITR is the property the check inspects.
    const globalTable = new dynamodb.CfnGlobalTable(this, 'MyGlobalTable', {
      pointInTimeRecoverySpecification: {
        pointInTimeRecoveryEnabled: true,   // PITR on -> pass
      },
      sourceTableName: sourceTable.ref,
      replicationGroup: [{
        region: 'us-east-1',          // replica region; adjust as needed
      }],
      globalTableName: 'MyGlobalTable',
    });
  }
}
// Example usage: instantiate the stack in a throw-away app and synthesize it.
const cdkApp = new cdk.App();
new DynamoDBStack(cdkApp, 'DynamoDBStack');
cdkApp.synth();
================================================
FILE: cdk_integration_tests/src/typescript/DynamodcRecovery/fail__2__.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
/**
 * DynamodcRecovery fixture (L1 variant), expected to FAIL: the table's
 * `pointInTimeRecoveryEnabled` is explicitly false.
 * NOTE(review): aws-cdk-lib v2 takes `scope` as `Construct` from the
 * 'constructs' package; `cdk.Construct` is the v1 location of that type.
 */
export class DynamoDBStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const cfnTable = new dynamodb.CfnTable(this, 'MyTable', {
      pointInTimeRecoverySpecification: {
        pointInTimeRecoveryEnabled: false,  // PITR off -> fail
      },
      provisionedThroughput: {
        writeCapacityUnits: 5,
        readCapacityUnits: 5,
      },
      keySchema: [{ attributeName: 'id', keyType: 'HASH' }],
      attributeDefinitions: [{ attributeName: 'id', attributeType: 'S' }],
      tableName: 'MyTable',
    });
  }
}
// Example usage: instantiate the stack in a throw-away app and synthesize it.
const cdkApp = new cdk.App();
new DynamoDBStack(cdkApp, 'DynamoDBStack');
cdkApp.synth();
// Checkov CDK integration fixture (DynamodcRecovery, fail case): the same
// misconfiguration expressed with the L2 `dynamodb.Table` construct.
// NOTE(review): this file declares `DynamoDBStack` and `app` a second time
// (first declaration is at the top of the file); as TypeScript this is a
// duplicate-identifier error — presumably tolerated because the scanner parses
// rather than compiles the fixture.
export class DynamoDBStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Define the DynamoDB table with point-in-time recovery disabled
    const table = new dynamodb.Table(this, 'MyTable', {
      tableName: 'MyTable',
      partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
      readCapacity: 5,
      writeCapacity: 5,
      removalPolicy: cdk.RemovalPolicy.DESTROY, // Optional: specify removal policy
      timeToLiveAttribute: 'ttlAttribute', // TTL attribute name; unrelated to point-in-time recovery
      pointInTimeRecovery: false, // Disable point-in-time recovery (the misconfiguration under test)
    });
  }
}
// Example usage: synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new DynamoDBStack(app, 'DynamoDBStack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/DynamodcRecovery/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
// Checkov CDK integration fixture (DynamodcRecovery, pass case): an L1 CfnTable
// with point-in-time recovery enabled.
// NOTE(review): `cdk.Construct` is the CDK v1 location of Construct; the other
// fixtures in this directory import `Construct` from 'constructs' (CDK v2 style).
export class DynamoDBStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Define the DynamoDB table
    const table = new dynamodb.CfnTable(this, 'MyTable', {
      tableName: 'MyTable',
      attributeDefinitions: [{ attributeName: 'id', attributeType: 'S' }],
      keySchema: [{ attributeName: 'id', keyType: 'HASH' }],
      provisionedThroughput: {
        readCapacityUnits: 5,
        writeCapacityUnits: 5,
      },
      // The compliant configuration this pass case exercises.
      pointInTimeRecoverySpecification: {
        pointInTimeRecoveryEnabled: true, // Enable point-in-time recovery for the table
      },
    });
  }
}
// Example usage: synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new DynamoDBStack(app, 'DynamoDBStack');
app.synth();
// Checkov CDK integration fixture (DynamodcRecovery, pass case): the compliant
// configuration expressed with the L2 `dynamodb.Table` construct.
// NOTE(review): this file declares `DynamoDBStack` and `app` a second time
// (first declaration is at the top of the file); as TypeScript this is a
// duplicate-identifier error — presumably tolerated because the scanner parses
// rather than compiles the fixture.
export class DynamoDBStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Define the DynamoDB table with point-in-time recovery enabled
    const table = new dynamodb.Table(this, 'MyTable', {
      tableName: 'MyTable',
      partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
      readCapacity: 5,
      writeCapacity: 5,
      removalPolicy: cdk.RemovalPolicy.DESTROY, // Optional: specify removal policy
      timeToLiveAttribute: 'ttlAttribute', // TTL attribute name; unrelated to point-in-time recovery
      pointInTimeRecovery: true, // Enable point-in-time recovery (the setting under test)
    });
  }
}
// Example usage: synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new DynamoDBStack(app, 'DynamoDBStack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/EBSEncryption/fail__2__.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
// Checkov CDK integration fixture (EBSEncryption, fail case): an L2 `ec2.Volume`
// created with encryption explicitly disabled.
// NOTE(review): `cdk.Construct` is the CDK v1 location of Construct; the other
// fixtures in this directory import `Construct` from 'constructs' (CDK v2 style).
export class EC2Stack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Create an EC2 instance (only needed to supply an availability zone and an attachment target)
    const instance = new ec2.Instance(this, 'MyInstance', {
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO),
      machineImage: ec2.MachineImage.latestAmazonLinux(),
      vpc: new ec2.Vpc(this, 'MyVpc'),
    });
    // Create an EBS volume with encryption disabled (the misconfiguration this fail case exercises)
    const volume = new ec2.Volume(this, 'MyVolume', {
      availabilityZone: instance.instanceAvailabilityZone,
      size: ec2.Size.gibibytes(10), // Specify the volume size
      encrypted: false, // Disable encryption for the volume
    });
    // Attach the volume to the instance
    // NOTE(review): `instance.instance` is the underlying CfnInstance, which does
    // not appear to expose `addVolumeAttachment` — confirm; the check presumably
    // only inspects the Volume props above.
    instance.instance.addVolumeAttachment('MyVolumeAttachment', {
      volume,
      device: '/dev/sdf', // Specify the device name
    });
  }
}
// Example usage: synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new EC2Stack(app, 'EC2Stack');
app.synth();
// Checkov CDK integration fixture (EBSEncryption, fail case): the same
// misconfiguration expressed with the L1 `ec2.CfnVolume` construct.
// NOTE(review): this file declares `EC2Stack` and `app` a second time (first
// declaration is at the top of the file); as TypeScript this is a
// duplicate-identifier error — presumably tolerated because the scanner parses
// rather than compiles the fixture.
export class EC2Stack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Create an EC2 instance
    const instance = new ec2.Instance(this, 'MyInstance', {
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO),
      machineImage: ec2.MachineImage.latestAmazonLinux(),
      vpc: new ec2.Vpc(this, 'MyVpc'),
    });
    // Create an EBS volume with encryption disabled (the misconfiguration this fail case exercises)
    const volume = new ec2.CfnVolume(this, 'MyVolume', {
      availabilityZone: instance.instanceAvailabilityZone,
      size: 10, // Specify the volume size in GiB
      encrypted: false, // Disable encryption for the volume
    });
    // Attach the volume to the instance
    new ec2.CfnVolumeAttachment(this, 'MyVolumeAttachment', {
      instanceId: instance.instanceId,
      volumeId: volume.ref,
      device: '/dev/sdf', // Specify the device name
    });
  }
}
// Example usage: synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new EC2Stack(app, 'EC2Stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/EBSEncryption/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
// Checkov CDK integration fixture (EBSEncryption, pass case): an L2 `ec2.Volume`
// created with encryption enabled.
// NOTE(review): `cdk.Construct` is the CDK v1 location of Construct; the other
// fixtures in this directory import `Construct` from 'constructs' (CDK v2 style).
export class EC2Stack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Create an EC2 instance (only needed to supply an availability zone and an attachment target)
    const instance = new ec2.Instance(this, 'MyInstance', {
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO),
      machineImage: ec2.MachineImage.latestAmazonLinux(),
      vpc: new ec2.Vpc(this, 'MyVpc'),
    });
    // Create an EBS volume with encryption enabled (the compliant setting this pass case exercises)
    const volume = new ec2.Volume(this, 'MyVolume', {
      availabilityZone: instance.instanceAvailabilityZone,
      size: ec2.Size.gibibytes(10), // Specify the volume size
      encrypted: true, // Enable encryption for the volume
    });
    // Attach the volume to the instance
    // NOTE(review): `instance.instance` is the underlying CfnInstance, which does
    // not appear to expose `addVolumeAttachment` — confirm; the check presumably
    // only inspects the Volume props above.
    instance.instance.addVolumeAttachment('MyVolumeAttachment', {
      volume,
      device: '/dev/sdf', // Specify the device name
    });
  }
}
// Example usage: synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new EC2Stack(app, 'EC2Stack');
app.synth();
// Checkov CDK integration fixture (EBSEncryption, pass case): the compliant
// configuration expressed with the L1 `ec2.CfnVolume` construct.
// NOTE(review): this file declares `EC2Stack` and `app` a second time (first
// declaration is at the top of the file); as TypeScript this is a
// duplicate-identifier error — presumably tolerated because the scanner parses
// rather than compiles the fixture.
export class EC2Stack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Create an EC2 instance
    const instance = new ec2.Instance(this, 'MyInstance', {
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO),
      machineImage: ec2.MachineImage.latestAmazonLinux(),
      vpc: new ec2.Vpc(this, 'MyVpc'),
    });
    // Create an EBS volume with encryption enabled (the compliant setting this pass case exercises)
    const volume = new ec2.CfnVolume(this, 'MyVolume', {
      availabilityZone: instance.instanceAvailabilityZone,
      size: 10, // Specify the volume size in GiB
      encrypted: true, // Enable encryption for the volume
    });
    // Attach the volume to the instance
    new ec2.CfnVolumeAttachment(this, 'MyVolumeAttachment', {
      instanceId: instance.instanceId,
      volumeId: volume.ref,
      device: '/dev/sdf', // Specify the device name
    });
  }
}
// Example usage: synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new EC2Stack(app, 'EC2Stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/EC2PublicIP/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (EC2PublicIP, fail case): an `ec2.Instance`
// that requests a public IP address at launch.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // A VPC with a single public subnet group for the instance to land in.
    const vpc = new ec2.Vpc(this, 'VPC', {
      cidr: '10.0.0.0/16',
      natGateways: 0,
      maxAzs: 2,
      subnetConfiguration: [
        {
          name: 'public-subnet-1',
          subnetType: ec2.SubnetType.PUBLIC,
          cidrMask: 24,
        },
      ],
    });
    const instance = new ec2.Instance(this, 'Instance', {
      vpc,
      vpcSubnets: {subnetGroupName: 'public-subnet-1'},
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.NANO),
      machineImage: new ec2.AmazonLinuxImage({generation: ec2.AmazonLinuxGeneration.AMAZON_LINUX_2}),
      detailedMonitoring: true,
      // The misconfiguration this fail case exercises: a public IP is assigned.
      associatePublicIpAddress: true
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/EC2PublicIP/fail_2.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (EC2PublicIP, fail case): the same setting
// expressed on an `ec2.LaunchTemplate` instead of an `ec2.Instance`.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // A VPC with a single public subnet group; only needed to host the security group.
    const vpc = new ec2.Vpc(this, 'VPC', {
      cidr: '10.0.0.0/16',
      natGateways: 0,
      maxAzs: 2,
      subnetConfiguration: [
        {
          name: 'public-subnet-1',
          subnetType: ec2.SubnetType.PUBLIC,
          cidrMask: 24,
        },
      ],
    });
    const sg1 = new ec2.SecurityGroup(this, 'sg1', {
      vpc: vpc,
    });
    const launchTemplate = new ec2.LaunchTemplate(this, 'LaunchTemplate', {
      machineImage: ec2.MachineImage.latestAmazonLinux2023(),
      securityGroup: sg1,
      // The misconfiguration this fail case exercises: instances launched from
      // this template get a public IP.
      associatePublicIpAddress: true
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/EC2PublicIP/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (EC2PublicIP, pass case): an `ec2.Instance`
// that explicitly does not request a public IP address.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // A VPC with a single public subnet group for the instance to land in.
    const vpc = new ec2.Vpc(this, 'VPC', {
      cidr: '10.0.0.0/16',
      natGateways: 0,
      maxAzs: 2,
      subnetConfiguration: [
        {
          name: 'public-subnet-1',
          subnetType: ec2.SubnetType.PUBLIC,
          cidrMask: 24,
        },
      ],
    });
    const instance = new ec2.Instance(this, 'Instance', {
      vpc,
      vpcSubnets: {subnetGroupName: 'public-subnet-1'},
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.NANO),
      machineImage: new ec2.AmazonLinuxImage({generation: ec2.AmazonLinuxGeneration.AMAZON_LINUX_2}),
      detailedMonitoring: true,
      // The compliant setting this pass case exercises: no public IP at launch.
      associatePublicIpAddress: false
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ECRImageScanning/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ecr from 'aws-cdk-lib/aws-ecr';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ECRImageScanning, fail case): an ECR
// repository created with an empty props object, so `imageScanOnPush` is never set.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const repository = new ecr.Repository(this, 'Repo', {} );
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ECRImageScanning/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ecr from 'aws-cdk-lib/aws-ecr';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ECRImageScanning, pass case): an ECR
// repository with scan-on-push enabled.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const repository = new ecr.Repository(this, 'Repo', {
      imageScanOnPush: true // the compliant setting this pass case exercises
    } );
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ECRImmutableTags/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ecr from 'aws-cdk-lib/aws-ecr';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ECRImmutableTags, fail case): an ECR
// repository created with an empty props object, so `imageTagMutability` is never set.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const repository = new ecr.Repository(this, 'Repo', {} );
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ECRImmutableTags/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ecr from 'aws-cdk-lib/aws-ecr';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ECRImmutableTags, pass case): an ECR
// repository whose image tags cannot be overwritten.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const repository = new ecr.Repository(this, 'Repo', {
      imageTagMutability: ecr.TagMutability.IMMUTABLE // the compliant setting this pass case exercises
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ECRRepositoryEncrypted/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ecr from 'aws-cdk-lib/aws-ecr';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ECRRepositoryEncrypted, fail case): an ECR
// repository created with an empty props object, so neither `encryption` nor
// `encryptionKey` is set.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const repository = new ecr.Repository(this, 'Repo', {} );
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ECRRepositoryEncrypted/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ecr from 'aws-cdk-lib/aws-ecr';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ECRRepositoryEncrypted, pass case): an ECR
// repository that selects KMS encryption via the `encryption` prop.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const repository = new ecr.Repository(this, 'Repo', {
      encryption: ecr.RepositoryEncryption.KMS // the compliant setting this pass case exercises
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ECRRepositoryEncrypted/pass_2.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ecr from 'aws-cdk-lib/aws-ecr';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ECRRepositoryEncrypted, pass case): an ECR
// repository that passes a customer-managed key via `encryptionKey` instead of
// the `encryption` prop.
// NOTE(review): `kms` is never imported in this file (the imports above only
// bring in `cdk`, `ecr` and `Construct`); as TypeScript this does not compile.
// Presumably tolerated because the scanner parses rather than compiles, but an
// `import * as kms from 'aws-cdk-lib/aws-kms';` would make the fixture self-consistent.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const repository = new ecr.Repository(this, 'Repo', {
      encryptionKey: new kms.Key(this, 'Key') // the compliant setting this pass case exercises
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ECSClusterContainerInsights/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ecs from 'aws-cdk-lib/aws-ecs';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ECSClusterContainerInsights, fail case): five
// ways of ending up with Container Insights off, across the L2 and L1 constructs.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const vpc = new ec2.Vpc(this, 'Vpc', {maxAzs: 1});
    // No insights setting at all.
    const cluster = new ecs.Cluster(this, 'EcsCluster', {vpc});
    // Legacy boolean prop, explicitly off.
    const cluster2 = new ecs.Cluster(this, 'EcsCluster2', {vpc, containerInsights: false});
    // Newer enum prop, explicitly disabled.
    const cluster3 = new ecs.Cluster(this, 'EcsCluster3', {vpc, containerInsightsV2: ecs.ContainerInsights.DISABLED});
    // L1 construct with an empty clusterSettings list.
    const cluster4 = new ecs.CfnCluster(this, 'EcsCluster4', {clusterSettings: []});
    // L1 construct with the containerInsights setting explicitly 'disabled'.
    const cluster5 = new ecs.CfnCluster(this, 'EcsCluster5', {clusterSettings: [{name: 'containerInsights', value: 'disabled'}]});
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ECSClusterContainerInsights/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ecs from 'aws-cdk-lib/aws-ecs';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ECSClusterContainerInsights, pass case): five
// ways of turning Container Insights on, across the L2 and L1 constructs.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const vpc = new ec2.Vpc(this, 'Vpc', {maxAzs: 1});
    // Legacy boolean prop.
    const cluster = new ecs.Cluster(this, 'EcsCluster', {vpc, containerInsights: true});
    // Newer enum prop, standard insights.
    const cluster2 = new ecs.Cluster(this, 'EcsCluster2', {vpc, containerInsightsV2: ecs.ContainerInsights.ENABLED});
    // Newer enum prop, enhanced insights.
    const cluster3 = new ecs.Cluster(this, 'EcsCluster6', {vpc, containerInsightsV2: ecs.ContainerInsights.ENHANCED});
    // L1 construct with the setting as a name/value pair.
    const cluster4 = new ecs.CfnCluster(this, 'EcsCluster4', {clusterSettings: [{name: 'containerInsights', value: 'enabled'}]});
    // Same L1 setting with the object keys in reverse order, so the check must not depend on key order.
    const cluster5 = new ecs.CfnCluster(this, 'EcsCluster5', {clusterSettings: [{value: 'enhanced', name: 'containerInsights'}]});
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ECSTaskDefinitionEFSVolumeEncryption/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ecs from 'aws-cdk-lib/aws-ecs';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ECSTaskDefinitionEFSVolumeEncryption, fail
// case): an EC2 task definition whose EFS volume has transit encryption disabled.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const taskDefinition = new ecs.Ec2TaskDefinition(this, 'TaskDef', {
      volumes:
      [
        {
          name:"my-volume",
          efsVolumeConfiguration:{
            // The misconfiguration this fail case exercises.
            transitEncryption: "DISABLED"
          }
        }
      ]
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ECSTaskDefinitionEFSVolumeEncryption/fail_2.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ecs from 'aws-cdk-lib/aws-ecs';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ECSTaskDefinitionEFSVolumeEncryption, fail
// case): the same misconfiguration on a Fargate task definition.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const taskDefinition = new ecs.FargateTaskDefinition(this, 'TaskDef', {
      volumes:
      [
        {
          name:"my-volume",
          efsVolumeConfiguration:{
            // The misconfiguration this fail case exercises.
            transitEncryption: "DISABLED"
          }
        }
      ]
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ECSTaskDefinitionEFSVolumeEncryption/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ecs from 'aws-cdk-lib/aws-ecs';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ECSTaskDefinitionEFSVolumeEncryption, pass
// case): an EC2 task definition whose EFS volume has transit encryption enabled.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const taskDefinition = new ecs.Ec2TaskDefinition(this, 'TaskDef', {
      volumes:
      [
        {
          name:"my-volume",
          efsVolumeConfiguration:{
            // The compliant setting this pass case exercises.
            transitEncryption: "ENABLED"
          }
        }
      ]
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/EFSEncryptionEnabled/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as efs from 'aws-cdk-lib/aws-efs';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (EFSEncryptionEnabled, fail case): an EFS
// file system created without the `encrypted` prop.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const fileSystem = new efs.FileSystem(this, 'MyEfsFileSystem', {
      vpc: new ec2.Vpc(this, 'VPC')
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/EFSEncryptionEnabled/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as efs from 'aws-cdk-lib/aws-efs';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (EFSEncryptionEnabled, pass case): an EFS
// file system with encryption at rest explicitly enabled.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const fileSystem = new efs.FileSystem(this, 'MyEfsFileSystem', {
      vpc: new ec2.Vpc(this, 'VPC'),
      encrypted: true // the compliant setting this pass case exercises
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/EKSSecretsEncryption/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import {aws_eks as eks} from 'aws-cdk-lib';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (EKSSecretsEncryption, fail case): an L1 EKS
// cluster with no `encryptionConfig`, so Kubernetes secrets are not envelope-encrypted.
// The remaining props are placeholder strings; only the shape of the object matters here.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const cfnCluster = new eks.CfnCluster(this, 'MyCfnCluster', {
      resourcesVpcConfig: {
        subnetIds: ['subnetIds']
      },
      roleArn: 'roleArn',
      name: 'name',
      version: 'version'
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/EKSSecretsEncryption/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import {aws_eks as eks} from 'aws-cdk-lib';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (EKSSecretsEncryption, pass case): an L1 EKS
// cluster whose `encryptionConfig` covers the 'secrets' resource.
// The remaining props are placeholder strings; only the shape of the object matters here.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const cfnCluster = new eks.CfnCluster(this, 'MyCfnCluster', {
      resourcesVpcConfig: {
        subnetIds: ['subnetIds']
      },
      roleArn: 'roleArn',
      // The compliant setting this pass case exercises. No KMS provider is given
      // — presumably the check only looks at `resources`; confirm.
      encryptionConfig: [{
        resources: ['secrets']
      }],
      name: 'name',
      version: 'version'
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ELBAccessLogs/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as elb from 'aws-cdk-lib/aws-elasticloadbalancing';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ELBAccessLogs, fail case): a classic load
// balancer created without an `accessLoggingPolicy`.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const vpc = new ec2.Vpc(this, 'VPC')
    const lb = new elb.LoadBalancer(this, 'LB', {
      vpc
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ELBAccessLogs/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as elb from 'aws-cdk-lib/aws-elasticloadbalancing';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ELBAccessLogs, pass case): a classic load
// balancer with access logging enabled through `accessLoggingPolicy`.
// NOTE(review): no S3 bucket name is given for the logs — presumably the check
// only inspects `enabled`; confirm, since CloudFormation would need the bucket.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const vpc = new ec2.Vpc(this, 'VPC')
    const lb = new elb.LoadBalancer(this, 'LB', {
      vpc, accessLoggingPolicy: {
        enabled: true // the compliant setting this pass case exercises
      }
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ELBv2AccessLogs/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as s3 from 'aws-cdk-lib/aws-s3';
import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ELBv2AccessLogs, fail case): an application
// load balancer with no access logging configured (no logAccessLogs call, no logging props).
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const vpc = new ec2.Vpc(this, 'VPC')
    const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', {
      vpc
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ELBv2AccessLogs/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as s3 from 'aws-cdk-lib/aws-s3';
import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ELBv2AccessLogs, pass case): an application
// load balancer whose access logging is enabled by a method call after
// construction rather than by a constructor prop — the check must recognise
// `lb.logAccessLogs(...)`.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const vpc = new ec2.Vpc(this, 'VPC')
    // Destination bucket for the access logs; server-side encrypted with S3-managed keys.
    const loggingBucket = new s3.Bucket(this, 'loggingBucket', {
      encryption: s3.BucketEncryption.S3_MANAGED,
    });
    const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', {
      vpc
    });
    // The compliant configuration this pass case exercises.
    lb.logAccessLogs(loggingBucket);
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtRest/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import {aws_elasticache as elasticache} from 'aws-cdk-lib';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ElasticacheReplicationGroupEncryptionAtRest,
// fail case): a replication group with no `atRestEncryptionEnabled` prop.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', {
      replicationGroupDescription: 'replicationGroupDescription',
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtRest/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import {aws_elasticache as elasticache} from 'aws-cdk-lib';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ElasticacheReplicationGroupEncryptionAtRest,
// pass case): a replication group with encryption at rest enabled.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', {
      replicationGroupDescription: 'replicationGroupDescription',
      atRestEncryptionEnabled: true, // the compliant setting this pass case exercises
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransit/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import {aws_elasticache as elasticache} from 'aws-cdk-lib';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ElasticacheReplicationGroupEncryptionAtTransit,
// fail case): a replication group with no `transitEncryptionEnabled` prop.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', {
      replicationGroupDescription: 'replicationGroupDescription',
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransit/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import {aws_elasticache as elasticache} from 'aws-cdk-lib';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ElasticacheReplicationGroupEncryptionAtTransit,
// pass case): a replication group with in-transit encryption enabled.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', {
      replicationGroupDescription: 'replicationGroupDescription',
      transitEncryptionEnabled: true // the compliant setting this pass case exercises
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import {aws_elasticache as elasticache} from 'aws-cdk-lib';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ElasticacheReplicationGroupEncryptionAtTransitAuthToken,
// fail case): a replication group with neither `transitEncryptionEnabled` nor `authToken`.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', {
      replicationGroupDescription: 'replicationGroupDescription',
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import {aws_elasticache as elasticache} from 'aws-cdk-lib';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ElasticacheReplicationGroupEncryptionAtTransitAuthToken,
// pass case): in-transit encryption enabled together with an auth token.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', {
      replicationGroupDescription: 'replicationGroupDescription',
      transitEncryptionEnabled: true,
      // Placeholder literal for the fixture; a real stack would resolve the
      // token from a secret store rather than a string in source.
      authToken: 'token'
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass_2.ts
================================================
import * as cdk from 'aws-cdk-lib';
import {aws_elasticache as elasticache} from 'aws-cdk-lib';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ElasticacheReplicationGroupEncryptionAtTransitAuthToken,
// pass case): same props as pass.ts with `authToken` and `transitEncryptionEnabled`
// in the opposite order, so the check must not depend on key order.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', {
      replicationGroupDescription: 'replicationGroupDescription',
      // Placeholder literal for the fixture; a real stack would resolve the
      // token from a secret store rather than a string in source.
      authToken: 'token',
      transitEncryptionEnabled: true,
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as es from 'aws-cdk-lib/aws-elasticsearch';
import * as opensearch from 'aws-cdk-lib/aws-opensearchservice';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ElasticsearchDomainEnforceHTTPS, fail case):
// an Elasticsearch domain created without `enforceHttps`.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const domain = new es.Domain(this, 'Domain', {
      version: es.ElasticsearchVersion.V7_4
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/fail_2.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as opensearch from 'aws-cdk-lib/aws-opensearchservice';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ElasticsearchDomainEnforceHTTPS, fail case):
// the same omission on an OpenSearch Service domain.
// NOTE(review): `es` is never imported in this file (only `cdk`, `opensearch`
// and `Construct` are), so as TypeScript this does not compile; presumably
// tolerated because the scanner parses rather than compiles. `opensearch.Domain`
// takes an `opensearch.EngineVersion` — confirm and adjust if the fixture should
// be compilable.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const domain = new opensearch.Domain(this, 'Domain', {
      version: es.ElasticsearchVersion.V7_4
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as es from 'aws-cdk-lib/aws-elasticsearch';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ElasticsearchDomainEnforceHTTPS, pass case):
// an Elasticsearch domain that requires HTTPS for all traffic.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const domain = new es.Domain(this, 'Domain', {
      version: es.ElasticsearchVersion.V7_4,
      enforceHttps: true // the compliant setting this pass case exercises
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/pass_2.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as opensearch from 'aws-cdk-lib/aws-opensearchservice';
import {Construct} from 'constructs';
// Checkov CDK integration fixture (ElasticsearchDomainEnforceHTTPS, pass case):
// the same compliant setting on an OpenSearch Service domain.
// NOTE(review): `es` is never imported in this file (only `cdk`, `opensearch`
// and `Construct` are), so as TypeScript this does not compile; presumably
// tolerated because the scanner parses rather than compiles. `opensearch.Domain`
// takes an `opensearch.EngineVersion` — confirm and adjust if the fixture should
// be compilable.
export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const domain = new opensearch.Domain(this, 'Domain', {
      version: es.ElasticsearchVersion.V7_4,
      enforceHttps: true // the compliant setting this pass case exercises
    });
  }
}
// Synthesize one stack so the fixture is a complete CDK app.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/fail.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as es from 'aws-cdk-lib/aws-elasticsearch';
import * as opensearch from 'aws-cdk-lib/aws-opensearchservice';
import {Construct} from 'constructs';
// Fixture expected to FAIL ElasticsearchDomainLogging: the legacy
// aws-elasticsearch Domain configures no `logging` option at all.
export class exampleStack extends cdk.Stack {
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
const domain = new es.Domain(this, 'Domain', {
version: es.ElasticsearchVersion.V7_4
});
}
}
// Standard CDK entry point for the fixture: build the stack inside an App and synthesize it.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/fail_2.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as opensearch from 'aws-cdk-lib/aws-opensearchservice';
import {Construct} from 'constructs';
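// Fixture expected to FAIL ElasticsearchDomainLogging: the OpenSearch Service
// Domain configures no `logging` option at all.
export class exampleStack extends cdk.Stack {
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
// This file only imports `opensearch`; `es.ElasticsearchVersion.V7_4` was an
// unresolved name, so the equivalent engine version from the opensearchservice
// module is used instead. The check only looks at `logging`.
const domain = new opensearch.Domain(this, 'Domain', {
version: opensearch.EngineVersion.ELASTICSEARCH_7_4
});
}
}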
// Standard CDK entry point for the fixture: build the stack inside an App and synthesize it.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as es from 'aws-cdk-lib/aws-elasticsearch';
import {Construct} from 'constructs';
// Fixture expected to PASS ElasticsearchDomainLogging: the legacy
// aws-elasticsearch Domain enables application logs via `logging.appLogEnabled`.
export class exampleStack extends cdk.Stack {
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
const domain = new es.Domain(this, 'Domain', {
version: es.ElasticsearchVersion.V7_4,
logging: {
appLogEnabled: true
}
});
}
}
// Standard CDK entry point for the fixture: build the stack inside an App and synthesize it.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/pass_2.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as opensearch from 'aws-cdk-lib/aws-opensearchservice';
import {Construct} from 'constructs';
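// Fixture expected to PASS ElasticsearchDomainLogging: the OpenSearch Service
// Domain enables application logs via `logging.appLogEnabled`.
export class exampleStack extends cdk.Stack {
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
// This file only imports `opensearch`; `es.ElasticsearchVersion.V7_4` was an
// unresolved name, so the equivalent engine version from the opensearchservice
// module is used instead. The check only looks at `logging`.
const domain = new opensearch.Domain(this, 'Domain', {
version: opensearch.EngineVersion.ELASTICSEARCH_7_4,
logging: {
appLogEnabled: true
}
});
}
}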
// Standard CDK entry point for the fixture: build the stack inside an App and synthesize it.
const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/ElasticsearchEncryption/fail.ts
================================================
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import {aws_elasticsearch as elasticsearch} from 'aws-cdk-lib';
// Fixtures expected to FAIL ElasticsearchEncryption: encryption at rest is
// explicitly disabled, once with and once without a KMS key id. Supplying a
// key id does not by itself turn encryption on.
const encryptionAtRestOptionsProperty1: elasticsearch.CfnDomain.EncryptionAtRestOptionsProperty = {
enabled: false,
kmsKeyId: 'kmsKeyId',
};
let encryptionAtRestOptionsProperty2: elasticsearch.CfnDomain.EncryptionAtRestOptionsProperty = {
enabled: false,
};
================================================
FILE: cdk_integration_tests/src/typescript/ElasticsearchEncryption/fail2.ts
================================================
import {aws_elasticsearch as elasticsearch} from 'aws-cdk-lib';
// Fixtures expected to FAIL ElasticsearchEncryption: both CfnDomain resources set
// `encryptionAtRestOptions.enabled` to false.
// NOTE: both constructs reuse the construct id 'MyElasticsearchDomain'. That is
// harmless for a static-scan fixture but CDK rejects duplicate ids in a real stack.
const domain = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {
encryptionAtRestOptions: {
enabled: false, // encryption at rest disabled -> fails the check
kmsKeyId: 'your-KMS-key-ID', // a key id alone does not enable encryption
}
});
const domain2 = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {
encryptionAtRestOptions: {
enabled: false, // encryption at rest disabled -> fails the check
}
});
================================================
FILE: cdk_integration_tests/src/typescript/ElasticsearchEncryption/pass.ts
================================================
import * as cdk from 'aws-cdk-lib';
import * as elasticsearch from 'aws-cdk-lib/aws-elasticsearch';
// Fixtures expected to PASS ElasticsearchEncryption: encryption at rest is
// enabled on both CfnDomain resources (with and without an explicit KMS key)
// and on a bare EncryptionAtRestOptionsProperty literal.
const domain = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {
encryptionAtRestOptions: {
enabled: true, // Enable encryption at rest
kmsKeyId: 'your-KMS-key-ID', // Specify your KMS key ID
},
});
const domain3 = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {
encryptionAtRestOptions: {
enabled: true, // Enable encryption at rest (AWS-owned key when no kmsKeyId is given)
}
});
const encryptionAtRestOptionsProperty3: elasticsearch.CfnDomain.EncryptionAtRestOptionsProperty = {
enabled: true,
};
================================================
FILE: cdk_integration_tests/src/typescript/ElasticsearchNodeToNodeEncryption/fail.ts
================================================
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import { aws_elasticsearch as elasticsearch } from 'aws-cdk-lib';
// Fixtures expected to FAIL ElasticsearchNodeToNodeEncryption: node-to-node
// (in-transit) encryption is explicitly disabled.
// NOTE: the variable names say "encryptionAtRest" but the type is
// NodeToNodeEncryptionOptionsProperty; they were copied from the at-rest fixture.
const encryptionAtRestOptionsProperty1: elasticsearch.CfnDomain.NodeToNodeEncryptionOptionsProperty = {
enabled: false,
};
let encryptionAtRestOptionsProperty2: elasticsearch.CfnDomain.NodeToNodeEncryptionOptionsProperty = {
enabled: false,
};
================================================
FILE: cdk_integration_tests/src/typescript/ElasticsearchNodeToNodeEncryption/fail2.ts
================================================
import { aws_elasticsearch as elasticsearch } from 'aws-cdk-lib';
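// Fixtures expected to FAIL ElasticsearchNodeToNodeEncryption: both CfnDomain
// resources set `nodeToNodeEncryptionOptions.enabled` to false.
// NOTE: both constructs reuse the construct id 'MyElasticsearchDomain'. That is
// harmless for a static-scan fixture but CDK rejects duplicate ids in a real stack.
const domain = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {
nodeToNodeEncryptionOptions: {
// NodeToNodeEncryptionOptions carries only `enabled`; the `kmsKeyId` that had
// been copied over from the encryption-at-rest fixture is not a valid key here
// and was dropped. The check only inspects `enabled`.
enabled: false, // node-to-node (in-transit) encryption disabled -> fails the check
}
});
const domain2 = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {
nodeToNodeEncryptionOptions: {
enabled: false, // node-to-node (in-transit) encryption disabled -> fails the check
}
});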
================================================
FILE: cdk_integration_tests/src/typescript/ElasticsearchNodeToNodeEncryption/pass.ts
================================================
import { aws_elasticsearch as elasticsearch } from 'aws-cdk-lib';
// Fixtures expected to PASS ElasticsearchNodeToNodeEncryption: node-to-node
// (in-transit) encryption is enabled on both CfnDomain resources and on a bare
// NodeToNodeEncryptionOptionsProperty literal.
// NOTE: `encryptionAtRestOptionsProperty3` is misnamed; it is a node-to-node option.
const domain = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {
nodeToNodeEncryptionOptions: {
enabled: true, // node-to-node encryption enabled
},
});
const domain3 = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {
nodeToNodeEncryptionOptions: {
enabled: true, // node-to-node encryption enabled
}
});
const encryptionAtRestOptionsProperty3: elasticsearch.CfnDomain.NodeToNodeEncryptionOptionsProperty = {
enabled: true,
};
================================================
FILE: cdk_integration_tests/src/typescript/GlueDataCatalogEncryption/fail.ts
================================================
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import {aws_glue as glue} from 'aws-cdk-lib';
// Fixtures expected to FAIL GlueDataCatalogEncryption.
// Case 1: connection passwords are returned unencrypted AND catalog encryption
// at rest is DISABLED (a KMS key id is present but unused in that mode).
const cfnDataCatalogEncryptionSettingsProps1: glue.CfnDataCatalogEncryptionSettingsProps = {
catalogId: 'catalogId',
dataCatalogEncryptionSettings: {
connectionPasswordEncryption: {
kmsKeyId: 'kmsKeyId',
returnConnectionPasswordEncrypted: false,
},
encryptionAtRest: {
catalogEncryptionMode: 'DISABLED',
catalogEncryptionServiceRole: 'catalogEncryptionServiceRole',
sseAwsKmsKeyId: 'sseAwsKmsKeyId',
},
},
};
// Case 2: `encryptionAtRest` is placed as a sibling of
// `dataCatalogEncryptionSettings` instead of inside it, so the settings block
// carries no at-rest encryption at all.
// NOTE(review): this may be a copy/paste slip rather than a deliberate
// "missing block" case; confirm which shape the check is meant to exercise.
let cfnDataCatalogEncryptionSettingsProps2: glue.CfnDataCatalogEncryptionSettingsProps = {
catalogId: 'catalogId',
dataCatalogEncryptionSettings: {
connectionPasswordEncryption: {
returnConnectionPasswordEncrypted: true,
},
},
encryptionAtRest: {
catalogEncryptionMode: 'DISABLED',
catalogEncryptionServiceRole: 'catalogEncryptionServiceRole',
sseAwsKmsKeyId: 'sseAwsKmsKeyId',
},
};
================================================
FILE: cdk_integration_tests/src/typescript/GlueDataCatalogEncryption/fail2.ts
================================================
import { aws_glue as glue } from 'aws-cdk-lib';
// Fixtures expected to FAIL GlueDataCatalogEncryption; each resource fails on
// exactly one of the two settings so both branches of the check are covered.
// Case 1: at-rest mode is SSE-KMS but connection passwords are returned unencrypted.
const cfnDataCatalogEncryptionSettings = new glue.CfnDataCatalogEncryptionSettings(this, 'MyCfnDataCatalogEncryptionSettings', {
catalogId: 'catalogId',
dataCatalogEncryptionSettings: {
connectionPasswordEncryption: {
kmsKeyId: 'kmsKeyId',
returnConnectionPasswordEncrypted: false,
},
encryptionAtRest: {
catalogEncryptionMode: 'SSE-KMS',
catalogEncryptionServiceRole: 'catalogEncryptionServiceRole',
sseAwsKmsKeyId: 'sseAwsKmsKeyId',
},
},
});
// Case 2: connection passwords are encrypted but at-rest mode is DISABLED.
const cfnDataCatalogEncryptionSettings2 = new glue.CfnDataCatalogEncryptionSettings(this, 'MyCfnDataCatalogEncryptionSettings', {
catalogId: 'catalogId',
dataCatalogEncryptionSettings: {
connectionPasswordEncryption: {
returnConnectionPasswordEncrypted: true,
},
encryptionAtRest: {
catalogEncryptionMode: 'DISABLED',
catalogEncryptionServiceRole: 'catalogEncryptionServiceRole',
sseAwsKmsKeyId: 'sseAwsKmsKeyId',
},
},
});
================================================
FILE: cdk_integration_tests/src/typescript/GlueDataCatalogEncryption/pass.ts
================================================
import { aws_glue as glue } from 'aws-cdk-lib';
// Fixtures expected to PASS GlueDataCatalogEncryption: connection passwords are
// returned encrypted AND the catalog is encrypted at rest with SSE-KMS, both as a
// construct and as a bare props literal.
const cfnDataCatalogEncryptionSettings = new glue.CfnDataCatalogEncryptionSettings(this, 'MyCfnDataCatalogEncryptionSettings', {
catalogId: 'catalogId',
dataCatalogEncryptionSettings: {
connectionPasswordEncryption: {
kmsKeyId: 'kmsKeyId',
returnConnectionPasswordEncrypted: true,
},
encryptionAtRest: {
catalogEncryptionMode: "SSE-KMS",
catalogEncryptionServiceRole: 'catalogEncryptionServiceRole',
sseAwsKmsKeyId: 'sseAwsKmsKeyId',
},
},
});
const cfnDataCatalogEncryptionSettingsProps: glue.CfnDataCatalogEncryptionSettingsProps = {
catalogId: 'catalogId',
dataCatalogEncryptionSettings: {
connectionPasswordEncryption: {
kmsKeyId: 'kmsKeyId',
returnConnectionPasswordEncrypted: true,
},
encryptionAtRest: {
catalogEncryptionMode : "SSE-KMS",
catalogEncryptionServiceRole: 'catalogEncryptionServiceRole',
sseAwsKmsKeyId: 'sseAwsKmsKeyId',
},
},
};
================================================
FILE: cdk_integration_tests/src/typescript/GlueSecurityConfiguration/fail.ts
================================================
import { aws_glue as glue } from 'aws-cdk-lib';
// Fixtures expected to FAIL GlueSecurityConfiguration, as bare props literals.
// The pass fixture in this directory uses CloudWatch SSE-KMS, job bookmarks
// CSE-KMS and an S3 entry with both an s3EncryptionMode and a kmsKeyArn; each
// case below deviates from that in at least one place.
// NOTE(review): the Glue API spells the disabled mode `DISABLED`; the `DISABLE`
// used throughout still fails the check but is not a value AWS accepts, so a
// fixture mirroring the real enum would be more faithful.
// Case 1: job bookmarks not encrypted; no S3 encryption entries at all.
const cfnSecurityConfigurationProps1: glue.CfnSecurityConfigurationProps = {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'SSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'DISABLE',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [],
},
name: 'name',
};
// Case 2: job bookmarks not encrypted; S3 uses SSE-S3.
const cfnSecurityConfigurationProps2: glue.CfnSecurityConfigurationProps = {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'SSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'DISABLE',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{ s3EncryptionMode: "SSE-S3" }],
},
name: 'name',
};
// Case 3: job bookmarks not encrypted; S3 uses SSE-KMS.
const cfnSecurityConfigurationProps3: glue.CfnSecurityConfigurationProps = {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'SSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'DISABLE',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{ s3EncryptionMode: "SSE-KMS" }],
},
name: 'name',
};
// Case 4: job bookmarks and S3 both not encrypted.
const cfnSecurityConfigurationProps4: glue.CfnSecurityConfigurationProps = {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'SSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'DISABLE',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{ s3EncryptionMode: "DISABLE" }],
},
name: 'name',
};
// Case 5: CloudWatch logs and S3 both not encrypted.
const cfnSecurityConfigurationProps5: glue.CfnSecurityConfigurationProps = {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'DISABLE',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'CSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{ s3EncryptionMode: "DISABLE" }],
},
name: 'name',
};
// Case 6: CloudWatch logs not encrypted; S3 uses SSE-S3.
const cfnSecurityConfigurationProps6: glue.CfnSecurityConfigurationProps = {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'DISABLE',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'CSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{ s3EncryptionMode: "SSE-S3" }],
},
name: 'name',
};
// Case 7: CloudWatch logs not encrypted; S3 uses SSE-KMS.
const cfnSecurityConfigurationProps7: glue.CfnSecurityConfigurationProps = {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'DISABLE',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'CSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{ s3EncryptionMode: "SSE-KMS" }],
},
name: 'name',
};
// Case 8: only S3 is not encrypted.
const cfnSecurityConfigurationProps8: glue.CfnSecurityConfigurationProps = {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'SSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'CSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{ s3EncryptionMode: "DISABLE" }],
},
name: 'name',
};
// Case 9: every mode matches the pass fixture; the only difference is that the
// S3 entry has no `kmsKeyArn`.
// NOTE(review): this case passes only if the check requires a kmsKeyArn alongside
// SSE-KMS for S3 -- confirm that is the intended rule.
const cfnSecurityConfigurationProps9: glue.CfnSecurityConfigurationProps = {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'SSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'CSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{ s3EncryptionMode: "SSE-KMS" }],
},
name: 'name',
};
// Case 10: as case 9 but with SSE-S3, again lacking `kmsKeyArn`.
// NOTE(review): SSE-S3 does not use a customer KMS key, so requiring a kmsKeyArn
// here would be surprising -- confirm the check's intent.
const cfnSecurityConfigurationProps10: glue.CfnSecurityConfigurationProps = {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'SSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'CSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{ s3EncryptionMode: "SSE-S3" }],
},
name: 'name',
};
================================================
FILE: cdk_integration_tests/src/typescript/GlueSecurityConfiguration/fail2.ts
================================================
import { aws_glue as glue } from 'aws-cdk-lib';
// Fixtures expected to FAIL GlueSecurityConfiguration, as CfnSecurityConfiguration
// constructs. Same ten cases as fail.ts; see the notes there about `DISABLE` vs the
// Glue API's `DISABLED`, and about cases 9 and 10 differing from the pass fixture
// only by the missing S3 `kmsKeyArn`.
// NOTE: every construct reuses the id 'MyCfnSecurityConfiguration'; harmless for a
// static-scan fixture, rejected by CDK in a real stack.
// Case 1: job bookmarks not encrypted; no S3 encryption entries at all.
const cfnSecurityConfiguration1 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'SSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'DISABLE',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [],
},
name: 'name',
});
// Case 2: job bookmarks not encrypted; S3 uses SSE-S3.
const cfnSecurityConfiguration2 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'SSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'DISABLE',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{ s3EncryptionMode: "SSE-S3" }],
},
name: 'name',
});
// Case 3: job bookmarks not encrypted; S3 uses SSE-KMS.
const cfnSecurityConfiguration3 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'SSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'DISABLE',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{ s3EncryptionMode: "SSE-KMS" }],
},
name: 'name',
});
// Case 4: job bookmarks and S3 both not encrypted.
const cfnSecurityConfiguration4 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'SSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'DISABLE',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{ s3EncryptionMode: "DISABLE" }],
},
name: 'name',
});
// Case 5: CloudWatch logs and S3 both not encrypted.
const cfnSecurityConfiguration5 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'DISABLE',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'CSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{ s3EncryptionMode: "DISABLE" }],
},
name: 'name',
});
// Case 6: CloudWatch logs not encrypted; S3 uses SSE-S3.
const cfnSecurityConfiguration6 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'DISABLE',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'CSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{ s3EncryptionMode: "SSE-S3" }],
},
name: 'name',
});
// Case 7: CloudWatch logs not encrypted; S3 uses SSE-KMS.
const cfnSecurityConfiguration7 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'DISABLE',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'CSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{ s3EncryptionMode: "SSE-KMS" }],
},
name: 'name',
});
// Case 8: only S3 is not encrypted.
const cfnSecurityConfiguration8 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'SSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'CSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{ s3EncryptionMode: "DISABLE" }],
},
name: 'name',
});
// Case 9: all modes match the pass fixture; only the S3 `kmsKeyArn` is missing.
const cfnSecurityConfiguration9 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'SSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'CSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{ s3EncryptionMode: "SSE-KMS" }],
},
name: 'name',
});
// Case 10: as case 9 with SSE-S3, again without an S3 `kmsKeyArn`.
const cfnSecurityConfiguration10 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'SSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'CSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{ s3EncryptionMode: "SSE-S3" }],
},
name: 'name',
});
================================================
FILE: cdk_integration_tests/src/typescript/GlueSecurityConfiguration/pass.ts
================================================
import { aws_glue as glue } from 'aws-cdk-lib';
// Fixtures expected to PASS GlueSecurityConfiguration: CloudWatch logs use SSE-KMS,
// job bookmarks use CSE-KMS, and the S3 entry names both a mode and a kmsKeyArn
// (SSE-KMS in the first construct, SSE-S3 in the second).
const cfnSecurityConfiguration = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'SSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'CSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{
kmsKeyArn: 'kmsKeyArn',
s3EncryptionMode: 'SSE-KMS',
}],
},
name: 'name',
});
const cfnSecurityConfiguration2 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {
encryptionConfiguration: {
cloudWatchEncryption: {
cloudWatchEncryptionMode: 'SSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
jobBookmarksEncryption: {
jobBookmarksEncryptionMode: 'CSE-KMS',
kmsKeyArn: 'kmsKeyArn',
},
s3Encryptions: [{
kmsKeyArn: 'kmsKeyArn',
s3EncryptionMode: 'SSE-S3',
}],
},
name: 'name',
});
// A Data Catalog encryption settings literal, not a security configuration;
// presumably present to confirm the check ignores unrelated Glue resources.
const cfnDataCatalogEncryptionSettingsProps: glue.CfnDataCatalogEncryptionSettingsProps = {
catalogId: 'catalogId',
dataCatalogEncryptionSettings: {
connectionPasswordEncryption: {
kmsKeyId: 'kmsKeyId',
returnConnectionPasswordEncrypted: true,
},
encryptionAtRest: {
catalogEncryptionMode : "SSE-KMS",
catalogEncryptionServiceRole: 'catalogEncryptionServiceRole',
sseAwsKmsKeyId: 'sseAwsKmsKeyId',
},
},
};
================================================
FILE: cdk_integration_tests/src/typescript/GlueSecurityConfigurationEnabled/fail.ts
================================================
import { aws_glue as glue } from 'aws-cdk-lib';
// Fixtures expected to FAIL GlueSecurityConfigurationEnabled: a crawler, a dev
// endpoint and a job, none of which references a Glue security configuration.
const cfnSecurityConfigurationProps1: glue.CfnCrawlerProps = {
name: 'name',
};
const cfnSecurityConfigurationProps2: glue.CfnDevEndpointProps = {
name: 'name',
};
const cfnSecurityConfigurationProps3: glue.CfnJobProps = {
name: 'name',
};
================================================
FILE: cdk_integration_tests/src/typescript/GlueSecurityConfigurationEnabled/fail2.ts
================================================
import { aws_glue as glue } from 'aws-cdk-lib';
// Fixtures expected to FAIL GlueSecurityConfigurationEnabled: crawler, dev endpoint
// and job constructs with no security configuration attached.
const cfnSecurityConfiguration1 = new glue.CfnCrawler(this, 'MyCfnSecurityConfiguration', {
name: 'name',
});
const cfnSecurityConfiguration2 = new glue.CfnDevEndpoint(this, 'MyCfnSecurityConfiguration', {
name: 'name',
});
const cfnSecurityConfiguration3 = new glue.CfnJob(this, 'MyCfnSecurityConfiguration', {
name: 'name',
});
================================================
FILE: cdk_integration_tests/src/typescript/GlueSecurityConfigurationEnabled/pass.ts
================================================
import {aws_glue as glue} from 'aws-cdk-lib';
// Fixtures expected to PASS GlueSecurityConfigurationEnabled: every resource names
// a security configuration. Note the crawler's property is
// `crawlerSecurityConfiguration`, whereas dev endpoints and jobs use
// `securityConfiguration`.
const cfnSecurityConfiguration1 = new glue.CfnCrawler(this, 'MyCfnSecurityConfiguration', {
crawlerSecurityConfiguration: 'securityConfiguration',
name: 'name',
});
const cfnSecurityConfiguration2 = new glue.CfnDevEndpoint(this, 'MyCfnSecurityConfiguration', {
securityConfiguration: 'securityConfiguration',
name: 'name',
});
const cfnSecurityConfiguration3 = new glue.CfnJob(this, 'MyCfnSecurityConfiguration', {
securityConfiguration: 'securityConfiguration',
name: 'name',
});
const cfnSecurityConfigurationProps1: glue.CfnCrawlerProps = {
name: 'name',
crawlerSecurityConfiguration: 'securityConfiguration',
};
const cfnSecurityConfigurationProps2: glue.CfnDevEndpointProps = {
name: 'name',
securityConfiguration: 'securityConfiguration',
};
const cfnSecurityConfigurationProps3: glue.CfnJobProps = {
name: 'name',
securityConfiguration: 'securityConfiguration',
};
================================================
FILE: cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/fail.ts
================================================
import { aws_iam as iam } from 'aws-cdk-lib';
// Fixture expected to FAIL IAMPolicyAttachedToGroupOrRoles: the policy is attached
// directly to a user via `users`, bypassing group/role-based access management.
const cfnSecurityConfigurationProps1: iam.PolicyProps = {
statements: [{}],
users: [{}]
};
================================================
FILE: cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/fail2.ts
================================================
import { aws_iam as iam } from 'aws-cdk-lib';
// Fixtures expected to FAIL IAMPolicyAttachedToGroupOrRoles. Policy `a` is bound
// to a user through the `users` prop; `b` and `c` are created without users and
// then bound with `attachToUser(...)`, so the check must follow method calls too.
const a = new iam.Policy(this, 'userpool-policy', {
statements: [new iam.PolicyStatement({
actions: ['cognito-idp:DescribeUserPool'],
resources: ['Arn'],
})],
users: ['sdsd']
});
const b = new iam.Policy(this, 'userpool-policy', {
statements: [new iam.PolicyStatement({
actions: ['cognito-idp:DescribeUserPool'],
resources: ['Arn'],
})],
});
// Leftover debug output; unrelated to the check and safe to remove.
console.log('dsd')
b.attachToUser({})
const c = new iam.Policy(this, 'userpool-policy', {
statements: [new iam.PolicyStatement({
actions: ['cognito-idp:DescribeUserPool'],
resources: ['Arn'],
})],
});
c.attachToUser({})
================================================
FILE: cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/pass.ts
================================================
import { aws_iam as iam } from 'aws-cdk-lib';
// Fixtures expected to PASS IAMPolicyAttachedToGroupOrRoles: neither the construct
// nor the props literal attaches the policy to a user.
const a = new iam.Policy(this, 'userpool-policy', {
statements: [new iam.PolicyStatement({
actions: ['cognito-idp:DescribeUserPool'],
resources: ['Arn'],
})],
});
const cfnSecurityConfigurationProps1: iam.PolicyProps = {
statements: [new iam.PolicyStatement({
actions: ['cognito-idp:DescribeUserPool'],
resources: ['Arn'],
})],
};
================================================
FILE: cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/fail.ts
================================================
import { aws_kinesis as kinesis } from 'aws-cdk-lib';
// Fixtures expected to FAIL KinesisStreamEncryptionType: one stream sets an
// encryption type other than KMS, the other has no `streamEncryption` at all.
// NOTE(review): "None" is not a value CloudFormation accepts for EncryptionType
// (only KMS is); it serves here only as a non-KMS value.
const cfnSecurityConfigurationProps1: kinesis.CfnStreamProps = {
streamEncryption: { encryptionType: "None", keyId: "dfdf"},
name: 'name',
};
const cfnSecurityConfigurationProps2: kinesis.CfnStreamProps = {
name: 'name',
};
================================================
FILE: cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/fail2.ts
================================================
import { aws_kinesis as kinesis } from 'aws-cdk-lib';
// Fixtures expected to FAIL KinesisStreamEncryptionType, as constructs: a non-KMS
// encryption type, and a stream with no `streamEncryption` at all.
const cfnSecurityConfiguration1 = new kinesis.CfnStream(this, 'MyCfnSecurityConfiguration', {
streamEncryption: { encryptionType: "None", keyId: "dfdf"},
name: 'name',
});
const cfnSecurityConfiguration2 = new kinesis.CfnStream(this, 'MyCfnSecurityConfiguration', {
name: 'name',
});
================================================
FILE: cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/pass.ts
================================================
import { aws_kinesis as kinesis } from 'aws-cdk-lib';
// Fixture expected to PASS KinesisStreamEncryptionType: server-side encryption
// with a KMS key is configured on the stream.
const cfnSecurityConfigurationProps1: kinesis.CfnStreamProps = {
streamEncryption: { encryptionType: "KMS", keyId: "dfdf"},
name: 'name',
};
================================================
FILE: cdk_integration_tests/src/typescript/LambdaDLQConfigured/fail.ts
================================================
import { aws_lambda as lambda } from 'aws-cdk-lib';
import { aws_sam as sam } from 'aws-cdk-lib';
// Fixtures expected to FAIL LambdaDLQConfigured: none of the three function shapes
// (L2 Function, L1 CfnFunction, SAM CfnFunction) configures a dead-letter target.
// NOTE(review): `cfnSecurityConfigurationProps1` is declared twice in this module,
// which TypeScript rejects as a redeclaration; the static scan does not mind, but
// the second one should be renamed (e.g. `...Props2`, with the SAM one `...Props3`
// as in the sibling Lambda fixtures) if these files are ever type-checked.
const cfnSecurityConfigurationProps1: lambda.FunctionProps = {
name: 'name',
role: "",
};
const cfnSecurityConfigurationProps1: lambda.CfnFunctionProps = {
name: 'name',
role: "",
};
const cfnSecurityConfigurationProps2: sam.CfnFunctionProps = {
name: 'name',
};
================================================
FILE: cdk_integration_tests/src/typescript/LambdaDLQConfigured/fail2.ts
================================================
import { aws_lambda as lambda } from 'aws-cdk-lib';
import { aws_sam as sam } from 'aws-cdk-lib';
// Fixtures expected to FAIL LambdaDLQConfigured, as constructs: no dead-letter
// queue/config on the L2 Function, the L1 CfnFunction or the SAM CfnFunction.
const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
});
const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
});
const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
});
================================================
FILE: cdk_integration_tests/src/typescript/LambdaDLQConfigured/pass.ts
================================================
import {aws_lambda as lambda} from 'aws-cdk-lib';
import {aws_sam as sam} from 'aws-cdk-lib';
// Fixtures expected to PASS LambdaDLQConfigured. Each function shape uses its own
// dead-letter property: `deadLetterQueue`/`deadLetterQueueEnabled` on the L2
// Function, `deadLetterConfig` on the L1 CfnFunction, `deadLetterQueue` on SAM.
// NOTE(review): `cfnSecurityConfiguration2` is declared twice in this module (a
// TypeScript redeclaration error); the SAM one should be `cfnSecurityConfiguration3`
// to match fail2.ts.
const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
deadLetterQueue: {},
deadLetterQueueEnabled: true,
});
const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
deadLetterConfig: {},
});
const cfnSecurityConfiguration2 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
deadLetterQueue: {},
});
================================================
FILE: cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/fail.ts
================================================
import {aws_lambda as lambda} from 'aws-cdk-lib';
import {aws_sam as sam} from 'aws-cdk-lib';
// Fixtures expected to FAIL LambdaEnvironmentCredentials: each function shape
// defines environment variables without any environment encryption key.
// NOTE(review): no credential-looking values appear here, and this file is
// byte-identical to LambdaEnvironmentEncryptionSettings/fail.ts; confirm the
// credentials check is really exercised rather than the encryption one.
const cfnSecurityConfigurationProps1: lambda.FunctionProps = {
name: 'name',
role: "",
environment: {
"bla": "bla",
}
};
const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {
name: 'name',
role: "",
environment: {
variables: {
"bla": "bla",
}
}
};
const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {
name: 'name',
environment: {
variables: {
bla: "bla",
}
}
};
================================================
FILE: cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/fail2.ts
================================================
import { aws_lambda as lambda } from 'aws-cdk-lib';
import { aws_sam as sam } from 'aws-cdk-lib';
// Fixtures expected to FAIL LambdaEnvironmentCredentials, as constructs: environment
// variables are set with no `environmentEncryption` / `kmsKeyArn`.
// NOTE(review): identical in content to LambdaEnvironmentEncryptionSettings/fail2.ts;
// confirm it targets the intended check.
const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
"bla": "bla",
}
});
const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
variables: {
"bla": "bla",
}
}
});
const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
variables: {
bla: "bla",
}
}
});
================================================
FILE: cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/pass.ts
================================================
import {aws_lambda as lambda} from 'aws-cdk-lib';
import {aws_sam as sam} from 'aws-cdk-lib';
// Fixtures expected to PASS LambdaEnvironmentCredentials: the same environment
// variables as the fail fixtures, but every function shape now names an
// encryption key -- `environmentEncryption` on the L2 Function, `kmsKeyArn` on the
// L1 CfnFunction and on SAM -- for both constructs and bare props literals.
const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
"bla": "bla",
},
environmentEncryption: {}
});
const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
variables: {
"bla": "bla",
}
},
kmsKeyArn: "arn"
});
const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
variables: {
bla: "bla",
}
},
kmsKeyArn: "arn"
});
const cfnSecurityConfigurationProps1: lambda.FunctionProps = {
name: 'name',
role: "",
environment: {
"bla": "bla",
},
environmentEncryption: {}
};
const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {
name: 'name',
role: "",
environment: {
variables: {
"bla": "bla",
}
},
kmsKeyArn: "arn"
};
const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {
name: 'name',
environment: {
variables: {
bla: "bla",
}
},
kmsKeyArn: "arn"
};
================================================
FILE: cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/fail.ts
================================================
import {aws_lambda as lambda} from 'aws-cdk-lib';
import {aws_sam as sam} from 'aws-cdk-lib';
// Fixtures expected to FAIL LambdaEnvironmentEncryptionSettings: environment
// variables are defined but no customer-managed key (`environmentEncryption` /
// `kmsKeyArn`) is configured for them.
const cfnSecurityConfigurationProps1: lambda.FunctionProps = {
name: 'name',
role: "",
environment: {
"bla": "bla",
}
};
const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {
name: 'name',
role: "",
environment: {
variables: {
"bla": "bla",
}
}
};
const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {
name: 'name',
environment: {
variables: {
bla: "bla",
}
}
};
================================================
FILE: cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/fail2.ts
================================================
import { aws_lambda as lambda } from 'aws-cdk-lib';
import { aws_sam as sam } from 'aws-cdk-lib';
// Fixtures expected to FAIL LambdaEnvironmentEncryptionSettings, as constructs:
// environment variables without `environmentEncryption` / `kmsKeyArn`.
const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
"bla": "bla",
},
});
const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
variables: {
"bla": "bla",
}
}
});
const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
variables: {
bla: "bla",
}
}
});
================================================
FILE: cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/pass.ts
================================================
import {aws_lambda as lambda} from 'aws-cdk-lib';
import {aws_sam as sam} from 'aws-cdk-lib';
// Fixtures expected to PASS LambdaEnvironmentEncryptionSettings: no function
// defines any environment variables, so there is nothing that needs encrypting.
const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
});
const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
});
const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
});
const cfnSecurityConfigurationProps1: lambda.FunctionProps = {
name: 'name',
role: "",
};
const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {
name: 'name',
role: "",
};
const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {
name: 'name',
};
================================================
FILE: cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/fail.ts
================================================
import {aws_lambda as lambda} from 'aws-cdk-lib';
import {aws_sam as sam} from 'aws-cdk-lib';
// Fixtures expected to FAIL LambdaFunctionLevelConcurrentExecutionLimit: no shape
// sets `reservedConcurrentExecutions`, so a runaway invocation burst could exhaust
// the account's unreserved concurrency. The environment blocks are incidental.
const cfnSecurityConfigurationProps1: lambda.FunctionProps = {
name: 'name',
role: "",
environment: {
"bla": "bla",
}
};
const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {
name: 'name',
role: "",
environment: {
variables: {
"bla": "bla",
}
}
};
const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {
name: 'name',
environment: {
variables: {
bla: "bla",
}
}
};
================================================
FILE: cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/fail2.ts
================================================
import { aws_lambda as lambda } from 'aws-cdk-lib';
import { aws_sam as sam } from 'aws-cdk-lib';
// Fixtures expected to FAIL LambdaFunctionLevelConcurrentExecutionLimit, as
// constructs: `reservedConcurrentExecutions` is absent on every function shape.
const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
"bla": "bla",
}
});
const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
variables: {
"bla": "bla",
}
}
});
const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
variables: {
bla: "bla",
}
}
});
================================================
FILE: cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/pass.ts
================================================
// Fixture for the LambdaFunctionLevelConcurrentExecutionLimit check — expected to
// PASS: every construct and Props literal sets `reservedConcurrentExecutions: 1`.
// `environmentEncryption` / `kmsKeyArn` are unrelated to this check and look
// like leftovers from an encryption fixture; they are harmless here.
import {aws_lambda as lambda} from 'aws-cdk-lib';
import {aws_sam as sam} from 'aws-cdk-lib';
const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
"bla": "bla",
},
environmentEncryption: {},
// Quoted (string) property key — the only such spelling of this key in the file.
"reservedConcurrentExecutions": 1,
});
const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
variables: {
"bla": "bla",
}
},
kmsKeyArn: "arn",
reservedConcurrentExecutions: 1,
});
const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
variables: {
bla: "bla",
}
},
kmsKeyArn: "arn",
reservedConcurrentExecutions: 1,
});
// Typed Props literals mirroring the three constructs above.
const cfnSecurityConfigurationProps1: lambda.FunctionProps = {
name: 'name',
role: "",
environment: {
"bla": "bla",
},
environmentEncryption: {},
reservedConcurrentExecutions: 1,
};
const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {
name: 'name',
role: "",
environment: {
variables: {
"bla": "bla",
}
},
kmsKeyArn: "arn",
reservedConcurrentExecutions: 1,
};
const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {
name: 'name',
environment: {
variables: {
bla: "bla",
}
},
kmsKeyArn: "arn",
reservedConcurrentExecutions: 1,
};
================================================
FILE: cdk_integration_tests/src/typescript/LambdaInVPC/fail.ts
================================================
// Fixture for the LambdaInVPC check — expected to FAIL: none of the typed Props
// literals below sets `vpc` (L2) or `vpcConfig` (L1 / SAM).
import {aws_lambda as lambda} from 'aws-cdk-lib';
import {aws_sam as sam} from 'aws-cdk-lib';
// L2 FunctionProps: `environment` is a flat map of variables.
const cfnSecurityConfigurationProps1: lambda.FunctionProps = {
name: 'name',
role: "",
environment: {
"bla": "bla",
}
};
// L1 CfnFunctionProps: variables nested under `environment.variables`.
const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {
name: 'name',
role: "",
environment: {
variables: {
"bla": "bla",
}
}
};
// SAM CfnFunctionProps: same nesting as the L1 Lambda construct; no `role`.
const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {
name: 'name',
environment: {
variables: {
bla: "bla",
}
}
};
================================================
FILE: cdk_integration_tests/src/typescript/LambdaInVPC/fail2.ts
================================================
// Fixture for the LambdaInVPC check — expected to FAIL: no construct below sets
// `vpc` (L2) or `vpcConfig` (L1 / SAM). `this` is an enclosing Stack not
// declared in this snippet.
import { aws_lambda as lambda } from 'aws-cdk-lib';
import { aws_sam as sam } from 'aws-cdk-lib';
// Minimal L2 Function — unlike the other two, it has no `environment` at all.
const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
});
// L1 CfnFunction with variables nested under `environment.variables`.
const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
variables: {
"bla": "bla",
}
}
});
// SAM CfnFunction: same nesting as the L1 Lambda construct.
const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
variables: {
bla: "bla",
}
}
});
================================================
FILE: cdk_integration_tests/src/typescript/LambdaInVPC/pass.ts
================================================
// Fixture for the LambdaInVPC check — expected to PASS. The three `new`
// constructs set `vpc` / `vpcConfig`; see the note on the Props literals below.
import {aws_lambda as lambda} from 'aws-cdk-lib';
import {aws_sam as sam} from 'aws-cdk-lib';
const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
"bla": "bla",
},
environmentEncryption: {},
// Quoted (string) property key — the L2 `vpc` prop spelled as a string key.
"vpc": {},
});
const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
variables: {
"bla": "bla",
}
},
kmsKeyArn: "arn",
vpcConfig: {},
});
const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
role: "",
name: 'name',
environment: {
variables: {
bla: "bla",
}
},
kmsKeyArn: "arn",
vpcConfig: {},
});
// NOTE(review): the three Props literals below carry `reservedConcurrentExecutions`
// but no `vpc` / `vpcConfig`, and are identical to the Props literals in the
// LambdaFunctionLevelConcurrentExecutionLimit pass fixture — they look copy-pasted.
// Either the check is not expected to inspect typed Props literals, or these
// should set `vpc` / `vpcConfig`; confirm against the expected results.
const cfnSecurityConfigurationProps1: lambda.FunctionProps = {
name: 'name',
role: "",
environment: {
"bla": "bla",
},
environmentEncryption: {},
reservedConcurrentExecutions: 1,
};
const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {
name: 'name',
role: "",
environment: {
variables: {
"bla": "bla",
}
},
kmsKeyArn: "arn",
reservedConcurrentExecutions: 1,
};
const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {
name: 'name',
environment: {
variables: {
bla: "bla",
}
},
kmsKeyArn: "arn",
reservedConcurrentExecutions: 1,
};
================================================
FILE: cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/fail.ts
================================================
// Fixture for the LaunchConfigurationEBSEncryption check — expected to FAIL:
// the single block-device mapping sets `ebs.encrypted: false`.
// All scalar values are placeholder strings/numbers named after their key.
import {aws_autoscaling as autoscaling} from 'aws-cdk-lib';
const cfnSecurityConfigurationProps1: autoscaling.CfnLaunchConfigurationProps = {
imageId: 'imageId',
instanceType: 'instanceType',
// the properties below are optional
associatePublicIpAddress: false,
blockDeviceMappings: [{
deviceName: 'deviceName',
// the properties below are optional
ebs: {
deleteOnTermination: false,
encrypted: false, // the property the check inspects
iops: 123,
snapshotId: 'snapshotId',
throughput: 123,
volumeSize: 123,
volumeType: 'volumeType',
},
noDevice: false,
virtualName: 'virtualName',
}],
classicLinkVpcId: 'classicLinkVpcId',
classicLinkVpcSecurityGroups: ['classicLinkVpcSecurityGroups'],
ebsOptimized: false,
iamInstanceProfile: 'iamInstanceProfile',
instanceId: 'instanceId',
instanceMonitoring: false,
kernelId: 'kernelId',
keyName: 'keyName',
launchConfigurationName: 'launchConfigurationName',
metadataOptions: {
httpEndpoint: 'httpEndpoint',
httpPutResponseHopLimit: 123,
httpTokens: 'httpTokens',
},
placementTenancy: 'placementTenancy',
ramDiskId: 'ramDiskId',
securityGroups: ['securityGroups'],
spotPrice: 'spotPrice',
userData: 'userData',
};
================================================
FILE: cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/fail2.ts
================================================
// Fixture for the LaunchConfigurationEBSEncryption check — expected to FAIL:
// both constructs set `ebs.encrypted: false`. `this` is an enclosing Stack
// not declared in this snippet.
import {aws_autoscaling as autoscaling} from 'aws-cdk-lib';
// Full block-device mapping with the required `imageId` / `instanceType`.
const cfnSecurityConfiguration1 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', {
imageId: 'imageId',
instanceType: 'instanceType',
blockDeviceMappings: [{
deviceName: 'deviceName',
// the properties below are optional
ebs: {
deleteOnTermination: false,
encrypted: false,
iops: 123,
snapshotId: 'snapshotId',
throughput: 123,
volumeSize: 123,
volumeType: 'volumeType',
},
noDevice: false,
virtualName: 'virtualName',
}],
});
// Minimal variant: only the nested key the check inspects (no `imageId`,
// `instanceType` or `deviceName`, so this is fixture input, not deployable).
const cfnSecurityConfiguration2 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', {
blockDeviceMappings: [{
ebs: {
encrypted: false,
},
}],
});
================================================
FILE: cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/pass.ts
================================================
// Fixture for the LaunchConfigurationEBSEncryption check — expected to PASS.
// Covers: `encrypted: true`; an `ebs` block with no `encrypted` key; a mapping
// with no `ebs` block; and Props with no `blockDeviceMappings` at all.
// NOTE(review): the cases without an `encrypted` key pass, so the check appears
// to flag only an explicit `encrypted: false`; an absent key leaves the volume
// on the account-level EBS default — confirm that is the intended policy.
import { aws_autoscaling as autoscaling } from 'aws-cdk-lib';
// Explicitly encrypted volume.
const cfnSecurityConfiguration1 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', {
imageId: 'imageId',
instanceType: 'instanceType',
blockDeviceMappings: [{
deviceName: 'deviceName',
// the properties below are optional
ebs: {
deleteOnTermination: false,
encrypted: true,
iops: 123,
snapshotId: 'snapshotId',
throughput: 123,
volumeSize: 123,
volumeType: 'volumeType',
},
noDevice: false,
virtualName: 'virtualName',
}],
});
// `ebs` block present but `encrypted` omitted.
const cfnSecurityConfiguration2 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', {
imageId: 'imageId',
instanceType: 'instanceType',
blockDeviceMappings: [{
deviceName: 'deviceName',
// the properties below are optional
ebs: {
deleteOnTermination: false,
iops: 123,
snapshotId: 'snapshotId',
throughput: 123,
volumeSize: 123,
volumeType: 'volumeType',
},
noDevice: false,
virtualName: 'virtualName',
}],
});
// Mapping with no `ebs` block at all.
const cfnSecurityConfiguration3 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', {
imageId: 'imageId',
instanceType: 'instanceType',
blockDeviceMappings: [{
deviceName: 'deviceName',
noDevice: false,
virtualName: 'virtualName',
}],
});
// Typed Props literal, fully populated, `encrypted: true`.
const cfnSecurityConfigurationProps1: autoscaling.CfnLaunchConfigurationProps = {
imageId: 'imageId',
instanceType: 'instanceType',
// the properties below are optional
associatePublicIpAddress: false,
blockDeviceMappings: [{
deviceName: 'deviceName',
// the properties below are optional
ebs: {
deleteOnTermination: false,
encrypted: true,
iops: 123,
snapshotId: 'snapshotId',
throughput: 123,
volumeSize: 123,
volumeType: 'volumeType',
},
noDevice: false,
virtualName: 'virtualName',
}],
classicLinkVpcId: 'classicLinkVpcId',
classicLinkVpcSecurityGroups: ['classicLinkVpcSecurityGroups'],
ebsOptimized: false,
iamInstanceProfile: 'iamInstanceProfile',
instanceId: 'instanceId',
instanceMonitoring: false,
kernelId: 'kernelId',
keyName: 'keyName',
launchConfigurationName: 'launchConfigurationName',
metadataOptions: {
httpEndpoint: 'httpEndpoint',
httpPutResponseHopLimit: 123,
httpTokens: 'httpTokens',
},
placementTenancy: 'placementTenancy',
ramDiskId: 'ramDiskId',
securityGroups: ['securityGroups'],
spotPrice: 'spotPrice',
userData: 'userData',
};
// Typed Props literal whose mapping has no `ebs` block.
const cfnSecurityConfigurationProps2: autoscaling.CfnLaunchConfigurationProps = {
imageId: 'imageId',
instanceType: 'instanceType',
// the properties below are optional
associatePublicIpAddress: false,
blockDeviceMappings: [{
deviceName: 'deviceName',
noDevice: false,
virtualName: 'virtualName',
}],
classicLinkVpcId: 'classicLinkVpcId',
classicLinkVpcSecurityGroups: ['classicLinkVpcSecurityGroups'],
ebsOptimized: false,
iamInstanceProfile: 'iamInstanceProfile',
instanceId: 'instanceId',
instanceMonitoring: false,
kernelId: 'kernelId',
keyName: 'keyName',
launchConfigurationName: 'launchConfigurationName',
metadataOptions: {
httpEndpoint: 'httpEndpoint',
httpPutResponseHopLimit: 123,
httpTokens: 'httpTokens',
},
placementTenancy: 'placementTenancy',
ramDiskId: 'ramDiskId',
securityGroups: ['securityGroups'],
spotPrice: 'spotPrice',
userData: 'userData',
};
// Typed Props literal with no `blockDeviceMappings` at all.
const cfnSecurityConfigurationProps3: autoscaling.CfnLaunchConfigurationProps = {
imageId: 'imageId',
instanceType: 'instanceType',
// the properties below are optional
associatePublicIpAddress: false,
classicLinkVpcId: 'classicLinkVpcId',
classicLinkVpcSecurityGroups: ['classicLinkVpcSecurityGroups'],
ebsOptimized: false,
iamInstanceProfile: 'iamInstanceProfile',
instanceId: 'instanceId',
instanceMonitoring: false,
kernelId: 'kernelId',
keyName: 'keyName',
launchConfigurationName: 'launchConfigurationName',
metadataOptions: {
httpEndpoint: 'httpEndpoint',
httpPutResponseHopLimit: 123,
httpTokens: 'httpTokens',
},
placementTenancy: 'placementTenancy',
ramDiskId: 'ramDiskId',
securityGroups: ['securityGroups'],
spotPrice: 'spotPrice',
userData: 'userData',
};
================================================
FILE: cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/fail.ts
================================================
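// Fixture for the NeptuneClusterStorageEncrypted check — expected to FAIL: both
// typed Props literals set `storageEncrypted: false`.
import { aws_neptune as neptune } from 'aws-cdk-lib';
// Fully populated Props literal; all scalar values are placeholders named
// after their key.
const cfnDBCluster1: neptune.CfnDBClusterProps = {
associatedRoles: [{
roleArn: 'roleArn',
// the properties below are optional
featureName: 'featureName',
}],
availabilityZones: ['availabilityZones'],
backupRetentionPeriod: 123,
copyTagsToSnapshot: false,
dbClusterIdentifier: 'dbClusterIdentifier',
dbClusterParameterGroupName: 'dbClusterParameterGroupName',
dbInstanceParameterGroupName: 'dbInstanceParameterGroupName',
dbPort: 123,
dbSubnetGroupName: 'dbSubnetGroupName',
deletionProtection: false,
enableCloudwatchLogsExports: ['enableCloudwatchLogsExports'],
engineVersion: 'engineVersion',
iamAuthEnabled: false,
kmsKeyId: 'kmsKeyId',
preferredBackupWindow: 'preferredBackupWindow',
preferredMaintenanceWindow: 'preferredMaintenanceWindow',
restoreToTime: 'restoreToTime',
restoreType: 'restoreType',
serverlessScalingConfiguration: {
maxCapacity: 123,
minCapacity: 123,
},
snapshotIdentifier: 'snapshotIdentifier',
sourceDbClusterIdentifier: 'sourceDbClusterIdentifier',
storageEncrypted: false, // the property the check inspects
tags: [{
key: 'key',
value: 'value',
}],
useLatestRestorableTime: false,
vpcSecurityGroupIds: ['vpcSecurityGroupIds'],
}; // was `});` — this is an object literal, not a call, so the `)` was a syntax error
// Minimal Props literal: only the property the check inspects.
const cfnDBCluster2: neptune.CfnDBClusterProps = {
storageEncrypted: false,
};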
================================================
FILE: cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/fail2.ts
================================================
// Fixture for the NeptuneClusterStorageEncrypted check — expected to FAIL: both
// constructs set `storageEncrypted: false`. `this` is an enclosing Stack not
// declared in this snippet.
import { aws_neptune as neptune } from 'aws-cdk-lib';
// Fully populated construct; all scalar values are placeholders named after
// their key.
const cfnDBCluster1 = new neptune.CfnDBCluster(this, 'MyCfnDBCluster', /* all optional props */ {
associatedRoles: [{
roleArn: 'roleArn',
// the properties below are optional
featureName: 'featureName',
}],
availabilityZones: ['availabilityZones'],
backupRetentionPeriod: 123,
copyTagsToSnapshot: false,
dbClusterIdentifier: 'dbClusterIdentifier',
dbClusterParameterGroupName: 'dbClusterParameterGroupName',
dbInstanceParameterGroupName: 'dbInstanceParameterGroupName',
dbPort: 123,
dbSubnetGroupName: 'dbSubnetGroupName',
deletionProtection: false,
enableCloudwatchLogsExports: ['enableCloudwatchLogsExports'],
engineVersion: 'engineVersion',
iamAuthEnabled: false,
kmsKeyId: 'kmsKeyId',
preferredBackupWindow: 'preferredBackupWindow',
preferredMaintenanceWindow: 'preferredMaintenanceWindow',
restoreToTime: 'restoreToTime',
restoreType: 'restoreType',
serverlessScalingConfiguration: {
maxCapacity: 123,
minCapacity: 123,
},
snapshotIdentifier: 'snapshotIdentifier',
sourceDbClusterIdentifier: 'sourceDbClusterIdentifier',
storageEncrypted: false, // the property the check inspects
tags: [{
key: 'key',
value: 'value',
}],
useLatestRestorableTime: false,
vpcSecurityGroupIds: ['vpcSecurityGroupIds'],
});
// Minimal construct with only the inspected property (same construct id as
// above, which CDK would reject at synth time — fixture input only).
const cfnDBCluster2 = new neptune.CfnDBCluster(this, 'MyCfnDBCluster', /* all optional props */ {
storageEncrypted: false,
});
================================================
FILE: cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/pass.ts
================================================
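// Fixture for the NeptuneClusterStorageEncrypted check — expected to PASS: every
// construct and Props literal sets `storageEncrypted: true`. `this` is an
// enclosing Stack not declared in this snippet.
import {aws_neptune as neptune} from 'aws-cdk-lib';
// Fully populated construct; all scalar values are placeholders named after
// their key.
const cfnDBCluster1 = new neptune.CfnDBCluster(this, 'MyCfnDBCluster', /* all optional props */ {
associatedRoles: [{
roleArn: 'roleArn',
// the properties below are optional
featureName: 'featureName',
}],
availabilityZones: ['availabilityZones'],
backupRetentionPeriod: 123,
copyTagsToSnapshot: false,
dbClusterIdentifier: 'dbClusterIdentifier',
dbClusterParameterGroupName: 'dbClusterParameterGroupName',
dbInstanceParameterGroupName: 'dbInstanceParameterGroupName',
dbPort: 123,
dbSubnetGroupName: 'dbSubnetGroupName',
deletionProtection: false,
enableCloudwatchLogsExports: ['enableCloudwatchLogsExports'],
engineVersion: 'engineVersion',
iamAuthEnabled: false,
kmsKeyId: 'kmsKeyId',
preferredBackupWindow: 'preferredBackupWindow',
preferredMaintenanceWindow: 'preferredMaintenanceWindow',
restoreToTime: 'restoreToTime',
restoreType: 'restoreType',
serverlessScalingConfiguration: {
maxCapacity: 123,
minCapacity: 123,
},
snapshotIdentifier: 'snapshotIdentifier',
sourceDbClusterIdentifier: 'sourceDbClusterIdentifier',
storageEncrypted: true, // the property the check inspects
tags: [{
key: 'key',
value: 'value',
}],
useLatestRestorableTime: false,
vpcSecurityGroupIds: ['vpcSecurityGroupIds'],
});
// Minimal construct with only the inspected property.
const cfnDBCluster2 = new neptune.CfnDBCluster(this, 'MyCfnDBCluster', /* all optional props */ {
storageEncrypted: true,
});
// Typed Props literal mirroring cfnDBCluster1 (there is no cfnDBCluster3).
const cfnDBCluster4: neptune.CfnDBClusterProps = {
associatedRoles: [{
roleArn: 'roleArn',
// the properties below are optional
featureName: 'featureName',
}],
availabilityZones: ['availabilityZones'],
backupRetentionPeriod: 123,
copyTagsToSnapshot: false,
dbClusterIdentifier: 'dbClusterIdentifier',
dbClusterParameterGroupName: 'dbClusterParameterGroupName',
dbInstanceParameterGroupName: 'dbInstanceParameterGroupName',
dbPort: 123,
dbSubnetGroupName: 'dbSubnetGroupName',
deletionProtection: false,
enableCloudwatchLogsExports: ['enableCloudwatchLogsExports'],
engineVersion: 'engineVersion',
iamAuthEnabled: false,
kmsKeyId: 'kmsKeyId',
preferredBackupWindow: 'preferredBackupWindow',
preferredMaintenanceWindow: 'preferredMaintenanceWindow',
restoreToTime: 'restoreToTime',
restoreType: 'restoreType',
serverlessScalingConfiguration: {
maxCapacity: 123,
minCapacity: 123,
},
snapshotIdentifier: 'snapshotIdentifier',
sourceDbClusterIdentifier: 'sourceDbClusterIdentifier',
storageEncrypted: true,
tags: [{
key: 'key',
value: 'value',
}],
useLatestRestorableTime: false,
vpcSecurityGroupIds: ['vpcSecurityGroupIds'],
}; // was `});` — this is an object literal, not a call, so the `)` was a syntax error
// Minimal Props literal with only the inspected property.
const cfnDBCluster5: neptune.CfnDBClusterProps = {
storageEncrypted: true,
};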
================================================
FILE: cdk_integration_tests/src/typescript/RDSEnhancedMonitorEnabled/fail2.ts
================================================
// Fixture for the RDSEnhancedMonitorEnabled check — expected to FAIL for all
// three instances: `monitoringInterval` is 0, negative, or absent.
// All three reuse the construct id "PostgresInstance2" and `this` is an
// enclosing Stack not declared here — fixture input, not deployable code.
// NOTE(review): in the CDK, `monitoringInterval` is a `Duration`, not a number,
// and `credentials` is a `Credentials` value; the literals here are fixture-only
// (the plaintext credential is not the property under test).
import {aws_rds as rds} from 'aws-cdk-lib';
// Interval of 0 — monitoring disabled.
const instance2 = new rds.DatabaseInstance(this, "PostgresInstance2", {
engine: rds.DatabaseInstanceEngine.POSTGRES,
credentials: {
username: 'username',
password: 'password'
},
monitoringInterval: 0,
});
// Negative interval.
const instance1 = new rds.DatabaseInstance(this, "PostgresInstance2", {
engine: rds.DatabaseInstanceEngine.POSTGRES,
credentials: {
username: 'username',
password: 'password'
},
monitoringInterval: -1,
});
// `monitoringInterval` omitted entirely.
const instance3 = new rds.DatabaseInstance(this, "PostgresInstance2", {
engine: rds.DatabaseInstanceEngine.POSTGRES,
credentials: {
username: 'username',
password: 'password'
},
});
================================================
FILE: cdk_integration_tests/src/typescript/RDSEnhancedMonitorEnabled/pass.ts
================================================
// Fixture for the RDSEnhancedMonitorEnabled check — expected to PASS: both
// instances set a positive `monitoringInterval`. Both reuse the construct id
// "PostgresInstance2"; `this` is an enclosing Stack not declared here.
// NOTE(review): in the CDK, `monitoringInterval` is a `Duration`, not a number;
// the numeric literals and plaintext `credentials` are fixture-only.
import {aws_rds as rds} from 'aws-cdk-lib';
// Smallest positive interval.
const instance2 = new rds.DatabaseInstance(this, "PostgresInstance2", {
engine: rds.DatabaseInstanceEngine.POSTGRES,
credentials: {
username: 'username',
password: 'password'
},
monitoringInterval: 1,
});
// Arbitrary large positive interval.
const instance1 = new rds.DatabaseInstance(this, "PostgresInstance2", {
engine: rds.DatabaseInstanceEngine.POSTGRES,
credentials: {
username: 'username',
password: 'password'
},
monitoringInterval: 322424,
});
================================================
FILE: cdk_integration_tests/src/typescript/RDSMultiAZEnabled/fail.ts
================================================
// Fixture for the RDSMultiAZEnabled check — expected to FAIL: the instance has
// no Multi-AZ property. `stack`, `ec2` and `vpc` are not declared in this
// snippet; it is analyser input, not a compilable module.
// SOURCE
import { DatabaseInstance } from '@aws-cdk/aws-rds';
// SINK
// SINK: Vulnerability found due to missing Multi-AZ setting
new DatabaseInstance(stack, 'MyDatabaseInstance', {
instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
vpc
// missing Multi-AZ setting
});
================================================
FILE: cdk_integration_tests/src/typescript/RDSMultiAZEnabled/pass.ts
================================================
// Fixture for the RDSMultiAZEnabled check — expected to PASS: `multiAZ` is set
// to true. `stack`, `ec2` and `vpc` are not declared in this snippet.
// NOTE(review): the CDK `DatabaseInstanceProps` spelling is `multiAz` (lower-case
// z); confirm the check is meant to match `multiAZ` as written here.
// SOURCE
import { DatabaseInstance } from '@aws-cdk/aws-rds';
// SINK
// Multi-AZ setting present — no finding expected.
new DatabaseInstance(stack, 'MyDatabaseInstance', {
instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
vpc,
multiAZ: true
});
================================================
FILE: cdk_integration_tests/src/typescript/RDSPubliclyAccessible/fail.ts
================================================
// Fixture for the RDSPubliclyAccessible check — expected to FAIL: per the inline
// comment the publicly-accessible setting is absent from the instance.
// `stack`, `ec2` and `vpc` are not declared in this snippet.
// SOURCE
import { DatabaseInstance } from '@aws-cdk/aws-rds';
// SINK
// SINK: Vulnerability found due to publicly accessible setting
new DatabaseInstance(stack, 'MyDatabaseInstance', {
instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
vpc
// publicly accessible setting missing
});
================================================
FILE: cdk_integration_tests/src/typescript/RDSPubliclyAccessible/pass.ts
================================================
// Fixture for the RDSPubliclyAccessible check — expected to PASS.
// NOTE(review): the key is spelled `publicly_accessible` (snake_case) rather than
// the CDK prop `publiclyAccessible`, and its value is `true`; the pass outcome
// presumably hinges on the key spelling not matching what the check looks for.
// Confirm this is the intended case rather than a typo.
// `stack`, `ec2` and `vpc` are not declared in this snippet.
// SOURCE
import { DatabaseInstance } from '@aws-cdk/aws-rds';
// SINK
new DatabaseInstance(stack, 'MyDatabaseInstance', {
instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
vpc, publicly_accessible: true
});
================================================
FILE: cdk_integration_tests/src/typescript/RedShiftSSL/fail__2__.ts
================================================
// Fixture for the RedShiftSSL check — expected to FAIL twice: one parameter group
// sets `require_ssl` to 'false', the other defines no parameters at all.
// Note that `app.synth()` is called twice and the second stack class is declared
// after the first synth — fixture input, not a realistic app.
// NOTE(review): `cdk.Construct` is the v1 location; in aws-cdk-lib v2 `Construct`
// comes from the 'constructs' package — irrelevant to the check, noted only.
import * as cdk from 'aws-cdk-lib';
import * as redshift from 'aws-cdk-lib/aws-redshift';
class MyRedshiftClusterParameterGroupStack extends cdk.Stack {
constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
// Parameter group with `require_ssl` explicitly disabled — finding expected.
new redshift.CfnClusterParameterGroup(this, 'MyRedshiftClusterParameterGroup', {
description: 'My Redshift Parameter Group',
parameterGroupFamily: 'redshift-1.0',
parameters: [
{
parameterName: 'require_ssl',
parameterValue: 'false',
},
// Add other parameters if needed
],
});
}
}
const app = new cdk.App();
new MyRedshiftClusterParameterGroupStack(app, 'MyRedshiftClusterParameterGroupStack');
app.synth();
class MyRedshiftClusterParameterGroupStack2 extends cdk.Stack {
constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
// Parameter group with no `parameters` list, so `require_ssl` is never set —
// finding expected.
new redshift.CfnClusterParameterGroup(this, 'MyRedshiftClusterParameterGroup2', {
description: 'My Redshift Parameter Group 2',
parameterGroupFamily: 'redshift-1.0',
});
}
}
new MyRedshiftClusterParameterGroupStack2(app, 'MyRedshiftClusterParameterGroupStack2');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/RedShiftSSL/pass.ts
================================================
// Fixture for the RedShiftSSL check — expected to PASS: the parameter group sets
// `require_ssl` to 'true'.
// NOTE(review): `cdk.Construct` is the v1 location; in aws-cdk-lib v2 `Construct`
// comes from the 'constructs' package — irrelevant to the check, noted only.
import * as cdk from 'aws-cdk-lib';
import * as redshift from 'aws-cdk-lib/aws-redshift';
class MyRedshiftClusterParameterGroupStack extends cdk.Stack {
constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
// Parameter group with `require_ssl` enabled — no finding expected.
new redshift.CfnClusterParameterGroup(this, 'MyRedshiftClusterParameterGroup', {
description: 'My Redshift Parameter Group',
parameterGroupFamily: 'redshift-1.0',
parameters: [
{
parameterName: 'require_ssl',
parameterValue: 'true',
},
// Add other parameters if needed
],
});
}
}
const app = new cdk.App();
new MyRedshiftClusterParameterGroupStack(app, 'MyRedshiftClusterParameterGroupStack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/RedshiftClusterEncryption/fail__2__.ts
================================================
// Fixture for the RedshiftClusterEncryption check — expected to FAIL twice.
// Two snippets are concatenated in this one file (an L2 `Cluster` and an L1
// `CfnCluster`); the repeated `import` / `const app` / `const stack` / `const vpc`
// / `const kmsKey` declarations would not compile as a single module and are
// kept only as analyser input.
import * as redshift from '@aws-cdk/aws-redshift-alpha';
import * as kms from 'aws-cdk-lib/aws-kms';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { Stack, App } from 'aws-cdk-lib';
const app = new App();
const stack = new Stack(app, 'RedshiftStack');
// Create a VPC
const vpc = new ec2.Vpc(stack, 'Vpc', {
maxAzs: 2
});
// Create a KMS key for encryption
const kmsKey = new kms.Key(stack, 'KmsKey');
// L2 Cluster with no `encryption` property — finding expected.
const cluster = new redshift.Cluster(stack, 'MyCluster', {
masterUser: {
masterUsername: 'admin',
},
vpc,
});
// NOTE(review): the module path below uses an underscore ('aws_redshift'); the
// published aws-cdk-lib submodule path is hyphenated — confirm this spelling is
// deliberate for the analyser.
import * as redshift from 'aws-cdk-lib/aws_redshift';
import * as kms from 'aws-cdk-lib/aws-kms';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { Stack, App } from 'aws-cdk-lib';
const app = new App();
const stack = new Stack(app, 'RedshiftStack');
// Create a VPC
const vpc = new ec2.Vpc(stack, 'Vpc', {
maxAzs: 2
});
// Create a KMS key for encryption
const kmsKey = new kms.Key(stack, 'KmsKey');
// L1 CfnCluster: a `kmsKeyId` is given but no encryption flag, so presumably the
// check treats the cluster as unencrypted — finding expected. The literal
// `masterUserPassword` is fixture-only and not the property under test.
const cfnCluster = new redshift.CfnCluster(stack, 'MyCfnCluster', {
clusterType: 'multi-node',
dbName: 'mydatabase',
masterUsername: 'admin',
masterUserPassword: 'password',
nodeType: 'ds2.xlarge',
numberOfNodes: 3,
kmsKeyId: kmsKey.keyArn, // Use the specific KMS key
vpcSecurityGroupIds: [ /* security group IDs */ ],
clusterSubnetGroupName: vpc.selectSubnets({ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }).subnetIds[0],
});
================================================
FILE: cdk_integration_tests/src/typescript/RedshiftClusterEncryption/pass.ts
================================================
// Fixture for the RedshiftClusterEncryption check — expected to PASS: both
// clusters set `encryption: true`.
// Two snippets are concatenated in this one file (an L2 `Cluster` and an L1
// `CfnCluster`); the repeated `import` / `const` declarations would not compile
// as a single module and are kept only as analyser input.
import * as redshift from '@aws-cdk/aws-redshift-alpha';
import * as kms from 'aws-cdk-lib/aws-kms';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { Stack, App } from 'aws-cdk-lib';
const app = new App();
const stack = new Stack(app, 'RedshiftStack');
// Create a VPC
const vpc = new ec2.Vpc(stack, 'Vpc', {
maxAzs: 2
});
// Create a KMS key for encryption
const kmsKey = new kms.Key(stack, 'KmsKey');
// L2 Cluster with encryption enabled — no finding expected.
const cluster = new redshift.Cluster(stack, 'MyCluster', {
masterUser: {
masterUsername: 'admin',
},
vpc,
encryption: true,
});
// NOTE(review): the module path below uses an underscore ('aws_redshift'); the
// published aws-cdk-lib submodule path is hyphenated — confirm this spelling is
// deliberate for the analyser.
import * as redshift from 'aws-cdk-lib/aws_redshift';
import * as kms from 'aws-cdk-lib/aws-kms';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { Stack, App } from 'aws-cdk-lib';
const app = new App();
const stack = new Stack(app, 'RedshiftStack');
// Create a VPC
const vpc = new ec2.Vpc(stack, 'Vpc', {
maxAzs: 2
});
// Create a KMS key for encryption
const kmsKey = new kms.Key(stack, 'KmsKey');
// NOTE(review): `CfnClusterProps` exposes the flag as `encrypted`; `encryption`
// is the L2 `Cluster` prop name. Confirm the check intentionally accepts this
// spelling on the L1 construct. The literal `masterUserPassword` is fixture-only.
const cfnCluster = new redshift.CfnCluster(stack, 'MyCfnCluster', {
clusterType: 'multi-node',
dbName: 'mydatabase',
masterUsername: 'admin',
masterUserPassword: 'password',
nodeType: 'ds2.xlarge',
numberOfNodes: 3,
encryption: true,
kmsKeyId: kmsKey.keyArn, // Use the specific KMS key
vpcSecurityGroupIds: [ /* security group IDs */ ],
clusterSubnetGroupName: vpc.selectSubnets({ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }).subnetIds[0],
});
================================================
FILE: cdk_integration_tests/src/typescript/RedshiftClusterLogging/fail.ts
================================================
// Fixture for the RedshiftClusterLogging check — expected to FAIL: the cluster
// has no logging property. `stack` and `vpc` are not declared in this snippet;
// the literal `masterPassword` is fixture-only.
// SOURCE
import { Cluster } from '@aws-cdk/aws-redshift';
// SINK
// SINK: Vulnerability found due to missing logging enabled
new Cluster(stack, 'MyRedshiftCluster', {
masterUser: {
masterUsername: 'admin',
masterPassword: 'password',
},
vpc
// logging enabled missing
});
================================================
FILE: cdk_integration_tests/src/typescript/RedshiftClusterLogging/pass.ts
================================================
// Fixture for the RedshiftClusterLogging check — expected to PASS: a logging
// property is present.
// NOTE(review): the `logging_properties: Cluster.LoggingPropertiesProperty = {...}`
// line is not valid TypeScript (a type annotation inside an object literal), and
// the key is snake_case where the CDK L2 prop is `loggingProperties`. The check
// evidently matches it as written; confirm that spelling is intended.
// `bucketName` is declared but never used; `vpc` is omitted from this instance.
// SOURCE
import { Cluster } from '@aws-cdk/aws-redshift';
// SINK
let bucketName;
let stack;
new Cluster(stack, 'MyRedshiftCluster', {
masterUser: {
masterUsername: 'admin',
masterPassword: 'password',
},
logging_properties: Cluster.LoggingPropertiesProperty = {bucketName: 'name'}
// logging configured above — no finding expected
});
================================================
FILE: cdk_integration_tests/src/typescript/RedshiftClusterPubliclyAccessible/fail.ts
================================================
// Fixture for the RedshiftClusterPubliclyAccessible check — expected to FAIL:
// `publiclyAccessible` is explicitly true. `stack` and `vpc` are not declared
// in this snippet; the literal `masterPassword` is fixture-only.
// SOURCE
import { Cluster } from '@aws-cdk/aws-redshift';
// SINK
// SINK: Vulnerability found due to publicly accessible cluster
new Cluster(stack, 'MyRedshiftCluster', {
masterUser: {
masterUsername: 'admin',
masterPassword: 'password',
},
vpc,
publiclyAccessible: true, // publicly accessible cluster
});
================================================
FILE: cdk_integration_tests/src/typescript/RedshiftClusterPubliclyAccessible/pass.ts
================================================
// Fixture for the RedshiftClusterPubliclyAccessible check — expected to PASS for
// both clusters: `publiclyAccessible` is false in the first and absent in the
// second. Both reuse the construct id 'MyRedshiftCluster'; `stack` and `vpc`
// are not declared in this snippet; the literal `masterPassword` is fixture-only.
// SOURCE
import { Cluster } from '@aws-cdk/aws-redshift';
// SINK
// Explicitly private cluster — no finding expected.
new Cluster(stack, 'MyRedshiftCluster', {
masterUser: {
masterUsername: 'admin',
masterPassword: 'password',
},
vpc,
publiclyAccessible: false,
});
// `publiclyAccessible` omitted — no finding expected.
new Cluster(stack, 'MyRedshiftCluster', {
masterUser: {
masterUsername: 'admin',
masterPassword: 'password',
},
vpc
});
================================================
FILE: cdk_integration_tests/src/typescript/RedshiftInEc2ClassicMode/fail.ts
================================================
// Fixture for the RedshiftInEc2ClassicMode check — expected to FAIL.
// `vpc` is set here and in the pass fixture alike, so the check apparently keys
// on the absence of `clusterSubnetGroupName` rather than of `vpc`. `stack` and
// `vpc` are not declared in this snippet; the literal `masterPassword` is fixture-only.
// SOURCE
import { Cluster } from '@aws-cdk/aws-redshift';
// SINK
// SINK: Vulnerability found due to Redshift cluster deployed outside of a VPC
new Cluster(stack, 'MyRedshiftCluster', {
masterUser: {
masterUsername: 'admin',
masterPassword: 'password',
},
vpc: vpc
});
================================================
FILE: cdk_integration_tests/src/typescript/RedshiftInEc2ClassicMode/pass.ts
================================================
// Fixture for the RedshiftInEc2ClassicMode check — expected to PASS: the cluster
// sets `clusterSubnetGroupName` in addition to `vpc`. `stack` and `vpc` are not
// declared in this snippet; the literal `masterPassword` is fixture-only.
// SOURCE
import { Cluster } from '@aws-cdk/aws-redshift';
// SINK
new Cluster(stack, 'MyRedshiftCluster', {
masterUser: {
masterUsername: 'admin',
masterPassword: 'password',
},
vpc: vpc,
clusterSubnetGroupName: 'name' // the property that distinguishes this from the fail fixture
});
================================================
FILE: cdk_integration_tests/src/typescript/S3BlockPublicACLs/fail.ts
================================================
// Fixture for the S3BlockPublicACLs check — expected to FAIL: the bucket uses
// `BlockPublicAccess.IGNORE_ACLS`, which does not set `blockPublicAcls`.
import * as cdk from 'aws-cdk-lib';
import { Stack, App } from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
const app = new App();
const stack = new Stack(app, 'S3BucketStack');
// Bucket with IGNORE_ACLS only — public ACLs are ignored but not blocked.
const bucket = new s3.Bucket(stack, 'MyBucket', {
blockPublicAccess: s3.BlockPublicAccess.IGNORE_ACLS,
versioned: true,
removalPolicy: cdk.RemovalPolicy.DESTROY, // NOT recommended for production code
autoDeleteObjects: true, // NOT recommended for production code
});
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BlockPublicACLs/fail__3__.ts
================================================
// Fixture for the S3BlockPublicACLs check — expected to FAIL three times:
// an L2 bucket with IGNORE_ACLS, an L2 bucket with no `blockPublicAccess` at all,
// and an L1 CfnBucket with `blockPublicAcls: false`.
// Two snippets are concatenated in this one file; the repeated `import` /
// `const app` / `const stack` / `const bucket` declarations would not compile
// as a single module, and both L2 buckets reuse the construct id 'MyBucket'.
import * as cdk from 'aws-cdk-lib';
import { Stack, App } from 'aws-cdk-lib';
import { Bucket, BlockPublicAccess } from 'aws-cdk-lib/aws-s3';
const app = new App();
const stack = new Stack(app, 'S3BucketStack');
// IGNORE_ACLS only — public ACLs are ignored but not blocked.
const bucket = new Bucket(stack, 'MyBucket', {
blockPublicAccess: BlockPublicAccess.IGNORE_ACLS,
versioned: true,
removalPolicy: cdk.RemovalPolicy.DESTROY,
autoDeleteObjects: true,
});
// No `blockPublicAccess` property at all.
const bucket2 = new Bucket(stack, 'MyBucket', {
versioned: true,
removalPolicy: cdk.RemovalPolicy.DESTROY,
autoDeleteObjects: true,
});
app.synth();
import * as cdk from 'aws-cdk-lib';
import { Stack, App } from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
const app = new App();
const stack = new Stack(app, 'S3BucketStack');
// L1 CfnBucket with `blockPublicAcls` explicitly false.
const bucket = new s3.CfnBucket(stack, 'MyBucket', {
bucketName: 'my-bucket-name', // Optional: Specify a bucket name
versioningConfiguration: {
status: 'Enabled',
},
publicAccessBlockConfiguration: {
blockPublicAcls: false, // the property the check inspects — disabled here
ignorePublicAcls: true,
},
});
bucket.applyRemovalPolicy(cdk.RemovalPolicy.DESTROY);
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BlockPublicACLs/pass.ts
================================================
// Fixture for the S3BlockPublicACLs check — expected to PASS for both buckets:
// BLOCK_ACLS and BLOCK_ALL both set `blockPublicAcls`. Both buckets reuse the
// construct id 'MyBucket' (CDK would reject that at synth — fixture input only).
import * as cdk from 'aws-cdk-lib';
import { Stack, App } from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
const app = new App();
const stack = new Stack(app, 'S3BucketStack');
// Bucket with public ACLs blocked.
const bucket = new s3.Bucket(stack, 'MyBucket', {
blockPublicAccess: s3.BlockPublicAccess.BLOCK_ACLS, // Only block public ACLs
versioned: true,
removalPolicy: cdk.RemovalPolicy.DESTROY, // NOT recommended for production code
autoDeleteObjects: true, // NOT recommended for production code
});
// Bucket with all public access blocked (ACLs and bucket policies).
const bucket2 = new s3.Bucket(stack, 'MyBucket', {
blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, // Blocks ACLs and policies — superset of BLOCK_ACLS
versioned: true,
removalPolicy: cdk.RemovalPolicy.DESTROY, // NOT recommended for production code
autoDeleteObjects: true, // NOT recommended for production code
});
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BlockPublicACLs/pass2.ts
================================================
// Fixture for the S3BlockPublicACLs check — expected to PASS for both buckets.
// Same cases as pass.ts but with named imports (`Bucket`, `BlockPublicAccess`)
// instead of the `s3` namespace. Both buckets reuse the construct id 'MyBucket'.
import * as cdk from 'aws-cdk-lib';
import { Stack, App } from 'aws-cdk-lib';
import { Bucket, BlockPublicAccess } from 'aws-cdk-lib/aws-s3';
const app = new App();
const stack = new Stack(app, 'S3BucketStack');
// Bucket with public ACLs blocked.
const bucket = new Bucket(stack, 'MyBucket', {
blockPublicAccess: BlockPublicAccess.BLOCK_ACLS, // Only block public ACLs
versioned: true,
removalPolicy: cdk.RemovalPolicy.DESTROY, // NOT recommended for production code
autoDeleteObjects: true, // NOT recommended for production code
});
// Bucket with all public access blocked (ACLs and bucket policies).
const bucket2 = new Bucket(stack, 'MyBucket', {
blockPublicAccess: BlockPublicAccess.BLOCK_ALL, // Blocks ACLs and policies — superset of BLOCK_ACLS
versioned: true,
removalPolicy: cdk.RemovalPolicy.DESTROY, // NOT recommended for production code
autoDeleteObjects: true, // NOT recommended for production code
});
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BlockPublicACLs/pass3.ts
================================================
// checkov CDK integration fixture: S3BlockPublicACLs, pass case (expected: no finding)
// expressed with the L1 CfnBucket construct instead of the L2 Bucket.
import * as cdk from 'aws-cdk-lib';
import { Stack, App } from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';

const app = new App();
const stack = new Stack(app, 'S3BucketStack');

// L1 bucket with the two ACL-related public-access-block settings enabled.
// blockPublicPolicy and restrictPublicBuckets are omitted here, so the policy side of
// the block keeps its service default; this satisfies the ACL check only.
const bucket = new s3.CfnBucket(stack, 'MyBucket', {
  bucketName: 'my-bucket-name', // Optional: Specify a bucket name
  versioningConfiguration: {
    status: 'Enabled',
  },
  publicAccessBlockConfiguration: {
    blockPublicAcls: true, // Only block public ACLs
    ignorePublicAcls: true,
  },
});

// Add deletion policy to the bucket
bucket.applyRemovalPolicy(cdk.RemovalPolicy.DESTROY); // NOT recommended for production code

app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BlockPublicPolicy/fail.ts
================================================
// checkov CDK integration fixture: S3BlockPublicPolicy, fail case (expected: one finding).
// FINDING
// NOTE(review): this fixture uses the CDK v1 package path ('@aws-cdk/aws-s3') and never
// declares `stack`, so it is not compilable on its own; it appears to be a minimal
// source-only sample for the scanner. Confirm that is intentional.
import { Bucket } from '@aws-cdk/aws-s3';

// SINK
// SINK: the bucket is created with publicReadAccess enabled and no public-access block,
// so public access via bucket policy is not blocked — this is what the check flags.
new Bucket(stack, 'MyBucket', {
  publicReadAccess: true, // This should be 'false' to block public policy
});
================================================
FILE: cdk_integration_tests/src/typescript/S3BlockPublicPolicy/pass.ts
================================================
// checkov CDK integration fixture: S3BlockPublicPolicy, pass case (expected: no finding).
// FINDING
// NOTE(review): as in the fail fixture, `stack` is undeclared and the v1 package path is
// used; the file is a source-only sample, not a compilable stack.
import { Bucket } from '@aws-cdk/aws-s3';

// SINK
// Bucket with publicReadAccess explicitly disabled — must NOT be reported.
new Bucket(stack, 'MyBucket', {
  publicReadAccess: false, // This should be 'false' to block public policy
});

// Bucket with an unrelated (and, for the real BucketProps type, unknown) property;
// exercises that the check ignores properties it does not understand.
new Bucket(stack, 'MyBucket', {
  random_param: false,
});
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketEncryption/fail2__2__.ts
================================================
// checkov CDK integration fixture: S3BucketEncryption, fail case. The "__2__" suffix
// appears to encode the expected finding count (two buckets reported).
import * as cdk from 'aws-cdk-lib';
import { Bucket, BucketEncryption } from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // No encryption property at all — reported.
    const fail = new Bucket(this, 'example', {});
    // Encryption explicitly disabled — reported.
    // NOTE(review): construct id 'example' is reused; the constructs library rejects
    // duplicate child ids, so app.synth() below would throw. Presumably only the source
    // text is scanned — confirm.
    const fail2 = new Bucket(this, 'example', {
      encryption: BucketEncryption.UNENCRYPTED
    });
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketEncryption/fail__2__.ts
================================================
// checkov CDK integration fixture: S3BucketEncryption, fail case (expected: two findings),
// namespace-import variant of fail2__2__.ts.
import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // No encryption property — reported.
    const fail = new s3.Bucket(this, 'example', {});
    // Encryption explicitly disabled — reported.
    // NOTE(review): duplicate construct id 'example'; not synthesizable as written.
    const fail2 = new s3.Bucket(this, 'example', {
      encryption: s3.BucketEncryption.UNENCRYPTED
    });
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketEncryption/pass.ts
================================================
// checkov CDK integration fixture: S3BucketEncryption, pass case (expected: no finding).
import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Server-side encryption with S3-managed keys (SSE-S3) satisfies this check; the
    // stricter KMS check (S3BucketKMSEncryption) treats S3_MANAGED as a failure.
    const pass = new s3.Bucket(this, 'example', {
      encryption: s3.BucketEncryption.S3_MANAGED,
    });
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketEncryption/pass2.ts
================================================
// checkov CDK integration fixture: S3BucketEncryption, pass case (expected: no finding),
// named-import variant using a customer-managed KMS key.
import * as cdk from 'aws-cdk-lib';
import { Bucket, BucketEncryption } from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // SSE-KMS; no explicit key is given, so CDK provisions one for the bucket.
    const pass = new Bucket(this, 'example', {
      encryption: BucketEncryption.KMS
    });
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketKMSEncryption/fail2__3__.ts
================================================
// checkov CDK integration fixture: S3BucketKMSEncryption, fail case. The "__3__" suffix
// appears to encode the expected finding count (all three buckets reported).
import * as cdk from 'aws-cdk-lib';
import { Bucket, BucketEncryption } from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // No encryption property — reported.
    const fail = new Bucket(this, 'example', {});
    // Encryption explicitly disabled — reported.
    const fail2 = new Bucket(this, 'example', {
      encryption: BucketEncryption.UNENCRYPTED
    });
    // SSE-S3 is encrypted but not KMS-backed, so this check still reports it.
    // NOTE(review): construct id 'example' is reused three times; duplicate child ids
    // are rejected by the constructs library, so app.synth() would throw.
    const fail3 = new Bucket(this, 'example', {
      encryption: BucketEncryption.S3_MANAGED
    });
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketKMSEncryption/fail__3__.ts
================================================
// checkov CDK integration fixture: S3BucketKMSEncryption, fail case (expected: three
// findings), namespace-import variant of fail2__3__.ts.
import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // No encryption property — reported.
    const fail = new s3.Bucket(this, 'example', {});
    // Encryption explicitly disabled — reported.
    const fail2 = new s3.Bucket(this, 'example', {
      encryption: s3.BucketEncryption.UNENCRYPTED
    });
    // SSE-S3 is not KMS-backed — reported by this check.
    // NOTE(review): duplicate construct id 'example'; not synthesizable as written.
    const fail3 = new s3.Bucket(this, 'example', {
      encryption: s3.BucketEncryption.S3_MANAGED
    });
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketKMSEncryption/pass.ts
================================================
// checkov CDK integration fixture: S3BucketKMSEncryption, pass case (expected: no finding).
import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // SSE-KMS with the AWS-managed S3 key; KMS-backed, so the check is satisfied
    // even though no customer-managed key is involved.
    const pass = new s3.Bucket(this, 'example', {
      encryption: s3.BucketEncryption.KMS_MANAGED
    });
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketKMSEncryption/pass2.ts
================================================
// checkov CDK integration fixture: S3BucketKMSEncryption, pass case (expected: no
// finding), named-import variant using BucketEncryption.KMS.
import * as cdk from 'aws-cdk-lib';
import { Bucket, BucketEncryption } from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // SSE-KMS; CDK provisions a key for the bucket since none is supplied.
    const pass = new Bucket(this, 'example', {
      encryption: BucketEncryption.KMS
    });
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketLogging/fail.ts
================================================
// checkov CDK integration fixture: S3BucketLogging, fail case (expected: one finding).
import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // No serverAccessLogsBucket (and no other logging configuration) — reported.
    const fail = new s3.Bucket(this, 'example', {});
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketLogging/fail2.ts
================================================
// checkov CDK integration fixture: S3BucketLogging, fail case (expected: one finding),
// named-import variant of fail.ts.
import * as cdk from 'aws-cdk-lib';
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // No access-logging destination configured — reported.
    const fail = new Bucket(this, 'example', {});
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketLogging/pass.ts
================================================
// checkov CDK integration fixture: S3BucketLogging, pass case (expected: no finding).
import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Access logging is configured, which is all the check looks for.
    // `bucket` is deliberately undeclared (see the original author's note below): the
    // fixture is only parsed by the scanner and is not meant to compile.
    const pass = new s3.Bucket(this, 'example', {
      // this would normally reference another bucket, but then I can't separate the tests
      serverAccessLogsBucket: bucket
    });
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketLogging/pass2.ts
================================================
// checkov CDK integration fixture: S3BucketLogging, pass case (expected: no finding),
// named-import variant of pass.ts.
import * as cdk from 'aws-cdk-lib';
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Access-logging destination present; `bucket` is intentionally undeclared so the
    // fixture stays a single resource (source-only sample, not compilable).
    const pass = new Bucket(this, 'example', {
      // this would normally reference another bucket, but then I can't separate the tests
      serverAccessLogsBucket: bucket
    });
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketPublicAccessBlock/fail.ts
================================================
// checkov CDK integration fixture: S3BucketPublicAccessBlock, fail case (expected: one
// finding).
import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // No blockPublicAccess property at all — reported.
    const fail = new s3.Bucket(this, 'example', {});
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketPublicAccessBlock/fail2.ts
================================================
// checkov CDK integration fixture: S3BucketPublicAccessBlock, fail case (expected: one
// finding), named-import variant of fail.ts.
import * as cdk from 'aws-cdk-lib';
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // No blockPublicAccess property — reported.
    const fail = new Bucket(this, 'example', {});
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketPublicAccessBlock/pass.ts
================================================
// checkov CDK integration fixture: S3BucketPublicAccessBlock, pass case (expected: no
// finding).
import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Full public-access block (ACLs and bucket policies) — the expected secure default.
    const pass = new s3.Bucket(this, 'example', {
      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL
    });
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketPublicAccessBlock/pass2.ts
================================================
// checkov CDK integration fixture: S3BucketPublicAccessBlock, pass case (expected: no
// finding), named-import variant of pass.ts.
import * as cdk from 'aws-cdk-lib';
import { Bucket, BlockPublicAccess } from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Full public-access block — not reported.
    const pass = new Bucket(this, 'example', {
      blockPublicAccess: BlockPublicAccess.BLOCK_ALL
    });
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketVersioning/fail2__2__.ts
================================================
// checkov CDK integration fixture: S3BucketVersioning, fail case. The "__2__" suffix
// appears to encode the expected finding count (both buckets reported).
import * as cdk from 'aws-cdk-lib';
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // versioned omitted — reported (versioning is off unless requested).
    const fail = new Bucket(this, 'example', {});
    // versioned explicitly false — reported.
    // NOTE(review): duplicate construct id 'example'; app.synth() would throw, so the
    // fixture is presumably only parsed.
    const fail2 = new Bucket(this, 'example', {
      versioned: false
    });
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketVersioning/fail__2__.ts
================================================
// checkov CDK integration fixture: S3BucketVersioning, fail case (expected: two findings),
// namespace-import variant of fail2__2__.ts.
import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // versioned omitted — reported.
    const fail = new s3.Bucket(this, 'example', {});
    // versioned explicitly false — reported.
    // NOTE(review): duplicate construct id 'example'; not synthesizable as written.
    const fail2 = new s3.Bucket(this, 'example', {
      versioned: false
    });
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketVersioning/pass.ts
================================================
// checkov CDK integration fixture: S3BucketVersioning, pass case (expected: no finding).
import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Versioning enabled — not reported.
    const pass = new s3.Bucket(this, 'example', {
      versioned: true
    });
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3BucketVersioning/pass2.ts
================================================
// checkov CDK integration fixture: S3BucketVersioning, pass case (expected: no finding),
// named-import variant of pass.ts.
import * as cdk from 'aws-cdk-lib';
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class exampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // Versioning enabled — not reported.
    const pass = new Bucket(this, 'example', {
      versioned: true
    });
  }
}

const app = new cdk.App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3PublicACLRead/fail__3__.ts
================================================
// checkov CDK integration fixture: S3PublicACLRead, fail case. The "__3__" suffix appears
// to encode the expected finding count: the PUBLIC_READ bucket, the PUBLIC_READ_WRITE
// bucket and the publicReadAccess: true bucket.
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as s3 from 'aws-cdk-lib/aws-s3';

class S3BucketExampleStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    // Bucket with the PUBLIC_READ canned ACL — reported.
    new s3.Bucket(this, 'MyPublicReadBucket', {
      accessControl: s3.BucketAccessControl.PUBLIC_READ,
    });

    // Bucket with no accessControl at all — not reported (default is private).
    new s3.Bucket(this, 'MyPrivateReadBucket');

    // Bucket with the PUBLIC_READ_WRITE canned ACL — reported.
    new s3.Bucket(this, 'MyPublicReadWriteBucket', {
      accessControl: s3.BucketAccessControl.PUBLIC_READ_WRITE,
    });

    // Bucket with publicReadAccess enabled — reported.
    new s3.Bucket(this, 'MyPublicReadAccessBucket', {
      publicReadAccess: true,
    });

    // Bucket with publicReadAccess explicitly disabled — not reported.
    // NOTE(review): construct id 'MyPublicReadAccessBucket' is reused; the constructs
    // library rejects duplicate child ids. There is also no app.synth() call in this
    // fixture, so it is evidently parsed rather than synthesized.
    new s3.Bucket(this, 'MyPublicReadAccessBucket', {
      publicReadAccess: false,
    });
  }
}

const app = new App();
new S3BucketExampleStack(app, 'S3BucketExampleStack');
================================================
FILE: cdk_integration_tests/src/typescript/S3PublicACLRead/pass.ts
================================================
// checkov CDK integration fixture: S3PublicACLRead, pass case (expected: no finding).
// Mirrors the fail fixture with every public setting removed or turned off.
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as s3 from 'aws-cdk-lib/aws-s3';

class S3BucketExampleStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    // Buckets with no accessControl — default (private) ACL, not reported.
    new s3.Bucket(this, 'MyPublicReadBucket');
    new s3.Bucket(this, 'MyPrivateReadBucket');

    // Bucket with an explicitly private ACL — not reported.
    // NOTE(review): the CDK enum member is spelled PRIVATE; `Private` would not
    // type-check. It still passes here because the check only needs a value that is
    // not PUBLIC_READ / PUBLIC_READ_WRITE — confirm whether the fixture should use the
    // real member name.
    new s3.Bucket(this, 'MyPublicReadWriteBucket', {
      accessControl: s3.BucketAccessControl.Private,
    });

    // Bucket with empty props — not reported.
    new s3.Bucket(this, 'MyPublicReadAccessBucket', {});

    // Bucket with publicReadAccess explicitly disabled — not reported.
    // NOTE(review): duplicate construct id 'MyPublicReadAccessBucket' (see fail fixture).
    new s3.Bucket(this, 'MyPublicReadAccessBucket', {
      publicReadAccess: false,
    });
  }
}

const app = new App();
new S3BucketExampleStack(app, 'S3BucketExampleStack');
================================================
FILE: cdk_integration_tests/src/typescript/S3RestrictPublicBuckets/fail__2__.ts
================================================
// checkov CDK integration fixture: S3RestrictPublicBuckets, fail case. The "__2__" suffix
// appears to encode the expected finding count: one L2 Bucket and one L1 CfnBucket, each
// with restrictPublicBuckets set to false.
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as s3 from 'aws-cdk-lib/aws-s3';

class S3BucketWithPublicAccessStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Custom BlockPublicAccess with three of the four settings on; restrictPublicBuckets
    // is the one this check cares about and it is off — reported.
    new s3.Bucket(this, 'aaa', {
      versioned: false, // You can enable versioning if needed
      removalPolicy: cdk.RemovalPolicy.DESTROY, // Change this according to your retention policy
      blockPublicAccess: new s3.BlockPublicAccess({
        blockPublicAcls: true,
        blockPublicPolicy: true,
        ignorePublicAcls: true,
        restrictPublicBuckets: false,
      }),
    });
  }
}

class PublicS3BucketStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Same shape at the L1 level: publicAccessBlockConfiguration with
    // restrictPublicBuckets: false — reported.
    new s3.CfnBucket(this, 'PublicBucket', {
      versioningConfiguration: {
        status: 'Suspended', // You can enable versioning if needed
      },
      publicAccessBlockConfiguration: {
        blockPublicAcls: true,
        blockPublicPolicy: true,
        ignorePublicAcls: true,
        restrictPublicBuckets: false,
      },
    });
  }
}

const app = new cdk.App();
new S3BucketWithPublicAccessStack(app, 'S3BucketWithPublicAccessStack');
new PublicS3BucketStack(app, 'PublicS3BucketStack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/S3RestrictPublicBuckets/pass.ts
================================================
// checkov CDK integration fixture: S3RestrictPublicBuckets, pass case (expected: no
// finding). Both buckets have restrictPublicBuckets enabled, via BLOCK_ALL on the L2
// construct and explicitly on the L1 construct.
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as s3 from 'aws-cdk-lib/aws-s3';

class S3BucketWithPublicAccessStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // BLOCK_ALL turns on all four public-access-block settings, including
    // restrictPublicBuckets — not reported.
    new s3.Bucket(this, 'aaa', {
      versioned: false, // You can enable versioning if needed
      removalPolicy: cdk.RemovalPolicy.DESTROY, // Change this according to your retention policy
      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, // Enforce all public access restrictions
    });
  }
}

class PublicS3BucketStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // L1 bucket with all four settings, restrictPublicBuckets: true — not reported.
    new s3.CfnBucket(this, 'PublicBucket', {
      versioningConfiguration: {
        status: 'Suspended', // You can enable versioning if needed
      },
      publicAccessBlockConfiguration: {
        blockPublicAcls: true,
        blockPublicPolicy: true,
        ignorePublicAcls: true,
        restrictPublicBuckets: true,
      },
    });
  }
}

const app = new cdk.App();
new S3BucketWithPublicAccessStack(app, 'S3BucketWithPublicAccessStack');
new PublicS3BucketStack(app, 'PublicS3BucketStack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/SNSTopicEncryption/fail.ts
================================================
// checkov CDK integration fixture: SNSTopicEncryption, fail case (expected: one finding).
import { App, Stack } from 'aws-cdk-lib';
import * as sns from 'aws-cdk-lib/aws-sns';
import { Construct } from 'constructs';

class MyStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Topic without masterKey, i.e. no server-side encryption — reported.
    new sns.Topic(this, 'Topic', {
      topicName: 'my-topic',
    });
  }
}

const app = new App();
new MyStack(app, 'MyStack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/SNSTopicEncryption/pass.ts
================================================
// checkov CDK integration fixture: SNSTopicEncryption, pass case (expected: no finding).
import { App, Stack } from 'aws-cdk-lib';
import * as sns from 'aws-cdk-lib/aws-sns';
import * as kms from 'aws-cdk-lib/aws-kms';
import { Construct } from 'constructs';

class MyStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);

    // Customer-managed KMS key for the topic.
    const key = new kms.Key(this, 'MyKey');

    // Topic encrypted with that key via masterKey — not reported.
    new sns.Topic(this, 'Topic', {
      topicName: 'my-topic',
      masterKey: key,
    });
  }
}

const app = new App();
new MyStack(app, 'MyStack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/SQSQueueEncryption/fail__2__.ts
================================================
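// checkov CDK integration fixture: SQSQueueEncryption, fail case. The "__2__" suffix
// appears to encode the expected finding count: the L2 Queue without a key and the L1
// CfnQueue without kmsMasterKeyId.
//
// Fix: `cdk.Duration` is referenced in the first stack but `cdk` was never imported;
// the namespace import below brings it into scope. No matched resource or property
// value changes, so the fixture's expected findings are unaffected.
import * as cdk from 'aws-cdk-lib';
import { App, Stack } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as sqs from 'aws-cdk-lib/aws-sqs';

class SqsQueueWithKmsKeyStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // QueueEncryption.KMS without an encryptionMasterKey — reported by this fixture's
    // check (compare the pass fixture, which supplies the key).
    new sqs.Queue(this, "MySqsQueue", {
      encryption: sqs.QueueEncryption.KMS,
      visibilityTimeout: cdk.Duration.seconds(300) // Other properties for the queue
    });
  }
}

const app = new App();
new SqsQueueWithKmsKeyStack(app, "SqsQueueWithKmsKeyStack");
app.synth();

class SqsQueueWithKmsKeyIdStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // L1 queue with no kmsMasterKeyId — reported.
    var mySqs = new sqs.CfnQueue(this, "MySqsQueue", {
      visibilityTimeout: 300 // Other properties for the queue
      // Specify the KMS key ID if needed here, e.g., kmsMasterKeyId: 'alias/aws/sqs'
    });
  }
}

// Second app so each stack is synthesized independently.
const app2 = new App();
new SqsQueueWithKmsKeyIdStack(app2, "SqsQueueWithKmsKeyIdStack");
app2.synth();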
================================================
FILE: cdk_integration_tests/src/typescript/SQSQueueEncryption/pass.ts
================================================
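// checkov CDK integration fixture: SQSQueueEncryption, pass case (expected: no finding).
//
// Fix: `cdk.Duration` is referenced in the first stack but `cdk` was never imported;
// the namespace import below brings it into scope. No matched resource or property
// value changes, so the fixture's expected outcome is unaffected.
import * as cdk from 'aws-cdk-lib';
import { App, Stack } from 'aws-cdk-lib';
import * as sqs from 'aws-cdk-lib/aws-sqs';
import * as kms from 'aws-cdk-lib/aws-kms';
import * as cfn from 'aws-cdk-lib/aws-cloudformation';
import { Construct } from 'constructs';

class SqsQueueWithKmsKeyStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);

    // Customer-managed KMS key with automatic rotation enabled.
    const kmsKey = new kms.Key(this, 'MyKmsKey', {
      enableKeyRotation: true,
    });

    // L2 queue encrypted with that key — not reported.
    new sqs.Queue(this, 'MySqsQueue', {
      encryption: sqs.QueueEncryption.KMS,
      encryptionMasterKey: kmsKey,
      visibilityTimeout: cdk.Duration.seconds(300), // Other properties for the queue
    });
  }
}

const app = new App();
new SqsQueueWithKmsKeyStack(app, 'SqsQueueWithKmsKeyStack');
app.synth();

class SqsQueueWithKmsKeyIdStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);

    // Custom resource standing in for a key provider; the serviceToken is a
    // placeholder ARN and is not meant to resolve.
    const kmsKey = new cfn.CfnCustomResource(this, 'MyKmsKeyResource', {
      serviceToken: 'arn:aws:lambda:::function/',
      // Add other properties as needed
    });

    // L1 queue with an explicit kmsMasterKeyId — not reported.
    new sqs.CfnQueue(this, 'MySqsQueue', {
      kmsMasterKeyId: kmsKey.getAtt('KmsKeyId').toString(),
      visibilityTimeout: 300, // Other properties for the queue
    });
  }
}

// Second app so each stack is synthesized independently.
const app2 = new App();
new SqsQueueWithKmsKeyIdStack(app2, 'SqsQueueWithKmsKeyIdStack');
app2.synth();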
================================================
FILE: cdk_integration_tests/src/typescript/SecretManagerSecretEncrypted/fail__2__.ts
================================================
// checkov CDK integration fixture: SecretManagerSecretEncrypted, fail case. The "__2__"
// suffix appears to encode the expected finding count: both secrets below are reported.
import { App, Stack } from 'aws-cdk-lib';
import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
import * as kms from 'aws-cdk-lib/aws-kms';
import { Construct } from 'constructs';

class MySecretsStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Secret whose encryptionKey ARN has the 'key/aws/...' path, i.e. an AWS-managed key
    // rather than a customer-managed one. Presumably this is what makes it a finding
    // (the pass fixture differs only in the ARN) — confirm against the check.
    // REGION / ACCOUNT_ID / KMS_KEY_ID are placeholders.
    const mySecret = new secretsmanager.Secret(this, 'MySecret', {
      secretName: 'MySecretName',
      encryptionKey: kms.Key.fromKeyArn(this, 'MyKmsKey', 'arn:aws:kms:REGION:ACCOUNT_ID:key/aws/KMS_KEY_ID'),
    });
  }
}

class MySecretsStack2 extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Secret with no encryptionKey at all — reported.
    const mySecret = new secretsmanager.Secret(this, 'MySecret', {
      secretName: 'MySecretName',
    });
  }
}

const app = new App();
new MySecretsStack(app, "MySecretsStack");
new MySecretsStack2(app, "MySecretsStack2");
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/SecretManagerSecretEncrypted/pass.ts
================================================
// checkov CDK integration fixture: SecretManagerSecretEncrypted, pass case (expected: no
// finding).
import { App, Stack } from 'aws-cdk-lib';
import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
import * as kms from 'aws-cdk-lib/aws-kms';
import { Construct } from 'constructs';

class MySecretsStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Secret encrypted with a customer-managed key referenced by ARN ('key/KMS_KEY_ID',
    // no 'aws/' segment) — not reported. REGION / ACCOUNT_ID / KMS_KEY_ID are placeholders.
    const mySecret = new secretsmanager.Secret(this, 'MySecret', {
      secretName: 'MySecretName',
      encryptionKey: kms.Key.fromKeyArn(this, 'MyKmsKey', 'arn:aws:kms:REGION:ACCOUNT_ID:key/KMS_KEY_ID'),
    });
  }
}

const app = new App();
new MySecretsStack(app, "MySecretsStack");
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/SecurityGroupRuleDescription/fail__4__.ts
================================================
// checkov CDK integration fixture: SecurityGroupRuleDescription, fail case. The "__4__"
// suffix appears to encode the expected finding count, one per rule-bearing resource
// below. Note that the check is about rule descriptions only; the 0.0.0.0/0 source/
// destination on port 80 used throughout is incidental to this fixture.
import { App, Stack } from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { Construct } from 'constructs';

class MySecurityGroupStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Inline ingress rule. The rule has a description, so presumably the finding here
    // comes from how the check reads inline rules on CfnSecurityGroup — confirm against
    // the check definition.
    const securityGroup = new ec2.CfnSecurityGroup(this, 'MySecurityGroup', {
      groupDescription: 'My security group',
      securityGroupIngress: [
        {
          description: 'Allow HTTP inbound',
          ipProtocol: 'tcp',
          fromPort: 80,
          toPort: 80,
          cidrIp: '0.0.0.0/0',
        },
      ],
      // Other properties for your Security Group
    });
  }
}

class MySecurityGroupEgressStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Inline egress rule; same observation as above.
    const securityGroupEgress = new ec2.CfnSecurityGroup(this, 'MySecurityGroup', {
      groupDescription: 'My security group',
      securityGroupEgress: [
        {
          description: 'Allow HTTP outbound',
          ipProtocol: 'tcp',
          fromPort: 80,
          toPort: 80,
          cidrIp: '0.0.0.0/0',
        },
      ],
      // Other properties for your Security Group
    });
  }
}

class MySecurityGroupIngressStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Standalone ingress rule with no description property — reported.
    new ec2.CfnSecurityGroupIngress(this, 'MySecurityGroupIngress', {
      groupId: 'your-security-group-id', // Replace with your Security Group ID
      ipProtocol: 'tcp',
      fromPort: 80,
      toPort: 80,
      cidrIp: '0.0.0.0/0',
      // Other properties for your Security Group Ingress
    });
  }
}

class MySecurityGroupEgressStack2 extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Standalone egress rule with no description property — reported.
    new ec2.CfnSecurityGroupEgress(this, 'MySecurityGroupEgress', {
      groupId: 'your-security-group-id', // Replace with your Security Group ID
      ipProtocol: 'tcp',
      fromPort: 80,
      toPort: 80,
      cidrIp: '0.0.0.0/0',
      // Other properties for your Security Group Egress
    });
  }
}

// NOTE(review): MySecurityGroupEgressStack2 is never instantiated, yet four findings are
// expected — consistent with the scanner working from source text rather than synth
// output. The pass fixture does instantiate all four stacks.
const app = new App();
new MySecurityGroupStack(app, "MySecurityGroupStack");
new MySecurityGroupIngressStack(app, "MySecurityGroupIngressStack");
new MySecurityGroupEgressStack(app, "MySecurityGroupEgressStack");
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/SecurityGroupRuleDescription/pass.ts
================================================
// checkov CDK integration fixture: SecurityGroupRuleDescription, pass case (expected: no
// finding). Every rule carries a description; the values ('True', 'abc') are placeholders
// that satisfy the "present and non-empty" condition and are not meaningful descriptions.
import { App, Stack } from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { Construct } from 'constructs';

class MySecurityGroupStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Inline ingress rule with a description — not reported.
    new ec2.CfnSecurityGroup(this, 'MySecurityGroup', {
      groupDescription: 'My security group',
      securityGroupIngress: [
        {
          description: 'True',
          ipProtocol: 'tcp',
          fromPort: 80,
          toPort: 80,
          cidrIp: '0.0.0.0/0',
        },
      ],
      // Other properties for your Security Group
    });
  }
}

class MySecurityGroupEgressStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Inline egress rule with a description — not reported.
    new ec2.CfnSecurityGroup(this, 'MySecurityGroupEgress', {
      groupDescription: 'My security group',
      securityGroupEgress: [
        {
          description: 'True',
          ipProtocol: 'tcp',
          fromPort: 80,
          toPort: 80,
          cidrIp: '0.0.0.0/0',
        },
      ],
      // Other properties for your Security Group
    });
  }
}

class MySecurityGroupIngressStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Standalone ingress rule with a description — not reported.
    new ec2.CfnSecurityGroupIngress(this, 'MySecurityGroupIngress', {
      groupId: 'your-security-group-id', // Replace with your Security Group ID
      ipProtocol: 'tcp',
      fromPort: 80,
      toPort: 80,
      cidrIp: '0.0.0.0/0',
      description: 'abc',
      // Other properties for your Security Group Ingress
    });
  }
}

class MySecurityGroupEgressStack2 extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Standalone egress rule with a description — not reported.
    new ec2.CfnSecurityGroupEgress(this, 'MySecurityGroupEgress', {
      groupId: 'your-security-group-id', // Replace with your Security Group ID
      ipProtocol: 'tcp',
      fromPort: 80,
      toPort: 80,
      cidrIp: '0.0.0.0/0',
      description: 'abc',
      // Other properties for your Security Group Egress
    });
  }
}

const app = new App();
new MySecurityGroupStack(app, "MySecurityGroupStack");
new MySecurityGroupEgressStack(app, "MySecurityGroupEgressStack");
new MySecurityGroupIngressStack(app, "MySecurityGroupIngressStack");
new MySecurityGroupEgressStack2(app, "MySecurityGroupEgressStack2");
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/TransferServerIsPublic/fail__1__.ts
================================================
// checkov CDK integration fixture: TransferServerIsPublic, fail case. The "__1__" suffix
// appears to encode the expected finding count (one server reported).
import { App, Stack } from 'aws-cdk-lib';
import * as transfer from 'aws-cdk-lib/aws-transfer';
import { Construct } from 'constructs';

class MyTransferServerStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // endpointType is neither 'VPC' nor 'VPC_ENDPOINT' (the values the pass fixture
    // uses), so the server is treated as not VPC-bound — reported. 'abc' is a
    // deliberately invalid placeholder, not a real endpoint type.
    new transfer.CfnServer(this, 'MyTransferServer', {
      endpointType: 'abc', // Replace 'abc' with your endpoint type
      // Other properties as needed for your Transfer Server
    });
  }
}

const app = new App();
new MyTransferServerStack(app, "MyTransferServerStack");
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/TransferServerIsPublic/pass.ts
================================================
// checkov CDK integration fixture: TransferServerIsPublic, pass case (expected: no
// finding). Both accepted endpoint types keep the server reachable only through a VPC.
import { App, Stack } from 'aws-cdk-lib';
import * as transfer from 'aws-cdk-lib/aws-transfer';
import { Construct } from 'constructs';

class MyTransferServerStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Transfer server with endpointType 'VPC' — not reported.
    new transfer.CfnServer(this, 'MyTransferServer', {
      endpointType: 'VPC',
      // Other properties as needed for your Transfer Server
    });
  }
}

class MyTransferServerStack2 extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Transfer server with endpointType 'VPC_ENDPOINT' — not reported.
    new transfer.CfnServer(this, 'MyTransferServer2', {
      endpointType: 'VPC_ENDPOINT',
      // Other properties as needed for your Transfer Server
    });
  }
}

const app = new App();
new MyTransferServerStack(app, "MyTransferServerStack");
new MyTransferServerStack2(app, "MyTransferServerStack2");
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/VPCEndpointAcceptanceConfigured/fail__2__.ts
================================================
import { App, Stack } from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { Construct } from 'constructs';
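// Fixture expected to FAIL CKV_AWS_123 (VPCEndpointAcceptanceConfigured) twice
// (hence the fail__2__ file name): one service never sets acceptanceRequired and
// the other disables it, so neither explicitly requires the owner to approve
// connection requests.
class MyVpcEndpointServiceStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Case 1: acceptanceRequired omitted entirely
    new ec2.CfnVPCEndpointService(this, 'MyVPCEndpointService');
    // Case 2: acceptanceRequired explicitly disabled.
    // The construct id must differ from case 1: two children with the same id
    // in one scope are rejected by the constructs library, so the original
    // duplicate 'MyVPCEndpointService' could never synthesise.
    new ec2.CfnVPCEndpointService(this, 'MyVPCEndpointServiceNoAcceptance', {
      acceptanceRequired: false,
    });
  }
}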
// Synthesise the failing stack so the fixture is a complete CDK program.
const app = new App();
new MyVpcEndpointServiceStack(app, "MyVpcEndpointServiceStack");
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/VPCEndpointAcceptanceConfigured/pass.ts
================================================
import { App, Stack } from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { Construct } from 'constructs';
// Fixture expected to PASS CKV_AWS_123 (VPCEndpointAcceptanceConfigured):
// acceptanceRequired is explicitly true.
class MyVpcEndpointServiceStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Define VPC Endpoint Service with acceptance required, so the owner must
    // approve each connection request before a consumer can use the service
    new ec2.CfnVPCEndpointService(this, 'MyVPCEndpointService', {
      acceptanceRequired: true,
      // Other properties for your VPC Endpoint Service
    });
  }
}
// Synthesise the passing stack so the fixture is a complete CDK program.
const app = new App();
new MyVpcEndpointServiceStack(app, "MyVpcEndpointServiceStack");
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/WAFEnabled/fail__1__.ts
================================================
import { App, Stack } from 'aws-cdk-lib';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import { Construct } from 'constructs';
// Fixture expected to FAIL CKV_AWS_68 (WAFEnabled): the distribution has no
// webAclId, so no WAF web ACL inspects its traffic.
class CloudFrontDistributionStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Create a CloudFront distribution with no WAF association
    new cloudfront.CfnDistribution(this, 'MyCloudFrontDistribution', {
      distributionConfig: {
        defaultCacheBehavior: {
          // Configure your cache behavior as needed
          viewerProtocolPolicy: 'allow-all', // Example only: also serves plain HTTP; that is the concern of CKV_AWS_34 (CloudfrontDistributionEncryption), not of this fixture
          targetOriginId: 'myTargetOrigin', // Example configuration, needs to match an origin
          forwardedValues: {
            queryString: true,
            cookies: { forward: 'none' },
          },
        },
        enabled: true,
        // Other distributionConfig properties as needed
      },
    });
  }
}
// Synthesise the failing stack so the fixture is a complete CDK program.
const app = new App();
new CloudFrontDistributionStack(app, "CloudFrontDistributionStack");
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/WAFEnabled/pass.ts
================================================
import { App, Stack } from 'aws-cdk-lib';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import * as wafv2 from 'aws-cdk-lib/aws-wafv2';
import { Construct } from 'constructs';
// Fixture expected to PASS CKV_AWS_68 (WAFEnabled): a CLOUDFRONT-scoped web ACL
// is created and its ARN is set as the distribution's webAclId.
class CloudFrontDistributionStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Create a WebACL scoped for CloudFront (the scope must be CLOUDFRONT, not REGIONAL)
    const webAcl = new wafv2.CfnWebACL(this, 'MyWebACL', {
      defaultAction: { allow: {} },
      scope: 'CLOUDFRONT',
      visibilityConfig: {
        cloudWatchMetricsEnabled: true,
        metricName: 'webAclMetric',
        sampledRequestsEnabled: true,
      },
      // Configure your WebACL as needed; with no rules and a default allow,
      // this ACL only satisfies the association check, it blocks nothing
      rules: [],
    });
    // Create a CloudFront distribution and associate it with the WebACL
    const distribution = new cloudfront.CfnDistribution(this, 'MyCloudFrontDistribution', {
      distributionConfig: {
        defaultCacheBehavior: {
          // Configure your cache behavior as needed
          viewerProtocolPolicy: 'allow-all', // Example only: plain HTTP is still served; CKV_AWS_34 (CloudfrontDistributionEncryption) covers that separately
          targetOriginId: 'myTargetOrigin', // Example configuration, needs to match an origin
          forwardedValues: {
            queryString: false,
            cookies: { forward: 'none' },
          },
        },
        enabled: true,
        webAclId: webAcl.attrArn, // Set the WebACL association (the ACL ARN)
        // Other distributionConfig properties as needed
      },
    });
  }
}
// Synthesise the passing stack so the fixture is a complete CDK program.
const app = new App();
new CloudFrontDistributionStack(app, 'CloudFrontDistributionStack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/WorkspaceRootVolumeEncrypted/fail__1__.ts
================================================
import { App, Stack } from 'aws-cdk-lib';
import * as workspaces from 'aws-cdk-lib/aws-workspaces';
import { Construct } from 'constructs';
// Fixture expected to FAIL CKV_AWS_156 (WorkspaceRootVolumeEncrypted):
// rootVolumeEncryptionEnabled is false.
class WorkSpacesStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // No WorkSpaces directory is created here; the workspace is attached to an
    // existing directory (for example an AD Connector or a Simple AD) by id.
    // Create a WorkSpaces workspace with root volume encryption DISABLED
    new workspaces.CfnWorkspace(this, 'MyWorkspace', {
      directoryId: 'your-directory-id', // Replace with your actual directory ID
      userName: 'my-user',
      bundleId: 'wsb-12345678', // Replace with your actual bundle ID
      rootVolumeEncryptionEnabled: false, // the setting this fixture is meant to trip
      userVolumeEncryptionEnabled: false, // Set to true if you want user volume encryption
      // Workspace properties need to be defined here, if necessary.
    });
  }
}
// Synthesise the failing stack so the fixture is a complete CDK program.
const app = new App();
new WorkSpacesStack(app, 'WorkSpacesStack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/WorkspaceRootVolumeEncrypted/pass.ts
================================================
import { App, Stack } from 'aws-cdk-lib';
import * as workspaces from 'aws-cdk-lib/aws-workspaces';
import { Construct } from 'constructs';
// Fixture expected to PASS CKV_AWS_156 (WorkspaceRootVolumeEncrypted):
// rootVolumeEncryptionEnabled is true. The user volume is left unencrypted on
// purpose; that is the subject of CKV_AWS_155 (WorkspaceUserVolumeEncrypted).
class WorkSpacesStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Assuming the Directory ID is known and exists. Replace 'your-directory-id' with the actual Directory ID.
    const directoryId = 'your-directory-id';
    // Create a WorkSpaces workspace with root volume encryption enabled
    new workspaces.CfnWorkspace(this, 'MyWorkspace', {
      directoryId: directoryId, // Use the known Directory ID
      bundleId: 'wsb-12345678', // Replace with your actual bundle ID
      userName: 'my-user',
      rootVolumeEncryptionEnabled: true,
      userVolumeEncryptionEnabled: false, // Set to true if you want user volume encryption
      // Other properties for your Workspace as needed
    });
  }
}
// Synthesise the passing stack so the fixture is a complete CDK program.
const app = new App();
new WorkSpacesStack(app, 'WorkSpacesStack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/WorkspaceUserVolumeEncrypted/fail__1__.ts
================================================
import { App, Stack } from 'aws-cdk-lib';
import * as workspaces from 'aws-cdk-lib/aws-workspaces';
import { Construct } from 'constructs';
// Fixture expected to FAIL CKV_AWS_155 (WorkspaceUserVolumeEncrypted):
// userVolumeEncryptionEnabled is false.
class WorkSpacesStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // No WorkSpaces directory is created here; the workspace is attached to an
    // existing directory (for example an AD Connector or a Simple AD) by id.
    // Create a WorkSpaces workspace with user volume encryption DISABLED
    new workspaces.CfnWorkspace(this, 'MyWorkspace', {
      directoryId: 'your-directory-id', // Replace with your actual directory ID
      userName: 'my-user',
      bundleId: 'wsb-12345678', // Replace with your actual bundle ID
      rootVolumeEncryptionEnabled: false,
      userVolumeEncryptionEnabled: false, // the setting this fixture is meant to trip
      // Workspace properties need to be defined here, if necessary.
    });
  }
}
// Synthesise the failing stack so the fixture is a complete CDK program.
const app = new App();
new WorkSpacesStack(app, 'WorkSpacesStack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/WorkspaceUserVolumeEncrypted/pass.ts
================================================
import { App, Stack } from 'aws-cdk-lib';
import * as workspaces from 'aws-cdk-lib/aws-workspaces';
import { Construct } from 'constructs';
// Fixture expected to PASS CKV_AWS_155 (WorkspaceUserVolumeEncrypted):
// both volumes are encrypted, so it also satisfies CKV_AWS_156.
class WorkSpacesStack extends Stack {
  constructor(scope: Construct, id: string, props?: {}) {
    super(scope, id, props);
    // Assuming the Directory ID is known and exists. Replace 'your-directory-id' with the actual Directory ID.
    const directoryId = 'your-directory-id';
    // Create a WorkSpaces workspace with root and user volume encryption enabled
    new workspaces.CfnWorkspace(this, 'MyWorkspace', {
      directoryId: directoryId, // Use the known Directory ID
      bundleId: 'wsb-12345678', // Replace with your actual bundle ID
      userName: 'my-user',
      rootVolumeEncryptionEnabled: true,
      userVolumeEncryptionEnabled: true, // the setting this fixture demonstrates
      // Other properties for your Workspace as needed
    });
  }
}
// Synthesise the passing stack so the fixture is a complete CDK program.
const app = new App();
new WorkSpacesStack(app, 'WorkSpacesStack');
app.synth();
================================================
FILE: cdk_integration_tests/src/typescript/s3.ts
================================================
import { App, Stack, StackProps } from "aws-cdk-lib";
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';
// Minimal L2 bucket with SSE-S3 enabled. This file sits directly under
// src/typescript rather than in a per-policy directory, so which checks it
// feeds is not visible from here; note that logging, versioning and the
// public-access block (all checked by sibling tests) are not configured.
export class exampleStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new s3.Bucket(this, 'example', {
      encryption: s3.BucketEncryption.S3_MANAGED,
    });
  }
}
// Synthesise the example stack so the file is a complete CDK program.
const app = new App();
new exampleStack(app, 'example-stack');
app.synth();
================================================
FILE: cdk_integration_tests/test_checks_python.py
================================================
from typing import Dict, Any, List
import pytest
from cdk_integration_tests.utils import run_check, load_failed_checks_from_file
# Language tag handed to load_failed_checks_from_file; selects the Python CDK report.
LANGUAGE = "python"
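@pytest.fixture(scope="session", autouse=True)
def failed_checks() -> Dict[str, List[Dict[str, Any]]]:
    """Load the recorded failed checks for the Python CDK fixtures once per session.

    Returns the mapping produced by ``load_failed_checks_from_file(LANGUAGE)``.
    The fixture has no teardown work, so the value is returned rather than
    yielded; this keeps the declared return type accurate (a yielding fixture
    is a generator, which the annotation did not reflect).
    """
    return load_failed_checks_from_file(LANGUAGE)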
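def _assert_check(failed_checks: Dict[str, List[Dict[str, Any]]], check_id: str, policy_name: str) -> None:
    """Run ``run_check`` for one policy against the session's recorded results.

    Each test below pairs a Checkov check id with its fixture directory name
    (the policy name under ``src/python``). The language is taken from the
    module constant instead of being repeated per test, so it cannot drift
    from the report the ``failed_checks`` fixture loaded.
    """
    run_check(check_results=failed_checks, check_id=check_id, policy_name=policy_name, language=LANGUAGE)


def test_CKV_AWS_18_S3BucketLogging(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_18", "S3BucketLogging")


def test_CKV_AWS_19_S3BucketEncryption(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_19", "S3BucketEncryption")


def test_CKV_AWS_21_S3BucketVersioning(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_21", "S3BucketVersioning")


def test_CKV_AWS_145_S3BucketKMSEncryption(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_145", "S3BucketKMSEncryption")


def test_CKV2_AWS_6_S3BucketPublicAccessBlock(failed_checks):
    _assert_check(failed_checks, "CKV2_AWS_6", "S3BucketPublicAccessBlock")


def test_CKV_AWS_54_S3BlockPublicPolicy(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_54", "S3BlockPublicPolicy")


def test_CKV_AWS_26_SNSTopicEncryption(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_26", "SNSTopicEncryption")


def test_CKV_AWS_20_S3PublicACLRead(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_20", "S3PublicACLRead")


def test_CKV_AWS_55_S3IgnorePublicACLs(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_55", "S3IgnorePublicACLs")


def test_CKV_AWS_56_S3RestrictPublicBuckets(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_56", "S3RestrictPublicBuckets")


def test_CKV_AWS_53_S3BlockPublicACLs(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_53", "S3BlockPublicACLs")


def test_CKV_AWS_57_S3PublicACLWrite(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_57", "S3PublicACLWrite")


def test_CKV_AWS_115_LambdaFunctionLevelConcurrentExecutionLimit(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_115", "LambdaFunctionLevelConcurrentExecutionLimit")


def test_CKV_AWS_116_LambdaDLQConfigured(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_116", "LambdaDLQConfigured")


def test_CKV_AWS_28_DynamodbRecovery(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_28", "DynamodbRecovery")


def test_CKV_AWS_158_CloudWatchLogGroupKMSKey(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_158", "CloudWatchLogGroupKMSKey")


def test_CKV_AWS_3_EBSEncryption(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_3", "EBSEncryption")


def test_CKV_AWS_120_APIGatewayCacheEnable(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_120", "APIGatewayCacheEnable")


def test_CKV_AWS_163_ECRImageScanning(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_163", "ECRImageScanning")


def test_CKV_AWS_51_ECRImmutableTags(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_51", "ECRImmutableTags")


def test_CKV_AWS_44_NeptuneClusterStorageEncrypted(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_44", "NeptuneClusterStorageEncrypted")


def test_CKV_AWS_166_BackupVaultEncrypted(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_166", "BackupVaultEncrypted")


def test_CKV_AWS_74_DocDBEncryption(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_74", "DocDBEncryption")


def test_CKV_AWS_47_DAXEncryption(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_47", "DAXEncryption")


def test_CKV_AWS_156_WorkspaceRootVolumeEncrypted(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_156", "WorkspaceRootVolumeEncrypted")


def test_CKV_AWS_155_WorkspaceUserVolumeEncrypted(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_155", "WorkspaceUserVolumeEncrypted")


def test_CKV_AWS_165_DynamodbGlobalTableRecovery(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_165", "DynamodbGlobalTableRecovery")


def test_CKV_AWS_27_SQSQueueEncryption(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_27", "SQSQueueEncryption")


def test_CKV_AWS_195_GlueSecurityConfigurationEnabled(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_195", "GlueSecurityConfigurationEnabled")


def test_CKV_AWS_30_ElasticacheReplicationGroupEncryptionAtTransit(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_30", "ElasticacheReplicationGroupEncryptionAtTransit")


def test_CKV_AWS_29_ElasticacheReplicationGroupEncryptionAtRest(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_29", "ElasticacheReplicationGroupEncryptionAtRest")


def test_CKV_AWS_43_KinesisStreamEncryptionType(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_43", "KinesisStreamEncryptionType")


def test_CKV_AWS_42_EFSEncryptionEnabled(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_42", "EFSEncryptionEnabled")


def test_CKV_AWS_193_AppSyncLogging(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_193", "AppSyncLogging")


def test_CKV_AWS_194_AppSyncFieldLevelLogs(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_194", "AppSyncFieldLevelLogs")


def test_CKV_AWS_104_DocDBAuditLogs(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_104", "DocDBAuditLogs")


def test_CKV_AWS_82_AthenaWorkgroupConfiguration(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_82", "AthenaWorkgroupConfiguration")


def test_CKV_AWS_17_RDSPubliclyAccessible(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_17", "RDSPubliclyAccessible")


def test_CKV_AWS_87_RedshiftClusterPubliclyAccessible(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_87", "RedshiftClusterPubliclyAccessible")


def test_CKV_AWS_69_AmazonMQBrokerPublicAccess(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_69", "AmazonMQBrokerPublicAccess")


def test_CKV_AWS_118_RDSEnhancedMonitorEnabled(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_118", "RDSEnhancedMonitorEnabled")


def test_CKV_AWS_40_IAMPolicyAttachedToGroupOrRoles(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_40", "IAMPolicyAttachedToGroupOrRoles")


def test_CKV_AWS_36_CloudTrailLogValidation(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_36", "CloudTrailLogValidation")


def test_CKV_AWS_83_ElasticsearchDomainEnforceHTTPS(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_83", "ElasticsearchDomainEnforceHTTPS")


def test_CKV_AWS_76_APIGatewayAccessLogging(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_76", "APIGatewayAccessLogging")


def test_CKV_AWS_117_LambdaInVPC(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_117", "LambdaInVPC")


def test_CKV_AWS_68_WAFEnabled(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_68", "WAFEnabled")


def test_CKV_AWS_64_RedshiftClusterEncryption(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_64", "RedshiftClusterEncryption")


def test_CKV_AWS_78_CodeBuildProjectEncryption(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_78", "CodeBuildProjectEncryption")


def test_CKV_AWS_31_ElasticacheReplicationGroupEncryptionAtTransitAuthToken(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_31", "ElasticacheReplicationGroupEncryptionAtTransitAuthToken")


def test_CKV_AWS_94_GlueDataCatalogEncryption(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_94", "GlueDataCatalogEncryption")


def test_CKV_AWS_99_GlueSecurityConfiguration(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_99", "GlueSecurityConfiguration")


def test_CKV_AWS_105_RedShiftSSL(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_105", "RedShiftSSL")


def test_CKV_AWS_149_SecretManagerSecretEncrypted(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_149", "SecretManagerSecretEncrypted")


def test_CKV_AWS_59_APIGatewayAuthorization(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_59", "APIGatewayAuthorization")


def test_CKV_AWS_89_DMSReplicationInstancePubliclyAccessible(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_89", "DMSReplicationInstancePubliclyAccessible")


def test_CKV_AWS_34_CloudfrontDistributionEncryption(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_34", "CloudfrontDistributionEncryption")


def test_CKV_AWS_95_APIGatewayV2AccessLogging(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_95", "APIGatewayV2AccessLogging")


def test_CKV_AWS_86_CloudfrontDistributionLogging(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_86", "CloudfrontDistributionLogging")


def test_CKV_AWS_90_DocDBTLS(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_90", "DocDBTLS")


def test_CKV_AWS_174_CloudFrontTLS12(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_174", "CloudFrontTLS12")


def test_CKV_AWS_71_RedshiftClusterLogging(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_71", "RedshiftClusterLogging")


def test_CKV_AWS_92_ELBAccessLogs(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_92", "ELBAccessLogs")


def test_CKV_AWS_67_CloudtrailMultiRegion(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_67", "CloudtrailMultiRegion")


def test_CKV_AWS_91_ELBv2AccessLogs(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_91", "ELBv2AccessLogs")


def test_CKV_AWS_164_TransferServerIsPublic(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_164", "TransferServerIsPublic")


def test_CKV_AWS_97_ECSTaskDefinitionEFSVolumeEncryption(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_97", "ECSTaskDefinitionEFSVolumeEncryption")


def test_CKV_AWS_123_VPCEndpointAcceptanceConfigured(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_123", "VPCEndpointAcceptanceConfigured")


def test_CKV_AWS_35_CloudtrailEncryption(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_35", "CloudtrailEncryption")


def test_CKV_AWS_154_RedshiftInEc2ClassicMode(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_154", "RedshiftInEc2ClassicMode")


def test_CKV_AWS_84_ElasticsearchDomainLogging(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_84", "ElasticsearchDomainLogging")


def test_CKV_AWS_136_ECRRepositoryEncrypted(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_136", "ECRRepositoryEncrypted")


def test_CKV_AWS_66_CloudWatchLogGroupRetention(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_66", "CloudWatchLogGroupRetention")


def test_CKV_AWS_5_ElasticsearchEncryption(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_5", "ElasticsearchEncryption")


def test_CKV_AWS_73_APIGatewayXray(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_73", "APIGatewayXray")


def test_CKV_AWS_6_ElasticsearchNodeToNodeEncryption(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_6", "ElasticsearchNodeToNodeEncryption")


def test_CKV_AWS_88_EC2PublicIP(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_88", "EC2PublicIP")


def test_CKV_AWS_8_LaunchConfigurationEBSEncryption(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_8", "LaunchConfigurationEBSEncryption")


def test_CKV_AWS_45_LambdaEnvironmentCredentials(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_45", "LambdaEnvironmentCredentials")


def test_CKV_AWS_58_EKSSecretsEncryption(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_58", "EKSSecretsEncryption")


def test_CKV_AWS_65_ECSClusterContainerInsights(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_65", "ECSClusterContainerInsights")


def test_CKV_AWS_131_ALBDropHttpHeaders(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_131", "ALBDropHttpHeaders")


def test_CKV_AWS_2_ALBListenerHTTPS(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_2", "ALBListenerHTTPS")


def test_CKV_AWS_23_SecurityGroupRuleDescription(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_23", "SecurityGroupRuleDescription")


def test_CKV_AWS_173_LambdaEnvironmentEncryptionSettings(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_173", "LambdaEnvironmentEncryptionSettings")


def test_CKV_AWS_157_RDSMultiAZEnabled(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_157", "RDSMultiAZEnabled")


def test_CKV_AWS_96_AuroraEncryption(failed_checks):
    _assert_check(failed_checks, "CKV_AWS_96", "AuroraEncryption")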
================================================
FILE: cdk_integration_tests/test_checks_typescript.py
================================================
from typing import Dict, Any, List
import pytest
from cdk_integration_tests.utils import run_check, load_failed_checks_from_file
# Language tag handed to load_failed_checks_from_file; selects the TypeScript CDK report.
LANGUAGE = "typescript"
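@pytest.fixture(scope="session", autouse=True)
def failed_checks() -> Dict[str, List[Dict[str, Any]]]:
    """Load the recorded failed checks for the TypeScript CDK fixtures once per session.

    Returns the mapping produced by ``load_failed_checks_from_file(LANGUAGE)``.
    The fixture has no teardown work, so the value is returned rather than
    yielded; this keeps the declared return type accurate (a yielding fixture
    is a generator, which the annotation did not reflect).
    """
    return load_failed_checks_from_file(LANGUAGE)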
def test_CKV_AWS_131_ALBDropHttpHeaders(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_131", policy_name="ALBDropHttpHeaders",
language="typescript")
def test_CKV_AWS_2_ALBListenerHTTPS(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_2", policy_name="ALBListenerHTTPS", language="typescript")
def test_CKV_AWS_59_APIGatewayAuthorization(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_59", policy_name="APIGatewayAuthorization",
language="typescript")
def test_CKV_AWS_76_APIGatewayAccessLogging(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_76", policy_name="APIGatewayAccessLogging",
language="typescript")
def test_CKV_AWS_120_APIGatewayCacheEnable(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_120", policy_name="APIGatewayCacheEnable",
language="typescript")
def test_CKV_AWS_95_APIGatewayV2AccessLogging(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_95", policy_name="APIGatewayV2AccessLogging",
language="typescript")
def test_CKV_AWS_73_APIGatewayXray(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_73", policy_name="APIGatewayXray", language="typescript")
def test_CKV_AWS_194_AppSyncFieldLevelLogs(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_194", policy_name="AppSyncFieldLevelLogs",
language="typescript")
def test_CKV_AWS_193_AppSyncLogging(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_193", policy_name="AppSyncLogging", language="typescript")
def test_CKV_AWS_82_AthenaWorkgroupConfiguration(failed_checks):
# need to wait for variable rendering in TS
run_check(check_results=failed_checks, check_id="CKV_AWS_82", policy_name="AthenaWorkgroupConfiguration",
language="typescript")
def test_CKV_AWS_131_AmazonMQBrokerPublicAccess(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_69", policy_name="AmazonMQBrokerPublicAccess",
language="typescript")
def test_CKV_AWS_96_AuroraEncryption(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_96", policy_name="AuroraEncryption",
language="typescript")
def test_CKV_AWS_166_BackupVaultEncrypted(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_166", policy_name="BackupVaultEncrypted",
language="typescript")
def test_CKV_AWS_174_CloudFrontTLS12(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_174", policy_name="CloudFrontTLS12", language="typescript")
def test_CKV_AWS_36_CloudTrailLogValidation(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_36", policy_name="CloudTrailLogValidation",
language="typescript")
def test_CKV_AWS_20_S3PublicACLRead(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_20", policy_name="S3PublicACLRead", language="typescript")
def test_CKV_AWS_56_S3RestrictPublicBuckets(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_56", policy_name="S3RestrictPublicBuckets",
language="typescript")
def test_CKV_AWS_149_SecretManagerSecretEncrypted(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_149", policy_name="SecretManagerSecretEncrypted",
language="typescript")
def test_CKV_AWS_23_SecurityGroupRuleDescription(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_23", policy_name="SecurityGroupRuleDescription",
language="typescript")
def test_CKV_AWS_26_SNSTopicEncryption(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_26", policy_name="SNSTopicEncryption",
language="typescript")
def test_CKV_AWS_27_SQSQueueEncryption(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_27", policy_name="SQSQueueEncryption",
language="typescript")
def test_CKV_AWS_164_TransferServerIsPublic(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_164", policy_name="TransferServerIsPublic",
language="typescript")
def test_CKV_AWS_123_VPCEndpointAcceptanceConfigured(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_123", policy_name="VPCEndpointAcceptanceConfigured",
language="typescript")
def test_CKV_AWS_68_WAFEnabled(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_68", policy_name="WAFEnabled", language="typescript")
def test_CKV_AWS_156_WorkspaceRootVolumeEncrypted(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_156", policy_name="WorkspaceRootVolumeEncrypted",
language="typescript")
def test_CKV_AWS_155_WorkspaceUserVolumeEncrypted(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_155", policy_name="WorkspaceUserVolumeEncrypted",
language="typescript")
def test_CKV_AWS_88_EC2PublicIP(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_88", policy_name="EC2PublicIP", language="typescript")
def test_CKV_AWS_163_ECRImageScanning(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_163", policy_name="ECRImageScanning",
language="typescript")
def test_CKV_AWS_51_ECRImmutableTags(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_51", policy_name="ECRImmutableTags", language="typescript")
def test_CKV_AWS_136_ECRRepositoryEncrypted(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_136", policy_name="ECRRepositoryEncrypted",
language="typescript")
def test_CKV_AWS_65_ECSClusterContainerInsights(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_65", policy_name="ECSClusterContainerInsights",
language="typescript")
def test_CKV_AWS_97_ECSTaskDefinitionEFSVolumeEncryption(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_97", policy_name="ECSTaskDefinitionEFSVolumeEncryption",
language="typescript")
def test_CKV_AWS_42_EFSEncryptionEnabled(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_42", policy_name="EFSEncryptionEnabled",
language="typescript")
def test_CKV_AWS_58_EKSSecretsEncryption(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_58", policy_name="EKSSecretsEncryption",
language="typescript")
def test_CKV_AWS_29_ElasticacheReplicationGroupEncryptionAtRest(failed_checks):
run_check(check_results=failed_checks, check_id="CKV_AWS_29",
policy_name="ElasticacheReplicationGroupEncryptionAtRest", language="typescript")
def test_CKV_AWS_30_ElasticacheReplicationGroupEncryptionAtTransit(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_30 (ElasticacheReplicationGroupEncryptionAtTransit)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_30",
        policy_name="ElasticacheReplicationGroupEncryptionAtTransit",
        language="typescript",
    )
def test_CKV_AWS_31_ElasticacheReplicationGroupEncryptionAtTransitAuthToken(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_31 (ElasticacheReplicationGroupEncryptionAtTransitAuthToken)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_31",
        policy_name="ElasticacheReplicationGroupEncryptionAtTransitAuthToken",
        language="typescript",
    )
def test_CKV_AWS_83_ElasticsearchDomainEnforceHTTPS(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_83 (ElasticsearchDomainEnforceHTTPS)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_83",
        policy_name="ElasticsearchDomainEnforceHTTPS",
        language="typescript",
    )
def test_CKV_AWS_84_ElasticsearchDomainLogging(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_84 (ElasticsearchDomainLogging)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_84",
        policy_name="ElasticsearchDomainLogging",
        language="typescript",
    )
def test_CKV_AWS_92_ELBAccessLogs(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_92 (ELBAccessLogs)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_92",
        policy_name="ELBAccessLogs",
        language="typescript",
    )
def test_CKV_AWS_91_ELBv2AccessLogs(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_91 (ELBv2AccessLogs)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_91",
        policy_name="ELBv2AccessLogs",
        language="typescript",
    )
def test_CKV_AWS_158_CloudWatchLogGroupKMSKey(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_158 (CloudWatchLogGroupKMSKey)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_158",
        policy_name="CloudWatchLogGroupKMSKey",
        language="typescript",
    )
def test_CKV_AWS_66_CloudWatchLogGroupRetention(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_66 (CloudWatchLogGroupRetention)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_66",
        policy_name="CloudWatchLogGroupRetention",
        language="typescript",
    )
def test_CKV_AWS_34_CloudfrontDistributionEncryption(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_34 (CloudfrontDistributionEncryption)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_34",
        policy_name="CloudfrontDistributionEncryption",
        language="typescript",
    )
def test_CKV_AWS_86_CloudfrontDistributionLogging(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_86 (CloudfrontDistributionLogging)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_86",
        policy_name="CloudfrontDistributionLogging",
        language="typescript",
    )
def test_CKV_AWS_35_CloudtrailEncryption(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_35 (CloudtrailEncryption)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_35",
        policy_name="CloudtrailEncryption",
        language="typescript",
    )
def test_CKV_AWS_67_CloudtrailMultiRegion(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_67 (CloudtrailMultiRegion)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_67",
        policy_name="CloudtrailMultiRegion",
        language="typescript",
    )
def test_CKV_AWS_78_CodeBuildProjectEncryption(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_78 (CodeBuildProjectEncryption)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_78",
        policy_name="CodeBuildProjectEncryption",
        language="typescript",
    )
def test_CKV_AWS_47_DAXEncryption(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_47 (DAXEncryption)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_47",
        policy_name="DAXEncryption",
        language="typescript",
    )
def test_CKV_AWS_89_DMSReplicationInstancePubliclyAccessible(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_89 (DMSReplicationInstancePubliclyAccessible)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_89",
        policy_name="DMSReplicationInstancePubliclyAccessible",
        language="typescript",
    )
def test_CKV_AWS_104_DocDBAuditLogs(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_104 (DocDBAuditLogs)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_104",
        policy_name="DocDBAuditLogs",
        language="typescript",
    )
def test_CKV_AWS_74_DocDBEncryption(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_74 (DocDBEncryption)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_74",
        policy_name="DocDBEncryption",
        language="typescript",
    )
def test_CKV_AWS_90_DocDBTLS(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_90 (DocDBTLS)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_90",
        policy_name="DocDBTLS",
        language="typescript",
    )
def test_CKV_AWS_165_DynamodbGlobalTableRecovery(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_165 (DynamodbGlobalTableRecovery)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_165",
        policy_name="DynamodbGlobalTableRecovery",
        language="typescript",
    )
def test_CKV_AWS_28_DynamodbRecovery(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_28 (DynamodbRecovery)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_28",
        policy_name="DynamodbRecovery",
        language="typescript",
    )
def test_CKV_AWS_3_EBSEncryption(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_3 (EBSEncryption)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_3",
        policy_name="EBSEncryption",
        language="typescript",
    )
def test_CKV_AWS_18_S3BucketLogging(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_18 (S3BucketLogging)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_18",
        policy_name="S3BucketLogging",
        language="typescript",
    )
def test_CKV_AWS_19_S3BucketEncryption(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_19 (S3BucketEncryption)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_19",
        policy_name="S3BucketEncryption",
        language="typescript",
    )
def test_CKV_AWS_21_S3BucketVersioning(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_21 (S3BucketVersioning)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_21",
        policy_name="S3BucketVersioning",
        language="typescript",
    )
def test_CKV_AWS_145_S3BucketKMSEncryption(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_145 (S3BucketKMSEncryption)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_145",
        policy_name="S3BucketKMSEncryption",
        language="typescript",
    )
def test_CKV2_AWS_6_S3BucketPublicAccessBlock(failed_checks):
    """The TypeScript CDK report must have results for CKV2_AWS_6 (S3BucketPublicAccessBlock)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV2_AWS_6",
        policy_name="S3BucketPublicAccessBlock",
        language="typescript",
    )
def test_CKV_AWS_195_GlueSecurityConfigurationEnabled(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_195 (GlueSecurityConfigurationEnabled)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_195",
        policy_name="GlueSecurityConfigurationEnabled",
        language="typescript",
    )
def test_CKV_AWS_5_ElasticsearchEncryption(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_5 (ElasticsearchEncryption)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_5",
        policy_name="ElasticsearchEncryption",
        language="typescript",
    )
def test_CKV_AWS_6_ElasticsearchNodeToNodeEncryption(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_6 (ElasticsearchNodeToNodeEncryption)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_6",
        policy_name="ElasticsearchNodeToNodeEncryption",
        language="typescript",
    )
def test_CKV_AWS_94_GlueDataCatalogEncryption(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_94 (GlueDataCatalogEncryption)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_94",
        policy_name="GlueDataCatalogEncryption",
        language="typescript",
    )
def test_CKV_AWS_99_GlueSecurityConfiguration(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_99 (GlueSecurityConfiguration)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_99",
        policy_name="GlueSecurityConfiguration",
        language="typescript",
    )
def test_CKV_AWS_40_IAMPolicyAttachedToGroupOrRoles(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_40 (IAMPolicyAttachedToGroupOrRoles)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_40",
        policy_name="IAMPolicyAttachedToGroupOrRoles",
        language="typescript",
    )
def test_CKV_AWS_43_KinesisStreamEncryptionType(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_43 (KinesisStreamEncryptionType)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_43",
        policy_name="KinesisStreamEncryptionType",
        language="typescript",
    )
def test_CKV_AWS_116_LambdaDLQConfigured(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_116 (LambdaDLQConfigured)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_116",
        policy_name="LambdaDLQConfigured",
        language="typescript",
    )
def test_CKV_AWS_45_LambdaEnvironmentCredentials(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_45 (LambdaEnvironmentCredentials)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_45",
        policy_name="LambdaEnvironmentCredentials",
        language="typescript",
    )
def test_CKV_AWS_173_LambdaEnvironmentEncryptionSettings(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_173 (LambdaEnvironmentEncryptionSettings)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_173",
        policy_name="LambdaEnvironmentEncryptionSettings",
        language="typescript",
    )
def test_CKV_AWS_115_LambdaFunctionLevelConcurrentExecutionLimit(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_115 (LambdaFunctionLevelConcurrentExecutionLimit)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_115",
        policy_name="LambdaFunctionLevelConcurrentExecutionLimit",
        language="typescript",
    )
def test_CKV_AWS_117_LambdaInVPC(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_117 (LambdaInVPC)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_117",
        policy_name="LambdaInVPC",
        language="typescript",
    )
def test_CKV_AWS_8_LaunchConfigurationEBSEncryption(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_8 (LaunchConfigurationEBSEncryption)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_8",
        policy_name="LaunchConfigurationEBSEncryption",
        language="typescript",
    )
def test_CKV_AWS_44_NeptuneClusterStorageEncrypted(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_44 (NeptuneClusterStorageEncrypted)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_44",
        policy_name="NeptuneClusterStorageEncrypted",
        language="typescript",
    )
# TODO: re-enable this test once BCE-33034 is resolved
# def test_CKV_AWS_118_RDSEnhancedMonitorEnabled(failed_checks):
# run_check(check_results=failed_checks, check_id="CKV_AWS_118", policy_name="RDSEnhancedMonitorEnabled",
# language="typescript")
def test_CKV_AWS_157_RDSMultiAZEnabled(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_157 (RDSMultiAZEnabled)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_157",
        policy_name="RDSMultiAZEnabled",
        language="typescript",
    )
def test_CKV_AWS_17_RDSPubliclyAccessible(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_17 (RDSPubliclyAccessible)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_17",
        policy_name="RDSPubliclyAccessible",
        language="typescript",
    )
def test_CKV_AWS_105_RedShiftSSL(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_105 (RedShiftSSL)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_105",
        policy_name="RedShiftSSL",
        language="typescript",
    )
def test_CKV_AWS_64_RedshiftClusterEncryption(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_64 (RedshiftClusterEncryption)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_64",
        policy_name="RedshiftClusterEncryption",
        language="typescript",
    )
def test_CKV_AWS_71_RedshiftClusterLogging(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_71 (RedshiftClusterLogging)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_71",
        policy_name="RedshiftClusterLogging",
        language="typescript",
    )
def test_CKV_AWS_87_RedshiftClusterPubliclyAccessible(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_87 (RedshiftClusterPubliclyAccessible)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_87",
        policy_name="RedshiftClusterPubliclyAccessible",
        language="typescript",
    )
def test_CKV_AWS_154_RedshiftInEc2ClassicMode(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_154 (RedshiftInEc2ClassicMode)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_154",
        policy_name="RedshiftInEc2ClassicMode",
        language="typescript",
    )
def test_CKV_AWS_53_S3BlockPublicACLs(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_53 (S3BlockPublicACLs)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_53",
        policy_name="S3BlockPublicACLs",
        language="typescript",
    )
def test_CKV_AWS_54_S3BlockPublicPolicy(failed_checks):
    """The TypeScript CDK report must have results for CKV_AWS_54 (S3BlockPublicPolicy)."""
    run_check(
        check_results=failed_checks,
        check_id="CKV_AWS_54",
        policy_name="S3BlockPublicPolicy",
        language="typescript",
    )
================================================
FILE: cdk_integration_tests/utils.py
================================================
import json
import os
from typing import Any, Dict, List, Optional

import yaml
# directory of this helper module; the report and policy paths used below are resolved relative to it
current_dir = os.path.dirname(os.path.realpath(__file__))
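def load_failed_checks_from_file(lang: str, report_path: Optional[str] = None) -> Dict[str, List[Dict[str, Any]]]:
    """Group the failed and skipped checks of the ``cdk_<lang>`` report by check id.

    :param lang: CDK language suffix selecting the report (its ``check_type`` must be ``cdk_<lang>``).
    :param report_path: JSON report to read; defaults to ``../checkov_report_cdk.json`` relative to
        this module. Exposed mainly so the helper can be exercised against a fixture file.
    :return: ``{check_id: [check record, ...]}`` with failed checks first and skipped checks after
        them (a suppressed finding still counts as a hit for ``run_check``), or ``{}`` when the
        report does not contain a ``cdk_<lang>`` entry.
    """
    if report_path is None:
        report_path = os.path.join(current_dir, '..', 'checkov_report_cdk.json')
    with open(report_path) as f:
        reports = json.load(f)
    # a single-framework run writes one report object instead of a list; iterating a dict
    # would yield its keys, so normalise to a list first
    if isinstance(reports, dict):
        reports = [reports]

    for report in reports:
        if report.get('check_type') != f'cdk_{lang}':
            continue
        results = report.get("results") or {}
        grouped: Dict[str, List[Dict[str, Any]]] = {}
        # either list may be absent from the report; treat a missing list as empty instead of raising
        for check in (results.get("failed_checks") or []) + (results.get("skipped_checks") or []):
            grouped.setdefault(check['check_id'], []).append(check)
        return grouped
    return {}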
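def is_policy_with_correct_check_id(check_id: str, language: str, policy_name: str) -> bool:
    """Return True when ``checkov/cdk/checks/<language>/<policy_name>.yaml`` declares ``metadata.id == check_id``.

    :param check_id: expected policy id, e.g. ``"CKV_AWS_3"``.
    :param language: CDK language sub-directory holding the policy.
    :param policy_name: policy file name without the ``.yaml`` suffix.
    :raises FileNotFoundError: when the policy file does not exist (a wrong ``policy_name`` in a test).
    """
    path = os.path.join(current_dir, '..', 'checkov', 'cdk', 'checks', language, policy_name + ".yaml")
    with open(path, 'r') as file:
        # safe_load: policy files are plain data and must never be able to construct Python objects
        data = yaml.safe_load(file)
    # an empty or scalar-only file loads as None/str; report a mismatch rather than raising TypeError
    if not isinstance(data, dict):
        return False
    metadata = data.get('metadata')
    return isinstance(metadata, dict) and metadata.get('id') == check_id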
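def run_check(check_results: Dict[str, List[Dict[str, Any]]], check_id: str, policy_name: str, language: str) -> None:
    """Assert that ``policy_name`` carries id ``check_id`` and that the report recorded results for it.

    :param check_results: output of ``load_failed_checks_from_file`` (failed + skipped checks by id).
    :param check_id: policy id the test expects to have fired.
    :param policy_name: policy file that should declare ``check_id``.
    :param language: CDK language of the policy directory.
    :raises AssertionError: with a message naming the policy or check id, so a failing integration
        test says which of the two expectations was violated.
    """
    assert is_policy_with_correct_check_id(check_id, language, policy_name), \
        f"{language}/{policy_name}.yaml does not declare metadata.id {check_id}"
    results_for_check_id = check_results.get(check_id)
    assert results_for_check_id, f"no failed or skipped results for {check_id} in the cdk_{language} report"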
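def validate_report(report_path: str) -> None:
    """Assert that the single-framework JSON report at ``report_path`` contains failures only.

    The CDK fixtures are written to fail, so a passed check means a policy matched the wrong
    resource. Both the ``results`` lists and the ``summary`` counters are verified.

    :param report_path: path of a checkov JSON report holding one report object.
    :raises AssertionError: when any check passed, no check failed, or a section is missing.
    """
    with open(report_path) as f:
        report = json.load(f)
    assert report is not None
    results = report.get("results")
    assert results is not None, "report has no 'results' section"
    passed_checks = results.get("passed_checks")
    failed_checks = results.get("failed_checks")
    assert not passed_checks, f"unexpected passed checks: {passed_checks}"
    assert failed_checks is not None
    assert isinstance(failed_checks, list)
    assert len(failed_checks) > 0
    # guard the summary explicitly so a missing section is an assertion, not an AttributeError
    summary = report.get("summary")
    assert summary is not None, "report has no 'summary' section"
    assert summary.get("passed") == 0
    assert summary.get("failed") > 0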
================================================
FILE: checkov/__init__.py
================================================
================================================
FILE: checkov/ansible/__init__.py
================================================
from checkov.ansible.checks import * # noqa
================================================
FILE: checkov/ansible/checks/__init__.py
================================================
from checkov.ansible.checks.task import * # noqa
================================================
FILE: checkov/ansible/checks/base_ansible_task_check.py
================================================
from __future__ import annotations
import json
import logging
from abc import abstractmethod
from collections.abc import Iterable
from typing import TYPE_CHECKING, Any
from checkov.ansible.checks.registry import registry
from checkov.common.checks.base_check import BaseCheck
from checkov.common.models.enums import CheckResult
if TYPE_CHECKING:
from checkov.common.models.enums import CheckCategories
class BaseAnsibleTaskCheck(BaseCheck):
    """Base class for checks that target one Ansible task module.

    The constructor turns ``supported_modules`` into the JMESPath selectors the registry uses to
    find matching tasks (play-level ``tasks``, bare task lists, and ``block`` nesting up to three
    levels) and registers the check with the Ansible registry.
    """

    def __init__(
        self,
        name: str,
        id: str,
        categories: Iterable[CheckCategories],
        supported_modules: Iterable[str],
        block_type: str,
        guideline: str | None = None,
        path: str | None = None,
    ) -> None:
        # one selector per (module, nesting shape); jmespath has no recursive descent
        # (https://github.com/jmespath/jmespath.py/issues/110), so block nesting is spelled
        # out explicitly and deliberately stops at three levels
        selector_templates = (
            '[].tasks[?"{module}" != null][]',
            '[?"{module}" != null][]',
            '[].tasks[].block[?"{module}" != null][]',
            '[].block[?"{module}" != null][]',
            '[].tasks[].block[].block[?"{module}" != null][]',
            '[].block[].block[?"{module}" != null][]',
            '[].tasks[].block[].block[].block[?"{module}" != null][]',
            '[].block[].block[].block[?"{module}" != null][]',
        )
        supported_entities = []
        for module in supported_modules:
            for template in selector_templates:
                supported_entities.append(template.format(module=module))

        super().__init__(
            name=name,
            id=id,
            categories=categories,
            supported_entities=supported_entities,
            block_type=block_type,
            guideline=guideline,
        )
        self.entity_conf: dict[str, Any]  # complete task configuration, set in scan_entity_conf
        self.path = path
        self.supported_modules = supported_modules
        registry.register(self)

    def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> tuple[CheckResult, dict[str, Any]]:
        """Locate the supported module inside the task ``conf`` and hand its arguments to ``scan_conf``.

        Returns UNKNOWN (with the full task) when none of the supported modules is present or
        the module's value is empty/falsy.
        """
        self.entity_type = entity_type
        self.entity_conf = conf

        module_conf = None
        for module in self.supported_modules:
            if module in conf:
                module_conf = conf[module]
                break

        if not module_conf:
            # the selectors should guarantee a match, so this is a defensive fallback only
            logging.info(f"Failed to find supported module {self.supported_modules} in {json.dumps(conf)}")
            return CheckResult.UNKNOWN, conf

        return self.scan_conf(module_conf)

    @abstractmethod
    def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:
        """Evaluate the module arguments ``conf``; implemented by concrete checks."""
        pass
================================================
FILE: checkov/ansible/checks/base_ansible_task_value_check.py
================================================
from __future__ import annotations
from abc import abstractmethod
from collections.abc import Iterable
from typing import TYPE_CHECKING, Any
from checkov.ansible.checks.base_ansible_task_check import BaseAnsibleTaskCheck
from checkov.common.models.consts import ANY_VALUE
from checkov.common.models.enums import CheckResult
from checkov.common.util.data_structures_utils import find_in_dict
from checkov.yaml_doc.enums import BlockType
if TYPE_CHECKING:
from checkov.common.models.enums import CheckCategories
class BaseAnsibleTaskValueCheck(BaseAnsibleTaskCheck):
    """Task check that compares a single module argument against a set of expected values.

    Concrete checks implement ``get_inspected_key``; the expected value defaults to ``True`` and is
    changed by overriding ``get_expected_value`` (or ``get_expected_values`` for several options).
    """

    def __init__(
        self,
        name: str,
        id: str,
        categories: Iterable[CheckCategories],
        supported_modules: Iterable[str],
        guideline: str | None = None,
        path: str | None = None,
        missing_block_result: CheckResult = CheckResult.FAILED,
    ) -> None:
        # value checks always use the ARRAY block type; the outcome for an absent key is configurable
        super().__init__(
            name=name,
            id=id,
            categories=categories,
            supported_modules=supported_modules,
            block_type=BlockType.ARRAY,
            guideline=guideline,
            path=path,
        )
        self.missing_block_result = missing_block_result

    def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:
        """Compare the inspected key of ``conf`` with the expected values.

        The returned configuration is always the complete task (``self.entity_conf``), not the
        module arguments alone.
        """
        key = self.get_inspected_key()
        expectations = self.get_expected_values()
        actual = find_in_dict(conf, key)

        if actual is None:
            # key not present: the subclass decides whether that is a failure
            return self.missing_block_result, self.entity_conf

        passed = ANY_VALUE in expectations or actual in expectations
        if not passed and isinstance(actual, str):
            # string settings are frequently case-insensitive, so retry against lower-cased strings
            lowered = [exp.lower() for exp in expectations if isinstance(exp, str)]
            passed = actual.lower() in lowered

        outcome = CheckResult.PASSED if passed else CheckResult.FAILED
        return outcome, self.entity_conf

    @abstractmethod
    def get_inspected_key(self) -> str:
        """
        :return: path of the checked attribute in the form ``find_in_dict`` understands
                 (e.g. ``"network/assign_public_ip"`` for a nested key)
        """
        raise NotImplementedError()

    def get_expected_values(self) -> list[Any]:
        """
        Override when more than one value is acceptable for the inspected key.
        :return: list of acceptable values; defaults to ``[get_expected_value()]``
        """
        return [self.get_expected_value()]

    def get_expected_value(self) -> Any:
        """
        Default expected value, governed by provider best practices (``True`` unless overridden).
        """
        return True

    def get_evaluated_keys(self) -> list[str]:
        """The single inspected key is the only attribute this check evaluates."""
        return [self.get_inspected_key()]
================================================
FILE: checkov/ansible/checks/graph_checks/BlockErrorHandling.yaml
================================================
# CKV2_ANSIBLE_3 — every `block` must carry a `rescue` section; a block without one
# leaves task failures inside it unhandled.
metadata:
  id: "CKV2_ANSIBLE_3"
  name: "Ensure block is handling task errors properly"
  category: "BACKUP_AND_RECOVERY"
definition:
  cond_type: attribute
  resource_types:
    - block
  attribute: rescue
  operator: exists
================================================
FILE: checkov/ansible/checks/graph_checks/DnfDisableGpgCheck.yaml
================================================
# CKV2_ANSIBLE_4 — fails when a dnf task explicitly sets `disable_gpg_check: true`.
# NOTE(review): whether an unset attribute satisfies `not_equals` is decided by the graph
# solver; CKV_PAN_10's comment states it does, while CKV_PAN_2/3 add an explicit
# `not_exists` branch for the same situation — confirm the intended behaviour here.
metadata:
  id: "CKV2_ANSIBLE_4"
  name: "Ensure that packages with untrusted or missing GPG signatures are not used by dnf"
  category: "GENERAL_SECURITY"
definition:
  cond_type: attribute
  resource_types:
    - tasks.ansible.builtin.dnf
    - tasks.dnf
  attribute: disable_gpg_check
  operator: not_equals
  value: true
================================================
FILE: checkov/ansible/checks/graph_checks/DnfSslVerify.yaml
================================================
# CKV2_ANSIBLE_5 — fails when a dnf task explicitly sets `sslverify: false`
# (TLS verification of the repository connection switched off).
# Both the FQCN and the short module name are matched.
metadata:
  id: "CKV2_ANSIBLE_5"
  name: "Ensure that SSL validation isn't disabled with dnf"
  category: "GENERAL_SECURITY"
definition:
  cond_type: attribute
  resource_types:
    - tasks.ansible.builtin.dnf
    - tasks.dnf
  attribute: sslverify
  operator: not_equals
  value: false
================================================
FILE: checkov/ansible/checks/graph_checks/DnfValidateCerts.yaml
================================================
# CKV2_ANSIBLE_6 — fails when a dnf task explicitly sets `validate_certs: false`.
# Companion of CKV2_ANSIBLE_5: `sslverify` and `validate_certs` are separate module
# options, so each gets its own check.
metadata:
  id: "CKV2_ANSIBLE_6"
  name: "Ensure that certificate validation isn't disabled with dnf"
  category: "GENERAL_SECURITY"
definition:
  cond_type: attribute
  resource_types:
    - tasks.ansible.builtin.dnf
    - tasks.dnf
  attribute: validate_certs
  operator: not_equals
  value: false
================================================
FILE: checkov/ansible/checks/graph_checks/GetUrlHttpsOnly.yaml
================================================
# CKV2_ANSIBLE_2 — get_url must not fetch over plain http:// or ftp://.
# NOTE(review): unlike CKV2_ANSIBLE_1 (uri), this is a deny-list rather than an
# `starting_with "https://"` allow-list, so file://, scheme-less or templated URLs pass;
# upper-case schemes such as `HTTP://` also pass if `not_starting_with` is case-sensitive.
metadata:
  id: "CKV2_ANSIBLE_2"
  name: "Ensure that HTTPS url is used with get_url"
  category: "NETWORKING"
definition:
  and:
    - cond_type: attribute
      resource_types:
        - tasks.ansible.builtin.get_url
        - tasks.get_url
      attribute: url
      operator: not_starting_with
      value: "http://"
    - cond_type: attribute
      resource_types:
        - tasks.ansible.builtin.get_url
        - tasks.get_url
      attribute: url
      operator: not_starting_with
      value: "ftp://"
================================================
FILE: checkov/ansible/checks/graph_checks/PanosIPsecAuthenticationAlgorithms.yaml
================================================
# CKV_PAN_12 — an IPsec profile must state its ESP authentication explicitly (`exists`),
# and the setting may not include none, md5 or sha1; anything else is accepted.
metadata:
  id: "CKV_PAN_12"
  name: "Ensure IPsec profiles do not specify use of insecure authentication algorithms"
  category: "NETWORKING"
definition:
  and:
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_ipsec_profile
      attribute: esp_authentication
      operator: exists
    # no authentication at all
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_ipsec_profile
      attribute: esp_authentication
      operator: not_contains
      value: 'none'
    # broken / deprecated hash algorithms
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_ipsec_profile
      attribute: esp_authentication
      operator: not_contains
      value: 'md5'
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_ipsec_profile
      attribute: esp_authentication
      operator: not_contains
      value: 'sha1'
================================================
FILE: checkov/ansible/checks/graph_checks/PanosIPsecProtocols.yaml
================================================
# CKV_PAN_13 — pure presence test: any `ah_authentication` setting on an IPsec profile fails.
# NOTE(review): assumes the key is only set when the AH protocol (authentication without
# encryption) is chosen instead of ESP — confirm against the panos_ipsec_profile module.
metadata:
  id: "CKV_PAN_13"
  name: "Ensure IPsec profiles do not specify use of insecure protocols"
  category: "NETWORKING"
definition:
  cond_type: attribute
  resource_types:
    - tasks.paloaltonetworks.panos.panos_ipsec_profile
  attribute: ah_authentication
  operator: not_exists
================================================
FILE: checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoHTTP.yaml
================================================
# CKV_PAN_2 — an Interface Management Profile passes when `http` is absent or set to
# anything other than true; the `not_exists` branch makes the missing-key case pass explicitly.
# NOTE(review): CKV_PAN_16 uses `not_equals_ignore_case` for the same kind of boolean
# comparison — confirm `not_equals` also matches string spellings Ansible accepts as true.
metadata:
  id: "CKV_PAN_2"
  name: "Ensure plain-text management HTTP is not enabled for an Interface Management Profile"
  category: "NETWORKING"
definition:
  or:
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_management_profile
      attribute: http
      operator: not_exists
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_management_profile
      attribute: http
      operator: not_equals
      value: true
================================================
FILE: checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoTelnet.yaml
================================================
# CKV_PAN_3 — same shape as CKV_PAN_2, for the `telnet` flag of an Interface Management
# Profile: passes when the key is absent or not set to true.
metadata:
  id: "CKV_PAN_3"
  name: "Ensure plain-text management Telnet is not enabled for an Interface Management Profile"
  category: "NETWORKING"
definition:
  or:
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_management_profile
      attribute: telnet
      operator: not_exists
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_management_profile
      attribute: telnet
      operator: not_equals
      value: true
================================================
FILE: checkov/ansible/checks/graph_checks/PanosPolicyDescription.yaml
================================================
# CKV_PAN_8 — every security rule needs a description; `exists` alone would accept
# `description: ""`, hence the additional `is_not_empty` condition.
metadata:
  id: "CKV_PAN_8"
  name: "Ensure description is populated within security policies"
  category: "NETWORKING"
definition:
  and:
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_security_rule
      attribute: description
      operator: exists
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_security_rule
      attribute: description
      operator: is_not_empty
================================================
FILE: checkov/ansible/checks/graph_checks/PanosPolicyLogForwarding.yaml
================================================
# CKV_PAN_9 — every security rule must reference a Log Forwarding Profile via `log_setting`;
# the value has to be present and non-empty.
metadata:
  id: "CKV_PAN_9"
  name: "Ensure a Log Forwarding Profile is selected for each security policy rule"
  category: "NETWORKING"
definition:
  and:
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_security_rule
      attribute: log_setting
      operator: exists
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_security_rule
      attribute: log_setting
      operator: is_not_empty
================================================
FILE: checkov/ansible/checks/graph_checks/PanosPolicyLogSessionStart.yaml
================================================
# CKV_PAN_16 — session-start logging should stay off: the rule fails only when `log_start`
# is explicitly true (compared case-insensitively); an absent flag passes.
metadata:
  id: "CKV_PAN_16"
  name: "Ensure logging at session start is disabled within security policies except for troubleshooting and long lived GRE tunnels"
  category: "LOGGING"
definition:
  # `log_start` defaults to false on the device, so only an explicit `log_start: true` fails
  or:
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_security_rule
      attribute: log_start
      operator: not_equals_ignore_case
      value: true
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_security_rule
      attribute: log_start
      operator: not_exists
================================================
FILE: checkov/ansible/checks/graph_checks/PanosPolicyLoggingEnabled.yaml
================================================
# CKV_PAN_10 — session-end logging must stay enabled: fails on an explicit `log_end: false`.
# NOTE(review): the sibling logging check CKV_PAN_16 is categorised as LOGGING while this
# one is NETWORKING — probably worth aligning.
metadata:
  id: "CKV_PAN_10"
  name: "Ensure logging at session end is enabled within security policies"
  category: "NETWORKING"
definition:
  # an unset `log_end` defaults to true on the device and therefore passes
  cond_type: attribute
  resource_types:
    - tasks.paloaltonetworks.panos.panos_security_rule
  attribute: log_end
  operator: not_equals
  value: false
================================================
FILE: checkov/ansible/checks/graph_checks/PanosPolicyNoApplicationAny.yaml
================================================
# CKV_PAN_5 — a security rule must name its applications: `application` has to be present,
# non-empty and not the catch-all `any` (compared case-insensitively).
metadata:
  id: "CKV_PAN_5"
  name: "Ensure security rules do not have 'application' set to 'any'"
  category: "NETWORKING"
definition:
  and:
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_security_rule
      attribute: application
      operator: exists
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_security_rule
      attribute: application
      operator: is_not_empty
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_security_rule
      attribute: application
      operator: not_equals_ignore_case
      value: 'any'
================================================
FILE: checkov/ansible/checks/graph_checks/PanosPolicyNoDSRI.yaml
================================================
# CKV_PAN_4 — Disable Server Response Inspection must stay off: passes when the flag is
# explicitly false or not set at all (the device default is false).
metadata:
  id: "CKV_PAN_4"
  name: "Ensure DSRI is not enabled within security policies"
  category: "NETWORKING"
definition:
  or:
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_security_rule
      attribute: disable_server_response_inspection
      operator: equals
      value: false
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_security_rule
      attribute: disable_server_response_inspection
      operator: not_exists  # default value is false, which passes the check
================================================
FILE: checkov/ansible/checks/graph_checks/PanosPolicyNoServiceAny.yaml
================================================
# CKV_PAN_6 — a security rule must name its services: `service` has to be present,
# non-empty and not the catch-all `any` (compared case-insensitively). Same shape as CKV_PAN_5.
metadata:
  id: "CKV_PAN_6"
  name: "Ensure security rules do not have 'service' set to 'any'"
  category: "NETWORKING"
definition:
  and:
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_security_rule
      attribute: service
      operator: exists
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_security_rule
      attribute: service
      operator: is_not_empty
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_security_rule
      attribute: service
      operator: not_equals_ignore_case
      value: 'any'
================================================
FILE: checkov/ansible/checks/graph_checks/PanosPolicyNoSrcAnyDstAny.yaml
================================================
# CKV_PAN_7 — at least one side of the rule must be restricted: passes when source_ip OR
# destination_ip is present, non-empty and not `any`. Consequently a rule fails when both
# are `any` — and also when both are missing or empty, since each branch requires the
# attribute to exist.
metadata:
  id: "CKV_PAN_7"
  name: "Ensure security rules do not have 'source_ip' and 'destination_ip' both containing values of 'any'"
  category: "NETWORKING"
definition:
  or:
    # source restricted
    - and:
        - cond_type: attribute
          resource_types:
            - tasks.paloaltonetworks.panos.panos_security_rule
          attribute: source_ip
          operator: exists
        - cond_type: attribute
          resource_types:
            - tasks.paloaltonetworks.panos.panos_security_rule
          attribute: source_ip
          operator: is_not_empty
        - cond_type: attribute
          resource_types:
            - tasks.paloaltonetworks.panos.panos_security_rule
          attribute: source_ip
          operator: not_equals_ignore_case
          value: 'any'
    # destination restricted
    - and:
        - cond_type: attribute
          resource_types:
            - tasks.paloaltonetworks.panos.panos_security_rule
          attribute: destination_ip
          operator: exists
        - cond_type: attribute
          resource_types:
            - tasks.paloaltonetworks.panos.panos_security_rule
          attribute: destination_ip
          operator: is_not_empty
        - cond_type: attribute
          resource_types:
            - tasks.paloaltonetworks.panos.panos_security_rule
          attribute: destination_ip
          operator: not_equals_ignore_case
          value: 'any'
================================================
FILE: checkov/ansible/checks/graph_checks/PanosPolicyNoSrcZoneAnyNoDstZoneAny.yaml
================================================
# CKV_PAN_17 — zone counterpart of CKV_PAN_7: passes when source_zone OR destination_zone is
# present, non-empty and not `any`; fails when both are `any` (or both missing/empty).
metadata:
  id: "CKV_PAN_17"
  name: "Ensure security rules do not have 'source_zone' and 'destination_zone' both containing values of 'any'"
  category: "NETWORKING"
definition:
  or:
    # source zone restricted
    - and:
        - cond_type: attribute
          resource_types:
            - tasks.paloaltonetworks.panos.panos_security_rule
          attribute: source_zone
          operator: exists
        - cond_type: attribute
          resource_types:
            - tasks.paloaltonetworks.panos.panos_security_rule
          attribute: source_zone
          operator: is_not_empty
        - cond_type: attribute
          resource_types:
            - tasks.paloaltonetworks.panos.panos_security_rule
          attribute: source_zone
          operator: not_equals_ignore_case
          value: 'any'
    # destination zone restricted
    - and:
        - cond_type: attribute
          resource_types:
            - tasks.paloaltonetworks.panos.panos_security_rule
          attribute: destination_zone
          operator: exists
        - cond_type: attribute
          resource_types:
            - tasks.paloaltonetworks.panos.panos_security_rule
          attribute: destination_zone
          operator: is_not_empty
        - cond_type: attribute
          resource_types:
            - tasks.paloaltonetworks.panos.panos_security_rule
          attribute: destination_zone
          operator: not_equals_ignore_case
          value: 'any'
================================================
FILE: checkov/ansible/checks/graph_checks/PanosZoneProtectionProfile.yaml
================================================
# CKV_PAN_14 — every security zone must reference a Zone Protection Profile via
# `zone_profile`; the value has to be present and non-empty.
metadata:
  id: "CKV_PAN_14"
  name: "Ensure a Zone Protection Profile is defined within Security Zones"
  category: "NETWORKING"
definition:
  and:
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_zone
      attribute: zone_profile
      operator: exists
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_zone
      attribute: zone_profile
      operator: is_not_empty
================================================
FILE: checkov/ansible/checks/graph_checks/PanosZoneUserIDIncludeACL.yaml
================================================
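# CKV_PAN_15 — a zone with User-ID enabled must also carry a non-empty Include ACL.
# Zones that do not enable User-ID (key absent OR explicitly false) are out of scope and pass.
metadata:
  id: "CKV_PAN_15"
  name: "Ensure an Include ACL is defined for a Zone when User-ID is enabled"
  category: "NETWORKING"
definition:
  or:
    # If User-ID is enabled, also check for a non-empty Include ACL
    - and:
        - cond_type: attribute
          resource_types:
            - tasks.paloaltonetworks.panos.panos_zone
          attribute: enable_userid
          operator: equals
          value: true
        - cond_type: attribute
          resource_types:
            - tasks.paloaltonetworks.panos.panos_zone
          attribute: include_acl
          operator: exists
        - cond_type: attribute
          resource_types:
            - tasks.paloaltonetworks.panos.panos_zone
          attribute: include_acl
          operator: is_not_empty
    # Or if User-ID is not enabled, there is no need to check for an Include ACL.
    # "Not enabled" covers both an absent key and an explicit `enable_userid: false`;
    # with only the `not_exists` branch a zone that explicitly disables User-ID would
    # fail the check (same two-branch shape as CKV_PAN_4).
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_zone
      attribute: enable_userid
      operator: not_exists
    - cond_type: attribute
      resource_types:
        - tasks.paloaltonetworks.panos.panos_zone
      attribute: enable_userid
      operator: equals
      value: false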
================================================
FILE: checkov/ansible/checks/graph_checks/UriHttpsOnly.yaml
================================================
# CKV2_ANSIBLE_1 — uri must use an https:// URL. This is an allow-list: any value that does
# not literally start with "https://" fails, which includes templated URLs such as
# "{{ base_url }}/path" even when the variable resolves to https. Compare CKV2_ANSIBLE_2
# (get_url), which only denies http:// and ftp://.
metadata:
  id: "CKV2_ANSIBLE_1"
  name: "Ensure that HTTPS url is used with uri"
  category: "NETWORKING"
definition:
  cond_type: attribute
  resource_types:
    - tasks.ansible.builtin.uri
    - tasks.uri
  attribute: url
  operator: starting_with
  value: "https://"
================================================
FILE: checkov/ansible/checks/graph_checks/__init__.py
================================================
================================================
FILE: checkov/ansible/checks/registry.py
================================================
from checkov.common.bridgecrew.check_type import CheckType
from checkov.yaml_doc.base_registry import Registry
# shared registry for the Ansible framework; every BaseAnsibleTaskCheck registers itself here on construction
registry = Registry(CheckType.ANSIBLE)
================================================
FILE: checkov/ansible/checks/task/__init__.py
================================================
from checkov.ansible.checks.task.aws import * # noqa
from checkov.ansible.checks.task.builtin import * # noqa
================================================
FILE: checkov/ansible/checks/task/aws/EC2EBSOptimized.py
================================================
from __future__ import annotations
from typing import Any
from checkov.ansible.checks.base_ansible_task_value_check import BaseAnsibleTaskValueCheck
from checkov.common.models.enums import CheckResult, CheckCategories
class EC2EBSOptimized(BaseAnsibleTaskValueCheck):
    """CKV_AWS_135: ``ec2_instance`` tasks that launch an instance should set ``ebs_optimized``.

    Uses the inherited defaults: expected value ``True`` and FAILED when the key is absent.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that EC2 is EBS optimized",
            id="CKV_AWS_135",
            categories=(CheckCategories.GENERAL_SECURITY,),
            supported_modules=("amazon.aws.ec2_instance", "ec2_instance"),
        )

    def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:
        # a task without 'image_id'/'image' addresses an already running instance rather than
        # launching one, so the EBS setting is not something this task decides
        launches_instance = bool(conf.get("image_id") or conf.get("image"))
        if not launches_instance:
            return CheckResult.UNKNOWN, self.entity_conf
        return super().scan_conf(conf=conf)

    def get_inspected_key(self) -> str:
        return "ebs_optimized"
check = EC2EBSOptimized()
================================================
FILE: checkov/ansible/checks/task/aws/EC2PublicIP.py
================================================
from __future__ import annotations
from typing import Any
from checkov.ansible.checks.base_ansible_task_value_check import BaseAnsibleTaskValueCheck
from checkov.common.models.enums import CheckResult, CheckCategories
class EC2PublicIP(BaseAnsibleTaskValueCheck):
    """CKV_AWS_88: ``ec2_instance`` tasks that launch an instance must not assign a public IP."""

    def __init__(self) -> None:
        super().__init__(
            name="EC2 instance should not have public IP.",
            id="CKV_AWS_88",
            categories=(CheckCategories.NETWORKING,),
            supported_modules=("amazon.aws.ec2_instance", "ec2_instance"),
        )

    def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:
        """Skip tasks that only address an existing instance, otherwise run the value check.

        :param conf: the module arguments of the task
        :return: UNKNOWN when neither ``image_id`` nor ``image`` is given, else the inherited result
        """
        launches_instance = bool(conf.get("image_id") or conf.get("image"))
        if not launches_instance:
            return CheckResult.UNKNOWN, self.entity_conf
        return super().scan_conf(conf=conf)

    def get_inspected_key(self) -> str:
        """Nested module argument (``network`` -> ``assign_public_ip``); the ``/`` path
        syntax is interpreted by the base class."""
        return "network/assign_public_ip"

    def get_expected_value(self) -> Any:
        """The attribute must be explicitly ``False`` to pass."""
        return False


# Instantiated at import time; NOTE(review): registration presumably happens in the base
# class constructor, which is not visible here.
check = EC2PublicIP()
================================================
FILE: checkov/ansible/checks/task/aws/__init__.py
================================================
from pathlib import Path
modules = Path(__file__).parent.glob("*.py")
__all__ = [f.stem for f in modules if f.is_file() and not f.stem == "__init__"]
================================================
FILE: checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py
================================================
from __future__ import annotations
from typing import Any
from checkov.ansible.checks.base_ansible_task_value_check import BaseAnsibleTaskValueCheck
from checkov.common.models.enums import CheckResult, CheckCategories
class AptAllowUnauthenticated(BaseAnsibleTaskValueCheck):
    """CKV_ANSIBLE_5: ``apt`` tasks must not set ``allow_unauthenticated`` to a truthy value.

    A task without the argument passes (``missing_block_result=PASSED``), because the
    module's default keeps signature verification on.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that packages with untrusted or missing signatures are not used",
            id="CKV_ANSIBLE_5",
            categories=(CheckCategories.GENERAL_SECURITY,),
            supported_modules=("ansible.builtin.apt", "apt"),
            missing_block_result=CheckResult.PASSED,
        )

    def get_expected_value(self) -> Any:
        """The argument must be ``False`` when present."""
        return False

    def get_inspected_key(self) -> str:
        """Module argument that the base value check compares."""
        return "allow_unauthenticated"


# Instantiated at import time; NOTE(review): registration presumably happens in the base
# class constructor, which is not visible here.
check = AptAllowUnauthenticated()
================================================
FILE: checkov/ansible/checks/task/builtin/AptForce.py
================================================
from __future__ import annotations
from typing import Any
from checkov.ansible.checks.base_ansible_task_value_check import BaseAnsibleTaskValueCheck
from checkov.common.models.enums import CheckResult, CheckCategories
class AptForce(BaseAnsibleTaskValueCheck):
    """CKV_ANSIBLE_6: ``apt`` tasks must not set ``force``.

    ``force`` disables signature validation and permits downgrades; a task without the
    argument passes (``missing_block_result=PASSED``).
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state",
            id="CKV_ANSIBLE_6",
            categories=(CheckCategories.GENERAL_SECURITY,),
            supported_modules=("ansible.builtin.apt", "apt"),
            missing_block_result=CheckResult.PASSED,
        )

    def get_expected_value(self) -> Any:
        """The argument must be ``False`` when present."""
        return False

    def get_inspected_key(self) -> str:
        """Module argument that the base value check compares."""
        return "force"


# Instantiated at import time; NOTE(review): registration presumably happens in the base
# class constructor, which is not visible here.
check = AptForce()
================================================
FILE: checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py
================================================
from __future__ import annotations
from checkov.ansible.checks.base_ansible_task_value_check import BaseAnsibleTaskValueCheck
from checkov.common.models.enums import CheckResult, CheckCategories
class GetUrlValidateCerts(BaseAnsibleTaskValueCheck):
    """CKV_ANSIBLE_2: ``get_url`` tasks must not disable ``validate_certs``.

    The expected value comes from the base class (not overridden here); a task without
    the argument passes because ``missing_block_result`` is PASSED.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that certificate validation isn't disabled with get_url",
            id="CKV_ANSIBLE_2",
            categories=(CheckCategories.GENERAL_SECURITY,),
            supported_modules=("ansible.builtin.get_url", "get_url"),
            missing_block_result=CheckResult.PASSED,
        )

    def get_inspected_key(self) -> str:
        """Module argument that the base value check compares."""
        return "validate_certs"


# Instantiated at import time; NOTE(review): registration presumably happens in the base
# class constructor, which is not visible here.
check = GetUrlValidateCerts()
================================================
FILE: checkov/ansible/checks/task/builtin/UriValidateCerts.py
================================================
from __future__ import annotations
from checkov.ansible.checks.base_ansible_task_value_check import BaseAnsibleTaskValueCheck
from checkov.common.models.enums import CheckResult, CheckCategories
class UriValidateCerts(BaseAnsibleTaskValueCheck):
    """CKV_ANSIBLE_1: ``uri`` tasks must not disable ``validate_certs``.

    The expected value comes from the base class (not overridden here); a task without
    the argument passes because ``missing_block_result`` is PASSED.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that certificate validation isn't disabled with uri",
            id="CKV_ANSIBLE_1",
            categories=(CheckCategories.GENERAL_SECURITY,),
            supported_modules=("ansible.builtin.uri", "uri"),
            missing_block_result=CheckResult.PASSED,
        )

    def get_inspected_key(self) -> str:
        """Module argument that the base value check compares."""
        return "validate_certs"


# Instantiated at import time; NOTE(review): registration presumably happens in the base
# class constructor, which is not visible here.
check = UriValidateCerts()
================================================
FILE: checkov/ansible/checks/task/builtin/YumSslVerify.py
================================================
from __future__ import annotations
from checkov.ansible.checks.base_ansible_task_value_check import BaseAnsibleTaskValueCheck
from checkov.common.models.enums import CheckResult, CheckCategories
class YumSslVerify(BaseAnsibleTaskValueCheck):
    """CKV_ANSIBLE_4: ``yum`` tasks must not disable ``sslverify``.

    The expected value comes from the base class (not overridden here); a task without
    the argument passes because ``missing_block_result`` is PASSED.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that SSL validation isn't disabled with yum",
            id="CKV_ANSIBLE_4",
            categories=(CheckCategories.GENERAL_SECURITY,),
            supported_modules=("ansible.builtin.yum", "yum"),
            missing_block_result=CheckResult.PASSED,
        )

    def get_inspected_key(self) -> str:
        """Module argument that the base value check compares."""
        return "sslverify"


# Instantiated at import time; NOTE(review): registration presumably happens in the base
# class constructor, which is not visible here.
check = YumSslVerify()
================================================
FILE: checkov/ansible/checks/task/builtin/YumValidateCerts.py
================================================
from __future__ import annotations
from checkov.ansible.checks.base_ansible_task_value_check import BaseAnsibleTaskValueCheck
from checkov.common.models.enums import CheckResult, CheckCategories
class YumValidateCerts(BaseAnsibleTaskValueCheck):
    """CKV_ANSIBLE_3: ``yum`` tasks must not disable ``validate_certs``.

    The expected value comes from the base class (not overridden here); a task without
    the argument passes because ``missing_block_result`` is PASSED.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that certificate validation isn't disabled with yum",
            id="CKV_ANSIBLE_3",
            categories=(CheckCategories.GENERAL_SECURITY,),
            supported_modules=("ansible.builtin.yum", "yum"),
            missing_block_result=CheckResult.PASSED,
        )

    def get_inspected_key(self) -> str:
        """Module argument that the base value check compares."""
        return "validate_certs"


# Instantiated at import time; NOTE(review): registration presumably happens in the base
# class constructor, which is not visible here.
check = YumValidateCerts()
================================================
FILE: checkov/ansible/checks/task/builtin/__init__.py
================================================
from pathlib import Path
modules = Path(__file__).parent.glob("*.py")
__all__ = [f.stem for f in modules if f.is_file() and not f.stem == "__init__"]
================================================
FILE: checkov/ansible/graph_builder/__init__.py
================================================
================================================
FILE: checkov/ansible/graph_builder/graph_components/__init__.py
================================================
================================================
FILE: checkov/ansible/graph_builder/graph_components/resource_types.py
================================================
from enum import Enum
class ResourceType(str, Enum):
    """Playbook keys that this integration treats as resource kinds.

    Members are ``str`` subclasses, so they are used directly as dict keys and inside
    f-strings by the graph builder and the utils module.
    """

    BLOCK = "block"  # a `block:` grouping of tasks
    TASKS = "tasks"  # the `tasks:` list of a play

    def __str__(self) -> str:
        # needed, because of a Python 3.11 change: str()/format() of a str-mixin enum member
        # no longer yields the raw value, which the f-strings in this package rely on
        return self.value
================================================
FILE: checkov/ansible/graph_builder/local_graph.py
================================================
from __future__ import annotations
import logging
from pathlib import Path
from typing import Any
from checkov.common.graph.graph_builder import CustomAttributes
from checkov.common.graph.graph_builder.consts import GraphSource, SELF_REFERENCE
from checkov.common.graph.graph_builder.graph_components.block_types import BlockType
from checkov.common.graph.graph_builder.graph_components.blocks import Block
from checkov.common.runners.graph_builder.local_graph import ObjectLocalGraph
from checkov.common.util.consts import START_LINE, END_LINE
from checkov.ansible.graph_builder.graph_components.resource_types import ResourceType
from checkov.ansible.utils import get_scannable_file_paths, TASK_RESERVED_KEYWORDS, parse_file
from checkov.common.util.data_structures_utils import pickle_deepcopy
class AnsibleLocalGraph(ObjectLocalGraph):
    """Graph of an Ansible project: one vertex per task and per ``block``, no edges."""

    def __init__(self, definitions: dict[str | Path, dict[str, Any] | list[dict[str, Any]]]) -> None:
        super().__init__(definitions=definitions)
        self.source = GraphSource.ANSIBLE

    def _create_vertices(self) -> None:
        """Walks every parsed file and creates vertices for its tasks and blocks.

        A file whose parsed content is not a list is skipped with a debug log. Each list
        entry is either a play (has a ``tasks`` key) or directly a task/block.
        """
        for file_path, definition in self.definitions.items():
            if not isinstance(definition, list):
                logging.debug(f"definition of file {file_path} has the wrong type {type(definition)}")
                continue

            file_path = str(file_path)

            for code_block in definition:
                # NOTE(review): a non-dict list item is not filtered here. For a str item the
                # `in` test is a substring test, so an item containing "tasks" would reach the
                # subscript below and raise TypeError; _process_blocks() guards non-dict tasks,
                # this loop does not.
                if ResourceType.TASKS in code_block:
                    tasks = code_block[ResourceType.TASKS]
                    if tasks:  # Check if tasks is not None and not empty
                        for task in tasks:
                            self._process_blocks(file_path=file_path, task=task)
                    else:
                        # an empty `tasks:` key: treat the play itself as the task
                        self._process_blocks(file_path=file_path, task=code_block)
                else:
                    self._process_blocks(file_path=file_path, task=code_block)

    def _process_blocks(self, file_path: str, task: Any, prefix: str = "") -> None:
        """Checks for possible block usage.

        A dict with a list-valued ``block`` key gets a block vertex and is then recursed
        into; anything else is handled as a plain task. Non-dict/empty input is ignored.
        :param prefix: accumulated ``block.`` prefix, one segment per nesting level
        """
        if not task or not isinstance(task, dict):
            return

        if ResourceType.BLOCK in task and isinstance(task[ResourceType.BLOCK], list):
            prefix += f"{ResourceType.BLOCK}."  # with each nested level an extra block prefix is added
            self._create_block_vertices(file_path=file_path, block=task, prefix=prefix)

            for block_task in task[ResourceType.BLOCK]:
                self._process_blocks(file_path=file_path, task=block_task, prefix=prefix)
        else:
            self._create_tasks_vertices(file_path=file_path, task=task, prefix=prefix)

    def _create_tasks_vertices(self, file_path: str, task: Any, prefix: str = "") -> None:
        """Creates a task vertex from the first key that is not a task keyword.

        The vertex attributes are the module's arguments (deep-copied) plus the resource
        type and the line range of the whole task; ``config`` keeps the complete task so
        the check result shows it in full. Only one vertex is created per task (``break``).
        :raises KeyError: if the task lacks the parser's START_LINE/END_LINE keys
        """
        if not task or not isinstance(task, dict):
            return

        # grab the task name at the beginning before trying to find the actual module name
        task_name = task.get("name") or "unknown"

        for name, config in task.items():
            if name in TASK_RESERVED_KEYWORDS:
                continue
            if name in (START_LINE, END_LINE):
                continue
            if isinstance(config, list):
                # either it is actually not an Ansible file or a playbook without tasks refs
                continue

            resource_type = f"{ResourceType.TASKS}.{prefix}{name}"

            if isinstance(config, str):
                # this happens when modules have no parameters and are directly used with the user input
                # ex. ansible.builtin.command: cat /etc/passwd
                config = {SELF_REFERENCE: config}
            elif config is None:
                # this happens when modules have no parameters and are passed no value
                # ex. amazon.aws.ec2_instance_info:
                config = {
                    START_LINE: task[START_LINE],
                    END_LINE: task[END_LINE],
                }

            if not isinstance(config, dict):
                # either it is actually not an Ansible file or a playbook without tasks refs
                continue

            attributes = pickle_deepcopy(config)
            attributes[CustomAttributes.RESOURCE_TYPE] = resource_type
            # only the module code is relevant for validation,
            # but in the check result the whole task should be visible
            attributes[START_LINE] = task[START_LINE]
            attributes[END_LINE] = task[END_LINE]

            self.vertices.append(
                Block(
                    name=f"{resource_type}.{task_name}",
                    config=task,
                    path=file_path,
                    block_type=BlockType.RESOURCE,
                    attributes=attributes,
                    id=f"{resource_type}.{task_name}",
                    source=self.source,
                )
            )

            # no need to further check
            break

    def _create_block_vertices(self, file_path: str, block: dict[str, Any], prefix: str = "") -> None:
        """Creates a vertex for a ``block`` mapping.

        The nested task list is removed from the attributes (the tasks get their own
        vertices) but stays in ``config``. The vertex id is ``<prefix><block name>``.
        """
        # grab the block name, if it exists
        block_name = block.get("name") or "unknown"

        config = block
        attributes = pickle_deepcopy(config)
        attributes[CustomAttributes.RESOURCE_TYPE] = ResourceType.BLOCK
        del attributes[ResourceType.BLOCK]  # the real block content are tasks, which have their own vertices

        self.vertices.append(
            Block(
                name=f"{ResourceType.BLOCK}.{block_name}",
                config=config,
                path=file_path,
                block_type=BlockType.RESOURCE,
                attributes=attributes,
                id=f"{prefix}{block_name}",
                source=self.source,
            )
        )

    def _create_edges(self) -> None:
        """No edges are modelled for Ansible."""
        return None

    @staticmethod
    def get_files_definitions(root_folder: str | Path) -> dict[str | Path, dict[str, Any] | list[dict[str, Any]]]:
        """Parses every scannable YAML file under ``root_folder``.

        Files that fail to parse are logged at warning level and omitted; the raw line
        list returned by ``parse_file`` is dropped, only the parsed content is kept.
        """
        definitions: "dict[str | Path, dict[str, Any] | list[dict[str, Any]]]" = {}

        file_paths = get_scannable_file_paths(root_folder=root_folder)
        for file_path in file_paths:
            try:
                result = parse_file(f=file_path)
                if result is not None:
                    definitions[file_path] = result[0]
            except Exception as err:
                # NOTE(review): message reads "pars" (typo for "parse"); left unchanged here
                logging.warning(f'fail to pars file {file_path}, {err}')

        return definitions
================================================
FILE: checkov/ansible/runner.py
================================================
from __future__ import annotations
from typing import TYPE_CHECKING, Any
from checkov.common.graph.checks_infra.registry import BaseRegistry
from checkov.ansible.checks.registry import registry
from checkov.ansible.graph_builder.graph_components.resource_types import ResourceType
from checkov.ansible.graph_builder.local_graph import AnsibleLocalGraph
from checkov.ansible.utils import get_relevant_file_content, build_definitions_context, generate_task_name
from checkov.common.output.report import CheckType
from checkov.common.util.consts import START_LINE, END_LINE
from checkov.yaml_doc.runner import Runner as YamlRunner
if TYPE_CHECKING:
from checkov.common.checks.base_check_registry import BaseCheckRegistry
from checkov.common.typing import LibraryGraphConnector
from checkov.common.runners.graph_builder.local_graph import ObjectLocalGraph
from checkov.common.runners.graph_manager import ObjectGraphManager
from collections.abc import Iterable
class Runner(YamlRunner):
    """YAML runner specialised for Ansible: parses only files that look like task lists
    and maps findings back to ``tasks.<module>.<task name>`` resource names."""

    check_type = CheckType.ANSIBLE  # noqa: CCE003  # a static attribute

    def __init__(
        self,
        db_connector: LibraryGraphConnector | None = None,
        source: str = "Ansible",
        graph_class: type[ObjectLocalGraph] = AnsibleLocalGraph,
        graph_manager: ObjectGraphManager | None = None,
        external_registries: list[BaseRegistry] | None = None,
    ) -> None:
        # NOTE(review): `external_registries` is accepted but neither stored nor forwarded
        # to the parent constructor, so passing it has no effect.
        super().__init__(
            db_connector=db_connector,
            source=source,
            graph_class=graph_class,
            graph_manager=graph_manager,
        )

    def require_external_checks(self) -> bool:
        """External check loading is not required for this runner."""
        return False

    def import_registry(self) -> BaseCheckRegistry:
        """Returns the Ansible check registry."""
        return registry

    @staticmethod
    def _parse_file(
        f: str, file_content: str | None = None
    ) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None:
        """Parses ``f`` only if it looks like an Ansible task file.

        ``file_content`` is ignored: the content is always re-read via
        ``get_relevant_file_content`` so that the task-list filter is applied.
        :return: ``(parsed content, raw lines)`` or ``None`` for irrelevant files
        """
        content = get_relevant_file_content(file_path=f)
        if content:
            return YamlRunner._parse_file(f=f, file_content=content)

        return None

    def get_resource(
        self,
        file_path: str,
        key: str,
        supported_entities: Iterable[str],
        start_line: int = -1,
        end_line: int = -1,
        graph_resource: bool = False,
    ) -> str:
        """Maps a finding's line range in ``file_path`` to a task resource name.

        :return: the generated task name, or ``key`` unchanged when no definitions are
            loaded or no task encloses the line range
        :raises KeyError: when ``file_path`` is not a key of ``self.definitions``
        """
        if not self.definitions or not isinstance(self.definitions, dict):
            return key

        resource_name = self.generate_resource_name(start_line, end_line, self.definitions[file_path])
        return resource_name if resource_name else key

    def generate_resource_name(
        self,
        start_line: int,
        end_line: int,
        file_conf: dict[str, Any] | list[dict[str, Any]],
        resource_key: str | None = None,
    ) -> str | None:
        """Finds the task whose line range encloses ``start_line``..``end_line``.

        Handles the three shapes of a parsed file: a play with a ``tasks`` list, a bare
        ``block`` and a plain task; tasks nested in blocks are resolved recursively.
        :param file_conf: parsed file content; anything but a list yields ``resource_key``
        :return: the task name, or ``resource_key`` when nothing encloses the range
        """
        if not isinstance(file_conf, list):
            return resource_key

        # assumes every list item and task carries the parser's START_LINE/END_LINE keys — TODO confirm
        for code_block in file_conf:
            if code_block[START_LINE] <= start_line <= end_line <= code_block[END_LINE]:
                if ResourceType.TASKS in code_block:
                    for task in code_block[ResourceType.TASKS]:
                        if task[START_LINE] <= start_line <= end_line <= task[END_LINE]:
                            if ResourceType.BLOCK in task:
                                resource_name = self._handle_block_tasks(
                                    start_line=start_line,
                                    end_line=end_line,
                                    code_block=task,
                                )
                                if resource_name is not None:
                                    return resource_name

                            return generate_task_name(task=task) or resource_key
                elif ResourceType.BLOCK in code_block:
                    resource_name = self._handle_block_tasks(
                        start_line=start_line,
                        end_line=end_line,
                        code_block=code_block,
                    )
                    if resource_name is not None:
                        return resource_name
                else:
                    return generate_task_name(task=code_block) or resource_key

        return resource_key

    def _handle_block_tasks(
        self, start_line: int, end_line: int, code_block: dict[str, Any], prefix: str = ""
    ) -> str | None:
        """Resolves a task inside ``code_block["block"]`` (recursively for nested blocks).

        :param prefix: grows by ``block.`` for every nesting level and is passed to
            ``generate_task_name`` so the name matches the graph vertex id
        :return: the task name, or ``None`` when no block task encloses the range
        """
        for block_task in code_block[ResourceType.BLOCK]:
            if block_task[START_LINE] <= start_line <= end_line <= block_task[END_LINE]:
                prefix += f"{ResourceType.BLOCK}."  # with each nested level an extra block prefix is added
                if ResourceType.BLOCK in block_task:
                    resource_name = self._handle_block_tasks(
                        start_line=start_line,
                        end_line=end_line,
                        code_block=block_task,
                        prefix=prefix,
                    )
                    if resource_name is not None:
                        return resource_name

                return generate_task_name(task=block_task, prefix=prefix)

        return None

    def build_definitions_context(
        self,
        definitions: dict[str, dict[str, Any] | list[dict[str, Any]]],
        definitions_raw: dict[str, list[tuple[int, str]]],
    ) -> dict[str, dict[str, Any]]:
        """Delegates to ``checkov.ansible.utils.build_definitions_context``."""
        return build_definitions_context(definitions=definitions, definitions_raw=definitions_raw)

    def set_definitions_raw(self, definitions_raw: dict[str, list[tuple[int, str]]]) -> None:
        """Stores the raw ``(line number, line)`` pairs per file for later context building."""
        self.definitions_raw = definitions_raw
================================================
FILE: checkov/ansible/utils.py
================================================
from __future__ import annotations
import logging
import os
import re
from pathlib import Path
from typing import Any, List
from checkov.ansible.graph_builder.graph_components.resource_types import ResourceType
from checkov.common.parallelizer.parallel_runner import parallel_runner
from checkov.common.parsers.yaml.parser import parse
from checkov.common.resource_code_logger_filter import add_resource_code_filter_to_logger
from checkov.common.runners.base_runner import filter_ignored_paths
from checkov.common.util.consts import START_LINE, END_LINE
from checkov.common.util.file_utils import read_file_with_any_encoding
from checkov.common.util.suppression import collect_suppressions_for_context
from checkov.runner_filter import RunnerFilter
# Matches a YAML list item that starts a named task ("- name: ..."); used as the cheap
# heuristic that decides whether a YAML file is handed to the Ansible parser at all.
TASK_NAME_PATTERN = re.compile(r"^\s*-\s+name:\s+", re.MULTILINE)

# https://docs.ansible.com/ansible/latest/reference_appendices/playbooks_keywords.html#task
# Task-level keywords; any other key of a task mapping is taken to be the module name.
TASK_RESERVED_KEYWORDS = {
    "action",
    "any_errors_fatal",
    "args",
    "async",
    "become",
    "become_exe",
    "become_flags",
    "become_method",
    "become_user",
    "changed_when",
    "check_mode",
    "collections",
    "connection",
    "debugger",
    "delay",
    "delegate_facts",
    "delegate_to",
    "diff",
    "environment",
    "failed_when",
    "ignore_errors",
    "ignore_unreachable",
    "local_action",
    "loop",
    "loop_control",
    "module_defaults",
    "name",
    "no_log",
    "notify",
    "poll",
    "port",
    "register",
    "remote_user",
    "retries",
    "run_once",
    "tags",
    "throttle",
    "timeout",
    "until",
    "vars",
    "when",
}

logger = logging.getLogger(__name__)
# attaches the resource-code log filter to this module's logger (defined in
# checkov.common.resource_code_logger_filter)
add_resource_code_filter_to_logger(logger)
def get_scannable_file_paths(root_folder: str | Path) -> set[Path]:
"""Finds yaml files"""
file_paths: set[Path] = set()
if root_folder:
root_path = root_folder if isinstance(root_folder, Path) else Path(root_folder)
file_paths = {file_path for file_path in root_path.rglob("*.[y][am]*[l]") if file_path.is_file()}
return file_paths
def get_relevant_file_content(file_path: str | Path) -> str | None:
if not str(file_path).endswith((".yaml", ".yml")):
return None
content = read_file_with_any_encoding(file_path=file_path)
if "name:" not in content:
# the following regex will search more precisely, but no need to further process
return None
match_task_name = re.search(TASK_NAME_PATTERN, content)
if match_task_name:
# there are more files, which belong to an ansible playbook,
# but we are currently only interested in 'tasks'
return content
return None
def parse_file(
    f: str | Path, file_content: str | None = None
) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None:
    """Parses ``f`` as YAML if it passes the Ansible relevance filter.

    Note that ``file_content`` is not used: the file is always read again through
    ``get_relevant_file_content`` (kept for signature compatibility).
    :return: the parser result ``(content, raw lines)`` or ``None`` for irrelevant files
    """
    relevant_content = get_relevant_file_content(file_path=f)
    if not relevant_content:
        return None

    return parse(filename=str(f), file_content=relevant_content)
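def generate_task_name(task: dict[str, Any], prefix: str = "") -> str | None:
    """Builds the resource name ``tasks.<module>.<task name>`` for a task mapping.

    The module is the first key that is neither a reserved task keyword nor one of the
    parser's line-marker keys (START_LINE/END_LINE). Skipping the markers keeps the result
    consistent with the graph builder, which ignores them too; without that, a task made
    only of keywords could be named after ``__startline__``.
    :param task: the task mapping as produced by the YAML parser
    :param prefix: prefix for the module name, e.g. ``block.`` for tasks nested in a block
    :return: the resource name, or ``None`` when no module key exists
    """
    # grab the task name at the beginning before trying to find the actual module name
    task_name = task.get("name") or "unknown"

    for key in task:
        if key in TASK_RESERVED_KEYWORDS or key in (START_LINE, END_LINE):
            continue

        # if the task is found in a block, then prefix the module name with 'block'
        module_name = f"{prefix}{key}" if prefix else key
        return f"{ResourceType.TASKS}.{module_name}.{task_name}"

    return None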
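def build_definitions_context(
    definitions: dict[str, dict[str, Any] | list[dict[str, Any]]],
    definitions_raw: dict[str, list[tuple[int, str]]],
) -> dict[str, dict[str, Any]]:
    """Builds the per-file resource context (line range, code lines, suppressions).

    :param definitions: parsed YAML per file; only list-shaped content (plays/tasks) is used
    :param definitions_raw: raw ``(line number, line)`` pairs per file
    :return: ``file path -> resource name -> context``; files with non-list content are skipped
    :raises KeyError: when ``definitions_raw`` has no entry for a file in ``definitions``
    """
    definitions_context: dict[str, dict[str, Any]] = {}

    for file_path, definition in definitions.items():
        file_path_context: dict[str, Any] = {}
        definition_raw = definitions_raw[file_path]

        if not isinstance(definition, list):
            logger.info(f"File {file_path} has the wrong type {type(definition)}")
            continue

        for code_block in definition:
            if not isinstance(code_block, dict):
                # a scalar list item (e.g. a plain string) is neither a play nor a task;
                # `in` on a str is a substring test, so an item containing "tasks" would
                # otherwise be subscripted and raise TypeError
                continue

            if ResourceType.TASKS in code_block:
                tasks = code_block[ResourceType.TASKS]
                if tasks:  # Check if tasks is not empty
                    for task in tasks:
                        _process_blocks(definition_raw=definition_raw, file_path_context=file_path_context, task=task)
                else:
                    # an empty `tasks:` key: treat the play itself as the task
                    _process_blocks(definition_raw=definition_raw, file_path_context=file_path_context, task=code_block)
            else:
                _process_blocks(definition_raw=definition_raw, file_path_context=file_path_context, task=code_block)

        definitions_context[file_path] = file_path_context

    return definitions_context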
def _process_blocks(
    definition_raw: list[tuple[int, str]],
    file_path_context: dict[str, Any],
    task: Any,
    prefix: str = "",
) -> None:
    """Adds the context of ``task`` (and, for a block, of all nested tasks) to ``file_path_context``.

    :param prefix: accumulated ``block.`` prefix, one segment per nesting level
    NOTE(review): the block key is built as ``f"{prefix}.{name}"`` while ``prefix`` already
    ends with ``.``, giving ``block..<name>``; the graph vertex id for the same block is
    ``<prefix><name>``. Confirm whether block contexts are ever looked up by id.
    """
    if not task or not isinstance(task, dict):
        return

    nested_tasks = task.get(ResourceType.BLOCK)
    if isinstance(nested_tasks, list):
        prefix = f"{prefix}{ResourceType.BLOCK}."  # with each nested level an extra block prefix is added
        block_name = f"{prefix}.{task.get('name') or 'unknown'}"
        file_path_context[block_name] = _create_resource_context(definition_raw=definition_raw, resource=task)

        for nested_task in nested_tasks:
            _process_blocks(
                definition_raw=definition_raw, file_path_context=file_path_context, task=nested_task, prefix=prefix
            )
        return

    # context is built first; a task without line markers raises here, as before
    resource_context = _create_resource_context(definition_raw=definition_raw, resource=task)
    task_name = generate_task_name(task=task, prefix=prefix)
    if task_name:
        file_path_context[task_name] = resource_context
def _create_resource_context(definition_raw: list[tuple[int, str]], resource: dict[str, Any]) -> dict[str, Any]:
    """Creates the context entry (line range, code lines, suppressions) for one resource.

    :param definition_raw: all ``(line number, line)`` pairs of the file, 0-indexed list
    :param resource: a task/block mapping carrying the parser's START_LINE/END_LINE keys
    :raises KeyError: if the line-marker keys are missing
    """
    start_line, end_line = resource[START_LINE], resource[END_LINE]
    # lines start with index 0; the end marker is exclusive here and also reported as end_line - 1
    code_lines = definition_raw[start_line - 1 : end_line - 1]

    return {
        "start_line": start_line,
        "end_line": end_line - 1,
        "code_lines": code_lines,
        "skipped_checks": collect_suppressions_for_context(code_lines=code_lines),
    }
def create_definitions(
    root_folder: str | None,
    files: list[str] | None = None,
    runner_filter: RunnerFilter | None = None
) -> tuple[dict[str, dict[str, Any]], dict[str, list[tuple[int, str]]]]:
    """Parses the given files and/or every file under ``root_folder``.

    Directories and files matching the runner filter's ``excluded_paths`` are pruned
    while walking; relevance filtering itself happens in ``parse_file``.
    :return: ``(definitions, definitions_raw)`` keyed by file path
    """
    active_filter = runner_filter or RunnerFilter()
    definitions: dict[str, dict[str, Any]] = {}
    definitions_raw: dict[str, list[tuple[int, str]]] = {}

    if files:
        create_file_definition(files, definitions, definitions_raw)

    if root_folder:
        for current_dir, dir_names, file_names in os.walk(root_folder):
            filter_ignored_paths(current_dir, dir_names, active_filter.excluded_paths)
            filter_ignored_paths(current_dir, file_names, active_filter.excluded_paths)
            files_to_load = [os.path.join(current_dir, file_name) for file_name in file_names]
            create_file_definition(files_to_load, definitions, definitions_raw)

    return definitions, definitions_raw
def create_file_definition(files_to_load: List[str], definitions: dict[str, dict[str, Any]], definitions_raw: dict[str, list[tuple[int, str]]]) -> None:
    """Parses ``files_to_load`` in parallel and stores the results in the two dicts (in place).

    Files that are irrelevant or fail to parse (``parse_file`` returns a falsy value, or the
    parallel runner yields ``None`` after an uncaught exception) are skipped silently.
    """
    parse_results = parallel_runner.run_function(lambda f: (f, parse_file(f)), files_to_load)

    for pair in parse_results:
        if pair is None:
            # this only happens, when an uncaught exception occurs
            continue

        file_path, parsed = pair
        if not parsed:
            continue

        definitions[file_path], definitions_raw[file_path] = parsed  # type: ignore[assignment]
================================================
FILE: checkov/argo_workflows/__init__.py
================================================
from checkov.argo_workflows.checks import * # noqa
================================================
FILE: checkov/argo_workflows/checks/__init__.py
================================================
from checkov.argo_workflows.checks.template import * # noqa
================================================
FILE: checkov/argo_workflows/checks/base_argo_workflows_check.py
================================================
from __future__ import annotations
from abc import abstractmethod
from collections.abc import Iterable
from typing import TYPE_CHECKING, Any
from checkov.common.checks.base_check import BaseCheck
from checkov.argo_workflows.checks.registry import registry
if TYPE_CHECKING:
from checkov.common.models.enums import CheckCategories, CheckResult
class BaseArgoWorkflowsCheck(BaseCheck):
    """Base class for Argo Workflows checks; every instance registers itself with the Argo registry."""

    def __init__(
        self,
        name: str,
        id: str,
        categories: Iterable[CheckCategories],
        supported_entities: Iterable[str],
        block_type: str,
        path: str | None = None,
    ) -> None:
        """
        :param supported_entities: YAML keys (e.g. ``spec``) whose values this check inspects
        :param block_type: the yaml_doc block type the check is bound to
        :param path: optional path stored on the instance; not passed to the parent class
        """
        super().__init__(name=name, id=id, categories=categories, supported_entities=supported_entities, block_type=block_type)
        self.path = path
        registry.register(self)

    def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> tuple[CheckResult, dict[str, Any]]:
        """Records the entity type, then delegates to :meth:`scan_conf`."""
        self.entity_type = entity_type
        return self.scan_conf(conf)

    @abstractmethod
    def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:
        """Evaluate ``conf``; return the result together with the (possibly narrowed) config."""
================================================
FILE: checkov/argo_workflows/checks/registry.py
================================================
from checkov.common.bridgecrew.check_type import CheckType
from checkov.yaml_doc.base_registry import Registry
# Single shared registry for all Argo Workflows checks; the base check registers into it.
registry = Registry(CheckType.ARGO_WORKFLOWS)
================================================
FILE: checkov/argo_workflows/checks/template/DefaultServiceAccount.py
================================================
from __future__ import annotations
from typing import Any
from checkov.argo_workflows.checks.base_argo_workflows_check import BaseArgoWorkflowsCheck
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.yaml_doc.enums import BlockType
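class DefaultServiceAccount(BaseArgoWorkflowsCheck):
    """CKV_ARGO_1: a Workflow ``spec`` must name a ServiceAccount other than ``default``."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure Workflow pods are not using the default ServiceAccount",
            id="CKV_ARGO_1",
            categories=(CheckCategories.IAM,),
            supported_entities=("spec",),
            block_type=BlockType.OBJECT,
        )

    def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:
        """Inspects ``spec.serviceAccountName``.

        :param conf: the workflow ``spec`` mapping
        :return: PASSED when ``serviceAccountName`` is a non-empty string other than
            ``"default"``; FAILED otherwise. An absent, null or empty value is FAILED as
            well, since the pods then fall back to the namespace's default ServiceAccount
            (previously ``""``/``null`` were reported as PASSED). Per-template overrides
            of the ServiceAccount are not evaluated here.
        """
        service_account = conf.get("serviceAccountName")
        if isinstance(service_account, str) and service_account and service_account != "default":
            return CheckResult.PASSED, conf
        return CheckResult.FAILED, conf


# Instantiated at import time; the base class registers it with the Argo registry.
check = DefaultServiceAccount()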
================================================
FILE: checkov/argo_workflows/checks/template/RunAsNonRoot.py
================================================
from __future__ import annotations
from typing import Any
from checkov.argo_workflows.checks.base_argo_workflows_check import BaseArgoWorkflowsCheck
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.yaml_doc.enums import BlockType
class RunAsNonRoot(BaseArgoWorkflowsCheck):
    """CKV_ARGO_2: the workflow-level ``securityContext`` must set ``runAsNonRoot: true``."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure Workflow pods are running as non-root user",
            id="CKV_ARGO_2",
            categories=(CheckCategories.IAM,),
            supported_entities=("spec",),
            block_type=BlockType.OBJECT,
        )

    def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:
        """Inspects ``spec.securityContext.runAsNonRoot``.

        :param conf: the workflow ``spec`` mapping
        :return: PASSED only when ``securityContext`` is a mapping whose ``runAsNonRoot`` is the
            boolean ``True`` (a quoted ``"true"`` string does not pass); FAILED otherwise.
            Template-level security contexts are not evaluated here.
        """
        security_context = conf.get("securityContext")
        if not isinstance(security_context, dict):
            return CheckResult.FAILED, conf
        if security_context.get("runAsNonRoot") is True:
            return CheckResult.PASSED, conf
        return CheckResult.FAILED, conf


# Instantiated at import time; the base class registers it with the Argo registry.
check = RunAsNonRoot()
================================================
FILE: checkov/argo_workflows/checks/template/__init__.py
================================================
from pathlib import Path
modules = Path(__file__).parent.glob("*.py")
__all__ = [f.stem for f in modules if f.is_file() and not f.stem == "__init__"]
================================================
FILE: checkov/argo_workflows/common/__init__.py
================================================
================================================
FILE: checkov/argo_workflows/runner.py
================================================
from __future__ import annotations
import re
from typing import TYPE_CHECKING, Any
from checkov.common.images.image_referencer import ImageReferencer, Image
from checkov.common.output.report import CheckType
from checkov.common.util.file_utils import read_file_with_any_encoding
from checkov.yaml_doc.runner import Runner as YamlRunner
# Import of the checks registry for a specific resource type
from checkov.argo_workflows.checks.registry import registry as template_registry
if TYPE_CHECKING:
from checkov.common.checks.base_check_registry import BaseCheckRegistry
# An `apiVersion:` line under the argoproj.io group (the `.` is unescaped, so it matches any
# character there; harmless for the intended input).
API_VERSION_PATTERN = re.compile(r"^apiVersion:\s*argoproj.io/", re.MULTILINE)
# Prefix match only: `kind: WorkflowTemplate` also matches, `kind: CronWorkflow` does not.
# NOTE(review): confirm that is intended; `is_workflow_file` and `get_images` depend on it.
KIND_PATTERN = re.compile(r"^kind:\s*Workflow", re.MULTILINE)
class Runner(YamlRunner, ImageReferencer):
check_type = CheckType.ARGO_WORKFLOWS # noqa: CCE003 # a static attribute
block_type_registries = { # noqa: CCE003 # a static attribute
"template": template_registry,
}
def require_external_checks(self) -> bool:
return False
def import_registry(self) -> BaseCheckRegistry:
return self.block_type_registries["template"]
@staticmethod
def _parse_file(
f: str, file_content: str | None = None
) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None:
content = Runner._get_workflow_file_content(file_path=f)
if content:
return YamlRunner._parse_file(f=f, file_content=content)
return None
@staticmethod
def _get_workflow_file_content(file_path: str) -> str | None:
if not file_path.endswith((".yaml", ".yml")):
return None
content = read_file_with_any_encoding(file_path=file_path)
if "argoproj.io" not in content:
# the following regex will search more precisely, but no need to further process
return None
match_api = re.search(API_VERSION_PATTERN, content)
if match_api:
match_kind = re.search(KIND_PATTERN, content)
if match_kind:
# only scan Argo Workflows
return content
return None
def is_workflow_file(self, file_path: str) -> bool:
return self._get_workflow_file_content(file_path=file_path) is not None
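def get_images(self, file_path: str) -> set[Image]:
    """Collect the container images referenced by an Argo Workflows file.

    Only ``spec.templates[*].container.image`` and
    ``spec.templates[*].script.image`` are inspected. For the sample below the
    result holds ``argoproj/argosay:v2`` and ``python:alpine3.6``:

        apiVersion: argoproj.io/v1alpha1
        kind: Workflow
        metadata:
          generateName: template-defaults-
        spec:
          entrypoint: main
          templates:
            - name: main
              steps:
                - - name: retry-backoff
                    template: retry-backoff
                - - name: whalesay
                    template: whalesay
            - name: whalesay
              container:
                image: argoproj/argosay:v2
                command: [cowsay]
                args: ["hello world"]
            - name: retry-backoff
              container:
                image: python:alpine3.6
                command: ["python", -c]
                # fail with a 66% probability
                args: ["import random; import sys; exit_code = random.choice([0, 1, 1]); sys.exit(exit_code)"]

    Source: https://github.com/argoproj/argo-workflows/blob/master/examples/template-defaults.yaml

    Fix: entries that are not mappings (a ``spec`` given as an expression
    string, a scalar/null template entry, a scalar ``container``/``script``)
    are skipped instead of raising ``AttributeError`` on ``.get``.

    :param file_path: path of the file; forwarded to ``_parse_file`` and
        stored on every returned ``Image``
    :return: set of ``Image`` objects, empty when the file does not parse or
        holds no image references
    """
    images: set[Image] = set()

    parsed_file = self._parse_file(file_path)
    if not parsed_file:
        return images

    workflow, _workflow_line_numbers = parsed_file
    if not isinstance(workflow, dict):
        return images

    spec = workflow.get("spec")
    if not isinstance(spec, dict):
        return images

    templates = spec.get("templates")
    if not isinstance(templates, list):
        return images

    for template in templates:
        if not isinstance(template, dict):
            # a stray scalar/null list entry would otherwise raise on .get()
            continue
        # both "container" and "script" templates carry an "image" key
        for block_key in ("container", "script"):
            block = template.get(block_key)
            if not isinstance(block, dict):
                continue
            image = self.extract_image(file_path=file_path, container=block)
            if image:
                images.add(image)

    return images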
def extract_image(self, file_path: str, container: dict[str, Any]) -> Image | None:
    """Build an ``Image`` from a template ``container``/``script`` mapping.

    :param file_path: file the mapping came from
    :param container: mapping with an optional ``image`` key plus the
        ``__startline__``/``__endline__`` markers the YAML parser adds
    :return: ``Image`` when ``image`` is a non-empty string, else ``None``
    """
    image_name = container.get("image")
    if not image_name or not isinstance(image_name, str):
        return None

    # line markers may be absent (e.g. synthetic mappings), hence the 0 fallback
    return Image(
        file_path=file_path,
        name=image_name,
        start_line=container.get("__startline__", 0),
        end_line=container.get("__endline__", 0),
    )
================================================
FILE: checkov/arm/__init__.py
================================================
from checkov.arm.checks import * # noqa
================================================
FILE: checkov/arm/base_parameter_check.py
================================================
from __future__ import annotations
from abc import abstractmethod
from collections.abc import Iterable
from typing import TYPE_CHECKING, Any
from checkov.arm.registry import arm_parameter_registry
from checkov.common.checks.base_check import BaseCheck
if TYPE_CHECKING:
from checkov.common.models.enums import CheckCategories, CheckResult
class BaseParameterCheck(BaseCheck):
    """Base class for checks that run against a single ARM template parameter.

    Instantiating a subclass registers it with ``arm_parameter_registry``;
    ``block_type`` is fixed to ``"parameter"``.
    """

    def __init__(
        self,
        name: str,
        id: str,
        categories: Iterable[CheckCategories],
        supported_resources: Iterable[str],
        guideline: str | None = None,
    ) -> None:
        """
        :param name: human readable check title
        :param id: check identifier, e.g. ``CKV_AZURE_131``
        :param categories: ``CheckCategories`` the check belongs to
        :param supported_resources: parameter types the check applies to
            (handed to the base class as ``supported_entities``)
        :param guideline: optional remediation link
        """
        super().__init__(
            name=name,
            id=id,
            categories=categories,
            supported_entities=supported_resources,
            block_type="parameter",
            guideline=guideline,
        )
        self.supported_resources = supported_resources
        # side effect: the check becomes visible to the ARM parameter runner
        arm_parameter_registry.register(self)

    def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> CheckResult:
        """Record the parameter type on the (shared) instance, then delegate
        to ``scan_resource_conf``.

        :param conf: the parameter definition mapping
        :param entity_type: the parameter type, e.g. ``secureString``
        """
        self.entity_type = entity_type
        return self.scan_resource_conf(conf)

    @abstractmethod
    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Evaluate one parameter definition; implemented by subclasses."""
        raise NotImplementedError()
================================================
FILE: checkov/arm/base_registry.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.bridgecrew.check_type import CheckType
from checkov.common.checks.base_check_registry import BaseCheckRegistry
class Registry(BaseCheckRegistry):
    """Check registry for ARM templates (report type ``CheckType.ARM``)."""

    def __init__(self) -> None:
        super().__init__(report_type=CheckType.ARM)

    def extract_entity_details(self, entity: dict[str, Any]) -> tuple[str, str, dict[str, Any]]:
        """Split a single-entry ``{name: definition}`` mapping into
        ``(resource_type, resource_name, definition)``.

        The type is read from the definition's ``type`` key and stringified
        (``""`` when absent). Only the first entry is considered; an empty
        mapping raises ``StopIteration``.
        """
        first_entry = next(iter(entity.items()))
        resource_name, resource = first_entry
        resource_type = str(resource.get("type", ""))
        return resource_type, resource_name, resource
================================================
FILE: checkov/arm/base_resource_check.py
================================================
from __future__ import annotations
from abc import abstractmethod
from collections.abc import Iterable
from typing import Any
from checkov.arm.registry import arm_resource_registry
from checkov.bicep.checks.resource.registry import registry as bicep_registry
from checkov.common.checks.base_check import BaseCheck
from checkov.common.models.enums import CheckCategories, CheckResult
class BaseResourceCheck(BaseCheck):
    """Base class for ARM resource checks.

    Subclasses are registered with both the ARM and the Bicep resource
    registries, so one implementation serves both runners. For Bicep
    entities ``scan_entity_conf`` unwraps the runner's envelope before calling
    ``scan_resource_conf``.
    """

    def __init__(
        self,
        name: str,
        id: str,
        categories: "Iterable[CheckCategories]",
        supported_resources: "Iterable[str]",
        guideline: str | None = None,
    ) -> None:
        """
        :param name: human readable check title
        :param id: check identifier, e.g. ``CKV_AZURE_137``
        :param categories: ``CheckCategories`` the check belongs to
        :param supported_resources: ARM resource types the check applies to
        :param guideline: optional remediation link
        """
        super().__init__(
            name=name,
            id=id,
            categories=categories,
            supported_entities=supported_resources,
            block_type="resource",
            guideline=guideline,
        )
        self.supported_resources = supported_resources
        arm_resource_registry.register(self)
        # the very same check object is reused by the Bicep runner
        bicep_registry.register(self)

    def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> CheckResult:
        """Dispatch to ``scan_resource_conf`` with a plain resource mapping.

        ARM input (no ``existing`` key) is passed through unchanged and
        ``self.api_version`` is reset to ``None``. Bicep input carries
        ``existing``, ``api_version`` and ``config``: an ``existing`` value
        that is the boolean ``True`` marks a resource that is referenced but
        not deployed by the template and yields ``UNKNOWN`` (any other value
        is treated as not existing); otherwise ``apiVersion`` is injected into
        ``config`` — mutating the caller's dict — so ARM checks can read it,
        and a ``loop_type`` wrapper is unwrapped one level.

        :param conf: resource definition (ARM) or runner envelope (Bicep)
        :param entity_type: the resource type string
        """
        self.entity_type = entity_type

        if "existing" not in conf:
            # plain ARM resource
            self.api_version = None
            return self.scan_resource_conf(conf)

        if conf["existing"] is True:
            # "existing" references an already deployed resource; nothing to check
            return CheckResult.UNKNOWN

        self.api_version = conf["api_version"]
        resource_conf = conf["config"]
        # copy the API version into the ARM-shaped config for check reuse
        resource_conf["apiVersion"] = self.api_version
        if "loop_type" in resource_conf:
            # the whole resource block is wrapped in a for loop
            resource_conf = resource_conf["config"]
        return self.scan_resource_conf(resource_conf)

    @abstractmethod
    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Evaluate one resource definition; implemented by subclasses."""
        raise NotImplementedError()
================================================
FILE: checkov/arm/base_resource_negative_value_check.py
================================================
from __future__ import annotations
import re
from abc import abstractmethod
from collections.abc import Iterable
from typing import Any
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.common.models.consts import ANY_VALUE
from checkov.common.util.data_structures_utils import find_in_dict
from checkov.common.util.type_forcers import force_list
# Matches an ARM template function call to parameters() or variables().
# NOTE(review): it is applied with re.match, i.e. anchored at the start of the
# value; an ARM expression written as "[parameters('x')]" starts with "[" —
# confirm whether the parser strips the brackets before values reach the checks.
VARIABLE_DEPENDANT_REGEX = re.compile(r"(?:parameters|variables)\(")
class BaseResourceNegativeValueCheck(BaseResourceCheck):
    """ARM resource check that FAILS when an attribute holds a forbidden value.

    Subclasses provide ``get_inspected_key`` and ``get_forbidden_values``.
    Outcome of ``scan_resource_conf``:

    * key missing or value falsy -> ``missing_block_result`` (PASSED by default)
    * value is a string starting with ``parameters(``/``variables(`` -> UNKNOWN
    * value in forbidden values, or ``ANY_VALUE`` forbidden -> FAILED
    * otherwise -> PASSED
    """

    def __init__(
        self,
        name: str,
        id: str,
        categories: "Iterable[CheckCategories]",
        supported_resources: "Iterable[str]",
        missing_block_result: CheckResult = CheckResult.PASSED,
        guideline: str | None = None,
    ) -> None:
        """
        :param missing_block_result: result to report when the inspected key
            is absent (or falsy); defaults to PASSED
        """
        super().__init__(
            name=name, id=id, categories=categories, supported_resources=supported_resources, guideline=guideline
        )
        self.missing_block_result = missing_block_result

    @staticmethod
    def _is_variable_dependant(value: Any) -> bool:
        """True when ``value`` is a string that starts with a
        ``parameters(``/``variables(`` call (anchored match, see the regex)."""
        if not isinstance(value, str):
            return False
        return re.match(VARIABLE_DEPENDANT_REGEX, value) is not None

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Look up the inspected key and compare it against the forbidden values.

        :param conf: resource definition mapping
        """
        inspected_key = self.get_inspected_key()
        forbidden_values = self.get_forbidden_values()
        value = find_in_dict(conf, inspected_key)

        # NOTE: a falsy value (False, 0, "") is treated like a missing key here,
        # unlike BaseResourceValueCheck which tests ``is not None``.
        if not value:
            return self.missing_block_result

        if isinstance(value, list) and len(value) == 1:
            value = value[0]

        if self._is_variable_dependant(value):
            # resolved at deploy time; cannot be evaluated statically
            return CheckResult.UNKNOWN

        if value in forbidden_values or ANY_VALUE in forbidden_values:
            return CheckResult.FAILED
        return CheckResult.PASSED

    @abstractmethod
    def get_inspected_key(self) -> str:
        """
        :return: JSONPath syntax path of the checked attribute
        """
        raise NotImplementedError()

    @abstractmethod
    def get_forbidden_values(self) -> list[Any]:
        """
        :return: list of vulnerable values for the inspected key, governed by provider best practices
        """
        raise NotImplementedError()

    def get_evaluated_keys(self) -> list[str]:
        """The inspected key, wrapped in a list for reporting."""
        return force_list(self.get_inspected_key())
================================================
FILE: checkov/arm/base_resource_value_check.py
================================================
from __future__ import annotations
import re
from abc import abstractmethod
from collections.abc import Iterable
from typing import Dict, Any, List, Optional
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.common.models.consts import ANY_VALUE
from checkov.common.util.data_structures_utils import find_in_dict
# NOTE(review): this is Terraform reference syntax (local./var./module.); the
# sibling BaseResourceNegativeValueCheck matches ARM parameters()/variables()
# calls instead. Confirm which form values take in this runner — if ARM values
# never look like this, _is_variable_dependant below can never return True.
VARIABLE_DEPENDANT_REGEX = re.compile(r"(?:local|var|module)\.[^\s]+")
class BaseResourceValueCheck(BaseResourceCheck):
    """ARM resource check that PASSES when an attribute holds an expected value.

    Subclasses provide ``get_inspected_key`` and either ``get_expected_value``
    (single value, defaults to ``True``) or ``get_expected_values``.
    Outcome of ``scan_resource_conf``:

    * key missing (``None``) -> ``missing_block_result`` (FAILED by default)
    * ``ANY_VALUE`` among the expected values -> PASSED (presence suffices)
    * value in expected values, or matching ``VARIABLE_DEPENDANT_REGEX`` -> PASSED
    * otherwise -> FAILED
    """

    def __init__(
        self,
        name: str,
        id: str,
        categories: Iterable[CheckCategories],
        supported_resources: "Iterable[str]",
        missing_block_result: CheckResult = CheckResult.FAILED,
        guideline: Optional[str] = None,
    ) -> None:
        """
        :param missing_block_result: result to report when the inspected key
            is absent; defaults to FAILED
        """
        super().__init__(
            name=name, id=id, categories=categories, supported_resources=supported_resources, guideline=guideline
        )
        self.missing_block_result = missing_block_result

    @staticmethod
    def _is_variable_dependant(value: Any) -> bool:
        """True when ``value`` is a string matching ``VARIABLE_DEPENDANT_REGEX``
        at its start."""
        return isinstance(value, str) and re.match(VARIABLE_DEPENDANT_REGEX, value) is not None

    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
        """Look up the inspected key and compare it against the expected values.

        :param conf: resource definition mapping
        """
        inspected_key = self.get_inspected_key()
        expected_values = self.get_expected_values()
        value = find_in_dict(conf, inspected_key)

        if value is None:
            return self.missing_block_result

        if ANY_VALUE in expected_values:
            # the key being present is all the check asks for
            return CheckResult.PASSED

        if isinstance(value, list) and len(value) == 1:
            value = value[0]

        # a variable-dependant value cannot be judged statically and is accepted
        if value in expected_values or self._is_variable_dependant(value):
            return CheckResult.PASSED
        return CheckResult.FAILED

    @abstractmethod
    def get_inspected_key(self) -> str:
        """
        :return: JSONPath syntax path of the checked attribute
        """
        raise NotImplementedError()

    def get_expected_values(self) -> List[Any]:
        """
        Override with the list of acceptable values when more than one value is
        allowed for the inspected key.

        :return: list of expected values, defaults to ``[get_expected_value()]``
        """
        return [self.get_expected_value()]

    def get_expected_value(self) -> Any:
        """
        :return: the default expected value, governed by provider best practices (``True``)
        """
        return True
================================================
FILE: checkov/arm/checks/__init__.py
================================================
from checkov.arm.checks.resource import * # noqa
from checkov.arm.checks.parameter import * # noqa
================================================
FILE: checkov/arm/checks/graph_checks/AzureMLWorkspacePublicNetwork.yaml
================================================
# CKV2_AZURE_49 — Azure ML workspace public network access.
# Passes when properties.publicNetworkAccess is "Disabled", or when the
# property is absent.
# NOTE(review): the `not_exists` branch reports an unconfigured workspace as
# compliant; if the platform default for publicNetworkAccess is Enabled this
# is a gap — confirm the default before relying on this check.
metadata:
  id: "CKV2_AZURE_49"
  name: "Ensure that Azure Machine learning workspace is not configured with overly permissive network access"
  category: "NETWORKING"
definition:
  or:
    - cond_type: "attribute"
      resource_types: "Microsoft.MachineLearningServices/workspaces"
      attribute: "properties.publicNetworkAccess"
      operator: "not_exists"
    - cond_type: "attribute"
      resource_types: "Microsoft.MachineLearningServices/workspaces"
      attribute: "properties.publicNetworkAccess"
      operator: "equals"
      value: "Disabled"
================================================
FILE: checkov/arm/checks/graph_checks/AzureSpringCloudConfigWithVnet.yaml
================================================
# CKV2_AZURE_23 — Azure Spring Cloud deployed into a VNet.
# Both conditions must hold: the SKU is not B0 (case-insensitive) AND
# properties.networkProfile.serviceRuntimeSubnetId is set.
# NOTE(review): because the conditions are AND-ed, a B0 (Basic) tier instance
# can never pass. If Basic tier is meant to be out of scope rather than
# always failing, the intent may have been "B0 OR subnet present" — confirm.
metadata:
  id: "CKV2_AZURE_23"
  name: "Ensure Azure spring cloud is configured with Virtual network (Vnet)"
  category: "NETWORKING"
definition:
  and:
    - cond_type: attribute
      resource_types: "Microsoft.AppPlatform/Spring"
      attribute: "sku.name"
      operator: "not_equals_ignore_case"
      value: "B0"
    - cond_type: attribute
      resource_types: "Microsoft.AppPlatform/Spring"
      attribute: "properties.networkProfile.serviceRuntimeSubnetId"
      operator: "exists"
================================================
FILE: checkov/arm/checks/graph_checks/SynapseLogMonitoringEnabledForSQLPool.yaml
================================================
# CKV2_AZURE_54 — Synapse SQL pool auditing.
# A sqlPools resource must be connected to an auditingSettings resource whose
# properties.state is "Enabled"; an auditingSettings without any state also
# passes. The `filter` scopes the reported resource to the SQL pool itself.
# NOTE(review): "state exists AND equals Enabled" is equivalent to the
# `equals` test alone. The `not_exists` branch is lenient — confirm that an
# auditingSettings resource with no explicit state really audits by default.
metadata:
  id: "CKV2_AZURE_54"
  name: "Ensure log monitoring is enabled for Synapse SQL Pool"
  category: "LOGGING"
definition:
  and:
    - cond_type: connection
      resource_types:
        - Microsoft.Synapse/workspaces/sqlPools
      connected_resource_types:
        - Microsoft.Synapse/workspaces/sqlPools/auditingSettings
      operator: exists
    - cond_type: filter
      attribute: resource_type
      value:
        - Microsoft.Synapse/workspaces/sqlPools
      operator: within
    - or:
        - and:
            - cond_type: attribute
              resource_types:
                - Microsoft.Synapse/workspaces/sqlPools/auditingSettings
              attribute: properties.state
              operator: exists
            - cond_type: attribute
              resource_types:
                - Microsoft.Synapse/workspaces/sqlPools/auditingSettings
              attribute: properties.state
              operator: equals
              value: Enabled
        - cond_type: attribute
          resource_types:
            - Microsoft.Synapse/workspaces/sqlPools/auditingSettings
          attribute: properties.state
          operator: not_exists
================================================
FILE: checkov/arm/checks/graph_checks/SynapseSQLPoolHasSecurityAlertPolicy.yaml
================================================
# CKV2_AZURE_51 — Synapse SQL pool security alert policy.
# A sqlPools resource must be connected to a security alert policy whose
# properties.state is "Enabled" (a policy with no state set also passes).
# NOTE(review): the connected type is the SQL Server policy type
# (Microsoft.Sql/servers/securityAlertPolicies). Synapse exposes its own child
# type for SQL pools (Microsoft.Synapse/workspaces/sqlPools/securityAlertPolicies);
# confirm which type the ARM graph actually links to a sqlPool — if only the
# Synapse type is connected, this `connection` never resolves and every pool is
# reported as failed.
metadata:
  id: "CKV2_AZURE_51"
  name: "Ensure Synapse SQL Pool has a security alert policy"
  category: "GENERAL_SECURITY"
definition:
  and:
    - cond_type: connection
      resource_types:
        - Microsoft.Synapse/workspaces/sqlPools
      connected_resource_types:
        - Microsoft.Sql/servers/securityAlertPolicies
      operator: exists
    - cond_type: filter
      attribute: resource_type
      operator: within
      value:
        - Microsoft.Synapse/workspaces/sqlPools
    - or:
        - and:
            - cond_type: attribute
              resource_types:
                - Microsoft.Sql/servers/securityAlertPolicies
              attribute: properties.state
              operator: exists
            - cond_type: attribute
              resource_types:
                - Microsoft.Sql/servers/securityAlertPolicies
              attribute: properties.state
              operator: equals
              value: Enabled
        - cond_type: attribute
          resource_types:
            - Microsoft.Sql/servers/securityAlertPolicies
          attribute: properties.state
          operator: not_exists
================================================
FILE: checkov/arm/checks/graph_checks/SynapseSQLPoolHasVulnerabilityAssessment.yaml
================================================
# CKV2_AZURE_52 — Synapse SQL pool vulnerability assessment.
# Requires a two-hop chain: sqlPools -> securityAlertPolicies ->
# vulnerabilityAssessments, and the assessment's
# properties.recurringScans.isEnabled to be true (or unset).
# NOTE(review): both hops use the SQL Server resource types
# (Microsoft.Sql/servers/...). Synapse has its own child types under
# Microsoft.Synapse/workspaces/sqlPools/...; confirm the ARM graph links these
# to a sqlPool, otherwise the first `connection` never resolves and every pool
# fails. The `not_exists` branch on isEnabled is lenient — confirm the default.
# Style: keys here are ordered with `cond_type` last, unlike the sibling
# Synapse checks; harmless (mappings are unordered) but worth aligning.
metadata:
  id: "CKV2_AZURE_52"
  name: "Ensure Synapse SQL Pool has vulnerability assessment attached"
  category: "GENERAL_SECURITY"
definition:
  and:
    - resource_types:
        - Microsoft.Synapse/workspaces/sqlPools
      connected_resource_types:
        - Microsoft.Sql/servers/securityAlertPolicies
      operator: exists
      cond_type: connection
    - resource_types:
        - Microsoft.Sql/servers/securityAlertPolicies
      connected_resource_types:
        - Microsoft.Sql/servers/vulnerabilityAssessments
      operator: exists
      cond_type: connection
    - cond_type: filter
      attribute: resource_type
      value:
        - Microsoft.Synapse/workspaces/sqlPools
      operator: within
    - or:
        - and:
            - cond_type: attribute
              resource_types:
                - Microsoft.Sql/servers/vulnerabilityAssessments
              attribute: properties.recurringScans.isEnabled
              operator: exists
            - cond_type: attribute
              resource_types:
                - Microsoft.Sql/servers/vulnerabilityAssessments
              attribute: properties.recurringScans.isEnabled
              operator: equals
              value: true
        - cond_type: attribute
          resource_types:
            - Microsoft.Sql/servers/vulnerabilityAssessments
          attribute: properties.recurringScans.isEnabled
          operator: not_exists
================================================
FILE: checkov/arm/checks/graph_checks/SynapseWorkspaceHasExtendedAuditLogs.yaml
================================================
# CKV2_AZURE_53 — Synapse workspace extended auditing.
# A workspace must be connected to an extendedAuditingPolicies resource whose
# properties.state is "Enabled" (a policy with no state set also passes).
# The `filter` scopes the reported resource to the workspace.
# NOTE(review): "state exists AND equals Enabled" is equivalent to `equals`
# alone; the `not_exists` branch is lenient — confirm that a policy resource
# without an explicit state is really enabled by default.
metadata:
  id: "CKV2_AZURE_53"
  name: "Ensure Azure Synapse Workspace has extended audit logs"
  category: "LOGGING"
definition:
  and:
    - cond_type: filter
      attribute: resource_type
      value:
        - Microsoft.Synapse/workspaces
      operator: within
    - cond_type: connection
      resource_types:
        - Microsoft.Synapse/workspaces
      connected_resource_types:
        - Microsoft.Synapse/workspaces/extendedAuditingPolicies
      operator: exists
    - or:
        - and:
            - cond_type: attribute
              resource_types:
                - Microsoft.Synapse/workspaces/extendedAuditingPolicies
              attribute: properties.state
              operator: exists
            - cond_type: attribute
              resource_types:
                - Microsoft.Synapse/workspaces/extendedAuditingPolicies
              attribute: properties.state
              operator: equals
              value: Enabled
        - cond_type: attribute
          resource_types:
            - Microsoft.Synapse/workspaces/extendedAuditingPolicies
          attribute: properties.state
          operator: not_exists
================================================
FILE: checkov/arm/checks/graph_checks/__init__.py
================================================
================================================
FILE: checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_parameter_check import BaseParameterCheck
class SecureStringParameterNoHardcodedValue(BaseParameterCheck):
    """CKV_AZURE_131 — a ``secureString`` parameter must not ship a default value.

    Per the ARM template test-case documentation the default should be absent
    or an empty string; any truthy ``defaultValue`` fails. On failure the
    offending value is copied into the parameter conf under
    ``<check id>_secret`` (``CKV_AZURE_131_secret``), mutating the caller's
    mapping — presumably so downstream reporting can treat it as a secret;
    confirm the consumer.

    NOTE(review): ``secureObject`` parameters are not covered, and an
    expression default such as ``"[newGuid()]"`` is reported just like a
    literal — confirm whether that is intended.
    """

    def __init__(self) -> None:
        super().__init__(
            name="SecureString parameter should not have hardcoded default values",
            id="CKV_AZURE_131",
            categories=(CheckCategories.SECRETS,),
            supported_resources=("secureString",),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """FAIL when ``defaultValue`` is present and non-empty.

        :param conf: the parameter definition mapping
        """
        # https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/test-cases#secure-parameters-cant-have-hardcoded-default
        default_value = conf.get("defaultValue")
        if not default_value:
            # missing, null or "" are the allowed forms
            return CheckResult.PASSED

        # surface the hardcoded value under a "_secret" suffixed key
        conf[f"{self.id}_secret"] = default_value
        return CheckResult.FAILED


check = SecureStringParameterNoHardcodedValue()
================================================
FILE: checkov/arm/checks/parameter/__init__.py
================================================
from os.path import dirname, basename, isfile, join
import glob
modules = glob.glob(join(dirname(__file__), "*.py"))
__all__ = [basename(f)[:-3] for f in modules if isfile(f) and not f.endswith("__init__.py")]
================================================
FILE: checkov/arm/checks/resource/ACRAdminAccountDisabled.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck
class ACRAdminAccountDisabled(BaseResourceNegativeValueCheck):
    """CKV_AZURE_137 — fail when ``properties.adminUserEnabled`` is ``True``.

    Negative-value semantics apply: a missing (or falsy) key passes and a
    ``parameters()``/``variables()`` expression yields UNKNOWN.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure ACR admin account is disabled",
            id="CKV_AZURE_137",
            categories=[CheckCategories.IAM],
            supported_resources=("Microsoft.ContainerRegistry/registries",),
        )

    def get_inspected_key(self) -> str:
        return "properties/adminUserEnabled"

    def get_forbidden_values(self) -> List[Any]:
        # the admin user is a single shared credential for the whole registry
        return [True]


check = ACRAdminAccountDisabled()
================================================
FILE: checkov/arm/checks/resource/ACRAnonymousPullDisabled.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
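class ACRAnonymousPullDisabled(BaseResourceCheck):
    """CKV_AZURE_138 — fail when an ACR registry enables anonymous pull on a
    SKU that supports it.

    A registry fails only when ``sku.name`` is one of
    ``ANONYMOUS_PULL_SKUS`` AND ``properties.anonymousPullEnabled`` is truthy.
    Everything else passes.

    Fix: a ``sku`` or ``properties`` value that is not a mapping (``null`` or
    an ARM expression string) previously raised ``AttributeError`` on
    ``.get``; it now passes, mirroring ACREnableZoneRedundancy's handling of a
    non-mapping ``properties``.
    """

    ANONYMOUS_PULL_SKUS = {"Standard", "Premium"}  # noqa: CCE003 # a static attribute

    def __init__(self) -> None:
        super().__init__(
            name="Ensures that ACR disables anonymous pulling of images",
            id="CKV_AZURE_138",
            categories=(CheckCategories.IAM,),
            supported_resources=("Microsoft.ContainerRegistry/registries",),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """
        :param conf: resource definition mapping
        :return: FAILED for an anonymous-pull-capable SKU with the flag set, else PASSED
        """
        sku = conf.get("sku")
        properties = conf.get("properties")
        # guard against null / expression-valued blocks
        if not isinstance(sku, dict) or not isinstance(properties, dict):
            return CheckResult.PASSED

        sku_name = sku.get("name")
        if not isinstance(sku_name, str) or sku_name not in self.ANONYMOUS_PULL_SKUS:
            # SKUs without anonymous pull support cannot be misconfigured here
            return CheckResult.PASSED

        if properties.get("anonymousPullEnabled"):
            return CheckResult.FAILED
        return CheckResult.PASSED

    def get_evaluated_keys(self) -> List[str]:
        return ["properties", "properties/anonymousPullEnabled", "sku"]


check = ACRAnonymousPullDisabled()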
================================================
FILE: checkov/arm/checks/resource/ACRContainerScanEnabled.py
================================================
from __future__ import annotations
from typing import Any, Dict, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
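class ACRContainerScanEnabled(BaseResourceCheck):
    """CKV_AZURE_163 — registry SKU must be one that supports image scanning.

    The check only inspects ``sku.name`` and passes for the tiers in ``SKUS``;
    it does not verify that scanning itself is switched on (that is not part
    of the registry resource, presumably configured elsewhere — confirm).

    Fix: a ``sku`` value that is not a mapping (``null`` or an ARM expression
    string) previously raised ``AttributeError``; it now fails like a missing
    ``sku`` does, since no supported tier can be proven.
    """

    SKUS = {"Standard", "Premium"}  # noqa: CCE003 # a static attribute

    def __init__(self) -> None:
        super().__init__(
            name="Enable vulnerability scanning for container images.",
            id="CKV_AZURE_163",
            categories=(CheckCategories.GENERAL_SECURITY,),
            supported_resources=("Microsoft.ContainerRegistry/registries",),
        )

    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
        """
        :param conf: resource definition mapping
        :return: PASSED when ``sku.name`` is in ``SKUS``, else FAILED
        """
        sku = conf.get("sku")
        if not isinstance(sku, dict):
            # missing, null or expression-valued sku: no supported tier can be proven
            return CheckResult.FAILED

        sku_name = sku.get("name")
        if isinstance(sku_name, str) and sku_name in self.SKUS:
            return CheckResult.PASSED
        return CheckResult.FAILED

    def get_evaluated_keys(self) -> List[str]:
        return ["sku", "sku/name"]


check = ACRContainerScanEnabled()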
================================================
FILE: checkov/arm/checks/resource/ACREnableImageQuarantine.py
================================================
from __future__ import annotations
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class ACREnableImageQuarantine(BaseResourceValueCheck):
    """CKV_AZURE_166 — ``properties.policies.quarantinePolicy.status`` must be
    ``"enabled"`` (exact, case-sensitive match). A missing key fails.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure container image quarantine, scan, and mark images verified",
            id="CKV_AZURE_166",
            categories=(CheckCategories.SUPPLY_CHAIN,),
            supported_resources=("Microsoft.ContainerRegistry/registries",),
        )

    def get_inspected_key(self) -> str:
        return "properties/policies/quarantinePolicy/status"

    def get_expected_value(self) -> str:
        # lowercase as used by the ARM quarantinePolicy schema
        return "enabled"


check = ACREnableImageQuarantine()
================================================
FILE: checkov/arm/checks/resource/ACREnableZoneRedundancy.py
================================================
from __future__ import annotations
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_check import BaseResourceCheck
from typing import Any
class ACREnableZoneRedundancy(BaseResourceCheck):
    """CKV_AZURE_233 — ACR registry / replication should be zone redundant.

    Zone redundancy provides resiliency and high availability to a registry
    or replication resource in a specific region. Supported on Premium.

    Only an explicit ``properties.zoneRedundancy: "Disabled"`` fails; a missing
    property, an empty or non-mapping ``properties`` block all pass.
    NOTE(review): the original in-code comment states the platform default is
    disabled, yet an unset value passes, so a registry that never sets
    zoneRedundancy is reported compliant — confirm this leniency is intended.
    The ``conf`` annotation (``dict[str, list[Any]]``) does not describe the
    actual shape (``properties`` is a mapping); kept for interface stability.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure Azure Container Registry (ACR) is zone redundant",
            id="CKV_AZURE_233",
            categories=(CheckCategories.BACKUP_AND_RECOVERY,),
            supported_resources=(
                "Microsoft.ContainerRegistry/registries",
                "Microsoft.ContainerRegistry/registries/replications",
            ),
        )

    def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
        """
        :param conf: resource definition mapping
        :return: FAILED only when zoneRedundancy is literally "Disabled"
        """
        properties = conf.get("properties")
        if not properties or not isinstance(properties, dict):
            # nothing to inspect (and evaluated_keys is deliberately left untouched)
            return CheckResult.PASSED

        self.evaluated_keys = ["properties"]
        if properties.get("zoneRedundancy") != "Disabled":
            return CheckResult.PASSED

        self.evaluated_keys = ["properties/zoneRedundancy"]
        return CheckResult.FAILED


check = ACREnableZoneRedundancy()
================================================
FILE: checkov/arm/checks/resource/ACRPublicNetworkAccessDisabled.py
================================================
from __future__ import annotations
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class ACRPublicNetworkAccessDisabled(BaseResourceValueCheck):
    """CKV_AZURE_139 — ``properties.publicNetworkAccess`` must be ``"Disabled"``.

    A missing key fails (value-check default), so a registry that relies on
    the platform default is reported as non-compliant.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure ACR set to disable public networking",
            id="CKV_AZURE_139",
            categories=[CheckCategories.NETWORKING],
            supported_resources=("Microsoft.ContainerRegistry/registries",),
        )

    def get_inspected_key(self) -> str:
        return "properties/publicNetworkAccess"

    def get_expected_value(self) -> str:
        return "Disabled"


check = ACRPublicNetworkAccessDisabled()
================================================
FILE: checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
class AKSApiServerAuthorizedIpRanges(BaseResourceCheck):
    """CKV_AZURE_6 — the AKS API server must restrict access to authorized IP ranges.

    The property location depends on the resource's ``apiVersion``:

    * ``2017-08-31``, ``2018-03-31``: the feature did not exist -> FAILED
    * ``2019-02-01``, ``2019-04-01``, ``2019-06-01`` (preview): a non-empty
      ``properties.apiServerAuthorizedIPRanges`` passes
    * any other version (treated as GA, including ``-preview`` suffixed
      ones): a non-empty
      ``properties.apiServerAccessProfile.authorizedIPRanges`` passes

    A resource without ``apiVersion`` fails without inspecting ``properties``.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure AKS has an API Server Authorized IP Ranges enabled",
            id="CKV_AZURE_6",
            categories=(CheckCategories.KUBERNETES,),
            supported_resources=("Microsoft.ContainerService/managedClusters",),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """
        :param conf: resource definition mapping
        """
        if "apiVersion" not in conf:
            return CheckResult.FAILED

        api_version = conf["apiVersion"]

        if api_version in ("2017-08-31", "2018-03-31"):
            # authorized IP ranges are not supported by these API versions
            return CheckResult.FAILED

        if api_version in ("2019-02-01", "2019-04-01", "2019-06-01"):
            # preview API versions expose the list directly under properties
            properties = conf["properties"] if "properties" in conf else {}
            if "apiServerAuthorizedIPRanges" in properties and properties["apiServerAuthorizedIPRanges"]:
                return CheckResult.PASSED
            return CheckResult.FAILED

        # fully supported in all later API versions via apiServerAccessProfile
        properties = conf.get("properties")
        if not properties or not isinstance(properties, dict):
            return CheckResult.FAILED

        access_profile = properties.get("apiServerAccessProfile")
        if not access_profile:
            return CheckResult.FAILED

        if access_profile.get("authorizedIPRanges"):
            return CheckResult.PASSED
        return CheckResult.FAILED

    def get_evaluated_keys(self) -> List[str]:
        return ["properties", "properties/apiServerAccessProfile", "properties/apiServerAccessProfile/authorizedIPRanges"]


check = AKSApiServerAuthorizedIpRanges()
================================================
FILE: checkov/arm/checks/resource/AKSDashboardDisabled.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
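class AKSDashboardDisabled(BaseResourceCheck):
    """CKV_AZURE_8 — the Kubernetes dashboard add-on must be explicitly disabled.

    Passes only when ``properties.addonProfiles.kubeDashboard.enabled`` is
    ``false`` (boolean, or the string ``"false"`` in any case). Everything
    else fails: API version ``2017-08-31`` (no ``addonProfiles`` support), a
    missing or non-mapping ``properties``, ``addonProfiles`` or
    ``kubeDashboard``, and a missing or truthy ``enabled``.

    Fix: ``evaluated_keys`` is now narrowed to the ``enabled`` key when the
    verdict is decided there; it was previously left at ``properties`` so the
    report highlighted the wrong lines.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure Kubernetes Dashboard is disabled",
            id="CKV_AZURE_8",
            categories=(CheckCategories.KUBERNETES,),
            supported_resources=("Microsoft.ContainerService/managedClusters",),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """
        :param conf: resource definition mapping
        """
        if conf.get("apiVersion") == "2017-08-31":
            # this API version has no addonProfiles option to configure
            self.evaluated_keys = ["apiVersion"]
            return CheckResult.FAILED

        properties = conf.get("properties")
        self.evaluated_keys = ["properties"]
        if not isinstance(properties, dict):
            return CheckResult.FAILED

        addon_profiles = properties.get("addonProfiles")
        if not isinstance(addon_profiles, dict):
            self.evaluated_keys = ["properties/addonProfiles"]
            return CheckResult.FAILED

        kube_dashboard = addon_profiles.get("kubeDashboard")
        if not isinstance(kube_dashboard, dict):
            self.evaluated_keys = ["properties/addonProfiles/kubeDashboard"]
            return CheckResult.FAILED

        self.evaluated_keys = ["properties/addonProfiles/kubeDashboard/enabled"]
        enabled = kube_dashboard.get("enabled")
        # accept both a boolean and a string spelling of false
        if enabled is not None and str(enabled).lower() == "false":
            return CheckResult.PASSED
        return CheckResult.FAILED


check = AKSDashboardDisabled()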
================================================
FILE: checkov/arm/checks/resource/AKSEncryptionAtHostEnabled.py
================================================
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class AKSEncryptionAtHostEnabled(BaseResourceValueCheck):
    """CKV_AZURE_227 — AKS node pools must enable host-based encryption.

    With host-based encryption, the data stored on the VM host of your AKS
    agent nodes' VMs is encrypted at rest and flows encrypted to the Storage
    service. This means the temp disks are encrypted at rest with
    platform-managed keys. The cache of OS and data disks is encrypted at
    rest with either platform-managed keys or customer-managed keys depending
    on the encryption type set on those disks.

    The inspected key depends on the entity type recorded by
    ``scan_entity_conf``: for a managed cluster only the FIRST agent pool
    profile (``agentPoolProfiles[0]``) is inspected, so additional pools in
    the same resource are not evaluated here; a stand-alone ``agentPools``
    resource is inspected directly. A missing key fails.
    """

    def __init__(self) -> None:
        super().__init__(
            name=(
                "Ensure that the AKS cluster encrypt temp disks, caches, and data flows "
                "between Compute and Storage resources"
            ),
            id="CKV_AZURE_227",
            categories=[CheckCategories.KUBERNETES, ],
            supported_resources=[
                "Microsoft.ContainerService/managedClusters",
                "Microsoft.ContainerService/managedClusters/agentPools",
            ],
            missing_block_result=CheckResult.FAILED,
        )

    def get_inspected_key(self) -> str:
        if self.entity_type == "Microsoft.ContainerService/managedClusters":
            # only the first pool of an inline cluster definition is checked
            return "properties/agentPoolProfiles/[0]/enableEncryptionAtHost"
        return "properties/enableEncryptionAtHost"

    def get_expected_value(self) -> bool:
        return True


check = AKSEncryptionAtHostEnabled()
================================================
FILE: checkov/arm/checks/resource/AKSEphemeralOSDisks.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class AKSEphemeralOSDisks(BaseResourceValueCheck):
    """CKV_AZURE_226 — AKS node OS disks should be ephemeral.

    Temporary data can contain sensitive data at some points; by using
    ephemeral disks we ensure that data written to the OS disk is stored on
    local VM storage and isn't persisted to Azure Storage. Azure automatically
    replicates data stored in the managed OS disk of a virtual machine to
    Azure storage to avoid data loss in case the virtual machine needs to be
    relocated to another host. Generally speaking, containers are not
    designed to have local state persisted to the managed OS disk, hence this
    behavior offers limited value to AKS hosted workloads while providing some
    drawbacks, including slower node provisioning and higher read/write
    latency. Ephemeral disks also allow faster cluster operations like scale
    or upgrade due to faster re-imaging and boot times.

    Only ``properties.agentPoolProfiles[0].osDiskType`` is inspected (first
    pool only) and it must equal ``"Ephemeral"``; a missing key fails.
    NOTE(review): if the platform picks Ephemeral by default when the VM size
    supports it, a pool that omits osDiskType is a false positive — confirm.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure ephemeral disks are used for OS disks",
            id="CKV_AZURE_226",
            categories=[CheckCategories.KUBERNETES,],
            supported_resources=["Microsoft.ContainerService/managedClusters",],
        )

    def get_inspected_key(self) -> str:
        return "properties/agentPoolProfiles/[0]/osDiskType"

    def get_expected_value(self) -> str:
        return "Ephemeral"


check = AKSEphemeralOSDisks()
================================================
FILE: checkov/arm/checks/resource/AKSLocalAdminDisabled.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class AKSLocalAdminDisabled(BaseResourceValueCheck):
    """CKV_AZURE_141 — ``properties.disableLocalAccounts`` must be ``True``.

    A missing key fails (value-check default), i.e. the local admin account is
    assumed enabled unless the template disables it explicitly.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure AKS local admin account is disabled",
            id="CKV_AZURE_141",
            categories=(CheckCategories.IAM,),
            supported_resources=("Microsoft.ContainerService/managedClusters",),
        )

    def get_inspected_key(self) -> str:
        return "properties/disableLocalAccounts"

    def get_expected_value(self) -> bool:
        return True


check = AKSLocalAdminDisabled()
================================================
FILE: checkov/arm/checks/resource/AKSLoggingEnabled.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
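class AKSLoggingEnabled(BaseResourceCheck):
    """CKV_AZURE_4 — the AKS monitoring add-on (omsagent) must be enabled.

    Passes when ``properties.addonProfiles.omsagent.enabled`` (or the
    camelCase ``omsAgent`` spelling) is truthy. API version ``2017-08-31``
    fails outright (no ``addonProfiles`` support), as does any missing or
    non-mapping intermediate block.

    Fix: a string ``"false"``/``"False"`` is truthy in Python and previously
    counted as enabled; it now fails, consistent with how AKSDashboardDisabled
    interprets ``enabled``.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure AKS logging to Azure Monitoring is Configured",
            id="CKV_AZURE_4",
            categories=(CheckCategories.KUBERNETES,),
            supported_resources=("Microsoft.ContainerService/managedClusters",),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """
        :param conf: resource definition mapping
        """
        if conf.get("apiVersion") == "2017-08-31":
            # this API version has no addonProfiles option to configure
            self.evaluated_keys = ["apiVersion"]
            return CheckResult.FAILED

        properties = conf.get("properties")
        self.evaluated_keys = ["properties"]
        if not isinstance(properties, dict):
            return CheckResult.FAILED

        addon_profiles = properties.get("addonProfiles")
        if not isinstance(addon_profiles, dict):
            return CheckResult.FAILED

        self.evaluated_keys = ["properties/addonProfiles"]
        # the profile key is written both in lowercase and in camelCase
        omsagent = addon_profiles.get("omsagent") or addon_profiles.get("omsAgent")
        if not isinstance(omsagent, dict):
            return CheckResult.FAILED

        enabled = omsagent.get("enabled")
        # a string spelling of false must not count as enabled
        if enabled and str(enabled).lower() != "false":
            return CheckResult.PASSED
        return CheckResult.FAILED


check = AKSLoggingEnabled()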
================================================
FILE: checkov/arm/checks/resource/AKSMaxPodsMinimum.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
from typing import Optional
class AKSMaxPodsMinimum(BaseResourceCheck):
def __init__(self) -> None:
name = "Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods."
id = "CKV_AZURE_168"
supported_resources = ("Microsoft.ContainerService/managedClusters",
"Microsoft.ContainerService/managedClusters/agentPools", )
categories = (CheckCategories.KUBERNETES,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
max_pods: Optional[int] = 30
properties = conf.get("properties", {})
if properties and isinstance(properties, dict):
max_pods = properties.get("maxPods")
if "agentPoolProfiles" in properties:
if "maxPods" in properties["agentPoolProfiles"][0]:
max_pods = properties["agentPoolProfiles"][0]["maxPods"]
if max_pods is None or max_pods < 50:
return CheckResult.FAILED
return CheckResult.PASSED
def get_evaluated_keys(self) -> List[str]:
return ["properties", "properties/agentPoolProfiles", "properties/agentPoolProfiles/maxPods"]
check = AKSMaxPodsMinimum()
================================================
FILE: checkov/arm/checks/resource/AKSNetworkPolicy.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
class AKSNetworkPolicy(BaseResourceCheck):
def __init__(self) -> None:
# apiVersion 2017-08-03 = Fail - No networkProfile option to configure
name = "Ensure AKS cluster has Network Policy configured"
id = "CKV_AZURE_7"
supported_resources = ('Microsoft.ContainerService/managedClusters',)
categories = (CheckCategories.KUBERNETES,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
if "apiVersion" in conf:
if conf["apiVersion"] == "2017-08-31":
# No networkProfile option to configure
return CheckResult.FAILED
properties = conf.get('properties')
if not properties or not isinstance(properties, dict):
return CheckResult.FAILED
network_profile = properties.get('networkProfile')
if not network_profile:
return CheckResult.FAILED
network_policy = network_profile.get('networkPolicy')
if network_policy:
return CheckResult.PASSED
return CheckResult.FAILED
def get_evaluated_keys(self) -> List[str]:
return ['properties', 'properties/networkProfile', 'properties/networkProfile/networkPolicy']
check = AKSNetworkPolicy()
================================================
FILE: checkov/arm/checks/resource/AKSPoolTypeIsScaleSet.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck
class AKSPoolTypeIsScaleSet(BaseResourceNegativeValueCheck):
def __init__(self) -> None:
name = "Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets"
id = "CKV_AZURE_169"
supported_resources = ("Microsoft.ContainerService/managedClusters",)
categories = (CheckCategories.KUBERNETES,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)
def get_inspected_key(self) -> str:
return "properties/agentPoolProfiles/[0]/type"
def get_forbidden_values(self) -> list[Any]:
return ["AvailabilitySet"]
check = AKSPoolTypeIsScaleSet()
================================================
FILE: checkov/arm/checks/resource/AKSRbacEnabled.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
class AKSRbacEnabled(BaseResourceCheck):
def __init__(self) -> None:
# apiVersion 2017-08-03 = Fail - No enableRBAC option to configure
name = "Ensure RBAC is enabled on AKS clusters"
id = "CKV_AZURE_5"
supported_resources = ('Microsoft.ContainerService/managedClusters',)
categories = (CheckCategories.KUBERNETES,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
if "apiVersion" in conf:
if conf["apiVersion"] == "2017-08-31":
# No enableRBAC option to configure
self.evaluated_keys = ["apiVersion"]
return CheckResult.FAILED
self.evaluated_keys = ["properties"]
properties = conf.get('properties')
if not properties or not isinstance(properties, dict):
return CheckResult.FAILED
enable_RBAC = properties.get('enableRBAC')
if str(enable_RBAC).lower() == "true":
return CheckResult.PASSED
self.evaluated_keys.append("properties/enableRBAC")
return CheckResult.FAILED
check = AKSRbacEnabled()
================================================
FILE: checkov/arm/checks/resource/AKSUpgradeChannel.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck
class AKSUpgradeChannel(BaseResourceNegativeValueCheck):
def __init__(self) -> None:
name = "Ensure AKS cluster upgrade channel is chosen"
id = "CKV_AZURE_171"
supported_resources = ("Microsoft.ContainerService/managedClusters",)
categories = (CheckCategories.NETWORKING,)
super().__init__(
name=name,
id=id,
categories=categories,
supported_resources=supported_resources,
missing_block_result=CheckResult.FAILED,
)
def get_inspected_key(self) -> str:
return "properties/autoUpgradeProfile/upgradeChannel"
def get_forbidden_values(self) -> Any:
return "none"
check = AKSUpgradeChannel()
================================================
FILE: checkov/arm/checks/resource/APIManagementMinTLS12.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_check import BaseResourceCheck
class APIManagementMinTLS12(BaseResourceCheck):
def __init__(self) -> None:
name = "Ensure API management uses at least TLS 1.2"
id = "CKV_AZURE_173"
supported_resources = ("Microsoft.ApiManagement/service",)
categories = (CheckCategories.ENCRYPTION,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
properties = conf.get("properties")
if isinstance(properties, dict) and "customProperties" in properties:
self.evaluated_keys = ["properties"]
customProperties = properties.get("customProperties")
if isinstance(customProperties, dict):
self.evaluated_keys = ["properties/customProperties"]
if customProperties.get("Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30"):
return CheckResult.FAILED
if customProperties.get("Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10"):
return CheckResult.FAILED
if customProperties.get("Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30"):
return CheckResult.FAILED
if customProperties.get("Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10"):
return CheckResult.FAILED
if customProperties.get("Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11"):
return CheckResult.FAILED
return CheckResult.PASSED
check = APIManagementMinTLS12()
================================================
FILE: checkov/arm/checks/resource/APIManagementPublicAccess.py
================================================
from typing import Any
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class APIManagementPublicAccess(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure API management public access is disabled"
id = "CKV_AZURE_174"
supported_resources = ("Microsoft.ApiManagement/service",)
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/publicNetworkAccess"
def get_expected_value(self) -> Any:
return "Disabled"
check = APIManagementPublicAccess()
================================================
FILE: checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py
================================================
from typing import Any
from checkov.common.models.consts import ANY_VALUE
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class APIServicesUseVirtualNetwork(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that API management services use virtual networks"
id = "CKV_AZURE_107"
supported_resources = ("Microsoft.ApiManagement/service",)
categories = (CheckCategories.NETWORKING,)
super().__init__(
name=name,
id=id,
categories=categories,
supported_resources=supported_resources,
missing_block_result=CheckResult.FAILED,
)
def get_inspected_key(self) -> str:
return "properties/virtualNetworkConfiguration"
def get_expected_value(self) -> Any:
return ANY_VALUE
check = APIServicesUseVirtualNetwork()
================================================
FILE: checkov/arm/checks/resource/AkSSecretStoreRotation.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class AkSSecretStoreRotation(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters"
id = "CKV_AZURE_172"
supported_resources = ("Microsoft.ContainerService/managedClusters",)
categories = (CheckCategories.GENERAL_SECURITY,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/addonProfiles/azureKeyvaultSecretsProvider/config/enableSecretRotation"
check = AkSSecretStoreRotation()
================================================
FILE: checkov/arm/checks/resource/AppGWDefinesSecureProtocols.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_check import BaseResourceCheck
BAD_CIPHERS = {
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 ",
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
}
PROTOCOL_VERSIONS = {"TLSv1_2", "TLSv1_3"}
class AppGWDefinesSecureProtocols(BaseResourceCheck):
def __init__(self) -> None:
"""
https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppGw.SSLPolicy/
"""
name = "Ensure Application Gateway defines secure protocols for in transit communication"
id = "CKV_AZURE_218"
supported_resources = ("Microsoft.Network/applicationGateways",)
categories = (CheckCategories.ENCRYPTION,)
super().__init__(name=name,
id=id,
categories=categories,
supported_resources=supported_resources,)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
sslPolicy = conf["properties"].get("sslPolicy")
if sslPolicy and isinstance(sslPolicy, dict):
policyType = sslPolicy.get("policyType")
if policyType != "Predefined":
protocolversion = sslPolicy.get("minProtocolVersion")
if (
protocolversion and isinstance(protocolversion, str)
and protocolversion in PROTOCOL_VERSIONS
):
ciphers = sslPolicy.get("cipherSuites")
if ciphers and isinstance(ciphers, list) and any(cipher in BAD_CIPHERS for cipher in ciphers):
return CheckResult.FAILED
return CheckResult.PASSED
policyName = sslPolicy.get("policyName")
if policyName == "AppGwSslPolicy20220101S":
return CheckResult.PASSED
return CheckResult.FAILED
return CheckResult.FAILED
def get_evaluated_keys(self) -> List[str]:
return ["properties/sslPolicy", "properties/sslPolicy/policyType", "properties/sslPolicy/minProtocolVersion",
"properties/sslPolicy/cipherSuites"]
check = AppGWDefinesSecureProtocols()
================================================
FILE: checkov/arm/checks/resource/AppGatewayWAFACLCVE202144228.py
================================================
from typing import Dict, Any
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.util.type_forcers import force_list
class AppGatewayWAFACLCVE202144228(BaseResourceCheck):
def __init__(self) -> None:
name = "Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
id = "CKV_AZURE_135"
supported_resources = ("Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",)
categories = (CheckCategories.APPLICATION_SECURITY,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)
def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
properties = conf.get("properties")
if not properties:
return CheckResult.FAILED
self.evaluated_keys = properties.get("managedRules")
managed_rules = properties.get("managedRules")
if managed_rules:
managed_rule_sets = managed_rules.get("managedRuleSets") or []
for idx_rule_set, rule_set in enumerate(force_list(managed_rule_sets)):
self.evaluated_keys = [
f"managedRules/[0]/managedRuleSets[{idx_rule_set}]/ruleSetType",
f"managedRules/[0]/managedRuleSets[{idx_rule_set}]/ruleSetVersion",
]
if (rule_set.get("ruleSetType") == "OWASP" or not rule_set.get("ruleSetType")) and rule_set.get("ruleSetVersion") in ["3.1", "3.2"]:
rule_overrides = rule_set.get("ruleGroupOverrides") or []
for idx_override, rule_override in enumerate(force_list(rule_overrides)):
self.evaluated_keys.extend(
[
f"managedRules/[0]/managedRuleSets[{idx_rule_set}]/ruleGroupOverrides/[{idx_override}]/ruleGroupName",
f"managedRules/[0]/managedRuleSets[{idx_rule_set}]/ruleGroupOverrides/[{idx_override}]/rules",
]
)
if isinstance(rule_override, dict) and rule_override.get("ruleGroupName") == "REQUEST-944-APPLICATION-ATTACK-JAVA":
disabled_rules = rule_override.get("rules") or []
for idx_rule_id, disabled_rule in enumerate(force_list(disabled_rules)):
self.evaluated_keys.extend(
[
f"managedRules/[0]/managedRuleSets[{idx_rule_set}]/ruleGroupOverrides/[{idx_override}]/rules/[{idx_rule_id}]/ruleId",
]
)
if disabled_rule.get("ruleId") == "944240":
return CheckResult.FAILED
return CheckResult.PASSED
return CheckResult.FAILED
check = AppGatewayWAFACLCVE202144228()
================================================
FILE: checkov/arm/checks/resource/AppServiceAuthentication.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
# https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites/config-authsettings
class AppServiceAuthentication(BaseResourceCheck):
def __init__(self) -> None:
name = "Ensure App Service Authentication is set on Azure App Service"
id = "CKV_AZURE_13"
supported_resources = ("Microsoft.Web/sites/config", "config")
categories = (CheckCategories.IAM,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
self.evaluated_keys = ["name"]
if self.entity_type == "Microsoft.Web/sites/config":
if "name" in conf and "authsettings" in conf["name"]:
if "properties" in conf and "enabled" in conf["properties"]:
if str(conf["properties"]["enabled"]).lower() == "true":
return CheckResult.PASSED
return CheckResult.FAILED
elif self.entity_type == "config":
if "name" in conf and conf["name"] == "authsettings":
if "parent_type" in conf:
if conf["parent_type"] == "Microsoft.Web/sites":
if "properties" in conf:
if "enabled" in conf["properties"]:
if str(conf["properties"]["enabled"]).lower() == "true":
return CheckResult.PASSED
return CheckResult.FAILED
return CheckResult.UNKNOWN
check = AppServiceAuthentication()
================================================
FILE: checkov/arm/checks/resource/AppServiceClientCertificate.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
class AppServiceClientCertificate(BaseResourceCheck):
def __init__(self) -> None:
# https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites
# clientCertEnabled default = false
name = "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
id = "CKV_AZURE_17"
supported_resources = ('Microsoft.Web/sites',)
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
if "properties" in conf:
if "clientCertEnabled" in conf["properties"]:
if str(conf["properties"]["clientCertEnabled"]).lower() == "true":
return CheckResult.PASSED
return CheckResult.FAILED
def get_evaluated_keys(self) -> List[str]:
return ["properties", "properties/clientCertEnabled"]
check = AppServiceClientCertificate()
================================================
FILE: checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py
================================================
from __future__ import annotations
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories
class AppServiceDetailedErrorMessagesEnabled(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that App service enables detailed error messages"
id = "CKV_AZURE_65"
supported_resources = ['Microsoft.Web/sites/config']
categories = [CheckCategories.LOGGING]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/detailedErrorLoggingEnabled"
check = AppServiceDetailedErrorMessagesEnabled()
================================================
FILE: checkov/arm/checks/resource/AppServiceDisallowCORS.py
================================================
from typing import Any, List
from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck
from checkov.common.models.enums import CheckCategories, CheckResult
class AppServiceDisallowCORS(BaseResourceNegativeValueCheck):
def __init__(self) -> None:
name = "Ensure that CORS disallows every resource to access app services"
id = "CKV_AZURE_57"
supported_resources = ("Microsoft.Web/sites",)
categories = (CheckCategories.GENERAL_SECURITY,)
super().__init__(
name=name,
id=id,
categories=categories,
supported_resources=supported_resources,
missing_block_result=CheckResult.PASSED
)
def get_inspected_key(self) -> str:
return 'properties/siteConfig/cors/allowedOrigins'
def get_forbidden_values(self) -> List[Any]:
return ['*']
check = AppServiceDisallowCORS()
================================================
FILE: checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class AppServiceDotnetFrameworkVersion(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that 'Net Framework' version is the latest, if used as a part of the web app"
id = "CKV_AZURE_80"
supported_resources = ['Microsoft.Web/sites/config']
categories = [CheckCategories.GENERAL_SECURITY]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/netFrameworkVersion"
def get_expected_value(self) -> str:
return "v8.0"
check = AppServiceDotnetFrameworkVersion()
================================================
FILE: checkov/arm/checks/resource/AppServiceEnableFailedRequest.py
================================================
from __future__ import annotations
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class AppServiceEnableFailedRequest(BaseResourceValueCheck):
def __init__(self) -> None:
"""
todo: revisit when graph fully enabled as web config section could be missing entirely from a web app
"""
name = "Ensure that App service enables failed request tracing"
id = "CKV_AZURE_66"
supported_resources = ["Microsoft.Web/sites/config"]
categories = [CheckCategories.LOGGING]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/requestTracingEnabled"
check = AppServiceEnableFailedRequest()
================================================
FILE: checkov/arm/checks/resource/AppServiceFTPSState.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from typing import List
from typing import Any
class AppServiceFTPSState(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure FTP deployments are disabled"
id = "CKV_AZURE_78"
supported_resources = ('Microsoft.Web/sites',)
categories = (CheckCategories.APPLICATION_SECURITY,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/siteConfig/ftpsState"
def get_expected_value(self) -> Any:
return "Disabled"
def get_expected_values(self) -> List[Any]:
return ["Disabled", "FtpsOnly"]
check = AppServiceFTPSState()
================================================
FILE: checkov/arm/checks/resource/AppServiceHTTPSOnly.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
class AppServiceHTTPSOnly(BaseResourceCheck):
def __init__(self) -> None:
# https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites
name = "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service"
id = "CKV_AZURE_14"
supported_resources = ('Microsoft.Web/sites',)
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
if "properties" in conf:
if "httpsOnly" in conf["properties"]:
if str(conf["properties"]["httpsOnly"]).lower() == "true":
return CheckResult.PASSED
return CheckResult.FAILED
def get_evaluated_keys(self) -> List[str]:
return ["properties", "properties/httpsOnly"]
check = AppServiceHTTPSOnly()
================================================
FILE: checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py
================================================
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories
class AppServiceHttpLoggingEnabled(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that App service enables HTTP logging"
id = "CKV_AZURE_63"
supported_resources = ["Microsoft.Web/sites/config"]
categories = [CheckCategories.LOGGING]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/httpLoggingEnabled"
def get_expected_value(self) -> bool:
return True
check = AppServiceHttpLoggingEnabled()
================================================
FILE: checkov/arm/checks/resource/AppServiceHttps20Enabled.py
================================================
from __future__ import annotations
from typing import Any
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.common.util.data_structures_utils import find_in_dict
class AppServiceHttps20Enabled(BaseResourceCheck):
# apiVersion = 2018-11-01 - http20Enabled is a string
# apiVersion > 2020-10-01 - http20Enabled is a boolean
def __init__(self) -> None:
name = "Ensure that 'HTTP Version' is the latest if used to run the web app"
id = "CKV_AZURE_18"
supported_resources = ("Microsoft.Web/sites",)
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
self.evaluated_keys = ["properties"]
http_20_enabled = find_in_dict(conf, "properties/siteConfig/http20Enabled")
if http_20_enabled and "apiVersion" in conf:
self.evaluated_keys = ["properties/siteConfig/http20Enabled", "apiVersion"]
if conf["apiVersion"] == "2018-11-01":
if isinstance(http_20_enabled, str) and str(http_20_enabled).lower() == "true":
return CheckResult.PASSED
elif isinstance(http_20_enabled, bool) and http_20_enabled:
return CheckResult.PASSED
return CheckResult.FAILED
check = AppServiceHttps20Enabled()
================================================
FILE: checkov/arm/checks/resource/AppServiceIdentity.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
class AppServiceIdentity(BaseResourceCheck):
def __init__(self) -> None:
# https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites#ManagedServiceIdentity
# https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity
# https://docs.microsoft.com/en-us/azure/app-service/samples-resource-manager-templates
name = "Ensure that Register with Azure Active Directory is enabled on App Service"
id = "CKV_AZURE_16"
supported_resources = ('Microsoft.Web/sites',)
categories = (CheckCategories.IAM,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
if "identity" in conf:
if "type" in conf["identity"]:
if conf["identity"]["type"] == "SystemAssigned":
return CheckResult.PASSED
elif conf["identity"]["type"] == "UserAssigned":
if "userAssignedIdentities" in conf["identity"]:
if conf["identity"]["userAssignedIdentities"]:
return CheckResult.PASSED
return CheckResult.FAILED
def get_evaluated_keys(self) -> List[str]:
return ['identity', 'identity/type', 'identity/userAssignedIdentities']
check = AppServiceIdentity()
================================================
FILE: checkov/arm/checks/resource/AppServiceIdentityProviderEnabled.py
================================================
from typing import Any
from checkov.common.models.consts import ANY_VALUE
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class AppServiceIdentityProviderEnabled(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that Managed identity provider is enabled for web apps"
id = "CKV_AZURE_71"
supported_resources = ('Microsoft.Web/sites',)
categories = (CheckCategories.GENERAL_SECURITY,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "identity/type"
def get_expected_value(self) -> Any:
return ANY_VALUE
check = AppServiceIdentityProviderEnabled()
================================================
FILE: checkov/arm/checks/resource/AppServiceInstanceMinimum.py
================================================
from __future__ import annotations
from typing import Dict, List
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckCategories, CheckResult
class AppServiceInstanceMinimum(BaseResourceCheck):
def __init__(self) -> None:
# "App Services Plans provides a configurable number of instances that will run apps.
# When a single instance is configured your app may be temporarily unavailable during unplanned interruptions.
# In most circumstances, Azure will self-heal faulty app service instances automatically.
# How-ever during this time there may interruptions to your workload."
name = "Ensure App Service has a minimum number of instances for failover"
id = "CKV_AZURE_212"
supported_resources = ("Microsoft.Web/sites", "Microsoft.Web/sites/slots")
categories = (CheckCategories.GENERAL_SECURITY,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: Dict[str, Dict[str, Dict[str, int]]]) -> CheckResult:
if "properties" in conf:
if conf.get("properties", {}).get("siteConfig") is not None:
if "numberOfWorkers" in conf["properties"]["siteConfig"]:
worker_count = conf["properties"]["siteConfig"]["numberOfWorkers"]
if worker_count:
if not isinstance(worker_count, int):
return CheckResult.UNKNOWN
if worker_count > 1:
return CheckResult.PASSED
return CheckResult.FAILED
def get_evaluated_keys(self) -> List[str]:
return ["properties", "properties/siteConfig", "properties/siteConfig/numberOfWorkers"]
check = AppServiceInstanceMinimum()
================================================
FILE: checkov/arm/checks/resource/AppServiceJavaVersion.py
================================================
from typing import Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class AppServiceJavaVersion(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that 'Java version' is the latest, if used to run the web app"
id = "CKV_AZURE_83"
supported_resources = ('Microsoft.Web/sites',)
categories = (CheckCategories.GENERAL_SECURITY,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
missing_block_result=CheckResult.UNKNOWN)
def get_inspected_key(self) -> str:
return "siteConfig/javaVersion"
def get_expected_value(self) -> Any:
return '17'
# Module-level instance created at import time.
check = AppServiceJavaVersion()
================================================
FILE: checkov/arm/checks/resource/AppServiceMinTLSVersion.py
================================================
from typing import Any, List
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories
class AppServiceMinTLSVersion(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure web app is using the latest version of TLS encryption"
id = "CKV_AZURE_15"
supported_resources = ("Microsoft.Web/sites",)
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
# https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites
return "properties/siteConfig/minTlsVersion"
def get_expected_value(self) -> Any:
return "1.2"
def get_expected_values(self) -> List[Any]:
return ["1.2", 1.2, "1.3", 1.3]
# Module-level instance created at import time.
check = AppServiceMinTLSVersion()
================================================
FILE: checkov/arm/checks/resource/AppServicePHPVersion.py
================================================
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class AppServicePHPVersion(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that 'PHP version' is the latest, if used to run the web app"
id = "CKV_AZURE_81"
supported_resources = ["Microsoft.Web/sites"]
categories = [CheckCategories.GENERAL_SECURITY]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
missing_block_result=CheckResult.UNKNOWN)
def get_inspected_key(self) -> str:
return "properties/siteConfig/phpVersion"
def get_expected_values(self) -> List[Any]:
return ["8.1", "8.2"]
# Module-level instance created at import time.
check = AppServicePHPVersion()
================================================
FILE: checkov/arm/checks/resource/AppServicePlanZoneRedundant.py
================================================
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class AppServicePlanZoneRedundant(BaseResourceValueCheck):
def __init__(self) -> None:
"""
To enhance the resiliency and reliability of business-critical workloads,
it's recommended to deploy new App Service Plans with zone-redundancy.
There's no additional cost associated with enabling availability zones.
Pricing for a zone redundant App Service is the same as a single zone App Service.
"""
name = "Ensure the App Service Plan is zone redundant"
id = "CKV_AZURE_225"
supported_resources = ["Microsoft.Web/serverfarms", ]
categories = [CheckCategories.BACKUP_AND_RECOVERY, ]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
missing_block_result=CheckResult.FAILED)
def get_inspected_key(self) -> str:
return "properties/zoneRedundant"
def get_expected_value(self) -> bool:
return True
# Module-level instance created at import time.
check = AppServicePlanZoneRedundant()
================================================
FILE: checkov/arm/checks/resource/AppServicePublicAccessDisabled.py
================================================
from typing import Any
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories
class AppServicePublicAccessDisabled(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that Azure Web App public network access is disabled"
id = "CKV_AZURE_222"
supported_resources = [
"Microsoft.Web/sites",
"Microsoft.Web/sites/slots",
"Microsoft.Web/sites/config"
]
categories = [CheckCategories.NETWORKING,]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/publicNetworkAccess"
def get_expected_value(self) -> Any:
return "Disabled"
# Module-level instance created at import time.
check = AppServicePublicAccessDisabled()
================================================
FILE: checkov/arm/checks/resource/AppServicePythonVersion.py
================================================
from typing import List, Any
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories, CheckResult
class AppServicePythonVersion(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that 'Python version' is the latest, if used to run the web app"
id = "CKV_AZURE_82"
supported_resources = ("Microsoft.Web/sites",)
categories = (CheckCategories.GENERAL_SECURITY,)
super().__init__(
name=name,
id=id,
categories=categories,
supported_resources=supported_resources,
missing_block_result=CheckResult.UNKNOWN)
def get_inspected_key(self) -> str:
return "properties/siteConfig/pythonVersion"
def get_expected_values(self) -> List[Any]:
return ["3.9", "3.10", "3.11", "3.12"]
# Module-level instance created at import time.
check = AppServicePythonVersion()
================================================
FILE: checkov/arm/checks/resource/AppServiceRemoteDebuggingNotEnabled.py
================================================
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class AppServiceRemoteDebuggingNotEnabled(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that remote debugging is not enabled for app services"
id = "CKV_AZURE_72"
supported_resources = ["Microsoft.Web/sites",]
categories = [CheckCategories.GENERAL_SECURITY,]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
missing_block_result=CheckResult.PASSED,)
def get_inspected_key(self) -> str:
return "properties/siteConfig/remoteDebuggingEnabled"
def get_expected_value(self) -> bool:
return False
# Module-level instance created at import time.
check = AppServiceRemoteDebuggingNotEnabled()
================================================
FILE: checkov/arm/checks/resource/AppServiceSetHealthCheck.py
================================================
from typing import Any
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.consts import ANY_VALUE
from checkov.common.models.enums import CheckCategories
class AppServiceSetHealthCheck(BaseResourceValueCheck):
def __init__(self) -> None:
# "Azure App Service monitors a specific path for each web app instance to determine health status.
# The monitored path should implement functional checks to determine if the app is performing correctly.
# The checks should include dependencies including those that may not be regularly called.
# Regular checks of the monitored path allow Azure App Service to route traffic based on availability."
name = "Ensure that App Service configures health check"
id = "CKV_AZURE_213"
supported_resources = ('Microsoft.Web/sites', 'Microsoft.Web/sites/slots',)
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return 'properties/siteConfig/healthCheckPath'
def get_expected_values(self) -> Any:
return ANY_VALUE
# Module-level instance created at import time.
check = AppServiceSetHealthCheck()
================================================
FILE: checkov/arm/checks/resource/AppServiceSlotDebugDisabled.py
================================================
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories, CheckResult
class AppServiceSlotDebugDisabled(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure debugging is disabled for the App service slot"
id = "CKV_AZURE_155"
supported_resources = ('Microsoft.Web/sites/slots', 'Microsoft.Web/sites',)
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
missing_block_result=CheckResult.PASSED)
def get_inspected_key(self) -> str:
return "properties/siteConfig/remoteDebuggingEnabled"
def get_expected_value(self) -> bool:
return False
# Module-level instance created at import time.
check = AppServiceSlotDebugDisabled()
================================================
FILE: checkov/arm/checks/resource/AppServiceSlotHTTPSOnly.py
================================================
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories
class AppServiceSlotHTTPSOnly(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot"
id = "CKV_AZURE_153"
supported_resources = ("Microsoft.Web/sites", "Microsoft.Web/sites/slots",)
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/httpsOnly"
# Module-level instance created at import time.
check = AppServiceSlotHTTPSOnly()
================================================
FILE: checkov/arm/checks/resource/AppServiceUsedAzureFiles.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckCategories, CheckResult
class AppServiceUsedAzureFiles(BaseResourceCheck):
def __init__(self) -> None:
name = "Ensure that app services use Azure Files"
id = "CKV_AZURE_88"
supported_resources = ("Microsoft.Web/sites/config",)
categories = (CheckCategories.GENERAL_SECURITY,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
properties = conf.get('properties')
if properties and isinstance(properties, dict):
azureStorageAccounts = properties.get("azureStorageAccounts")
if azureStorageAccounts and isinstance(azureStorageAccounts, dict):
for account_data in azureStorageAccounts.values():
if isinstance(account_data, dict) and account_data.get('type') == "AzureFiles":
return CheckResult.PASSED
return CheckResult.FAILED
def get_evaluated_keys(self) -> List[str]:
return ['properties', 'properties/azureStorageAccounts']
# Module-level instance created at import time.
check = AppServiceUsedAzureFiles()
================================================
FILE: checkov/arm/checks/resource/AutomationEncrypted.py
================================================
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories
class AutomationEncrypted(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that Automation account variables are encrypted"
id = "CKV_AZURE_73"
supported_resources = ("Microsoft.Automation/automationAccounts/variables",)
categories = (CheckCategories.ENCRYPTION,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/isEncrypted"
def get_expected_value(self) -> bool:
return True
# Module-level instance created at import time.
check = AutomationEncrypted()
================================================
FILE: checkov/arm/checks/resource/AzureBatchAccountEndpointAccessDefaultAction.py
================================================
from __future__ import annotations
from typing import Any
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckCategories, CheckResult
class AzureBatchAccountEndpointAccessDefaultAction(BaseResourceCheck):
DISABLED_PUBLIC_NETWORK_ACCESS = "disabled"
FORBIDDEN_NETWORK_ACCESS_DEFAULT_ACTION = "allow"
def __init__(self) -> None:
name = "Ensure that if Azure Batch account public network access in case 'enabled' then its account access must be 'deny'"
id = "CKV_AZURE_248"
supported_resources = ("Microsoft.Batch/batchAccounts",)
categories = [CheckCategories.NETWORKING]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)
@staticmethod
def _exists_and_lower_equal(actual_value: Any, expected_lowercase_value: str) -> bool:
return actual_value and str(actual_value).lower() == expected_lowercase_value
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
properties = conf.get('properties')
if not properties or not isinstance(properties, dict):
return CheckResult.FAILED
public_network_access = properties.get('publicNetworkAccess')
# public network access is disabled, no need to check for account access default action
if self._exists_and_lower_equal(public_network_access, self.DISABLED_PUBLIC_NETWORK_ACCESS):
return CheckResult.PASSED
network_profile = properties.get('networkProfile')
if not network_profile:
return CheckResult.PASSED
account_access = network_profile.get('accountAccess')
if not account_access:
return CheckResult.PASSED
default_action = account_access.get('defaultAction')
if not self._exists_and_lower_equal(default_action, self.FORBIDDEN_NETWORK_ACCESS_DEFAULT_ACTION):
return CheckResult.PASSED
self.evaluated_keys = ["properties/networkProfile/accountAccess/defaultAction"]
return CheckResult.FAILED
# Module-level instance created at import time.
check = AzureBatchAccountEndpointAccessDefaultAction()
================================================
FILE: checkov/arm/checks/resource/AzureBatchAccountUsesKeyVaultEncryption.py
================================================
from checkov.common.models.consts import ANY_VALUE
from typing import Any
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class AzureBatchAccountUsesKeyVaultEncryption(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that Azure Batch account uses key vault to encrypt data"
id = "CKV_AZURE_76"
supported_resources = ("Microsoft.Batch/batchAccounts",)
categories = [CheckCategories.ENCRYPTION]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)
def get_inspected_key(self) -> str:
return "properties/keyVaultReference"
def get_expected_value(self) -> Any:
return ANY_VALUE
# Module-level instance created at import time.
check = AzureBatchAccountUsesKeyVaultEncryption()
================================================
FILE: checkov/arm/checks/resource/AzureDataExplorerDoubleEncryptionEnabled.py
================================================
from typing import Any
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class AzureDataExplorerDoubleEncryptionEnabled(BaseResourceValueCheck):
def __init__(self) -> None:
name: str = "Ensure that Azure Data Explorer uses double encryption"
id: str = "CKV_AZURE_75"
supported_resources = ("Microsoft.Kusto/clusters",)
categories = (CheckCategories.ENCRYPTION,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/enableDoubleEncryption"
def get_expected_value(self) -> Any:
return True
# Module-level instance created at import time.
check: Any = AzureDataExplorerDoubleEncryptionEnabled()
================================================
FILE: checkov/arm/checks/resource/AzureDefenderOnKeyVaults.py
================================================
from __future__ import annotations
from typing import Any, Dict
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_check import BaseResourceCheck
class AzureDefenderOnKeyVaults(BaseResourceCheck):
def __init__(self) -> None:
name = "Ensure that Azure Defender is set to On for Key Vault"
id = "CKV_AZURE_87"
supported_resources = ("Microsoft.Security/pricings",)
categories = (CheckCategories.GENERAL_SECURITY,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
properties = conf.get('properties', {})
pricing_tier = properties.get('pricingTier')
name = conf.get('name', '')
return (
CheckResult.PASSED
if pricing_tier == "Standard" and name == 'KeyVaults'
else CheckResult.FAILED
)
def get_evaluated_keys(self) -> list[str]:
return ["properties.pricingTier", "name"]
# Module-level instance created at import time.
check = AzureDefenderOnKeyVaults()
================================================
FILE: checkov/arm/checks/resource/AzureDefenderOnKubernetes.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_check import BaseResourceCheck
class AzureDefenderOnKubernetes(BaseResourceCheck):
def __init__(self) -> None:
name = "Ensure that Azure Defender is set to On for Kubernetes"
id = "CKV_AZURE_85"
supported_resources = ("Microsoft.Security/pricings",)
categories = (CheckCategories.GENERAL_SECURITY,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
return (
CheckResult.PASSED
if conf.get("name") != "KubernetesService" or str(conf["properties"]["pricingTier"]).lower() == "standard"
else CheckResult.FAILED
)
def get_evaluated_keys(self) -> list[str]:
return ["name", "pricingTier"]
# Module-level instance created at import time.
check = AzureDefenderOnKubernetes()
================================================
FILE: checkov/arm/checks/resource/AzureDefenderOnSqlServersVMS.py
================================================
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_check import BaseResourceCheck
from typing import List, Dict, Any
class AzureDefenderOnSqlServersVMS(BaseResourceCheck):
def __init__(self) -> None:
name = "Ensure that Azure Defender is set to On for SQL servers on machines"
id = "CKV_AZURE_79"
supported_resources = ("Microsoft.Security/pricings",)
categories = [CheckCategories.GENERAL_SECURITY]
super().__init__(
name=name,
id=id,
categories=categories,
supported_resources=supported_resources,
)
def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
properties = conf.get("properties", {})
name = conf.get("name", "")
tier = properties.get("tier")
if tier == "Standard" and name == "SqlServerVirtualMachines":
return CheckResult.FAILED
return CheckResult.PASSED
def get_evaluated_keys(self) -> List[str]:
return ["tier"]
# Module-level instance created at import time.
check = AzureDefenderOnSqlServersVMS()
================================================
FILE: checkov/arm/checks/resource/AzureDefenderOnStorage.py
================================================
from typing import Any, Dict, List
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_check import BaseResourceCheck
class AzureDefenderOnStorage(BaseResourceCheck):
def __init__(self) -> None:
name = "Ensure that Azure Defender is set to On for Storage"
id = "CKV_AZURE_84"
supported_resources = ("Microsoft.Security/pricings",)
categories = (CheckCategories.GENERAL_SECURITY,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
properties: Dict[str, Any] = conf.get("properties", {})
pricingTier = properties.get("pricingTier", "")
return (
CheckResult.PASSED
if pricingTier == "Standard"
else CheckResult.FAILED
)
def get_evaluated_keys(self) -> List[str]:
return ["properties/pricingTier"]
# Module-level instance created at import time.
check = AzureDefenderOnStorage()
================================================
FILE: checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py
================================================
from typing import Any
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class AzureFirewallDenyThreatIntelMode(BaseResourceValueCheck):
def __init__(self) -> None:
"""
https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Firewall.Mode/
Configure deny on threat intel for classic managed Azure Firewalls
"""
name = "Ensure DenyIntelMode is set to Deny for Azure Firewalls"
id = "CKV_AZURE_216"
supported_resources = ("Microsoft.Network/azureFirewalls",)
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return 'properties/threatIntelMode'
def get_expected_value(self) -> Any:
return "Deny"
# Module-level instance created at import time.
check = AzureFirewallDenyThreatIntelMode()
================================================
FILE: checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py
================================================
from typing import Any
from checkov.common.models.consts import ANY_VALUE
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class AzureFrontDoorEnablesWAF(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that Azure Front Door enables WAF"
id = "CKV_AZURE_121"
supported_resources = ("Microsoft.Network/frontDoors",)
categories = [CheckCategories.NETWORKING]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/frontendEndpoints/[0]/properties/webApplicationFirewallPolicyLink/id"
def get_expected_value(self) -> Any:
return ANY_VALUE
# Module-level instance created at import time.
check = AzureFrontDoorEnablesWAF()
================================================
FILE: checkov/arm/checks/resource/AzureInstanceExtensions.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class AzureInstanceExtensions(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure Virtual Machine Extensions are not Installed"
id = "CKV_AZURE_50"
supported_resources = ["Microsoft.Compute/virtualMachines"]
categories = [CheckCategories.GENERAL_SECURITY]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/osProfile/allowExtensionOperations"
def get_expected_value(self) -> bool:
return False
# Module-level instance created at import time.
check = AzureInstanceExtensions()
================================================
FILE: checkov/arm/checks/resource/AzureInstancePassword.py
================================================
from typing import Any, Dict
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckResult, CheckCategories
class AzureInstancePassword(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)"
id = "CKV_AZURE_1"
supported_resources = ("Microsoft.Compute/virtualMachines",)
categories = [CheckCategories.GENERAL_SECURITY]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
properties = conf.get("properties")
if isinstance(properties, dict):
storage_profile = properties.get("storageProfile")
if isinstance(storage_profile, dict):
image_reference = storage_profile.get("imageReference")
if isinstance(image_reference, dict):
publisher = image_reference.get("publisher")
if publisher and ("windows" in publisher.lower() or
"microsoft" in publisher.lower()):
# This check is not relevant to Windows systems
return CheckResult.UNKNOWN
return super().scan_resource_conf(conf)
def get_inspected_key(self) -> str:
return "properties/osProfile/linuxConfiguration/disablePasswordAuthentication"
def get_expected_value(self) -> Any:
return True
# Module-level instance created at import time.
check = AzureInstancePassword()
================================================
FILE: checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py
================================================
from typing import Dict, Any, List
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.util.consts import START_LINE, END_LINE
class AzureMLWorkspacePrivateEndpoint(BaseResourceCheck):
def __init__(self) -> None:
name = "Ensure Azure Machine learning workspace is configured with private endpoint"
id = "CKV_AZURE_243"
supported_resources = ["Microsoft.MachineLearningServices/workspaces"]
categories = [CheckCategories.NETWORKING]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
properties = conf.get("properties")
if isinstance(properties, dict):
managed_network = properties.get("managedNetwork")
if isinstance(managed_network, dict):
ob_rules = managed_network.get("outboundRules")
if isinstance(ob_rules, dict):
# check no outbound rule has private endpoint type
for key, rule in ob_rules.items():
if key in [START_LINE, END_LINE]:
# Skip inner fields we add
continue
if rule.get("type") == "PrivateEndpoint":
return CheckResult.PASSED
return CheckResult.FAILED
def get_evaluated_keys(self) -> List[str]:
return ["properties", "properties/[0]/managedNetwork", "properties/[0]/managedNetwork/[0]/outboundRules"]
# Module-level instance created at import time.
check = AzureMLWorkspacePrivateEndpoint()
================================================
FILE: checkov/arm/checks/resource/AzureManagedDiscEncryption.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.util.data_structures_utils import find_in_dict
class AzureManagedDiscEncryption(BaseResourceCheck):
def __init__(self) -> None:
name = "Ensure Azure managed disk have encryption enabled"
id = "CKV_AZURE_2"
supported_resources = ("Microsoft.Compute/disks",)
categories = (CheckCategories.ENCRYPTION,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
properties = conf.get("properties")
if properties:
self.evaluated_keys = ["properties"]
encryption = properties.get("encryption")
if encryption:
# if the block exists, then it is enabled
return CheckResult.PASSED
encryption_enabled = find_in_dict(input_dict=properties, key_path="encryptionSettingsCollection/enabled")
if str(encryption_enabled).lower() == "true":
return CheckResult.PASSED
encryption_enabled = find_in_dict(input_dict=properties, key_path="encryptionSettings/enabled")
if str(encryption_enabled).lower() == "true":
return CheckResult.PASSED
return CheckResult.FAILED
# Module-level instance created at import time.
check = AzureManagedDiscEncryption()
================================================
FILE: checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py
================================================
from typing import Any
from checkov.common.models.consts import ANY_VALUE
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class AzureManagedDiskEncryptionSet(BaseResourceValueCheck):
def __init__(self) -> None:
name = (
"Ensure that managed disks use a specific set of disk encryption sets for the "
"customer-managed key encryption"
)
id = "CKV_AZURE_93"
supported_resources = ("Microsoft.Compute/disks",)
categories = (CheckCategories.ENCRYPTION,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/encryption/diskEncryptionSetId"
def get_expected_value(self) -> Any:
return ANY_VALUE
# Module-level instance created at import time.
check = AzureManagedDiskEncryptionSet()
================================================
FILE: checkov/arm/checks/resource/AzureScaleSetPassword.py
================================================
from typing import Dict, Any
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckResult, CheckCategories
class AzureScaleSetPassword(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead)"
id = "CKV_AZURE_49"
supported_resources = ("Microsoft.Compute/virtualMachineScaleSets",)
categories = [CheckCategories.GENERAL_SECURITY]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
properties = conf.get("properties")
if isinstance(properties, dict):
vm_profile = properties.get("virtualMachineProfile")
if isinstance(vm_profile, dict):
storage_profile = vm_profile.get("storageProfile")
if isinstance(storage_profile, dict):
image_reference = storage_profile.get("imageReference")
if isinstance(image_reference, dict):
publisher = image_reference.get("publisher")
if publisher and "windows" in publisher.lower():
# This check is not relevant to Windows systems
return CheckResult.UNKNOWN
return super().scan_resource_conf(conf)
def get_inspected_key(self) -> str:
return "properties/virtualMachineProfile/osProfile/linuxConfiguration/disablePasswordAuthentication"
def get_expected_value(self) -> Any:
return True
# Module-level instance created at import time.
check = AzureScaleSetPassword()
================================================
FILE: checkov/arm/checks/resource/AzureSearchSLAIndex.py
================================================
from __future__ import annotations
from typing import Any, Dict
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_check import BaseResourceCheck
class AzureSearchSLAIndex(BaseResourceCheck):
def __init__(self) -> None:
# Cognitive Search services support indexing and querying. Indexing is the process of loading content into
# the service to make it searchable. Querying is the process where a client searches for content
# by sending queries to the index.
# Cognitive Search supports a configurable number of replicas. Having multiple replicas allows queries and
# index updates to load balance across multiple replicas.
#
# To receive a Service Level Agreement (SLA) for Search index updates a minimum of 3 replicas is required.
name = "Ensure that Azure Cognitive Search maintains SLA for index updates"
id = "CKV_AZURE_208"
supported_resources = ["Microsoft.Search/searchServices", ]
categories = [CheckCategories.GENERAL_SECURITY, ]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
properties = conf.get("properties", {})
self.evaluated_keys = ["properties"]
if not isinstance(properties, dict):
return CheckResult.FAILED
replica_count = properties.get("replicaCount")
if replica_count and isinstance(replica_count, int):
if replica_count >= 3:
return CheckResult.PASSED
else:
self.evaluated_keys = ["properties/replicaCount"]
return CheckResult.FAILED
else:
return CheckResult.FAILED
# Module-level instance created at import time.
check = AzureSearchSLAIndex()
================================================
FILE: checkov/arm/checks/resource/AzureSearchSLAQueryUpdates.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_check import BaseResourceCheck
class AzureSearchSQLQueryUpdates(BaseResourceCheck):
    """CKV_AZURE_209: a Cognitive Search service must run at least 2 replicas.

    Cognitive Search services support indexing and querying. Indexing loads
    content into the service to make it searchable; querying is a client
    searching that content by sending queries to the index. The service
    supports a configurable number of replicas, which lets queries and index
    updates load balance across them. To receive a Service Level Agreement
    (SLA) for search index queries a minimum of 2 replicas is required.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that Azure Cognitive Search maintains SLA for search index queries",
            id="CKV_AZURE_209",
            categories=[CheckCategories.GENERAL_SECURITY, ],
            supported_resources=["Microsoft.Search/searchServices", ],
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Evaluate ``properties/replicaCount``.

        :param conf: the resource configuration as parsed from the template
        :return: PASSED for an integer >= 2, FAILED for a missing/zero value or
            an integer below 2, UNKNOWN for a non-integer value such as a
            template expression
        """
        self.evaluated_keys = ["properties/replicaCount"]
        properties = conf.get("properties", {})
        if not isinstance(properties, dict):
            return CheckResult.FAILED
        replicas = properties.get("replicaCount")
        if not replicas:
            return CheckResult.FAILED
        if not isinstance(replicas, int):
            # Cannot be resolved statically.
            return CheckResult.UNKNOWN
        return CheckResult.PASSED if replicas >= 2 else CheckResult.FAILED
# Module-level instance created at import time.
check = AzureSearchSQLQueryUpdates()
================================================
FILE: checkov/arm/checks/resource/AzureServiceFabricClusterProtectionLevel.py
================================================
from typing import Dict, List, Any, Union
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.util.type_forcers import force_list
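class AzureServiceFabricClusterProtectionLevel(BaseResourceCheck):
    """CKV_AZURE_125: Service Fabric clusters must set ClusterProtectionLevel to EncryptAndSign.

    The value is looked up under ``properties/fabricSettings`` in the setting
    named ``Security``, as one entry of that setting's ``parameters`` list.
    """

    def __init__(self) -> None:
        name = "Ensures that Service Fabric use three levels of protection available"
        id = "CKV_AZURE_125"
        supported_resources = ('Microsoft.ServiceFabric/clusters',)
        categories = (CheckCategories.ENCRYPTION,)
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
        """Scan the ``Security`` fabric setting for the protection level parameter.

        :param conf: the resource configuration as parsed from the template
        :return: PASSED when a ``ClusterProtectionLevel`` parameter has the
            value ``EncryptAndSign``; FAILED when it is absent, has another
            value, or the surrounding structure is not a mapping/list
        """
        properties: Union[List[Any], Dict[str, Any]] = conf.get('properties', {})
        if not isinstance(properties, dict):
            self.evaluated_keys = ['properties']
            return CheckResult.FAILED

        settings_conf = force_list(properties.get('fabricSettings', []))
        if not isinstance(settings_conf, list):
            self.evaluated_keys = ['properties/fabricSettings']
            return CheckResult.FAILED

        for index, setting in enumerate(settings_conf):
            if not isinstance(setting, dict) or setting.get('name') != 'Security':
                continue
            params = setting.get('parameters', [])
            if not isinstance(params, list):
                self.evaluated_keys = [f'properties/fabricSettings/{index}/parameters']
                return CheckResult.FAILED
            # The parameter may sit at any position in the list, not only first.
            for param_index, param in enumerate(params):
                if not isinstance(param, dict) or param.get('name') != 'ClusterProtectionLevel':
                    continue
                self.evaluated_keys = [
                    f'properties/fabricSettings/{index}/parameters/{param_index}/name',
                    f'properties/fabricSettings/{index}/parameters/{param_index}/value',
                ]
                if param.get('value') == 'EncryptAndSign':
                    return CheckResult.PASSED
                return CheckResult.FAILED
            # Security setting present but without a ClusterProtectionLevel parameter.
            self.evaluated_keys = [f'properties/fabricSettings/{index}/parameters']
            return CheckResult.FAILED

        self.evaluated_keys = ['properties/fabricSettings']
        return CheckResult.FAILED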
# Module-level instance created at import time.
check = AzureServiceFabricClusterProtectionLevel()
================================================
FILE: checkov/arm/checks/resource/AzureSparkPoolIsolatedComputeEnabled.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class AzureSparkPoolIsolatedComputeEnabled(BaseResourceValueCheck):
    """CKV_AZURE_242: Synapse Spark pools must enable isolated compute.

    Only the inspected key is defined here; the expected value and the
    comparison come from the BaseResourceValueCheck defaults.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure isolated compute is enabled for Synapse Spark pools",
            id="CKV_AZURE_242",
            categories=[CheckCategories.GENERAL_SECURITY],
            supported_resources=["Microsoft.Synapse/workspaces/bigDataPools"],
        )

    def get_inspected_key(self) -> str:
        """Path of the isolation flag inside the resource definition."""
        return 'properties/isComputeIsolationEnabled'
# Module-level instance created at import time.
check = AzureSparkPoolIsolatedComputeEnabled()
================================================
FILE: checkov/arm/checks/resource/AzureSynapseWorkspaceVAisEnabled.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class SynapseWorkspaceVAisEnabled(BaseResourceValueCheck):
    """CKV2_AZURE_46: Synapse workspace vulnerability assessments must have recurring scans enabled.

    Only the inspected key is defined here; the expected value comes from the
    BaseResourceValueCheck default.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that Azure Synapse Workspace vulnerability assessment is enabled",
            id="CKV2_AZURE_46",
            categories=[CheckCategories.GENERAL_SECURITY],
            supported_resources=["Microsoft.Synapse/workspaces/vulnerabilityAssessments"],
        )

    def get_inspected_key(self) -> str:
        """Path of the recurring-scans flag inside the resource definition."""
        return 'properties/recurringScans/isEnabled'
# Module-level instance created at import time.
check = SynapseWorkspaceVAisEnabled()
================================================
FILE: checkov/arm/checks/resource/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py
================================================
from typing import Dict, List, Any
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_check import BaseResourceCheck
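class AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached(BaseResourceCheck):
    """CKV2_AZURE_19: flag Synapse workspaces that depend on IP firewall rule resources.

    Only the workspace's ``dependsOn`` list is inspected, for a reference to a
    ``Microsoft.Synapse/workspaces/firewallRules`` resource.
    """

    def __init__(self) -> None:
        name = "Ensure that Azure Synapse workspaces have no IP firewall rules attached"
        id = "CKV2_AZURE_19"
        supported_resources = ["Microsoft.Synapse/workspaces"]
        categories = [CheckCategories.NETWORKING]
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
        """Look for a firewallRules reference in ``dependsOn``.

        :param conf: the resource configuration as parsed from the template
        :return: FAILED when any string entry of ``dependsOn`` contains
            ``Microsoft.Synapse/workspaces/firewallRules``, otherwise PASSED
        """
        self.evaluated_keys = ["dependsOn"]
        depends_on = conf.get("dependsOn")
        if not depends_on:
            return CheckResult.PASSED
        # A single dependency may be written as a bare string instead of a list.
        if isinstance(depends_on, str):
            depends_on = [depends_on]
        # Non-string entries cannot hold the reference and must not raise on
        # the substring test.
        if any(
            isinstance(item, str) and 'Microsoft.Synapse/workspaces/firewallRules' in item
            for item in depends_on
        ):
            return CheckResult.FAILED
        return CheckResult.PASSED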
# Module-level instance created at import time.
check = AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached()
================================================
FILE: checkov/arm/checks/resource/CognitiveServicesConfigureIdentity.py
================================================
from typing import Any
from checkov.common.models.consts import ANY_VALUE
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class CognitiveServicesConfigureIdentity(BaseResourceValueCheck):
    """CKV_AZURE_238: Cognitive Services accounts must declare a managed identity.

    Any value of ``identity/type`` satisfies the check (ANY_VALUE); only the
    presence of the key matters.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that all Azure Cognitive Services accounts are configured with a managed identity",
            id="CKV_AZURE_238",
            categories=(CheckCategories.GENERAL_SECURITY,),
            supported_resources=('Microsoft.CognitiveServices/accounts',),
        )

    def get_inspected_key(self) -> str:
        """Path of the identity type inside the resource definition."""
        return "identity/type"

    def get_expected_value(self) -> Any:
        """Accept whatever identity type is configured."""
        return ANY_VALUE
# Module-level instance created at import time.
check = CognitiveServicesConfigureIdentity()
================================================
FILE: checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py
================================================
from typing import Any
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class CognitiveServicesDisablesPublicNetwork(BaseResourceValueCheck):
    """CKV_AZURE_134: Cognitive Services accounts must set publicNetworkAccess to Disabled."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that Cognitive Services accounts disable public network access",
            id="CKV_AZURE_134",
            categories=(CheckCategories.NETWORKING,),
            supported_resources=("Microsoft.CognitiveServices/accounts",),
        )

    def get_inspected_key(self) -> str:
        """Path of the public network access switch."""
        return "properties/publicNetworkAccess"

    def get_expected_value(self) -> Any:
        """The only compliant value for the inspected key."""
        return "Disabled"
# Module-level instance created at import time.
check = CognitiveServicesDisablesPublicNetwork()
================================================
FILE: checkov/arm/checks/resource/CognitiveServicesEnableLocalAuth.py
================================================
from typing import Any
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class CognitiveServicesEnableLocalAuth(BaseResourceValueCheck):
    """CKV_AZURE_236: Cognitive Services accounts must set disableLocalAuth to true.

    Despite the class name, a passing resource has local (key-based)
    authentication turned off.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that Cognitive Services accounts disable local authentication",
            id="CKV_AZURE_236",
            categories=(CheckCategories.NETWORKING, ),
            supported_resources=('Microsoft.CognitiveServices/accounts', ),
        )

    def get_inspected_key(self) -> str:
        """Path of the local-auth switch."""
        return 'properties/disableLocalAuth'

    def get_expected_value(self) -> Any:
        """Local authentication must be explicitly disabled."""
        return True
# Module-level instance created at import time.
check = CognitiveServicesEnableLocalAuth()
================================================
FILE: checkov/arm/checks/resource/CosmosDBAccountsRestrictedAccess.py
================================================
from typing import Dict, Any, Optional
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
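class CosmosDBAccountsRestrictedAccess(BaseResourceCheck):
    """CKV_AZURE_99: Cosmos DB accounts must restrict network access.

    An account passes when it has a virtual network filter with rules, or IP
    rules. An account whose ``properties`` is absent, or that explicitly sets
    ``enableMultipleWriteLocations`` to a falsy value, is not inspected
    further and passes.
    """

    def __init__(self) -> None:
        name = "Ensure Cosmos DB accounts have restricted access"
        id = "CKV_AZURE_99"
        supported_resources = ('Microsoft.DocumentDB/databaseAccounts',)
        categories = [CheckCategories.NETWORKING]
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
        """Evaluate the network restriction settings under ``properties``.

        :param conf: the resource configuration as parsed from the template
        :return: PASSED when a VNet filter with rules or IP rules is present
            (or the account is not inspected, see class docstring); FAILED
            when ``properties`` is not a mapping or no restriction is set
        """
        properties: Optional[Dict[str, Any]] = conf.get('properties')
        if properties is None:
            return CheckResult.PASSED
        if not isinstance(properties, dict):
            # e.g. a template expression; key lookups below would raise.
            self.evaluated_keys = ['properties']
            return CheckResult.FAILED
        # NOTE(review): an explicit falsy enableMultipleWriteLocations bypasses
        # the network checks and passes — confirm this is the intended policy.
        if 'enableMultipleWriteLocations' in properties and not properties['enableMultipleWriteLocations']:
            return CheckResult.PASSED
        self.evaluated_keys = ['properties/enableMultipleWriteLocations']
        if properties.get('isVirtualNetworkFilterEnabled'):
            self.evaluated_keys.append('properties/isVirtualNetworkFilterEnabled')
            if properties.get('virtualNetworkRules'):
                self.evaluated_keys.append('properties/virtualNetworkRules')
                return CheckResult.PASSED
        if properties.get('ipRules'):
            self.evaluated_keys.append('properties/ipRules')
            return CheckResult.PASSED
        return CheckResult.FAILED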
# Module-level instance created at import time.
check = CosmosDBAccountsRestrictedAccess()
================================================
FILE: checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
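class CosmosDBDisableAccessKeyWrite(BaseResourceCheck):
    """CKV_AZURE_132: Cosmos DB accounts must set disableKeyBasedMetadataWriteAccess.

    With the flag set, account keys cannot be used to change the account's
    metadata (management plane), limiting what a leaked key can do.
    """

    def __init__(self) -> None:
        name = "Ensure cosmosdb does not allow privileged escalation by restricting management plane changes"
        id = "CKV_AZURE_132"
        supported_resources = ('Microsoft.DocumentDB/databaseAccounts',)
        categories = (CheckCategories.GENERAL_SECURITY,)
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """
        :param conf: the resource configuration as parsed from the template
        :return: PASSED when ``properties/disableKeyBasedMetadataWriteAccess``
            is truthy, otherwise FAILED
        """
        properties = conf.get("properties")
        # A non-mapping value (e.g. a template expression) cannot be inspected
        # and must not raise on key lookup.
        if not isinstance(properties, dict):
            return CheckResult.FAILED
        if properties.get("disableKeyBasedMetadataWriteAccess"):
            return CheckResult.PASSED
        return CheckResult.FAILED

    def get_evaluated_keys(self) -> List[str]:
        """Keys reported as inspected by this check."""
        return ["properties", "properties/disableKeyBasedMetadataWriteAccess"]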
# Module-level instance created at import time.
check = CosmosDBDisableAccessKeyWrite()
================================================
FILE: checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class CosmosDBDisablesPublicNetwork(BaseResourceValueCheck):
    """CKV_AZURE_101: Cosmos DB accounts must set publicNetworkAccess to Disabled."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that Azure Cosmos DB disables public network access",
            id="CKV_AZURE_101",
            categories=[CheckCategories.NETWORKING],
            supported_resources=['Microsoft.DocumentDB/databaseAccounts'],
        )

    def get_inspected_key(self) -> str:
        """Path of the public network access switch."""
        return 'properties/publicNetworkAccess'

    def get_expected_value(self) -> str:
        """The only compliant value for the inspected key."""
        return "Disabled"
# Module-level instance created at import time.
check = CosmosDBDisablesPublicNetwork()
================================================
FILE: checkov/arm/checks/resource/CosmosDBHaveCMK.py
================================================
from typing import Any
from checkov.common.models.consts import ANY_VALUE
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class CosmosDBHaveCMK(BaseResourceValueCheck):
    """CKV_AZURE_100: Cosmos DB accounts must reference a Key Vault key (customer-managed key).

    Any value of ``properties/keyVaultKeyUri`` satisfies the check; only the
    presence of the key matters.
    """

    def __init__(self) -> None:
        # NOTE(review): 'DocumentDb' differs in case from the 'DocumentDB' used
        # by the sibling Cosmos DB checks — confirm resource-type matching is
        # case-insensitive.
        super().__init__(
            name="Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest",
            id="CKV_AZURE_100",
            categories=(CheckCategories.NETWORKING,),
            supported_resources=("Microsoft.DocumentDb/databaseAccounts",),
        )

    def get_inspected_key(self) -> str:
        """Path of the Key Vault key reference."""
        return "properties/keyVaultKeyUri"

    def get_expected_value(self) -> Any:
        """Accept any configured key URI."""
        return ANY_VALUE
# Module-level instance created at import time.
check = CosmosDBHaveCMK()
================================================
FILE: checkov/arm/checks/resource/CosmosDBLocalAuthDisabled.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class CosmosDBLocalAuthDisabled(BaseResourceValueCheck):
    """CKV_AZURE_140: Cosmos DB accounts of kind GlobalDocumentDB must set disableLocalAuth to true.

    Accounts of any other kind (or without a kind) are reported as UNKNOWN
    rather than evaluated.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that Local Authentication is disabled on CosmosDB",
            id="CKV_AZURE_140",
            categories=(CheckCategories.IAM,),
            supported_resources=('Microsoft.DocumentDB/databaseAccounts',),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Delegate to the value check only for GlobalDocumentDB accounts.

        :param conf: the resource configuration as parsed from the template
        :return: the base-class result for kind GlobalDocumentDB, else UNKNOWN
        """
        if conf.get("kind") != "GlobalDocumentDB":
            return CheckResult.UNKNOWN
        return super().scan_resource_conf(conf)

    def get_inspected_key(self) -> str:
        """Path of the local-auth switch."""
        return "properties/disableLocalAuth"

    def get_expected_value(self) -> bool:
        """Local authentication must be explicitly disabled."""
        return True
# Module-level instance created at import time.
check = CosmosDBLocalAuthDisabled()
================================================
FILE: checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
import re
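# Scopes at which a wildcard-action role is effectively a subscription owner:
# the root scope "/", a single subscription "/subscriptions/<id>", or the
# template expression "[subscription().id]". The pattern is anchored so that a
# narrower scope such as "/subscriptions/<id>/resourceGroups/<rg>" does not
# match merely because it starts with "/".
SUBSCRIPTION = re.compile(r"^(?:/|/subscriptions/[\w-]+|\[subscription\(\)\.id\])$")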
# https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-template
# https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions
# https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/2018-01-01-preview/roledefinitions
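class CustomRoleDefinitionSubscriptionOwner(BaseResourceCheck):
    """CKV_AZURE_39: no custom role may grant the ``*`` action at subscription (or root) scope.

    Such a role is equivalent to the built-in Owner role and defeats the
    purpose of a custom, least-privilege definition.
    """

    def __init__(self) -> None:
        name = "Ensure that no custom subscription owner roles are created"
        id = "CKV_AZURE_39"
        supported_resources = ("Microsoft.Authorization/roleDefinitions",)
        categories = (CheckCategories.IAM,)
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Fail when a subscription-scoped role definition allows the ``*`` action.

        :param conf: the resource configuration as parsed from the template
        :return: FAILED when any ``assignableScopes`` entry matches SUBSCRIPTION
            and any ``permissions`` entry lists ``*`` in ``actions``; PASSED
            otherwise, including when the structure is not what the schema
            describes
        """
        properties = conf.get("properties")
        if not isinstance(properties, dict):
            return CheckResult.PASSED

        scopes = properties.get("assignableScopes")
        # Tolerate a single scope written as a bare string.
        if isinstance(scopes, str):
            scopes = [scopes]
        if not isinstance(scopes, list):
            return CheckResult.PASSED
        if not any(isinstance(scope, str) and re.match(SUBSCRIPTION, scope) for scope in scopes):
            return CheckResult.PASSED

        permissions = properties.get("permissions")
        if not isinstance(permissions, list):
            return CheckResult.PASSED
        for permission in permissions:
            if not isinstance(permission, dict):
                continue
            actions = permission.get("actions")
            if isinstance(actions, str):
                actions = [actions]
            # Only the bare wildcard counts; "Microsoft.X/*" is provider-scoped.
            if isinstance(actions, list) and "*" in actions:
                return CheckResult.FAILED
        return CheckResult.PASSED

    def get_evaluated_keys(self) -> List[str]:
        """Keys reported as inspected by this check."""
        return ["properties/assignableScopes", "properties/permissions/actions"]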
# Module-level instance created at import time.
check = CustomRoleDefinitionSubscriptionOwner()
================================================
FILE: checkov/arm/checks/resource/DataExplorerUsesDiskEncryption.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class DataExplorerUsesDiskEncryption(BaseResourceValueCheck):
    """CKV_AZURE_74: Data Explorer (Kusto) clusters must set enableDiskEncryption to true."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that Azure Data Explorer (Kusto) uses disk encryption",
            id="CKV_AZURE_74",
            categories=[CheckCategories.ENCRYPTION,],
            supported_resources=("Microsoft.Kusto/clusters",),
        )

    def get_inspected_key(self) -> str:
        """Path of the disk encryption switch."""
        return "properties/enableDiskEncryption"

    def get_expected_value(self) -> bool:
        """Disk encryption must be explicitly enabled."""
        return True
# Module-level instance created at import time.
check = DataExplorerUsesDiskEncryption()
================================================
FILE: checkov/arm/checks/resource/DataFactoryNoPublicNetworkAccess.py
================================================
from typing import Any
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class DataFactoryNoPublicNetworkAccess(BaseResourceValueCheck):
    """CKV_AZURE_104: Data Factory instances must set publicNetworkAccess to Disabled."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that Azure Data factory public network access is disabled",
            id="CKV_AZURE_104",
            categories=(CheckCategories.NETWORKING,),
            supported_resources=("Microsoft.DataFactory/factories",),
        )

    def get_inspected_key(self) -> str:
        """Path of the public network access switch."""
        return "properties/publicNetworkAccess"

    def get_expected_value(self) -> Any:
        """The only compliant value for the inspected key."""
        return "Disabled"
# Module-level instance created at import time.
check = DataFactoryNoPublicNetworkAccess()
================================================
FILE: checkov/arm/checks/resource/DataFactoryUsesGitRepository.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_check import BaseResourceCheck
class DataFactoryUsesGitRepository(BaseResourceCheck):
    """CKV_AZURE_103: Data Factory instances must declare a ``repoConfiguration`` with a type."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that Azure Data Factory uses Git repository for source control",
            id="CKV_AZURE_103",
            categories=(CheckCategories.GENERAL_SECURITY,),
            supported_resources=("Microsoft.DataFactory/factories",),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """
        :param conf: the resource configuration as parsed from the template
        :return: PASSED when ``properties/repoConfiguration`` is a mapping with
            a ``type``; FAILED when ``properties`` is missing/not a mapping or
            ``repoConfiguration`` is empty; UNKNOWN for any other shape
        """
        properties = conf.get("properties")
        if not properties or not isinstance(properties, dict):
            return CheckResult.FAILED
        self.evaluated_keys = ["properties/repoConfiguration/type"]
        repo = properties.get("repoConfiguration")
        if not repo:
            return CheckResult.FAILED
        if isinstance(repo, dict) and repo.get("type") is not None:
            return CheckResult.PASSED
        # A non-mapping or type-less repoConfiguration cannot be judged here.
        return CheckResult.UNKNOWN
# Module-level instance created at import time.
check = DataFactoryUsesGitRepository()
================================================
FILE: checkov/arm/checks/resource/DataLakeStoreEncryption.py
================================================
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class DataLakeStoreEncryption(BaseResourceValueCheck):
    """CKV_AZURE_105: Data Lake Store accounts must set encryptionState to Enabled.

    A resource without the inspected key passes (``missing_block_result``).
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that Data Lake Store accounts enables encryption",
            id="CKV_AZURE_105",
            categories=[CheckCategories.ENCRYPTION,],
            supported_resources=['Microsoft.DataLakeStore/accounts',],
            missing_block_result=CheckResult.PASSED,
        )

    def get_inspected_key(self) -> str:
        """Path of the encryption state."""
        return 'properties/encryptionState'

    def get_expected_value(self) -> str:
        """The only compliant value for the inspected key."""
        return "Enabled"
# Module-level instance created at import time.
check = DataLakeStoreEncryption()
================================================
FILE: checkov/arm/checks/resource/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.util.data_structures_utils import find_in_dict
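class DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey(BaseResourceCheck):
    """CKV2_AZURE_48: Databricks workspaces must prepare and configure DBFS root encryption.

    Both ``prepareEncryption`` and ``encryption`` live under
    ``properties/parameters`` as ``{"value": ...}`` entries.
    """

    def __init__(self) -> None:
        # https://learn.microsoft.com/en-us/azure/templates/microsoft.databricks/workspaces?pivots=deployment-language-arm-template#workspaceencryptionparameter-1
        name = "Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption"
        id = "CKV2_AZURE_48"
        supported_resources = ("Microsoft.Databricks/workspaces",)
        categories = (CheckCategories.ENCRYPTION,)
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """
        :param conf: the resource configuration as parsed from the template
        :return: PASSED when ``prepareEncryption/value`` is true (bool or the
            string "true") and ``encryption/value`` is set; FAILED otherwise,
            including when ``properties`` or ``parameters`` is not a mapping
        """
        properties = conf.get("properties")
        # Guard before chaining .get(): a template expression here is a string.
        if not isinstance(properties, dict):
            return CheckResult.FAILED
        parameters = properties.get("parameters")
        if not isinstance(parameters, dict):
            return CheckResult.FAILED
        prepare_encryption = find_in_dict(input_dict=parameters, key_path="prepareEncryption/value")
        # Accept both a JSON boolean and its string form; None/False fail.
        if str(prepare_encryption).lower() != "true":
            return CheckResult.FAILED
        encryption_settings = find_in_dict(input_dict=parameters, key_path="encryption/value")
        if not encryption_settings:
            return CheckResult.FAILED
        return CheckResult.PASSED

    def get_evaluated_keys(self) -> List[str]:
        """Keys reported as inspected by this check."""
        return ["properties/parameters"]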
# Module-level instance created at import time.
check = DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey()
================================================
FILE: checkov/arm/checks/resource/DatabricksWorkspaceIsNotPublic.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.util.data_structures_utils import find_in_dict
class DatabricksWorkspaceIsNotPublic(BaseResourceCheck):
    """CKV_AZURE_158: Databricks workspaces must not leave publicNetworkAccess enabled."""

    def __init__(self) -> None:
        # https://learn.microsoft.com/en-us/azure/templates/microsoft.databricks/workspaces?pivots=deployment-language-arm-template
        super().__init__(
            name="Ensure Databricks Workspace data plane to control plane communication happens over private link",
            id="CKV_AZURE_158",
            categories=(CheckCategories.NETWORKING,),
            supported_resources=("Microsoft.Databricks/workspaces",),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """
        :param conf: the resource configuration as parsed from the template
        :return: PASSED when ``properties/publicNetworkAccess`` is set to a
            value other than "Enabled"; FAILED when it is missing or "Enabled"
        """
        access = find_in_dict(input_dict=conf, key_path="properties/publicNetworkAccess")
        # A missing key is treated the same as an explicit "Enabled".
        if access and access != "Enabled":
            return CheckResult.PASSED
        return CheckResult.FAILED

    def get_evaluated_keys(self) -> List[str]:
        """Keys reported as inspected by this check."""
        return ["properties", "properties/publicNetworkAccess"]
# Module-level instance created at import time.
check = DatabricksWorkspaceIsNotPublic()
================================================
FILE: checkov/arm/checks/resource/EventHubNamespaceMinTLS12.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class EventHubNamespaceMinTLS12(BaseResourceValueCheck):
    """CKV_AZURE_223: Event Hub namespaces must set minimumTlsVersion to "1.2".

    A namespace without the inspected key passes (``missing_block_result``).
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure Event Hub Namespace uses at least TLS 1.2",
            id="CKV_AZURE_223",
            categories=[CheckCategories.ENCRYPTION, ],
            supported_resources=["Microsoft.EventHub/namespaces", ],
            missing_block_result=CheckResult.PASSED,
        )

    def get_inspected_key(self) -> str:
        """Path of the minimum TLS version."""
        return "properties/minimumTlsVersion"

    def get_expected_value(self) -> Any:
        """The compliant value, as the string the ARM schema uses."""
        return "1.2"
# Module-level instance created at import time.
check = EventHubNamespaceMinTLS12()
================================================
FILE: checkov/arm/checks/resource/EventgridTopicIdentityProviderEnabled.py
================================================
from typing import Any
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.consts import ANY_VALUE
from checkov.common.models.enums import CheckCategories
class EventgridTopicIdentityProviderEnabled(BaseResourceValueCheck):
    """CKV_AZURE_191: Event Grid topics must declare a managed identity.

    Any value of ``identity/type`` satisfies the check (ANY_VALUE).
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that Managed identity provider is enabled for Azure Event Grid Topic",
            id="CKV_AZURE_191",
            categories=(CheckCategories.IAM,),
            supported_resources=("Microsoft.EventGrid/topics",),
        )

    def get_inspected_key(self) -> str:
        """Path of the identity type."""
        return "identity/type"

    def get_expected_value(self) -> Any:
        """Accept whatever identity type is configured."""
        return ANY_VALUE
# Module-level instance created at import time.
check = EventgridTopicIdentityProviderEnabled()
================================================
FILE: checkov/arm/checks/resource/EventgridTopicLocalAuthentication.py
================================================
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories
class EventgridTopicLocalAuthentication(BaseResourceValueCheck):
    """CKV_AZURE_192: Event Grid topics must set disableLocalAuth to true."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that Azure Event Grid Topic local Authentication is disabled",
            id="CKV_AZURE_192",
            categories=(CheckCategories.IAM,),
            supported_resources=("Microsoft.EventGrid/topics",),
        )

    def get_inspected_key(self) -> str:
        """Path of the local-auth switch."""
        return "properties/disableLocalAuth"

    def get_expected_value(self) -> bool:
        """Local authentication must be explicitly disabled."""
        return True
# Module-level instance created at import time.
check = EventgridTopicLocalAuthentication()
================================================
FILE: checkov/arm/checks/resource/EventgridTopicNetworkAccess.py
================================================
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories
class EventgridTopicNetworkAccess(BaseResourceValueCheck):
    """CKV_AZURE_193: Event Grid topics must set publicNetworkAccess to Disabled."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure public network access is disabled for Azure Event Grid Topic",
            id="CKV_AZURE_193",
            categories=(CheckCategories.NETWORKING,),
            supported_resources=("Microsoft.EventGrid/topics",),
        )

    def get_inspected_key(self) -> str:
        """Path of the public network access switch."""
        return "properties/publicNetworkAccess"

    def get_expected_value(self) -> str:
        """The only compliant value for the inspected key."""
        return "Disabled"
# Module-level instance created at import time.
check = EventgridTopicNetworkAccess()
================================================
FILE: checkov/arm/checks/resource/FrontDoorWAFACLCVE202144228.py
================================================
from typing import Dict, Any
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.common.util.type_forcers import force_list
from checkov.arm.base_resource_check import BaseResourceCheck
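class FrontDoorWAFACLCVE202144228(BaseResourceCheck):
    """CKV_AZURE_133: a Front Door WAF policy must keep managed rule 944240 (Log4j2 JNDI lookup) enforcing.

    The policy passes when it uses a DefaultRuleSet and rule 944240 of the JAVA
    rule group is either not overridden at all, or overridden while still
    Enabled with a blocking action. An override that disables the rule, or
    sets a non-blocking action, fails.
    """

    # Managed rule set types that carry the JAVA rule group.
    DEFAULT_RULE_SETS = ("DefaultRuleSet", "Microsoft_DefaultRuleSet")
    # Managed rule matching the CVE-2021-44228 payload.
    LOG4J_RULE_ID = "944240"
    # Override actions that still stop the request.
    ENFORCING_ACTIONS = ("Block", "Redirect")

    def __init__(self) -> None:
        name = "Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
        id = "CKV_AZURE_133"
        supported_resources = ["Microsoft.Network/frontdoorWebApplicationFirewallPolicies"]
        categories = [CheckCategories.APPLICATION_SECURITY]
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf: Dict[Any, Any]) -> CheckResult:
        """Evaluate ``properties/managedRules`` of the WAF policy.

        :param conf: the resource configuration as parsed from the template
        :return: PASSED when a DefaultRuleSet is used and rule 944240 is not
            overridden, or is overridden as Enabled with a Block/Redirect
            action; FAILED otherwise
        """
        self.evaluated_keys = ["properties/managedRules"]
        properties = conf.get("properties")
        if not isinstance(properties, dict):
            return CheckResult.FAILED
        managed_rules = properties.get("managedRules")
        # A non-mapping value (e.g. a template expression) cannot be inspected.
        if not isinstance(managed_rules, dict):
            return CheckResult.FAILED

        for idx_set, rule_set in enumerate(force_list(managed_rules.get("managedRuleSets", []))):
            self.evaluated_keys = [f"managedRules/[{idx_set}]/type"]
            if not isinstance(rule_set, dict) or rule_set.get("ruleSetType") not in self.DEFAULT_RULE_SETS:
                continue
            override = self._find_log4j_override(idx_set, rule_set)
            if not override:
                # Rule 944240 is not overridden: the rule set's own definition applies.
                return CheckResult.PASSED
            # "Disabled" is a truthy string, so the state must be compared
            # explicitly rather than tested for presence.
            if override.get("enabledState") != "Enabled":
                return CheckResult.FAILED
            if override.get("action") in self.ENFORCING_ACTIONS:
                return CheckResult.PASSED
            return CheckResult.FAILED
        return CheckResult.FAILED

    def _find_log4j_override(self, idx_set: int, rule_set: Dict[str, Any]) -> Dict[str, Any]:
        """Return the override entry for rule 944240 in the JAVA group, or {} if none.

        Appends every key inspected on the way to ``self.evaluated_keys``.
        """
        for idx_override, override in enumerate(force_list(rule_set.get("ruleGroupOverrides", []))):
            prefix = f"managedRules/[{idx_set}]/ruleGroupOverrides/[{idx_override}]"
            self.evaluated_keys.append(f"{prefix}/ruleGroupName")
            if not isinstance(override, dict) or override.get("ruleGroupName") != "JAVA":
                continue
            for idx_rule, rule in enumerate(force_list(override.get("rules", []))):
                self.evaluated_keys.extend([
                    f"{prefix}/rules/[{idx_rule}]/ruleId",
                    f"{prefix}/rules/[{idx_rule}]/enabledState",
                    f"{prefix}/rules/[{idx_rule}]/action",
                ])
                if isinstance(rule, dict) and rule.get("ruleId") == self.LOG4J_RULE_ID:
                    return rule
        return {}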
# Module-level instance created at import time.
check = FrontDoorWAFACLCVE202144228()
================================================
FILE: checkov/arm/checks/resource/FrontdoorUseWAFMode.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_check import BaseResourceCheck
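class FrontdoorUseWAFMode(BaseResourceCheck):
    """CKV_AZURE_123: a Front Door WAF policy must have ``policySettings/enabledState`` set to Enabled.

    NOTE(review): only enabledState is read; the "Detection"/"Prevention" mode
    named in the check title is not inspected here.
    """

    def __init__(self) -> None:
        name = "Ensure that Azure Front Door uses WAF in \"Detection\" or \"Prevention\" modes"
        id = "CKV_AZURE_123"
        supported_resources = ('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies',)
        categories = (CheckCategories.NETWORKING,)
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """
        :param conf: the resource configuration as parsed from the template
        :return: PASSED when ``properties/policySettings/enabledState`` equals
            "Enabled", otherwise FAILED (including non-mapping structures)
        """
        properties = conf.get('properties')
        if not isinstance(properties, dict):
            return CheckResult.FAILED
        policy_settings = properties.get('policySettings')
        if not isinstance(policy_settings, dict):
            return CheckResult.FAILED
        if policy_settings.get('enabledState') == "Enabled":
            return CheckResult.PASSED
        return CheckResult.FAILED

    def get_evaluated_keys(self) -> list[str]:
        """Key path actually read by scan_resource_conf (policySettings is a mapping, not a list)."""
        return ["properties/policySettings/enabledState"]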
# Module-level instance created at import time.
check = FrontdoorUseWAFMode()
================================================
FILE: checkov/arm/checks/resource/FunctionAppDisallowCORS.py
================================================
from typing import List, Any
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck
class FunctionAppDisallowCORS(BaseResourceNegativeValueCheck):
    """CKV_AZURE_62: a web/function app's CORS allowed origins must not contain ``*``.

    A resource without the inspected key passes (``missing_block_result``).
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure function apps are not accessible from all regions",
            id="CKV_AZURE_62",
            categories=(CheckCategories.GENERAL_SECURITY,),
            supported_resources=("Microsoft.Web/sites",),
            missing_block_result=CheckResult.PASSED,
        )

    def get_inspected_key(self) -> str:
        """Path of the CORS allowed-origins list."""
        return "properties/siteConfig/cors/allowedOrigins"

    def get_forbidden_values(self) -> List[Any]:
        """Values that fail the check when present."""
        return ["*"]
# Module-level instance created at import time.
check = FunctionAppDisallowCORS()
================================================
FILE: checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py
================================================
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories
class FunctionAppHttpVersionLatest(BaseResourceValueCheck):
    """CKV_AZURE_67: web/function apps and slots must set ``siteConfig/http20Enabled``.

    Only the inspected key is defined here; the expected value comes from the
    BaseResourceValueCheck default.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that 'HTTP Version' is the latest, if used to run the Function app",
            id="CKV_AZURE_67",
            categories=(CheckCategories.GENERAL_SECURITY,),
            supported_resources=("Microsoft.Web/sites/slots", "Microsoft.Web/sites",),
        )

    def get_inspected_key(self) -> str:
        """Path of the HTTP/2 switch."""
        return "properties/siteConfig/http20Enabled"
check = FunctionAppHttpVersionLatest()
================================================
FILE: checkov/arm/checks/resource/FunctionAppMinTLSVersion.py
================================================
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class FunctionAppMinTLSVersion(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure Function app is using the latest version of TLS encryption"
id = "CKV_AZURE_145"
supported_resources = ('Microsoft.Web/sites', 'Microsoft.Web/sites/slots',)
categories = [CheckCategories.NETWORKING]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
missing_block_result=CheckResult.PASSED)
def get_inspected_key(self) -> str:
return "properties/siteConfig/minTlsVersion"
def get_expected_value(self) -> Any:
return 1.2
def get_expected_values(self) -> List[Any]:
return ["1.2", 1.2, "1.3", 1.3]
check = FunctionAppMinTLSVersion()
================================================
FILE: checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
class FunctionAppsAccessibleOverHttps(BaseResourceCheck):
def __init__(self) -> None:
name = "Ensure that Function apps is only accessible over HTTPS"
id = "CKV_AZURE_70"
supported_resources = (
"Microsoft.Web/sites/config",
"Microsoft.Web/sites",
"Microsoft.Web/sites/slots",
)
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
if "properties" in conf:
if self.entity_type == "Microsoft.Web/sites" or self.entity_type == "Microsoft.Web/sites/slots":
if "httpsOnly" not in conf["properties"]:
return CheckResult.FAILED
https_only = conf["properties"]["httpsOnly"]
if not https_only:
return CheckResult.FAILED
if "httpSettings" in conf["properties"]:
auth_settings_v2 = conf["properties"]["httpSettings"]
# default=true for require_https
if 'requireHttps' not in auth_settings_v2:
return CheckResult.PASSED
require_https = auth_settings_v2.get("requireHttps")
if not require_https:
return CheckResult.FAILED
return CheckResult.PASSED
def get_evaluated_keys(self) -> List[str]:
return ["properties", "properties/httpsOnly", "properties/httpSettings"]
check = FunctionAppsAccessibleOverHttps()
================================================
FILE: checkov/arm/checks/resource/FunctionAppsEnableAuthentication.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckCategories, CheckResult
class FunctionAppsEnableAuthentication(BaseResourceCheck):
def __init__(self) -> None:
name = "Ensure that function apps enables Authentication"
id = "CKV_AZURE_56"
supported_resources = ("Microsoft.Web/sites/config",)
categories = (CheckCategories.GENERAL_SECURITY,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
if conf.get('name', '') != 'authsettingsV2':
return CheckResult.PASSED
properties = conf.get('properties', {})
if properties and isinstance(properties, dict):
platform = properties.get('platform', {})
if platform and isinstance(properties, dict):
enabled = platform.get('enabled', False)
if enabled:
return CheckResult.PASSED
return CheckResult.FAILED
def get_evaluated_keys(self) -> List[str]:
return ['properties', 'properties/platform', 'properties/platform/enabled']
check = FunctionAppsEnableAuthentication()
================================================
FILE: checkov/arm/checks/resource/KeyBackedByHSM.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class KeyBackedByHSM(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that key vault key is backed by HSM"
id = "CKV_AZURE_112"
supported_resources = ("Microsoft.KeyVault/vaults/keys",)
categories = (CheckCategories.BACKUP_AND_RECOVERY,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/kty"
def get_expected_value(self) -> Any:
return "RSA-HSM"
def get_expected_values(self) -> list[Any]:
return [self.get_expected_value(), "EC-HSM"]
check = KeyBackedByHSM()
================================================
FILE: checkov/arm/checks/resource/KeyExpirationDate.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.consts import ANY_VALUE
class KeyExpirationDate(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that the expiration date is set on all keys"
id = "CKV_AZURE_40"
supported_resources = ['Microsoft.KeyVault/vaults/keys']
categories = [CheckCategories.GENERAL_SECURITY]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return 'properties/rotationPolicy/attributes/expiryTime'
def get_expected_value(self) -> str:
return ANY_VALUE
check = KeyExpirationDate()
================================================
FILE: checkov/arm/checks/resource/KeyVaultDisablesPublicNetworkAccess.py
================================================
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from typing import Dict, Any
class KeyVaultDisablesPublicNetworkAccess(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that Azure Key Vault disables public network access"
id = "CKV_AZURE_189"
supported_resources = ("Microsoft.KeyVault/vaults",)
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "publicNetworkAccess"
def get_expected_value(self) -> str:
return "disabled"
def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
properties = conf.get("properties", {})
if self.get_inspected_key() in properties:
conf_value = conf["properties"][self.get_inspected_key()]
# Docs are unclear, so supporting Disabled and disabled
if conf_value and conf_value.lower() == self.get_expected_value():
return CheckResult.PASSED
if properties and "networkAcls" in properties:
network_acls = conf["properties"]["networkAcls"]
if isinstance(network_acls, dict) and "ipRules" in network_acls:
ip_rules = network_acls["ipRules"]
ip_rules = ip_rules[0] if ip_rules and isinstance(ip_rules, list) else ip_rules
if ip_rules:
return CheckResult.PASSED
return CheckResult.FAILED
check = KeyVaultDisablesPublicNetworkAccess()
================================================
FILE: checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py
================================================
from typing import Any
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class KeyVaultEnablesFirewallRulesSettings(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that key vault allows firewall rules settings"
id = "CKV_AZURE_109"
supported_resources = ("Microsoft.KeyVault/vaults",)
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/networkAcls/defaultAction"
def get_expected_value(self) -> Any:
return "Deny"
check = KeyVaultEnablesFirewallRulesSettings()
================================================
FILE: checkov/arm/checks/resource/KeyVaultEnablesPurgeProtection.py
================================================
from typing import Any
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class KeyVaultEnablesPurgeProtection(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that key vault enables purge protection"
id = "CKV_AZURE_110"
supported_resources = ['Microsoft.KeyVault/vaults']
categories = [CheckCategories.NETWORKING]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> Any:
return "properties/enablePurgeProtection"
def get_expected_value(self) -> bool:
return True
check = KeyVaultEnablesPurgeProtection()
================================================
FILE: checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py
================================================
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories
from checkov.common.models.enums import CheckResult
class KeyVaultEnablesSoftDelete(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that key vault enables soft delete"
id = "CKV_AZURE_111"
supported_resources = ['Microsoft.KeyVault/vaults']
categories = [CheckCategories.LOGGING]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
missing_block_result=CheckResult.PASSED)
def get_inspected_key(self) -> str:
return "properties/enableSoftDelete"
check = KeyVaultEnablesSoftDelete()
================================================
FILE: checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
class KeyVaultRecoveryEnabled(BaseResourceCheck):
def __init__(self) -> None:
# https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/2016-10-01/vaults
name = "Ensure the key vault is recoverable"
id = "CKV_AZURE_42"
supported_resources = ('Microsoft.KeyVault/vaults',)
categories = (CheckCategories.BACKUP_AND_RECOVERY,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
# NOTE: enablePurgeProtection not supported in API version 2015-06-01
if "properties" in conf:
if "enablePurgeProtection" in conf["properties"] and "enableSoftDelete" in conf["properties"]:
if str(conf["properties"]["enablePurgeProtection"]).lower() == "true" and \
str(conf["properties"]["enableSoftDelete"]).lower() == "true":
return CheckResult.PASSED
return CheckResult.FAILED
def get_evaluated_keys(self) -> List[str]:
return ["properties", "properties/enablePurgeProtection", "properties/enableSoftDelete"]
check = KeyVaultRecoveryEnabled()
================================================
FILE: checkov/arm/checks/resource/LinuxVMUsesSSH.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from typing import Any
from checkov.common.models.consts import ANY_VALUE
class LinuxVMUsesSSH(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure linux VM enables SSH with keys for secure communication"
id = "CKV_AZURE_178"
supported_resources = ("Microsoft.Compute/virtualMachines", "Microsoft.Compute/virtualMachineScaleSets")
categories = (CheckCategories.GENERAL_SECURITY,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)
def get_inspected_key(self) -> str:
if self.entity_type == "Microsoft.Compute/virtualMachineScaleSets":
return "properties/virtualMachineProfile/osProfile/linuxConfiguration/ssh/publicKeys/[0]/path"
return "properties/osProfile/linuxConfiguration/ssh/publicKeys/[0]/path"
def get_expected_value(self) -> Any:
return ANY_VALUE
check = LinuxVMUsesSSH()
================================================
FILE: checkov/arm/checks/resource/MSSQLServerMinTLSVersion.py
================================================
from typing import List, Any
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class MSSQLServerMinTLSVersion(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure MSSQL is using the latest version of TLS encryption"
id = "CKV_AZURE_52"
supported_resources = ("Microsoft.Sql/servers",)
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name,
id=id,
categories=categories,
supported_resources=supported_resources,
missing_block_result=CheckResult.FAILED,)
def get_inspected_key(self) -> str:
return "properties/minimalTlsVersion"
def get_expected_value(self) -> str:
return "1.2"
def get_expected_values(self) -> List[Any]:
return ["1.2", 1.2, "1.3", 1.3]
check = MSSQLServerMinTLSVersion()
================================================
FILE: checkov/arm/checks/resource/MariaDBGeoBackupEnabled.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class MariaDBGeoBackupEnabled(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that MariaDB server enables geo-redundant backups"
id = "CKV_AZURE_129"
supported_resources = ("Microsoft.DBforMariaDB/servers",)
categories = (CheckCategories.BACKUP_AND_RECOVERY,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/storageProfile/geoRedundantBackup"
def get_expected_value(self) -> str:
return "Enabled"
check = MariaDBGeoBackupEnabled()
================================================
FILE: checkov/arm/checks/resource/MariaDBPublicAccessDisabled.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class MariaDBPublicAccessDisabled(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure 'public network access enabled' is set to 'False' for MariaDB servers"
id = "CKV_AZURE_48"
supported_resources = ("Microsoft.DBforMariaDB/servers",)
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/publicNetworkAccess"
def get_expected_value(self) -> str:
return "Disabled"
check = MariaDBPublicAccessDisabled()
================================================
FILE: checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py
================================================
from typing import Any
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories
class MariaDBSSLEnforcementEnabled(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers"
id = "CKV_AZURE_47"
supported_resources = ["Microsoft.DBforMariaDB/servers"]
categories = [CheckCategories.NETWORKING]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/sslEnforcement"
def get_expected_value(self) -> Any:
return "Enabled"
check = MariaDBSSLEnforcementEnabled()
================================================
FILE: checkov/arm/checks/resource/MonitorLogProfileCategories.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
# https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2016-03-01/logprofiles
class MonitorLogProfileRetentionDays(BaseResourceCheck):
def __init__(self) -> None:
name = "Ensure audit profile captures all the activities"
id = "CKV_AZURE_38"
supported_resources = ("Microsoft.Insights/logprofiles",)
categories = (CheckCategories.LOGGING,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
if "properties" in conf and "categories" in conf["properties"]:
categories = ("Write", "Delete", "Action")
if all(category in conf["properties"]["categories"] for category in categories):
return CheckResult.PASSED
return CheckResult.FAILED
def get_evaluated_keys(self) -> List[str]:
return ["properties", "properties/categories"]
check = MonitorLogProfileRetentionDays()
================================================
FILE: checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.util.type_forcers import force_int
# https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2016-03-01/logprofiles
class MonitorLogProfileRetentionDays(BaseResourceCheck):
def __init__(self) -> None:
name = "Ensure that Activity Log Retention is set 365 days or greater"
id = "CKV_AZURE_37"
supported_resources = ("Microsoft.Insights/logprofiles",)
categories = (CheckCategories.LOGGING,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
self.evaluated_keys = ["properties"]
if "properties" in conf and "retentionPolicy" in conf["properties"]:
self.evaluated_keys = ["properties/retentionPolicy"]
retention = conf["properties"]["retentionPolicy"]
if "enabled" in retention and str(retention["enabled"]).lower() == "true":
if "days" in retention:
days = force_int(retention["days"])
if days is not None and (days == 0 or days >= 365):
return CheckResult.PASSED
return CheckResult.FAILED
check = MonitorLogProfileRetentionDays()
================================================
FILE: checkov/arm/checks/resource/MySQLEncryptionEnabled.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_check import BaseResourceCheck
class MySQLEncryptionEnabled(BaseResourceCheck):
def __init__(self) -> None:
name = "Ensure that MySQL server enables infrastructure encryption"
id = "CKV_AZURE_96"
supported_resources = ("Microsoft.DBforMySQL/flexibleServers",)
categories = (CheckCategories.ENCRYPTION,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
properties = conf.get("properties")
if properties and isinstance(properties, dict):
self.evaluated_keys = ["properties/dataencryption"]
data_encryption = properties.get("dataencryption")
if data_encryption and isinstance(data_encryption, dict):
if data_encryption is None:
return CheckResult.FAILED
return CheckResult.PASSED
# unparsed
elif data_encryption and isinstance(data_encryption, str):
return CheckResult.UNKNOWN
return CheckResult.FAILED
return CheckResult.UNKNOWN
check = MySQLEncryptionEnabled()
================================================
FILE: checkov/arm/checks/resource/MySQLGeoBackupEnabled.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class MySQLGeoBackupEnabled(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that My SQL server enables geo-redundant backups"
id = "CKV_AZURE_94"
supported_resources = ("Microsoft.DBforMySQL/flexibleServers",)
categories = (CheckCategories.BACKUP_AND_RECOVERY,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/Backup/geoRedundantBackup"
check = MySQLGeoBackupEnabled()
================================================
FILE: checkov/arm/checks/resource/MySQLPublicAccessDisabled.py
================================================
from typing import List
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class MySQLPublicAccessDisabled(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure 'public network access enabled' is set to 'False' for mySQL servers"
id = "CKV_AZURE_53"
supported_resources = ("Microsoft.DBforMySQL/servers", "Microsoft.DBforMySQL/flexibleServers",)
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
if self.entity_type == "Microsoft.DBforMySQL/servers":
return "properties/publicNetworkAccess"
else:
return "properties/network/publicNetworkAccess"
def get_expected_value(self) -> str:
return "disabled"
def get_expected_values(self) -> List[str]:
return ["disabled", "Disabled"]
check = MySQLPublicAccessDisabled()
================================================
FILE: checkov/arm/checks/resource/MySQLServerMinTLSVersion.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class MySQLServerMinTLSVersion(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure MySQL is using the latest version of TLS encryption"
id = "CKV_AZURE_54"
supported_resources = ("Microsoft.DBforMySQL/servers",)
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name,
id=id,
categories=categories,
supported_resources=supported_resources, )
def get_inspected_key(self) -> str:
return "properties/minimalTlsVersion"
def get_expected_value(self) -> str:
return "TLS1_2"
check = MySQLServerMinTLSVersion()
================================================
FILE: checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py
================================================
from typing import Any
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories
class MySQLServerSSLEnforcementEnabled(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server"
id = "CKV_AZURE_28"
supported_resources = ["Microsoft.DBforMySQL/servers"]
categories = [CheckCategories.NETWORKING]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/sslEnforcement"
def get_expected_value(self) -> Any:
return "Enabled"
check = MySQLServerSSLEnforcementEnabled()
================================================
FILE: checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py
================================================
from checkov.arm.checks.resource.NSGRulePortAccessRestricted import NSGRulePortAccessRestricted
class NSGRuleHTTPAccessRestricted(NSGRulePortAccessRestricted):
    """CKV_AZURE_160: NSG rules must not open TCP/80 to internet-wide source prefixes.

    All logic lives in NSGRulePortAccessRestricted; this subclass only fixes the port and identity.
    """

    PORT = 80

    def __init__(self) -> None:
        check_name = "Ensure that HTTP (port 80) access is restricted from the internet"
        super().__init__(name=check_name, check_id="CKV_AZURE_160", port=self.PORT)
check = NSGRuleHTTPAccessRestricted()
================================================
FILE: checkov/arm/checks/resource/NSGRulePortAccessRestricted.py
================================================
import re
from typing import Union, Dict, Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
# https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups
# https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules
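# Source prefixes that mean "anywhere": the wildcard, the unspecified address (bare and as a /0 CIDR),
# a bare "/0" suffix and the Internet/Any tags. Entries are lower-case; membership tests are plain
# equality, so callers should lower-case the prefix first. "0.0.0.0/0" is listed explicitly because
# "/0" alone never equals it.
INTERNET_ADDRESSES = ["*", "0.0.0.0", "0.0.0.0/0", "/0", "internet", "any"]  # nosec
# "<start>-<end>" destination port range, e.g. "8000-8080".
PORT_RANGE = re.compile(r"\d+-\d+")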
class NSGRulePortAccessRestricted(BaseResourceCheck):
def __init__(self, name: str, check_id: str, port: int) -> None:
supported_resources = (
"Microsoft.Network/networkSecurityGroups",
"Microsoft.Network/networkSecurityGroups/securityRules",
)
categories = (CheckCategories.NETWORKING,)
super().__init__(name=name, id=check_id, categories=categories, supported_resources=supported_resources)
self.port = port
def is_port_in_range(self, port_range: Union[int, str]) -> bool:
port_range_str = str(port_range)
if re.match(PORT_RANGE, port_range_str):
start, end = int(port_range_str.split("-")[0]), int(port_range_str.split("-")[1])
if start <= self.port <= end:
return True
if port_range in (str(self.port), "*"):
return True
return False
def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
if "properties" in conf:
securityRules = []
if self.entity_type == "Microsoft.Network/networkSecurityGroups":
if "securityRules" in conf["properties"]:
securityRules.extend(conf["properties"]["securityRules"])
if self.entity_type == "Microsoft.Network/networkSecurityGroups/securityRules":
securityRules.append(conf)
for rule in securityRules:
portRanges = []
sourcePrefixes = []
if "properties" in rule:
if "access" in rule["properties"] and rule["properties"]["access"].lower() == "allow":
if "direction" in rule["properties"] and rule["properties"]["direction"].lower() == "inbound":
if "protocol" in rule["properties"] and rule["properties"]["protocol"].lower() in ("tcp", "*"):
if "destinationPortRanges" in rule["properties"]:
portRanges.extend(rule["properties"]["destinationPortRanges"])
if "destinationPortRange" in rule["properties"]:
portRanges.append(rule["properties"]["destinationPortRange"])
if "sourceAddressPrefixes" in rule["properties"]:
sourcePrefixes.extend(rule["properties"]["sourceAddressPrefixes"])
if "sourceAddressPrefix" in rule["properties"]:
sourcePrefixes.append(rule["properties"]["sourceAddressPrefix"])
for portRange in portRanges:
if self.is_port_in_range(portRange):
for prefix in sourcePrefixes:
if prefix in INTERNET_ADDRESSES:
return CheckResult.FAILED
return CheckResult.PASSED
================================================
FILE: checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py
================================================
from checkov.arm.checks.resource.NSGRulePortAccessRestricted import NSGRulePortAccessRestricted
class NSGRuleRDPAccessRestricted(NSGRulePortAccessRestricted):
    """CKV_AZURE_9: NSG rules must not open RDP (TCP/3389) to internet-wide source prefixes.

    All logic lives in NSGRulePortAccessRestricted; this subclass only fixes the port and identity.
    """

    PORT = 3389

    def __init__(self) -> None:
        check_name = "Ensure that RDP access is restricted from the internet"
        super().__init__(name=check_name, check_id="CKV_AZURE_9", port=self.PORT)
check = NSGRuleRDPAccessRestricted()
================================================
FILE: checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py
================================================
from checkov.arm.checks.resource.NSGRulePortAccessRestricted import NSGRulePortAccessRestricted
class NSGRuleSSHAccessRestricted(NSGRulePortAccessRestricted):
    """CKV_AZURE_10: NSG rules must not open SSH (TCP/22) to internet-wide source prefixes.

    All logic lives in NSGRulePortAccessRestricted; this subclass only fixes the port and identity.
    """

    PORT = 22

    def __init__(self) -> None:
        check_name = "Ensure that SSH access is restricted from the internet"
        super().__init__(name=check_name, check_id="CKV_AZURE_10", port=self.PORT)
check = NSGRuleSSHAccessRestricted()
================================================
FILE: checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.util.type_forcers import force_int
class NetworkWatcherFlowLogPeriod(BaseResourceCheck):
def __init__(self) -> None:
# https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2020-04-01/networkwatchers/flowlogs
name = "Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'"
id = "CKV_AZURE_12"
supported_resources = (
'Microsoft.Network/networkWatchers/flowLogs',
'Microsoft.Network/networkWatchers/FlowLogs',
'Microsoft.Network/networkWatchers/flowLogs/',
'Microsoft.Network/networkWatchers/FlowLogs/',
)
categories = (CheckCategories.LOGGING,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
if "properties" in conf:
if "enabled" in conf["properties"]:
if str(conf["properties"]["enabled"]).lower() == "true":
if "retentionPolicy" in conf["properties"]:
if "enabled" in conf["properties"]["retentionPolicy"]:
if str(conf["properties"]["retentionPolicy"]["enabled"]).lower() == "true":
if "days" in conf["properties"]["retentionPolicy"]:
days = force_int(conf["properties"]["retentionPolicy"]["days"])
if days and days >= 90:
return CheckResult.PASSED
return CheckResult.FAILED
def get_evaluated_keys(self) -> List[str]:
return ['properties', 'properties/enabled', 'properties/retentionPolicy', 'properties/retentionPolicy/enabled',
'properties/retentionPolicy/days']
check = NetworkWatcherFlowLogPeriod()
================================================
FILE: checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class PostgreSQLEncryptionEnabled(BaseResourceValueCheck):
def __init__(self) -> None:
name = "Ensure that PostgreSQL server enables infrastructure encryption"
id = "CKV_AZURE_130"
supported_resources = ["Microsoft.DBforPostgreSQL/servers"]
categories = [CheckCategories.ENCRYPTION]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def get_inspected_key(self) -> str:
return "properties/infrastructureEncryption"
def get_expected_value(self) -> str:
return "Enabled"
check = PostgreSQLEncryptionEnabled()
================================================
FILE: checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
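class PostgreSQLServerConnectionThrottlingEnabled(BaseResourceCheck):
    """CKV_AZURE_32: the PostgreSQL server parameter ``connection_throttling`` must be ``on``.

    Two resource shapes are accepted: a top-level
    ``Microsoft.DBforPostgreSQL/servers/configurations`` resource, or a nested
    ``configurations`` resource whose ``parent_type`` is
    ``Microsoft.DBforPostgreSQL/servers``. Configurations with any other name are
    not this check's concern and yield ``UNKNOWN``.
    """

    def __init__(self) -> None:
        # https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers
        # https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers/configurations
        name = "Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server"
        id = "CKV_AZURE_32"
        supported_resources = ('Microsoft.DBforPostgreSQL/servers/configurations', 'configurations')
        categories = (CheckCategories.NETWORKING,)
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    @staticmethod
    def _value_is_on(conf: dict[str, Any]) -> bool:
        """True when ``properties/value`` is a string equal to ``on`` (case-insensitive).

        A non-string value (int, bool, unresolved template object) counts as not-on
        instead of raising AttributeError on ``.lower()``.
        """
        properties = conf.get("properties")
        if not isinstance(properties, dict):
            return False
        value = properties.get("value")
        return isinstance(value, str) and value.lower() == "on"

    def _result_from_value(self, conf: dict[str, Any]) -> CheckResult:
        """PASSED when the value is on, otherwise FAILED with the value path recorded in evaluated_keys."""
        if self._value_is_on(conf):
            return CheckResult.PASSED
        self.evaluated_keys = ['properties', 'properties/value']
        return CheckResult.FAILED

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Return PASSED/FAILED for a ``connection_throttling`` configuration, UNKNOWN for anything else.

        :param conf: the parsed ARM resource (``type``, ``name``, ``properties`` and,
            for nested resources, ``parent_type``)
        """
        resource_type = conf.get("type")
        is_target = conf.get("name") == "connection_throttling"

        if resource_type == "Microsoft.DBforPostgreSQL/servers/configurations":
            if is_target:
                return self._result_from_value(conf)
        elif resource_type == "configurations":
            if is_target:
                if "parent_type" not in conf:
                    # NOTE(review): indentation was stripped in the reviewed copy, so the
                    # branch for "name matches but no parent_type" is reconstructed as
                    # FAILED (evaluated key "properties") — confirm against the original.
                    self.evaluated_keys = ["properties"]
                    return CheckResult.FAILED
                if conf["parent_type"] == "Microsoft.DBforPostgreSQL/servers":
                    return self._result_from_value(conf)

        # Any other parameter name (or a nested configuration under a different parent):
        # neither pass nor fail.
        return CheckResult.UNKNOWN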
# Module-level instance of this check.
check = PostgreSQLServerConnectionThrottlingEnabled()
================================================
FILE: checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
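class PostgreSQLServerLogCheckpointsEnabled(BaseResourceCheck):
    """CKV_AZURE_30: the PostgreSQL server parameter ``log_checkpoints`` must be ``on``.

    Accepts either a top-level ``Microsoft.DBforPostgreSQL/servers/configurations``
    resource or a nested ``configurations`` resource whose ``parent_type`` is
    ``Microsoft.DBforPostgreSQL/servers``. Configurations with any other name are
    not this check's concern and yield ``UNKNOWN``.
    """

    def __init__(self) -> None:
        # https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers
        # https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers/configurations
        # https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver#examples
        name = "Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server"
        id = "CKV_AZURE_30"
        supported_resources = ('Microsoft.DBforPostgreSQL/servers/configurations', 'configurations')
        categories = (CheckCategories.NETWORKING,)
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    @staticmethod
    def _value_is_on(conf: dict[str, Any]) -> bool:
        """True when ``properties/value`` is a string equal to ``on`` (case-insensitive).

        A non-string value (int, bool, unresolved template object) counts as not-on
        instead of raising AttributeError on ``.lower()``.
        """
        properties = conf.get("properties")
        if not isinstance(properties, dict):
            return False
        value = properties.get("value")
        return isinstance(value, str) and value.lower() == "on"

    def _result_from_value(self, conf: dict[str, Any]) -> CheckResult:
        """PASSED when the value is on, otherwise FAILED with ``properties/value`` appended to evaluated_keys."""
        if self._value_is_on(conf):
            return CheckResult.PASSED
        self.evaluated_keys.append("properties/value")
        return CheckResult.FAILED

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Return PASSED/FAILED for a ``log_checkpoints`` configuration, UNKNOWN for anything else.

        ``self.evaluated_keys`` starts as ``["properties"]`` and gains
        ``"properties/value"`` only when the value itself produced a FAILED result.

        :param conf: the parsed ARM resource (``type``, ``name``, ``properties`` and,
            for nested resources, ``parent_type``)
        """
        self.evaluated_keys = ["properties"]
        resource_type = conf.get("type")
        is_target = conf.get("name") == "log_checkpoints"

        if resource_type == "Microsoft.DBforPostgreSQL/servers/configurations":
            if is_target:
                return self._result_from_value(conf)
        elif resource_type == "configurations":
            if is_target:
                if "parent_type" not in conf:
                    # NOTE(review): indentation was stripped in the reviewed copy, so the
                    # branch for "name matches but no parent_type" is reconstructed as a
                    # plain FAILED — confirm against the original.
                    return CheckResult.FAILED
                if conf["parent_type"] == "Microsoft.DBforPostgreSQL/servers":
                    return self._result_from_value(conf)

        # Any other parameter name (or a nested configuration under a different parent):
        # neither pass nor fail.
        return CheckResult.UNKNOWN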
# Module-level instance of this check.
check = PostgreSQLServerLogCheckpointsEnabled()
================================================
FILE: checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
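class PostgreSQLServerLogConnectionsEnabled(BaseResourceCheck):
    """CKV_AZURE_31: the PostgreSQL configuration ``log_connections`` must be ``on``.

    Accepts either a top-level ``Microsoft.DBforPostgreSQL/servers/configurations``
    resource or a nested ``configurations`` resource whose ``parent_type`` is
    ``Microsoft.DBforPostgreSQL/servers``. Configurations with any other name are
    not this check's concern and yield ``UNKNOWN``.
    """

    def __init__(self) -> None:
        # https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers
        # https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers/configurations
        # https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver#examples
        name = "Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server"
        id = "CKV_AZURE_31"
        supported_resources = ('Microsoft.DBforPostgreSQL/servers/configurations', 'configurations')
        categories = (CheckCategories.NETWORKING,)
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    @staticmethod
    def _value_is_on(conf: dict[str, Any]) -> bool:
        """True when ``properties/value`` is a string equal to ``on`` (case-insensitive).

        A non-string value (int, bool, unresolved template object) counts as not-on
        instead of raising AttributeError on ``.lower()``.
        """
        properties = conf.get("properties")
        if not isinstance(properties, dict):
            return False
        value = properties.get("value")
        return isinstance(value, str) and value.lower() == "on"

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Return PASSED/FAILED for a ``log_connections`` configuration, UNKNOWN for anything else.

        :param conf: the parsed ARM resource (``type``, ``name``, ``properties`` and,
            for nested resources, ``parent_type``)
        """
        resource_type = conf.get("type")
        is_target = conf.get("name") == "log_connections"

        if resource_type == "Microsoft.DBforPostgreSQL/servers/configurations":
            if is_target:
                return CheckResult.PASSED if self._value_is_on(conf) else CheckResult.FAILED
        elif resource_type == "configurations":
            if is_target:
                if "parent_type" not in conf:
                    # NOTE(review): indentation was stripped in the reviewed copy, so the
                    # branch for "name matches but no parent_type" is reconstructed as
                    # FAILED — confirm against the original.
                    return CheckResult.FAILED
                if conf["parent_type"] == "Microsoft.DBforPostgreSQL/servers":
                    return CheckResult.PASSED if self._value_is_on(conf) else CheckResult.FAILED

        # Any other configuration name (or a nested configuration under a different parent):
        # neither pass nor fail.
        return CheckResult.UNKNOWN

    def get_evaluated_keys(self) -> List[str]:
        # Static key list; this check does not track per-resource evaluated keys.
        return ["type", "name", "properties/value"]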
# Module-level instance of this check.
check = PostgreSQLServerLogConnectionsEnabled()
================================================
FILE: checkov/arm/checks/resource/PostgreSQLServerPublicAccessDisabled.py
================================================
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class PostgreSQLServerHasPublicAccessDisabled(BaseResourceValueCheck):
    """CKV_AZURE_68: a PostgreSQL server must have ``properties/publicNetworkAccess`` set to ``Disabled``.

    A resource without the inspected block fails (``missing_block_result=FAILED``),
    i.e. public access must be disabled explicitly.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that PostgreSQL server disables public network access",
            id="CKV_AZURE_68",
            categories=[CheckCategories.NETWORKING],
            supported_resources=('Microsoft.DBforPostgreSQL/servers',),
            missing_block_result=CheckResult.FAILED,
        )

    def get_inspected_key(self) -> str:
        # Slash-separated path handed to BaseResourceValueCheck as the inspected key.
        return 'properties/publicNetworkAccess'

    def get_expected_value(self) -> str:
        return "Disabled"
# Module-level instance of this check.
check = PostgreSQLServerHasPublicAccessDisabled()
================================================
FILE: checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py
================================================
from typing import Any
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories
class PostgreSQLServerSSLEnforcementEnabled(BaseResourceValueCheck):
    """CKV_AZURE_29: a PostgreSQL server must have ``properties/sslEnforcement`` set to ``Enabled``."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server",
            id="CKV_AZURE_29",
            categories=[CheckCategories.NETWORKING],
            supported_resources=["Microsoft.DBforPostgreSQL/servers"],
        )

    def get_inspected_key(self) -> str:
        # Slash-separated path handed to BaseResourceValueCheck as the inspected key.
        return "properties/sslEnforcement"

    def get_expected_value(self) -> Any:
        # Declared Any to match the base signature; the value is always this string.
        return "Enabled"
# Module-level instance of this check.
check = PostgreSQLServerSSLEnforcementEnabled()
================================================
FILE: checkov/arm/checks/resource/PostgressSQLGeoBackupEnabled.py
================================================
from typing import Any
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class PostgressSQLGeoBackupEnabled(BaseResourceValueCheck):
    """CKV_AZURE_102: a PostgreSQL server must have ``properties/storageProfile/geoRedundantBackup`` set to ``Enabled``."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that PostgreSQL server enables geo-redundant backups",
            id="CKV_AZURE_102",
            categories=[CheckCategories.BACKUP_AND_RECOVERY],
            supported_resources=['Microsoft.DBforPostgreSQL/servers'],
        )

    def get_inspected_key(self) -> Any:
        # Declared Any to match the base signature; always this slash-separated path.
        return 'properties/storageProfile/geoRedundantBackup'

    def get_expected_value(self) -> str:
        return 'Enabled'
# Module-level instance of this check.
check = PostgressSQLGeoBackupEnabled()
================================================
FILE: checkov/arm/checks/resource/PubsubSKUSLA.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck
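class PubsubSKUSLA(BaseResourceNegativeValueCheck):
    """CKV_AZURE_175: a Web PubSub resource must not use the ``Free_F1`` SKU (no SLA)."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure Web PubSub uses a SKU with an SLA",
            id="CKV_AZURE_175",
            categories=(CheckCategories.GENERAL_SECURITY,),
            supported_resources=("Microsoft.SignalRService/webPubSub",),
        )

    def get_inspected_key(self) -> str:
        # Slash-separated path of the SKU name the negative-value base compares.
        return "sku/name"

    def get_forbidden_values(self) -> list[Any]:
        # Returned as a list, like SQLServerUsesADAuth in this package. A bare string
        # would turn a membership test in the base class (if that is how it compares)
        # into a substring match, so e.g. "F1" would also be treated as forbidden.
        return ["Free_F1"]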
# Module-level instance of this check.
check = PubsubSKUSLA()
================================================
FILE: checkov/arm/checks/resource/PubsubSpecifyIdentity.py
================================================
from typing import Any
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.consts import ANY_VALUE
from checkov.common.models.enums import CheckCategories
class PubsubSpecifyIdentity(BaseResourceValueCheck):
    """CKV_AZURE_176: a Web PubSub resource must declare ``identity/type`` (any value)."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure Web PubSub uses managed identities to access Azure resources",
            id="CKV_AZURE_176",
            categories=[CheckCategories.IAM],
            supported_resources=["Microsoft.SignalRService/webPubSub"],
        )

    def get_inspected_key(self) -> str:
        # Slash-separated path handed to BaseResourceValueCheck as the inspected key.
        return "identity/type"

    def get_expected_value(self) -> Any:
        # ANY_VALUE: presence of the key is enough, its content is not compared.
        return ANY_VALUE
# Module-level instance of this check.
check = PubsubSpecifyIdentity()
================================================
FILE: checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class RedisCachePublicNetworkAccessEnabled(BaseResourceValueCheck):
    """CKV_AZURE_89: an Azure Cache for Redis must have ``properties/publicNetworkAccess`` set to ``Disabled``."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that Azure Cache for Redis disables public network access",
            id="CKV_AZURE_89",
            categories=(CheckCategories.NETWORKING,),
            supported_resources=('Microsoft.Cache/redis',),
        )

    def get_inspected_key(self) -> str:
        # Slash-separated path handed to BaseResourceValueCheck as the inspected key.
        return 'properties/publicNetworkAccess'

    def get_expected_value(self) -> str:
        return 'Disabled'
# Module-level instance of this check.
check = RedisCachePublicNetworkAccessEnabled()
================================================
FILE: checkov/arm/checks/resource/SQLDatabaseZoneRedundant.py
================================================
from __future__ import annotations
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class SQLDatabaseZoneRedundant(BaseResourceValueCheck):
    """CKV_AZURE_229: an Azure SQL Database should have ``properties/zoneRedundant`` enabled.

    Zone redundancy is a best practice because it:
    - improves availability: the database is replicated across Availability Zones within
      the region, so an outage in one zone leaves the others serving traffic;
    - reduces maintenance downtime: updates and patches can be rolled out one zone at a time;
    - scales with the workload (Hyperscale can adjust resources to performance needs);
    - typically comes with a higher availability SLA than a non-zone-redundant configuration.

    Caveats:
    - it is only available in the General Purpose, Premium, Business Critical and Hyperscale
      service tiers of the vCore purchasing model, not in the Basic and Standard tiers of the
      DTU-based model;
    - it may be unnecessary for applications with low high-availability maturity, and the
      added network latency can raise transaction commit time for latency-sensitive OLTP
      workloads.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure the Azure SQL Database Namespace is zone redundant",
            id="CKV_AZURE_229",
            categories=[CheckCategories.BACKUP_AND_RECOVERY],
            supported_resources=["Microsoft.Sql/servers/databases"],
        )

    def get_inspected_key(self) -> str:
        # No get_expected_value override here: the expected value is whatever
        # BaseResourceValueCheck uses by default.
        return "properties/zoneRedundant"
# Module-level instance of this check.
check = SQLDatabaseZoneRedundant()
================================================
FILE: checkov/arm/checks/resource/SQLServerAuditingEnabled.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2019-06-01-preview/servers
# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2017-03-01-preview/servers/databases/auditingsettings
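class SQLServerAuditingEnabled(BaseResourceCheck):
    """CKV_AZURE_23: a SQL server or database must carry a nested auditing settings resource with ``state: Enabled``."""

    # this should be a graph check, due to the possible connection between
    # Microsoft.Sql/servers -> Microsoft.Sql/servers/auditingSettings
    # Microsoft.Sql/servers -> Microsoft.Sql/servers/databases/auditingSettings

    # Resource types (short and fully qualified) that hold the auditing state.
    AUDITING_TYPES = (
        "auditingSettings",
        "Microsoft.Sql/servers/auditingSettings",
        "Microsoft.Sql/servers/databases/auditingSettings",
    )

    def __init__(self) -> None:
        name = "Ensure that 'Auditing' is set to 'Enabled' for SQL servers"
        id = "CKV_AZURE_23"
        supported_resources = ("Microsoft.Sql/servers", "Microsoft.Sql/servers/databases")
        categories = (CheckCategories.LOGGING,)
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """PASSED on the first nested auditing resource whose ``properties/state`` is ``enabled``.

        Entries that are not mappings, lack a mapping ``properties`` or carry a
        non-string ``state`` are skipped rather than raising; a resource with no
        nested ``resources`` list fails.
        """
        resources = conf.get("resources")
        if resources and isinstance(resources, list):
            for resource in resources:
                if not isinstance(resource, dict):
                    continue
                if resource.get("type") not in self.AUDITING_TYPES:
                    continue
                properties = resource.get("properties")
                if not isinstance(properties, dict):
                    continue
                state = properties.get("state")
                if isinstance(state, str) and state.lower() == "enabled":
                    return CheckResult.PASSED
        return CheckResult.FAILED

    def get_evaluated_keys(self) -> List[str]:
        return ["resources"]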
# Module-level instance of this check.
check = SQLServerAuditingEnabled()
================================================
FILE: checkov/arm/checks/resource/SQLServerAuditingRetention90Days.py
================================================
from typing import Dict, Any
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.common.util.type_forcers import force_list
# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2019-06-01-preview/servers
# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2017-03-01-preview/servers/databases/auditingsettings
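class SQLServerAuditingRetention90Days(BaseResourceCheck):
    """CKV_AZURE_24: auditing on a SQL server must be enabled with ``retentionDays`` of at least 90.

    The auditing resource may be nested directly under the server or one level
    deeper under a nested database resource.
    """

    # Auditing resource types (short and fully qualified) found directly under the server.
    AUDITING_TYPES = (
        "Microsoft.Sql/servers/databases/auditingSettings",
        'Microsoft.Sql/servers/auditingSettings',
        "auditingSettings",
    )
    # Nested database resource types; the original used the bare string "databases"
    # in parentheses, which made the membership test a substring match and raised
    # TypeError for resources without a "type".
    DATABASE_TYPES = ("databases", "Microsoft.Sql/servers/databases")

    def __init__(self) -> None:
        name = "Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers"
        id = "CKV_AZURE_24"
        supported_resources = ("Microsoft.Sql/servers",)
        categories = (CheckCategories.LOGGING,)
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
        """Evaluate the first auditing resource found; FAILED when there is none.

        ``self.evaluated_keys`` is overwritten per nested resource so the reported
        keys point at the entry that decided the result.
        """
        self.evaluated_keys = ["resources"]
        resources = conf.get("resources") or []
        for idx, resource in enumerate(force_list(resources)):
            self.evaluated_keys = [
                f"resources/[{idx}]/type",
                f"resources/[{idx}]/properties/state",
                f"resources/[{idx}]/properties/retentionDays",
            ]
            if not isinstance(resource, dict):
                continue
            resource_type = resource.get("type")
            if resource_type in self.AUDITING_TYPES:
                return self.check_resource(resource)
            if resource_type in self.DATABASE_TYPES:
                for sub_resource in force_list(resource.get("resources") or []):
                    if (
                        isinstance(sub_resource, dict)
                        and sub_resource.get("type") == "Microsoft.Sql/servers/databases/auditingPolicies"
                    ):
                        return self.check_resource(sub_resource)
        return CheckResult.FAILED

    @staticmethod
    def check_resource(resource: Dict[str, Any]) -> CheckResult:
        """PASSED when ``properties/state`` is ``enabled`` and ``retentionDays`` (int or numeric string) is >= 90."""
        properties = resource.get("properties")
        if not isinstance(properties, dict):
            return CheckResult.FAILED
        state = properties.get("state")
        if not (isinstance(state, str) and state.lower() == "enabled"):
            return CheckResult.FAILED
        retention = properties.get("retentionDays")
        if isinstance(retention, str):
            try:
                retention = int(retention)
            except ValueError:  # not a valid number
                return CheckResult.FAILED
        if isinstance(retention, int) and retention >= 90:
            return CheckResult.PASSED
        return CheckResult.FAILED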
# Module-level instance of this check.
check = SQLServerAuditingRetention90Days()
================================================
FILE: checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py
================================================
from typing import Dict, Any
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.common.util.type_forcers import force_list
# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2019-06-01-preview/servers
# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2017-03-01-preview/servers/securityalertpolicies
class SQLServerEmailAlertsEnabled(BaseResourceCheck):
    """CKV_AZURE_26: a SQL database must carry an enabled security alert policy with ``emailAddresses`` set."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that 'Send Alerts To' is enabled for MSSQL servers",
            id="CKV_AZURE_26",
            categories=(CheckCategories.GENERAL_SECURITY,),
            supported_resources=("Microsoft.Sql/servers/databases",),
        )

    @staticmethod
    def _alerts_are_sent(policy: Dict[str, Any]) -> bool:
        """True when the policy is enabled and lists at least one recipient address."""
        properties = policy.get("properties")
        if not isinstance(properties, dict):
            return False
        state = properties.get("state")
        if not (isinstance(state, str) and state.lower() == "enabled"):
            return False
        return bool(properties.get("emailAddresses"))

    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
        """PASSED on the first nested security alert policy that sends alerts; FAILED otherwise.

        ``self.evaluated_keys`` is overwritten for every nested resource visited.
        """
        self.evaluated_keys = ["resources"]
        nested = force_list(conf.get("resources") or [])
        for idx, policy in enumerate(nested):
            self.evaluated_keys = [
                f"resources/[{idx}]/type",
                f"resources/[{idx}]/properties/state",
                f"resources/[{idx}]/properties/emailAddresses",
            ]
            if policy.get("type") not in (
                "Microsoft.Sql/servers/databases/securityAlertPolicies",
                "securityAlertPolicies",
            ):
                continue
            if self._alerts_are_sent(policy):
                return CheckResult.PASSED
        return CheckResult.FAILED
# Module-level instance of this check.
check = SQLServerEmailAlertsEnabled()
================================================
FILE: checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py
================================================
from typing import Dict, Any
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.common.util.type_forcers import force_list
# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2019-06-01-preview/servers
# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2017-03-01-preview/servers/securityalertpolicies
class SQLServerEmailAlertsToAdminsEnabled(BaseResourceCheck):
    """CKV_AZURE_27: a SQL database must carry an enabled security alert policy with ``emailAccountAdmins`` set."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers",
            id="CKV_AZURE_27",
            categories=[CheckCategories.GENERAL_SECURITY],
            supported_resources=["Microsoft.Sql/servers/databases"],
        )

    @staticmethod
    def _admins_are_notified(policy: Dict[str, Any]) -> bool:
        """True when the policy is enabled and ``emailAccountAdmins`` is truthy."""
        properties = policy.get("properties")
        if not isinstance(properties, dict):
            return False
        state = properties.get("state")
        if not (isinstance(state, str) and state.lower() == "enabled"):
            return False
        return bool(properties.get("emailAccountAdmins"))

    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
        """PASSED on the first nested security alert policy that notifies admins; FAILED otherwise.

        ``self.evaluated_keys`` is overwritten for every nested resource visited.
        """
        self.evaluated_keys = ["resources"]
        nested = force_list(conf.get("resources") or [])
        for idx, policy in enumerate(nested):
            self.evaluated_keys = [
                f"resources/[{idx}]/type",
                f"resources/[{idx}]/properties/state",
                f"resources/[{idx}]/properties/emailAccountAdmins",
            ]
            if policy.get("type") not in (
                "Microsoft.Sql/servers/databases/securityAlertPolicies",
                "securityAlertPolicies",
            ):
                continue
            if self._admins_are_notified(policy):
                return CheckResult.PASSED
        return CheckResult.FAILED
# Module-level instance of this check.
check = SQLServerEmailAlertsToAdminsEnabled()
================================================
FILE: checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py
================================================
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class SQLServerHasPublicAccessDisabled(BaseResourceValueCheck):
    """CKV_AZURE_113: a SQL server must have ``properties/publicNetworkAccess`` set to ``Disabled``.

    A resource without the inspected block fails (``missing_block_result=FAILED``),
    i.e. public access must be disabled explicitly.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that SQL server disables public network access",
            id="CKV_AZURE_113",
            categories=[CheckCategories.NETWORKING],
            supported_resources=["Microsoft.Sql/servers"],
            missing_block_result=CheckResult.FAILED,
        )

    def get_inspected_key(self) -> str:
        # Slash-separated path handed to BaseResourceValueCheck as the inspected key.
        return 'properties/publicNetworkAccess'

    def get_expected_value(self) -> str:
        return "Disabled"
# Module-level instance of this check.
check = SQLServerHasPublicAccessDisabled()
================================================
FILE: checkov/arm/checks/resource/SQLServerNoPublicAccess.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
class SQLServerNoPublicAccess(BaseResourceCheck):
    """CKV_AZURE_11: no nested firewall rule on a SQL server may span 0.0.0.0 to 255.255.255.255.

    A server with no nested ``resources`` list passes; only a rule that covers the
    whole IPv4 range fails the check.
    """

    def __init__(self) -> None:
        # https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2019-06-01-preview/servers
        # https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2014-04-01/servers/firewallrules
        # NOTE(review): the category is LOGGING although this check is about network
        # ingress (the sibling SQLServerHasPublicAccessDisabled uses NETWORKING). Left
        # unchanged here because the category is part of the reported metadata — confirm.
        super().__init__(
            name="Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)",
            id="CKV_AZURE_11",
            categories=(CheckCategories.LOGGING,),
            supported_resources=("Microsoft.Sql/servers",),
        )

    # API Version 2015-05-01-preview and 2014-04-01
    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """FAILED on the first all-IP firewall rule among the nested resources, PASSED otherwise.

        ``self.evaluated_keys`` is overwritten for every nested resource visited.
        """
        resources = conf.get("resources")
        if not resources or not isinstance(resources, list):
            return CheckResult.PASSED
        self.evaluated_keys = ["resources"]
        for idx, rule in enumerate(resources):
            self.evaluated_keys = [
                f"resources/[{idx}]/type",
                f"resources/[{idx}]/properties/startIpAddress",
                f"resources/[{idx}]/properties/endIpAddress",
            ]
            if rule.get("type") not in ("Microsoft.Sql/servers/firewallRules", "firewallRules", "firewallrules"):
                continue
            if "properties" not in rule:
                continue
            properties = rule["properties"]
            start_ip = properties.get("startIpAddress")
            end_ip = properties.get("endIpAddress")
            if start_ip in ["0.0.0.0", "0.0.0.0/0"] and end_ip == "255.255.255.255":  # nosec # false positive
                return CheckResult.FAILED
        return CheckResult.PASSED
# Module-level instance of this check.
check = SQLServerNoPublicAccess()
================================================
FILE: checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py
================================================
from typing import Dict, Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2019-06-01-preview/servers
# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2017-03-01-preview/servers/securityalertpolicies
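class SQLServerThreatDetectionTypes(BaseResourceCheck):
    """CKV_AZURE_25: an enabled security alert policy on a SQL database must not disable any alert type.

    PASSED on the first nested ``securityAlertPolicies`` resource whose ``state`` is
    ``enabled`` and whose ``disabledAlerts`` is empty or absent.
    """

    # Policy resource types, short and fully qualified.
    POLICY_TYPES = (
        "Microsoft.Sql/servers/databases/securityAlertPolicies",
        "securityAlertPolicies",
    )

    def __init__(self) -> None:
        name = "Ensure that 'Threat Detection types' is set to 'All'"
        id = "CKV_AZURE_25"
        supported_resources = ("Microsoft.Sql/servers/databases",)  # 'Microsoft.Sql/servers'
        categories = (CheckCategories.GENERAL_SECURITY,)
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
        """Walk the nested resources; FAILED when no qualifying policy is found.

        Entries that are not mappings, or whose ``state`` is not a string, are
        skipped instead of raising (the original called ``.lower()`` unguarded).
        """
        resources = conf.get("resources")
        if isinstance(resources, list):
            self.evaluated_keys = ["resources"]
            for resource in resources:
                if not isinstance(resource, dict):
                    continue
                if resource.get("type") not in self.POLICY_TYPES:
                    continue
                properties = resource.get("properties")
                if not isinstance(properties, dict):
                    continue
                state = properties.get("state")
                if not (isinstance(state, str) and state.lower() == "enabled"):
                    continue
                if not properties.get("disabledAlerts"):
                    return CheckResult.PASSED
        return CheckResult.FAILED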
# Module-level instance of this check.
check = SQLServerThreatDetectionTypes()
================================================
FILE: checkov/arm/checks/resource/SQLServerUsesADAuth.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.consts import ANY_VALUE
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck
class SQLServerUsesADAuth(BaseResourceNegativeValueCheck):
    """CKV2_AZURE_27: a SQL server must not define ``properties/administratorLogin``.

    Forbidding any value for the SQL administrator login effectively requires Azure AD
    authentication instead of a user/password administrator.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure Azure AD authentication is enabled for Azure SQL (MSSQL)",
            id="CKV2_AZURE_27",
            categories=[CheckCategories.GENERAL_SECURITY],
            supported_resources=["Microsoft.Sql/servers"],
        )

    def get_inspected_key(self) -> str:
        # Slash-separated path of the property the negative-value base inspects.
        return 'properties/administratorLogin'

    def get_forbidden_values(self) -> list[Any]:
        # ANY_VALUE: the mere presence of the key is forbidden.
        return [ANY_VALUE]
# Module-level instance of this check.
check = SQLServerUsesADAuth()
================================================
FILE: checkov/arm/checks/resource/SecretContentType.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.consts import ANY_VALUE
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class SecretContentType(BaseResourceValueCheck):
    """CKV_AZURE_114: a Key Vault secret must declare ``properties/contentType`` (any value)."""

    def __init__(self) -> None:
        super().__init__(
            name='Ensure that key vault secrets have "content_type" set',
            id="CKV_AZURE_114",
            categories=(CheckCategories.GENERAL_SECURITY,),
            supported_resources=("Microsoft.KeyVault/vaults/secrets",),
        )

    def get_inspected_key(self) -> str:
        # Slash-separated path handed to BaseResourceValueCheck as the inspected key.
        return "properties/contentType"

    def get_expected_value(self) -> Any:
        # ANY_VALUE: presence of the key is enough, its content is not compared.
        return ANY_VALUE
# Module-level instance of this check.
check = SecretContentType()
================================================
FILE: checkov/arm/checks/resource/SecretExpirationDate.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
class SecretExpirationDate(BaseResourceCheck):
    """CKV_AZURE_41: a Key Vault secret must carry a truthy ``properties/attributes/exp``."""

    def __init__(self) -> None:
        # https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/secrets
        super().__init__(
            name="Ensure that the expiration date is set on all secrets",
            id="CKV_AZURE_41",
            categories=(CheckCategories.GENERAL_SECURITY,),
            supported_resources=('Microsoft.KeyVault/vaults/secrets',),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """PASSED when an expiration value is present and truthy; FAILED otherwise.

        ``self.evaluated_keys`` narrows from ``properties`` to ``properties/attributes``
        as deeper levels are reached.
        """
        if "properties" not in conf:
            return CheckResult.FAILED
        self.evaluated_keys = ['properties']
        properties = conf["properties"]

        if "attributes" not in properties:
            return CheckResult.FAILED
        self.evaluated_keys = ['properties/attributes']
        attributes = properties["attributes"]

        if "exp" in attributes and attributes["exp"]:
            return CheckResult.PASSED
        return CheckResult.FAILED
# Module-level instance of this check.
check = SecretExpirationDate()
================================================
FILE: checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
class SecurityCenterContactEmailAlert(BaseResourceCheck):
    """CKV_AZURE_21: a security contact must have ``properties/alertNotifications`` set to ``On``."""

    def __init__(self) -> None:
        # https://docs.microsoft.com/en-us/azure/templates/microsoft.security/securitycontacts
        super().__init__(
            name="Ensure that 'Send email notification for high severity alerts' is set to 'On'",
            id="CKV_AZURE_21",
            categories=(CheckCategories.NETWORKING,),
            supported_resources=('Microsoft.Security/securityContacts',),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """PASSED when ``alertNotifications`` stringifies to ``on`` (case-insensitive), FAILED otherwise."""
        if "properties" not in conf or "alertNotifications" not in conf["properties"]:
            return CheckResult.FAILED
        setting = str(conf["properties"]["alertNotifications"]).lower()
        return CheckResult.PASSED if setting == "on" else CheckResult.FAILED

    def get_evaluated_keys(self) -> List[str]:
        return ['properties', 'properties/alertNotifications']
# Module-level instance of this check.
check = SecurityCenterContactEmailAlert()
================================================
FILE: checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
class SecurityCenterContactEmailAlertAdmins(BaseResourceCheck):
    """CKV_AZURE_22: a security contact must have ``properties/alertsToAdmins`` set to ``On``."""

    def __init__(self) -> None:
        # https://docs.microsoft.com/en-us/azure/templates/microsoft.security/securitycontacts
        # NOTE(review): the name is identical to CKV_AZURE_21's although this check
        # inspects alertsToAdmins rather than alertNotifications — confirm the wording.
        super().__init__(
            name="Ensure that 'Send email notification for high severity alerts' is set to 'On'",
            id="CKV_AZURE_22",
            categories=(CheckCategories.NETWORKING,),
            supported_resources=('Microsoft.Security/securityContacts',),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """PASSED when ``alertsToAdmins`` stringifies to ``on`` (case-insensitive), FAILED otherwise."""
        if "properties" not in conf or "alertsToAdmins" not in conf["properties"]:
            return CheckResult.FAILED
        setting = str(conf["properties"]["alertsToAdmins"]).lower()
        return CheckResult.PASSED if setting == "on" else CheckResult.FAILED

    def get_evaluated_keys(self) -> List[str]:
        return ['properties', 'properties/alertsToAdmins']
# Module-level instance of this check.
check = SecurityCenterContactEmailAlertAdmins()
================================================
FILE: checkov/arm/checks/resource/SecurityCenterContactPhone.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
class SecurityCenterContactPhone(BaseResourceCheck):
    """CKV_AZURE_20: a security contact must have a non-empty ``properties/phone``."""

    def __init__(self) -> None:
        # https://docs.microsoft.com/en-us/azure/templates/microsoft.security/securitycontacts
        super().__init__(
            name="Ensure that security contact 'Phone number' is set",
            id="CKV_AZURE_20",
            categories=(CheckCategories.NETWORKING,),
            supported_resources=('Microsoft.Security/securityContacts',),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """PASSED when ``phone`` is present and truthy, FAILED otherwise."""
        if "properties" not in conf or "phone" not in conf["properties"]:
            return CheckResult.FAILED
        return CheckResult.PASSED if conf["properties"]["phone"] else CheckResult.FAILED

    def get_evaluated_keys(self) -> List[str]:
        return ["properties", "properties/phone"]
# Module-level instance of this check.
check = SecurityCenterContactPhone()
================================================
FILE: checkov/arm/checks/resource/SecurityCenterStandardPricing.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
class SecurityCenterStandardPricing(BaseResourceCheck):
    """CKV_AZURE_19: a Security Center pricing resource must have ``properties/pricingTier`` set to ``Standard``."""

    def __init__(self) -> None:
        # https://docs.microsoft.com/en-us/azure/templates/microsoft.security/securitycontacts
        super().__init__(
            name="Ensure that standard pricing tier is selected",
            id="CKV_AZURE_19",
            categories=(CheckCategories.NETWORKING,),
            supported_resources=('Microsoft.Security/pricings',),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """PASSED when ``pricingTier`` stringifies to ``standard`` (case-insensitive), FAILED otherwise.

        ``self.evaluated_keys`` is ``["properties"]`` until the tier key is reached,
        then ``["properties/pricingTier"]``.
        """
        self.evaluated_keys = ["properties"]
        if "properties" not in conf or "pricingTier" not in conf["properties"]:
            return CheckResult.FAILED
        self.evaluated_keys = ["properties/pricingTier"]
        tier = str(conf["properties"]["pricingTier"]).lower()
        return CheckResult.PASSED if tier == "standard" else CheckResult.FAILED
check = SecurityCenterStandardPricing()
================================================
FILE: checkov/arm/checks/resource/StorageAccountAzureServicesAccessEnabled.py
================================================
from __future__ import annotations
from typing import Any
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories
# https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts
from checkov.common.util.type_forcers import force_int
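class StorageAccountAzureServicesAccessEnabled(BaseResourceCheck):
    """CKV_AZURE_36: trusted Microsoft services must be able to reach the storage account.

    Passes when ``properties.networkAcls.defaultAction`` is "Allow" (nothing is blocked) or when
    ``properties.networkAcls.bypass`` is "AzureServices". Fails for apiVersion years before 2017,
    where ``networkAcls`` could not be configured at all.
    """

    def __init__(self) -> None:
        # https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts
        name = "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
        id = "CKV_AZURE_36"
        supported_resources = ('Microsoft.Storage/storageAccounts',)
        categories = (CheckCategories.NETWORKING,)
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Evaluate the storage account's network ACL configuration.

        The type of ``networkAcls`` is verified before any membership test: ``"x" in <str>`` is a
        substring match and ``"x" in <int>`` raises TypeError, so an unresolved template expression
        in that position is reported as UNKNOWN instead of crashing or silently failing.

        :param conf: ARM resource configuration as parsed by checkov
        :return: PASSED, FAILED, or UNKNOWN when the configuration cannot be evaluated
        """
        if "apiVersion" in conf:
            # networkAcls only exists from the 2017 API versions onwards; older templates cannot pass.
            year = force_int(conf["apiVersion"][0:4])
            if year is None:
                return CheckResult.UNKNOWN  # unresolved apiVersion, expected to be handled by variable rendering
            if year < 2017:
                self.evaluated_keys = ["apiVersion"]
                return CheckResult.FAILED

        self.evaluated_keys = ["properties"]
        if "properties" not in conf:
            return CheckResult.FAILED
        properties = conf["properties"]
        if not isinstance(properties, dict):
            return CheckResult.UNKNOWN
        if "networkAcls" not in properties:
            return CheckResult.FAILED

        self.evaluated_keys = ["properties/networkAcls"]
        network_acls = properties["networkAcls"]
        if not isinstance(network_acls, dict):
            return CheckResult.UNKNOWN
        # bypass is only consulted when defaultAction is present; the ARM template reference marks
        # defaultAction as required, so a networkAcls block without it is treated as failing.
        if "defaultAction" in network_acls:
            if network_acls["defaultAction"] == "Allow":
                return CheckResult.PASSED
            if network_acls.get("bypass") == "AzureServices":
                return CheckResult.PASSED
        return CheckResult.FAILED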
check = StorageAccountAzureServicesAccessEnabled()
================================================
FILE: checkov/arm/checks/resource/StorageAccountDefaultNetworkAccessDeny.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.common.util.type_forcers import force_int
# https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts
class StorageAccountDefaultNetworkAccessDeny(BaseResourceCheck):
    """CKV_AZURE_35: ``properties.networkAcls.defaultAction`` of a storage account must be "Deny"."""

    def __init__(self) -> None:
        # networkAcls only became available with the 2017 API versions, so older apiVersions fail.
        super().__init__(
            name="Ensure default network access rule for Storage Accounts is set to deny",
            id="CKV_AZURE_35",
            categories=(CheckCategories.NETWORKING,),
            supported_resources=('Microsoft.Storage/storageAccounts',),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Return PASSED only when the default network action is "Deny".

        :param conf: ARM resource configuration as parsed by checkov
        :return: UNKNOWN when apiVersion does not start with a year or networkAcls is not a mapping
        """
        if "apiVersion" in conf:
            year = force_int(conf["apiVersion"][0:4])
            if year is None:
                return CheckResult.UNKNOWN
            if year < 2017:
                return CheckResult.FAILED
        if "properties" not in conf:
            return CheckResult.FAILED
        properties = conf["properties"]
        if "networkAcls" not in properties:
            return CheckResult.FAILED
        network_acls = properties["networkAcls"]
        if not isinstance(network_acls, dict):
            return CheckResult.UNKNOWN
        if "defaultAction" in network_acls and network_acls["defaultAction"] == "Deny":
            return CheckResult.PASSED
        return CheckResult.FAILED

    def get_evaluated_keys(self) -> List[str]:
        """Key paths reported as evaluated by this check."""
        return ["apiVersion", "properties", "properties/networkAcls"]
check = StorageAccountDefaultNetworkAccessDeny()
================================================
FILE: checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py
================================================
from __future__ import annotations
from typing import Any
from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck
from checkov.common.models.enums import CheckCategories
class StorageAccountDisablePublicAccess(BaseResourceNegativeValueCheck):
    """CKV_AZURE_59: ``properties.publicNetworkAccess`` of a storage account must not be "Enabled"."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that Storage accounts disallow public access",
            id="CKV_AZURE_59",
            categories=(CheckCategories.NETWORKING,),
            supported_resources=("Microsoft.Storage/storageAccounts",),
        )

    def get_inspected_key(self) -> str:
        """Path of the attribute compared against the forbidden values."""
        return "properties/publicNetworkAccess"

    def get_forbidden_values(self) -> list[Any]:
        """Values that make the check fail (handling of a missing key is left to the base class)."""
        forbidden = ["Enabled"]
        return forbidden
check = StorageAccountDisablePublicAccess()
================================================
FILE: checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
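class StorageAccountLoggingQueueServiceEnabled(BaseResourceCheck):
    """CKV_AZURE_33: diagnostic settings of a queue service must enable the StorageRead,
    StorageWrite and StorageDelete log categories.

    Only applies to the diagnosticsettings provider resource nested under a queueServices
    resource, i.e. storage accounts that actually use the Queue service.
    """

    def __init__(self) -> None:
        # https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts
        # https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts/queueservices
        # https://github.com/MicrosoftDocs/azure-docs/issues/13195
        name = "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
        id = "CKV_AZURE_33"
        supported_resources = ('Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings',)
        categories = (CheckCategories.LOGGING,)
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Return PASSED when every required log category is present with ``enabled`` set to true.

        Entries of ``properties.logs`` that are not mappings are skipped: a string entry would
        otherwise pass the ``"category" in log`` substring test and then raise on ``log["enabled"]``.
        A ``logs`` value that is not a list (e.g. an unresolved template expression) is UNKNOWN.

        :param conf: ARM resource configuration as parsed by checkov
        """
        if "properties" not in conf:
            return CheckResult.FAILED
        properties = conf["properties"]
        if "logs" not in properties or not properties["logs"]:
            return CheckResult.FAILED
        logs = properties["logs"]
        if not isinstance(logs, list):
            return CheckResult.UNKNOWN

        # Categories whose "enabled" flag is true (booleans or strings of any case are accepted).
        enabled_categories = {
            log["category"]
            for log in logs
            if isinstance(log, dict)
            and "category" in log
            and "enabled" in log
            and str(log["enabled"]).lower() == "true"
        }
        required_categories = {"StorageRead", "StorageWrite", "StorageDelete"}
        if required_categories.issubset(enabled_categories):
            return CheckResult.PASSED
        return CheckResult.FAILED

    def get_evaluated_keys(self) -> List[str]:
        """Key paths reported as evaluated by this check."""
        return ['properties', 'properties/logs']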
check = StorageAccountLoggingQueueServiceEnabled()
================================================
FILE: checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
class StorageAccountMinimumTlsVersion(BaseResourceCheck):
    """CKV_AZURE_44: ``properties.minimumTlsVersion`` of a storage account must be "TLS1_2".

    A storage account without an explicit minimum TLS version fails, as the property's
    absence does not establish that older protocol versions are rejected.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure Storage Account is using the latest version of TLS encryption",
            id="CKV_AZURE_44",
            categories=(CheckCategories.NETWORKING,),
            supported_resources=('Microsoft.Storage/storageAccounts',),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Return PASSED only when ``properties.minimumTlsVersion`` is one of the accepted values.

        :param conf: ARM resource configuration as parsed by checkov
        """
        if "properties" not in conf:
            return CheckResult.FAILED
        properties = conf["properties"]
        if "minimumTlsVersion" not in properties:
            return CheckResult.FAILED
        accepted_versions = ['TLS1_2']
        if properties["minimumTlsVersion"] in accepted_versions:
            return CheckResult.PASSED
        return CheckResult.FAILED

    def get_evaluated_keys(self) -> List[str]:
        """Key paths reported as evaluated by this check."""
        return ['properties', 'properties/minimumTlsVersion']
check = StorageAccountMinimumTlsVersion()
================================================
FILE: checkov/arm/checks/resource/StorageAccountName.py
================================================
from __future__ import annotations
import re
import typing
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
# Azure storage account naming rule: 3-24 characters, lowercase letters and digits only.
STO_NAME_REGEX = re.compile(r"^[a-z0-9]{3,24}$")
# Substrings that mark a name as computed rather than literal; these are Terraform-style
# reference prefixes. NOTE(review): ARM expressions such as "[parameters('x')]" are not
# listed here and therefore fail the regex rather than yielding UNKNOWN — confirm intended.
VARIABLE_REFS = ("local.", "module.", "var.", "random_string.", "random_id.", "random_integer.", "random_pet.",
                 "azurecaf_name", "each.", "substring")
class StorageAccountName(BaseResourceCheck):
    """CKV_AZURE_43: the storage account ``name`` must match the Azure naming rules.

    Naming reference:
    https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview#naming-storage-accounts
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure Storage Accounts adhere to the naming rules",
            id="CKV_AZURE_43",
            categories=[CheckCategories.CONVENTION],
            supported_resources=['Microsoft.Storage/storageAccounts'],
        )

    def scan_resource_conf(self, conf: dict[str, typing.Any]) -> CheckResult:
        """Validate ``conf["name"]`` against STO_NAME_REGEX.

        :param conf: ARM resource configuration as parsed by checkov
        :return: UNKNOWN when the name contains one of the VARIABLE_REFS markers and could not be
                 evaluated; FAILED when the name is missing, empty or does not match the rules
        """
        if "name" not in conf.keys():
            return CheckResult.FAILED
        raw_name = conf["name"]
        if not raw_name:
            return CheckResult.FAILED
        name = str(raw_name)
        if any(marker in name for marker in VARIABLE_REFS):
            # computed name that cannot be evaluated statically
            return CheckResult.UNKNOWN
        matches = STO_NAME_REGEX.findall(name)
        return CheckResult.PASSED if matches else CheckResult.FAILED

    def get_evaluated_keys(self) -> typing.List[str]:
        """Key paths reported as evaluated by this check."""
        return ["name"]
check = StorageAccountName()
================================================
FILE: checkov/arm/checks/resource/StorageAccountsTransportEncryption.py
================================================
from __future__ import annotations
from typing import Any
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.common.util.type_forcers import force_int
class StorageAccountsTransportEncryption(BaseResourceCheck):
    """CKV_AZURE_3: ``properties.supportsHttpsTrafficOnly`` of a storage account must be true.

    When the property is absent the API default applies: true from API version 2019-04-01 on,
    false before that, so the apiVersion year decides the result.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that 'supportsHttpsTrafficOnly' is set to 'true'",
            id="CKV_AZURE_3",
            categories=(CheckCategories.ENCRYPTION,),
            supported_resources=("Microsoft.Storage/storageAccounts",),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Evaluate the explicit flag first, then fall back to the apiVersion default.

        :param conf: ARM resource configuration as parsed by checkov
        :return: UNKNOWN when apiVersion does not start with a year
        """
        self.evaluated_keys = ["properties"]
        properties = conf.get("properties")
        if isinstance(properties, dict) and "supportsHttpsTrafficOnly" in properties:
            self.evaluated_keys = ["properties/supportsHttpsTrafficOnly"]
            https_only = str(properties["supportsHttpsTrafficOnly"]).lower() == "true"
            return CheckResult.PASSED if https_only else CheckResult.FAILED

        # Flag not set: derive the default from the API version year.
        if "apiVersion" not in conf:
            return CheckResult.FAILED
        year = force_int(conf["apiVersion"][0:4])
        if year is None:
            return CheckResult.UNKNOWN
        if year >= 2019:
            return CheckResult.PASSED
        self.evaluated_keys = ["apiVersion"]
        return CheckResult.FAILED
check = StorageAccountsTransportEncryption()
================================================
FILE: checkov/arm/checks/resource/StorageAccountsUseReplication.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from typing import Any, List
class StorageAccountsUseReplication(BaseResourceValueCheck):
    """CKV_AZURE_206: the storage account ``sku.name`` must be one of the geo-replicated SKUs."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that Storage Accounts use replication",
            id="CKV_AZURE_206",
            categories=(CheckCategories.BACKUP_AND_RECOVERY,),
            supported_resources=("Microsoft.Storage/storageAccounts",),
        )

    def get_inspected_key(self) -> str:
        """Path of the attribute compared against the expected values."""
        return "sku/name"

    def get_expected_value(self) -> Any:
        """Single representative expected value (the full accepted set is get_expected_values)."""
        return "Standard_GRS"

    def get_expected_values(self) -> List[Any]:
        """All SKU names accepted as replicated storage."""
        accepted = ["Standard_GRS", "Standard_RAGRS", "Standard_GZRS", "Standard_RAGZRS"]
        return accepted
check = StorageAccountsUseReplication()
================================================
FILE: checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
class StorageBlobServiceContainerPrivateAccess(BaseResourceCheck):
    """CKV_AZURE_34: blob containers must not set ``properties.publicAccess`` to "Container" or "Blob".

    A missing ``publicAccess`` passes, matching the API default of no public access.
    """

    def __init__(self) -> None:
        # https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts/blobservices/containers
        super().__init__(
            name="Ensure that 'Public access level' is set to Private for blob containers",
            id="CKV_AZURE_34",
            categories=(CheckCategories.NETWORKING,),
            supported_resources=(
                'Microsoft.Storage/storageAccounts/blobServices/containers',
                'containers',
                'blobServices/containers',
            ),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Fail only on an explicit anonymous access level; pass otherwise.

        :param conf: ARM resource configuration as parsed by checkov
        """
        if "properties" not in conf:
            return CheckResult.PASSED
        self.evaluated_keys = ["properties"]
        properties = conf["properties"]
        if "publicAccess" not in properties:
            return CheckResult.PASSED
        self.evaluated_keys = ["properties/publicAccess"]
        access_level = str(properties["publicAccess"]).lower()
        if access_level in ("container", "blob"):
            return CheckResult.FAILED
        return CheckResult.PASSED
check = StorageBlobServiceContainerPrivateAccess()
================================================
FILE: checkov/arm/checks/resource/StorageSyncPublicAccessDisabled.py
================================================
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class NetworkInterfaceEnableIPForwarding(BaseResourceValueCheck):
    """CKV_AZURE_64: Microsoft.StorageSync/storageSyncServices must set
    ``properties.incomingTrafficPolicy`` to "AllowVirtualNetworksOnly".

    NOTE(review): the class name does not match the file (StorageSyncPublicAccessDisabled.py) or
    the check it implements and looks copied from another check. It is kept as is here because
    the module-level ``check`` instantiation refers to it.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that Azure File Sync disables public network access",
            id="CKV_AZURE_64",
            categories=(CheckCategories.NETWORKING,),
            supported_resources=('Microsoft.StorageSync/storageSyncServices',),
            missing_block_result=CheckResult.FAILED,
        )

    def get_inspected_key(self) -> str:
        """Path of the attribute compared against the expected value."""
        return 'properties/incomingTrafficPolicy'

    def get_expected_value(self) -> str:
        """The only accepted traffic policy; a missing block also fails (missing_block_result)."""
        return 'AllowVirtualNetworksOnly'
check = NetworkInterfaceEnableIPForwarding()
================================================
FILE: checkov/arm/checks/resource/SynapseWorkspaceAdministratorLoginPasswordHidden.py
================================================
from __future__ import annotations
from typing import Any, List
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_check import BaseResourceCheck
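class SynapseWorkspaceAdministratorLoginPasswordHidden(BaseResourceCheck):
    """CKV_AZURE_239: a Synapse workspace must not carry ``properties.sqlAdministratorLoginPassword``."""

    def __init__(self) -> None:
        name = "Ensure Azure Synapse Workspace administrator login password is not exposed"
        id = "CKV_AZURE_239"
        supported_resources = ['Microsoft.Synapse/workspaces']
        categories = [CheckCategories.SECRETS]
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Fail when the SQL administrator password is present with a non-empty value.

        ``properties`` is type-checked before use: the previous ``.get`` chain raised
        AttributeError when ``properties`` was not a mapping (e.g. an unresolved expression).
        NOTE(review): any non-empty value fails, including a reference to a secureString
        parameter — confirm whether that is the intended severity.

        :param conf: ARM resource configuration as parsed by checkov
        """
        properties = conf.get("properties")
        if not isinstance(properties, dict):
            return CheckResult.PASSED
        if properties.get("sqlAdministratorLoginPassword"):
            return CheckResult.FAILED
        return CheckResult.PASSED

    def get_evaluated_keys(self) -> List[str]:
        """Key paths reported as evaluated by this check."""
        return ['properties/sqlAdministratorLoginPassword']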
check = SynapseWorkspaceAdministratorLoginPasswordHidden()
================================================
FILE: checkov/arm/checks/resource/SynapseWorkspaceCMKEncryption.py
================================================
from __future__ import annotations
from typing import Any
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories
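class SynapseWorkspaceCMKEncryption(BaseResourceCheck):
    """CKV_AZURE_240: a Synapse workspace must declare a customer-managed key under ``properties.encryption.cmk``."""

    def __init__(self) -> None:
        name = "Ensure Azure Synapse Workspace is encrypted with a CMK"
        id = "CKV_AZURE_240"
        supported_resources = ['Microsoft.Synapse/workspaces']
        categories = [CheckCategories.ENCRYPTION]
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Pass when the ``cmk`` key exists in ``properties.encryption``.

        Both ``properties`` and ``encryption`` are type-checked: the previous ``.get`` chain raised
        AttributeError on a non-mapping ``properties``, and ``"cmk" in <str>`` would have been a
        substring match on a non-mapping ``encryption``. Only key presence is tested, as before;
        an empty ``cmk`` block still passes.

        :param conf: ARM resource configuration as parsed by checkov
        """
        properties = conf.get("properties")
        if not isinstance(properties, dict):
            return CheckResult.FAILED
        encryption = properties.get("encryption")
        if not isinstance(encryption, dict):
            return CheckResult.FAILED
        if "cmk" in encryption:
            return CheckResult.PASSED
        return CheckResult.FAILED

    def get_evaluated_keys(self) -> list[str]:
        """Key paths reported as evaluated by this check."""
        return ['properties', 'properties/encryption']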
check = SynapseWorkspaceCMKEncryption()
================================================
FILE: checkov/arm/checks/resource/SynapseWorkspaceEnablesDataExfilProtection.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class SynapseWorkspaceEnablesDataExfilProtection(BaseResourceValueCheck):
    """CKV_AZURE_157: ``properties.dataExfiltrationProtectionEnabled`` must hold the base class's expected value."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that Synapse workspace has data_exfiltration_protection_enabled",
            id="CKV_AZURE_157",
            categories=[CheckCategories.GENERAL_SECURITY],
            supported_resources=["Microsoft.Synapse/workspaces"],
        )

    def get_inspected_key(self) -> str:
        """Path of the attribute evaluated by the value check."""
        inspected = 'properties/dataExfiltrationProtectionEnabled'
        return inspected
check = SynapseWorkspaceEnablesDataExfilProtection()
================================================
FILE: checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck
class SynapseWorkspaceEnablesManagedVirtualNetworks(BaseResourceNegativeValueCheck):
    """CKV_AZURE_58: ``properties.managedVirtualNetwork`` must not be "default"."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that Azure Synapse workspaces enables managed virtual networks",
            id="CKV_AZURE_58",
            categories=[CheckCategories.NETWORKING],
            supported_resources=['Microsoft.Synapse/workspaces'],
        )

    def get_inspected_key(self) -> str:
        """Path of the attribute compared against the forbidden values."""
        return 'properties/managedVirtualNetwork'

    def get_forbidden_values(self) -> list[Any]:
        """Values that make the check fail."""
        forbidden = ["default"]
        return forbidden
check = SynapseWorkspaceEnablesManagedVirtualNetworks()
================================================
FILE: checkov/arm/checks/resource/VMCredsInCustomData.py
================================================
from typing import List, Dict, Any
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.common.util.secrets import string_has_secrets, AZURE, GENERAL
from checkov.arm.base_resource_value_check import BaseResourceCheck
class VMCredsInCustomData(BaseResourceCheck):
    """CKV_AZURE_45: ``properties.osProfile.customData`` of a VM must not contain credentials.

    NOTE(review): ARM customData is commonly supplied base64-encoded; the secret scan runs on the
    raw string value, so encoded content would not be inspected unless decoded upstream — confirm.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that no sensitive credentials are exposed in VM custom_data",
            id="CKV_AZURE_45",
            categories=(CheckCategories.SECRETS,),
            supported_resources=("Microsoft.Compute/virtualMachines",),
        )

    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
        """Run the AZURE and GENERAL secret detectors over customData when it is a string.

        On a hit the offending value is stored back on ``conf`` under ``"<check id>_secret"``
        before failing.

        :param conf: ARM resource configuration as parsed by checkov
        """
        properties = conf.get("properties")
        if not properties or not isinstance(properties, dict):
            return CheckResult.PASSED
        os_profile = properties.get("osProfile")
        if not isinstance(os_profile, dict):
            return CheckResult.PASSED
        custom_data = os_profile.get("customData")
        if not isinstance(custom_data, str):
            return CheckResult.PASSED
        if not string_has_secrets(custom_data, AZURE, GENERAL):
            return CheckResult.PASSED
        conf[f'{self.id}_secret'] = custom_data
        return CheckResult.FAILED

    def get_evaluated_keys(self) -> List[str]:
        """Key paths reported as evaluated by this check."""
        return ["properties/osProfile/customData"]
check = VMCredsInCustomData()
================================================
FILE: checkov/arm/checks/resource/VMDisablePasswordAuthentication.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_check import BaseResourceCheck
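class VMDisablePasswordAuthentication(BaseResourceCheck):
    """CKV_AZURE_149: Linux VMs and scale sets must set
    ``osProfile.linuxConfiguration.disablePasswordAuthentication`` to true.

    Resources without a ``linuxConfiguration`` block (e.g. Windows images) are UNKNOWN.
    """

    def __init__(self) -> None:
        name = "Ensure that Virtual machine does not enable password authentication"
        id = "CKV_AZURE_149"
        supported_resources = (
            "Microsoft.Compute/virtualMachineScaleSets",
            "Microsoft.Compute/virtualMachines",
        )
        categories = (CheckCategories.ENCRYPTION,)
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Locate the OS profile for the resource type and evaluate the Linux password flag.

        The flag is compared as a case-insensitive string, so both the JSON boolean ``true`` and a
        rendered string "true" pass, consistent with the other ARM checks in this package; the
        previous code accepted only a Python ``True``. Anything else (false, missing, or an
        unresolved expression) fails.

        :param conf: ARM resource configuration as parsed by checkov
        """
        properties = conf.get("properties")
        if not properties or not isinstance(properties, dict):
            return CheckResult.FAILED
        self.evaluated_keys = ["properties"]

        os_profile = self._find_os_profile(properties)
        if os_profile is None:
            return CheckResult.UNKNOWN

        linux_config = os_profile.get("linuxConfiguration")
        if not linux_config or not isinstance(linux_config, dict):
            # No Linux configuration to evaluate (Windows image or unresolved block).
            return CheckResult.UNKNOWN
        disable_password_auth = linux_config.get("disablePasswordAuthentication")
        if str(disable_password_auth).lower() == "true":
            return CheckResult.PASSED
        return CheckResult.FAILED

    def _find_os_profile(self, properties: dict[str, Any]) -> dict[str, Any] | None:
        """Return the osProfile mapping for the current entity type, updating evaluated_keys.

        Virtual machines carry it at ``properties.osProfile``; scale sets nest it under
        ``properties.virtualMachineProfile.osProfile``. Returns None when absent or not a mapping.
        """
        if self.entity_type == "Microsoft.Compute/virtualMachines":
            os_profile = properties.get("osProfile")
            if os_profile and isinstance(os_profile, dict):
                self.evaluated_keys = ["properties/osProfile"]
                return os_profile
        elif self.entity_type == "Microsoft.Compute/virtualMachineScaleSets":
            vm_profile = properties.get("virtualMachineProfile")
            if vm_profile and isinstance(vm_profile, dict):
                os_profile = vm_profile.get("osProfile")
                if os_profile and isinstance(os_profile, dict):
                    self.evaluated_keys = ["properties/virtualMachineProfile/osProfile"]
                    return os_profile
        return None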
check = VMDisablePasswordAuthentication()
================================================
FILE: checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py
================================================
from __future__ import annotations
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_check import BaseResourceCheck
from typing import Any
from checkov.common.util.data_structures_utils import find_in_dict
class VMEncryptionAtHostEnabled(BaseResourceCheck):
    """CKV_AZURE_97: VMs and scale sets must enable ``securityProfile.encryptionAtHost``.

    The check name mentions scale sets only, but plain virtual machines are covered as well.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that Virtual machine scale sets have encryption at host enabled",
            id="CKV_AZURE_97",
            categories=(CheckCategories.ENCRYPTION,),
            supported_resources=("Microsoft.Compute/virtualMachineScaleSets", "Microsoft.Compute/virtualMachines"),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Look up the entity-type-specific key path and pass when its value reads as "true".

        :param conf: ARM resource configuration as parsed by checkov
        """
        key_paths = {
            "Microsoft.Compute/virtualMachines": "properties/securityProfile/encryptionAtHost",
            "Microsoft.Compute/virtualMachineScaleSets": "properties/virtualMachineProfile/securityProfile/encryptionAtHost",
        }
        key_path = key_paths.get(self.entity_type)
        encryption: Any = ""
        if key_path is not None:
            self.evaluated_keys = [key_path]
            encryption = find_in_dict(input_dict=conf, key_path=key_path)
        # Booleans and strings of any case are accepted.
        return CheckResult.PASSED if str(encryption).lower() == "true" else CheckResult.FAILED
check = VMEncryptionAtHostEnabled()
================================================
FILE: checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.util.data_structures_utils import find_in_dict
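class VMScaleSetsAutoOSImagePatchingEnabled(BaseResourceCheck):
    """CKV_AZURE_95: a scale set must carry an extension with ``properties.enableAutomaticUpgrade`` true.

    Scale sets in "Flexible" orchestration mode are reported as failing outright.
    """

    def __init__(self) -> None:
        name = "Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets"
        id = "CKV_AZURE_95"
        supported_resources = ("Microsoft.Compute/virtualMachineScaleSets",)
        categories = (CheckCategories.GENERAL_SECURITY,)
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Scan ``virtualMachineProfile.extensionProfile.extensions`` for an auto-upgrading extension.

        ``extensions`` must be a list and each entry a mapping: the previous code called
        ``.get`` on whatever it found and raised AttributeError on a non-mapping entry or when
        ``extensions`` was a mapping (iterating its keys). A non-list ``extensions`` value is
        now UNKNOWN; non-mapping entries are skipped.

        :param conf: ARM resource configuration as parsed by checkov
        :return: UNKNOWN when ``properties`` is missing or not a mapping
        """
        properties = conf.get("properties")
        if not properties or not isinstance(properties, dict):
            return CheckResult.UNKNOWN

        if properties.get("orchestrationMode") == "Flexible":
            self.evaluated_keys = ["properties/orchestrationMode"]
            return CheckResult.FAILED

        self.evaluated_keys = ["properties/virtualMachineProfile/extensionProfile/extensions"]
        extensions = find_in_dict(
            input_dict=properties,
            key_path="virtualMachineProfile/extensionProfile/extensions",
        )
        if not extensions:
            return CheckResult.FAILED
        if not isinstance(extensions, list):
            return CheckResult.UNKNOWN

        for extension in extensions:
            if not isinstance(extension, dict):
                continue
            extension_properties = extension.get("properties")
            if not extension_properties or not isinstance(extension_properties, dict):
                continue
            # Strict boolean comparison, as before; a string "true" does not pass here.
            if extension_properties.get("enableAutomaticUpgrade") is True:
                return CheckResult.PASSED
        return CheckResult.FAILED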
check = VMScaleSetsAutoOSImagePatchingEnabled()
================================================
FILE: checkov/arm/checks/resource/VMStorageOsDisk.py
================================================
from typing import Any, Dict
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceCheck
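class VMStorageOsDisk(BaseResourceCheck):
    """CKV_AZURE_92: VM disks must be managed disks, i.e. no ``vhd`` entry on the OS disk or any data disk.

    NOTE(review): the evaluated key names ``os_disk`` / ``data_disks`` are Terraform attribute
    names rather than ARM key paths (``properties/storageProfile/osDisk`` ...); they are kept to
    avoid changing reported output — confirm whether they should be aligned.
    """

    def __init__(self) -> None:
        name = "Ensure that Virtual Machines use managed disks"
        id = "CKV_AZURE_92"
        supported_resources = ("Microsoft.Compute/virtualMachines",)
        categories = (CheckCategories.GENERAL_SECURITY,)
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
        """Fail when the OS disk or any data disk references an unmanaged ``vhd``.

        ``dataDisks`` is only iterated when it is a list: the previous ``list(...)`` call raised
        TypeError on ``"dataDisks": null`` and turned a string value into a list of characters.

        :param conf: ARM resource configuration as parsed by checkov
        """
        properties = conf.get('properties')
        if not properties or not isinstance(properties, dict):
            return CheckResult.PASSED
        storage_profile = properties.get('storageProfile')
        if not storage_profile or not isinstance(storage_profile, dict):
            return CheckResult.PASSED

        os_disk = storage_profile.get('osDisk')
        raw_data_disks = storage_profile.get('dataDisks')
        data_disks = list(raw_data_disks) if isinstance(raw_data_disks, list) else []

        if os_disk and isinstance(os_disk, dict) and "vhd" in os_disk:
            self.evaluated_keys = ['os_disk']
            return CheckResult.FAILED
        if any(isinstance(data_disk, dict) and "vhd" in data_disk for data_disk in data_disks):
            self.evaluated_keys = ['data_disks']
            return CheckResult.FAILED

        self.evaluated_keys = ['os_disk'] if os_disk else []
        if data_disks:
            self.evaluated_keys.append('data_disks')
        return CheckResult.PASSED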
check = VMStorageOsDisk()
================================================
FILE: checkov/arm/checks/resource/VnetLocalDNS.py
================================================
from ipaddress import ip_network, ip_address
from typing import Any, List, Dict
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckCategories, CheckResult
class VnetLocalDNS(BaseResourceCheck):
    # CKV_AZURE_183: DNS servers configured on a VNET should fall inside the VNET's own address prefixes.
    def __init__(self) -> None:
        """Avoid taking a dependency on external DNS servers
        for local communication such as those deployed on-premises.
        Where possible consider deploying Azure Private DNS Zones,
        a platform-as-a-service (PaaS) DNS service for VNETs"""
        name = "Ensure that VNET uses local DNS addresses"
        id = "CKV_AZURE_183"
        supported_resources = ("Microsoft.Network/virtualNetworks",)
        categories = [CheckCategories.NETWORKING, ]
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf: Dict[str, Dict[str, Dict[str, List[Any]]]]) -> CheckResult:
        """Compare ``properties.dhcpOptions.dnsServers`` with ``properties.addressSpace.addressPrefixes``.

        Outcome as implemented:
        - PASSED as soon as one DNS server (in list order) lies inside one of the address prefixes;
          remaining DNS servers are not examined after that first match.
        - UNKNOWN when an address prefix or DNS server string cannot be parsed by ``ipaddress``
          before a match is found.
        - FAILED when the DNS list is non-empty and no server matched (this also covers a missing
          or non-list addressSpace/addressPrefixes and non-string DNS entries).
        - PASSED when there is no dnsServers list or it is empty.

        :param conf: ARM resource configuration as parsed by checkov
        """
        if "properties" in conf and "dhcpOptions" in conf["properties"]:
            if "dnsServers" in conf["properties"]["dhcpOptions"]:
                if isinstance(conf["properties"]["dhcpOptions"]["dnsServers"], list):
                    dns_servers = conf["properties"]["dhcpOptions"]["dnsServers"]
                    if dns_servers:
                        for ip in dns_servers:
                            if "addressSpace" in conf["properties"] and conf["properties"]["addressSpace"]:
                                if "addressPrefixes" in conf["properties"]["addressSpace"]:
                                    if isinstance(conf["properties"]["addressSpace"]["addressPrefixes"], list):
                                        address_spaces = conf["properties"]["addressSpace"]["addressPrefixes"]
                                        if isinstance(address_spaces, list):
                                            for address_range in address_spaces:
                                                # Unresolved/non-string prefixes are skipped rather than parsed.
                                                if not isinstance(address_range, str):
                                                    continue
                                                try:
                                                    net = ip_network(address_range)
                                                    ip_add = ip_address(ip) if isinstance(ip, str) else None
                                                except ValueError:
                                                    # Either the prefix or the DNS address is not a valid literal.
                                                    return CheckResult.UNKNOWN
                                                if isinstance(ip, str) and ip_add in net:
                                                    return CheckResult.PASSED
                        # No DNS server matched any prefix.
                        self.evaluated_keys = ["dnsServers"]
                        return CheckResult.FAILED
        return CheckResult.PASSED
check = VnetLocalDNS()
================================================
FILE: checkov/arm/checks/resource/VnetSingleDNSServer.py
================================================
from typing import Any, List, Dict
from checkov.arm.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckCategories, CheckResult
class VnetSingleDNSServer(BaseResourceCheck):
    """CKV_AZURE_182: a resource configured with exactly one DNS server fails.

    Network interfaces carry the list at ``properties.dnsSettings.dnsServers``; virtual
    networks at ``properties.dhcpOptions.dnsServers``. A missing or empty list passes.
    """

    def __init__(self) -> None:
        """Using a single DNS server may indicate a single point of failure
        where the DNS IP address is not load balanced."""
        super().__init__(
            name="Ensure that VNET has at least 2 connected DNS Endpoints",
            id="CKV_AZURE_182",
            categories=(CheckCategories.NETWORKING,),
            supported_resources=("Microsoft.Network/networkInterfaces", "Microsoft.Network/virtualNetworks"),
        )

    def scan_resource_conf(self, conf: Dict[str, Dict[str, Dict[str, List[Any]]]]) -> CheckResult:
        """Pick the DNS server list for the resource shape and fail when it holds a single entry.

        :param conf: ARM resource configuration as parsed by checkov
        """
        has_properties = "properties" in conf
        if has_properties and "dnsSettings" in conf["properties"]:
            dns_settings = conf["properties"]["dnsSettings"]
            if "dnsServers" in dns_settings and isinstance(dns_settings["dnsServers"], list):
                if self._is_single_server(dns_settings["dnsServers"]):
                    return CheckResult.FAILED
        elif has_properties and "dhcpOptions" in conf["properties"]:
            dhcp_options = conf["properties"]["dhcpOptions"]
            if "dnsServers" in dhcp_options and isinstance(dhcp_options["dnsServers"], list):
                if self._is_single_server(dhcp_options["dnsServers"]):
                    return CheckResult.FAILED
        return CheckResult.PASSED

    def _is_single_server(self, dns_servers: List[Any]) -> bool:
        """True when the list holds exactly one entry; records the evaluated key in that case."""
        if dns_servers and len(dns_servers) == 1:
            self.evaluated_keys = ["dnsServers"]
            return True
        return False
check = VnetSingleDNSServer()
================================================
FILE: checkov/arm/checks/resource/WinVMAutomaticUpdates.py
================================================
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class WinVMAutomaticUpdates(BaseResourceValueCheck):
    """Windows VMs and scale sets should opt in to automatic OS updates.

    The inspected key differs between a single VM and a scale set, because the
    scale set nests its OS profile under ``virtualMachineProfile``.
    """

    # Location of ``enableAutomaticUpdates`` for each supported resource type.
    _SCALE_SET_TYPE = "Microsoft.Compute/virtualMachineScaleSets"
    _SCALE_SET_KEY = "properties/virtualMachineProfile/osProfile/windowsConfiguration/enableAutomaticUpdates"
    _VM_KEY = "properties/osProfile/windowsConfiguration/enableAutomaticUpdates"

    def __init__(self) -> None:
        super().__init__(
            name="Ensure Windows VM enables automatic updates",
            id="CKV_AZURE_177",
            categories=(CheckCategories.GENERAL_SECURITY,),
            supported_resources=("Microsoft.Compute/virtualMachines", self._SCALE_SET_TYPE),
            # A resource without the windowsConfiguration block passes - presumably so that
            # non-Windows VMs are not reported; confirm against the base class semantics.
            missing_block_result=CheckResult.PASSED,
        )

    def get_inspected_key(self) -> str:
        """Return the path of ``enableAutomaticUpdates`` for the resource type currently being scanned."""
        if self.entity_type == self._SCALE_SET_TYPE:
            return self._SCALE_SET_KEY
        return self._VM_KEY
check = WinVMAutomaticUpdates()
================================================
FILE: checkov/arm/checks/resource/WinVMEncryptionAtHost.py
================================================
from checkov.common.models.enums import CheckCategories
from checkov.arm.base_resource_value_check import BaseResourceValueCheck
class WinVMEncryptionAtHost(BaseResourceValueCheck):
    """Require ``encryptionAtHost`` on virtual machines.

    If enabled, all the disks (including the temp disk) attached to the Virtual Machine
    are encrypted. Prerequisites when it is not enabled:
    https://learn.microsoft.com/en-gb/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-cli#prerequisites

    NOTE(review): despite the "Windows" in the check name, the supported resource type is
    every ``Microsoft.Compute/virtualMachines`` resource regardless of its OS.
    """

    INSPECTED_KEY = "properties/securityProfile/encryptionAtHost"

    def __init__(self) -> None:
        super().__init__(
            name="Ensure Windows VM enables encryption",
            id="CKV_AZURE_151",
            categories=(CheckCategories.ENCRYPTION,),
            supported_resources=("Microsoft.Compute/virtualMachines",),
        )

    def get_inspected_key(self) -> str:
        """Path of the value the base class compares against its expected value."""
        return self.INSPECTED_KEY
check = WinVMEncryptionAtHost()
================================================
FILE: checkov/arm/checks/resource/__init__.py
================================================
from os.path import dirname, basename, isfile, join
import glob
# Expose every check module of this package so that a star-import loads all of them.
# The listing is computed from the directory at import time, excluding this __init__ itself.
modules = glob.glob(join(dirname(__file__), "*.py"))
__all__ = [
    basename(module_path)[:-3]  # strip the ".py" suffix to obtain the module name
    for module_path in modules
    if isfile(module_path) and not module_path.endswith("__init__.py")
]
================================================
FILE: checkov/arm/context_parser.py
================================================
from __future__ import annotations
import logging
import operator
import re
from functools import reduce
from typing import Any, TYPE_CHECKING, Generator
from checkov.arm.utils import ArmElements
from checkov.common.bridgecrew.integration_features.features.policy_metadata_integration import integration as metadata_integration
from checkov.common.util.consts import LINE_FIELD_NAMES, START_LINE, END_LINE
from checkov.common.util.type_forcers import force_list
if TYPE_CHECKING:
from checkov.common.typing import _SkippedCheck
# A check id (uppercase letters, digits, underscores), optionally followed by ":<reason>".
# Applied with re.search, so the id is the first such token found in the string.
COMMENT_REGEX = re.compile(r'([A-Z_\d]+)(:[^\n]+)?')
# Used with re.sub to strip the "[parameters('" prefix and "')]" suffix, leaving the parameter name.
PARAMETERS_PATTERN = re.compile(r"\[parameters\('|'\)]")
# Same as above for "[variables('...')]".
VARIABLES_PATTERN = re.compile(r"\[variables\('|'\)]")
class ContextParser:
    """
    ARM template context parser

    Substitutes parameter defaults and variable values into the parsed template in place,
    locates the raw source lines of a resource, and collects check suppressions declared
    under a resource's ``metadata.checkov`` entry.
    """

    def __init__(self, arm_file: str, arm_template: dict[str, Any], arm_template_lines: list[tuple[int, str]]) -> None:
        """
        :param arm_file: path of the template; only used in log messages
        :param arm_template: the parsed template; its nested dicts are mutated by evaluate_default_parameters()
        :param arm_template_lines: ``(line_number, text)`` tuples of the raw file
        """
        self.arm_file = arm_file
        self.arm_template = arm_template
        self.arm_template_lines = arm_template_lines

    def evaluate_default_parameters(self) -> None:
        """Replace ``[parameters('x')]`` / ``[variables('x')]`` leaf strings with their values.

        Parameters are only substituted when they declare a ``defaultValue``. ``dict(self.arm_template)``
        is a shallow copy, so writes into nested containers land in the original template.
        NOTE(review): a match located directly at the top level of the template (a one-element path)
        would be written to the shallow copy and lost - confirm that never occurs in practice.
        """
        # Get parameter defaults and variable values
        parameter_defaults = {}
        if ArmElements.PARAMETERS in self.arm_template:
            for parameter, config in self.arm_template[ArmElements.PARAMETERS].items():
                if parameter in LINE_FIELD_NAMES:
                    # skip the injected line-number bookkeeping keys
                    continue
                if "defaultValue" in config:
                    parameter_defaults[parameter] = config["defaultValue"]

        variable_values = {}
        if ArmElements.VARIABLES in self.arm_template:
            for var, config in self.arm_template[ArmElements.VARIABLES].items():
                if var in LINE_FIELD_NAMES:
                    continue
                # a variable may be declared as {"value": ...} or as the bare value itself;
                # NOTE(review): a non-dict config (e.g. a plain string) would raise on .get() here
                variable_values[var] = config.get('value') if config.get('value') else config

        # Find paths to substitute parameters and variables
        keys_w_params = self.search_deep_values('[parameters(', self.arm_template, [])
        keys_w_vars = self.search_deep_values('[variables(', self.arm_template, [])

        # Substitute Parameters and Variables
        for key_entry in keys_w_params:
            try:
                # key_entry is the path to the leaf string; strip the function wrapper to get the name
                param = re.sub(
                    PARAMETERS_PATTERN,
                    "",
                    self._get_from_dict(dict(self.arm_template), key_entry[:-1])[key_entry[-1]],  # type:ignore[index] # this will be a str
                )
                if param in parameter_defaults:
                    logging.debug(f"Replacing parameter {param} in file {self.arm_file} with default value: {parameter_defaults[param]}")
                    self._set_in_dict(dict(self.arm_template), key_entry, parameter_defaults[param])
            except TypeError:
                # e.g. the leaf was not a plain string; leave it unevaluated
                logging.debug(f"Failed to evaluate param in {self.arm_file}", exc_info=True)

        for key_entry in keys_w_vars:
            try:
                param = re.sub(
                    VARIABLES_PATTERN,
                    "",
                    self._get_from_dict(dict(self.arm_template), key_entry[:-1])[key_entry[-1]],  # type:ignore[index] # this will be a str
                )
                if param in variable_values.keys():
                    self._set_in_dict(dict(self.arm_template), key_entry, variable_values[param])
                    logging.debug(
                        "Replacing variable {} in file {} with default value: {}".format(param, self.arm_file,
                                                                                      variable_values[param]))
                else:
                    logging.debug("Variable {} not found in evaluated variables in file {}".format(param, self.arm_file))
            except TypeError:
                logging.debug(f"Failed to evaluate param in {self.arm_file}", exc_info=True)

    @staticmethod
    def extract_arm_resource_id(arm_resource: dict[str, Any]) -> str | None:
        """Return ``<type>.<name>`` for a resource dict, or None when either key is missing."""
        # if arm_resource_name == '__startline__' or arm_resource_name == '__endline__':
        #     return
        if 'type' not in arm_resource:
            # This is not an ARM resource, skip
            return None
        if 'name' not in arm_resource:
            # This is not an ARM resource, skip
            return None
        return f"{arm_resource['type']}.{arm_resource['name']}"

    @staticmethod
    def extract_arm_resource_name(arm_resource: dict[str, Any]) -> str | None:
        """Return the resource ``name`` as a string, or None when the key is missing."""
        # if arm_resource_name == '__startline__' or arm_resource_name == '__endline__':
        #     return
        if 'name' not in arm_resource:
            # This is not an ARM resource, skip
            return None
        return f"{arm_resource['name']}"

    def extract_arm_resource_code_lines(
        self, arm_resource: dict[str, Any]
    ) -> tuple[list[int], list[tuple[int, str]]] | tuple[None, None]:
        """Return ``([start, end], raw_lines)`` spanning the resource and everything nested in it.

        The smallest START_LINE and the largest END_LINE found anywhere inside the resource are used,
        so nested sub-resources are included. Returns ``(None, None)`` when no line markers exist.
        """
        find_lines_result_list = list(self.find_lines(arm_resource, START_LINE))
        if len(find_lines_result_list) >= 1:
            start_line = min(find_lines_result_list)
            end_line = max(list(self.find_lines(arm_resource, END_LINE)))
            entity_lines_range = [start_line, end_line]
            # line numbers are 1-based, the list is 0-based
            entity_code_lines = self.arm_template_lines[start_line - 1: end_line]
            return entity_lines_range, entity_code_lines
        return None, None

    @staticmethod
    def find_lines(node: dict[str, Any] | list[dict[str, Any]], kv: str) -> Generator[Any, None, None]:
        """Yield the value of every key ``kv`` found at any depth of ``node`` (dicts and lists)."""
        if isinstance(node, list):
            for i in node:
                for x in ContextParser.find_lines(i, kv):
                    yield x
        elif isinstance(node, dict):
            if kv in node:
                yield node[kv]
            for j in node.values():
                for x in ContextParser.find_lines(j, kv):
                    yield x

    @staticmethod
    def collect_skip_comments(resource: dict[str, Any]) -> list[_SkippedCheck]:
        """Collect suppressions declared under ``metadata.checkov`` of a resource.

        Each entry is matched with COMMENT_REGEX (``<ID>[:<reason>]``); a BC id is translated to
        its checkov id when the metadata integration provides the mapping. Note that suppressions
        come from the template itself, so anyone who can edit the template can silence a check.
        """
        skipped_checks = []
        bc_id_mapping = metadata_integration.bc_to_ckv_id_mapping
        if "metadata" in resource:
            if "checkov" in resource["metadata"]:
                # a single string or a list of strings are both accepted
                for item in force_list(resource["metadata"]["checkov"]):
                    skip_search = re.search(COMMENT_REGEX, str(item))
                    if skip_search:
                        skipped_check: "_SkippedCheck" = {
                            'id': skip_search.group(1),
                            # group(2) includes the leading ':', hence the [1:]
                            'suppress_comment': skip_search.group(2)[1:] if skip_search.group(
                                2) else "No comment provided"
                        }
                        if bc_id_mapping and skipped_check["id"] in bc_id_mapping:
                            skipped_check["bc_id"] = skipped_check["id"]
                            skipped_check["id"] = bc_id_mapping[skipped_check["id"]]
                        elif metadata_integration.check_metadata:
                            skipped_check["bc_id"] = metadata_integration.get_bc_id(skipped_check["id"])
                        skipped_checks.append(skipped_check)
        return skipped_checks

    @staticmethod
    def search_deep_keys(search_text: str, arm_dict: dict[str, Any], path: list[str | int]) -> list[list[Any]]:
        """Search deep for keys and get their values

        Returns one path per key equal to ``search_text``, with the key's value appended as the
        last element. Not referenced by the code visible in this module.
        """
        keys = []
        if isinstance(arm_dict, dict):
            for key in arm_dict:
                pathprop = path[:]
                pathprop.append(key)
                if key == search_text:
                    pathprop.append(arm_dict[key])
                    keys.append(pathprop)
                    # pop the last element off for nesting of found elements for
                    # dict and list checks
                    pathprop = pathprop[:-1]
                if isinstance(arm_dict[key], dict):
                    keys.extend(ContextParser.search_deep_keys(search_text, arm_dict[key], pathprop))
                elif isinstance(arm_dict[key], list):
                    for index, item in enumerate(arm_dict[key]):
                        pathproparr = pathprop[:]
                        pathproparr.append(index)
                        keys.extend(ContextParser.search_deep_keys(search_text, item, pathproparr))
        elif isinstance(arm_dict, list):
            for index, item in enumerate(arm_dict):
                pathprop = path[:]
                pathprop.append(index)
                keys.extend(ContextParser.search_deep_keys(search_text, item, pathprop))
        return keys

    @staticmethod
    def search_deep_values(search_text: str, arm_dict: dict[str, Any], path: list[str | int]) -> list[list[str | int]]:
        """Search deep for keys with values matching search text

        Matching is done on ``str(value)``, so containers whose content includes the text match
        too; those container matches are discarded in the post-processing below, and the matched
        leaf value is popped off, leaving only the key path to each scalar that contains the text.
        """
        keys: "list[list[str | int]]" = []
        if isinstance(arm_dict, dict):
            for key in arm_dict:
                pathprop = path[:]
                pathprop.append(key)
                if search_text in str(arm_dict[key]):
                    pathprop.append(arm_dict[key])
                    keys.append(pathprop)
                    # pop the last element off for nesting of found elements for
                    # dict and list checks
                    pathprop = pathprop[:-1]
                if isinstance(arm_dict[key], dict):
                    keys.extend(ContextParser.search_deep_values(search_text, arm_dict[key], pathprop))
                elif isinstance(arm_dict[key], list):
                    for index, item in enumerate(arm_dict[key]):
                        pathproparr = pathprop[:]
                        pathproparr.append(index)
                        keys.extend(ContextParser.search_deep_values(search_text, item, pathproparr))
        elif isinstance(arm_dict, list):
            for index, item in enumerate(arm_dict):
                pathprop = path[:]
                pathprop.append(index)
                keys.extend(ContextParser.search_deep_values(search_text, item, pathprop))

        # iterate over a copy because entries are removed from ``keys`` while looping
        for inner_keys in keys[:]:
            for i in inner_keys:
                if isinstance(i, list) or isinstance(i, dict):
                    # the match was a container, not a scalar: drop it
                    keys.remove(inner_keys)
            # Remove parameter
            if search_text in inner_keys[-1]:  # type:ignore[operator] # this will be a str
                inner_keys.pop()
        return keys

    def _set_in_dict(self, data_dict: dict[str, Any], map_list: list[str | int], value: Any) -> None:
        """Assign ``value`` at the nested path ``map_list`` inside ``data_dict``."""
        self._get_from_dict(data_dict, map_list[:-1])[map_list[-1]] = value  # type:ignore[index] # this will be a str

    @staticmethod
    def _get_from_dict(data_dict: dict[str, Any], map_list: list[str | int]) -> dict[str, Any]:
        """Walk ``map_list`` (keys and list indices) into ``data_dict``; an empty path returns ``data_dict`` itself."""
        return reduce(operator.getitem, map_list, data_dict)  # type:ignore[arg-type] # this works, because of a deeper dict access
================================================
FILE: checkov/arm/graph_builder/__init__.py
================================================
================================================
FILE: checkov/arm/graph_builder/definition_context.py
================================================
from __future__ import annotations
from typing import cast, Dict, Any
from checkov.common.util.consts import START_LINE, END_LINE
from checkov.common.util.suppression import collect_suppressions_for_report
# Comment prefix of ARM templates (JSON with comments); not referenced by the code visible in this module.
ARM_COMMENT = "//"
# Only these top-level template sections get a definitions context; variables and outputs are skipped.
DEFINITIONS_KEYS = ["parameters", "resources"]
def build_definitions_context(definitions: dict[str, dict[str, Any]], definitions_raw: dict[str, list[tuple[int, str]]]
                              ) -> Dict[str, Dict[str, Any]]:
    """Build the per-file context (line ranges, suppressions) for parameters and resources.

    :param definitions: parsed templates keyed by file path (keys are stringified)
    :param definitions_raw: raw ``(line_number, text)`` tuples per file path
    :return: ``{file_path: {"parameters": {...}, "resources": {...}}}``; sections that are
        not in DEFINITIONS_KEYS are ignored, and elements that are not dicts are skipped
    """
    context: Dict[str, Dict[str, Any]] = {}
    for path_key, file_definitions in definitions.items():
        file_path = str(path_key)
        file_context: Dict[str, Any] = {}
        context[file_path] = file_context
        for attribute, entries in file_definitions.items():
            if attribute not in DEFINITIONS_KEYS:
                continue
            file_context[attribute] = {}
            if isinstance(entries, dict):
                # parameters: keyed mapping of name -> definition
                candidates = list(entries.items())
            elif isinstance(entries, list):
                # resources: list of definitions; the key is derived from type/name later
                candidates = [("", entry) for entry in entries]
            else:
                continue
            for key, attrs in candidates:
                if isinstance(attrs, dict):
                    add_resource_to_definitions_context(context, key, attrs, attribute, definitions_raw, file_path)
    return context
def add_resource_to_definitions_context(definitions_context: dict[str, dict[str, Any]], resource_key: str,
                                        resource_attributes: dict[str, Any], definition_attribute: str,
                                        definitions_raw: dict[str, Any], file_path: str) -> None:
    """Record the line range (and, for resources, the inline suppressions) of one template element.

    :param definitions_context: the context map being built, keyed by file path then section
    :param resource_key: key to store the element under; ignored for ``resources``, whose key is
        rebuilt as ``<type>.<name>`` (two resources with the same pair overwrite each other)
    :param resource_attributes: the parsed element, expected to carry the START_LINE/END_LINE markers
    :param definition_attribute: ``"resources"`` or ``"parameters"``
    :param definitions_raw: raw ``(line_number, text)`` tuples per file path
    :param file_path: the file the element came from
    """
    first_line = resource_attributes[START_LINE]
    last_line = resource_attributes[END_LINE]
    entry: dict[str, Any] = {"start_line": first_line, "end_line": last_line}

    if definition_attribute != "resources":
        entry["type"] = resource_attributes.get('type')
        entry["code_lines"] = definitions_raw[file_path][first_line - 1: last_line]
        definitions_context[file_path][definition_attribute][resource_key] = entry
        return

    key = f"{resource_attributes.get('type')}.{resource_attributes.get('name')}"
    # NOTE(review): this window starts at the 1-based start line (it skips the element's first raw
    # line and includes one line past the end) whereas the parameters branch uses ``start - 1``.
    # The asymmetry is preserved here; confirm which one is intended before changing it.
    suppression_window = definitions_raw[file_path][cast(int, first_line): cast(int, last_line)]
    entry['skipped_checks'] = collect_suppressions_for_report(code_lines=suppression_window)
    definitions_context[file_path][definition_attribute][key] = entry
================================================
FILE: checkov/arm/graph_builder/graph_components/__init__.py
================================================
================================================
FILE: checkov/arm/graph_builder/graph_components/block_types.py
================================================
from __future__ import annotations
from dataclasses import dataclass
from typing import Literal
from checkov.common.graph.graph_builder.graph_components.block_types import BlockType as CommonBlockType
@dataclass
class BlockType(CommonBlockType):
    """Block types of the ARM graph: the common ones (e.g. RESOURCE) plus the ARM template sections.

    The literal values double as the top-level template keys the definitions live under
    (graph_to_definitions uses ``vertex.block_type`` directly as that dict key).
    """
    PARAMETER: Literal["parameters"] = "parameters"
    VARIABLE: Literal["variables"] = "variables"
    OUTPUT: Literal["outputs"] = "outputs"
================================================
FILE: checkov/arm/graph_builder/graph_components/blocks.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.graph.graph_builder.consts import GraphSource
from checkov.common.graph.graph_builder.graph_components.blocks import Block
class ArmBlock(Block):
    """A vertex of the ARM graph (parameter, variable or resource), tagged with GraphSource.ARM."""

    def __init__(
        self,
        name: str,
        config: dict[str, Any],
        path: str,
        block_type: str,
        attributes: dict[str, Any],
        id: str = "",
    ) -> None:
        """
        :param name: vertex name used to resolve edges (``<file>/<name>`` for parameters and variables)
        :param config: the parsed block as it appears in the template
        :param path: file the block came from
        :param block_type: one of the BlockType values
        :param attributes: copy of the block used for attribute flattening and rendering
        :param id: stable identifier such as ``parameters.<name>`` or ``<type>.<name>``
        """
        super().__init__(name, config, path, block_type, attributes, id, GraphSource.ARM)

    def should_run_get_inner_attributes(self, attribute_value: Any) -> bool:
        """Tell the base class whether ``attribute_value`` should be flattened into inner attributes.

        Triggered from _extract_inner_attributes. Unlike the other frameworks, which only descend
        into lists of dicts, ARM also descends into any non-empty list (including ``list[str]``);
        per the original note this is specifically for a resource's ``dependsOn`` attribute.
        """
        if isinstance(attribute_value, dict):
            return True
        is_non_empty_list = isinstance(attribute_value, list) and len(attribute_value) > 0
        return is_non_empty_list
================================================
FILE: checkov/arm/graph_builder/graph_to_definitions.py
================================================
from __future__ import annotations
import os
from pathlib import Path
from typing import Any, TYPE_CHECKING
from checkov.arm.graph_builder.graph_components.block_types import BlockType
from checkov.arm.utils import ArmElements
if TYPE_CHECKING:
from checkov.arm.graph_builder.graph_components.blocks import ArmBlock
def convert_graph_vertices_to_definitions(vertices: list[ArmBlock], root_folder: str | Path | None)\
        -> tuple[dict[str, dict[str, Any]], dict[str, dict[str, Any]]]:
    """Turn graph vertices back into per-file template definitions, plus their breadcrumbs.

    :param vertices: all vertices of the graph (possibly with rendered configs)
    :param root_folder: folder the breadcrumb paths are made relative to
    :return: ``(definitions, breadcrumbs)``; resources are collected as a list under
        ArmElements.RESOURCES, other block types as ``{name: config}`` keyed by the
        block type, where ``name`` is the last ``/``-separated part of the vertex name
    """
    definitions: dict[str, dict[str, Any]] = {}
    breadcrumbs: dict[str, dict[str, Any]] = {}
    for vertex in vertices:
        file_definitions = definitions.setdefault(vertex.path, {})
        if vertex.block_type == BlockType.RESOURCE:
            file_definitions.setdefault(ArmElements.RESOURCES, []).append(vertex.config)
        else:
            # parameter/variable vertices are named "<file path>/<name>"; keep only the name
            short_name = vertex.name.rsplit('/', 1)[-1]
            file_definitions.setdefault(vertex.block_type, {})[short_name] = vertex.config
        if vertex.breadcrumbs:
            relative_block_path = f"/{os.path.relpath(vertex.path, root_folder)}"
            add_breadcrumbs(vertex, breadcrumbs, relative_block_path)
    return definitions, breadcrumbs
def add_breadcrumbs(vertex: ArmBlock, breadcrumbs: dict[str, dict[str, Any]], relative_block_path: str) -> None:
    """Store ``vertex.breadcrumbs`` under ``breadcrumbs[relative_block_path][vertex.name]`` (in place)."""
    file_breadcrumbs = breadcrumbs.setdefault(relative_block_path, {})
    file_breadcrumbs[vertex.name] = vertex.breadcrumbs
================================================
FILE: checkov/arm/graph_builder/local_graph.py
================================================
from __future__ import annotations
import logging
import re
from typing import Any, TYPE_CHECKING
from checkov.arm.graph_builder.graph_components.blocks import ArmBlock
from checkov.arm.utils import ArmElements, extract_resource_name_from_resource_id_func, \
extract_resource_name_from_reference_func
from checkov.arm.graph_builder.variable_rendering.renderer import ArmVariableRenderer
from checkov.arm.graph_builder.graph_components.block_types import BlockType
from checkov.common.graph.graph_builder import CustomAttributes, Edge
from checkov.common.graph.graph_builder.local_graph import LocalGraph
from checkov.common.graph.graph_builder.utils import filter_sub_keys, adjust_value
from checkov.common.util.consts import START_LINE, END_LINE
from checkov.common.util.data_structures_utils import pickle_deepcopy
from checkov.common.util.type_forcers import force_int
if TYPE_CHECKING:
from checkov.common.graph.graph_builder.local_graph import Block
# Resource attribute holding explicit dependencies.
DEPENDS_ON_FIELD = 'dependsOn'
# Substrings identifying the ARM template functions the graph builder looks for in string values.
RESOURCE_ID_FUNC = 'resourceId('
REFERENCE_FUNC = 'reference('
PARAMETER_FUNC = 'parameters('
VARIABLE_FUNC = 'variables('
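class ArmLocalGraph(LocalGraph[ArmBlock]):
    """Graph of one or more parsed ARM templates.

    Vertices are parameters, resources and variables. Edges run from the vertex that *uses*
    something (origin) to the vertex that defines it (destination) and come from:

    - ``parameters('x')`` / ``variables('x')`` references inside string attributes
    - explicit ``dependsOn`` entries of resources
    - implicit ``reference(...)`` expressions in resource attribute values

    Variables are rendered before the dependency edges are created so that resource names
    built from parameters/variables can be resolved to the vertices they refer to.
    """

    def __init__(self, definitions: dict[str, dict[str, Any]]) -> None:
        """
        :param definitions: parsed templates keyed by file path (output of the ARM parser)
        """
        super().__init__()
        self.vertices: list[ArmBlock] = []
        self.definitions = definitions
        # (file path, block id) -> vertex index
        self.vertices_by_path_and_id: dict[tuple[str, str], int] = {}
        # vertex name -> vertex index; last writer wins on duplicate names (see _create_vertices)
        self.vertices_by_name: dict[str, int] = {}

    def build_graph(self, render_variables: bool = True) -> None:
        """Create all vertices, optionally render parameters/variables, then create the edges.

        :param render_variables: substitute parameter defaults and variable values into the
            attributes (and resource names) before the dependency edges are resolved
        """
        self._create_vertices()
        logging.debug(f"[ArmLocalGraph] created {len(self.vertices)} vertices")
        '''
        In order to resolve the resources names for the dependencies we need to render the variables first
        Examples: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-dependency
        '''
        self._create_vars_and_parameters_edges()
        if render_variables:
            renderer = ArmVariableRenderer(self)
            renderer.render_variables_from_local_graph()
            self._update_resource_vertices_names()
        self._create_edges()
        logging.debug(f"[ArmLocalGraph] created {len(self.edges)} edges")

    def _create_vertices(self) -> None:
        """Create parameter, resource and variable vertices for every file and fill the lookup maps.

        Per file the order is parameters, resources, variables. ``vertices_by_name`` is a plain
        dict, so two vertices sharing a name (a parameter and a variable both use the
        ``<file>/<name>`` scheme; resources use their bare name) silently resolve to the one
        created last. The ``vertices_by_block_type``/``vertices_block_name_map``/``in_edges``/
        ``out_edges`` containers are initialised by the LocalGraph base class (not visible here).
        """
        for file_path, definition in self.definitions.items():
            self._create_parameter_vertices(file_path=file_path, parameters=definition.get(ArmElements.PARAMETERS))
            self._create_resource_vertices(file_path=file_path, resources=definition.get(ArmElements.RESOURCES))
            self._create_variables_vertices(file_path=file_path, variables=definition.get(ArmElements.VARIABLES))

        for i, vertex in enumerate(self.vertices):
            self.vertices_by_block_type[vertex.block_type].append(i)
            self.vertices_block_name_map[vertex.block_type][vertex.name].append(i)
            self.vertices_by_path_and_id[(vertex.path, vertex.id)] = i
            self.vertices_by_name[vertex.name] = i
            self.in_edges[i] = []
            self.out_edges[i] = []

    def _create_variables_vertices(self, file_path: str, variables: dict[str, dict[str, Any]] | None) -> None:
        """Create one VARIABLE vertex per entry of the template's ``variables`` section.

        A variable declared as a bare value is normalised to ``{"value": <value>}`` so that the
        renderer can always read ``attributes["value"]``. Line-number bookkeeping keys are skipped.
        """
        if not variables:
            return

        for name, conf in variables.items():
            if name in [START_LINE, END_LINE]:
                continue
            if not isinstance(conf, dict) or "value" not in conf:
                full_conf = {"value": pickle_deepcopy(conf)}
            else:
                full_conf = conf
            config = pickle_deepcopy(full_conf)
            attributes = pickle_deepcopy(full_conf)
            self.vertices.append(
                ArmBlock(
                    name=f"{file_path}/{name}",
                    config=config,
                    path=file_path,
                    block_type=BlockType.VARIABLE,
                    attributes=attributes,
                    id=f"{ArmElements.VARIABLES}.{name}",
                )
            )

    def _create_parameter_vertices(self, file_path: str, parameters: dict[str, dict[str, Any]] | None) -> None:
        """Create one PARAMETER vertex per entry of the template's ``parameters`` section.

        Non-dict entries are logged and skipped. Note that ``config`` is the original dict
        (not a copy) while ``attributes`` is a deep copy.
        """
        if not parameters:
            return

        for name, config in parameters.items():
            if name in (START_LINE, END_LINE):
                continue
            if not isinstance(config, dict):
                logging.warning(f"[ArmLocalGraph] parameter {name} has wrong type {type(config)}")
                continue

            attributes = pickle_deepcopy(config)
            self.vertices.append(
                ArmBlock(
                    name=f"{file_path}/{name}",
                    config=config,
                    path=file_path,
                    block_type=BlockType.PARAMETER,
                    attributes=attributes,
                    id=f"{ArmElements.PARAMETERS}.{name}",
                )
            )

    def _create_resource_vertices(self, file_path: str, resources: list[dict[str, Any]] | None) -> None:
        """Create one RESOURCE vertex per entry of the template's ``resources`` list.

        An entry without a ``type`` (or that is not a mapping) cannot be a real ARM resource and is
        skipped. Previously such an entry ended the loop with ``return``, which silently dropped
        every resource that followed it in the same file - and with it every graph check on those
        resources; ``continue`` mirrors what _create_parameter_vertices does for bad entries.
        """
        if not resources:
            return

        for config in resources:
            if not isinstance(config, dict) or "type" not in config:
                # this can't be a real ARM resource without a "type" field
                logging.debug(f"[ArmLocalGraph] skipping resource without a type in {file_path}")
                continue

            resource_name = config.get("name") or "unknown"
            resource_type = config["type"]

            attributes = pickle_deepcopy(config)
            attributes[CustomAttributes.RESOURCE_TYPE] = resource_type

            self.vertices.append(
                ArmBlock(
                    name=resource_name,
                    config=config,
                    path=file_path,
                    block_type=BlockType.RESOURCE,
                    attributes=attributes,
                    id=f"{resource_type}.{resource_name}"
                )
            )

    def _create_edges(self) -> None:
        """Create the explicit (``dependsOn``) and implicit (``reference(...)``) edges of every vertex."""
        for origin_vertex_index, vertex in enumerate(self.vertices):
            if DEPENDS_ON_FIELD in vertex.attributes:
                self._create_explicit_edge(origin_vertex_index, vertex.name, vertex.attributes['dependsOn'])
            self._create_implicit_edges(origin_vertex_index, vertex.name, vertex.attributes)

    def _create_explicit_edge(self, origin_vertex_index: int, resource_name: str, deps: list[str]) -> None:
        """Create one edge per ``dependsOn`` entry that resolves to a known vertex name.

        A ``resourceId(...)`` expression is reduced to the resource name it names; any other
        entry is taken as ``<type>/<name>`` and reduced to its last path segment. Unresolvable
        dependencies are logged and skipped, as are entries that are not strings.
        """
        for dep in deps:
            if not isinstance(dep, str):
                # a non-string entry would have raised on the string operations below
                logging.warning(f"[ArmLocalGraph] ignoring non-string dependsOn entry {dep!r} of resource {resource_name}")
                continue
            if RESOURCE_ID_FUNC in dep:
                processed_dep = extract_resource_name_from_resource_id_func(dep)
            else:
                processed_dep = dep.split('/')[-1]
            # Check if the processed dependency exists in the map
            if processed_dep in self.vertices_by_name:
                self._create_edge(processed_dep, origin_vertex_index, f'{resource_name}->{processed_dep}')
            else:
                # Dependency not found
                logging.warning(f"[ArmLocalGraph] resource dependency {processed_dep} defined in {dep} for resource"
                                f" {resource_name} not found")
                continue

    def _create_vars_and_parameters_edges(self) -> None:
        """Create an edge for every ``parameters('x')``/``variables('x')`` used inside a string attribute.

        The edge label is the attribute key, which the renderer later uses to know which attribute to
        rewrite. Only ``\\w`` names are matched, so names containing e.g. ``-`` are not linked.
        """
        pattern = r"(variables|parameters)\('(\w+)'\)"
        for origin_vertex_index, vertex in enumerate(self.vertices):
            for attr_key, attr_value in vertex.attributes.items():
                if not isinstance(attr_value, str):
                    continue
                if ArmElements.VARIABLES in attr_value or ArmElements.PARAMETERS in attr_value:
                    matches = re.findall(pattern, attr_value)
                    for match in matches:
                        var_name = match[1]
                        # parameter and variable vertices are both named "<file path>/<name>"
                        self._create_edge(f"{vertex.path}/{var_name}", origin_vertex_index, attr_key)

    def _create_edge(self, element_name: str, origin_vertex_index: int, label: str) -> None:
        """Add an edge from ``origin_vertex_index`` to the vertex named ``element_name``.

        Nothing is added when the name is unknown or would create a self-loop.
        """
        dest_vertex_index = self.vertices_by_name.get(element_name)
        if origin_vertex_index == dest_vertex_index or dest_vertex_index is None:
            return
        edge = Edge(origin_vertex_index, dest_vertex_index, label)
        self.edges.append(edge)
        self.out_edges[origin_vertex_index].append(edge)
        self.in_edges[dest_vertex_index].append(edge)

    def _create_implicit_edges(self, origin_vertex_index: int, resource_name: str, resource: dict[str, Any]) -> None:
        """Create an implicit edge for every top-level string attribute containing ``reference(``."""
        for value in resource.values():
            if isinstance(value, str):
                if REFERENCE_FUNC in value:
                    self._create_implicit_edge(origin_vertex_index, resource_name, value)

    def _create_implicit_edge(self, origin_vertex_index: int, resource_name: str, reference_string: str) -> None:
        """Resolve the resource named inside a ``reference(...)`` expression and link to it."""
        dep_name = extract_resource_name_from_reference_func(reference_string)
        self._create_edge(dep_name, origin_vertex_index, f'{resource_name}->{dep_name}')

    def _update_resource_vertices_names(self) -> None:
        """After rendering, replace resource vertex names that were template expressions.

        A resource whose ``name`` was ``[parameters(...)]``/``[variables(...)]`` was registered
        under that raw expression; once the config holds the rendered string, the vertex and the
        ``vertices_by_name`` entry are re-keyed so ``dependsOn`` lookups can find it.
        """
        for i, vertex in enumerate(self.vertices):
            if ((vertex.block_type != BlockType.RESOURCE or 'name' not in vertex.config or vertex.name == vertex.config['name'])
                    or not isinstance(vertex.config['name'], str)):
                continue
            if PARAMETER_FUNC in vertex.name or VARIABLE_FUNC in vertex.name:
                if vertex.name in self.vertices_by_name:
                    del self.vertices_by_name[vertex.name]
                vertex.name = vertex.config['name']
                self.vertices_by_name[vertex.name] = i

    def update_vertices_configs(self) -> None:
        """Write every vertex's changed attributes back into its config."""
        for vertex in self.vertices:
            changed_attributes = list(vertex.changed_attributes.keys())
            changed_attributes = filter_sub_keys(changed_attributes)
            self.update_vertex_config(vertex, changed_attributes)

    @staticmethod
    def update_vertex_config(vertex: Block, changed_attributes: list[str] | dict[str, Any],
                             dynamic_blocks: bool = False) -> None:
        """Copy the listed attributes from ``vertex.attributes`` into ``vertex.config``.

        Only RESOURCE vertices are updated. ``dynamic_blocks`` is not used here; presumably kept
        for signature compatibility with the base class.
        """
        if not changed_attributes:
            # skip, if there is no change
            return

        for attr in changed_attributes:
            new_value = vertex.attributes.get(attr, None)
            if vertex.block_type == BlockType.RESOURCE:
                ArmLocalGraph.update_config_attribute(
                    config=vertex.config, key_to_update=attr, new_value=new_value
                )

    @staticmethod
    def update_config_attribute(config: list[Any] | dict[str, Any], key_to_update: str, new_value: Any) -> None:
        """Walk the dotted ``key_to_update`` path into ``config`` and set its leaf to ``new_value``.

        Numeric path parts index into lists; dict keys that themselves contain dots are
        re-assembled by adjust_key. A non-numeric part on a list silently stops the update.
        """
        key_parts = key_to_update.split(".")
        if isinstance(config, dict):
            key = key_parts[0]
            if len(key_parts) == 1:
                ArmLocalGraph.update_config_value(config=config, key=key, new_value=new_value)
                return
            else:
                key, key_parts = ArmLocalGraph.adjust_key(config, key, key_parts)
                if len(key_parts) == 1:
                    ArmLocalGraph.update_config_value(config=config, key=key, new_value=new_value)
                    return
            ArmLocalGraph.update_config_attribute(config[key], ".".join(key_parts[1:]), new_value)
        elif isinstance(config, list):
            key_idx = force_int(key_parts[0])
            if key_idx is None:
                return

            if len(key_parts) == 1:
                ArmLocalGraph.update_config_value(config=config, key=key_idx, new_value=new_value)
                return
            else:
                ArmLocalGraph.update_config_attribute(config[key_idx], ".".join(key_parts[1:]), new_value)
                return

    @staticmethod
    def update_config_value(config: list[Any] | dict[str, Any], key: int | str, new_value: Any) -> None:
        """Set ``config[key]`` to ``new_value`` after letting adjust_value reconcile it with the old value."""
        new_value = adjust_value(config[key], new_value)  # type:ignore[index]
        if new_value is None:
            # couldn't find key in in value object
            return
        config[key] = new_value  # type:ignore[index]

    @staticmethod
    def adjust_key(config: dict[str, Any], key: str, key_parts: list[str]) -> tuple[str, list[str]]:
        """Adjusts the key, if it consists of multiple dots

        Ex:
        config = {"'container.registry'": "acrName"}
        key = "'container"
        key_parts = ["'container", "registry'"]

        returns new_key = "'container.registry'"
                new_key_parts = ["'container.registry'"]
        """
        if key not in config:
            if len(key_parts) >= 2:
                new_key = ".".join(key_parts[:2])
                new_key_parts = [new_key] + key_parts[2:]
                return ArmLocalGraph.adjust_key(config, new_key, new_key_parts)
        return key, key_parts

    def get_resources_types_in_graph(self) -> list[str]:
        # not used
        return []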
================================================
FILE: checkov/arm/graph_builder/variable_rendering/__init__.py
================================================
================================================
FILE: checkov/arm/graph_builder/variable_rendering/renderer.py
================================================
from __future__ import annotations
import logging
from typing import TYPE_CHECKING, Any
from checkov.arm.graph_builder.graph_components.block_types import BlockType
from checkov.common.graph.graph_builder import Edge
from checkov.common.graph.graph_builder.utils import adjust_value
from checkov.common.graph.graph_builder.variable_rendering.renderer import VariableRenderer
from checkov.common.util.data_structures_utils import pickle_deepcopy
if TYPE_CHECKING:
from checkov.arm.graph_builder.local_graph import ArmLocalGraph
class ArmVariableRenderer(VariableRenderer["ArmLocalGraph"]):
    """Substitutes parameter defaults and variable values into the attributes that reference them.

    Only edge-driven rendering is implemented: every edge created by
    ArmLocalGraph._create_vars_and_parameters_edges points from the attribute that uses
    ``parameters('x')``/``variables('x')`` (the edge label is the attribute key) to the vertex
    defining ``x``. Template functions such as ``format`` or ``reference`` are not evaluated here.
    """

    def __init__(self, local_graph: ArmLocalGraph) -> None:
        super().__init__(local_graph)

    def _render_variables_from_vertices(self) -> None:
        # need to add rendering to function like format, reference etc
        pass

    def evaluate_vertex_attribute_from_edge(self, edge_list: list[Edge]) -> None:
        """Render one origin attribute using every edge that leaves it.

        All edges in ``edge_list`` share the same origin vertex and label (attribute key).
        Two substitution modes exist:

        - the attribute is a single ``[parameters('x')]`` / ``[variables('x')]`` expression and
          there is exactly one edge: the attribute becomes the referenced value (as returned by
          adjust_value) so non-string values such as lists or dicts survive;
        - otherwise the textual ``parameters('x')`` / ``variables('x')`` fragment is replaced
          inside the string by ``str(value)``.

        NOTE(review): ``if not attr_value`` skips falsy-but-valid values (``0``, ``False``, ``""``)
        as if they were missing - confirm whether that is intended.
        """
        origin_vertex_attributes = self.local_graph.vertices[edge_list[0].origin].attributes
        value_to_eval = pickle_deepcopy(origin_vertex_attributes.get(edge_list[0].label, ""))
        attr_path = None
        for edge in edge_list:
            attr_path, attr_value = self.extract_dest_attribute_path_and_value(dest_index=edge.dest,
                                                                               origin_value=value_to_eval)
            if not attr_value:
                # nothing usable at the destination (e.g. a parameter without a default)
                continue
            '''if the arg start with '[parameters'/ '[variables' its mean we need to eval the all attribute
            like here - "addressPrefix": "[parameters('subnetAddressPrefix')]" '''
            if len(edge_list) == 1 and isinstance(value_to_eval, str) and value_to_eval.startswith(("[parameters", "[variables")):
                value_to_eval = attr_value
                continue
            '''
            if the value i need to eval is part of the full attribute like "[format('{0}/{1}', parameters('vnetName'), variables('subnetName'))]"
            or "[resourceId('Microsoft.Network/networkProfiles', variables('networkProfileName'))]".
            vertices[edge.dest].id = variables.networkProfileName -> variables('networkProfileName')
            '''
            # rebuild the exact "<section>('<name>')" text from the destination id and replace it in place
            val_to_replace = self.local_graph.vertices[edge.dest].id.replace(".", "('") + "')"
            if attr_value and isinstance(value_to_eval, str):
                value_to_eval = value_to_eval.replace(val_to_replace, str(attr_value))
        # attr_path/change_origin_id describe only the last edge / first edge respectively
        self.local_graph.update_vertex_attribute(
            vertex_index=edge_list[0].origin,
            attribute_key=edge_list[0].label,
            attribute_value=value_to_eval,
            change_origin_id=edge_list[0].dest,
            attribute_at_dest=attr_path,
        )

    def extract_dest_attribute_path_and_value(self, dest_index: int, origin_value: Any) -> tuple[str, Any] | tuple[None, None]:
        """Return ``(attribute name, value)`` of the vertex a reference points at.

        :param dest_index: index of the parameter/variable vertex
        :param origin_value: the referencing value, handed to adjust_value for reconciliation
        :return: ``("defaultValue", value)`` for a parameter (``None`` value, with a warning, when
            it has no truthy default), ``("value", value)`` for a variable, ``(None, None)`` otherwise
        """
        vertex = self.local_graph.vertices[dest_index]
        if vertex.block_type == BlockType.PARAMETER:
            new_value = vertex.attributes.get("defaultValue")
            if new_value:
                new_value = adjust_value(element_name=origin_value, value=new_value)
                return "defaultValue", new_value
            else:
                logging.warning(f'No defaultValue for parameter id = {vertex.id}')
                return "defaultValue", None
        elif vertex.block_type == BlockType.VARIABLE:
            new_value = adjust_value(element_name=origin_value, value=vertex.attributes.get("value"))
            return "value", new_value
        return None, None

    def evaluate_non_rendered_values(self) -> None:
        pass
================================================
FILE: checkov/arm/graph_manager.py
================================================
from __future__ import annotations
from typing import TYPE_CHECKING, Any, Optional
from checkov.arm.graph_builder.local_graph import ArmLocalGraph
from checkov.arm.utils import get_scannable_file_paths, get_files_definitions
from checkov.common.graph.graph_builder.consts import GraphSource
from checkov.common.graph.graph_manager import GraphManager
if TYPE_CHECKING:
from checkov.common.typing import LibraryGraphConnector
class ArmGraphManager(GraphManager[ArmLocalGraph, "dict[str, dict[str, Any]]"]):
    """Builds an ArmLocalGraph either from a directory of templates or from already parsed definitions."""

    def __init__(self, db_connector: LibraryGraphConnector, source: str = GraphSource.ARM) -> None:
        # ARM has no separate parser object; definitions are produced by get_files_definitions()
        super().__init__(db_connector=db_connector, parser=None, source=source)

    def build_graph_from_source_directory(
        self,
        source_dir: str,
        local_graph_class: type[ArmLocalGraph] = ArmLocalGraph,
        render_variables: bool = False,
        parsing_errors: dict[str, Exception] | None = None,
        download_external_modules: Optional[bool] = False,
        excluded_paths: list[str] | None = None,
        **kwargs: Any,
    ) -> tuple[ArmLocalGraph, dict[str, dict[str, Any]]]:
        """Discover the ARM templates under ``source_dir``, parse them and build the graph.

        :return: ``(graph, definitions)`` where ``definitions`` is the parsed template map

        NOTE(review): ``render_variables``, ``local_graph_class``, ``parsing_errors`` and
        ``download_external_modules`` are accepted but not used - the graph is always built with
        build_graph_from_definitions' default (``render_variables=True``), so a caller passing
        ``False`` still gets rendered variables. Confirm whether that is intended.
        """
        scannable_files = get_scannable_file_paths(root_folder=source_dir, excluded_paths=excluded_paths)
        parsed_definitions, _, _ = get_files_definitions(files=scannable_files)
        graph = self.build_graph_from_definitions(definitions=parsed_definitions)
        return graph, parsed_definitions

    def build_graph_from_definitions(
        self, definitions: dict[str, dict[str, Any]], render_variables: bool = True
    ) -> ArmLocalGraph:
        """Wrap the parsed definitions in an ArmLocalGraph and build its vertices and edges."""
        graph = ArmLocalGraph(definitions=definitions)
        graph.build_graph(render_variables=render_variables)
        return graph
================================================
FILE: checkov/arm/parser/__init__.py
================================================
================================================
FILE: checkov/arm/parser/parser.py
================================================
from __future__ import annotations

import errno
import logging
from pathlib import Path
from typing import Any

from yaml import YAMLError
from yaml.scanner import ScannerError

from checkov.common.parsers.json import parse as json_parse
from checkov.common.parsers.yaml import loader
from checkov.common.resource_code_logger_filter import add_resource_code_filter_to_logger
from checkov.common.util.file_utils import read_file_with_any_encoding
# Module logger. The attached filter presumably strips resource/template code from
# emitted records (templates may contain secrets) — verify in
# checkov.common.resource_code_logger_filter before relying on it.
LOGGER = logging.getLogger(__name__)
add_resource_code_filter_to_logger(LOGGER)
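def parse(filename: str) -> tuple[dict[str, Any], list[tuple[int, str]]] | tuple[None, None]:
    """Decode filename into an object.

    Args:
        filename: path of the ARM template to read.

    Returns:
        ``(template, template_lines)`` on success — the top-level mapping and the
        1-indexed source lines as produced by ``load`` — or ``(None, None)`` when
        the file cannot be read or parsed. Problems are logged, never raised,
        and every message names the file so failures can be traced.
    """
    template = None
    template_lines = None
    try:
        template, template_lines = load(filename)
    except IOError as e:
        if e.errno == 2:  # ENOENT
            LOGGER.error(f"Template file not found: {filename}")
        elif e.errno == 21:  # EISDIR
            LOGGER.error(f"Template references a directory, not a file: {filename}")
        elif e.errno == 13:  # EACCES
            LOGGER.error(f"Permission denied when accessing template file: {filename}")
        else:
            # any other OS-level failure used to be swallowed silently
            LOGGER.error(f"Cannot access template file {filename}: {e}")
    except UnicodeDecodeError:
        LOGGER.error(f"Cannot read file contents: {filename}")
    except ScannerError as err:
        # The YAML scanner rejects some constructs that are valid JSON (tabs, JSON-only
        # escapes); retry those files with the plain JSON parser.
        if err.problem in ("found character '\\t' that cannot start any token", "found unknown escape character"):
            try:
                result = json_parse(filename, allow_nulls=False)
                if result:
                    template, template_lines = result  # type:ignore[assignment]  # this is handled by the next line
                    if isinstance(template, list):
                        # should not happen and is more relevant for type safety
                        template = template[0]
            except Exception:
                LOGGER.error(f"Template {filename} is malformed: {err.problem}")
                LOGGER.error(f"Tried to parse {filename} as JSON", exc_info=True)
    except YAMLError:
        LOGGER.info(f"Failed to parse {filename}")
        LOGGER.debug("With Exception", exc_info=True)

    if template is None or template_lines is None:
        return None, None

    return template, template_lines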
def load(filename: Path | str) -> tuple[dict[str, Any], list[tuple[int, str]]]:
    """
    Load the given JSON/YAML file

    Files whose text does not contain both the ``$schema`` and ``contentVersion``
    markers are not treated as ARM templates and yield ``({}, [])`` without being
    parsed. Otherwise the content is parsed with the project YAML loader
    (NOTE(review): assumed to be a safe, non-code-executing loader — confirm in
    checkov.common.parsers.yaml) and returned together with the 1-indexed lines.

    Raises:
        Whatever the file read or the YAML loader raises; ``parse`` handles those.
    """
    content = read_file_with_any_encoding(file_path=filename)

    required_markers = ("$schema", "contentVersion")
    if any(marker not in content for marker in required_markers):
        return {}, []

    # (line_number, line_text) pairs, numbered from 1, line endings preserved
    file_lines = list(enumerate(content.splitlines(keepends=True), start=1))

    template: "dict[str, Any] | list[dict[str, Any]]" = loader.loads(content=content)
    if not template:
        template = {}
    elif isinstance(template, list):
        # only the first document is used
        template = template[0]

    return template, file_lines
================================================
FILE: checkov/arm/registry.py
================================================
from checkov.arm.base_registry import Registry
# Two separate check registries: one for ARM resources, one for template parameters.
# Checks register themselves into one of these at import time.
arm_resource_registry = Registry()
arm_parameter_registry = Registry()
================================================
FILE: checkov/arm/runner.py
================================================
from __future__ import annotations
import logging
import os
from collections.abc import Iterable
from pathlib import Path
from typing import TYPE_CHECKING, Any, cast
from typing_extensions import TypeAlias # noqa[TC002]
from checkov.arm.graph_builder.definition_context import build_definitions_context
from checkov.arm.graph_builder.graph_to_definitions import convert_graph_vertices_to_definitions
from checkov.arm.graph_builder.local_graph import ArmLocalGraph
from checkov.arm.graph_manager import ArmGraphManager
from checkov.arm.registry import arm_resource_registry, arm_parameter_registry
from checkov.arm.utils import get_scannable_file_paths, get_files_definitions, ARM_POSSIBLE_ENDINGS, ArmElements, \
clean_file_path, filter_failed_checks_with_unrendered_resources
from checkov.common.checks_infra.registry import get_graph_checks_registry
from checkov.common.graph.graph_builder import CustomAttributes
from checkov.common.graph.graph_builder.consts import GraphSource
from checkov.common.output.extra_resource import ExtraResource
from checkov.common.output.graph_record import GraphRecord
from checkov.common.output.record import Record
from checkov.common.output.report import Report
from checkov.common.bridgecrew.check_type import CheckType
from checkov.common.runners.base_runner import BaseRunner
from checkov.common.util.consts import START_LINE, END_LINE
from checkov.common.util.secrets import omit_secret_value_from_checks
from checkov.runner_filter import RunnerFilter
from checkov.arm.context_parser import ContextParser
if TYPE_CHECKING:
from checkov.common.checks.base_check import BaseCheck
from checkov.common.graph.checks_infra.base_check import BaseGraphCheck
from checkov.common.graph.checks_infra.registry import BaseRegistry
from checkov.common.typing import LibraryGraphConnector, _CheckResult
# Both are keyed by file path; the context holds per-file line/comment information,
# the definitions hold the parsed template mapping.
_ArmContext: TypeAlias = "dict[str, dict[str, Any]]"
_ArmDefinitions: TypeAlias = "dict[str, dict[str, Any]]"
class Runner(BaseRunner[_ArmDefinitions, _ArmContext, ArmGraphManager]):
    """Checkov runner for Azure Resource Manager (ARM) templates.

    Parses the ``.json`` templates found under the root folder (or the given
    files), optionally builds a graph for graph-based checks, and runs the
    Python resource/parameter checks and the graph checks into one ``Report``.
    """

    check_type = CheckType.ARM  # noqa: CCE003  # a static attribute

    def __init__(
        self,
        db_connector: LibraryGraphConnector | None = None,
        source: str = GraphSource.ARM,
        graph_class: type[ArmLocalGraph] = ArmLocalGraph,
        graph_manager: ArmGraphManager | None = None,
        external_registries: list[BaseRegistry] | None = None,
    ) -> None:
        super().__init__(file_extensions=ARM_POSSIBLE_ENDINGS)
        # fall back to the connector the base class provides
        db_connector = db_connector or self.db_connector
        self.external_registries = external_registries if external_registries else []
        self.graph_class = graph_class
        self.graph_manager: "ArmGraphManager" = (
            graph_manager if graph_manager else ArmGraphManager(source=source, db_connector=db_connector)
        )
        self.graph_registry = get_graph_checks_registry(self.check_type)

        # need to check, how to support subclass differences
        self.definitions: _ArmDefinitions = {}
        self.definitions_raw: "dict[str, list[tuple[int, str]]]" = {}
        self.context: _ArmContext | None = None
        self.root_folder: "str | None" = None

    def run(
        self,
        root_folder: str | None = None,
        external_checks_dir: list[str] | None = None,
        files: list[str] | None = None,
        runner_filter: RunnerFilter | None = None,
        collect_skip_comments: bool = True,
    ) -> Report | list[Report]:
        """Scan ARM templates and return the resulting report.

        Args:
            root_folder: directory to walk for templates; when set it takes
                precedence over ``files`` (see the file-list selection below).
            external_checks_dir: directories of additional checks to load into
                the resource registry and, if present, the graph registry.
            files: explicit template paths, used only when ``root_folder`` is falsy.
            runner_filter: check selection / path exclusion settings.
            collect_skip_comments: accepted for interface compatibility; not used here.

        Returns:
            A single ``Report`` for ``CheckType.ARM``.
        """
        runner_filter = runner_filter or RunnerFilter()
        if not runner_filter.show_progress_bar:
            self.pbar.turn_off_progress_bar()

        report = Report(self.check_type)
        self.root_folder = root_folder

        # Definitions and context may already have been injected (e.g. by a caller
        # that parsed the files itself); only parse when they are missing.
        if not self.context or not self.definitions:
            files_list: "Iterable[str]" = []
            if external_checks_dir:
                for directory in external_checks_dir:
                    arm_resource_registry.load_external_checks(directory)

                    if self.graph_registry:
                        self.graph_registry.load_external_checks(directory)

            if files:
                files_list = files.copy()

            # NOTE: a root folder replaces (does not extend) an explicit file list
            if self.root_folder:
                files_list = get_scannable_file_paths(root_folder=root_folder,
                                                     excluded_paths=runner_filter.excluded_paths)

            self.definitions, self.definitions_raw, parsing_errors = get_files_definitions(files_list)
            self.context = build_definitions_context(definitions=self.definitions, definitions_raw=self.definitions_raw)
            report.add_parsing_errors(parsing_errors)

            if self.graph_registry and self.graph_manager:
                logging.info("Creating ARM graph")
                local_graph = self.graph_manager.build_graph_from_definitions(definitions=self.definitions)
                logging.info("Successfully created ARM graph")

                self.graph_manager.save_graph(local_graph)
                # definitions are rebuilt from the graph vertices so that both the
                # Python checks and the graph checks see the same resources
                self.definitions, self.breadcrumbs = convert_graph_vertices_to_definitions(
                    vertices=local_graph.vertices,
                    root_folder=root_folder,
                )

        self.pbar.initiate(len(self.definitions))

        # run Python checks
        self.add_python_check_results(report=report, runner_filter=runner_filter, root_folder=root_folder)

        # run graph checks
        if self.graph_registry:
            self.add_graph_check_results(report=report, runner_filter=runner_filter)

        # Filter failed checks on resources with unrendered string functions
        # Remove if we ever implement full variable rendering for arm
        report = filter_failed_checks_with_unrendered_resources(report)

        return report

    def set_definitions_raw(self, definitions_raw: dict[str, list[tuple[int, str]]]) -> None:
        """Replace the raw (line-numbered) file contents used to build code blocks."""
        self.definitions_raw = definitions_raw

    def add_python_check_results(self, report: Report, runner_filter: RunnerFilter, root_folder: str | None) -> None:
        """Adds Python check results to given report

        For every parsed file this flattens nested resources into the top-level
        ``resources`` list (tagging them with ``parent_name``/``parent_type``),
        runs the resource registry against each resource and the parameter
        registry against each parameter, and records the results.
        """
        for arm_file in self.definitions.keys():
            self.pbar.set_additional_data({"Current File Scanned": os.path.relpath(arm_file, root_folder)})

            file_abs_path = Path(arm_file).absolute()

            if isinstance(self.definitions[arm_file], dict):
                arm_context_parser = ContextParser(arm_file, self.definitions[arm_file], self.definitions_raw[arm_file])
                # full template dump at debug level — relies on the logger filter to keep
                # template contents (possibly secrets) out of production logs
                logging.debug(f"Template Dump for {arm_file}: {self.definitions[arm_file]}")

                if ArmElements.RESOURCES in self.definitions[arm_file]:
                    arm_context_parser.evaluate_default_parameters()

                    # Split out nested resources from base resource
                    # The list is appended to while being iterated; appended entries
                    # carry "parent_name" and are skipped by the first check below.
                    for resource in self.definitions[arm_file][ArmElements.RESOURCES]:
                        if isinstance(resource, dict) and "parent_name" in resource.keys():
                            continue
                        nested_resources = arm_context_parser.search_deep_keys(ArmElements.RESOURCES, resource, [])
                        if nested_resources:
                            for nr in nested_resources:
                                nr_element = nr.pop()
                                if nr_element:
                                    for element in nr_element:
                                        new_resource = element
                                        if isinstance(new_resource, dict):
                                            new_resource["parent_name"] = resource.get("name", "")
                                            new_resource["parent_type"] = resource.get("type", "")
                                            self.definitions[arm_file][ArmElements.RESOURCES].append(new_resource)

                    for resource in self.definitions[arm_file][ArmElements.RESOURCES]:
                        resource_id = arm_context_parser.extract_arm_resource_id(resource)
                        resource_name = arm_context_parser.extract_arm_resource_name(resource)
                        if resource_id is None or resource_name is None:
                            logging.debug(f"Could not determine 'resource_id' of Resource {resource}")
                            continue
                        cleaned_path = clean_file_path(Path(arm_file))
                        report.add_resource(f"{cleaned_path}:{resource_id}")
                        entity_lines_range, entity_code_lines = arm_context_parser.extract_arm_resource_code_lines(
                            resource
                        )
                        if entity_lines_range and entity_code_lines:
                            # TODO - Variable Eval Message!
                            variable_evaluations: "dict[str, Any]" = {}
                            skipped_checks = ContextParser.collect_skip_comments(resource)
                            results = arm_resource_registry.scan(
                                arm_file,
                                {resource_name: resource},
                                skipped_checks,
                                runner_filter,
                                report_type=CheckType.ARM,
                            )
                            if results:
                                for check, check_result in results.items():
                                    # NOTE(review): resource records carry the raw code lines; unlike the
                                    # parameter branch below they are not passed through
                                    # omit_secret_value_from_checks — confirm this is intended.
                                    record = Record(
                                        check_id=check.id,
                                        bc_check_id=check.bc_id,
                                        check_name=check.name,
                                        check_result=check_result,
                                        code_block=entity_code_lines,
                                        file_path=self.extract_file_path_from_abs_path(cleaned_path),
                                        file_line_range=entity_lines_range,
                                        resource=resource_id,
                                        evaluations=variable_evaluations,
                                        check_class=check.__class__.__module__,
                                        file_abs_path=str(file_abs_path),
                                        severity=check.severity,
                                    )
                                    record.set_guideline(check.guideline)
                                    report.add_record(record=record)
                            else:
                                # resources without checks, but not existing ones
                                report.extra_resources.add(
                                    ExtraResource(
                                        file_abs_path=str(file_abs_path),
                                        file_path=self.extract_file_path_from_abs_path(cleaned_path),
                                        resource=resource_id,
                                    )
                                )

                if ArmElements.PARAMETERS in self.definitions[arm_file]:
                    parameters = self.definitions[arm_file][ArmElements.PARAMETERS]
                    for parameter_name, parameter_details in parameters.items():
                        # TODO - Variable Eval Message!
                        variable_evaluations = {}
                        resource_id = f"parameter.{parameter_name}"
                        resource_name = cast(str, parameter_name)
                        entity_lines_range, entity_code_lines = arm_context_parser.extract_arm_resource_code_lines(
                            parameter_details
                        )
                        if entity_lines_range and entity_code_lines:
                            skipped_checks = ContextParser.collect_skip_comments(parameter_details)
                            results = arm_parameter_registry.scan(
                                arm_file, {resource_name: parameter_details}, skipped_checks, runner_filter
                            )
                            for check, check_result in results.items():
                                # parameter values may be secrets; mask them before they land in the report
                                censored_code_lines = omit_secret_value_from_checks(
                                    check=check,
                                    check_result=check_result,
                                    entity_code_lines=entity_code_lines,
                                    entity_config=parameter_details,
                                    resource_attributes_to_omit=runner_filter.resource_attr_to_omit,
                                )
                                cleaned_path = clean_file_path(Path(arm_file))
                                self.build_record(
                                    report=report,
                                    check=check,
                                    check_result=check_result,
                                    code_block=censored_code_lines,
                                    file_path=self.extract_file_path_from_abs_path(cleaned_path),
                                    file_abs_path=str(file_abs_path),
                                    file_line_range=entity_lines_range,
                                    resource_id=resource_id,
                                    evaluations=variable_evaluations,
                                )
            self.pbar.update()
        self.pbar.close()

    def add_graph_check_results(self, report: Report, runner_filter: RunnerFilter) -> None:
        """Adds graph check results to given report

        Each graph check result is mapped back to the raw file lines through
        ``definitions_raw`` and recorded with a ``<resource_type>.<block_name>``
        resource id; entities missing either attribute are skipped.
        """
        graph_checks_results = self.run_graph_checks_results(runner_filter, self.check_type)

        for check, check_results in graph_checks_results.items():
            for check_result in check_results:
                entity = check_result["entity"]
                entity_file_path = entity[CustomAttributes.FILE_PATH]
                file_abs_path = Path(entity_file_path).absolute()
                # vertex line numbers are 1-based; convert to 0-based list indices
                start_line = entity[START_LINE] - 1
                end_line = entity[END_LINE] - 1

                if CustomAttributes.RESOURCE_TYPE not in entity or CustomAttributes.BLOCK_NAME not in entity:
                    logging.debug(f"Could not determine 'resource_id' of Entity {entity_file_path}")
                    continue

                # NOTE(review): file_line_range subtracts 1 again from the already
                # 0-based start_line/end_line, so the reported range is two below the
                # vertex's line numbers — confirm against how Record consumers expect it.
                self.build_record(
                    report=report,
                    check=check,
                    check_result=check_result,
                    code_block=self.definitions_raw[entity_file_path][start_line:end_line],
                    file_path=self.extract_file_path_from_abs_path(clean_file_path(Path(entity_file_path))),
                    file_abs_path=str(file_abs_path),
                    file_line_range=[start_line - 1, end_line - 1],
                    resource_id=f'{entity[CustomAttributes.RESOURCE_TYPE]}.{entity[CustomAttributes.BLOCK_NAME]}',
                )

    def build_record(
        self,
        report: Report,
        check: BaseCheck | BaseGraphCheck,
        check_result: _CheckResult,
        code_block: list[tuple[int, str]],
        file_path: str,
        file_abs_path: str,
        file_line_range: list[int],
        resource_id: str,
        evaluations: dict[str, Any] | None = None,
    ) -> None:
        """Create a ``Record`` for one check result and add it to ``report``.

        When graph breadcrumbs exist for the record's file and resource, the
        record is wrapped in a ``GraphRecord`` so the report can show them.
        """
        record = Record(
            check_id=check.id,
            bc_check_id=check.bc_id,
            check_name=check.name,
            check_result=check_result,
            code_block=code_block,
            file_path=file_path,
            file_line_range=file_line_range,
            resource=resource_id,
            evaluations=evaluations,
            check_class=check.__class__.__module__,
            file_abs_path=file_abs_path,
            severity=check.severity,
        )
        if self.breadcrumbs:
            breadcrumb = self.breadcrumbs.get(record.file_path, {}).get(record.resource)
            if breadcrumb:
                record = GraphRecord(record, breadcrumb)
        record.set_guideline(check.guideline)
        report.add_record(record=record)

    def extract_file_path_from_abs_path(self, path: Path) -> str:
        """Return ``path`` relative to ``self.root_folder`` with a leading path separator.

        With ``root_folder`` unset, ``os.path.relpath`` resolves against the
        current working directory.
        """
        return f"{os.path.sep}{os.path.relpath(path, self.root_folder)}"
================================================
FILE: checkov/arm/utils.py
================================================
from __future__ import annotations
import logging
import os
from enum import Enum
from typing import Iterable, Callable, Any
from collections.abc import Collection
from pathlib import Path
from checkov.arm.parser.parser import parse
from checkov.common.output.report import Report
from checkov.common.runners.base_runner import filter_ignored_paths
from checkov.common.util.data_structures_utils import pickle_deepcopy
from checkov.runner_filter import RunnerFilter
# Only files with these extensions are collected by get_scannable_file_paths.
ARM_POSSIBLE_ENDINGS = [".json"]
class ArmElements(str, Enum):
    """Top-level section names of an ARM template, usable directly as dict keys."""

    OUTPUTS = "outputs"
    PARAMETERS = "parameters"
    RESOURCES = "resources"
    VARIABLES = "variables"

    def __str__(self) -> str:
        # needed, because of a Python 3.11 change
        return self.value
def get_scannable_file_paths(root_folder: str | None = None, excluded_paths: list[str] | None = None) -> set[str]:
    """Finds ARM files

    Walks ``root_folder`` recursively, pruning directories and files that match
    ``excluded_paths`` (via ``filter_ignored_paths``), and collects every file
    whose extension is in ``ARM_POSSIBLE_ENDINGS``.

    Returns:
        Absolute-or-relative joined paths (as given by ``os.walk``); empty when
        ``root_folder`` is falsy.
    """
    found: "set[str]" = set()
    if not root_folder:
        return found

    for current_dir, dir_names, file_names in os.walk(root_folder):
        # both calls prune their list in place, which also stops os.walk descending
        filter_ignored_paths(current_dir, dir_names, excluded_paths)
        filter_ignored_paths(current_dir, file_names, excluded_paths)

        found.update(
            os.path.join(current_dir, name)
            for name in file_names
            if os.path.splitext(name)[1] in ARM_POSSIBLE_ENDINGS
        )

    return found
def create_definitions(
    root_folder: str,
    files: Collection[Path] | None = None,
    runner_filter: RunnerFilter | None = None,
) -> tuple[dict[str, dict[str, Any]], dict[str, list[tuple[int, str]]]]:
    """Parse every ARM file under ``root_folder`` into definitions and raw lines.

    ``files`` is accepted for interface compatibility but not consulted; only
    ``root_folder`` (filtered by ``runner_filter.excluded_paths``) is scanned.
    Parsing errors are logged at warning level rather than returned.

    Returns:
        ``(definitions, definitions_raw)`` keyed by file path; both empty when
        ``root_folder`` is falsy.
    """
    runner_filter = runner_filter or RunnerFilter()
    if not root_folder:
        return {}, {}

    scannable_files = get_scannable_file_paths(root_folder, runner_filter.excluded_paths)
    definitions, definitions_raw, parsing_errors = get_files_definitions(files=scannable_files)
    if parsing_errors:
        logging.warning(f"[arm] found errors while parsing definitions: {parsing_errors}")

    return definitions, definitions_raw
def get_files_definitions(
    files: Iterable[str],
    filepath_fn: Callable[[str], str] | None = None,
) -> tuple[dict[str, dict[str, Any]], dict[str, list[tuple[int, str]]], list[str]]:
    """Parses ARM files into its definitions and raw data

    Args:
        files: template paths to parse.
        filepath_fn: optional mapping applied to each path before it is used as
            the dictionary key.

    Returns:
        ``(definitions, definitions_raw, parsing_errors)``: parsed templates and
        their line-numbered text keyed by (mapped) path, plus the normalised
        paths of files ``parse`` could not handle.
    """
    definitions = {}
    definitions_raw = {}
    parsing_errors = []

    for file in files:
        definition, definition_raw = parse(file)
        # an empty template ({} / []) is a valid result; only None signals a parsing failure
        if definition is None or definition_raw is None:
            parsing_errors.append(os.path.normpath(file))
            continue

        key = filepath_fn(file) if filepath_fn else file
        definitions[key] = definition
        definitions_raw[key] = definition_raw

    return definitions, definitions_raw, parsing_errors
def extract_resource_name_from_resource_id_func(resource_id: str) -> str:
    '''
    Extract the resource-name argument of an ARM ``resourceId(...)`` expression.

    Examples:
        resourceId('Microsoft.Network/virtualNetworks/', virtualNetworkName) -> virtualNetworkName

    Raises:
        IndexError: when the expression has fewer than two comma-separated arguments.
    '''
    # second comma-separated argument, cut at the first closing parenthesis
    second_argument = resource_id.split(',')[1].partition(')')[0]
    return clean_string(second_argument)


def extract_resource_name_from_reference_func(reference: str) -> str:
    '''
    Extract the referenced resource name from an ARM ``reference(...)`` expression.

    Examples:
        reference('storageAccountName') -> storageAccountName
        reference('myStorage').primaryEndpoints -> myStorage
        reference('myStorage', '2022-09-01', 'Full').location -> myStorage
        reference(resourceId('storageResourceGroup', 'Microsoft.Storage/storageAccounts', 'storageAccountName')), '2022-09-01') -> storageAccountName
        reference(resourceId('Microsoft.Network/publicIPAddresses', 'ipAddressName')) -> ipAddressName

    Raises:
        IndexError: when ``reference(`` does not occur in the expression.
    '''
    # everything after 'reference(' up to (not including) the last closing parenthesis
    after_open = reference.split('reference(', 1)[1]
    arguments = ')'.join(after_open.split(')')[:-1])

    if 'resourceId' in arguments:
        # nested resourceId(...): its last argument is the resource name
        resource_id_arguments = arguments.split('resourceId(', 1)[1].partition(')')[0]
        return clean_string(resource_id_arguments.split(',')[-1])

    # plain reference: first argument, last path segment
    first_argument = arguments.partition(',')[0]
    return clean_string(first_argument.rpartition('/')[2])


def clean_string(input: str) -> str:
    """Remove single quotes and spaces from ``input``."""
    return input.translate({ord("'"): None, ord(" "): None})
def clean_file_path(file_path: Path) -> Path:
    """Drop ``.`` and ``..`` components from ``file_path`` without resolving it.

    Purely lexical: the path is not touched on disk, and ``..`` is removed
    rather than applied to the preceding component.
    """
    kept_parts = tuple(part for part in file_path.parts if part != "." and part != "..")
    return Path(*kept_parts)
def filter_failed_checks_with_unrendered_resources(report: Report) -> Report:
    """Returns a new report with filtered checks instead of modifying the original

    Failed checks whose resource id still contains an unrendered ARM string
    function (``toLower(``, ``trim(``, ``join(``, ``split(``, ``substring(``)
    are dropped, since such results cannot be attributed to a concrete resource.
    Only ``failed_checks`` is filtered; every other report field is copied as-is.
    """
    arm_function_patterns = ['toLower(', 'trim(', 'join(', 'split(', 'substring(']

    def mentions_arm_function(check: Any) -> bool:
        resource_id = str(check.resource)
        return any(pattern in resource_id for pattern in arm_function_patterns)

    filtered_report = pickle_deepcopy(report)
    # the kept entries are the original report's check objects, not the deep copies
    filtered_report.failed_checks = [
        check for check in report.failed_checks if not mentions_arm_function(check)
    ]
    return filtered_report
================================================
FILE: checkov/azure_pipelines/__init__.py
================================================
from checkov.azure_pipelines.checks import * # noqa
================================================
FILE: checkov/azure_pipelines/checks/__init__.py
================================================
from checkov.azure_pipelines.checks.job import * # noqa
================================================
FILE: checkov/azure_pipelines/checks/base_azure_pipelines_check.py
================================================
from __future__ import annotations
from abc import abstractmethod
from collections.abc import Iterable
from typing import TYPE_CHECKING, Any
from checkov.common.checks.base_check import BaseCheck
from checkov.azure_pipelines.checks.registry import registry
if TYPE_CHECKING:
from checkov.common.models.enums import CheckCategories, CheckResult
class BaseAzurePipelinesCheck(BaseCheck):
    """Base class for Azure Pipelines checks.

    Every instance registers itself in the Azure Pipelines check ``registry``
    on construction, so importing a check module is enough to activate it.
    """

    def __init__(
        self,
        name: str,
        id: str,
        categories: Iterable[CheckCategories],
        supported_entities: Iterable[str],
        block_type: str,
        path: str | None = None,
    ) -> None:
        super().__init__(
            name=name,
            id=id,
            categories=categories,
            supported_entities=supported_entities,
            block_type=block_type,
        )
        # optional document path the check applies to; stored only, not used in this class
        self.path = path
        registry.register(self)

    def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> tuple[CheckResult, dict[str, Any]]:
        """Record the entity type being scanned, then delegate to ``scan_conf``."""
        self.entity_type = entity_type
        return self.scan_conf(conf)

    @abstractmethod
    def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:
        """Evaluate ``conf`` and return the result together with the evaluated config."""
        pass
================================================
FILE: checkov/azure_pipelines/checks/job/ContainerDigest.py
================================================
from __future__ import annotations
from typing import Any
from checkov.azure_pipelines.checks.base_azure_pipelines_check import BaseAzurePipelinesCheck
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.yaml_doc.enums import BlockType
class ContainerDigest(BaseAzurePipelinesCheck):
    """CKV_AZUREPIPELINES_2: a container job's image should be pinned by digest.

    The check looks for an ``@`` in the ``container`` string (digest references
    have the form ``image@<algorithm>:<hex>``). Only the string form of
    ``container`` is inspected; a mapping-form container yields UNKNOWN.
    """

    def __init__(self) -> None:
        name = "Ensure container job uses a version digest"
        id = "CKV_AZUREPIPELINES_2"
        super().__init__(
            name=name,
            id=id,
            categories=(CheckCategories.SUPPLY_CHAIN,),
            supported_entities=("jobs", "stages[].jobs[]"),
            block_type=BlockType.ARRAY,
        )

    def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:
        image = conf.get("container")
        if not image or not isinstance(image, str):
            # missing or non-string container: nothing to evaluate
            return CheckResult.UNKNOWN, conf

        result = CheckResult.PASSED if "@" in image else CheckResult.FAILED
        return result, conf


check = ContainerDigest()
================================================
FILE: checkov/azure_pipelines/checks/job/ContainerLatestTag.py
================================================
from __future__ import annotations
from typing import Any
from checkov.azure_pipelines.checks.base_azure_pipelines_check import BaseAzurePipelinesCheck
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.yaml_doc.enums import BlockType
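class ContainerLatestTag(BaseAzurePipelinesCheck):
    """CKV_AZUREPIPELINES_1: a container job's image must not use ``latest`` or no tag.

    ``container`` may be a plain image string or a mapping with an ``image``
    key. An image pinned by digest (``@``) always passes. Otherwise the tag is
    the text after the *last* colon; if there is no colon, or the text after it
    contains ``/`` (the colon belonged to a registry port such as
    ``registry:5000/image``), the image is untagged and fails, as does an
    explicit ``latest`` tag.
    """

    def __init__(self) -> None:
        name = "Ensure container job uses a non latest version tag"
        id = "CKV_AZUREPIPELINES_1"
        super().__init__(
            name=name,
            id=id,
            categories=(CheckCategories.SUPPLY_CHAIN,),
            supported_entities=("jobs", "stages[].jobs[]"),
            block_type=BlockType.ARRAY,
        )

    def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:
        container = conf.get("container")
        if container and isinstance(container, dict):
            container = container.get('image')

        if container and isinstance(container, str):
            if "@" in container:
                # digest reference: immutable regardless of any tag in front of it
                return CheckResult.PASSED, conf

            # split on the last colon so a registry port is not mistaken for a tag
            _, separator, tag = container.rpartition(":")
            if not separator or "/" in tag:
                # no image tag (the only colon, if any, belongs to the registry host:port)
                return CheckResult.FAILED, conf
            if tag == "latest":
                # latest image tag
                return CheckResult.FAILED, conf

            # image tag is neither missing nor latest
            return CheckResult.PASSED, conf

        return CheckResult.UNKNOWN, conf


check = ContainerLatestTag()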
================================================
FILE: checkov/azure_pipelines/checks/job/DetectImagesUsage.py
================================================
from __future__ import annotations
from typing import Any
from checkov.azure_pipelines.checks.base_azure_pipelines_check import BaseAzurePipelinesCheck
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.yaml_doc.enums import BlockType
class DetectImageUsage(BaseAzurePipelinesCheck):
    """CKV_AZUREPIPELINES_5: inventory check that records every container image usage.

    It never fails: any matching entity (job, stage job, or ``container`` entry)
    is reported as PASSED so that image usages show up in the results.
    """

    def __init__(self) -> None:
        name = "Detecting image usages in azure pipelines workflows"
        id = "CKV_AZUREPIPELINES_5"
        super().__init__(
            name=name,
            id=id,
            categories=(CheckCategories.SUPPLY_CHAIN,),
            supported_entities=("jobs[]", "stages[].jobs[]", "*.container[]"),
            block_type=BlockType.ARRAY,
        )

    def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:
        # detection only — no condition is evaluated
        return CheckResult.PASSED, conf


check = DetectImageUsage()
================================================
FILE: checkov/azure_pipelines/checks/job/SetSecretVariable.py
================================================
from __future__ import annotations
from typing import Any
from checkov.azure_pipelines.checks.base_azure_pipelines_check import BaseAzurePipelinesCheck
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.yaml_doc.enums import BlockType
class SetSecretVariable(BaseAzurePipelinesCheck):
    """CKV_AZUREPIPELINES_3: ``task.setvariable`` steps must not mark variables as secret.

    Inspects the script text of ``bash`` / ``powershell`` steps line by line.
    A line containing both ``task.setvariable`` and ``issecret=true`` fails the
    check; if ``task.setvariable`` occurs without ``issecret=true`` the step
    passes; steps without any set-variable command (or with a non-string
    script) are UNKNOWN. Matching is exact and case-sensitive.
    """

    def __init__(self) -> None:
        name = "Ensure set variable is not marked as a secret"
        id = "CKV_AZUREPIPELINES_3"
        super().__init__(
            name=name,
            id=id,
            categories=(CheckCategories.SUPPLY_CHAIN,),
            supported_entities=("jobs[].steps[]", "stages[].jobs[].steps[]"),
            block_type=BlockType.ARRAY,
        )

    def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:
        script = conf.get("bash") or conf.get("powershell")
        if not script or not isinstance(script, str):
            return CheckResult.UNKNOWN, conf

        set_variable_lines = [line for line in script.splitlines() if "task.setvariable" in line]
        if any("issecret=true" in line for line in set_variable_lines):
            return CheckResult.FAILED, conf
        if set_variable_lines:
            # should only pass, if it really found a set variable, otherwise unknown
            return CheckResult.PASSED, conf

        return CheckResult.UNKNOWN, conf


check = SetSecretVariable()
================================================
FILE: checkov/azure_pipelines/checks/job/__init__.py
================================================
from pathlib import Path
# Export every sibling module so `from ... import *` loads (and thereby registers) all checks.
modules = Path(__file__).parent.glob("*.py")
__all__ = [f.stem for f in modules if f.is_file() and not f.stem == "__init__"]
================================================
FILE: checkov/azure_pipelines/checks/registry.py
================================================
from checkov.common.bridgecrew.check_type import CheckType
from checkov.yaml_doc.base_registry import Registry
# Single registry shared by all Azure Pipelines checks.
registry = Registry(CheckType.AZURE_PIPELINES)
================================================
FILE: checkov/azure_pipelines/common/__init__.py
================================================
================================================
FILE: checkov/azure_pipelines/common/resource_id_utils.py
================================================
from __future__ import annotations
from typing import Any, Dict, List
from checkov.common.util.consts import START_LINE, END_LINE
def _get_resource_from_code_block(start_line: int, end_line: int, block_to_inspect: dict[str, Any], inspected_key: str | None) -> str | None:
    """Resolve the resource key for ``[start_line, end_line]`` inside one block.

    Returns None when the range is not contained in the block's own line span.
    Otherwise the key is decorated with the block's display name (first present
    of ``displayName``, ``name``, ``job``, ``stage``; falsy values are ignored),
    returned directly when the block starts exactly at ``start_line``, and
    otherwise searched for recursively in the block's children.
    """
    if not (block_to_inspect[START_LINE] <= start_line <= end_line <= block_to_inspect[END_LINE]):
        return None

    block_name: Any = False
    for name_key in ('displayName', 'name', 'job', 'stage'):
        if name_key in block_to_inspect:
            block_name = block_to_inspect[name_key]
            break

    if block_name:
        inspected_key = f'{inspected_key}({block_name})'

    if block_to_inspect[START_LINE] == start_line:
        return inspected_key

    return generate_resource_key_recursive(start_line, end_line, block_to_inspect, resource_key=inspected_key)
def generate_resource_key_recursive(start_line: int, end_line: int,
                                    file_conf: Dict[str, Any] | List[Dict[str, Any]], resource_key: str | None = None
                                    ) -> str | None:
    """Build a dotted/indexed resource key for the block covering the given lines.

    Walks ``file_conf`` depth-first in mapping order; mapping children extend
    the key with ``.<name>``, list children with ``.<name>[<index>]``. The first
    child whose line span contains the range wins. A non-mapping ``file_conf``,
    or no matching child, yields ``resource_key`` unchanged.
    """
    if not isinstance(file_conf, dict):
        return resource_key

    for code_block_name, code_block in file_conf.items():
        # (child block, key to inspect it under) pairs, in the order they are checked
        candidates: list[tuple[dict[str, Any], Any]] = []
        if isinstance(code_block, dict):
            new_key = f'{resource_key}.{code_block_name}' if resource_key else code_block_name
            candidates.append((code_block, new_key))
        elif isinstance(code_block, list):
            for index, item in enumerate(code_block):
                if isinstance(item, dict):
                    indexed_key = f'{resource_key}.{code_block_name}[{index}]' if resource_key else f'{code_block_name}[{index}]'
                    candidates.append((item, indexed_key))

        for child_block, child_key in candidates:
            resource = _get_resource_from_code_block(start_line, end_line, child_block, child_key)
            if resource:
                return resource

    return resource_key
================================================
FILE: checkov/azure_pipelines/runner.py
================================================
from __future__ import annotations
from typing import TYPE_CHECKING, Any, Optional
from checkov.azure_pipelines.checks.registry import registry
from checkov.azure_pipelines.common.resource_id_utils import generate_resource_key_recursive
from checkov.common.output.report import CheckType, Report
from checkov.runner_filter import RunnerFilter
from checkov.yaml_doc.runner import Runner as YamlRunner
if TYPE_CHECKING:
from checkov.common.checks.base_check_registry import BaseCheckRegistry
from collections.abc import Iterable
class Runner(YamlRunner):
    """Checkov runner for Azure Pipelines YAML files.

    A ``YamlRunner`` restricted to files named ``azure-pipelines.yml`` /
    ``azure-pipelines.yaml``, using the Azure Pipelines check registry.
    """

    check_type = CheckType.AZURE_PIPELINES  # noqa: CCE003  # a static attribute

    def require_external_checks(self) -> bool:
        return False

    def import_registry(self) -> BaseCheckRegistry:
        return registry

    @staticmethod
    def _parse_file(
        f: str, file_content: str | None = None
    ) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None:
        """Parse ``f`` with the YAML runner, or return None for non-pipeline files.

        ``file_content`` is accepted for signature compatibility but not
        forwarded; the base parser re-reads the file from ``f``.
        """
        if Runner.is_workflow_file(f):
            return YamlRunner._parse_file(f=f)

        return None

    @staticmethod
    def is_workflow_file(file_path: str) -> bool:
        # matched on the file name suffix only, so nested paths qualify too
        return file_path.endswith(('azure-pipelines.yml', 'azure-pipelines.yaml'))

    def get_resource(self, file_path: str, key: str, supported_entities: Iterable[str],
                     start_line: int = -1, end_line: int = -1, graph_resource: bool = False) -> str:
        """Return a human-readable resource key for the block at the given lines.

        Falls back to ``key`` when no definitions are loaded or no block matches.
        ``self.definitions[file_path]`` is indexed directly — presumably every
        scanned file has an entry; verify against the base runner if not.
        """
        if not self.definitions or not isinstance(self.definitions, dict):
            return key
        resource_name: Optional[str] = generate_resource_key_recursive(start_line, end_line, self.definitions[file_path])
        return resource_name if resource_name else key

    def run(
        self,
        root_folder: str | None = None,
        external_checks_dir: list[str] | None = None,
        files: list[str] | None = None,
        runner_filter: RunnerFilter | None = None,
        collect_skip_comments: bool = True,
    ) -> Report | list[Report]:
        """Delegate to ``YamlRunner.run`` with a default ``RunnerFilter`` when none is given."""
        runner_filter = runner_filter or RunnerFilter()
        report = super().run(root_folder=root_folder, external_checks_dir=external_checks_dir,
                             files=files, runner_filter=runner_filter, collect_skip_comments=collect_skip_comments)
        return report
================================================
FILE: checkov/bicep/__init__.py
================================================
from checkov.bicep.checks import * # noqa
================================================
FILE: checkov/bicep/checks/__init__.py
================================================
================================================
FILE: checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml
================================================
# CKV_AZURE_23 — passes when a SQL server (or database) has an auditingSettings
# child resource whose properties.state is "Enabled". Servers and databases are
# evaluated by separate branches of the `or`, each requiring both the connection
# to the auditing settings resource and the Enabled state.
metadata:
  id: "CKV_AZURE_23"
  name: "Ensure that 'Auditing' is set to 'On' for SQL servers"
  category: "LOGGING"
definition:
  and:
    # scope: servers and databases only
    - cond_type: filter
      attribute: resource_type
      operator: within
      value:
        - Microsoft.Sql/servers
        - Microsoft.Sql/servers/databases
    - or:
        # server-level auditing
        - and:
            - cond_type: connection
              resource_types:
                - Microsoft.Sql/servers
              connected_resource_types:
                - Microsoft.Sql/servers/auditingSettings
              operator: exists
            - cond_type: attribute
              resource_types:
                - Microsoft.Sql/servers/auditingSettings
              attribute: properties.state
              operator: equals
              value: Enabled
        # database-level auditing
        - and:
            - cond_type: connection
              resource_types:
                - Microsoft.Sql/servers/databases
              connected_resource_types:
                - Microsoft.Sql/servers/databases/auditingSettings
              operator: exists
            - cond_type: attribute
              resource_types:
                - Microsoft.Sql/servers/databases/auditingSettings
              attribute: properties.state
              operator: equals
              value: Enabled
================================================
FILE: checkov/bicep/checks/graph_checks/SQLServerAuditingRetention90Days.yaml
================================================
# CKV_AZURE_24 — a SQL server must have a connected auditingSettings resource
# with properties.state "Enabled" and properties.retentionDays present and >= 90.
# Note: the operator is greater_than_or_equal, so exactly 90 days passes even
# though the check name says "greater than 90 days". Only servers are in scope
# here (no database-level branch).
metadata:
  id: "CKV_AZURE_24"
  name: "Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers"
  category: "LOGGING"
definition:
  and:
    - cond_type: "filter"
      attribute: "resource_type"
      value:
        - "Microsoft.Sql/servers"
      operator: "within"
    - cond_type: "connection"
      resource_types:
        - "Microsoft.Sql/servers"
      connected_resource_types:
        - "Microsoft.Sql/servers/auditingSettings"
      operator: "exists"
    # retentionDays must be set explicitly; a missing value does not pass
    - cond_type: "attribute"
      resource_types:
        - "Microsoft.Sql/servers/auditingSettings"
      attribute: "properties.retentionDays"
      operator: "exists"
    - cond_type: "attribute"
      resource_types:
        - "Microsoft.Sql/servers/auditingSettings"
      attribute: "properties.retentionDays"
      operator: "greater_than_or_equal"
      value: 90  # integer on purpose — numeric comparison
    - cond_type: "attribute"
      resource_types:
        - "Microsoft.Sql/servers/auditingSettings"
      attribute: "properties.state"
      operator: "equals"
      value: Enabled
================================================
FILE: checkov/bicep/checks/graph_checks/SQLServerThreatDetectionTypes.yaml
================================================
# CKV_AZURE_25 — a SQL server (or database) must have a connected
# securityAlertPolicies resource whose properties.state is "Enabled" and whose
# properties.disabledAlerts is either empty or absent, i.e. no threat type is
# opted out. Server and database resources are handled by parallel branches.
metadata:
  id: "CKV_AZURE_25"
  name: "Azure SQL Server threat detection alerts are enabled for all threat types"
  category: "LOGGING"
definition:
  and:
    # scope: servers and databases only
    - cond_type: filter
      attribute: resource_type
      operator: within
      value:
        - Microsoft.Sql/servers
        - Microsoft.Sql/servers/databases
    - or:
        # server-level alert policy
        - and:
            - cond_type: connection
              resource_types:
                - Microsoft.Sql/servers
              connected_resource_types:
                - Microsoft.Sql/servers/securityAlertPolicies
              operator: exists
            - cond_type: attribute
              resource_types:
                - Microsoft.Sql/servers/securityAlertPolicies
              attribute: properties.state
              operator: equals
              value: Enabled
            # no alert types may be disabled
            - or:
                - cond_type: attribute
                  resource_types:
                    - Microsoft.Sql/servers/securityAlertPolicies
                  attribute: properties.disabledAlerts
                  operator: is_empty
                - cond_type: attribute
                  resource_types:
                    - Microsoft.Sql/servers/securityAlertPolicies
                  attribute: properties.disabledAlerts
                  operator: not_exists
        # database-level alert policy
        - and:
            - cond_type: connection
              resource_types:
                - Microsoft.Sql/servers/databases
              connected_resource_types:
                - Microsoft.Sql/servers/databases/securityAlertPolicies
              operator: exists
            - cond_type: attribute
              resource_types:
                - Microsoft.Sql/servers/databases/securityAlertPolicies
              attribute: properties.state
              operator: equals
              value: Enabled
            # no alert types may be disabled
            - or:
                - cond_type: attribute
                  resource_types:
                    - Microsoft.Sql/servers/databases/securityAlertPolicies
                  attribute: properties.disabledAlerts
                  operator: is_empty
                - cond_type: attribute
                  resource_types:
                    - Microsoft.Sql/servers/databases/securityAlertPolicies
                  attribute: properties.disabledAlerts
                  operator: not_exists
================================================
FILE: checkov/bicep/checks/graph_checks/__init__.py
================================================
================================================
FILE: checkov/bicep/checks/param/__init__.py
================================================
from checkov.bicep.checks.param.azure import * # noqa
================================================
FILE: checkov/bicep/checks/param/azure/SecureStringParameterNoHardcodedValue.py
================================================
from checkov.bicep.checks.param.base_param_check import BaseParamCheck, CheckovParameterAttributes
from checkov.common.models.enums import CheckResult, CheckCategories
# https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/test-cases#secure-parameters-cant-have-hardcoded-default
class SecureStringParameterNoHardcodedValue(BaseParamCheck):
    """CKV_AZURE_131: a ``@secure()`` string parameter must not carry a hardcoded default.

    Parameters without the ``secure`` decorator are plain strings and are
    reported as UNKNOWN; a secure parameter passes only when its ``default``
    is missing or empty.
    """

    def __init__(self) -> None:
        super().__init__(
            name="SecureString parameter should not have hardcoded default values",
            id="CKV_AZURE_131",
            categories=(CheckCategories.SECRETS,),
            supported_type=("string",),
        )

    def scan_param_conf(self, conf: CheckovParameterAttributes) -> CheckResult:
        """Return FAILED when a secure parameter has a non-empty default value.

        :param conf: parsed parameter attributes; ``decorators`` is a list of
            dicts carrying a ``type`` key, ``default`` is optional
        :return: UNKNOWN for non-secure parameters, FAILED for a hardcoded
            default (the value is also written to ``conf`` under
            ``CKV_AZURE_131_secret``), PASSED otherwise
        """
        is_secure = any(decorator["type"] == "secure" for decorator in conf["decorators"])
        if not is_secure:
            # without '@secure()' this is an ordinary string parameter, out of scope here
            return CheckResult.UNKNOWN

        default_value = conf.get("default")
        if not default_value:
            # a missing or empty default is the expected state for a secure parameter
            return CheckResult.PASSED

        # the hardcoded value is handed to downstream consumers through this key;
        # presumably for secret reporting/redaction — confirm where it is read
        conf["CKV_AZURE_131_secret"] = str(default_value)
        return CheckResult.FAILED
# module-level instance; BaseParamCheck.__init__ registers it with the param registry
check = SecureStringParameterNoHardcodedValue()
================================================
FILE: checkov/bicep/checks/param/azure/__init__.py
================================================
from pathlib import Path
# export every sibling module so ``from ... import *`` loads all check modules
modules = Path(__file__).parent.glob("*.py")
__all__ = [
    module.stem
    for module in modules
    if module.is_file() and module.stem != "__init__"
]
================================================
FILE: checkov/bicep/checks/param/base_param_check.py
================================================
from __future__ import annotations
from abc import abstractmethod
from collections.abc import Iterable
from typing import TYPE_CHECKING
from pycep.typing import ParameterAttributes
from checkov.bicep.checks.param.registry import registry
from checkov.common.checks.base_check import BaseCheck
from checkov.common.models.enums import CheckCategories, CheckResult
if TYPE_CHECKING:
from typing_extensions import NotRequired
class CheckovParameterAttributes(ParameterAttributes):
    """pycep parameter attributes extended with the keys checkov adds while scanning."""

    # written by CKV_AZURE_131 when a secure parameter carries a hardcoded default
    CKV_AZURE_131_secret: NotRequired[str]  # noqa
class BaseParamCheck(BaseCheck):
    """Base class for checks on Bicep ``param`` blocks.

    Subclasses implement ``scan_param_conf``; the constructor registers the
    instance with the param registry, so importing a subclass module is
    enough to activate the check.
    """

    def __init__(
        self,
        name: str,
        id: str,
        categories: "Iterable[CheckCategories]",
        supported_type: "Iterable[str]",
        guideline: str | None = None,
    ) -> None:
        """
        :param name: human readable check title
        :param id: check ID, e.g. ``CKV_AZURE_131``
        :param categories: check categories
        :param supported_type: parameter types the check applies to (passed on as ``supported_entities``)
        :param guideline: optional guideline forwarded to ``BaseCheck``
        """
        super().__init__(
            name=name,
            id=id,
            categories=categories,
            supported_entities=supported_type,
            block_type="param",
            guideline=guideline,
        )
        self.supported_type = supported_type
        # must stay after BaseCheck.__init__: the registry iterates supported_entities
        registry.register(self)

    def scan_entity_conf(self, conf: CheckovParameterAttributes, entity_type: str) -> CheckResult:  # type:ignore[override]  # it's ok
        """Remember the parameter type and delegate to ``scan_param_conf``.

        :param conf: parsed parameter attributes
        :param entity_type: parameter type, stored on ``self.entity_type``
        """
        self.entity_type = entity_type
        return self.scan_param_conf(conf)

    @abstractmethod
    def scan_param_conf(self, conf: CheckovParameterAttributes) -> CheckResult:
        """Evaluate one parameter; implemented by the concrete check.

        :raises NotImplementedError: when not overridden
        """
        raise NotImplementedError()
================================================
FILE: checkov/bicep/checks/param/base_registry.py
================================================
from __future__ import annotations
from collections import defaultdict
from typing import TYPE_CHECKING
from checkov.common.bridgecrew.check_type import CheckType
from checkov.common.checks.base_check import BaseCheck
from checkov.common.checks.base_check_registry import BaseCheckRegistry
from checkov.runner_filter import RunnerFilter
if TYPE_CHECKING:
from pycep.typing import ParameterAttributes
class Registry(BaseCheckRegistry):
    """Check registry for Bicep ``param`` blocks.

    Tracks the check IDs already registered per entity (parameter type) so a
    check is appended at most once for each of its supported entities.
    """

    def __init__(self) -> None:
        # entity (parameter type) -> IDs of the checks registered for it
        self.entity_to_check_map: dict[str, set[str]] = defaultdict(set)
        super().__init__(report_type=CheckType.BICEP)

    def register(self, check: BaseCheck) -> None:
        """Register ``check`` for each supported entity, skipping IDs seen before.

        :param check: check instance; ``supported_entities`` drives the registration
        """
        if self._BaseCheckRegistry__loading_external_checks:  # type:ignore[attr-defined]  # they exist
            RunnerFilter.notify_external_check(check.id)

        for entity in check.supported_entities:
            target = self.wildcard_checks if self._is_wildcard(entity) else self.checks
            registered_ids = self.entity_to_check_map[entity]
            if check.id in registered_ids:
                continue
            target[entity].append(check)
            registered_ids.add(check.id)

        self._BaseCheckRegistry__all_registered_checks.append(check)  # type:ignore[attr-defined]  # they exist

    def extract_entity_details(self, entity: dict[str, ParameterAttributes]) -> tuple[str, str, ParameterAttributes]:  # type:ignore[override]  # it's ok
        """Split a single-item ``{name: attributes}`` mapping into (type, name, attributes).

        :raises StopIteration: if ``entity`` is empty
        """
        param_name, param_attrs = next(iter(entity.items()))
        return param_attrs["type"], param_name, param_attrs
================================================
FILE: checkov/bicep/checks/param/registry.py
================================================
from checkov.bicep.checks.param.base_registry import Registry
# shared registry instance imported by BaseParamCheck for self-registration
registry = Registry()
================================================
FILE: checkov/bicep/checks/resource/__init__.py
================================================
from checkov.bicep.checks.resource.azure import * # noqa
================================================
FILE: checkov/bicep/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py
================================================
from __future__ import annotations
from typing import Any
from checkov.bicep.checks.resource.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories
class StorageAccountAzureServicesAccessEnabled(BaseResourceCheck):
    """CKV_AZURE_36: a storage account that denies traffic by default must bypass for trusted services.

    The check only fails when ``networkAcls.defaultAction`` is ``Deny`` and
    ``networkAcls.bypass`` is missing or ``"None"``; any other bypass value
    (including unresolved references) is accepted.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure 'Trusted Microsoft Services' is enabled for Storage Account access",
            id="CKV_AZURE_36",
            categories=(CheckCategories.NETWORKING,),
            supported_resources=("Microsoft.Storage/storageAccounts",),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Evaluate ``properties.networkAcls`` of a storage account.

        :param conf: the resource's ``config`` mapping
        :return: UNKNOWN if ``properties`` is not a mapping, FAILED when the
            default action is Deny without a bypass, PASSED otherwise
        """
        self.evaluated_keys = ["properties/networkAcls/defaultAction"]

        properties = conf.get("properties")
        if not properties:
            # no properties at all: nothing is denied, so there is nothing to bypass
            return CheckResult.PASSED
        if not isinstance(properties, dict):
            return CheckResult.UNKNOWN

        network_acls = properties.get("networkAcls")
        if not network_acls or not isinstance(network_acls, dict):
            return CheckResult.PASSED
        if network_acls.get("defaultAction") != "Deny":
            return CheckResult.PASSED

        bypass = network_acls.get("bypass")
        if not bypass or bypass == "None":
            self.evaluated_keys.append("properties/networkAcls/bypass")
            return CheckResult.FAILED
        return CheckResult.PASSED
# module-level instance; BaseResourceCheck.__init__ registers it with the resource registry
check = StorageAccountAzureServicesAccessEnabled()
================================================
FILE: checkov/bicep/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py
================================================
from __future__ import annotations
from typing import Any
from checkov.bicep.checks.resource.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories
class StorageAccountDefaultNetworkAccessDeny(BaseResourceValueCheck):
    """CKV_AZURE_35: ``networkAcls.defaultAction`` of a storage account must be ``Deny``."""

    # attribute path and accepted value used by the value-check base class
    _INSPECTED_KEY = "properties/networkAcls/defaultAction"
    _EXPECTED_VALUE = "Deny"

    def __init__(self) -> None:
        super().__init__(
            name="Ensure default network access rule for Storage Accounts is set to deny",
            id="CKV_AZURE_35",
            categories=(CheckCategories.NETWORKING,),
            supported_resources=("Microsoft.Storage/storageAccounts",),
        )

    def get_inspected_key(self) -> str:
        """:return: path of the attribute compared by the base class"""
        return self._INSPECTED_KEY

    def get_expected_value(self) -> Any:
        """:return: the only accepted value, ``Deny``"""
        return self._EXPECTED_VALUE
# module-level instance; BaseResourceCheck.__init__ registers it with the resource registry
check = StorageAccountDefaultNetworkAccessDeny()
================================================
FILE: checkov/bicep/checks/resource/azure/StorageAccountsTransportEncryption.py
================================================
from __future__ import annotations
from typing import Any
from checkov.bicep.checks.resource.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.common.util.type_forcers import force_int
class StorageAccountsTransportEncryption(BaseResourceCheck):
    """CKV_AZURE_3: a storage account must only accept HTTPS traffic.

    An explicit boolean ``supportsHttpsTrafficOnly`` decides the result. When
    it is absent (or not a boolean) the API version year decides: 2019 and
    later pass, older versions fail — presumably because the service default
    changed with those API versions.
    """

    def __init__(self) -> None:
        super().__init__(
            name="Ensure that 'supportsHttpsTrafficOnly' is set to 'true'",
            id="CKV_AZURE_3",
            categories=(CheckCategories.ENCRYPTION,),
            supported_resources=("Microsoft.Storage/storageAccounts",),
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Evaluate ``properties.supportsHttpsTrafficOnly`` of a storage account.

        :param conf: the resource's ``config`` mapping
        :return: UNKNOWN if ``properties`` is not a mapping or the API version
            year cannot be parsed; otherwise PASSED/FAILED as described on the class
        """
        self.evaluated_keys = ["properties/supportsHttpsTrafficOnly"]

        properties = conf.get("properties")
        if properties:
            if not isinstance(properties, dict):
                return CheckResult.UNKNOWN
            https_only = properties.get("supportsHttpsTrafficOnly")
            # only real booleans decide; anything else falls back to the version rule
            if https_only is True:
                return CheckResult.PASSED
            if https_only is False:
                return CheckResult.FAILED

        return self._result_from_api_version()

    def _result_from_api_version(self) -> CheckResult:
        """Decide by ``self.api_version`` (set by the base class before scanning).

        :return: UNKNOWN when the leading year is not numeric, FAILED before 2019, PASSED otherwise
        """
        year = force_int(self.api_version[:4])
        if year is None:
            return CheckResult.UNKNOWN
        return CheckResult.FAILED if year < 2019 else CheckResult.PASSED
# module-level instance; BaseResourceCheck.__init__ registers it with the resource registry
check = StorageAccountsTransportEncryption()
================================================
FILE: checkov/bicep/checks/resource/azure/__init__.py
================================================
from pathlib import Path
# export every sibling module so ``from ... import *`` loads all check modules
modules = Path(__file__).parent.glob("*.py")
__all__ = [
    module.stem
    for module in modules
    if module.is_file() and module.stem != "__init__"
]
================================================
FILE: checkov/bicep/checks/resource/base_registry.py
================================================
from __future__ import annotations
from typing import TYPE_CHECKING
from checkov.common.checks.base_check import BaseCheck
from checkov.common.checks.base_check_registry import BaseCheckRegistry
from checkov.common.checks_infra.registry import get_graph_checks_registry
from checkov.common.output.report import CheckType
from checkov.runner_filter import RunnerFilter
if TYPE_CHECKING:
from pycep.typing import ResourceAttributes
class Registry(BaseCheckRegistry):
    """Check registry for Bicep ``resource`` blocks.

    Bicep reuses the ARM checks; this registry lets a Bicep-specific
    implementation (a YAML graph check, or a Python check from the ``bicep``
    package) take precedence over the ARM check carrying the same ID.
    """

    def __init__(self) -> None:
        # check ID -> entities it is registered for; used to evict an ARM check
        # when a Bicep check with the same ID is registered later
        self.check_id_to_enitity_map: dict[str, list[str]] = {}
        self.graph_registry = get_graph_checks_registry(CheckType.BICEP)
        self.graph_registry.load_checks()
        # IDs of the loaded graph checks; Python checks with these IDs are never registered
        self.graph_check_ids = [check.id for check in self.graph_registry.checks]
        super().__init__(report_type=CheckType.BICEP)

    def register(self, check: BaseCheck) -> None:
        """Register ``check``, giving Bicep implementations precedence over ARM ones.

        :param check: check instance; its ``__module__`` decides whether it is
            a Bicep check (second path segment ``bicep``) or an ARM check
        """
        # a copy of the original method to be able to prioritize Bicep styled checks over the ARM equivalent
        if self._BaseCheckRegistry__loading_external_checks:  # type:ignore[attr-defined]  # they exist
            RunnerFilter.notify_external_check(check.id)

        # don't add an ARM check, if a Bicep graph check exists for it
        if check.id in self.graph_check_ids:
            return

        # remove the ARM check, if a Bicep check with the same check ID exists
        if check.id in self.check_id_to_enitity_map.keys():
            # NOTE(review): assumes a dotted module path ("checkov.bicep...");
            # a top-level module name would raise IndexError here — confirm for external checks
            if check.__module__.split(".")[1] != "bicep":
                return

            # drop the previously registered check from every entity list it was added to
            entities = self.check_id_to_enitity_map[check.id]
            for entity in entities:
                checks = self.wildcard_checks if self._is_wildcard(entity) else self.checks
                check_idx = next((idx for idx, c in enumerate(checks[entity]) if c.id == check.id), None)
                if check_idx is not None:
                    del checks[entity][check_idx]
            del self.check_id_to_enitity_map[check.id]

        for entity in check.supported_entities:
            checks = self.wildcard_checks if self._is_wildcard(entity) else self.checks
            checks[entity].append(check)
            self.check_id_to_enitity_map.setdefault(check.id, []).append(entity)

        self._BaseCheckRegistry__all_registered_checks.append(check)  # type:ignore[attr-defined]  # they exist

    def extract_entity_details(self, entity: dict[str, ResourceAttributes]) -> tuple[str, str, ResourceAttributes]:  # type:ignore[override]  # it's ok
        """Split a single-item ``{name: attributes}`` mapping into (type, name, attributes).

        :raises StopIteration: if ``entity`` is empty
        """
        resource_name, resource = next(iter(entity.items()))
        resource_type = resource["type"]
        return resource_type, resource_name, resource
================================================
FILE: checkov/bicep/checks/resource/base_resource_check.py
================================================
from __future__ import annotations
from abc import abstractmethod
from collections.abc import Iterable
from typing import Any, TYPE_CHECKING
from checkov.bicep.checks.resource.registry import registry
from checkov.common.checks.base_check import BaseCheck
from checkov.common.models.enums import CheckCategories, CheckResult
if TYPE_CHECKING:
from pycep.typing import ResourceAttributes
class BaseResourceCheck(BaseCheck):
    """Base class for checks on Bicep ``resource`` blocks.

    The constructor registers the instance with the resource registry.
    Subclasses implement ``scan_resource_conf`` and receive the resource's
    ``config`` mapping with ``self.entity_type`` and ``self.api_version``
    already set.
    """

    def __init__(
        self,
        name: str,
        id: str,
        categories: "Iterable[CheckCategories]",
        supported_resources: "Iterable[str]",
        guideline: str | None = None,
    ) -> None:
        """
        :param name: human readable check title
        :param id: check ID, e.g. ``CKV_AZURE_3``
        :param categories: check categories
        :param supported_resources: resource types the check applies to (passed on as ``supported_entities``)
        :param guideline: optional guideline forwarded to ``BaseCheck``
        """
        super().__init__(
            name=name,
            id=id,
            categories=categories,
            supported_entities=supported_resources,
            block_type="resource",
            guideline=guideline,
        )
        self.supported_resources = supported_resources
        # must stay after BaseCheck.__init__: the registry iterates supported_entities
        registry.register(self)

    def scan_entity_conf(self, conf: ResourceAttributes, entity_type: str) -> CheckResult:  # type:ignore[override]  # it's ok
        """Unpack the pycep resource and delegate to ``scan_resource_conf``.

        :param conf: pycep resource attributes; ``existing``, ``api_version`` and ``config`` are read
        :param entity_type: resource type, stored on ``self.entity_type``
        :return: UNKNOWN for ``existing`` resources, otherwise the subclass result
        """
        if conf["existing"] is True:
            # the existing keyword is used to retrieve information about an already deployed resource
            return CheckResult.UNKNOWN

        self.entity_type = entity_type
        # exposed for checks whose verdict depends on the API version
        self.api_version = conf["api_version"]
        return self.scan_resource_conf(conf["config"])

    @abstractmethod
    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Evaluate one resource's ``config`` mapping; implemented by the concrete check.

        :raises NotImplementedError: when not overridden
        """
        raise NotImplementedError()
================================================
FILE: checkov/bicep/checks/resource/base_resource_value_check.py
================================================
from __future__ import annotations
from abc import abstractmethod
from collections.abc import Iterable
from typing import Any
from checkov.bicep.checks.resource.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.common.models.consts import ANY_VALUE
from checkov.common.util.data_structures_utils import find_in_dict
class BaseResourceValueCheck(BaseResourceCheck):
    """Resource check comparing a single attribute (``get_inspected_key``) with expected values.

    ``missing_block_result`` is returned when the attribute is absent; it is
    also what a present but non-matching value yields (see the note in
    ``scan_resource_conf``).
    """

    def __init__(
        self,
        name: str,
        id: str,
        categories: "Iterable[CheckCategories]",
        supported_resources: "Iterable[str]",
        guideline: str | None = None,
        missing_block_result: CheckResult = CheckResult.FAILED,
    ) -> None:
        """
        :param missing_block_result: result used when the inspected key is not present
        """
        super().__init__(
            name=name, id=id, categories=categories, supported_resources=supported_resources, guideline=guideline
        )
        self.missing_block_result = missing_block_result

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        """Look up the inspected key in ``conf`` and compare it with the expected values.

        :param conf: the resource's ``config`` mapping
        :return: PASSED when ``ANY_VALUE`` is expected or the value matches
            (exactly, or case-insensitively for strings); otherwise
            ``missing_block_result``
        """
        inspected_key = self.get_inspected_key()
        expected_values = self.get_expected_values()

        value = find_in_dict(conf, inspected_key)
        if value is None:
            return self.missing_block_result

        if ANY_VALUE in expected_values or value in expected_values:
            return CheckResult.PASSED

        # quite often string values are case-insensitive
        if isinstance(value, str):
            lowered = value.lower()
            if any(isinstance(expected, str) and expected.lower() == lowered for expected in expected_values):
                return CheckResult.PASSED

        # NOTE(review): a present but non-matching value returns missing_block_result
        # instead of FAILED; with missing_block_result=PASSED a wrong value passes — confirm intended
        return self.missing_block_result

    @abstractmethod
    def get_inspected_key(self) -> str:
        """
        :return: JSONPath syntax path of the checked attribute
        """
        raise NotImplementedError()

    def get_expected_values(self) -> list[Any]:
        """
        Override the method with the list of acceptable values if the check has more than one possible expected value, given
        the inspected key
        :return: List of expected values, defaults to a list of the expected value
        """
        return [self.get_expected_value()]

    def get_expected_value(self) -> Any:
        """
        Returns the default expected value, governed by provider best practices
        """
        return True

    def get_evaluated_keys(self) -> list[str]:
        """:return: the inspected key, reported as the evaluated key"""
        return [self.get_inspected_key()]
================================================
FILE: checkov/bicep/checks/resource/registry.py
================================================
from checkov.bicep.checks.resource.base_registry import Registry
# shared registry instance imported by BaseResourceCheck for self-registration
registry = Registry()
================================================
FILE: checkov/bicep/graph_builder/__init__.py
================================================
================================================
FILE: checkov/bicep/graph_builder/context_definitions.py
================================================
from __future__ import annotations
from pathlib import Path
from typing import cast, List, Tuple, Dict, Any, TYPE_CHECKING
from checkov.common.util.suppression import collect_suppressions_for_report
if TYPE_CHECKING:
from pycep.typing import BicepJson
# Bicep line comment marker
BICEP_COMMENT = "//"
# top-level pycep keys that get a definitions context; the values are the context keys
DEFINITIONS_KEYS_TO_PARSE = {"parameters": "parameters", "resources": "resources"}
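def build_definitions_context(definitions: Dict[Path, BicepJson], definitions_raw: Dict[Path, List[Tuple[int, str]]]
                              ) -> Dict[str, Dict[str, Any]]:
    """Build the per-file context (line ranges, code lines, suppressions) for parameters and resources.

    :param definitions: parsed pycep JSON per file
    :param definitions_raw: raw ``(line_number, line_text)`` tuples per file,
        used for the code lines and the suppression comments
    :return: ``{file_path: {"parameters"|"resources": {key: context}}}``;
        resources are keyed ``"<type>.<name>"`` and carry ``skipped_checks``,
        parameters are keyed by name and carry ``type``; every context holds
        ``start_line``, ``end_line`` and ``code_lines``
    """
    definitions_context: Dict[str, Dict[str, Any]] = {}
    for file_path_object, file_path_definitions in definitions.items():
        file_path = str(file_path_object)
        definitions_context[file_path] = {}
        for definition_attribute, resources in file_path_definitions.items():
            # only parameters and resources get a context; other top-level keys are skipped
            if definition_attribute not in DEFINITIONS_KEYS_TO_PARSE.values():
                continue

            definitions_context[file_path][definition_attribute] = {}
            # ignore mypy mismatched type warning since it can't resolve this type correctly
            for resource_key, resource_attributes in resources.items():  # type:ignore[attr-defined]
                definition_resource = {"start_line": resource_attributes["__start_line__"], "end_line": resource_attributes["__end_line__"]}

                if definition_attribute == DEFINITIONS_KEYS_TO_PARSE["resources"]:
                    definition_key = f"{resource_attributes['type']}.{resource_key}"
                    int_start_line = cast(int, definition_resource["start_line"])
                    int_end_line = cast(int, definition_resource["end_line"])
                    # NOTE(review): this slice starts at start_line while code_lines below starts at
                    # start_line - 1, so one raw line less is scanned for suppressions — confirm intended
                    code_lines_for_suppressions_check = definitions_raw[file_path_object][int_start_line: int_end_line]
                    definition_resource['skipped_checks'] = collect_suppressions_for_report(code_lines=code_lines_for_suppressions_check)
                elif definition_attribute == DEFINITIONS_KEYS_TO_PARSE["parameters"]:
                    definition_key = resource_key
                    definition_resource["type"] = resource_attributes['type']

                start_line = resource_attributes["__start_line__"]
                end_line = resource_attributes["__end_line__"]

                # add resource comments to definition lines: walk upward over blank and
                # '//' lines; the lower bound keeps the index from wrapping to the file end
                current_line = str.strip(definitions_raw[file_path_object][start_line - 1][1])
                while start_line > 1 and _is_blank_or_comment(current_line):
                    start_line -= 1
                    current_line = str.strip(definitions_raw[file_path_object][start_line - 1][1])

                # remove next resource comments from definition lines
                current_line = str.strip(definitions_raw[file_path_object][end_line - 1][1])
                while end_line > 1 and _is_blank_or_comment(current_line):
                    end_line -= 1
                    current_line = str.strip(definitions_raw[file_path_object][end_line - 1][1])

                definition_resource["code_lines"] = definitions_raw[file_path_object][start_line - 1: end_line]
                definitions_context[file_path][definition_attribute][definition_key] = definition_resource

    return definitions_context


def _is_blank_or_comment(line: str) -> bool:
    """True for an empty (already stripped) line or a line starting with the Bicep comment marker.

    The previous check compared a single character with the two-character
    marker ``//`` and therefore never matched a comment line.
    """
    return not line or line.startswith(BICEP_COMMENT)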
================================================
FILE: checkov/bicep/graph_builder/graph_components/__init__.py
================================================
================================================
FILE: checkov/bicep/graph_builder/graph_components/block_types.py
================================================
from dataclasses import dataclass
from typing import Literal
from typing_extensions import TypeAlias # noqa[TC002]
from checkov.common.graph.graph_builder.graph_components.block_types import BlockType as CommonBlockType
# the block types a Bicep graph vertex can have (RESOURCE is inherited from the common BlockType)
BlockTypeAlias: TypeAlias = Literal["targetScope", "param", "var", "resource", "module", "output"]
@dataclass
class BlockType(CommonBlockType):
    """Bicep-specific block types; ``RESOURCE`` comes from the common ``BlockType``."""

    TARGET_SCOPE: Literal["targetScope"] = "targetScope"
    PARAM: Literal["param"] = "param"
    VAR: Literal["var"] = "var"
    MODULE: Literal["module"] = "module"
    OUTPUT: Literal["output"] = "output"
================================================
FILE: checkov/bicep/graph_builder/graph_components/blocks.py
================================================
from __future__ import annotations
from typing import Any
from checkov.common.graph.graph_builder.consts import GraphSource
from checkov.common.graph.graph_builder.graph_components.blocks import Block
class BicepBlock(Block):
    """Graph vertex for one Bicep block: a ``Block`` tagged with ``GraphSource.BICEP``."""

    def __init__(
        self,
        name: str,
        config: dict[str, Any],
        path: str,
        block_type: str,
        attributes: dict[str, Any],
        id: str = "",
    ) -> None:
        """
        :param name: block name (the target scope uses its block type as name)
        :param config: the block's pycep configuration
        :param path: file the block was parsed from
        :param block_type: one of the Bicep ``BlockType`` values
        :param attributes: flattened attributes used for edges and rendering
        :param id: vertex id, e.g. ``"param.<name>"`` or ``"<type>.<name>"``
        """
        # positional call: the parent signature is not visible here, the order
        # (name, config, path, block_type, attributes, id, source) is relied on
        super().__init__(name, config, path, block_type, attributes, id, GraphSource.BICEP)
================================================
FILE: checkov/bicep/graph_builder/graph_to_tf_definitions.py
================================================
from __future__ import annotations
import os
from pathlib import Path
from typing import Any, TYPE_CHECKING, cast
from checkov.bicep.graph_builder.graph_components.block_types import BlockType, BlockTypeAlias
from checkov.bicep.graph_builder.local_graph import BicepElements, BicepElementsAlias
if TYPE_CHECKING:
from checkov.bicep.graph_builder.graph_components.blocks import BicepBlock
from pycep.typing import BicepJson
# vertex block type -> top-level pycep JSON section the block is written back to
BLOCK_TYPE_TO_BICEP_ELEMENTS_MAP = {
    BlockType.MODULE: BicepElements.MODULES,
    BlockType.OUTPUT: BicepElements.OUTPUTS,
    BlockType.PARAM: BicepElements.PARAMETERS,
    BlockType.RESOURCE: BicepElements.RESOURCES,
    BlockType.TARGET_SCOPE: BicepElements.GLOBALS,
    BlockType.VAR: BicepElements.VARIABLES,
}
def convert_graph_vertices_to_tf_definitions(
    vertices: list[BicepBlock], root_folder: str | Path | None
) -> tuple[dict[Path, BicepJson], dict[str, dict[str, Any]]]:
    """Rebuild the per-file pycep JSON (and breadcrumbs) from graph vertices.

    :param vertices: all vertices of the Bicep graph
    :param root_folder: base for the relative paths used as breadcrumb keys
    :return: ``(definitions, breadcrumbs)`` where definitions maps each file to
        its sections (``globals``/``parameters``/...) and breadcrumbs maps
        ``"/<relative path>"`` to ``{block name: breadcrumbs}``
    """
    tf_definitions: dict[Path, BicepJson] = {}
    breadcrumbs: dict[str, dict[str, Any]] = {}

    for vertex in vertices:
        file_path = Path(vertex.path)
        # a Bicep graph only ever holds the Bicep block types, so the cast is safe
        block_type = cast("BlockTypeAlias", vertex.block_type)
        element_key: BicepElementsAlias = BLOCK_TYPE_TO_BICEP_ELEMENTS_MAP[block_type].value
        # the target scope is stored under the fixed "scope" key, everything else under its own name
        element_name = "scope" if block_type == BlockType.TARGET_SCOPE else vertex.name

        tf_definitions.setdefault(file_path, {}).setdefault(element_key, {})[element_name] = vertex.config  # type:ignore[typeddict-item]

        if vertex.breadcrumbs:
            relative_path = f"/{os.path.relpath(file_path, root_folder)}"
            add_breadcrumbs(vertex, breadcrumbs, relative_path)

    return tf_definitions, breadcrumbs
def add_breadcrumbs(vertex: BicepBlock, breadcrumbs: dict[str, dict[str, Any]], relative_block_path: str) -> None:
    """Store ``vertex.breadcrumbs`` under ``breadcrumbs[relative_block_path][vertex.name]``.

    :param vertex: vertex whose ``name`` and ``breadcrumbs`` are recorded
    :param breadcrumbs: mapping updated in place; the file entry is created if missing
    :param relative_block_path: breadcrumb key for the vertex's file
    """
    if relative_block_path not in breadcrumbs:
        breadcrumbs[relative_block_path] = {}
    breadcrumbs[relative_block_path][vertex.name] = vertex.breadcrumbs
================================================
FILE: checkov/bicep/graph_builder/local_graph.py
================================================
from __future__ import annotations
import logging
from enum import Enum
from pathlib import Path
from typing import Any, TYPE_CHECKING, overload, Literal
from pycep.transformer import BicepElement
from typing_extensions import TypeAlias # noqa[TC002]
from checkov.bicep.graph_builder.graph_components.block_types import BlockType
from checkov.bicep.graph_builder.graph_components.blocks import BicepBlock
from checkov.bicep.graph_builder.variable_rendering.renderer import BicepVariableRenderer
from checkov.common.graph.graph_builder.graph_components.edge import Edge
from checkov.common.graph.graph_builder.local_graph import LocalGraph
from checkov.common.graph.graph_builder.utils import filter_sub_keys
from checkov.common.graph.graph_builder.utils import adjust_value
from checkov.common.util.data_structures_utils import pickle_deepcopy
from checkov.common.util.type_forcers import force_int
if TYPE_CHECKING:
from checkov.common.graph.graph_builder.graph_components.blocks import Block
from pycep.typing import (
BicepJson,
ResourceAttributes,
GlobalsAttributes,
ParameterAttributes,
VariableAttributes,
OutputAttributes,
ModuleAttributes,
)
# the top-level sections of the pycep JSON; mirrors the BicepElements values below
BicepElementsAlias: TypeAlias = Literal["globals", "parameters", "variables", "resources", "modules", "outputs"]
# mypy: disable-error-code="misc"
class BicepElements(str, Enum):
    """Top-level sections of the pycep JSON; ``.value`` is the key used in the parsed file."""

    GLOBALS: Literal["globals"] = "globals"
    PARAMETERS: Literal["parameters"] = "parameters"
    VARIABLES: Literal["variables"] = "variables"
    RESOURCES: Literal["resources"] = "resources"
    MODULES: Literal["modules"] = "modules"
    OUTPUTS: Literal["outputs"] = "outputs"
class BicepLocalGraph(LocalGraph[BicepBlock]):
def __init__(self, definitions: dict[Path, BicepJson]) -> None:
super().__init__()
self.vertices: list[BicepBlock] = []
self.definitions = definitions
self.vertices_by_name: dict[str, int] = {}
def build_graph(self, render_variables: bool) -> None:
self._create_vertices()
logging.info(f"[BicepLocalGraph] created {len(self.vertices)} vertices")
self._create_edges()
logging.info(f"[BicepLocalGraph] created {len(self.edges)} edges")
if render_variables:
renderer = BicepVariableRenderer(self)
renderer.render_variables_from_local_graph()
def _create_vertices(self) -> None:
for file_path, bicep_conf in self.definitions.items():
self._create_global_vertices(file_path=file_path, globals_attrs=bicep_conf.get(BicepElements.GLOBALS.value))
self._create_param_vertices(file_path=file_path, parameters=bicep_conf.get(BicepElements.PARAMETERS.value))
self._create_var_vertices(file_path=file_path, variables=bicep_conf.get(BicepElements.VARIABLES.value))
self._create_resource_vertices(file_path=file_path, resources=bicep_conf.get(BicepElements.RESOURCES.value))
self._create_module_vertices(file_path=file_path, modules=bicep_conf.get(BicepElements.MODULES.value))
self._create_output_vertices(file_path=file_path, outputs=bicep_conf.get(BicepElements.OUTPUTS.value))
for i, vertex in enumerate(self.vertices):
self.vertices_by_block_type[vertex.block_type].append(i)
self.vertices_block_name_map[vertex.block_type][vertex.name].append(i)
self.vertices_by_name[vertex.name] = i
self.in_edges[i] = []
self.out_edges[i] = []
def _create_global_vertices(self, file_path: Path, globals_attrs: GlobalsAttributes | None) -> None:
if not globals_attrs:
return
# there can only be one target scope per file
config = pickle_deepcopy(globals_attrs["scope"])
attributes = pickle_deepcopy(config)
self.vertices.append(
BicepBlock(
name=BlockType.TARGET_SCOPE,
config=config, # type:ignore[arg-type]
path=str(file_path),
block_type=BlockType.TARGET_SCOPE,
attributes=attributes, # type:ignore[arg-type]
id=BlockType.TARGET_SCOPE,
)
)
def _create_param_vertices(self, file_path: Path, parameters: dict[str, ParameterAttributes] | None) -> None:
if not parameters:
return
for name, conf in parameters.items():
config = pickle_deepcopy(conf)
attributes = pickle_deepcopy(conf)
self.vertices.append(
BicepBlock(
name=name,
config=config, # type:ignore[arg-type]
path=str(file_path),
block_type=BlockType.PARAM,
attributes=attributes, # type:ignore[arg-type]
id=f"{BlockType.PARAM}.{name}",
)
)
def _create_var_vertices(self, file_path: Path, variables: dict[str, VariableAttributes] | None) -> None:
if not variables:
return
for name, conf in variables.items():
config = pickle_deepcopy(conf)
attributes = pickle_deepcopy(conf)
self.vertices.append(
BicepBlock(
name=name,
config=config, # type:ignore[arg-type]
path=str(file_path),
block_type=BlockType.VAR,
attributes=attributes, # type:ignore[arg-type]
id=f"{BlockType.VAR}.{name}",
)
)
def _create_resource_vertices(self, file_path: Path, resources: dict[str, ResourceAttributes] | None) -> None:
if not resources:
return
for name, conf in resources.items():
config = pickle_deepcopy(conf)
attributes: dict[str, Any] = {}
attributes["decorators"] = pickle_deepcopy(config["decorators"])
attributes["type_"] = config["type"]
attributes["api_version_"] = config["api_version"]
attributes["existing_"] = config["existing"]
attributes.update(pickle_deepcopy(config["config"]))
attributes["resource_type"] = config["type"]
attributes["__start_line__"] = config["__start_line__"]
attributes["__end_line__"] = config["__end_line__"]
self.vertices.append(
BicepBlock(
name=name,
config=config, # type:ignore[arg-type]
path=str(file_path),
block_type=BlockType.RESOURCE,
attributes=attributes,
id=f"{config['type']}.{name}",
)
)
def _create_module_vertices(self, file_path: Path, modules: dict[str, ModuleAttributes] | None) -> None:
if not modules:
return
for name, conf in modules.items():
config = pickle_deepcopy(conf)
attributes: dict[str, Any] = {}
attributes["decorators"] = pickle_deepcopy(config["decorators"])
attributes["type_"] = config["type"]
attributes["detail_"] = config["detail"]
attributes.update(pickle_deepcopy(config["config"]))
attributes["resource_type"] = config["type"]
attributes["__start_line__"] = config["__start_line__"]
attributes["__end_line__"] = config["__end_line__"]
self.vertices.append(
BicepBlock(
name=str(name), # this will be fixed in pycep with the next version, currently type Token
config=config, # type:ignore[arg-type]
path=str(file_path),
block_type=BlockType.MODULE,
attributes=attributes,
id=f"{config['type']}.{name}",
)
)
def _create_output_vertices(self, file_path: Path, outputs: dict[str, OutputAttributes] | None) -> None:
if not outputs:
return
for name, conf in outputs.items():
config = pickle_deepcopy(conf)
attributes = pickle_deepcopy(conf)
self.vertices.append(
BicepBlock(
name=name,
config=config, # type:ignore[arg-type]
path=str(file_path),
block_type=BlockType.OUTPUT,
attributes=attributes, # type:ignore[arg-type]
id=f"{BlockType.OUTPUT}.{name}",
)
)
def _create_edges(self) -> None:
# TODO: support connections in interpolated strings
for origin_vertex_index, vertex in enumerate(self.vertices):
for attr_key, attr_value in vertex.attributes.items():
if isinstance(attr_value, BicepElement):
self._create_edge(
element_name=attr_value,
origin_vertex_index=origin_vertex_index,
label=attr_key,
)
if isinstance(attr_value, list):
for list_value in attr_value:
if isinstance(list_value, BicepElement):
self._create_edge(
element_name=list_value,
origin_vertex_index=origin_vertex_index,
label=attr_key,
)
def _create_edge(self, element_name: str, origin_vertex_index: int, label: str) -> None:
vertex_name = element_name
if "." in vertex_name:
# special case for`bicep elements, when properties are accessed
vertex_name = vertex_name.split(".")[0]
dest_vertex_index = self.vertices_by_name.get(vertex_name)
if dest_vertex_index:
if origin_vertex_index == dest_vertex_index:
return
edge = Edge(origin_vertex_index, dest_vertex_index, label)
self.edges.append(edge)
self.out_edges[origin_vertex_index].append(edge)
self.in_edges[dest_vertex_index].append(edge)
def update_vertices_configs(self) -> None:
for vertex in self.vertices:
changed_attributes = list(vertex.changed_attributes.keys())
changed_attributes = filter_sub_keys(changed_attributes)
self.update_vertex_config(vertex, changed_attributes)
@staticmethod
def update_vertex_config(vertex: Block, changed_attributes: list[str] | dict[str, Any], dynamic_blocks: bool = False) -> None:
if not changed_attributes:
# skip, if there is no change
return
for attr in changed_attributes:
new_value = vertex.attributes.get(attr, None)
if vertex.block_type == BlockType.RESOURCE:
BicepLocalGraph.update_config_attribute(
config=vertex.config["config"], key_to_update=attr, new_value=new_value
)
@staticmethod
def update_config_attribute(config: list[Any] | dict[str, Any], key_to_update: str, new_value: Any) -> None:
key_parts = key_to_update.split(".")
if isinstance(config, dict):
key = key_parts[0]
if len(key_parts) == 1:
BicepLocalGraph.update_config_value(config=config, key=key, new_value=new_value)
return
else:
key, key_parts = BicepLocalGraph.adjust_key(config, key, key_parts)
if len(key_parts) == 1:
BicepLocalGraph.update_config_value(config=config, key=key, new_value=new_value)
return
BicepLocalGraph.update_config_attribute(config[key], ".".join(key_parts[1:]), new_value)
elif isinstance(config, list):
key_idx = force_int(key_parts[0])
if key_idx is None:
return
if len(key_parts) == 1:
BicepLocalGraph.update_config_value(config=config, key=key_idx, new_value=new_value)
return
else:
BicepLocalGraph.update_config_attribute(config[key_idx], ".".join(key_parts[1:]), new_value)
return
@overload
@staticmethod
def update_config_value(config: list[Any], key: int, new_value: Any) -> None:
...
@overload
@staticmethod
def update_config_value(config: dict[str, Any], key: str, new_value: Any) -> None:
...
@staticmethod
def update_config_value(config: list[Any] | dict[str, Any], key: int | str, new_value: Any) -> None:
new_value = adjust_value(config[key], new_value) # type:ignore[index]
if new_value is None:
# couldn't find key in in value object
return
config[key] = new_value # type:ignore[index]
@staticmethod
def adjust_key(config: dict[str, Any], key: str, key_parts: list[str]) -> tuple[str, list[str]]:
"""Adjusts the key, if it consists of multiple dots
Ex:
config = {"'container.registry'": "acrName"}
key = "'container"
key_parts = ["'container", "registry'"]
returns new_key = "'container.registry'"
new_key_parts = ["'container.registry'"]
"""
if key not in config:
if len(key_parts) >= 2:
new_key = ".".join(key_parts[:2])
new_key_parts = [new_key] + key_parts[2:]
return BicepLocalGraph.adjust_key(config, new_key, new_key_parts)
return key, key_parts
def get_resources_types_in_graph(self) -> list[str]:
    """Resource-type listing is not provided for Bicep graphs; always returns an empty list."""
    resource_types: list[str] = []
    return resource_types
================================================
FILE: checkov/bicep/graph_builder/variable_rendering/__init__.py
================================================
================================================
FILE: checkov/bicep/graph_builder/variable_rendering/renderer.py
================================================
from __future__ import annotations
from typing import TYPE_CHECKING, Any
from pycep.transformer import BicepElement
from checkov.bicep.graph_builder.graph_components.block_types import BlockType
from checkov.common.graph.graph_builder import Edge
from checkov.common.graph.graph_builder.utils import adjust_value
from checkov.common.graph.graph_builder.variable_rendering.renderer import VariableRenderer
from checkov.common.util.data_structures_utils import pickle_deepcopy
if TYPE_CHECKING:
from checkov.bicep.graph_builder.local_graph import BicepLocalGraph
class BicepVariableRenderer(VariableRenderer["BicepLocalGraph"]):
    """Resolves references from one Bicep vertex to a parameter or variable vertex, edge by edge."""

    def __init__(self, local_graph: BicepLocalGraph) -> None:
        super().__init__(local_graph)

    def _render_variables_from_vertices(self) -> None:
        # nothing to do for Bicep; rendering is driven by evaluate_vertex_attribute_from_edge
        pass

    def evaluate_vertex_attribute_from_edge(self, edge_list: list[Edge]) -> None:
        """Evaluate the first edge of ``edge_list`` and write the resolved value onto its origin vertex.

        Only ``edge_list[0]`` is considered. The origin attribute named by the edge label is deep-copied
        before evaluation; when the destination yields an attribute path, the origin attribute is updated
        through ``local_graph.update_vertex_attribute`` with the destination as change origin.
        """
        first_edge = edge_list[0]
        origin_attrs = self.local_graph.vertices[first_edge.origin].attributes
        candidate = pickle_deepcopy(origin_attrs.get(first_edge.label, ""))
        dest_path, resolved = self.extract_dest_attribute_path_and_value(
            dest_index=first_edge.dest, origin_value=candidate
        )
        if not dest_path:
            return
        self.local_graph.update_vertex_attribute(
            vertex_index=first_edge.origin,
            attribute_key=first_edge.label,
            attribute_value=resolved,
            change_origin_id=first_edge.dest,
            attribute_at_dest=dest_path,
        )

    def extract_dest_attribute_path_and_value(self, dest_index: int, origin_value: Any) -> tuple[str, Any] | tuple[None, None]:
        """Resolve ``origin_value`` against the vertex at ``dest_index``.

        :returns: ``("default", value)`` for a PARAM vertex (its ``default`` attribute, adjusted only when
            truthy), ``("value", value)`` for a VAR vertex, and ``(None, None)`` when ``origin_value`` is not a
            ``BicepElement`` or the destination is neither a PARAM nor a VAR block
        """
        if not isinstance(origin_value, BicepElement):
            return None, None
        dest_vertex = self.local_graph.vertices[dest_index]
        if dest_vertex.block_type == BlockType.PARAM:
            default_value = dest_vertex.attributes.get("default")
            if default_value:
                default_value = adjust_value(element_name=origin_value, value=default_value)
            return "default", default_value
        if dest_vertex.block_type == BlockType.VAR:
            var_value = adjust_value(element_name=origin_value, value=dest_vertex.attributes["value"])
            return "value", var_value
        return None, None

    def evaluate_non_rendered_values(self) -> None:
        # not used
        pass
================================================
FILE: checkov/bicep/graph_manager.py
================================================
from __future__ import annotations
from pathlib import Path
from typing import TYPE_CHECKING, Any, Optional
from checkov.bicep.parser import Parser
from checkov.bicep.utils import get_scannable_file_paths
from checkov.common.graph.graph_builder.consts import GraphSource
from checkov.common.graph.graph_manager import GraphManager
from checkov.bicep.graph_builder.local_graph import BicepLocalGraph
if TYPE_CHECKING:
from checkov.common.typing import LibraryGraphConnector
from pycep.typing import BicepJson
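class BicepGraphManager(GraphManager[BicepLocalGraph, "dict[Path, BicepJson]"]):
    """Builds the Bicep graph, either from a source directory or from already parsed definitions."""

    def __init__(self, db_connector: LibraryGraphConnector, source: str = GraphSource.BICEP) -> None:
        # the Bicep parser is invoked directly in build_graph_from_source_directory, so none is handed to the base
        super().__init__(db_connector=db_connector, parser=None, source=source)

    def build_graph_from_source_directory(
        self,
        source_dir: str,
        local_graph_class: type[BicepLocalGraph] = BicepLocalGraph,
        render_variables: bool = True,
        parsing_errors: Optional[dict[str, Exception]] = None,
        download_external_modules: Optional[bool] = False,
        excluded_paths: Optional[list[str]] = None,
        **kwargs: Any,
    ) -> tuple[BicepLocalGraph, dict[Path, BicepJson]]:
        """Scan ``source_dir`` for ``.bicep`` files, parse them and build the graph.

        :param source_dir: root folder searched recursively
        :param local_graph_class: accepted for interface compatibility; ``BicepLocalGraph`` is always built
        :param render_variables: forwarded to ``build_graph_from_definitions`` (previously ignored)
        :param parsing_errors: accepted for interface compatibility; not populated — files that fail to
            parse are left out of the result without being reported here
        :param download_external_modules: accepted for interface compatibility; unused
        :param excluded_paths: regex patterns forwarded to ``get_scannable_file_paths`` (previously ignored)
        :param kwargs: ignored
        :returns: the built graph and the parsed definitions keyed by file path
        """
        file_paths = get_scannable_file_paths(root_folder=source_dir, excluded_paths=excluded_paths)
        definitions, _definitions_raw, _parsing_errors = Parser().get_files_definitions(file_paths)
        local_graph = self.build_graph_from_definitions(definitions, render_variables=render_variables)
        return local_graph, definitions

    def build_graph_from_definitions(
        self, definitions: dict[Path, BicepJson], render_variables: bool = True
    ) -> BicepLocalGraph:
        """Build a ``BicepLocalGraph`` from parsed templates.

        :param definitions: parsed Bicep templates keyed by file path
        :param render_variables: whether parameter/variable references are rendered during ``build_graph``
        """
        local_graph = BicepLocalGraph(definitions)
        local_graph.build_graph(render_variables)
        return local_graph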
================================================
FILE: checkov/bicep/image_referencer/__init__.py
================================================
================================================
FILE: checkov/bicep/image_referencer/base_provider.py
================================================
from __future__ import annotations
import os
from checkov.bicep.utils import BICEP_START_LINE, BICEP_END_LINE
from checkov.common.graph.graph_builder import CustomAttributes
from checkov.common.images.graph.image_referencer_provider import GraphImageReferencerProvider
from checkov.common.images.image_referencer import Image
from checkov.common.util.str_utils import removeprefix
class BaseBicepProvider(GraphImageReferencerProvider):
    """Collects container image references from the Bicep resource vertices of the graph."""

    def extract_images_from_resources(self) -> list[Image]:
        """Return one ``Image`` per image name found in a supported resource.

        For each resource vertex the extractor registered for its resource type (if any) supplies the image
        names; every name becomes an ``Image`` carrying the resource's file path, line range and a related id
        of the form ``<file_path_ with the BC_ROOT_DIR prefix removed>:<id_>``.
        """
        found: list[Image] = []
        graph_nodes = self.extract_nodes()
        for resource in self.extract_resource(graph_nodes):
            extractor = self.supported_resource_types.get(resource[CustomAttributes.RESOURCE_TYPE])
            names: list[str] = list(extractor(resource)) if extractor else []
            if not names:
                continue
            relative_path = removeprefix(resource.get("file_path_", ""), os.getenv("BC_ROOT_DIR", ""))
            related_id = f'{relative_path}:{resource.get("id_")}'
            found.extend(
                Image(
                    file_path=resource[CustomAttributes.FILE_PATH],
                    name=name,
                    start_line=resource[BICEP_START_LINE],
                    end_line=resource[BICEP_END_LINE],
                    related_resource_id=related_id,
                )
                for name in names
            )
        return found
================================================
FILE: checkov/bicep/image_referencer/manager.py
================================================
from __future__ import annotations
from typing import TYPE_CHECKING
from checkov.bicep.image_referencer.provider.azure import AzureBicepProvider
from checkov.common.images.graph.image_referencer_manager import GraphImageReferencerManager
if TYPE_CHECKING:
from checkov.common.images.image_referencer import Image
class BicepImageReferencerManager(GraphImageReferencerManager):
    """Image-reference entry point for Bicep graphs; all work is delegated to the Azure provider."""

    def extract_images_from_resources(self) -> list[Image]:
        """Return every container image referenced by supported Azure resources in the graph."""
        provider = AzureBicepProvider(graph_connector=self.graph_connector)
        return provider.extract_images_from_resources()
================================================
FILE: checkov/bicep/image_referencer/provider/__init__.py
================================================
================================================
FILE: checkov/bicep/image_referencer/provider/azure.py
================================================
from __future__ import annotations
from typing import TYPE_CHECKING, Any
from checkov.bicep.image_referencer.base_provider import BaseBicepProvider
from checkov.common.util.data_structures_utils import find_in_dict
from checkov.common.util.type_forcers import force_list
if TYPE_CHECKING:
from networkx import DiGraph
class AzureBicepProvider(BaseBicepProvider):
    """Bicep image provider wired to the Azure resource-type extractors declared in this module."""

    def __init__(self, graph_connector: DiGraph) -> None:
        # SUPPORTED_AZURE_IMAGE_RESOURCE_TYPES is defined at the bottom of the module, after its extractors
        extractors = SUPPORTED_AZURE_IMAGE_RESOURCE_TYPES
        super().__init__(graph_connector=graph_connector, supported_resource_types=extractors)
def extract_images_from_azurerm_batch_pool(resource: dict[str, Any]) -> list[str]:
    """Image names of a ``Microsoft.Batch/batchAccounts/pools`` resource.

    Reads ``properties/virtualMachineConfiguration/containerConfiguration/containerImageNames`` and keeps
    only the string entries. Returns an empty list when the path is missing or does not hold a list.
    """
    container_images = find_in_dict(
        input_dict=resource,
        key_path="properties/virtualMachineConfiguration/containerConfiguration/containerImageNames",
    )
    if not isinstance(container_images, list):
        return []
    return [image for image in container_images if isinstance(image, str)]
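def extract_images_from_azurerm_container_group(resource: dict[str, Any]) -> list[str]:
    """Image names of a ``Microsoft.ContainerInstance/containerGroups`` resource.

    Inspects ``properties.containers`` and then ``properties.initContainers`` and collects each container's
    ``properties/image`` when it is a non-empty string. Returns an empty list when ``properties`` is missing
    or not a mapping.

    :param resource: the resource's rendered configuration
    """
    image_names: list[str] = []
    properties = resource.get("properties")
    if not properties or not isinstance(properties, dict):
        return image_names
    # both container lists share the same per-container layout, so one loop handles them in order
    for containers_key in ("containers", "initContainers"):
        containers = properties.get(containers_key)
        if not containers:
            continue
        for container in force_list(containers):
            name = find_in_dict(input_dict=container, key_path="properties/image")
            if name and isinstance(name, str):
                image_names.append(name)
    return image_names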
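def extract_images_from_azurerm_web_app(resource: dict[str, Any]) -> list[str]:
    """Image names of a ``Microsoft.App/containerApps`` or ``Microsoft.Web/containerApps`` resource.

    Reads ``properties/template/containers`` and collects each container's ``image`` when it is a non-empty
    string. Entries that are not mappings are skipped instead of raising, matching the type checks the other
    extractors in this module perform on their input.

    :param resource: the resource's rendered configuration
    """
    image_names: list[str] = []
    containers = find_in_dict(input_dict=resource, key_path="properties/template/containers")
    if not containers:
        return image_names
    for container in force_list(containers):
        if not isinstance(container, dict):
            # e.g. an unrendered reference left as a bare string: there is no image field to read
            continue
        name = container.get("image")
        if name and isinstance(name, str):
            image_names.append(name)
    return image_names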
# needs to be at the bottom to add the defined functions
# Maps a Bicep resource type to the extractor that pulls container image names out of it; both
# container-app resource types share one extractor.
SUPPORTED_AZURE_IMAGE_RESOURCE_TYPES = dict(
    [
        ("Microsoft.App/containerApps", extract_images_from_azurerm_web_app),
        ("Microsoft.Batch/batchAccounts/pools", extract_images_from_azurerm_batch_pool),
        ("Microsoft.ContainerInstance/containerGroups", extract_images_from_azurerm_container_group),
        ("Microsoft.Web/containerApps", extract_images_from_azurerm_web_app),
    ]
)
================================================
FILE: checkov/bicep/parser.py
================================================
from __future__ import annotations
import logging
import os
from collections.abc import Collection
from pathlib import Path
from typing import TYPE_CHECKING
from pycep import BicepParser
from checkov.common.util.file_utils import read_file_with_any_encoding
if TYPE_CHECKING:
from pycep.typing import BicepJson
class Parser:
    """Parses ``.bicep`` files with pycep (line numbers enabled) and keeps the raw lines for reporting."""

    def __init__(self) -> None:
        self.bicep_parser = BicepParser(add_line_numbers=True)

    def parse(self, file_path: Path) -> tuple[BicepJson, list[tuple[int, str]]] | tuple[None, None]:
        """Parse one file.

        :returns: ``(template, lines)`` where ``lines`` is a list of ``(1-based line number, text)`` with line
            endings preserved, or ``(None, None)`` when reading or parsing raises (the failure is logged at
            DEBUG level together with the traceback)
        """
        try:
            content = read_file_with_any_encoding(file_path=file_path)
            template = self.bicep_parser.parse(text=content)
        except Exception:
            logging.debug(f"[bicep] Couldn't parse {file_path}", exc_info=True)
            return None, None
        numbered_lines = list(enumerate(content.splitlines(keepends=True), start=1))
        return template, numbered_lines

    def get_files_definitions(
        self, file_paths: "Collection[Path]"
    ) -> tuple[dict[Path, BicepJson], dict[Path, list[tuple[int, str]]], list[str]]:
        """Parse every path in ``file_paths``.

        :returns: parsed templates keyed by path, numbered raw lines keyed by path, and the normalized
            absolute paths of the files that could not be parsed
        """
        logging.info(f"[bicep] start to parse {len(file_paths)} files")
        definitions: dict[Path, BicepJson] = {}
        definitions_raw: dict[Path, list[tuple[int, str]]] = {}
        parsing_errors: list[str] = []
        for file_path in file_paths:
            template, file_lines = self.parse(file_path)
            if not template or not file_lines:
                parsing_errors.append(os.path.normpath(file_path.absolute()))
                continue
            definitions[file_path] = template
            definitions_raw[file_path] = file_lines
        logging.info(f"[bicep] successfully parsed {len(definitions)} files")
        return definitions, definitions_raw, parsing_errors
================================================
FILE: checkov/bicep/runner.py
================================================
from __future__ import annotations
import os
import logging
from pathlib import Path
from typing import cast, Type, TYPE_CHECKING, Any, Literal
from typing_extensions import TypeAlias # noqa[TC002]
from checkov.bicep.graph_builder.context_definitions import build_definitions_context
from checkov.bicep.checks.param.registry import registry as param_registry
from checkov.bicep.checks.resource.registry import registry as resource_registry
from checkov.bicep.graph_builder.graph_to_tf_definitions import convert_graph_vertices_to_tf_definitions
from checkov.bicep.graph_builder.local_graph import BicepLocalGraph
from checkov.bicep.graph_manager import BicepGraphManager
from checkov.bicep.image_referencer.manager import BicepImageReferencerManager
from checkov.bicep.parser import Parser
from checkov.bicep.utils import clean_file_path, get_scannable_file_paths
from checkov.common.checks_infra.registry import get_graph_checks_registry
from checkov.common.typing import LibraryGraphConnector
from checkov.common.graph.graph_builder import CustomAttributes
from checkov.common.graph.graph_builder.consts import GraphSource
from checkov.common.images.image_referencer import ImageReferencerMixin
from checkov.common.output.extra_resource import ExtraResource
from checkov.common.output.graph_record import GraphRecord
from checkov.common.output.record import Record
from checkov.common.output.report import Report
from checkov.common.bridgecrew.check_type import CheckType
from checkov.common.runners.base_runner import BaseRunner
from checkov.common.typing import _CheckResult
from checkov.common.util.secrets import omit_secret_value_from_checks
from checkov.common.util.suppression import collect_suppressions_for_report
from checkov.runner_filter import RunnerFilter
if TYPE_CHECKING:
from checkov.common.checks.base_check_registry import BaseCheckRegistry
from checkov.common.checks_infra.registry import Registry
from checkov.common.graph.checks_infra.registry import BaseRegistry
from checkov.common.images.image_referencer import Image
from networkx import DiGraph
from pycep.typing import BicepJson
# Working-state aliases for Runner: the per-file context built by build_definitions_context, and the parsed
# Bicep templates keyed by file path.
_BicepContext: TypeAlias = "dict[str, dict[str, Any]]"
_BicepDefinitions: TypeAlias = "dict[Path, BicepJson]"
class Runner(ImageReferencerMixin[None], BaseRunner[_BicepDefinitions, _BicepContext, BicepGraphManager]):
    """Checkov runner for Bicep: parses templates, builds the graph, then runs Python and graph checks."""

    check_type = CheckType.BICEP  # noqa: CCE003  # a static attribute
    # Python check registries keyed by the definition section they scan
    block_type_registries: 'dict[Literal["parameters", "resources"], BaseCheckRegistry]' = {  # noqa: CCE003  # a static attribute
        "parameters": param_registry,
        "resources": resource_registry,
    }

    def __init__(
        self,
        db_connector: LibraryGraphConnector | None = None,
        source: str = GraphSource.BICEP,
        graph_class: Type[BicepLocalGraph] = BicepLocalGraph,
        graph_manager: BicepGraphManager | None = None,
        external_registries: list[BaseRegistry] | None = None
    ) -> None:
        """Set up the graph manager, the graph-check registry and empty parse state.

        :param db_connector: graph store connector; falls back to the base runner's default when None
        :param source: graph source label handed to a newly created BicepGraphManager
        :param graph_class: stored on the instance; not used elsewhere in this class
        :param graph_manager: manager to reuse; a new BicepGraphManager is created when None
        :param external_registries: stored on the instance; not used elsewhere in this class
        """
        super().__init__(file_extensions=['.bicep'])
        db_connector = db_connector or self.db_connector
        self.external_registries = external_registries if external_registries else []
        self.graph_class = graph_class
        self.graph_manager: BicepGraphManager = (
            graph_manager if graph_manager else BicepGraphManager(source=source, db_connector=db_connector)
        )
        self.graph_registry: Registry = get_graph_checks_registry(self.check_type)
        self.context: _BicepContext = {}
        self.definitions: _BicepDefinitions = {}
        self.definitions_raw: dict[Path, list[tuple[int, str]]] = {}  # type:ignore[assignment]
        self.root_folder: str | Path | None = None

    def run(
        self,
        root_folder: str | Path | None,
        external_checks_dir: list[str] | None = None,
        files: list[str] | None = None,
        runner_filter: RunnerFilter | None = None,
        collect_skip_comments: bool = True,
    ) -> Report | list[Report]:
        """Run every Bicep check and return the report(s).

        Parsing and graph building are skipped when ``self.context`` and ``self.definitions`` are already
        populated; otherwise the scannable files are parsed, external checks loaded, the context built and the
        graph created and saved. Returns a single ``Report``, or ``[report, image_report]`` when the image
        referencer ran and produced a report.
        """
        runner_filter = runner_filter or RunnerFilter()
        if not runner_filter.show_progress_bar:
            self.pbar.turn_off_progress_bar()

        report = Report(Runner.check_type)
        self.root_folder = root_folder

        if not self.context or not self.definitions:
            file_paths = get_scannable_file_paths(
                root_folder=root_folder, files=files, excluded_paths=runner_filter.excluded_paths
            )
            if not file_paths:
                # nothing to scan: return the empty report without building a graph
                return report

            self.definitions, self.definitions_raw, parsing_errors = Parser().get_files_definitions(file_paths)
            report.add_parsing_errors(parsing_errors)

            if external_checks_dir:
                for directory in external_checks_dir:
                    # external checks go into the resource registry and the graph registry only,
                    # not into the parameter registry
                    resource_registry.load_external_checks(directory)
                    self.graph_registry.load_external_checks(directory)

            self.context = build_definitions_context(definitions=self.definitions, definitions_raw=self.definitions_raw)

            logging.info("Creating Bicep graph")
            local_graph = self.graph_manager.build_graph_from_definitions(self.definitions)
            logging.info("Successfully created Bicep graph")

            self.graph_manager.save_graph(local_graph)
            # from here on self.definitions holds the graph's (rendered) view of the templates, not the raw parse
            self.definitions, self.breadcrumbs = convert_graph_vertices_to_tf_definitions(
                vertices=local_graph.vertices, root_folder=root_folder
            )
        self.pbar.initiate(len(self.definitions))

        # run Python checks
        self.add_python_check_results(report=report, runner_filter=runner_filter, root_folder=root_folder)

        # run graph checks
        self.add_graph_check_results(report=report, runner_filter=runner_filter)

        if runner_filter.run_image_referencer:
            if files:
                # 'root_folder' shouldn't be empty to remove the whole path later and only leave the shortened form
                # NOTE(review): os.path.commonprefix compares character by character, so the prefix can end
                # inside a directory name; os.path.split then drops that partial component — confirm intended
                root_folder = os.path.split(os.path.commonprefix(files))[0]

            image_report = self.check_container_image_references(
                graph_connector=self.graph_manager.get_reader_endpoint(),
                root_path=root_folder,
                runner_filter=runner_filter,
            )

            if image_report:
                # due too many tests failing only return a list, if there is an image report
                return [report, image_report]

        return report

    def set_definitions_raw(self, definitions_raw: dict[Path, list[tuple[int, str]]]) -> None:
        """Replace the numbered raw file lines used to build code blocks for records."""
        self.definitions_raw = definitions_raw

    def add_python_check_results(
        self, report: Report, runner_filter: RunnerFilter, root_folder: str | Path | None
    ) -> None:
        """Adds Python check results to given report

        For every file and every registry in ``block_type_registries`` each entity of that block type is
        scanned. Inline suppressions found in the entity's line range override the check result; secret
        values are removed from the reported code lines before the ``Record`` is created. Resources that
        yield no results and carry ``existing: False`` are listed as extra resources instead.
        """
        for file_path, definition in self.definitions.items():
            self.pbar.set_additional_data({'Current File Scanned': os.path.relpath(file_path, root_folder)})
            for block_type, registry in Runner.block_type_registries.items():
                block_type_confs = definition.get(block_type)
                if block_type_confs:
                    for name, conf in block_type_confs.items():
                        results = registry.scan(
                            scanned_file=str(file_path),
                            entity={name: conf},
                            skipped_checks=[],
                            runner_filter=runner_filter
                        )

                        if results:
                            file_code_lines = self.definitions_raw[file_path]
                            start_line = conf["__start_line__"]
                            end_line = conf["__end_line__"]
                            cleaned_path = clean_file_path(file_path)
                            resource_id = f"{conf['type']}.{name}"
                            report.add_resource(f"{cleaned_path}:{resource_id}")

                            # suppression comments are collected only from the entity's own lines
                            suppressions = collect_suppressions_for_report(
                                code_lines=file_code_lines[start_line - 1 : end_line]
                            )

                            for check, check_result in results.items():
                                # a suppression matching the check id (or its bc_id) replaces the scan result
                                if check.id in suppressions.keys():
                                    check_result = suppressions[check.id]
                                elif check.bc_id and check.bc_id in suppressions.keys():
                                    check_result = suppressions[check.bc_id]

                                # redact secret values from the code lines that end up in the report
                                censored_code_lines = omit_secret_value_from_checks(
                                    check=check,
                                    check_result=check_result,
                                    entity_code_lines=file_code_lines[start_line - 1 : end_line],
                                    entity_config=conf,
                                    resource_attributes_to_omit=runner_filter.resource_attr_to_omit
                                )

                                record = Record(
                                    check_id=check.id,
                                    bc_check_id=check.bc_id,
                                    check_name=check.name,
                                    check_result=check_result,
                                    code_block=censored_code_lines,
                                    file_path=self.extract_file_path_from_abs_path(cleaned_path),
                                    file_line_range=[start_line, end_line],
                                    resource=resource_id,
                                    check_class=check.__class__.__module__,
                                    file_abs_path=str(file_path.absolute()),
                                    evaluations=None,
                                    severity=check.severity,
                                )
                                record.set_guideline(check.guideline)
                                report.add_record(record=record)
                        elif conf.get("existing") is False:
                            # resources without checks, but not existing ones
                            cleaned_path = clean_file_path(file_path)
                            resource_id = f"{conf['type']}.{name}"
                            report.extra_resources.add(
                                ExtraResource(
                                    file_abs_path=str(file_path.absolute()),
                                    file_path=self.extract_file_path_from_abs_path(cleaned_path),
                                    resource=resource_id,
                                )
                            )
            self.pbar.update()
        self.pbar.close()

    def extract_file_path_from_abs_path(self, path: Path) -> str:
        """Return ``path`` relative to ``self.root_folder`` with a leading ``/``.

        When ``self.root_folder`` is None, ``os.path.relpath`` resolves against the current working directory.
        """
        return f"/{os.path.relpath(path, self.root_folder)}"

    def add_graph_check_results(self, report: Report, runner_filter: RunnerFilter) -> None:
        """Adds YAML check results to given report

        Each graph check result becomes a ``Record`` built from the entity's file path, id and line range;
        when a breadcrumb exists for the record's file path and resource it is wrapped in a ``GraphRecord``.
        """
        checks_results = self.run_graph_checks_results(runner_filter, self.check_type)

        for check, check_results in checks_results.items():
            for check_result in check_results:
                entity = check_result["entity"]
                entity_file_path = Path(entity[CustomAttributes.FILE_PATH])

                # only result and evaluated keys are kept; the entity itself is not stored on the record
                clean_check_result: _CheckResult = {
                    "result": check_result["result"],
                    "evaluated_keys": check_result["evaluated_keys"],
                }

                file_code_lines = self.definitions_raw[entity_file_path]
                start_line = entity["__start_line__"]
                end_line = cast("int", entity["__end_line__"])

                record = Record(
                    check_id=check.id,
                    bc_check_id=check.bc_id,
                    check_name=check.name,
                    check_result=clean_check_result,
                    code_block=file_code_lines[start_line - 1 : end_line],
                    file_path=self.extract_file_path_from_abs_path(clean_file_path(entity_file_path)),
                    file_line_range=[start_line, end_line],
                    resource=entity[CustomAttributes.ID],
                    check_class=check.__class__.__module__,
                    file_abs_path=str(entity_file_path.absolute()),
                    evaluations=None,
                    severity=check.severity,
                )
                if self.breadcrumbs:
                    breadcrumb = self.breadcrumbs.get(record.file_path, {}).get(record.resource)
                    if breadcrumb:
                        record = GraphRecord(record, breadcrumb)
                record.set_guideline(check.guideline)
                report.add_record(record=record)

    def extract_images(
        self,
        graph_connector: DiGraph | None = None,
        definitions: None = None,
        definitions_raw: dict[str, list[tuple[int, str]]] | None = None,
    ) -> list[Image]:
        """Return the container images referenced in the graph; ``definitions``/``definitions_raw`` are unused."""
        if not graph_connector:
            # should not happen
            return []

        manager = BicepImageReferencerManager(graph_connector=graph_connector)
        images = manager.extract_images_from_resources()

        return images
================================================
FILE: checkov/bicep/utils.py
================================================
from __future__ import annotations
import logging
import os
import re
from collections.abc import Collection
from pathlib import Path
from typing import TYPE_CHECKING
from checkov.common.runners.base_runner import filter_ignored_paths
from checkov.runner_filter import RunnerFilter
from checkov.bicep.parser import Parser
if TYPE_CHECKING:
from pycep.typing import BicepJson
# file extensions treated as Bicep templates by get_folder_definitions()
BICEP_POSSIBLE_ENDINGS = [".bicep"]
# keys under which a parsed definition carries its line range (see the runner's conf["__start_line__"] use)
BICEP_START_LINE = "__start_line__"
BICEP_END_LINE = "__end_line__"
def get_scannable_file_paths(
    root_folder: str | Path | None = None, files: list[str] | None = None, excluded_paths: list[str] | None = None
) -> set[Path]:
    """Finds Bicep files

    ``root_folder`` is searched recursively for regular ``*.bicep`` files. ``excluded_paths`` are regular
    expressions (a literal ``.terraform`` is escaped first) matched with ``re.search`` against the string form
    of each path found under ``root_folder``; they are not applied to ``files``. Entries of ``files`` are added
    as given when their name ends with ``.bicep``, without checking that they exist.
    """
    found: set[Path] = set()
    if root_folder:
        candidates = (candidate for candidate in Path(root_folder).rglob("*.bicep") if candidate.is_file())
        if excluded_paths:
            patterns = [re.compile(pattern.replace(".terraform", r"\.terraform")) for pattern in excluded_paths]
            found = {
                candidate for candidate in candidates if not any(rx.search(str(candidate)) for rx in patterns)
            }
        else:
            found = set(candidates)
    found.update(Path(file) for file in (files or []) if file.endswith(".bicep"))
    return found
def clean_file_path(file_path: Path) -> Path:
    """Drop ``.`` and ``..`` components from ``file_path`` (purely lexical; nothing is resolved on disk)."""
    kept_parts = tuple(part for part in file_path.parts if part != "." and part != "..")
    return Path(*kept_parts)
def get_folder_definitions(
    root_folder: str, excluded_paths: list[str] | None
) -> tuple[dict[Path, BicepJson], dict[Path, list[tuple[int, str]]], list[str]]:
    """Walk ``root_folder`` and parse every file whose extension is in ``BICEP_POSSIBLE_ENDINGS``.

    Directory and file names are passed through ``filter_ignored_paths`` with ``excluded_paths`` before use
    (presumably pruned in place, which is what would keep ``os.walk`` out of ignored directories).
    Returns the parser's ``(definitions, definitions_raw, parsing_errors)`` triple.
    """
    bicep_files: set[Path] = set()
    for current_dir, dir_names, file_names in os.walk(root_folder):
        filter_ignored_paths(current_dir, dir_names, excluded_paths)
        filter_ignored_paths(current_dir, file_names, excluded_paths)
        bicep_files.update(
            Path(os.path.join(current_dir, name))
            for name in file_names
            if os.path.splitext(name)[1] in BICEP_POSSIBLE_ENDINGS
        )
    return Parser().get_files_definitions(bicep_files)
def create_definitions(
    root_folder: str,
    files: "Collection[Path] | None" = None,
    runner_filter: RunnerFilter | None = None,
) -> tuple[dict[Path, BicepJson], dict[Path, list[tuple[int, str]]]]:
    """Parse the given files and/or every Bicep file under ``root_folder``.

    When both are supplied the ``root_folder`` results replace the ``files`` results; they are not merged.
    Parsing errors are logged as a warning and not returned.
    """
    definitions: dict[Path, BicepJson] = {}
    definitions_raw: dict[Path, list[tuple[int, str]]] = {}
    parsing_errors: list[str] = []
    runner_filter = runner_filter or RunnerFilter()

    if files:
        definitions, definitions_raw, parsing_errors = Parser().get_files_definitions(file_paths=files)
    if root_folder:
        definitions, definitions_raw, parsing_errors = get_folder_definitions(root_folder, runner_filter.excluded_paths)

    if parsing_errors:
        logging.warning(f"[bicep] found errors while parsing definitions: {parsing_errors}")
    return definitions, definitions_raw
================================================
FILE: checkov/bitbucket/__init__.py
================================================
from checkov.bitbucket.checks import * # noqa
================================================
FILE: checkov/bitbucket/base_bitbucket_configuration_check.py
================================================
from __future__ import annotations
from abc import abstractmethod
from collections.abc import Iterable
from typing import TYPE_CHECKING, Any
from checkov.bitbucket.registry import registry
from checkov.common.checks.base_check import BaseCheck
if TYPE_CHECKING:
from checkov.common.models.enums import CheckCategories, CheckResult
class BaseBitbucketCheck(BaseCheck):
    """Base class for Bitbucket configuration checks; every instance registers itself on construction."""

    def __init__(
        self,
        name: str,
        id: str,
        categories: Iterable[CheckCategories],
        supported_entities: Iterable[str],
        block_type: str,
        path: str | None = None,
        guideline: str | None = None,
    ):
        super().__init__(
            name=name,
            id=id,
            categories=categories,
            supported_entities=supported_entities,
            block_type=block_type,
            guideline=guideline,
        )
        self.path = path
        # registration is a side effect of construction: instantiating a subclass activates the check
        registry.register(self)

    def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> tuple[CheckResult, dict[str, Any]] | None:  # type:ignore[override] # multi_signature decorator is problematic
        """Remember ``entity_type`` on the instance, then delegate to ``scan_conf``."""
        self.entity_type = entity_type
        outcome = self.scan_conf(conf)
        return outcome

    @abstractmethod
    def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]] | None:
        """Evaluate ``conf`` and return ``(result, evaluated conf)``, or ``None``."""
        pass
================================================
FILE: checkov/bitbucket/checks/__init__.py
================================================
from pathlib import Path
# Export every sibling module so a star import of this package imports (and thereby runs) each check module.
modules = Path(__file__).parent.glob("*.py")
__all__ = [module.stem for module in modules if module.stem != "__init__" and module.is_file()]
================================================
FILE: checkov/bitbucket/checks/merge_requests_approvals.py
================================================
from __future__ import annotations
from typing import Any
from checkov.bitbucket.base_bitbucket_configuration_check import BaseBitbucketCheck
from checkov.bitbucket.schemas.branch_restrictions import schema as branch_restrictions_schema
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.json_doc.enums import BlockType
class MergeRequestRequiresApproval(BaseBitbucketCheck):
    """CKV_BITBUCKET_1: a ``require_approvals_to_merge`` branch restriction must demand at least 2 approvals."""

    def __init__(self) -> None:
        super().__init__(
            name="Merge requests should require at least 2 approvals",
            id="CKV_BITBUCKET_1",
            categories=(CheckCategories.SUPPLY_CHAIN,),
            supported_entities=("*",),
            block_type=BlockType.DOCUMENT
        )

    def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]] | None:
        """Pass when the first ``require_approvals_to_merge`` restriction has ``value >= 2``; fail otherwise.

        A configuration with no such restriction at all fails. Returns ``None`` when ``conf`` does not match
        the branch-restrictions schema. Only the first matching restriction is inspected.
        """
        if not branch_restrictions_schema.validate(conf):
            return None
        approval_rules = (
            restriction
            for restriction in conf.get("values", [])
            if restriction.get('kind', '') == 'require_approvals_to_merge'
        )
        first_rule = next(approval_rules, None)
        if first_rule is not None and first_rule.get('value', 0) >= 2:
            return CheckResult.PASSED, conf
        return CheckResult.FAILED, conf
# module-level instance: importing this module registers the check (registration happens in BaseBitbucketCheck.__init__)
check = MergeRequestRequiresApproval()
================================================
FILE: checkov/bitbucket/dal.py
================================================
from __future__ import annotations
import logging
import os
from typing import Any
import requests
from checkov.common.runners.base_runner import strtobool
from checkov.common.vcs.base_vcs_dal import BaseVCSDAL
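class Bitbucket(BaseVCSDAL):
    """Fetches Bitbucket configuration (branch restrictions) over the REST API and persists it as JSON."""

    def setup_conf_dir(self) -> None:
        """
        discover parameters from execution context of checkov and determine the directory to save temporal files of vcs configuration
        """
        bitbucket_conf_dir_name = os.getenv('CKV_BITBUCKET_CONF_DIR_NAME', 'bitbucket_conf')
        # the conf dir is placed under the current working directory; the runner later scans this directory
        self.bitbucket_conf_dir_path = os.path.join(os.getcwd(), bitbucket_conf_dir_name)
        self.bitbucket_branch_restrictions_file_path = os.path.join(self.bitbucket_conf_dir_path,
                                                                    "branch_restrictions.json")

    def discover(self) -> None:
        """
        discover parameters from execution context of checkov. usually from env variable
        """
        # CI_SERVER_URL must end with a slash: the API paths below are appended to it without adding one
        server_host = os.getenv('CI_SERVER_URL', "https://api.bitbucket.org/")
        self.api_url = f'{server_host}2.0'
        self.graphql_api_url = f"{server_host}api/graphql"
        # APP_PASSWORD is the secret sent as the HTTP basic-auth password together with BITBUCKET_USERNAME
        self.token = os.getenv('APP_PASSWORD', '')
        self.current_repository = os.getenv('BITBUCKET_REPO_FULL_NAME', '')
        self.current_branch = os.getenv('BITBUCKET_BRANCH', '')
        self.default_branch_cache = {}
        self.username = os.getenv('BITBUCKET_USERNAME', '')

    def _request(self, endpoint: str, allowed_status_codes: list[int], timeout: float = 30) -> dict[str, Any] | None:
        """GET ``<api_url>/<endpoint>`` with basic auth and return the decoded JSON body.

        :param endpoint: path appended to ``self.api_url``
        :param allowed_status_codes: any other status is treated as a failure (``raise_for_status`` is called)
        :param timeout: per-request timeout in seconds (constructed default); without one a stalled server
            would block the scan indefinitely
        :returns: the JSON mapping, or ``None`` when no token is configured, the status is not allowed, the
            body carries an ``errors`` key, or any exception is raised (logged at DEBUG level with traceback)
        """
        if not self.token:
            return None
        url_endpoint = f"{self.api_url}/{endpoint}"
        try:
            # the context manager closes the session's pooled connections instead of leaking them
            with requests.Session() as session:
                session.auth = (self.username, self.token)
                response = session.get(url_endpoint, timeout=timeout)
            if response.status_code in allowed_status_codes:
                data: "dict[str, Any]" = response.json()
                if isinstance(data, dict) and 'errors' in data.keys():
                    return None
                return data
            else:
                response.raise_for_status()
        except Exception:
            logging.debug(f"Query failed to run by returning code of {url_endpoint}", exc_info=True)
        return None

    def _headers(self) -> dict[str, Any]:
        # not needed here: authentication is done through the session's basic auth in _request
        return {}

    def get_branch_restrictions(self) -> dict[str, Any] | None:
        """Fetch the branch restrictions of ``current_repository``; ``None`` when it is unset or the call fails."""
        if self.current_repository:
            branch_restrictions = self._request(endpoint=f"repositories/{self.current_repository}/branch-restrictions",
                                                allowed_status_codes=[200])
            return branch_restrictions
        logging.debug("Environment variable BITBUCKET_REPO_FULL_NAME was not set. Cannot fetch branch restrictions.")
        return None

    def persist_branch_restrictions(self) -> None:
        """Write the fetched branch restrictions to ``bitbucket_branch_restrictions_file_path``; no-op on failure."""
        branch_restrictions = self.get_branch_restrictions()
        if branch_restrictions:
            BaseVCSDAL.persist(path=self.bitbucket_branch_restrictions_file_path, conf=branch_restrictions)

    def persist_all_confs(self) -> None:
        """Persist every supported configuration unless CKV_BITBUCKET_CONFIG_FETCH_DATA is a false value."""
        if strtobool(os.getenv("CKV_BITBUCKET_CONFIG_FETCH_DATA", "True")):
            self.persist_branch_restrictions()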
================================================
FILE: checkov/bitbucket/registry.py
================================================
from checkov.common.bridgecrew.check_type import CheckType
from checkov.json_doc.base_registry import Registry
# shared registry: Bitbucket checks register into it on construction and the Bitbucket runner scans with it
registry = Registry(CheckType.BITBUCKET_CONFIGURATION)
================================================
FILE: checkov/bitbucket/runner.py
================================================
from __future__ import annotations
from typing import TYPE_CHECKING
from checkov.bitbucket.dal import Bitbucket
from checkov.common.bridgecrew.check_type import CheckType
from checkov.json_doc.runner import Runner as JsonRunner
from checkov.runner_filter import RunnerFilter
if TYPE_CHECKING:
from checkov.common.checks.base_check_registry import BaseCheckRegistry
from checkov.common.output.report import Report
class Runner(JsonRunner):
    """JSON runner that first fetches the Bitbucket configuration and then scans the persisted files."""

    check_type = CheckType.BITBUCKET_CONFIGURATION  # noqa: CCE003  # a static attribute

    def __init__(self) -> None:
        # the DAL is created before the base initialiser runs, keeping the original construction order
        self.bitbucket = Bitbucket()
        super().__init__()

    def run(
        self,
        root_folder: str | None = None,
        external_checks_dir: list[str] | None = None,
        files: list[str] | None = None,
        runner_filter: RunnerFilter | None = None,
        collect_skip_comments: bool = True
    ) -> Report | list[Report]:
        """Fetch the Bitbucket configuration, then run the JSON checks over the DAL's conf directory.

        ``root_folder`` and ``files`` are ignored: the scan always targets ``bitbucket_conf_dir_path``.
        """
        active_filter = runner_filter or RunnerFilter()
        if not active_filter.show_progress_bar:
            self.pbar.turn_off_progress_bar()
        self.prepare_data()
        return super().run(
            root_folder=self.bitbucket.bitbucket_conf_dir_path,
            external_checks_dir=external_checks_dir,
            files=None,  # ignore file scans
            runner_filter=active_filter,
            collect_skip_comments=collect_skip_comments,
        )

    def prepare_data(self) -> None:
        """Fetch and persist every supported Bitbucket configuration file."""
        self.bitbucket.persist_all_confs()

    def require_external_checks(self) -> bool:
        # the default JSON runner requires only external checks; the Bitbucket runner brings built-in checks
        return False

    def import_registry(self) -> BaseCheckRegistry:
        """Return the Bitbucket check registry (imported lazily inside the method)."""
        from checkov.bitbucket.registry import registry
        return registry
================================================
FILE: checkov/bitbucket/schemas/__init__.py
================================================
================================================
FILE: checkov/bitbucket/schemas/branch_restrictions.py
================================================
from checkov.common.vcs.vcs_schema import VCSSchema
class BranchRestrictionsSchema(VCSSchema):
    """JSON schema (draft-04) for one page of the Bitbucket branch-restrictions API response."""

    def __init__(self) -> None:
        def restriction_entry() -> "dict[str, object]":
            # Schema of a single element of "values". A fresh dict is built on
            # each call so the three positional entries below stay independent.
            return {
                "type": "object",
                "properties": {
                    "kind": {"type": "string"},
                    "users": {"type": "array", "items": {}},
                    "links": {
                        "type": "object",
                        "properties": {
                            "self": {
                                "type": "object",
                                "properties": {"href": {"type": "string"}},
                                "required": ["href"],
                            }
                        },
                        "required": ["self"],
                    },
                    "pattern": {"type": "string"},
                    "branch_match_kind": {"type": "string"},
                    "groups": {"type": "array", "items": {}},
                    "type": {"type": "string"},
                    "id": {"type": "integer"},
                },
                "required": [
                    "kind",
                    "users",
                    "links",
                    "pattern",
                    "branch_match_kind",
                    "groups",
                    "type",
                    "id",
                ],
            }

        schema = {
            "$schema": "http://json-schema.org/draft-04/schema#",
            "type": "object",
            "properties": {
                "pagelen": {"type": "integer"},
                "values": {
                    "type": "array",
                    # draft-04 tuple form, as in the original: the first three
                    # elements are each validated against restriction_entry().
                    "items": [restriction_entry() for _ in range(3)],
                },
                "page": {"type": "integer"},
                "size": {"type": "integer"},
            },
            "required": ["pagelen", "values", "page", "size"],
        }
        super().__init__(schema=schema)
# Module-level instance; the schema dict is built once, at import time.
schema = BranchRestrictionsSchema()
================================================
FILE: checkov/bitbucket_pipelines/__init__.py
================================================
from checkov.bitbucket_pipelines.checks import * # noqa
================================================
FILE: checkov/bitbucket_pipelines/base_bitbucket_pipelines_check.py
================================================
from __future__ import annotations
from abc import abstractmethod
from collections.abc import Iterable
from typing import TYPE_CHECKING, Any
from checkov.common.checks.base_check import BaseCheck
from checkov.common.models.enums import CheckCategories
from checkov.bitbucket_pipelines.registry import registry
if TYPE_CHECKING:
from checkov.common.models.enums import CheckResult
class BaseBitbucketPipelinesCheck(BaseCheck):
    """Base class for Bitbucket Pipelines checks.

    Every instance is placed in the SUPPLY_CHAIN category and registers
    itself with the ``bitbucket_pipelines`` registry on construction.
    """

    def __init__(
        self, name: str, id: str, supported_entities: Iterable[str], block_type: str, path: str | None = None
    ) -> None:
        super().__init__(
            name=name,
            id=id,
            categories=(CheckCategories.SUPPLY_CHAIN,),
            supported_entities=supported_entities,
            block_type=block_type,
        )
        self.path = path
        registry.register(self)

    def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> tuple[CheckResult, dict[str, Any]]:
        """Remember the entity type on the instance, then hand ``conf`` to ``scan_conf``."""
        self.entity_type = entity_type
        return self.scan_conf(conf)

    @abstractmethod
    def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:
        """Evaluate ``conf``; each concrete check supplies the logic."""
================================================
FILE: checkov/bitbucket_pipelines/checks/__init__.py
================================================
from pathlib import Path
# Every sibling .py module name goes into __all__, so a star-import of this
# package (as done in checkov/bitbucket_pipelines/__init__.py) loads all checks.
modules = Path(__file__).parent.glob("*.py")
__all__ = [module.stem for module in modules if module.is_file() and module.stem != "__init__"]
================================================
FILE: checkov/bitbucket_pipelines/checks/latest_image.py
================================================
from __future__ import annotations
from typing import Any
from checkov.bitbucket_pipelines.base_bitbucket_pipelines_check import BaseBitbucketPipelinesCheck
from checkov.common.models.enums import CheckResult
from checkov.yaml_doc.enums import BlockType
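class ImageReferenceLatestTag(BaseBitbucketPipelinesCheck):
    """Flag pipeline/step images that reference the mutable ``:latest`` tag."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure the pipeline image uses a non latest version tag",
            id="CKV_BITBUCKETPIPELINES_1",
            block_type=BlockType.ARRAY,
            supported_entities=(
                "[{image:image,__startline__:__startline__,__endline__:__endline__}]",
                "pipelines.default[].step.{image: image, __startline__: __startline__, __endline__:__endline__}",
                "pipelines.*.[*][][][].step.{image: image, __startline__: __startline__, __endline__:__endline__}",
            ),
        )

    def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:
        """Return FAILED when the image reference ends in ``:latest``.

        :param conf: the entity selected by ``supported_entities``; expected to
            carry an ``image`` key
        :return: UNKNOWN when ``conf`` is not a dict or has no image, FAILED for
            a ``:latest`` reference, PASSED otherwise; ``conf`` is echoed back
        """
        if not isinstance(conf, dict):
            return CheckResult.UNKNOWN, conf
        image = conf.get("image")
        if not image:
            return CheckResult.UNKNOWN, conf
        # Bitbucket Pipelines also accepts the image as a mapping
        # (``image: {name: ..., username: ..., password: ...}``); the reference
        # to inspect is then its ``name`` entry. Previously such images always
        # passed because only a bare string was examined.
        image_ref = image.get("name") if isinstance(image, dict) else image
        if isinstance(image_ref, str) and image_ref.endswith(":latest"):
            return CheckResult.FAILED, conf
        return CheckResult.PASSED, conf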
# Module-level instance: constructing the check registers it with the
# bitbucket_pipelines registry (see BaseBitbucketPipelinesCheck.__init__).
check = ImageReferenceLatestTag()
================================================
FILE: checkov/bitbucket_pipelines/registry.py
================================================
from checkov.common.bridgecrew.check_type import CheckType
from checkov.yaml_doc.base_registry import Registry
# Shared registry that every BaseBitbucketPipelinesCheck registers itself with.
registry = Registry(CheckType.BITBUCKET_PIPELINES)
================================================
FILE: checkov/bitbucket_pipelines/runner.py
================================================
from __future__ import annotations
from typing import Any, TYPE_CHECKING
from checkov.bitbucket_pipelines.registry import registry
from checkov.common.bridgecrew.check_type import CheckType
from checkov.yaml_doc.runner import Runner as YamlRunner
if TYPE_CHECKING:
from checkov.common.checks.base_check_registry import BaseCheckRegistry
class Runner(YamlRunner):
    """YAML runner restricted to Bitbucket Pipelines workflow files.

    Only paths ending in ``bitbucket-pipelines.yml`` / ``.yaml`` are parsed;
    ``_parse_file`` returns ``None`` for anything else.
    """

    check_type = CheckType.BITBUCKET_PIPELINES  # noqa: CCE003 # a static attribute

    def __init__(self) -> None:
        super().__init__()

    def require_external_checks(self) -> bool:
        """Built-in checks come from ``registry``; external checks are optional."""
        return False

    def import_registry(self) -> BaseCheckRegistry:
        """Return the module-level Bitbucket Pipelines check registry."""
        return registry

    @staticmethod
    def is_workflow_file(file_path: str) -> bool:
        """
        :return: True if the file mentioned is named bitbucket-pipelines.yml. Otherwise: False
        """
        workflow_names = ("bitbucket-pipelines.yml", "bitbucket-pipelines.yaml")
        return any(file_path.endswith(name) for name in workflow_names)

    @staticmethod
    def _parse_file(
        f: str, file_content: str | None = None
    ) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None:
        """Parse ``f`` via the YAML runner when it is a workflow file, else return None.

        NOTE(review): ``file_content`` is accepted but not forwarded to
        ``YamlRunner._parse_file``, so the base reads the file itself; confirm
        whether the base accepts pre-read content before callers rely on it.
        """
        if not Runner.is_workflow_file(f):
            return None
        return YamlRunner._parse_file(f)
================================================
FILE: checkov/cdk/__init__.py
================================================
================================================
FILE: checkov/cdk/checks/__init__.py
================================================
================================================
FILE: checkov/cdk/checks/python/ALBDropHttpHeaders.yaml
================================================
# CKV_AWS_131: every CfnLoadBalancer() call is reported unless one of the
# not_pattern forms below matches. The four forms are the same exemption
# (type='application' plus the drop_invalid_header_fields attribute set to
# 'true') spelled for both keyword-argument orders and both key/value orders.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_131
  name: Ensure that ALB drops HTTP headers
  category: NETWORKING
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_elasticloadbalancingv2.CfnLoadBalancer()
  conditions:
    - not_pattern: |
        aws_cdk.aws_elasticloadbalancingv2.CfnLoadBalancer(, type='application' ,, load_balancer_attributes=[, {'key': 'routing.http.drop_invalid_header_fields.enabled','value': 'true'} ,] ,)
    - not_pattern: |
        aws_cdk.aws_elasticloadbalancingv2.CfnLoadBalancer(, type='application' ,, load_balancer_attributes=[, {'value': 'true','key': 'routing.http.drop_invalid_header_fields.enabled'} ,] ,)
    - not_pattern: |
        aws_cdk.aws_elasticloadbalancingv2.CfnLoadBalancer(, load_balancer_attributes=[, {'key': 'routing.http.drop_invalid_header_fields.enabled','value': 'true'} ,] ,, type='application' ,)
    - not_pattern: |
        aws_cdk.aws_elasticloadbalancingv2.CfnLoadBalancer(, load_balancer_attributes=[, {'value': 'true','key': 'routing.http.drop_invalid_header_fields.enabled'} ,] ,, type='application' ,)
================================================
FILE: checkov/cdk/checks/python/ALBListenerHTTPS.yaml
================================================
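# CKV_AWS_2: every CfnListener() call is reported unless its protocol is one
# of the exempted values (HTTPS, TLS, TCP, UDP, TCP_UDP) or it carries a
# default redirect action whose redirectConfig protocol is HTTPS.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_2
  # The name previously read "Ensure EFS is securely encrypted", which
  # describes a different check; the logic below is about the listener protocol.
  name: Ensure ALB protocol is HTTPS
  category: ENCRYPTION
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_elasticloadbalancingv2.CfnListener()
  conditions:
    - not_pattern: aws_cdk.aws_elasticloadbalancingv2.CfnListener(, protocol='HTTPS', )
    - not_pattern: aws_cdk.aws_elasticloadbalancingv2.CfnListener(, protocol='TLS', )
    - not_pattern: aws_cdk.aws_elasticloadbalancingv2.CfnListener(, protocol='TCP', )
    - not_pattern: aws_cdk.aws_elasticloadbalancingv2.CfnListener(, protocol='UDP', )
    - not_pattern: aws_cdk.aws_elasticloadbalancingv2.CfnListener(, protocol='TCP_UDP', )
    - not_pattern: |
        aws_cdk.aws_elasticloadbalancingv2.CfnListener(, default_actions=[, {'type': 'redirect', 'redirectConfig':{'protocol': 'HTTPS'}} , ] , )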
================================================
FILE: checkov/cdk/checks/python/APIGatewayAccessLogging.yaml
================================================
# CKV_AWS_76: two alternatives (patterns/or). A CfnStage() is reported unless
# access_log_setting is an AccessLogSettingProperty with a destination_arn,
# given inline or through an assigned variable ($P). An aws_serverless.Api()
# is reported unless default_stage carries an "access_log_setting" with a
# destination_arn, again inline or via $P.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_76
  name: Ensure API Gateway has Access Logging enabled
  category: LOGGING
  framework: cdk
scope:
  languages:
    - python
definition:
  patterns:
    or:
      - pattern: aws_cdk.aws_apigateway.CfnStage()
        conditions:
          - not_pattern: aws_cdk.aws_apigateway.CfnStage(, access_log_setting=aws_cdk.aws_apigateway.CfnStage.AccessLogSettingProperty(, destination_arn=$ARG , ) , )
          - not_pattern: |
              $P = aws_cdk.aws_apigateway.CfnStage.AccessLogSettingProperty(, destination_arn=$ARG , )
              aws_cdk.aws_apigateway.CfnStage(, access_log_setting=$P, )
      - pattern: aws_cdk.aws_serverless.Api()
        conditions:
          - not_pattern: |
              aws_cdk.aws_serverless.Api(, default_stage={, "access_log_setting": aws_cdk.aws_serverless.AccessLogSetting(, destination_arn=$ARG,), } , )
          - not_pattern: |
              $P = aws_cdk.aws_serverless.AccessLogSetting(, destination_arn=$ARG , )
              aws_cdk.aws_serverless.Api(, default_stage={, "access_log_setting": $P, }, )
================================================
FILE: checkov/cdk/checks/python/APIGatewayAuthorization.yaml
================================================
# CKV_AWS_59: a Method() is reported when authorization_type is
# AuthorizationType.NONE and api_key_required is False. The six alternatives
# are the same three keyword arguments in every order. The metavariable
# condition exempts methods whose http_method ($ARG) is OPTIONS.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_59
  name: Ensure there is no open access to back-end resources through API
  category: GENERAL_SECURITY
  framework: cdk
scope:
  languages:
    - python
definition:
  patterns:
    or:
      - pattern: aws_cdk.aws_apigateway.Method(, http_method=$ARG, , authorization_type=aws_cdk.aws_apigateway.AuthorizationType.NONE, , api_key_required=False, )
      - pattern: aws_cdk.aws_apigateway.Method(, http_method=$ARG, , api_key_required=False, , authorization_type=aws_cdk.aws_apigateway.AuthorizationType.NONE, )
      - pattern: aws_cdk.aws_apigateway.Method(, authorization_type=aws_cdk.aws_apigateway.AuthorizationType.NONE, , http_method=$ARG, , api_key_required=False, )
      - pattern: aws_cdk.aws_apigateway.Method(, authorization_type=aws_cdk.aws_apigateway.AuthorizationType.NONE, , api_key_required=False, , http_method=$ARG, )
      - pattern: aws_cdk.aws_apigateway.Method(, api_key_required=False, , authorization_type=aws_cdk.aws_apigateway.AuthorizationType.NONE, , http_method=$ARG, )
      - pattern: aws_cdk.aws_apigateway.Method(, api_key_required=False, , http_method=$ARG, , authorization_type=aws_cdk.aws_apigateway.AuthorizationType.NONE, )
  conditions:
    - metavariable: $ARG
      not_regex: OPTIONS
================================================
FILE: checkov/cdk/checks/python/APIGatewayCacheEnable.yaml
================================================
# CKV_AWS_120: a Stage() is reported unless cache_cluster_enabled=True; a
# CfnApi() is reported unless cacheClusterEnabled=True.
# NOTE(review): cacheClusterEnabled is camelCase while every other CDK keyword
# argument in this directory is snake_case; confirm the aws_sam.CfnApi
# constructor accepts that spelling, otherwise no CfnApi() call is ever exempted.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_120
  name: Ensure API Gateway caching is enabled
  category: BACKUP_AND_RECOVERY
  framework: cdk
scope:
  languages:
    - python
definition:
  patterns:
    or:
      - pattern: aws_cdk.aws_apigateway.Stage()
        conditions:
          - not_pattern: aws_cdk.aws_apigateway.Stage(, cache_cluster_enabled=True, )
      - pattern: aws_cdk.aws_sam.CfnApi()
        conditions:
          - not_pattern: aws_cdk.aws_sam.CfnApi(, cacheClusterEnabled=True , )
================================================
FILE: checkov/cdk/checks/python/APIGatewayV2AccessLogging.yaml
================================================
# CKV_AWS_95: $FUNC is restricted to CfnStage or CfnApi; the call is reported
# unless access_log_settings is a $FUNC.AccessLogSettingsProperty carrying a
# destination_arn.
# NOTE(review): $FUNC is substituted into the property class name as well, so
# the exemption for CfnApi needs CfnApi.AccessLogSettingsProperty to exist;
# confirm, otherwise every CfnApi() call is reported.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_95
  name: Ensure API Gateway V2 has Access Logging enabled
  category: LOGGING
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_apigatewayv2.$FUNC()
  conditions:
    - not_pattern: aws_cdk.aws_apigatewayv2.$FUNC(, access_log_settings=aws_cdk.aws_apigatewayv2.$FUNC.AccessLogSettingsProperty(, destination_arn=$ARG ,) ,)
    - metavariable: $FUNC
      regex: (CfnStage|CfnApi)
================================================
FILE: checkov/cdk/checks/python/APIGatewayXray.yaml
================================================
# CKV_AWS_73: a $MOD.CfnStage() call is reported unless tracing_enabled=True.
# NOTE(review): the second regex alternative, aws_apigateway2, is not the module
# spelling used elsewhere in this directory (APIGatewayV2AccessLogging uses
# aws_apigatewayv2), so it most likely never matches. Before correcting it,
# confirm that the V2 stage accepts tracing_enabled; if it does not, the
# corrected regex would report every V2 stage.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_73
  name: Ensure API Gateway has X-Ray Tracing enabled
  category: LOGGING
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.$MOD.CfnStage()
  conditions:
    - not_pattern: aws_cdk.$MOD.CfnStage(, tracing_enabled=True , )
    - metavariable: $MOD
      regex: (aws_apigateway|aws_apigateway2)
================================================
FILE: checkov/cdk/checks/python/AmazonMQBrokerPublicAccess.yaml
================================================
# CKV_AWS_69: a CfnBroker() call is reported when it passes
# publicly_accessible=True. There is no not_pattern, so brokers that omit the
# argument are not reported.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_69
  name: Ensure Amazon MQ Broker should not have public access
  category: GENERAL_SECURITY
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_amazonmq.CfnBroker(, publicly_accessible=True , )
================================================
FILE: checkov/cdk/checks/python/AppSyncFieldLevelLogs.yaml
================================================
# CKV_AWS_194: a CfnGraphQLApi() is reported unless its log_config is a
# LogConfigProperty whose field_log_level is FieldLogLevel.ERROR or .ALL
# (metavariable $ARG). The exemption is recognised as a source/sink pair,
# inline, or through an assigned variable ($LOG).
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_194
  name: Ensure AppSync has Field-Level logs enabled
  category: LOGGING
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_appsync.CfnGraphQLApi()
  conditions:
    - not_pattern:
        source: aws_cdk.aws_appsync.CfnGraphQLApi.LogConfigProperty(, field_log_level=aws_cdk.aws_appsync.FieldLogLevel.$ARG , )
        sink: aws_cdk.aws_appsync.CfnGraphQLApi(, log_config=$LOG , )
    - not_pattern: aws_cdk.aws_appsync.CfnGraphQLApi(, log_config=aws_cdk.aws_appsync.CfnGraphQLApi.LogConfigProperty(, field_log_level=aws_cdk.aws_appsync.FieldLogLevel.$ARG , ) , )
    - not_pattern: |
        $LOG = aws_cdk.aws_appsync.CfnGraphQLApi.LogConfigProperty(, field_log_level=aws_cdk.aws_appsync.FieldLogLevel.$ARG , )
        aws_cdk.aws_appsync.CfnGraphQLApi(, log_config=$LOG , )
    - metavariable: $ARG
      regex: (ERROR|ALL)
================================================
FILE: checkov/cdk/checks/python/AppSyncLogging.yaml
================================================
# CKV_AWS_193: a CfnGraphQLApi() is reported unless its log_config is a
# LogConfigProperty with a cloud_watch_logs_role_arn, given inline or through
# an assigned variable ($LOG).
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_193
  name: Ensure AppSync has Logging enabled
  category: LOGGING
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_appsync.CfnGraphQLApi()
  conditions:
    - not_pattern: aws_cdk.aws_appsync.CfnGraphQLApi(, log_config=aws_cdk.aws_appsync.CfnGraphQLApi.LogConfigProperty(, cloud_watch_logs_role_arn=$ARG , ) , )
    - not_pattern: |
        $LOG = aws_cdk.aws_appsync.CfnGraphQLApi.LogConfigProperty(, cloud_watch_logs_role_arn=$ARG , )
        aws_cdk.aws_appsync.CfnGraphQLApi(, log_config=$LOG , )
================================================
FILE: checkov/cdk/checks/python/AthenaWorkgroupConfiguration.yaml
================================================
# CKV_AWS_82: a CfnWorkGroup() is reported unless work_group_configuration is
# a WorkGroupConfigurationProperty with enforce_work_group_configuration=True,
# given inline or through an assigned variable ($ARG).
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_82
  name: Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption
  category: GENERAL_SECURITY
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_athena.CfnWorkGroup()
  conditions:
    - not_pattern: aws_cdk.aws_athena.CfnWorkGroup(, work_group_configuration=aws_cdk.aws_athena.CfnWorkGroup.WorkGroupConfigurationProperty(, enforce_work_group_configuration=True , ) , )
    - not_pattern: |
        $ARG = aws_cdk.aws_athena.CfnWorkGroup.WorkGroupConfigurationProperty(, enforce_work_group_configuration=True , )
        aws_cdk.aws_athena.CfnWorkGroup(, work_group_configuration=$ARG , )
================================================
FILE: checkov/cdk/checks/python/AuroraEncryption.yaml
================================================
# CKV_AWS_96: an aws_rds.CfnDBCluster() is reported unless it passes
# storage_encrypted=True.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_96
  name: Ensure all data stored in Aurora is securely encrypted at rest
  category: ENCRYPTION
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_rds.CfnDBCluster()
  conditions:
    - not_pattern: aws_cdk.aws_rds.CfnDBCluster(, storage_encrypted=True ,)
================================================
FILE: checkov/cdk/checks/python/BackupVaultEncrypted.yaml
================================================
# CKV_AWS_166: a CfnBackupVault() is reported unless encryption_key_arn is set.
# NOTE(review): category is LOGGING although the check is about encryption at
# rest with a KMS key; confirm whether ENCRYPTION was intended.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_166
  name: Ensure Backup Vault is encrypted at rest using KMS CMK
  category: LOGGING
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_backup.CfnBackupVault()
  conditions:
    - not_pattern: aws_cdk.aws_backup.CfnBackupVault(, encryption_key_arn=$ARG, )
================================================
FILE: checkov/cdk/checks/python/CloudFrontTLS12.yaml
================================================
# CKV_AWS_174: a CfnDistribution() is reported unless its distribution_config
# carries a viewer_certificate with minimum_protocol_version='TLSv1.2'
# (only the fully inline nesting is recognised).
# NOTE(review): only the literal 'TLSv1.2' is exempted; confirm that this is an
# accepted MinimumProtocolVersion value (CloudFront's TLS 1.2 policies carry a
# year suffix, e.g. TLSv1.2_2021), otherwise compliant distributions are reported.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_174
  name: Verify CloudFront Distribution Viewer Certificate is using TLS v1.2
  category: ENCRYPTION
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_cloudfront.CfnDistribution()
  conditions:
    - not_pattern: aws_cdk.aws_cloudfront.CfnDistribution(, distribution_config=aws_cdk.aws_cloudfront.CfnDistribution.DistributionConfigProperty(, viewer_certificate=aws_cdk.aws_cloudfront.CfnDistribution.ViewerCertificateProperty(, minimum_protocol_version='TLSv1.2' ,) ,) ,)
================================================
FILE: checkov/cdk/checks/python/CloudTrailLogValidation.yaml
================================================
# CKV_AWS_36: a CfnTrail() is reported unless enable_log_file_validation=True.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_36
  name: Ensure CloudTrail log file validation is enabled
  category: LOGGING
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_cloudtrail.CfnTrail()
  conditions:
    - not_pattern: aws_cdk.aws_cloudtrail.CfnTrail(, enable_log_file_validation=True , )
================================================
FILE: checkov/cdk/checks/python/CloudWatchLogGroupKMSKey.yaml
================================================
# CKV_AWS_158: an aws_logs.LogGroup() is reported unless kms_key is set.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_158
  name: Ensure that CloudWatch Log Group is encrypted by KMS
  category: ENCRYPTION
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_logs.LogGroup()
  conditions:
    - not_pattern: aws_cdk.aws_logs.LogGroup(, kms_key=$KEY, )
================================================
FILE: checkov/cdk/checks/python/CloudWatchLogGroupRetention.yaml
================================================
# CKV_AWS_66: a CfnLogGroup() is reported unless retention_in_days is set.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_66
  name: Ensure that CloudWatch Log Group specifies retention days
  category: LOGGING
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_logs.CfnLogGroup()
  conditions:
    - not_pattern: aws_cdk.aws_logs.CfnLogGroup(, retention_in_days=$NUM ,)
================================================
FILE: checkov/cdk/checks/python/CloudfrontDistributionEncryption.yaml
================================================
# CKV_AWS_34: a CfnDistribution() is reported when either its
# default_cache_behavior or an entry of cache_behaviors sets
# viewer_protocol_policy='allow-all' (only the inline nesting is recognised).
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_34
  name: Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS
  category: ENCRYPTION
  framework: cdk
scope:
  languages:
    - python
definition:
  patterns:
    or:
      - pattern: aws_cdk.aws_cloudfront.CfnDistribution(, distribution_config=aws_cdk.aws_cloudfront.CfnDistribution.DistributionConfigProperty(, default_cache_behavior=aws_cdk.aws_cloudfront.CfnDistribution.DefaultCacheBehaviorProperty(,viewer_protocol_policy='allow-all' ,) ,) , )
      - pattern: aws_cdk.aws_cloudfront.CfnDistribution(, distribution_config=aws_cdk.aws_cloudfront.CfnDistribution.DistributionConfigProperty(,cache_behaviors=[,aws_cdk.aws_cloudfront.CfnDistribution.CacheBehaviorProperty(, viewer_protocol_policy='allow-all' ,) ,] ,) ,)
================================================
FILE: checkov/cdk/checks/python/CloudfrontDistributionLogging.yaml
================================================
# CKV_AWS_86: a CfnDistribution() is reported unless its distribution_config
# carries a LoggingProperty with a bucket (only the inline nesting is recognised).
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_86
  name: Ensure CloudFront distribution has Access Logging enabled
  category: LOGGING
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_cloudfront.CfnDistribution()
  conditions:
    - not_pattern: aws_cdk.aws_cloudfront.CfnDistribution(, distribution_config=aws_cdk.aws_cloudfront.CfnDistribution.DistributionConfigProperty(, logging=aws_cdk.aws_cloudfront.CfnDistribution.LoggingProperty(, bucket=$ARG ,) ,) ,)
================================================
FILE: checkov/cdk/checks/python/CloudtrailEncryption.yaml
================================================
# CKV_AWS_35: a CfnTrail() is reported unless kms_key_id is set.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_35
  name: Ensure CloudTrail logs are encrypted at rest using KMS CMKs
  category: LOGGING
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_cloudtrail.CfnTrail()
  conditions:
    - not_pattern: aws_cdk.aws_cloudtrail.CfnTrail(, kms_key_id=$ARG ,)
================================================
FILE: checkov/cdk/checks/python/CloudtrailMultiRegion.yaml
================================================
# CKV_AWS_67: an aws_cloudtrail.Trail() is reported unless
# is_multi_region_trail=True.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_67
  name: Ensure CloudTrail is enabled in all Regions
  category: LOGGING
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_cloudtrail.Trail()
  conditions:
    - not_pattern: aws_cdk.aws_cloudtrail.Trail(, is_multi_region_trail=True ,)
================================================
FILE: checkov/cdk/checks/python/CodeBuildProjectEncryption.yaml
================================================
# CKV_AWS_78: a codebuild Project() is reported when its artifacts are of
# ArtifactsType.S3 and encryption_disabled=True; the two alternatives are the
# same two keyword arguments in both orders.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_78
  name: Ensure that CodeBuild Project encryption is not disabled
  category: ENCRYPTION
  framework: cdk
scope:
  languages:
    - python
definition:
  patterns:
    or:
      - pattern: aws_cdk.aws_codebuild.Project(, artifacts=aws_cdk.aws_codebuild.Artifacts(, type=aws_cdk.aws_codebuild.ArtifactsType.S3, , encryption_disabled=True, ) , )
      - pattern: aws_cdk.aws_codebuild.Project(, artifacts=aws_cdk.aws_codebuild.Artifacts(, encryption_disabled=True, , type=aws_cdk.aws_codebuild.ArtifactsType.S3, ) , )
================================================
FILE: checkov/cdk/checks/python/DAXEncryption.yaml
================================================
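# CKV_AWS_47: a CfnCluster() is reported unless sse_specification is an
# SSESpecificationProperty with enabled=True, given inline or through an
# assigned variable ($P).
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_47
  name: Ensure DAX is encrypted at rest (default is unencrypted)
  category: ENCRYPTION
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_dax.CfnCluster()
  conditions:
    - not_pattern: aws_cdk.aws_dax.CfnCluster(, sse_specification=aws_cdk.aws_dax.CfnCluster.SSESpecificationProperty(, enabled=True , ), )
    # The variable form previously read CfnCluster(sse_specification=$P) without
    # the surrounding ", ... ," used by the inline form above and by the other
    # two-statement exemptions in this directory, so it only matched a call whose
    # sole argument was sse_specification.
    - not_pattern: |
        $P = aws_cdk.aws_dax.CfnCluster.SSESpecificationProperty(, enabled=True , )
        aws_cdk.aws_dax.CfnCluster(, sse_specification=$P , )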
================================================
FILE: checkov/cdk/checks/python/DMSReplicationInstancePubliclyAccessible.yaml
================================================
# CKV_AWS_89: a ReplicationInstance() is reported when it passes
# publicly_accessible=True; instances that omit the argument are not reported.
# NOTE(review): category is ENCRYPTION although the check is about public
# reachability; confirm whether NETWORKING or GENERAL_SECURITY was intended.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_89
  name: DMS replication instance should not be publicly accessible
  category: ENCRYPTION
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_dms.ReplicationInstance(, publicly_accessible=True, )
================================================
FILE: checkov/cdk/checks/python/DocDBAuditLogs.yaml
================================================
# CKV_AWS_104: a CfnDBClusterParameterGroup() is reported unless its parameters
# mapping contains "audit_logs": "enabled".
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_104
  name: Ensure DocumentDB has audit logs enabled
  category: LOGGING
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_docdb.CfnDBClusterParameterGroup()
  conditions:
    - not_pattern: 'aws_cdk.aws_docdb.CfnDBClusterParameterGroup(, parameters={, "audit_logs": "enabled" , } , )'
================================================
FILE: checkov/cdk/checks/python/DocDBEncryption.yaml
================================================
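# CKV_AWS_74: an aws_docdb.CfnDBCluster() is reported unless it passes
# storage_encrypted=True.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_74
  name: Ensure DocumentDB is encrypted at rest (default is unencrypted)
  category: ENCRYPTION
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_docdb.CfnDBCluster()
  conditions:
    # The exemption previously named aws_neptune.CfnDBCluster, which can never
    # match the aws_docdb.CfnDBCluster() call selected by the pattern, so every
    # DocumentDB cluster was reported regardless of storage_encrypted.
    - not_pattern: aws_cdk.aws_docdb.CfnDBCluster(, storage_encrypted=True , )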
================================================
FILE: checkov/cdk/checks/python/DocDBTLS.yaml
================================================
# CKV_AWS_90: a CfnDBClusterParameterGroup() is reported when its parameters
# mapping is {'tls': 'disabled'}.
# NOTE(review): unlike DocDBAuditLogs, the dict literal here has no
# surrounding ", ... ,", so a parameters mapping that carries additional keys
# alongside 'tls': 'disabled' is presumably not matched; confirm against the
# pattern engine's semantics before widening it.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_90
  name: Ensure DocumentDB TLS is not disabled
  category: ENCRYPTION
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: |
    aws_cdk.aws_docdb.CfnDBClusterParameterGroup(, parameters={'tls': 'disabled'} ,)
================================================
FILE: checkov/cdk/checks/python/DynamodbGlobalTableRecovery.yaml
================================================
# CKV_AWS_165: a CfnGlobalTable() is reported unless one of its replicas is a
# ReplicaSpecificationProperty whose point_in_time_recovery_specification sets
# point_in_time_recovery_enabled=True (only the inline nesting is recognised).
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_165
  name: Ensure DynamoDB global table point in time recovery (backup) is enabled
  category: BACKUP_AND_RECOVERY
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_dynamodb.CfnGlobalTable()
  conditions:
    - not_pattern: aws_cdk.aws_dynamodb.CfnGlobalTable(, replicas=[, aws_cdk.aws_dynamodb.CfnGlobalTable.ReplicaSpecificationProperty(, point_in_time_recovery_specification=aws_cdk.aws_dynamodb.CfnGlobalTable.PointInTimeRecoverySpecificationProperty(point_in_time_recovery_enabled=True) , ) , ], )
================================================
FILE: checkov/cdk/checks/python/DynamodbRecovery.yaml
================================================
# CKV_AWS_28: an aws_dynamodb.Table() is reported unless
# point_in_time_recovery=True.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_28
  name: Ensure DynamoDB point-in-time recovery (backup) is enabled
  category: BACKUP_AND_RECOVERY
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_dynamodb.Table()
  conditions:
    - not_pattern: aws_cdk.aws_dynamodb.Table(, point_in_time_recovery=True , )
================================================
FILE: checkov/cdk/checks/python/EBSEncryption.yaml
================================================
# CKV_AWS_3: an aws_ec2.Volume() is reported unless encrypted=True.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_3
  name: Ensure all data stored in the EBS is securely encrypted
  category: ENCRYPTION
  framework: cdk
scope:
  languages:
    - python
definition:
  pattern: aws_cdk.aws_ec2.Volume()
  conditions:
    - not_pattern: aws_cdk.aws_ec2.Volume(, encrypted=True , )
================================================
FILE: checkov/cdk/checks/python/EC2PublicIP.yaml
================================================
# CKV_AWS_88: a CfnInstance() whose network_interfaces contain
# {'associate_public_ip_address': True}, or a CfnLaunchTemplate() whose
# launch_template_data lists such an interface, is reported.
# NOTE(review): the launch_template_data dict literal has no surrounding
# ", ... ,", so a launch_template_data that carries keys besides
# 'network_interfaces' is presumably not matched; confirm against the pattern
# engine's semantics.
metadata:
  version: 0.2
  approach: define failing
  id: CKV_AWS_88
  name: EC2 instance should not have public IP
  category: NETWORKING
  framework: cdk
scope:
  languages:
    - python
definition:
  patterns:
    or:
      - pattern: |
          aws_cdk.aws_ec2.CfnInstance(, network_interfaces=[, {'associate_public_ip_address': True} ,] ,)
      - pattern: |
          aws_cdk.aws_ec2.CfnLaunchTemplate(, launch_template_data={'network_interfaces':[, {'associate_public_ip_address': True} ,]} ,)
================================================
FILE: checkov/cdk/checks/python/ECRImageScanning.yaml
================================================
metadata:
version: 0.2
approach: define failing
id: CKV_AWS_163
name: Ensure ECR image scanning on push is enabled
category: GENERAL_SECURITY
framework: cdk
scope:
languages:
- python
definition:
pattern: aws_cdk.aws_ecr.Repository(