#hcl
Rulesets (1)
Rules (357)
semgrepEnsure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response.
semgrepEnsure that IAM policies don't allow data exfiltration actions that are not resource-constrained. This can allow the user to read sensitive data they don't need to read. Instead, make sure that the user granted these privileges are given these permissions on specific resources.
semgrepEnsure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions.
semgrepEnsure that IAM policies with permissions on other users don't allow for privilege escalation. This can lead to an attacker gaining full administrator access of AWS accounts. Instead, specify which user the permission should be used on or do not use the listed actions. $RESOURCE
semgrepEnsure that groups of actions that include iam:PassRole and could result in privilege escalation are not all allowed for the same user. These actions could result in an attacker gaining full admin access of an AWS account. Try not to use these actions in conjuction.
semgrepEnsure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources.
semgrepEnsure that no IAM policies allow "*" as a statement's actions. This allows all actions to be performed on the specified resources, and is a violation of the principle of least privilege. Instead, specify the actions that a certain user or policy is allowed to take.
semgrepThe security group rule allows ingress from public internet. Opening up ports to the public internet is potentially dangerous. You should restrict access to IP addresses or ranges that explicitly require it where possible. Set a more restrictive CIDR range.
semgrepEnsure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC
semgrepDetected an AWS CloudFront Distribution with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `minimum_protocol_version` to `"TLSv1.2_2018", "TLSv1.2_2019" or "TLSv1.2_2021"`.
semgrepDetected an AWS load balancer with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `ssl_policy` to `"ELBSecurityPolicy-TLS13-1-2-2021-06"`, or include a default action to redirect to HTTPS.
semgrepS3 bucket with public read-write access detected.
semgrepEnsure that Amazon ElastiCache clusters have automatic backup turned on. To fix this, set a `snapshot_retention_limit`.
semgrepThe AWS QLDB ledger permissions are too permissive. Consider using "'STANDARD'" permissions mode if possible.
semgrepThe AWS RDS Cluster is not configured to use IAM authentication. Consider using IAM for authentication.
semgrepThe AWS RDS is not configured to use IAM authentication. Consider using IAM for authentication.
semgrepThe AWS RDS is not configured to use multi-az. Consider using it if possible.
semgrepEnsure that Amazon S3 bucket versioning is not enabled. Consider using versioning if you don't have alternative backup mechanism.
semgrepThe AWS S3 object lock is not enabled. Consider using it if possible.
semgrepDetected a AWS load balancer that is not configured to drop invalid HTTP headers. Add `drop_invalid_header_fields = true` in your resource block.
semgrepFound a AWS API Gateway Stage without cache cluster enabled. Enabling the cache cluster feature enhances responsiveness of your API. Add `cache_cluster_enabled = true` to your resource block.
semgrepThere are missing tags for an AWS Auto Scaling group. Tags help track costs, allow for filtering for Auto Scaling groups, help with access control, and aid in organizing AWS resources. Add: `tag { key = "key" value = "value" propagate_at_launch = boolean }` See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group for more details.
semgrepThe AWS Autoscaling Group is not tagged.
semgrepThe AWS cross zone load balancing is not enabled.
semgrepThe AWS LoadBalancer deletion protection is not enabled.
semgrepThe AWS QLDB deletion protection is not enabled.
semgrepThe AWS CloudWatch Log group is missing a KMS key. While Log group data is always encrypted, you can optionally use a KMS key instead. Add `kms_key_id = "yourKey"` to your resource block.
semgrepThe AWS CloudWatch Log group is missing log retention time. By default, logs are retained indefinitely. Add `retention_in_days = <integer>` to your resource block.
semgrepThe `source_arn` field needs to end with an asterisk, like this: `<log-group-arn>:*` Without this, the `aws_lambda_permission` resource '$NAME' will not be created. Add the asterisk to the end of the arn. x $ARN
semgrepWhen using the AWS Lambda "Image" package_type, `runtime` and `handler` are not necessary for Lambda to understand how to run the code. These are built into the container image. Including `runtime` or `handler` with an "Image" `package_type` will result in an error on `terraform apply`. Remove these redundant fields.
semgrep`terraform apply` will fail because the environment variable "$VARIABLE" is a reserved by AWS. Use another name for "$VARIABLE".
semgrepThe `aws_cloudwatch_log_subscription_filter` resource "$NAME" needs a `depends_on` clause on the `aws_lambda_permission`, otherwise Terraform may try to create these out-of-order and fail.
semgrepThe Athena workgroup configuration can be overriden by client-side settings. The client can make changes to disable encryption settings. Enforce the configuration to prevent client overrides.
semgrepThe Athena database is unencrypted at rest. These databases are generally derived from data in S3 buckets and should have the same level of at rest protection. The AWS KMS encryption key protects database contents. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
semgrepThe AWS Athena Work Group is unencrypted. The AWS KMS encryption key protects backups in the work group. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
semgrepThe AWS Backup vault is unencrypted. The AWS KMS encryption key protects backups in the Backup vault. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
semgrepEnsure CloudTrail logs are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
semgrepThe AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information.
semgrepBy default, AWS CloudWatch Log Group is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your log group in CloudWatch. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
semgrepThe CodeBuild project artifacts are unencrypted. All artifacts produced by your CodeBuild project pipeline should be encrypted to prevent them from being read if compromised.
semgrepThe AWS CodeBuild Project Artifacts are unencrypted. The AWS KMS encryption key protects artifacts in the CodeBuild Projects. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
semgrepThe AWS CodeBuild Project is unencrypted. The AWS KMS encryption key protects projects in the CodeBuild. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
semgrepThe AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source.
semgrepDatabase instance has no logging. Missing logs can cause missing important event information.
semgrepEnsure DocDB is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
semgrepAuditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch.
semgrepThe AWS DocumentDB cluster is unencrypted. The data could be read if the underlying disks are compromised. You should enable storage encryption.
semgrepPoint-in-time recovery is not enabled for the DynamoDB table. DynamoDB tables should be protected against accidental or malicious write/delete actions. By enabling point-in-time-recovery you can restore to a known point in the event of loss of data.
semgrepBy default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your data in the DynamoDB table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
semgrepEnsure EBS Snapshot is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
semgrepThe AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS.
semgrepEnsure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
semgrepThe AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely.
semgrepEC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `"false"`.
semgrepThe AWS launch configuration EBS block device is unencrypted. The block device could be read if compromised. Block devices should be encrypted to ensure sensitive data is held securely at rest.
semgrepThe AWS launch configuration root block device is unencrypted. The block device could be read if compromised. Block devices should be encrypted to ensure sensitive data is held securely at rest.
semgrepThe EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2.
semgrepThe AWS security group rule is missing a description, or its description is empty or the default value. Security groups rules should include a meaningful description in order to simplify auditing, debugging, and managing security groups.
semgrepThe ECR repository has image scans disabled. Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.
semgrepThe ECR repository allows tag mutability. Image tags could be overwritten with compromised images. ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting `image_tag_mutability` to IMMUTABLE.
semgrepDetected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege.
semgrepEnsure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
semgrepEnsure all Elasticsearch has node-to-node encryption enabled.
semgrepELB has no logging. Missing logs can cause missing important event information.
semgrepEnsure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
semgrepEnsure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
semgrepEnsure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
semgrepEnsure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
semgrepEnsure FSX Windows file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
semgrepDetected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:<identity>`.
semgrepDetected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.
semgrepDetected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.
semgrepEnsure ImageBuilder component is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
semgrepDetected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `"true"`.
semgrepEnsure Kinesis stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
semgrepThe AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption.
semgrepEnsure Kinesis video stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
semgrepDetected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege.
semgrepThe AWS KMS has no rotation. Missing rotation can cause leaked key to be used by attackers. To fix this, set a `enable_key_rotation`.
semgrepA hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
semgrepBy default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
semgrepThe AWS Lambda permission has an AWS service principal but does not specify a source ARN. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function. Set the source_arn value to the ARN of the AWS resource that invokes the function, eg. an S3 bucket, CloudWatch Events Rule, API Gateway, or SNS topic.
semgrepThe AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts.
semgrepIngress and/or egress is allowed for all ports in the network ACL rule. Ensure access to specific required ports is allowed, and nothing else.
semgrepThe network ACL rule allows ingress from public internet. Opening up ACLs to the public internet is potentially dangerous. You should restrict access to IP addresses or ranges that explicitly require it where possible. Set a more restrictive CIDR range.
semgrepA hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
semgrepThe AWS RDS has no retention. Missing retention can cause losing important event information. To fix this, set a `backup_retention_period`.
semgrepEnsure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
semgrepEnsure S3 bucket object is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
semgrepEnsure S3 object copies are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
semgrepEnsure AWS Sagemaker domains are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
semgrepBy default, AWS SecretManager secrets are encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your secrets in the Secret Manager. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
semgrepThe AWS SNS topic is unencrypted. The SNS topic messages could be read if compromised. The AWS KMS encryption key protects topic contents. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
semgrepWildcard used in your SQS queue policy action. SQS queue policies should always grant least privilege - that is, only grant the permissions required to perform a specific task. Implementing least privilege is important to reducing security risks and reducing the effect of errors or malicious intent.
semgrepWildcard used in your SQS queue policy principal. This grants access to all users, including anonymous users (public access). Unless you explicitly require anyone on the internet to be able to read or write to your queue, limit principals, actions and resources to what you need according to least privilege.
semgrepThe AWS SQS queue contents are unencrypted. The data could be read if compromised. Enable server-side encryption for your queue using SQS-managed encryption keys (SSE-SQS), or using your own AWS KMS key (SSE-KMS).
semgrepThe AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
semgrepResources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible.
semgrepEnsure Timestream database is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
semgrepTransfer Server endpoint type should not have public or null configured in order to block public access. To fix this, set your `endpoint_type` to `"VPC"`.
semgrepThe AWS Workspace root volume is unencrypted. The AWS KMS encryption key protects root volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
semgrepThe AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
semgrepThe AWS Athena Workgroup is unencrypted. Encryption protects query results in your workgroup. To enable, add: `encryption_configuration { encryption_option = "SSE_KMS" kms_key_arn = aws_kms_key.example.arn }` within `result_configuration { }` in your resource block, where `encryption_option` is your chosen encryption method and `kms_key_arn` is your KMS key ARN.
semgrep`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this.
semgrepDetected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:root`.
semgrepEnsures that Active Directory is used for authentication for Service Fabric
semgrepEnsure that AKS uses Azure Policies Add-on
semgrepEnsure that Application Gateway enables WAF
semgrepEnsure that Net Framework version is the latest, if used as a part of the web app
semgrepEnsure FTP deployments are disabled
semgrepEnsure that HTTP Version is the latest if used to run the web app
semgrepEnsure that Java version is the latest, if used to run the web app
semgrepEnsure that PHP version is the latest, if used to run the web app
semgrepEnsure that Python version is the latest, if used to run the web app
semgrepEnsure that app services use Azure Files
semgrepEnsure that Azure Defender is set to On for App Service
semgrepEnsure that Azure Defender is set to On for Container
semgrepEnsure that Azure Defender is set to On for Key Vault
semgrepEnsure that Azure Defender is set to On for Kubernetes
semgrepEnsure that Azure Defender is set to On for Servers
semgrepEnsure that Azure Defender is set to On for SQL servers on machines
semgrepEnsure that Azure Defender is set to On for SQL servers
semgrepEnsure that Azure Defender is set to On for Storage
semgrepEnsure that Azure Front Door enables WAF
semgrepEnsure that Azure Front Door uses WAF and configured in “Detection” or “Prevention” modes
semgrepEnsure that HTTP Version is the latest if used to run the Function app
semgrepEnsure that HTTP Version is the latest if used to run the Function app
semgrepEnsure that key vault allows firewall rules settings
semgrepEnsure that key vault enables purge protection
semgrepEnsure that key vault enables soft delete
semgrepEnsure the key vault is recoverable https://docs.bridgecrew.io/docs/ensure-the-key-vault-is-recoverable
semgrepEnsure that MariaDB server enables geo-redundant backups
semgrepEnsure Enforce SSL connection is set to Enabled for MariaDB servers
semgrepEnsure audit profile captures all the activities
semgrepEnsure that Activity Log Retention is set 365 days or greater
semgrepEnsure that MySQL server enables geo-redundant backups
semgrepEnsure Enforce SSL connection is set to Enabled for MySQL servers
semgrepEnsure that MySQL server enables Threat detection policy
semgrepEnsure that Network Interfaces disable IP forwarding
semgrepEnsure that PostgreSQL Flexible server enables geo-redundant backups
semgrepEnsure that PostgreSQL server enables geo-redundant backups
semgrepEnsure server parameter connection_throttling is set to ON for PostgreSQL Database Server
semgrepEnsure server parameter log_checkpoints is set to ON for PostgreSQL Database Server
semgrepEnsure server parameter log_connections is set to ON for PostgreSQL Database Server
semgrepEnsure Enforce SSL connection is set to Enabled for PostgreSQL servers
semgrepEnsure that PostgreSQL server enables Threat detection policy
semgrepEnsure that key vault secrets have “content_type” set
semgrepEnsure that the expiration date is set on all secrets
semgrepEnsure that Send email notification for high severity alerts is set to On
semgrepEnsure that Security contact emails is set
semgrepEnsure that Security contact Phone number is set
semgrepEnsure that Send email notification for high severity alerts is set to On
semgrepEnsure that standard pricing tier is selected
semgrepEnsure that Send Alerts To is enabled for MSSQL servers
semgrepEnsure that Email service and co-administrators is Enabled for MSSQL servers
semgrepEnsure that Threat Detection types is set to All
semgrepEnsure that storage account enables secure transfer
semgrepEnsure that Azure Synapse workspaces enables managed virtual networks
semgrepEnsure that automatic OS image patching is enabled for Virtual Machine Scale Sets
semgrepEnsure that Application Gateway uses WAF in “Detection” or “Prevention” modes
semgrepEnsure AKS has an API Server Authorized IP Ranges enabled
semgrepEnsure that AKS enables private clusters
semgrepEnsure that AKS uses disk encryption set
semgrepEnsure that API management services use virtual networks
semgrepRegistering the identity used by an App with AD allows it to interact with other services without using username and password. Set the `identity` block in your appservice.
semgrepEnabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings
semgrepUse the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block
semgrepBy default, clients can connect to App Service by using both HTTP or HTTPS. HTTP should be disabled enabling the HTTPS Only setting.
semgrepDetected an AppService that was not configured to use a client certificate. Add `client_cert_enabled = true` in your resource block.
semgrepDetected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version = "1.2"` in your resource block.
semgrepEnsure App Service Authentication is set on Azure App Service
semgrepEnsure the web app has Client Certificates
semgrepEnsure that App service enables detailed error messages
semgrepEnsure that CORS disallows every resource to access app services
semgrepEnsure that App service enables failed request tracing
semgrepEnsure that App service enables HTTP logging
semgrepEnsure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot
semgrepEnsure App Service Authentication is set on Azure App Service
semgrepEnsure that Managed identity provider is enabled for app services
semgrepEnsure web app is using the latest version of TLS encryption
semgrepEnsure that Automation account variables are encrypted
semgrepEnsure that Azure Batch account uses key vault to encrypt data
semgrepEnsure that Cognitive Services accounts disable public network access
semgrepEnsure that Azure Container group is deployed into virtual network
semgrepEnsure Cosmos DB accounts have restricted access
semgrepEnsure that Cosmos DB accounts have access key write capability disabled
semgrepEnsure that Azure Cosmos DB disables public network access
semgrepEnsure that Cosmos DB accounts have customer-managed keys to encrypt data at rest
semgrepEnsure that no custom subscription owner roles are created
semgrepEnsure that Azure Data Explorer uses double encryption
semgrepEnsure that Azure Data Explorer uses disk encryption
semgrepEnsure that Azure Data factory public network access is disabled
semgrepEnsure that Azure Data Factory uses Git repository for source control
semgrepEnsure that Data Lake Store accounts enables encryption
semgrepEnsure that Azure Event Grid Domain public network access is disabled
semgrepensure that CORS disallows all resources to access Function app
semgrepEnsure that function apps enables Authentication
semgrepEnsure Virtual Machine Extensions are not Installed
semgrepEnsure that Azure IoT Hub disables public network access
semgrepEnsure that key vault key is backed by HSM
semgrepEnsure that the expiration date is set on all keys
semgrepEnsure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption
semgrepEnsure Azure managed disk has encryption enabled
semgrepEnsure public network access enabled is set to False for MariaDB servers
semgrepEnsure that Activity Log Retention is set 365 days or greater
semgrepEnsure MSSQL is using the latest version of TLS encryption
semgrepEnsure that MySQL server enables infrastructure encryption
semgrepEnsure MySQL is using the latest version of TLS encryption
semgrepEnsure public network access enabled is set to False for MySQL servers
semgrepEnsure that Network Security Group Flow Log retention period is 90 days or greater
semgrepEnsure that PostgreSQL server enables infrastructure encryption
semgrepEnsure PostgreSQL is using the latest version of TLS encryption
semgrepEnsure public network access enabled is set to False for PostgreSQL servers
semgrepEnsure that only SSL are enabled for Cache for Redis
semgrepEnsure that Azure Cache for Redis disables public network access
semgrepEnsure that remote debugging is not enabled for app services
semgrepEnsure that Virtual machine does not enable password authentication
semgrepEnsure that Azure Cognitive Search disables public network access
semgrepEnsure that Service Fabric use three levels of protection available
semgrepEnsure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
semgrepEnsure that SQL server disables public network access
semgrepEnsure default network access rule for Storage Accounts is set to deny
semgrepEnsure Storage Account is using the latest version of TLS encryption
semgrepEnsure that Public access level is set to Private for blob containers
semgrepEnsure that Azure File Sync disables public network access
semgrepEnsure that Virtual machine scale sets have encryption at host enabled
semgrepEnabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings
semgrepUse the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your function app resource block
semgrepKey vault Secret should have a content type set
semgrepEnsure that the expiration date is set on all keys
semgrepEnsure that the expiration date is set on all secrets
semgrepKey vault should have purge protection enabled
semgrepNetwork ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.
semgrepSome Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules
semgrepDetected a Storage that was not configured to deny action by default. Add `default_action = "Deny"` in your resource block.
semgrepDetected a Storage that was not configured to deny action by default. Add `enable_https_traffic_only = true` in your resource block.
semgrepStorage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.
semgrepAzure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2.
semgrepEnsure Compute instances are launched with Shielded VM enabled
semgrepEnsure Compute instances are launched with Shielded VM enabled
semgrepEnsure Kubernetes Cluster is created with Alias IP ranges enabled
semgrepEnsure use of Binary Authorization
semgrepEnsure Shielded GKE Nodes are Enabled
semgrepEnsure Kubernetes Clusters are configured with Labels
semgrepEnsure the GKE Metadata Server is Enabled
semgrepEnsure 'Automatic node repair' is enabled for Kubernetes Clusters
semgrepEnsure 'Automatic node upgrade' is enabled for Kubernetes Clusters
semgrepEnsure the GKE Metadata Server is Enabled
semgrepEnsure Secure Boot for Shielded GKE Nodes is Enabled
semgrepEnsure all Cloud SQL database instance have backup configuration enabled
semgrepEnsure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image
semgrepEnsure that Private google access is enabled for IPV6
semgrepEnsure MySQL database 'local_infile' flag is set to 'off'
semgrepEnsure PostgreSQL database 'log_checkpoints' flag is set to 'on'
semgrepEnsure PostgreSQL database 'log_connections' flag is set to 'on'
semgrepEnsure PostgreSQL database 'log_disconnections' flag is set to 'on'
semgrepEnsure PostgreSQL database 'log_lock_waits' flag is set to 'on'
semgrepEnsure PostgreSQL database 'log_min_duration_statement' flag is set to '-1'
semgrepEnsure PostgreSQL database 'log_min_messages' flag is set to a valid value
semgrepEnsure PostgreSQL database 'log_temp_files' flag is set to '0'
semgrepEnsure Cloud storage has versioning enabled
semgrepEnsure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)
semgrepEnsure that Artifact Registry repositories are not anonymously or publicly accessible
semgrepEnsure that Artifact Registry repositories are not anonymously or publicly accessible
semgrepEnsure that BigQuery datasets are not anonymously or publicly accessible
semgrepEnsure that BigQuery Tables are not anonymously or publicly accessible
semgrepEnsure that BigQuery Tables are not anonymously or publicly accessible
semgrepEnsure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)
semgrepEnsure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK)
semgrepEnsure Cloud build workers are private
semgrepEnsure bucket logs access.
semgrepEnsure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)
semgrepEnsure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)
semgrepEnsure Google compute firewall ingress does not allow unrestricted FTP access
semgrepEnsure Google compute firewall ingress does not allow unrestricted FTP access
semgrepEnsure Google compute firewall ingress does not allow unrestricted SSH access
semgrepEnsure Google compute firewall ingress does not allow unrestricted MySQL access
semgrepEnsure Google compute firewall ingress does not allow unrestricted RDP access
semgrepEnsure Google compute firewall ingress does not allow unrestricted HTTP access
semgrepEnsure that IP forwarding is not enabled on Instances. This lets the instance act as a traffic router and receive traffic not intended for it, which may route traffic through unintended passages.
semgrepEnsure that no instance in the project overrides the project setting for enabling OSLogin (OSLogin needs to be enabled in project metadata for all instances)
semgrepEnsure oslogin is enabled for a Project
semgrepEnsure that Compute instances do not have public IP addresses
semgrepEnsure 'Enable connecting to serial ports' is not enabled for VM Instance
semgrepEnsure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
semgrepEnsure that IP forwarding is not enabled on Instances. This lets the instance act as a traffic router and receive traffic not intended for it, which may route traffic through unintended passages.
semgrepEnsure that Compute instances do not have public IP addresses
semgrepEnsure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK)
semgrepEnsure Dataflow jobs are private
semgrepEnsure Data fusion instances are private
semgrepEnsure Datafusion has stack driver logging enabled.
semgrepEnsure Datafusion has stack driver monitoring enabled.
semgrepEnsure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK)
semgrepEnsure Dataproc Clusters do not have public IPs
semgrepEnsure that Dataproc clusters are not anonymously or publicly accessible
semgrepEnsure that Dataproc clusters are not anonymously or publicly accessible
semgrepEnsure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC
semgrepEnsure no roles that enable to impersonate and manage all service accounts are used at a folder level
semgrepEnsure no roles that enable to impersonate and manage all service accounts are used at a folder level
semgrepEnsure Default Service account is not used at a folder level
semgrepEnsure Default Service account is not used at a folder level
semgrepEnsure GKE basic auth is disabled
semgrepEnsure client certificate authentication to Kubernetes Engine Clusters is disabled
semgrepEnsure logging is set to Enabled on Kubernetes Engine Clusters
semgrepEnable VPC Flow Logs and Intranode Visibility
semgrepEnsure Integrity Monitoring for Shielded GKE Nodes is Enabled
semgrepManage Kubernetes RBAC users with Google Groups for GKE
semgrepEnsure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
semgrepEnsure legacy Compute Engine instance metadata APIs are Disabled
semgrepEnsure master authorized networks is set to enabled in GKE clusters
semgrepEnsure monitoring is set to Enabled on Kubernetes Engine Clusters
semgrepEnsure Network Policy is enabled on Kubernetes Engine Clusters
semgrepEnsure Integrity Monitoring for Shielded GKE Nodes is Enabled
semgrepEnsure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters
semgrepEnsure Kubernetes Cluster is created with Private cluster enabled
semgrepEnsure GKE Control Plane is not public
semgrepEnsure Secure Boot for Shielded GKE Nodes is Enabled
semgrepEnsure KMS keys are protected from deletion
semgrepEnsure Memorystore for Redis has AUTH enabled
semgrepEnsure Memorystore for Redis uses intransit encryption
semgrepEnsure no roles that enable to impersonate and manage all service accounts are used at an organization level
semgrepEnsure no roles that enable to impersonate and manage all service accounts are used at an organization level
semgrepEnsure default service account is not used at an organization level
semgrepEnsure default service account is not used at an organization level
semgrepEnsure that the default network does not exist in a project. Set auto_create_network to `false`.
semgrepEnsure Default Service account is not used at a project level
semgrepEnsure Default Service account is not used at a project level
semgrepEnsure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
semgrepEnsure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
semgrepEnsure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)
semgrepEnsure that Pub/Sub Topics are not anonymously or publicly accessible
semgrepEnsure that Pub/Sub Topics are not anonymously or publicly accessible
semgrepEnsure that GCP Cloud Run services are not anonymously or publicly accessible
semgrepEnsure that GCP Cloud Run services are not anonymously or publicly accessible
semgrepEnsure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK)
semgrepEnsure all Cloud SQL database instance requires all incoming connections to use SSL
semgrepEnsure that Cloud SQL database Instances are not open to the world
semgrepEnsure Cloud SQL database does not have public IP
semgrepEnsure that Container Registry repositories are not anonymously or publicly accessible
semgrepEnsure that Container Registry repositories are not anonymously or publicly accessible
semgrepEnsure that Cloud Storage buckets have uniform bucket-level access enabled
semgrepEnsure that VPC Flow Logs is enabled for every subnet in a VPC Network
semgrepEnsure that private_ip_google_access is enabled for Subnet
semgrepEnsure Vertex AI datasets uses a CMK (Customer Manager Key)
semgrepEnsure Vertex AI Metadata Store uses a CMK (Customer Manager Key)
semgrepEnsure Vertex AI instances are private
semgrepAWS EC2 Instance allowing use of the IMDSv1
semgrepThe ECR Repository isn't configured to scan images on push
semgrepMissing EKS control plane logging. It is recommended to enable at least Kubernetes API server component logs ("api") and audit logs ("audit") of the EKS control plane through the enabled_cluster_log_types attribute.
semgrepThe vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access
semgrepEncryption at rest is not enabled for the elastic search domain resource
semgrepIAM policies that allow full "*-*" admin privileges violates the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need. $TYPE
semgrepRDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.
semgrepRDS instance accessible from the Internet detected.
semgrepCORS rule on bucket permits any origin
semgrepS3 bucket with public read access detected.
semgrepThis rule has been deprecated, as all s3 buckets are encrypted by default with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info.