diff --git a/assets/libraries/ansible.rego b/assets/libraries/ansible.rego index 9cd0d50ba36..0e94b37744b 100644 --- a/assets/libraries/ansible.rego +++ b/assets/libraries/ansible.rego @@ -7,7 +7,7 @@ tasks := TasksPerDocument # Builds an object that stores all tasks for each document id TasksPerDocument[id] = result { - document := input.document[i] + some document in input.document id := document.id result := getTasks(document) } diff --git a/assets/libraries/terraform.rego b/assets/libraries/terraform.rego index e0857c6d957..5ca748ca3b8 100644 --- a/assets/libraries/terraform.rego +++ b/assets/libraries/terraform.rego @@ -522,7 +522,8 @@ matches(target, name) { } has_target_resource(bucketName, resourceName) { - resource := input.document[i].resource[resourceName][_] + some document in input.document + some resource in document.resource[resourceName] split(resource.bucket, ".")[1] == bucketName } diff --git a/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/query.rego b/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/query.rego index cacc444e71b..530ec7fa334 100644 --- a/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/query.rego +++ b/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.ansible as ans_lib import data.generic.common as common_lib +import future.keywords.in modules := {"community.aws.iam_role", "iam_role"} @@ -12,7 +13,7 @@ CxPolicy[result] { policy := iamRole.assume_role_policy_document st := common_lib.get_statement(common_lib.get_policy(policy)) - statement := st[_] + some statement in st common_lib.is_allow_effect(statement) 
diff --git a/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/query.rego b/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/query.rego index 97f645bd33a..f57e8885578 100644 --- a/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/query.rego +++ b/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.ansible as ans_lib import data.generic.common as common_lib +import future.keywords.in modules := {"community.aws.ecs_ecr", "ecs_ecr"} @@ -11,7 +12,7 @@ CxPolicy[result] { ans_lib.checkState(cloudwatchlogs) st := common_lib.get_statement(common_lib.get_policy(cloudwatchlogs.policy)) - statement := st[_] + some statement in st common_lib.is_allow_effect(statement) diff --git a/assets/queries/ansible/aws/iam_policies_with_full_privileges/query.rego b/assets/queries/ansible/aws/iam_policies_with_full_privileges/query.rego index b6369279bc4..1ebb61df0e0 100644 --- a/assets/queries/ansible/aws/iam_policies_with_full_privileges/query.rego +++ b/assets/queries/ansible/aws/iam_policies_with_full_privileges/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.ansible as ans_lib import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { task := ans_lib.tasks[id][t] @@ -10,7 +11,7 @@ CxPolicy[result] { ans_lib.checkState(awsApiGateway) st := common_lib.get_statement(common_lib.get_policy(awsApiGateway.policy)) - statement := st[_] + some statement in st common_lib.is_allow_effect(statement) common_lib.equalsOrInArray(statement.Resource, "*") diff --git a/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/query.rego b/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/query.rego index fa7054297d3..8e4dee5fefc 100644 --- a/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/query.rego 
+++ b/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.ansible as ans_lib import data.generic.common as common_lib +import future.keywords.in modules := {"community.aws.iam_managed_policy", "iam_managed_policy"} @@ -11,7 +12,7 @@ CxPolicy[result] { ans_lib.checkState(awsApiGateway) st := common_lib.get_statement(common_lib.get_policy(awsApiGateway.policy)) - statement := st[_] + some statement in st common_lib.is_allow_effect(statement) diff --git a/assets/queries/ansible/aws/iam_policy_grants_full_permissions/query.rego b/assets/queries/ansible/aws/iam_policy_grants_full_permissions/query.rego index af85fda6663..6d655b64171 100644 --- a/assets/queries/ansible/aws/iam_policy_grants_full_permissions/query.rego +++ b/assets/queries/ansible/aws/iam_policy_grants_full_permissions/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.ansible as ans_lib import data.generic.common as common_lib +import future.keywords.in modules := {"community.aws.iam_managed_policy", "iam_managed_policy"} @@ -11,7 +12,7 @@ CxPolicy[result] { ans_lib.checkState(awsApiGateway) st := common_lib.get_statement(common_lib.get_policy(awsApiGateway.policy)) - statement := st[_] + some statement in st common_lib.is_allow_effect(statement) common_lib.equalsOrInArray(statement.Resource, "*") diff --git a/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/query.rego b/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/query.rego index ecae9080221..027a090f758 100644 --- a/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/query.rego +++ b/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.ansible as ans_lib import data.generic.common as common_lib +import future.keywords.in modules := {"community.aws.iam_managed_policy", "iam_managed_policy"} 
@@ -12,7 +13,7 @@ CxPolicy[result] { policy := common_lib.get_policy(common_lib.get_policy(awsApiGateway.policy)) st := common_lib.get_statement(policy) - statement := st[_] + some statement in st common_lib.is_allow_effect(statement) aws := statement.Principal.AWS diff --git a/assets/queries/ansible/aws/kms_key_with_full_permissions/query.rego b/assets/queries/ansible/aws/kms_key_with_full_permissions/query.rego index c5c8269a7b3..fd66c3396ee 100644 --- a/assets/queries/ansible/aws/kms_key_with_full_permissions/query.rego +++ b/assets/queries/ansible/aws/kms_key_with_full_permissions/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.ansible as ans_lib import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { task := ans_lib.tasks[id][t] @@ -10,7 +11,7 @@ CxPolicy[result] { ans_lib.checkState(aws_kms) st := common_lib.get_statement(common_lib.get_policy(aws_kms.policy)) - statement := st[_] + some statement in st common_lib.is_allow_effect(statement) not common_lib.valid_key(statement, "Condition") diff --git a/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/query.rego b/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/query.rego index cb8aac9cd07..a5bf4224a98 100644 --- a/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/query.rego +++ b/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.ansible as ans_lib import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { task := ans_lib.tasks[id][t] @@ -10,7 +11,7 @@ CxPolicy[result] { ans_lib.checkState(s3_bucket) st := common_lib.get_statement(common_lib.get_policy(s3_bucket.policy)) - statement := st[_] + some statement in st common_lib.is_allow_effect(statement) statement.Principal == "*" 
diff --git a/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/query.rego b/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/query.rego index 64a7d64b0bb..43ab1549652 100644 --- a/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/query.rego +++ b/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.ansible as ans_lib import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { task := ans_lib.tasks[id][t] @@ -10,7 +11,7 @@ CxPolicy[result] { ans_lib.checkState(bucket) st := common_lib.get_statement(common_lib.get_policy(bucket.policy)) - statement := st[_] + some statement in st common_lib.is_allow_effect(statement) diff --git a/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/query.rego b/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/query.rego index 07711425755..733e22045ef 100644 --- a/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/query.rego +++ b/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.ansible as ans_lib import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { task := ans_lib.tasks[id][t] @@ -10,7 +11,7 @@ CxPolicy[result] { ans_lib.checkState(bucket) st := common_lib.get_statement(common_lib.get_policy(bucket.policy)) - statement := st[_] + some statement in st common_lib.is_allow_effect(statement) diff --git a/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/query.rego b/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/query.rego index 7e4a3b34810..6e30cd39ec8 100644 --- a/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/query.rego 
+++ b/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.ansible as ans_lib import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { task := ans_lib.tasks[id][t] @@ -10,7 +11,7 @@ CxPolicy[result] { ans_lib.checkState(bucket) st := common_lib.get_statement(common_lib.get_policy(bucket.policy)) - statement := st[_] + some statement in st common_lib.is_allow_effect(statement) diff --git a/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/query.rego b/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/query.rego index 3a4d3fab7f7..aa50a39b47f 100644 --- a/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/query.rego +++ b/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.ansible as ans_lib import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { task := ans_lib.tasks[id][t] @@ -10,7 +11,7 @@ CxPolicy[result] { ans_lib.checkState(bucket) st := common_lib.get_statement(common_lib.get_policy(bucket.policy)) - statement := st[_] + some statement in st common_lib.is_allow_effect(statement) diff --git a/assets/queries/ansible/aws/s3_bucket_with_all_permissions/query.rego b/assets/queries/ansible/aws/s3_bucket_with_all_permissions/query.rego index 9acbd455014..7c6fd234629 100644 --- a/assets/queries/ansible/aws/s3_bucket_with_all_permissions/query.rego +++ b/assets/queries/ansible/aws/s3_bucket_with_all_permissions/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.ansible as ans_lib import data.generic.common as common_lib +import future.keywords.in modules := {"amazon.aws.s3_bucket", "s3_bucket"} 
@@ -11,7 +12,7 @@ CxPolicy[result] { ans_lib.checkState(s3_bucket) st := common_lib.get_statement(common_lib.get_policy(s3_bucket.policy)) - statement := st[_] + some statement in st common_lib.is_allow_effect(statement) diff --git a/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/query.rego b/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/query.rego index 5693dad437e..c1a97529740 100644 --- a/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/query.rego +++ b/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.ansible as ans_lib import data.generic.common as common_lib +import future.keywords.in modules := {"community.aws.aws_ses_identity_policy", "aws.aws_ses_identity_policy"} @@ -11,7 +12,7 @@ CxPolicy[result] { ans_lib.checkState(sesPolicy) st := common_lib.get_statement(common_lib.get_policy(sesPolicy.policy)) - statement := st[_] + some statement in st common_lib.is_allow_effect(statement) common_lib.containsOrInArrayContains(statement.Action, "*") diff --git a/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/query.rego b/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/query.rego index 01153de4245..89266d7d590 100644 --- a/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/query.rego +++ b/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.ansible as ansLib import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { task := ansLib.tasks[id][t] @@ -9,7 +10,7 @@ CxPolicy[result] { snsTopicCommunity := task[modules[m]] ansLib.checkState(snsTopicCommunity) st := common_lib.get_statement(common_lib.get_policy(snsTopicCommunity.policy)) - statement := st[_] + some statement in st statement.Effect == "Allow" common_lib.any_principal(statement) 
diff --git a/assets/queries/ansible/aws/sqs_policy_allows_all_actions/query.rego b/assets/queries/ansible/aws/sqs_policy_allows_all_actions/query.rego index 091851df761..406a525a892 100644 --- a/assets/queries/ansible/aws/sqs_policy_allows_all_actions/query.rego +++ b/assets/queries/ansible/aws/sqs_policy_allows_all_actions/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.ansible as ans_lib import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { task := ans_lib.tasks[id][t] @@ -10,7 +11,7 @@ CxPolicy[result] { ans_lib.checkState(sqsPolicy) st := common_lib.get_statement(common_lib.get_policy(sqsPolicy.policy)) - statement := st[_] + some statement in st common_lib.is_allow_effect(statement) common_lib.equalsOrInArray(statement.Action, "*") diff --git a/assets/queries/ansible/aws/sqs_policy_with_public_access/query.rego b/assets/queries/ansible/aws/sqs_policy_with_public_access/query.rego index 5216fb069f0..375cff173ef 100644 --- a/assets/queries/ansible/aws/sqs_policy_with_public_access/query.rego +++ b/assets/queries/ansible/aws/sqs_policy_with_public_access/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.ansible as ans_lib import data.generic.common as common_lib +import future.keywords.in modules := {"community.aws.sqs_queue", "sqs_queue"} @@ -11,7 +12,7 @@ CxPolicy[result] { ans_lib.checkState(sqsPolicy) st := common_lib.get_statement(common_lib.get_policy(sqsPolicy.policy)) - statement := st[_] + some statement in st common_lib.is_allow_effect(statement) all_principals(statement) diff --git a/assets/queries/ansible/aws/sqs_queue_exposed/query.rego b/assets/queries/ansible/aws/sqs_queue_exposed/query.rego index 83d30872570..0a2ca2cba37 100644 --- a/assets/queries/ansible/aws/sqs_queue_exposed/query.rego +++ b/assets/queries/ansible/aws/sqs_queue_exposed/query.rego 
@@ -2,6 +2,7 @@ package Cx import data.generic.ansible as ans_lib import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { task := ans_lib.tasks[id][t] @@ -10,7 +11,7 @@ CxPolicy[result] { ans_lib.checkState(sqs_queue) st := common_lib.get_statement(common_lib.get_policy(sqs_queue.policy)) - statement := st[_] + some statement in st common_lib.is_allow_effect(statement) diff --git a/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/query.rego b/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/query.rego index b7624d3a4ad..037f46e7179 100644 --- a/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/query.rego +++ b/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/query.rego @@ -2,17 +2,19 @@ package Cx import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].Resources[name] + some document in input.document + resource := document.Resources[name] resource.Type == "AWS::ECS::Service" - isInCluster(resource, i) + isInCluster(resource, document) not common_lib.valid_key(resource.Properties, "TaskDefinition") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), "searchKey": sprintf("Resources.%s.Properties", [name]), 
@@ -23,17 +25,18 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].Resources[name] + some document in input.document + resource := document.Resources[name] resource.Type == "AWS::ECS::Service" - isInCluster(resource, i) + isInCluster(resource, document) taskDefinition := resource.Properties.TaskDefinition - existsTaskDefinition(taskDefinition, i) == null + existsTaskDefinition(taskDefinition, document) == null result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), "searchKey": sprintf("Resources.%s.Properties.TaskDefinition", [name]), @@ -44,20 +47,21 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].Resources[name] + some document in input.document + resource := document.Resources[name] resource.Type == "AWS::ECS::Service" - isInCluster(resource, i) + isInCluster(resource, document) taskDefinition := resource.Properties.TaskDefinition - taskDef := existsTaskDefinition(taskDefinition, i) + taskDef := existsTaskDefinition(taskDefinition, document) taskDef != null hasTaskRole(taskDef) == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), "searchKey": sprintf("Resources.%s.Properties.TaskDefinition", [name]), @@ -67,10 +71,10 @@ CxPolicy[result] { } } -isInCluster(service, i) { +isInCluster(service, document) { cluster := service.Properties.Cluster is_string(cluster) - input.document[i].Resources[cluster] + document.Resources[cluster] } else { cluster := service.Properties.Cluster is_object(cluster) 
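Review bot: The `is_object(cluster)` branch of `isInCluster` continues past the end of this hunk (old lines 77–78 are not in the diff), so the lookup it performs on the `Ref` is still written against the old signature; if that line reads `input.document[i].Resources[...]`, `i` is no longer a function parameter there and becomes a free variable that iterates every scanned document, so a service is accepted as in-cluster when the referenced cluster exists in any document rather than in `document`. The branch should mirror the `is_string` branch above it, e.g. `document.Resources[cluster.Ref]`. The same rename was carried through both branches of `existsTaskDefinition` in the following hunk, which is why only this branch needs a second look. `isInCluster` ends outside the hunk.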
@@ -79,15 +83,15 @@ isInCluster(service, i) { true } -existsTaskDefinition(taskDefName, i) = taskDef { +existsTaskDefinition(taskDefName, document) = taskDef { is_string(taskDefName) - input.document[i].Resources[taskDefName].Type == "AWS::ECS::TaskDefinition" - taskDef := input.document[i].Resources[taskDefName] + document.Resources[taskDefName].Type == "AWS::ECS::TaskDefinition" + taskDef := document.Resources[taskDefName] } else = taskDef { is_object(taskDefName) ref := taskDefName.Ref - input.document[i].Resources[ref].Type == "AWS::ECS::TaskDefinition" - taskDef := input.document[i].Resources[ref] + document.Resources[ref].Type == "AWS::ECS::TaskDefinition" + taskDef := document.Resources[ref] } else = null { true } diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/query.rego b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/query.rego index ab2c193cf05..9a97f00ddd7 100644 --- a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/query.rego +++ b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/query.rego @@ -2,11 +2,12 @@ package Cx import data.generic.common as common_lib import input as cf +import future.keywords.in extensions := {".json", ".yaml"} CxPolicy[result] { - doc := input.document[i] + some doc in input.document resources := doc.Resources count(resources) > 0 count({i | resources[_].Type == "AWS::AccessAnalyzer::Analyzer"}) == 0 diff --git a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/query.rego b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/query.rego index 439a099fbdb..4c7fc637a31 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/query.rego +++ b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/query.rego 
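Review bot: `i` in the comprehension head `count({i | resources[_].Type == "AWS::AccessAnalyzer::Analyzer"}) == 0` is now unbound: the removed `doc := input.document[i]` was the only binding in scope and `some doc in input.document` introduces none, so unless `i` is bound further down the rule body (outside this hunk) OPA rejects the rule with an unsafe-variable error and the query never loads, which silently removes the missing-analyzer finding from every scan. Binding the variable inside the comprehension restores the intent without depending on the document index: `count([r | some r in resources; r.Type == "AWS::AccessAnalyzer::Analyzer"]) == 0`. The `future.keywords.in` import added in this hunk already covers the `in` used there. The CxPolicy body continues past the hunk.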
@@ -2,18 +2,19 @@ package Cx import data.generic.cloudformation as cf_lib import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { resourceBucket := input.document[indexBucket].Resources[nameBucket] resourceBucket.Type == "AWS::S3::Bucket" policyStatements := [policyStatement | - resourcePolicy := input.document[indexBucket].Resources[_] + some resourcePolicy in input.document[indexBucket].Resources resourcePolicy.Type == "AWS::S3::BucketPolicy" check_ref(resourcePolicy.Properties.Bucket, resourceBucket, nameBucket) policy := resourcePolicy.Properties.PolicyDocument st := common_lib.get_statement(common_lib.get_policy(policy)) - policyStatement := st[_] + some policyStatement in st common_lib.is_allow_effect(policyStatement) ] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/query.rego b/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/query.rego index 5da5f197633..cee3e403f7b 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/query.rego @@ -2,9 +2,10 @@ package Cx import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import future.keywords.in CxPolicy[result] { - docs := input.document[i] + some docs in input.document [path, Resources] := walk(docs) resource := Resources[name] resource.Type == "AWS::S3::Bucket" @@ -20,7 +21,7 @@ CxPolicy[result] { not common_lib.valid_key(resource.Properties, "LoggingConfiguration") result := { - "documentId": input.document[i].id, + "documentId": docs.id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path),name]), diff --git a/assets/queries/terraform/gcp_bom/pst/query.rego b/assets/queries/terraform/gcp_bom/pst/query.rego index b9e0a560754..c7a0ee7b808 100644 
--- a/assets/queries/terraform/gcp_bom/pst/query.rego +++ b/assets/queries/terraform/gcp_bom/pst/query.rego @@ -2,9 +2,11 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - pubsub_topic := input.document[i].resource.google_pubsub_topic[name] + some document in input.document + pubsub_topic := document.resource.google_pubsub_topic[name] bom_output = { "resource_type": "google_pubsub_topic", @@ -16,7 +18,7 @@ CxPolicy[result] { } result := { - "documentId": input.document[i].id, + "documentId": document.id, "searchKey": sprintf("google_pubsub_topic[%s]", [name]), "issueType": "BillOfMaterials", "keyExpectedValue": "", @@ -34,14 +36,16 @@ check_encrytion(resource) = enc_status { } get_accessibility(topic_name) = accessibility_status { - iam_binding := input.document[i].resource.google_pubsub_topic_iam_binding[_] + some document in input.document + some iam_binding in document.resource.google_pubsub_topic_iam_binding topicRefArray := split(iam_binding.topic, ".") topicRefArray[1] == topic_name iam_binding.role == "roles/pubsub.publisher" checkMembers(iam_binding) accessibility_status := "public" } else = accessibility_status { - iam_binding := input.document[i].resource.google_pubsub_topic_iam_member[_] + some document in input.document + some iam_binding in document.resource.google_pubsub_topic_iam_member topicRefArray := split(iam_binding.topic, ".") topicRefArray[1] == topic_name iam_binding.role == "roles/pubsub.publisher" diff --git a/assets/queries/terraform/gcp_bom/redis/query.rego b/assets/queries/terraform/gcp_bom/redis/query.rego index 68fd45b8d7e..d666d489859 100644 --- a/assets/queries/terraform/gcp_bom/redis/query.rego +++ b/assets/queries/terraform/gcp_bom/redis/query.rego 
@@ -2,9 +2,11 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - redis := input.document[i].resource.google_redis_instance[name] + some document in input.document + redis := document.resource.google_redis_instance[name] bom_output = { "resource_type": "google_redis_instance", @@ -16,7 +18,7 @@ CxPolicy[result] { } result := { - "documentId": input.document[i].id, + "documentId": document.id, "searchKey": sprintf("google_redis_instance[%s]", [name]), "issueType": "BillOfMaterials", "keyExpectedValue": "", @@ -35,7 +37,7 @@ check_accessability(redis_instance) = acc_status { } has_public_firewall(authorized_network) { - firewall := input.document[_].resource.google_compute_firewall[_] + some firewall in input.document[_].resource.google_compute_firewall common_lib.is_ingress(firewall) common_lib.is_unrestricted(firewall.source_ranges[_]) diff --git a/assets/queries/terraform/gcp_bom/sb/query.rego b/assets/queries/terraform/gcp_bom/sb/query.rego index 8ca006cf517..6baec318ee3 100644 --- a/assets/queries/terraform/gcp_bom/sb/query.rego +++ b/assets/queries/terraform/gcp_bom/sb/query.rego @@ -2,9 +2,11 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - s_bucket := input.document[i].resource.google_storage_bucket[name] + some document in input.document + s_bucket := document.resource.google_storage_bucket[name] bom_output = { "resource_type": "google_storage_bucket", @@ -16,7 +18,7 @@ CxPolicy[result] { } result := { - "documentId": input.document[i].id, + "documentId": document.id, "searchKey": sprintf("google_storage_bucket[%s]", [name]), "issueType": "BillOfMaterials", "keyExpectedValue": "", 
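Review bot: `some firewall in input.document[_].resource.google_compute_firewall` in `has_public_firewall` mixes the new `in` iteration with the old `_` wildcard on the document, unlike every other rule rewritten in this commit, which first binds the document with `some document in input.document`. For a uniform style, and so the document is available by name if the rule later needs its `id`, split it the same way: `some document in input.document` followed by `some firewall in document.resource.google_compute_firewall`. Behaviour is unchanged either way; this is consistency only. `has_public_firewall` continues past the hunk.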
@@ -36,19 +38,22 @@ check_encrytion(resource) = enc_status { consideredPublicPolicyMembers := {"allUsers", "allAuthenticatedUsers"} get_accessibility(bucket_name) = accessibility_status { - access_control := input.document[i].resource.google_storage_bucket_access_control[_] + some document in input.document + some access_control in document.resource.google_storage_bucket_access_control bucketRefArray := split(access_control.bucket, ".") bucketRefArray[1] == bucket_name access_control.entity == consideredPublicPolicyMembers[_] accessibility_status := "public" } else = accessibility_status { - iam_binding := input.document[i].resource.google_storage_bucket_iam_binding[_] + some document in input.document + some iam_binding in document.resource.google_storage_bucket_iam_binding bucketRefArray := split(iam_binding.bucket, ".") bucketRefArray[1] == bucket_name checkMembers(iam_binding) accessibility_status := "public" } else = accessibility_status { - iam_member := input.document[i].resource.google_storage_bucket_iam_member[_] + some document in input.document + some iam_member in document.resource.google_storage_bucket_iam_member bucketRefArray := split(iam_member.bucket, ".") bucketRefArray[1] == bucket_name checkMembers(iam_member) diff --git a/assets/queries/terraform/general/generic_git_module_without_revision/query.rego b/assets/queries/terraform/general/generic_git_module_without_revision/query.rego index 66a9d377073..3376af35fb6 100644 --- a/assets/queries/terraform/general/generic_git_module_without_revision/query.rego +++ b/assets/queries/terraform/general/generic_git_module_without_revision/query.rego 
@@ -1,12 +1,15 @@ package Cx +import future.keywords.in + CxPolicy[result] { - module := input.document[i].module[moduleName] + some document in input.document + module := document.module[moduleName] startswith(module.source, "git::") not contains(module.source, "?ref=") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "n/a", "resourceName": "n/a", "searchKey": sprintf("module.{{%s}}.source", [moduleName]), diff --git a/assets/queries/terraform/general/name_is_not_snake_case/query.rego b/assets/queries/terraform/general/name_is_not_snake_case/query.rego index 84bb4b5a3e9..879a18887c8 100644 --- a/assets/queries/terraform/general/name_is_not_snake_case/query.rego +++ b/assets/queries/terraform/general/name_is_not_snake_case/query.rego @@ -2,15 +2,16 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - doc := input.document[i] - res_type := doc.resource[type] + some document in input.document + res_type := document.resource[type] res_type[name] not is_snake_case(name) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": type, "resourceName": tf_lib.get_resource_name(res_type, name), "searchKey": sprintf("resource.%s.%s", [type, name]), @@ -22,12 +23,12 @@ CxPolicy[result] { } CxPolicy[result] { - doc := input.document[i] - module := doc.module[name] + some document in input.document + module := document.module[name] not is_snake_case(name) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "n/a", "resourceName": "n/a", "searchKey": sprintf("module.%s", [name]), diff --git a/assets/queries/terraform/general/output_without_description/query.rego b/assets/queries/terraform/general/output_without_description/query.rego index d3e235962ab..7e4f857de48 100644 --- a/assets/queries/terraform/general/output_without_description/query.rego 
+++ b/assets/queries/terraform/general/output_without_description/query.rego @@ -1,13 +1,15 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - output := input.document[i].output[outputName] + some document in input.document + output := document.output[outputName] not common_lib.valid_key(output, "description") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "n/a", "resourceName": "n/a", "searchKey": sprintf("output.{{%s}}", [outputName]), @@ -18,11 +20,12 @@ CxPolicy[result] { } CxPolicy[result] { - description := input.document[i].output[outputName].description + some document in input.document + description := document.output[outputName].description count(trim(description, " ")) == 0 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "n/a", "resourceName": "n/a", "searchKey": sprintf("output.{{%s}}.description", [outputName]), diff --git a/assets/queries/terraform/general/variable_without_description/query.rego b/assets/queries/terraform/general/variable_without_description/query.rego index ddc5b189f4b..0e5434f5313 100644 --- a/assets/queries/terraform/general/variable_without_description/query.rego +++ b/assets/queries/terraform/general/variable_without_description/query.rego @@ -1,13 +1,15 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - variable := input.document[i].variable[variableName] + some document in input.document + variable := document.variable[variableName] not common_lib.valid_key(variable, "description") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "n/a", "resourceName": "n/a", "searchKey": sprintf("variable.{{%s}}", [variableName]), 
@@ -18,11 +20,12 @@ CxPolicy[result] { } CxPolicy[result] { - description := input.document[i].variable[variableName].description + some document in input.document + description := document.variable[variableName].description count(trim(description, " ")) == 0 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "n/a", "resourceName": "n/a", "searchKey": sprintf("variable.{{%s}}.description", [variableName]), diff --git a/assets/queries/terraform/general/variable_without_type/query.rego b/assets/queries/terraform/general/variable_without_type/query.rego index 5b4d0649be5..b45f318f5ff 100644 --- a/assets/queries/terraform/general/variable_without_type/query.rego +++ b/assets/queries/terraform/general/variable_without_type/query.rego @@ -1,13 +1,15 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { - variable := input.document[i].variable[variableName] + some document in input.document + variable := document.variable[variableName] not common_lib.valid_key(variable, "type") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "n/a", "resourceName": "n/a", "searchKey": sprintf("variable.{{%s}}", [variableName]), @@ -18,11 +20,12 @@ CxPolicy[result] { } CxPolicy[result] { - type := input.document[i].variable[variableName].type + some document in input.document + type := document.variable[variableName].type count(trim(type, " ")) == 0 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "n/a", "resourceName": "n/a", "searchKey": sprintf("variable.{{%s}}.type", [variableName]), diff --git a/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/query.rego b/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/query.rego index 252c72d0f77..e7342bbc5b4 100644 --- a/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/query.rego 
+++ b/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/query.rego @@ -1,13 +1,15 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - webhook := input.document[i].resource.github_organization_webhook[name] + some document in input.document + webhook := document.resource.github_organization_webhook[name] webhook.configuration.insecure_ssl == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "github_organization_webhook", "resourceName": tf_lib.get_resource_name(webhook, name), "searchKey": sprintf("github_organization_webhook[%s].configuration.insecure_ssl", [name]), diff --git a/assets/queries/terraform/github/github_repository_set_to_public/query.rego b/assets/queries/terraform/github/github_repository_set_to_public/query.rego index dae0fb4585d..abfaf53f932 100644 --- a/assets/queries/terraform/github/github_repository_set_to_public/query.rego +++ b/assets/queries/terraform/github/github_repository_set_to_public/query.rego @@ -2,14 +2,16 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.github_repository[example] + some document in input.document + resource := document.resource.github_repository[example] not common_lib.valid_key(resource, "private") not common_lib.valid_key(resource, "visibility") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "github_repository", "resourceName": tf_lib.get_resource_name(resource, example), "searchKey": sprintf("github_repository[%s]", [example]), 
@@ -20,12 +22,13 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.github_repository[example] + some document in input.document + resource := document.resource.github_repository[example] resource.private == false not resource.visibility result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "github_repository", "resourceName": tf_lib.get_resource_name(resource, example), "searchKey": sprintf("github_repository[%s].private", [example]), @@ -36,11 +39,12 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.github_repository[example] + some document in input.document + resource := document.resource.github_repository[example] resource.visibility == "public" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "github_repository", "resourceName": tf_lib.get_resource_name(resource, example), "searchKey": sprintf("github_repository[%s].visibility", [example]), diff --git a/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/query.rego b/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/query.rego index 347e289164a..7989219b790 100644 --- a/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/query.rego +++ b/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/query.rego 
@@ -1,13 +1,15 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_cluster_role_binding[name] + some document in input.document + resource := document.resource.kubernetes_cluster_role_binding[name] resource.role_ref.name == "cluster-admin" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_cluster_role_binding", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_cluster_role_binding[%s].role_ref.name", [name]), diff --git a/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/query.rego b/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/query.rego index afab2f12b46..ed9e22142f8 100644 --- a/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/query.rego +++ b/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/query.rego @@ -2,14 +2,16 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod_security_policy[name] + some document in input.document + resource := document.resource.kubernetes_pod_security_policy[name] common_lib.valid_key(resource.spec, "allowed_unsafe_sysctls") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod_security_policy", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod_security_policy[%s].spec.allowed_unsafe_sysctls", [name]), 
@@ -20,13 +22,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod[name] + some document in input.document + resource := document.resource.kubernetes_pod[name] sysctl := resource.spec.security_context.sysctl[x].name check_unsafe(sysctl) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod[%s].spec.security_context.sysctl", [name]), diff --git a/assets/queries/terraform/kubernetes/container_host_pid_is_true/query.rego b/assets/queries/terraform/kubernetes/container_host_pid_is_true/query.rego index d162df44ceb..d77efddeeeb 100644 --- a/assets/queries/terraform/kubernetes/container_host_pid_is_true/query.rego +++ b/assets/queries/terraform/kubernetes/container_host_pid_is_true/query.rego @@ -2,16 +2,18 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) specInfo.spec.host_pid == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.host_pid", [resourceType, name, specInfo.path]), diff --git a/assets/queries/terraform/kubernetes/container_is_privileged/query.rego b/assets/queries/terraform/kubernetes/container_is_privileged/query.rego index c36e81668be..eceb10347b5 100644 --- a/assets/queries/terraform/kubernetes/container_is_privileged/query.rego +++ b/assets/queries/terraform/kubernetes/container_is_privileged/query.rego 
@@ -2,11 +2,13 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in types := {"init_container", "container"} CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -15,7 +17,7 @@ CxPolicy[result] { containers[y].security_context.privileged == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.name={{%s}}.security_context.privileged", [resourceType, name, specInfo.path, types[x], containers[y].name]), @@ -32,7 +34,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -41,7 +44,7 @@ CxPolicy[result] { containers.security_context.privileged == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.security_context.privileged", [resourceType, name, specInfo.path, types[x]]), diff --git a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/query.rego b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/query.rego index 37c4ebaf10f..a9e31cf3a62 100644 --- a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/query.rego +++ b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/query.rego 
@@ -2,11 +2,13 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in types := {"init_container", "container"} CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -16,7 +18,7 @@ CxPolicy[result] { not common_lib.valid_key(containerTypes, "resources") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -27,7 +29,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -36,7 +39,7 @@ CxPolicy[result] { not common_lib.valid_key(containers, "resources") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -47,7 +50,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] 
@@ -56,12 +60,12 @@ CxPolicy[result] { resources := {"limits", "requests"} containerResources := containers[y].resources - resourceTypes := resources[_] + some resourceTypes in resources not common_lib.valid_key(containerResources, resourceTypes) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -72,7 +76,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -80,12 +85,12 @@ CxPolicy[result] { is_object(containers) == true resources := {"limits", "requests"} - resourceTypes := resources[_] + some resourceTypes in resources not common_lib.valid_key(containers.resources, resourceTypes) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.resources", [resourceType, name, specInfo.path, types[x]]), diff --git a/assets/queries/terraform/kubernetes/container_with_added_capabilities/query.rego b/assets/queries/terraform/kubernetes/container_with_added_capabilities/query.rego index c8640de5d58..16568cde477 100644 --- a/assets/queries/terraform/kubernetes/container_with_added_capabilities/query.rego +++ b/assets/queries/terraform/kubernetes/container_with_added_capabilities/query.rego 
@@ -2,11 +2,13 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in types := {"init_container", "container"} CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -15,7 +17,7 @@ CxPolicy[result] { common_lib.valid_key(containers[y].security_context.capabilities, "add") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -26,7 +28,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -35,7 +38,7 @@ CxPolicy[result] { common_lib.valid_key(containers.security_context.capabilities, "add") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.security_context.capabilities.add", [resourceType, name, specInfo.path, types[x]]), diff --git a/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/query.rego b/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/query.rego index 924b704443d..8cfd64aedc2 100644 --- a/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/query.rego +++ b/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/query.rego 
@@ -1,11 +1,13 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in types := {"init_container", "container"} CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -14,7 +16,7 @@ CxPolicy[result] { containers[y].security_context.capabilities.add[_] = "SYS_ADMIN" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -25,7 +27,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -34,7 +37,7 @@ CxPolicy[result] { containers.security_context.capabilities.add[_] = "SYS_ADMIN" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.security_context.capabilities.add", [resourceType, name, specInfo.path, types[x]]), diff --git a/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/query.rego b/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/query.rego index d8beb310f29..ed5af8c161e 100644 --- a/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/query.rego +++ b/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/query.rego 
@@ -2,14 +2,16 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_cron_job[name] + some document in input.document + resource := document.resource.kubernetes_cron_job[name] not common_lib.valid_key(resource.spec, "starting_deadline_seconds") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_cron_job", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_cron_job[%s].spec", [name]), diff --git a/assets/queries/terraform/kubernetes/default_service_account_in_use/query.rego b/assets/queries/terraform/kubernetes/default_service_account_in_use/query.rego index d4abb61a8ec..dae71eb6fff 100644 --- a/assets/queries/terraform/kubernetes/default_service_account_in_use/query.rego +++ b/assets/queries/terraform/kubernetes/default_service_account_in_use/query.rego @@ -2,16 +2,18 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_service_account[name] + some document in input.document + resource := document.resource.kubernetes_service_account[name] resource.metadata.name == "default" not common_lib.valid_key(resource, "automount_service_account_token") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_service_account", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_service_account[%s]", [name]), 
@@ -25,14 +27,15 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_service_account[name] + some document in input.document + resource := document.resource.kubernetes_service_account[name] resource.metadata.name == "default" resource.automount_service_account_token == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_service_account", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_service_account[%s].automount_service_account_token", [name]), diff --git a/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/query.rego b/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/query.rego index 5b95c5dc4e9..0aa58fb48a8 100644 --- a/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/query.rego +++ b/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/query.rego @@ -2,16 +2,18 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod[name] + some document in input.document + resource := document.resource.kubernetes_pod[name] volumes := resource.spec.volume volumes[c].host_path.path == "/var/run/docker.sock" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod[%s].spec.volume", [name]), 
@@ -22,7 +24,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource + some document in input.document + resource := document.resource listKinds := {"kubernetes_deployment", "kubernetes_daemonset", "kubernetes_job", "kubernetes_stateful_set", "kubernetes_replication_controller"} kind := listKinds[x] common_lib.valid_key(resource, kind) @@ -33,7 +36,7 @@ CxPolicy[result] { volumes[c].host_path.path == "/var/run/docker.sock" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": kind, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].spec.template.spec.volume", [kind, name]), @@ -44,12 +47,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_cron_job[name] + some document in input.document + resource := document.resource.kubernetes_cron_job[name] spec := resource.spec.job_template.spec.template.spec volumes := spec.volume volumes[c].host_path.path == "/var/run/docker.sock" + result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_cron_job", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_cron_job[%s].spec.job_template.spec.template.spec.volume", [name]), diff --git a/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/query.rego b/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/query.rego index 29abc0916cc..859779c3974 100644 --- a/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/query.rego +++ b/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/query.rego 
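Review bot: The third hunk of this file (`@@ -44,12 +47,14 @@`) appears to add an empty `+` line between `volumes[c].host_path.path == "/var/run/docker.sock"` and `result := {`; the new-side count is one line more than the two lines replacing `resource :=` account for, and the collapsed text shows a bare `+` there, though the exact whitespace is not recoverable from this rendering. The sibling rules in this file and the other queries in the change go straight from the last condition to `result := {`, so the blank line should be dropped to keep the rule bodies uniform. If it was meant as a visual separator, apply it consistently across the three rules in this file rather than to one.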
@@ -1,16 +1,18 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_horizontal_pod_autoscaler[name] + some document in input.document + resource := document.resource.kubernetes_horizontal_pod_autoscaler[name] metric := resource.spec.metric not checkIsValidObject(metric) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_horizontal_pod_autoscaler", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_horizontal_pod_autoscaler[%s].spec.metric", [name]), diff --git a/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/query.rego b/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/query.rego index 24d1911bbed..07ecac6d436 100644 --- a/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/query.rego +++ b/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/query.rego @@ -1,11 +1,13 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { types := {"kubernetes_pod": "spec.container", "kubernetes_deployment": "spec.template.spec.container"} resource_prefix := types[x] - resource := input.document[i].resource[x][name] + some document in input.document + resource := document.resource[x][name] path := checkPath(resource) @@ -13,7 +15,7 @@ CxPolicy[result] { not contains(path.image, ":latest") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": x, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.image_pull_policy", [x, name, resource_prefix]), diff --git a/assets/queries/terraform/kubernetes/image_without_digest/query.rego b/assets/queries/terraform/kubernetes/image_without_digest/query.rego index bf2dc3f7baf..4a141989db1 100644 
--- a/assets/queries/terraform/kubernetes/image_without_digest/query.rego +++ b/assets/queries/terraform/kubernetes/image_without_digest/query.rego @@ -2,22 +2,24 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in types := {"init_container", "container"} CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] is_array(containers) == true - containerTypes := containers[_] + some containerTypes in containers not common_lib.valid_key(containerTypes, "image") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -28,7 +30,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -38,7 +41,7 @@ CxPolicy[result] { not contains(image, "@") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -49,7 +52,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] 
@@ -58,7 +62,7 @@ CxPolicy[result] { not common_lib.valid_key(containers, "image") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -69,7 +73,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -79,7 +84,7 @@ CxPolicy[result] { not contains(image, "@") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.image", [resourceType, name, specInfo.path, types[x]]), diff --git a/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/query.rego b/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/query.rego index d1039c38066..41b8adb10c9 100644 --- a/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/query.rego +++ b/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/query.rego 
@@ -1,16 +1,18 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_stateful_set[name] + some document in input.document + resource := document.resource.kubernetes_stateful_set[name] volume_claim_template := resource.spec.volume_claim_template vClaimsWitReadWriteOnce := [vClaims | contains(volume_claim_template[vm].spec.access_modes[am], "ReadWriteOnce") == true; vClaims := volume_claim_template[vm].metadata.name] count(vClaimsWitReadWriteOnce) == 0 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_stateful_set", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_stateful_set[%s].spec.volume_claim_template", [name]), @@ -21,14 +23,15 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_stateful_set[name] + some document in input.document + resource := document.resource.kubernetes_stateful_set[name] volume_claim_template := resource.spec.volume_claim_template vClaimsWitReadWriteOnce := [vClaims | contains(volume_claim_template[vm].spec.access_modes[am], "ReadWriteOnce") == true; vClaims := volume_claim_template[vm].metadata.name] count(vClaimsWitReadWriteOnce) > 1 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_stateful_set", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_stateful_set[%s].spec.volume_claim_template", [name]), diff --git a/assets/queries/terraform/kubernetes/invalid_image/query.rego b/assets/queries/terraform/kubernetes/invalid_image/query.rego index 2dc19808a41..055192ab5fd 100644 --- a/assets/queries/terraform/kubernetes/invalid_image/query.rego +++ b/assets/queries/terraform/kubernetes/invalid_image/query.rego 
@@ -2,22 +2,24 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in types := {"init_container", "container"} CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] is_array(containers) == true - containerTypes := containers[_] + some containerTypes in containers not common_lib.valid_key(containerTypes, "image") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -28,7 +30,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -38,7 +41,7 @@ CxPolicy[result] { check_content(image) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -49,7 +52,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] 
@@ -58,7 +62,7 @@ CxPolicy[result] { not common_lib.valid_key(containers, "image") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -69,7 +73,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -79,7 +84,7 @@ CxPolicy[result] { check_content(image) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.image", [resourceType, name, specInfo.path, types[x]]), diff --git a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/query.rego b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/query.rego index 81f9efb830c..1008832fd8c 100644 --- a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/query.rego +++ b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/query.rego 
@@ -2,18 +2,20 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { types := {"kubernetes_pod": "spec.container", "kubernetes_deployment": "spec.template.spec.container"} resource_prefix := types[x] - resource := input.document[i].resource[x][name] + some document in input.document + resource := document.resource[x][name] path := checkPath(resource) not common_lib.valid_key(path, "liveness_probe") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": x, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s", [x, name, resource_prefix]), diff --git a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego index 5a559557aab..cfdb8bd4851 100644 --- a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego +++ b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego @@ -1,17 +1,19 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { some i, resourceType, name, key - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] labels := resource[name].metadata.labels regex.match(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`, labels[key]) == false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].metadata.labels", [resourceType, name]), diff --git a/assets/queries/terraform/kubernetes/missing_app_armor_config/query.rego b/assets/queries/terraform/kubernetes/missing_app_armor_config/query.rego index 30fdff9aabc..216e593148d 100644 --- a/assets/queries/terraform/kubernetes/missing_app_armor_config/query.rego 
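Review bot: `types` in the liveness-probe rule only maps `kubernetes_pod` and `kubernetes_deployment`, so a missing `liveness_probe` in a daemonset, stateful set, job, cron job or replication controller is never reported, whereas the other workload queries in this diff resolve the pod template with `tf_lib.getSpecInfo(resource[name])` for any resource type. If `getSpecInfo` returns the same `spec`/`path` pair here (it is used that way in the image and security-context queries), the rule could iterate `document.resource[resourceType]` and build `searchKey` from `specInfo.path` instead of the hard-coded `resource_prefix`. `checkPath` is defined outside the hunk, so it may need the same generalisation.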
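Review bot: `some i, resourceType, name, key` in metadata_label_is_invalid still declares `i`, but after this change nothing references it — `document` replaced `input.document[i]` on both lines that used it. Drop it (`some resourceType, name, key`) so the declaration lists only live variables; a leftover `i` invites someone to "fix" the rule back to index-based iteration.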
+++ b/assets/queries/terraform/kubernetes/missing_app_armor_config/query.rego @@ -1,16 +1,18 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod[name] + some document in input.document + resource := document.resource.kubernetes_pod[name] metadata := resource.metadata metadata.annotations[key] expectedKey := "container.apparmor.security.beta.kubernetes.io" not startswith(key, expectedKey) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod[%s].metadata.annotations", [name]), @@ -21,12 +23,13 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod[name] + some document in input.document + resource := document.resource.kubernetes_pod[name] metadata := resource.metadata not metadata.annotations result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod[%s].metadata", [name]), diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/query.rego b/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/query.rego index 9bc669c9ebf..6463866c62f 100644 --- a/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/query.rego +++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/query.rego 
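Review bot: The first rule flags a pod for every annotation key that does not start with `expectedKey`, not for the absence of an AppArmor annotation: a pod carrying both `prometheus.io/scrape` and a `container.apparmor.security.beta.kubernetes.io/<name>` annotation is still reported. The check should be "no key has the prefix", e.g. replace `metadata.annotations[key]` / `not startswith(key, expectedKey)` with `count({key | metadata.annotations[key]; startswith(key, expectedKey)}) == 0`. The prefix itself should end with `/` (`"container.apparmor.security.beta.kubernetes.io/"`) so only the per-container annotation form matches.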
@@ -2,15 +2,17 @@ package Cx import data.generic.common as commonLib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod_security_policy[name] + some document in input.document + resource := document.resource.kubernetes_pod_security_policy[name] spec := resource.spec not commonLib.compareArrays(spec.required_drop_capabilities, ["ALL", "NET_RAW"]) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod_security_policy", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod_security_policy[%s].spec.required_drop_capabilities", [name]), diff --git a/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/query.rego b/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/query.rego index f5c555ab33c..f93f94dca84 100644 --- a/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/query.rego +++ b/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/query.rego @@ -1,15 +1,18 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod[name] + some document in input.document + resource := document.resource.kubernetes_pod[name] metadata := resource.metadata not metadata.namespace volumes := resource.spec.volume volumes[_].path + result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod[%s].spec.volume.host_path.path", [name]), 
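Review bot: In both non_kube_system_pod_with_host_mount rules the condition is `volumes[_].path`, but the `searchKey` points at `spec.volume.host_path.path`, and in the Terraform provider a host mount is written as `volume { host_path { path = "..." } }`. If the KICS parser keeps that nesting (it appears to for the other nested blocks in this diff), `path` is never a direct child of a volume entry and the query cannot fire; `volumes[_].host_path.path` would match the shape the `searchKey` already describes. Please confirm against a test sample before changing it.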
@@ -28,14 +31,16 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod[name] + some document in input.document + resource := document.resource.kubernetes_pod[name] metadata := resource.metadata namespace := metadata.namespace namespace != "kube-system" volumes := resource.spec.volume volumes[_].path + result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod[%s].spec.volume.host_path.path", [name]), @@ -54,13 +59,15 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_persistent_volume[name] + some document in input.document + resource := document.resource.kubernetes_persistent_volume[name] metadata := resource.metadata not metadata.namespace volumes := resource.spec.volume volumes[_].path + result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_persistent_volume", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_persistent_volume[%s].spec.volume.host_path.path", [name]), @@ -79,14 +86,16 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_persistent_volume[name] + some document in input.document + resource := document.resource.kubernetes_persistent_volume[name] metadata := resource.metadata namespace := metadata.namespace namespace != "kube-system" volumes := resource.spec.volume volumes[_].path + result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_persistent_volume", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_persistent_volume[%s].spec.volume.host_path.path", [name]), 
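Review bot: The two `kubernetes_persistent_volume` rules test `metadata.namespace` and walk `resource.spec.volume`, but a PersistentVolume is cluster-scoped (the provider's PV `metadata` block has no `namespace` argument, TODO confirm) and its host path lives under `spec { persistent_volume_source { host_path { path } } }`, not `spec.volume`. If that holds, the namespace rule is vacuous and the `spec.volume` lookup is always undefined, so no PV host mount is ever reported; a single rule over `resource.spec.persistent_volume_source.host_path.path` with a matching `searchKey` would replace both.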
diff --git a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/query.rego b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/query.rego index cbd615ada48..83feb7a34bf 100644 --- a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/query.rego +++ b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/query.rego @@ -2,16 +2,18 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod[name] + some document in input.document + resource := document.resource.kubernetes_pod[name] spec := resource.spec not common_lib.valid_key(spec, "security_context") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod[%s].spec", [name]), @@ -24,7 +26,8 @@ CxPolicy[result] { types := {"init_container", "container"} CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -33,7 +36,7 @@ CxPolicy[result] { not common_lib.valid_key(containers, "security_context") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), 
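Review bot: The pod-level rule only inspects `document.resource.kubernetes_pod[name].spec`, while the container-level rules in the same file resolve the pod template through `tf_lib.getSpecInfo` for every resource type; a deployment or stateful set whose template `spec` lacks `security_context` is therefore not reported at pod level. If `getSpecInfo` returns the template spec for those kinds (as the later rules assume), the first rule can iterate `document.resource[resourceType]`, take `specInfo := tf_lib.getSpecInfo(resource[name])`, test `not common_lib.valid_key(specInfo.spec, "security_context")` and use `specInfo.path` in `searchKey`.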
@@ -44,18 +47,19 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] is_array(containers) == true - containersType := containers[_] + some containersType in containers not common_lib.valid_key(containersType, "security_context") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), diff --git a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/query.rego b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/query.rego index 7008e8d12d6..da9b9ad79eb 100644 --- a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/query.rego +++ b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/query.rego @@ -2,11 +2,13 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in types := {"init_container", "container"} CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -15,7 +17,7 @@ CxPolicy[result] { containers[y].security_context.allow_privilege_escalation == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.name={{%s}}.security_context.allow_privilege_escalation", [resourceType, name, specInfo.path, types[x], containers[y].name]), 
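Review bot: privilege_escalation_allowed only matches `security_context.allow_privilege_escalation == true`, so a container with no `security_context`, or one that omits the field, is not reported — yet Kubernetes defaults `allowPrivilegeEscalation` to true when it is unset (and forces it for privileged containers). The psp_allows_privilege_escalation query in this same diff handles the missing-key case with `not common_lib.valid_key(resource.spec, "allow_privilege_escalation")`; an equivalent pair of rules here (`not common_lib.valid_key(containers[y], "security_context")` and `not common_lib.valid_key(containers[y].security_context, "allow_privilege_escalation")`, with `searchKey` anchored at the container via `.name={{%s}}`) would close the gap. The enclosing rule of the first hunk continues past `searchKey`.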
@@ -32,7 +34,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) containers := specInfo.spec[types[x]] @@ -41,7 +44,7 @@ CxPolicy[result] { containers.security_context.allow_privilege_escalation == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.security_context.allow_privilege_escalation", [resourceType, name, specInfo.path, types[x]]), diff --git a/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/query.rego b/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/query.rego index 175366e8d0f..1cf379e0885 100644 --- a/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/query.rego +++ b/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/query.rego @@ -1,16 +1,18 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod_security_policy[name] + some document in input.document + resource := document.resource.kubernetes_pod_security_policy[name] spec := resource.spec object.get(spec, "host_network", "undefined") == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod_security_policy", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod_security_policy[%s].spec.host_network", [name]), 
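Review bot: `object.get(spec, "host_network", "undefined") == true` in psp_allows_containers_to_share_the_host_network_namespace is just `spec.host_network == true` — the `"undefined"` fallback can never equal `true`, so the `object.get` adds nothing and suggests a default-handling that is not there. psp_allows_sharing_host_ipc in this diff writes the same check as `resource.spec.host_ipc == true`; using that form here keeps the two PSP namespace queries symmetric.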
diff --git a/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/query.rego b/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/query.rego index b6139a9650f..3f0cd51a2aa 100644 --- a/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/query.rego +++ b/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/query.rego @@ -2,14 +2,16 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod_security_policy[name] + some document in input.document + resource := document.resource.kubernetes_pod_security_policy[name] not common_lib.valid_key(resource.spec, "allow_privilege_escalation") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod_security_policy", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod_security_policy[%s].spec", [name]), @@ -23,12 +25,13 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod_security_policy[name] + some document in input.document + resource := document.resource.kubernetes_pod_security_policy[name] resource.spec.allow_privilege_escalation != false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod_security_policy", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod_security_policy[%s].spec.allow_privilege_escalation", [name]), diff --git a/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/query.rego b/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/query.rego index 7fbbece1d9a..83207702178 100644 --- a/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/query.rego +++ b/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/query.rego 
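Review bot: None of the `kubernetes_pod_security_policy` queries touched here documents that PodSecurityPolicy was removed from Kubernetes in 1.25, so these findings only apply to clusters on 1.24 or older and say nothing about the Pod Security Admission profiles that replaced PSP. A one-line header comment such as `# Applies to kubernetes_pod_security_policy only; PSP was removed in Kubernetes 1.25 — see the Pod Security Admission queries for newer clusters` would stop users from reading a clean result as a clean cluster. The two hunks here otherwise preserve behaviour.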
@@ -2,14 +2,16 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod_security_policy[name] + some document in input.document + resource := document.resource.kubernetes_pod_security_policy[name] resource.spec.host_ipc == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod_security_policy", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod_security_policy[%s].spec.host_ipc", [name]), diff --git a/assets/queries/terraform/kubernetes/psp_set_to_privileged/query.rego b/assets/queries/terraform/kubernetes/psp_set_to_privileged/query.rego index a50bcda0b6a..dfeed926afa 100644 --- a/assets/queries/terraform/kubernetes/psp_set_to_privileged/query.rego +++ b/assets/queries/terraform/kubernetes/psp_set_to_privileged/query.rego @@ -2,14 +2,16 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod_security_policy[name] + some document in input.document + resource := document.resource.kubernetes_pod_security_policy[name] resource.spec.privileged != false result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod_security_policy", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod_security_policy[%s].spec.privileged", [name]), diff --git a/assets/queries/terraform/kubernetes/psp_with_added_capabilities/query.rego b/assets/queries/terraform/kubernetes/psp_with_added_capabilities/query.rego index 28c72c12f6f..1d40cdc3e03 100644 --- a/assets/queries/terraform/kubernetes/psp_with_added_capabilities/query.rego +++ b/assets/queries/terraform/kubernetes/psp_with_added_capabilities/query.rego 
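Review bot: Both psp_allows_sharing_host_ipc and psp_set_to_privileged import `data.generic.common as common_lib`, but the visible rule in each uses only `tf_lib`; if the remainder of these files (outside the hunks) does not reference `common_lib` either, the import is dead and `opa check --strict` rejects unused imports. Since this commit already touches the import block to add `future.keywords.in`, it is the natural place to drop the unused line.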
@@ -1,14 +1,16 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod_security_policy[name] + some document in input.document + resource := document.resource.kubernetes_pod_security_policy[name] resource.spec.allowed_capabilities result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod_security_policy", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod_security_policy[%s].spec.allowed_capabilities", [name]), diff --git a/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/query.rego b/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/query.rego index 90e6bfa61f7..779b2afb9ba 100644 --- a/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/query.rego +++ b/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/query.rego @@ -1,16 +1,18 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_role_binding[name] + some document in input.document + resource := document.resource.kubernetes_role_binding[name] resource.subject[k].kind == "ServiceAccount" resource.subject[k].name == "default" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_role_binding", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("resource.kubernetes_role_binding[%s]", [name]), diff --git a/assets/queries/terraform/kubernetes/root_containers_admitted/query.rego b/assets/queries/terraform/kubernetes/root_containers_admitted/query.rego index 1194543d10d..f490719b764 100644 --- a/assets/queries/terraform/kubernetes/root_containers_admitted/query.rego +++ b/assets/queries/terraform/kubernetes/root_containers_admitted/query.rego 
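Review bot: `resource.spec.allowed_capabilities` as a bare condition is satisfied whenever the attribute is defined, and an empty list is defined, so `allowed_capabilities = []` — a PSP that explicitly adds nothing — is reported as "added capabilities". `count(resource.spec.allowed_capabilities) > 0` expresses the intended check and still leaves the rule undefined when the attribute is absent.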
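Review bot: role_binding_to_default_service_account only looks at `kubernetes_role_binding`; a `kubernetes_cluster_role_binding` whose subject is the `default` service account is the more dangerous case and is not covered, so if that is intentional it deserves a comment, otherwise iterate over both kinds. Separately, this is the only query in the diff whose `searchKey` carries a `resource.` prefix (`"resource.kubernetes_role_binding[%s]"`); the siblings all use `<type>[<name>]...`, so the prefix looks accidental and may not match how KICS resolves `searchKey` paths.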
@@ -1,16 +1,18 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod_security_policy[name] + some document in input.document + resource := document.resource.kubernetes_pod_security_policy[name] privilege := {"privileged", "allow_privilege_escalation"} resource.spec[privilege[p]] == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod_security_policy", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod_security_policy[%s].spec.%s", [name, privilege[p]]), @@ -21,12 +23,13 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod_security_policy[name] + some document in input.document + resource := document.resource.kubernetes_pod_security_policy[name] resource.spec.run_as_user.rule != "MustRunAsNonRoot" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod_security_policy", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod_security_policy[%s].spec.run_as_user.rule", [name]), @@ -37,14 +40,15 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod_security_policy[name] + some document in input.document + resource := document.resource.kubernetes_pod_security_policy[name] groups := {"fs_group", "supplemental_groups"} resource.spec[groups[p]].rule != "MustRunAs" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod_security_policy", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod_security_policy[%s].spec.%s.rule", [name, groups[p]]), 
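Review bot: The first rule of root_containers_admitted (`privilege := {"privileged", "allow_privilege_escalation"}; resource.spec[privilege[p]] == true`) re-reports exactly the conditions that psp_set_to_privileged (`spec.privileged != false`) and psp_allows_privilege_escalation (`spec.allow_privilege_escalation != false`) raise elsewhere in this diff, so one PSP field produces two findings under different query names. Either scope this query to the `run_as_user` / `fs_group` / `supplemental_groups` rules that are its actual subject, or add a comment explaining why the overlap is wanted.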
@@ -55,7 +59,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod_security_policy[name] + some document in input.document + resource := document.resource.kubernetes_pod_security_policy[name] groups := {"fs_group", "supplemental_groups"} @@ -63,7 +68,7 @@ CxPolicy[result] { resource.spec[groups[p]].range.min == 0 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod_security_policy", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod_security_policy[%s].spec.%s.range.min", [name, groups[p]]), diff --git a/assets/queries/terraform/kubernetes/secrets_as_environment_variables/query.rego b/assets/queries/terraform/kubernetes/secrets_as_environment_variables/query.rego index bcb30a78e7b..307fdff20bf 100644 --- a/assets/queries/terraform/kubernetes/secrets_as_environment_variables/query.rego +++ b/assets/queries/terraform/kubernetes/secrets_as_environment_variables/query.rego @@ -2,11 +2,13 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in types := {"init_container", "container"} CxPolicy[result] { - resource := input.document[i].resource[resourceType][name] + some document in input.document + resource := document.resource[resourceType][name] specInfo := tf_lib.getSpecInfo(resource[name]) @@ -17,7 +19,7 @@ CxPolicy[result] { has_secret_key_ref(containers[y]) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -28,7 +30,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) 
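Review bot: The first rule of secrets_as_environment_variables binds `resource := document.resource[resourceType][name]` and then calls `tf_lib.getSpecInfo(resource[name])` and `tf_lib.get_resource_name(resource, name)`, so `name` is applied twice: `resource[name]` looks for a key equal to the resource's own name inside its body, which is undefined, and the rule can never produce a finding. Every other rule in the file binds `resource := document.resource[resourceType]` and indexes once; the new line should read `resource := document.resource[resourceType]`. This was already wrong before the commit, but the line is rewritten here, so it is the moment to fix it.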
@@ -39,7 +42,7 @@ CxPolicy[result] { has_secret_key_ref(containers) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.env", [resourceType, name, specInfo.path, types[x]]), @@ -50,7 +53,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) @@ -61,7 +65,7 @@ CxPolicy[result] { has_secret_key_ref(containers[y]) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s", [resourceType, name, specInfo.path, types[x]]), @@ -72,7 +76,8 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) @@ -83,7 +88,7 @@ CxPolicy[result] { has_secret_key_ref(containers) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.%s.env_from", [resourceType, name, specInfo.path, types[x]]), diff --git a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/query.rego b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/query.rego index 6faa9e82e8b..4506639c61a 100644 --- a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/query.rego +++ b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/query.rego 
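Review bot: In the array-form rules of secrets_as_environment_variables the `searchKey` is `%s[%s].%s.%s` (the container list), while the object-form rules point at `.env` and `.env_from`; array findings therefore land on the whole list rather than on the container and attribute that reference the secret. privilege_escalation_allowed in this diff pins the element with `.name={{%s}}`; using `sprintf("%s[%s].%s.%s.name={{%s}}.env", [resourceType, name, specInfo.path, types[x], containers[y].name])` (and `.env_from` for the second pair) would give every finding the same precision. `has_secret_key_ref` is outside these hunks.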
@@ -2,15 +2,17 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod[name] + some document in input.document + resource := document.resource.kubernetes_pod[name] spec := resource.spec not common_lib.valid_key(spec, "service_account_name") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod[%s].spec", [name]), @@ -21,13 +23,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_pod[name] + some document in input.document + resource := document.resource.kubernetes_pod[name] service_account_name := resource.spec.service_account_name service_account_name == "" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_pod", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_pod[%s].spec.service_account_name", [name]), diff --git a/assets/queries/terraform/kubernetes/service_type_is_nodeport/query.rego b/assets/queries/terraform/kubernetes/service_type_is_nodeport/query.rego index 34cef5380e3..c404af43828 100644 --- a/assets/queries/terraform/kubernetes/service_type_is_nodeport/query.rego +++ b/assets/queries/terraform/kubernetes/service_type_is_nodeport/query.rego 
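Review bot: service_account_name_undefined_or_empty inspects only `document.resource.kubernetes_pod[name].spec`, so deployments, stateful sets, daemonsets and jobs whose pod template omits `service_account_name` are never reported even though their pods fall back to the namespace's `default` service account just the same. If `tf_lib.getSpecInfo` resolves the template spec for those kinds (it is used that way in the container queries of this diff), both rules can iterate `document.resource[resourceType]` and test `specInfo.spec`, with `searchKey` built from `specInfo.path`.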
@@ -1,14 +1,16 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_service[name] + some document in input.document + resource := document.resource.kubernetes_service[name] resource.spec.type == "NodePort" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_service", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_service[%s].spec.type", [name]), diff --git a/assets/queries/terraform/kubernetes/service_with_external_load_balancer/query.rego b/assets/queries/terraform/kubernetes/service_with_external_load_balancer/query.rego index 6c5d43172bf..37f62f28263 100644 --- a/assets/queries/terraform/kubernetes/service_with_external_load_balancer/query.rego +++ b/assets/queries/terraform/kubernetes/service_with_external_load_balancer/query.rego @@ -2,14 +2,16 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.kubernetes_service[name] + some document in input.document + resource := document.resource.kubernetes_service[name] resource.spec.type == "LoadBalancer" not common_lib.valid_key(resource.metadata, "annotations") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_service", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_service[%s].metadata.name", [name]), 
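Review bot: The first service_with_external_load_balancer rule fires when `resource.metadata` has no `annotations` block, yet its `searchKey` is `kubernetes_service[%s].metadata.name`, pointing the finding at the service name rather than at the missing annotations; `kubernetes_service[%s].metadata` matches what the rule actually tested and mirrors how the other "missing key" rules in this diff anchor their findings. The sibling rule anchored at `metadata.name.annotations` has the same oddity.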
@@ -20,12 +22,13 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_service[name] + some document in input.document + resource := document.resource.kubernetes_service[name] common_lib.valid_key(resource.metadata, "annotations") not checkLoadBalancer(resource.metadata.annotations) result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_service", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_service[%s].metadata.name.annotations", [name]), diff --git a/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/query.rego b/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/query.rego index dac7a491c11..060ab679344 100644 --- a/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/query.rego +++ b/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/query.rego @@ -2,16 +2,18 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) specInfo.spec.host_ipc == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.host_ipc", [resourceType, name, specInfo.path]), diff --git a/assets/queries/terraform/kubernetes/shared_host_network_namespace/query.rego b/assets/queries/terraform/kubernetes/shared_host_network_namespace/query.rego index 97e584ac710..009e3f10645 100644 --- a/assets/queries/terraform/kubernetes/shared_host_network_namespace/query.rego +++ b/assets/queries/terraform/kubernetes/shared_host_network_namespace/query.rego 
@@ -2,16 +2,18 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) specInfo.spec.host_network == true result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.host_network", [resourceType, name, specInfo.path]), diff --git a/assets/queries/terraform/kubernetes/shared_service_account/query.rego b/assets/queries/terraform/kubernetes/shared_service_account/query.rego index a02cbdc0887..8ed7676957b 100644 --- a/assets/queries/terraform/kubernetes/shared_service_account/query.rego +++ b/assets/queries/terraform/kubernetes/shared_service_account/query.rego @@ -1,9 +1,11 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource[resourceType] + some document in input.document + resource := document.resource[resourceType] specInfo := tf_lib.getSpecInfo(resource[name]) @@ -14,7 +16,7 @@ CxPolicy[result] { service_account_name == name_service result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].%s.service_account_name", [resourceType, name, specInfo.path]), diff --git a/assets/queries/terraform/kubernetes/statefulset_requests_storage/query.rego b/assets/queries/terraform/kubernetes/statefulset_requests_storage/query.rego index 375ca3b2bcc..44ee826379e 100644 --- a/assets/queries/terraform/kubernetes/statefulset_requests_storage/query.rego +++ b/assets/queries/terraform/kubernetes/statefulset_requests_storage/query.rego 
@@ -1,15 +1,17 @@
 package Cx
 
 import data.generic.terraform as tf_lib
+import future.keywords.in
 
 CxPolicy[result] {
-	resource := input.document[i].resource.kubernetes_stateful_set[name]
+	some document in input.document
+	resource := document.resource.kubernetes_stateful_set[name]
 
 	volume_claim_template := resource.spec.volume_claim_template
 	storage := volume_claim_template.spec.resources.requests.storage
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": document.id,
 		"resourceType": "kubernetes_stateful_set",
 		"resourceName": tf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("kubernetes_stateful_set[%s].spec.volume_claim_template.spec.resources.requests.storage", [name]),
diff --git a/assets/queries/terraform/kubernetes/statefulset_without_service_name/query.rego b/assets/queries/terraform/kubernetes/statefulset_without_service_name/query.rego
index 66bdd7f87fd..beef8ae8e6a 100644
--- a/assets/queries/terraform/kubernetes/statefulset_without_service_name/query.rego
+++ b/assets/queries/terraform/kubernetes/statefulset_without_service_name/query.rego
@@ -1,9 +1,11 @@
 package Cx
 
 import data.generic.terraform as tf_lib
+import future.keywords.in
 
 CxPolicy[result] {
-	stateful := input.document[i].resource.kubernetes_stateful_set[name]
+	some document in input.document
+	stateful := document.resource.kubernetes_stateful_set[name]
 
 	count({x |
 		resource := input.document[_].resource.kubernetes_service[x]
@@ -14,7 +16,7 @@ CxPolicy[result] {
 	}) == 0
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": document.id,
 		"resourceType": "kubernetes_stateful_set",
 		"resourceName": tf_lib.get_resource_name(stateful, name),
 		"searchKey": sprintf("kubernetes_stateful_set[%s].spec.service_name", [name]),
diff --git a/assets/queries/terraform/kubernetes/using_default_namespace/query.rego b/assets/queries/terraform/kubernetes/using_default_namespace/query.rego
index a55c5c9502d..5716e3ad0d3 100644
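Review bot: In statefulset_without_service_name the set comprehension still iterates `input.document[_]` while the outer rule now binds `document`; that is only right if the backing service is allowed to live in a different file, and a later "cleanup" to `document.resource` would silently stop cross-file matches without any test noticing. Pin the intent with a comment above `count({x |`, e.g. `# the backing kubernetes_service may be declared in another file, so search every document`. The comprehension body and the remainder of the rule lie between the two hunks and are not visible here.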
--- a/assets/queries/terraform/kubernetes/using_default_namespace/query.rego +++ b/assets/queries/terraform/kubernetes/using_default_namespace/query.rego @@ -2,11 +2,13 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in listKinds := {"kubernetes_ingress", "kubernetes_config_map", "kubernetes_secret", "kubernetes_service", "kubernetes_cron_job", "kubernetes_service_account", "kubernetes_role", "kubernetes_role_binding", "kubernetes_pod", "kubernetes_deployment", "kubernetes_daemonset", "kubernetes_job", "kubernetes_stateful_set", "kubernetes_replication_controller"} CxPolicy[result] { - resource := input.document[i].resource + some document in input.document + resource := document.resource common_lib.valid_key(resource, listKinds[x]) k8 := resource[listKinds[x]][name] @@ -14,7 +16,7 @@ CxPolicy[result] { not common_lib.valid_key(k8.metadata, "namespace") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": listKinds[x], "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].metadata", [listKinds[x], name]), @@ -25,12 +27,13 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource + some document in input.document + resource := document.resource resource[listKinds[x]][name].metadata.namespace == "default" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": listKinds[x], "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].metadata.namespace", [listKinds[x], name]), diff --git a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/query.rego b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/query.rego index d325bde7233..ffb867920b6 100644 --- a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/query.rego 
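Review bot: Both using_default_namespace rules call `tf_lib.get_resource_name(resource, name)` with `resource` bound to `document.resource` (the whole resource map), whereas the other Kubernetes queries in this diff pass the specific resource or its type map; unless the helper tolerates either shape, the reported `resourceName` will be wrong or fall back for exactly these rules. In the first rule `"resourceName": tf_lib.get_resource_name(k8, name),` uses the value already bound; the second rule would need `k8 := resource[listKinds[x]][name]` before the `metadata.namespace == "default"` comparison. With `future.keywords.in` now imported, `listKinds[x]` could also become `some kind in listKinds` for readability.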
+++ b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/query.rego
@@ -2,17 +2,19 @@ package Cx
 
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 
 CxPolicy[result] {
 	types := {"kubernetes_pod": "spec.container", "kubernetes_deployment": "spec.template.spec.container"}
 	resource_prefix := types[x]
-	resource := input.document[i].resource[x][name]
+	some document in input.document
+	resource := document.resource[x][name]
 
 	path := checkPath(resource)
 	not common_lib.valid_key(path.port, "host_port")
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": document.id,
 		"resourceType": x,
 		"resourceName": tf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("%s[%s].%s.port", [x, name, resource_prefix]),
diff --git a/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/query.rego b/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/query.rego
index d4f74e58563..6c52030b94e 100644
--- a/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/query.rego
+++ b/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/query.rego
@@ -1,14 +1,17 @@
 package Cx
 
 import data.generic.terraform as tf_lib
+import future.keywords.in
 
 CxPolicy[result] {
-	resource := input.document[i].resource.kubernetes_pod[name]
+	some document in input.document
+	resource := document.resource.kubernetes_pod[name]
 	metadata := resource.metadata
 	volumes := resource.spec.volume
 	isOSDir(volumes[j].path)
+
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": document.id,
 		"resourceType": "kubernetes_pod",
 		"resourceName": tf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("kubernetes_pod[%s].spec.volume.host_path.path", [name]),
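Review bot: In the kubernetes_pod rule of workload_mounting_with_sensitive_os_directory the condition reads `volumes[j].path`, but the `searchKey` it reports points at `spec.volume.host_path.path`; if the Terraform schema nests the path under a `host_path` block, as the search key implies, `volumes[j].path` is undefined and the rule never fires, so sensitive host mounts go unreported rather than failing loudly. Either change the condition to `isOSDir(volumes[j].host_path.path)` or align the search key with the shape the fixtures actually use; a positive test containing a `host_path { path = "/etc" }` block would settle which one is right. `metadata` is bound but unused within the hunk, and the result object continues beyond its last line.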
@@ -25,12 +28,14 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.kubernetes_persistent_volume[name] + some document in input.document + resource := document.resource.kubernetes_persistent_volume[name] metadata := resource.metadata volumes := resource.spec.volume isOSDir(volumes[j].path) + result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "kubernetes_persistent_volume", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("kubernetes_persistent_volume[%s].spec.volume.host_path.path", [name]), diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/query.rego b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/query.rego index 83e04bff24c..de55038663a 100644 --- a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/query.rego +++ b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/query.rego @@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - instance := input.document[i].resource.nifcloud_instance[name] + some document in input.document + instance := document.resource.nifcloud_instance[name] instance.network_interface[_].network_id == "net-COMMON_PRIVATE" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_instance", "resourceName": tf_lib.get_resource_name(instance, name), "searchKey": sprintf("nifcloud_instance[%s]", [name]), 
@@ -19,11 +21,12 @@ CxPolicy[result] {
 }
 
 CxPolicy[result] {
-	instance := input.document[i].resource.nifcloud_instance[name]
+	some document in input.document
+	instance := document.resource.nifcloud_instance[name]
 	instance.network_interface.network_id == "net-COMMON_PRIVATE"
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": document.id,
 		"resourceType": "nifcloud_instance",
 		"resourceName": tf_lib.get_resource_name(instance, name),
 		"searchKey": sprintf("nifcloud_instance[%s]", [name]),
diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/query.rego b/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/query.rego
index 646c77d6f8c..69536a7aff2 100644
--- a/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/query.rego
+++ b/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/query.rego
@@ -2,14 +2,16 @@ package Cx
 
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 
 CxPolicy[result] {
-	securityGroupRule := input.document[i].resource.nifcloud_security_group_rule[name]
+	some document in input.document
+	securityGroupRule := document.resource.nifcloud_security_group_rule[name]
 	cidr := split(securityGroupRule.cidr_ip, "/")
 	to_number(cidr[1]) < 1
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": document.id,
 		"resourceType": "nifcloud_security_group_rule",
 		"resourceName": tf_lib.get_resource_name(securityGroupRule, name),
 		"searchKey": sprintf("nifcloud_security_group_rule[%s]", [name]),
diff --git a/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/query.rego b/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/query.rego
index 2faa60ef8d1..fa820f597fb 100644
--- a/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/query.rego
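Review bot: In computing_instance_has_public_ingress_sgr, `to_number(cidr[1]) < 1` is only evaluated when `cidr_ip` contains a `/`; a bare address, if the provider accepts one, leaves `cidr[1]` undefined and the rule silently does not fire instead of reporting or erroring. If bare addresses are legitimate input, decide explicitly how they are treated and record it above the `split` line, e.g. `# cidr_ip is expected as <addr>/<prefix>; a bare address is not evaluated here`. `== 0` would also state the intent (an any-source rule) more precisely than `< 1`; the db and nas security-group queries later in this diff share the same shape.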
+++ b/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/query.rego @@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - instance := input.document[i].resource.nifcloud_instance[name] + some document in input.document + instance := document.resource.nifcloud_instance[name] not common_lib.valid_key(instance, "security_group") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_instance", "resourceName": tf_lib.get_resource_name(instance, name), "searchKey": sprintf("nifcloud_instance[%s]", [name]), diff --git a/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/query.rego b/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/query.rego index 8341d350929..b15462ad33a 100644 --- a/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/query.rego +++ b/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/query.rego @@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - securityGroup := input.document[i].resource.nifcloud_security_group[name] + some document in input.document + securityGroup := document.resource.nifcloud_security_group[name] not common_lib.valid_key(securityGroup, "description") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_security_group", "resourceName": tf_lib.get_resource_name(securityGroup, name), "searchKey": sprintf("nifcloud_security_group[%s]", [name]), 
diff --git a/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/query.rego b/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/query.rego index 494febbcfde..6902291d67d 100644 --- a/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/query.rego +++ b/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/query.rego @@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - securityGroupRule := input.document[i].resource.nifcloud_security_group_rule[name] + some document in input.document + securityGroupRule := document.resource.nifcloud_security_group_rule[name] not common_lib.valid_key(securityGroupRule, "description") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_security_group_rule", "resourceName": tf_lib.get_resource_name(securityGroupRule, name), "searchKey": sprintf("nifcloud_security_group_rule[%s]", [name]), diff --git a/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/query.rego b/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/query.rego index d76d96359f2..6f05e54a444 100644 --- a/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/query.rego +++ b/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/query.rego 
@@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - dbInstance := input.document[i].resource.nifcloud_db_instance[name] + some document in input.document + dbInstance := document.resource.nifcloud_db_instance[name] not common_lib.valid_key(dbInstance, "backup_retention_period") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_db_instance", "resourceName": tf_lib.get_resource_name(dbInstance, name), "searchKey": sprintf("nifcloud_db_instance[%s]", [name]), @@ -19,11 +21,12 @@ CxPolicy[result] { } CxPolicy[result] { - dbInstance := input.document[i].resource.nifcloud_db_instance[name] + some document in input.document + dbInstance := document.resource.nifcloud_db_instance[name] dbInstance.backup_retention_period < 7 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_db_instance", "resourceName": tf_lib.get_resource_name(dbInstance, name), "searchKey": sprintf("nifcloud_db_instance[%s]", [name]), diff --git a/assets/queries/terraform/nifcloud/db_has_public_access/query.rego b/assets/queries/terraform/nifcloud/db_has_public_access/query.rego index c2c7196acdd..04c64af69b0 100644 --- a/assets/queries/terraform/nifcloud/db_has_public_access/query.rego +++ b/assets/queries/terraform/nifcloud/db_has_public_access/query.rego 
@@ -2,12 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - dbInstance := input.document[i].resource.nifcloud_db_instance[name] + some document in input.document + dbInstance := document.resource.nifcloud_db_instance[name] dbInstance.publicly_accessible == true + result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_db_instance", "resourceName": tf_lib.get_resource_name(dbInstance, name), "searchKey": sprintf("nifcloud_db_instance[%s]", [name]), @@ -18,11 +21,12 @@ CxPolicy[result] { } CxPolicy[result] { - dbInstance := input.document[i].resource.nifcloud_db_instance[name] + some document in input.document + dbInstance := document.resource.nifcloud_db_instance[name] not common_lib.valid_key(dbInstance, "publicly_accessible") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_db_instance", "resourceName": tf_lib.get_resource_name(dbInstance, name), "searchKey": sprintf("nifcloud_db_instance[%s]", [name]), diff --git a/assets/queries/terraform/nifcloud/db_instance_has_common_private/query.rego b/assets/queries/terraform/nifcloud/db_instance_has_common_private/query.rego index ce8019a5e87..a584fbd0f9a 100644 --- a/assets/queries/terraform/nifcloud/db_instance_has_common_private/query.rego +++ b/assets/queries/terraform/nifcloud/db_instance_has_common_private/query.rego 
@@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - dbInstance := input.document[i].resource.nifcloud_db_instance[name] + some document in input.document + dbInstance := document.resource.nifcloud_db_instance[name] dbInstance.network_id == "net-COMMON_PRIVATE" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_db_instance", "resourceName": tf_lib.get_resource_name(dbInstance, name), "searchKey": sprintf("nifcloud_db_instance[%s]", [name]), diff --git a/assets/queries/terraform/nifcloud/db_security_group_description_undefined/query.rego b/assets/queries/terraform/nifcloud/db_security_group_description_undefined/query.rego index 7cd36e6d187..a22dcf164f0 100644 --- a/assets/queries/terraform/nifcloud/db_security_group_description_undefined/query.rego +++ b/assets/queries/terraform/nifcloud/db_security_group_description_undefined/query.rego @@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - dbSecurityGroup := input.document[i].resource.nifcloud_db_security_group[name] + some document in input.document + dbSecurityGroup := document.resource.nifcloud_db_security_group[name] not common_lib.valid_key(dbSecurityGroup, "description") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_db_security_group", "resourceName": tf_lib.get_resource_name(dbSecurityGroup, name), "searchKey": sprintf("nifcloud_db_security_group[%s]", [name]), diff --git a/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/query.rego b/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/query.rego index 5a56b9f92f9..6aa8bd49a2d 100644 --- a/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/query.rego 
+++ b/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/query.rego @@ -2,14 +2,16 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - dbSecurityGroupRule := input.document[i].resource.nifcloud_db_security_group[name] + some document in input.document + dbSecurityGroupRule := document.resource.nifcloud_db_security_group[name] cidr := split(getRules(dbSecurityGroupRule.rule)[_].cidr_ip, "/") to_number(cidr[1]) < 1 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_db_security_group", "resourceName": tf_lib.get_resource_name(dbSecurityGroupRule, name), "searchKey": sprintf("nifcloud_db_security_group[%s]", [name]), diff --git a/assets/queries/terraform/nifcloud/dns_has_verified_record/query.rego b/assets/queries/terraform/nifcloud/dns_has_verified_record/query.rego index 5a8b9c9ef38..75615c85a39 100644 --- a/assets/queries/terraform/nifcloud/dns_has_verified_record/query.rego +++ b/assets/queries/terraform/nifcloud/dns_has_verified_record/query.rego @@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - dnsRecord := input.document[i].resource.nifcloud_dns_record[name] + some document in input.document + dnsRecord := document.resource.nifcloud_dns_record[name] contains(dnsRecord.record, "nifty-dns-verify=") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_dns_record", "resourceName": tf_lib.get_resource_name(dnsRecord, name), "searchKey": sprintf("nifcloud_dns_record[%s]", [name]), diff --git a/assets/queries/terraform/nifcloud/elb_has_common_private/query.rego b/assets/queries/terraform/nifcloud/elb_has_common_private/query.rego index 1e3b7948c61..4d98b18387e 100644 --- a/assets/queries/terraform/nifcloud/elb_has_common_private/query.rego 
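Review bot: `getRules(dbSecurityGroupRule.rule)[_].cidr_ip` keeps the legacy `[_]` iteration in a diff whose whole purpose is the `some … in` style; `some rule in getRules(dbSecurityGroupRule.rule)` followed by `cidr := split(rule.cidr_ip, "/")` would be consistent and would let the result later identify which rule was open. As in the compute variant, the comparison is undefined for a `cidr_ip` without a prefix, so such rules are never reported. getRules is defined outside the hunk.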
+++ b/assets/queries/terraform/nifcloud/elb_has_common_private/query.rego @@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - elb := input.document[i].resource.nifcloud_elb[name] + some document in input.document + elb := document.resource.nifcloud_elb[name] elb.network_interface[_].network_id == "net-COMMON_PRIVATE" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_elb", "resourceName": tf_lib.get_resource_name(elb, name), "searchKey": sprintf("nifcloud_elb[%s]", [name]), @@ -19,11 +21,12 @@ CxPolicy[result] { } CxPolicy[result] { - elb := input.document[i].resource.nifcloud_elb[name] + some document in input.document + elb := document.resource.nifcloud_elb[name] elb.network_interface.network_id == "net-COMMON_PRIVATE" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_elb", "resourceName": tf_lib.get_resource_name(elb, name), "searchKey": sprintf("nifcloud_elb[%s]", [name]), diff --git a/assets/queries/terraform/nifcloud/elb_listener_use_http/query.rego b/assets/queries/terraform/nifcloud/elb_listener_use_http/query.rego index d4ecde81f8a..821610e203a 100644 --- a/assets/queries/terraform/nifcloud/elb_listener_use_http/query.rego +++ b/assets/queries/terraform/nifcloud/elb_listener_use_http/query.rego 
@@ -2,19 +2,21 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - elb_listener := input.document[i].resource.nifcloud_elb_listener[name] + some document in input.document + elb_listener := document.resource.nifcloud_elb_listener[name] - elbRef := getElbNetworkInterface(input.document[i].resource, elb_listener.elb_id) - elbNetworkInterface := getNetworkInterfaces(elbRef.network_interface)[_] + elbRef := getElbNetworkInterface(document.resource, elb_listener.elb_id) + some elbNetworkInterface in getNetworkInterfaces(elbRef.network_interface) elbNetworkInterface.network_id == "net-COMMON_GLOBAL" elbNetworkInterface.is_vip_network == true elb_listener.protocol == "HTTP" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_elb_listener", "resourceName": tf_lib.get_resource_name(elb_listener, name), "searchKey": sprintf("nifcloud_elb_listener[%s]", [name]), diff --git a/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/query.rego b/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/query.rego index f950bfa2800..983cbe1a096 100644 --- a/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/query.rego +++ b/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/query.rego 
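Review bot: `getElbNetworkInterface(document.resource, elb_listener.elb_id)` resolves the ELB only within the same document, so a listener whose `elb_id` refers to a `nifcloud_elb` declared in another file is never evaluated; this matches the old `input.document[i]` behaviour, but now that `document` is explicit it deserves a comment such as `# the referenced ELB must be declared in the same file; cross-file references are not resolved`. `elbNetworkInterface.is_vip_network == true` can be written as `elbNetworkInterface.is_vip_network`. getElbNetworkInterface and getNetworkInterfaces live outside the hunk.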
@@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - lb_listener := input.document[i].resource.nifcloud_load_balancer_listener[name] + some document in input.document + lb_listener := document.resource.nifcloud_load_balancer_listener[name] lb_listener.load_balancer_port == 80 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_load_balancer_listener", "resourceName": tf_lib.get_resource_name(lb_listener, name), "searchKey": sprintf("nifcloud_load_balancer_listener[%s]", [name]), diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_http/query.rego b/assets/queries/terraform/nifcloud/load_balancer_use_http/query.rego index 47e285b44c5..1971aa0ee30 100644 --- a/assets/queries/terraform/nifcloud/load_balancer_use_http/query.rego +++ b/assets/queries/terraform/nifcloud/load_balancer_use_http/query.rego @@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - lb := input.document[i].resource.nifcloud_load_balancer[name] + some document in input.document + lb := document.resource.nifcloud_load_balancer[name] lb.load_balancer_port == 80 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_load_balancer", "resourceName": tf_lib.get_resource_name(lb, name), "searchKey": sprintf("nifcloud_load_balancer[%s]", [name]), diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/query.rego b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/query.rego index 23c06d33457..2ec263f9b1b 100644 --- a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/query.rego +++ b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/query.rego 
@@ -2,6 +2,7 @@ package Cx
 
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 
 outdatedSSLPolicies := {
 	"1",
@@ -12,11 +13,12 @@ outdatedSSLPolicies := {
 }
 
 CxPolicy[result] {
-	lb := input.document[i].resource.nifcloud_load_balancer[name]
+	some document in input.document
+	lb := document.resource.nifcloud_load_balancer[name]
 	not common_lib.valid_key(lb, "ssl_policy_id")
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": document.id,
 		"resourceType": "nifcloud_load_balancer",
 		"resourceName": tf_lib.get_resource_name(lb, name),
 		"searchKey": sprintf("nifcloud_load_balancer[%s]", [name]),
@@ -27,11 +29,12 @@ CxPolicy[result] {
 }
 
 CxPolicy[result] {
-	lb := input.document[i].resource.nifcloud_load_balancer[name]
+	some document in input.document
+	lb := document.resource.nifcloud_load_balancer[name]
 	lb.ssl_policy_id == outdatedSSLPolicies[_]
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": document.id,
 		"resourceType": "nifcloud_load_balancer",
 		"resourceName": tf_lib.get_resource_name(lb, name),
 		"searchKey": sprintf("nifcloud_load_balancer[%s]", [name]),
diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/query.rego b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/query.rego
index 32c8f19d5e0..63f002178ae 100644
--- a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/query.rego
+++ b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/query.rego
@@ -2,6 +2,7 @@ package Cx
 
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 
 outdatedSSLPolicies := {
 	"Standard Ciphers A ver1",
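Review bot: The first load_balancer_use_insecure_tls_policy_id rule reports any `nifcloud_load_balancer` lacking `ssl_policy_id`, but the sibling query in this diff treats `ssl_policy_name` as the other way to select a policy; if the provider accepts either attribute, a load balancer that sets a name (or serves plain HTTP on port 80 with no TLS at all) is flagged here as using an insecure TLS policy. That rule should also require `not common_lib.valid_key(lb, "ssl_policy_name")`, and the second rule can use the keyword this hunk imports: `lb.ssl_policy_id in outdatedSSLPolicies`.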
@@ -12,11 +13,12 @@ outdatedSSLPolicies := { } CxPolicy[result] { - lb := input.document[i].resource.nifcloud_load_balancer[name] + some document in input.document + lb := document.resource.nifcloud_load_balancer[name] not common_lib.valid_key(lb, "ssl_policy_name") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_load_balancer", "resourceName": tf_lib.get_resource_name(lb, name), "searchKey": sprintf("nifcloud_load_balancer[%s]", [name]), @@ -27,11 +29,12 @@ CxPolicy[result] { } CxPolicy[result] { - lb := input.document[i].resource.nifcloud_load_balancer[name] + some document in input.document + lb := document.resource.nifcloud_load_balancer[name] lb.ssl_policy_name == outdatedSSLPolicies[_] result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_load_balancer", "resourceName": tf_lib.get_resource_name(lb, name), "searchKey": sprintf("nifcloud_load_balancer[%s]", [name]), diff --git a/assets/queries/terraform/nifcloud/nas_instance_has_common_private/query.rego b/assets/queries/terraform/nifcloud/nas_instance_has_common_private/query.rego index c996cca46f7..083bc10ddb4 100644 --- a/assets/queries/terraform/nifcloud/nas_instance_has_common_private/query.rego +++ b/assets/queries/terraform/nifcloud/nas_instance_has_common_private/query.rego @@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - nasInstance := input.document[i].resource.nifcloud_nas_instance[name] + some document in input.document + nasInstance := document.resource.nifcloud_nas_instance[name] nasInstance.network_id == "net-COMMON_PRIVATE" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_nas_instance", "resourceName": tf_lib.get_resource_name(nasInstance, name), "searchKey": sprintf("nifcloud_nas_instance[%s]", [name]), 
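Review bot: Mirror of the id query: `not common_lib.valid_key(lb, "ssl_policy_name")` flags load balancers that configure `ssl_policy_id` instead, if the provider treats the two attributes as alternatives, so that rule should also require `not common_lib.valid_key(lb, "ssl_policy_id")`. In the second rule `lb.ssl_policy_name == outdatedSSLPolicies[_]` can become `lb.ssl_policy_name in outdatedSSLPolicies`, matching the style the rest of this diff adopts.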
diff --git a/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/query.rego b/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/query.rego index b89fce86b8c..759c3df25ca 100644 --- a/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/query.rego +++ b/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/query.rego @@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - nasSecurityGroup := input.document[i].resource.nifcloud_nas_security_group[name] + some document in input.document + nasSecurityGroup := document.resource.nifcloud_nas_security_group[name] not common_lib.valid_key(nasSecurityGroup, "description") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_nas_security_group", "resourceName": tf_lib.get_resource_name(nasSecurityGroup, name), "searchKey": sprintf("nifcloud_nas_security_group[%s]", [name]), diff --git a/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/query.rego b/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/query.rego index e030aecedd4..8bad6f85686 100644 --- a/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/query.rego +++ b/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/query.rego 
@@ -2,14 +2,16 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - nasSecurityGroupRule := input.document[i].resource.nifcloud_nas_security_group[name] + some document in input.document + nasSecurityGroupRule := document.resource.nifcloud_nas_security_group[name] cidr := split(getRules(nasSecurityGroupRule.rule)[_].cidr_ip, "/") to_number(cidr[1]) < 1 result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_nas_security_group", "resourceName": tf_lib.get_resource_name(nasSecurityGroupRule, name), "searchKey": sprintf("nifcloud_nas_security_group[%s]", [name]), diff --git a/assets/queries/terraform/nifcloud/router_has_common_private/query.rego b/assets/queries/terraform/nifcloud/router_has_common_private/query.rego index 6e91670febe..5e594b83753 100644 --- a/assets/queries/terraform/nifcloud/router_has_common_private/query.rego +++ b/assets/queries/terraform/nifcloud/router_has_common_private/query.rego @@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - router := input.document[i].resource.nifcloud_router[name] + some document in input.document + router := document.resource.nifcloud_router[name] router.network_interface[_].network_id == "net-COMMON_PRIVATE" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_router", "resourceName": tf_lib.get_resource_name(router, name), "searchKey": sprintf("nifcloud_router[%s]", [name]), 
@@ -19,11 +21,12 @@ CxPolicy[result] { } CxPolicy[result] { - router := input.document[i].resource.nifcloud_router[name] + some document in input.document + router := document.resource.nifcloud_router[name] router.network_interface.network_id == "net-COMMON_PRIVATE" result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_router", "resourceName": tf_lib.get_resource_name(router, name), "searchKey": sprintf("nifcloud_router[%s]", [name]), diff --git a/assets/queries/terraform/nifcloud/router_security_group_undefined/query.rego b/assets/queries/terraform/nifcloud/router_security_group_undefined/query.rego index ddc0e231235..5e3b4fd79fc 100644 --- a/assets/queries/terraform/nifcloud/router_security_group_undefined/query.rego +++ b/assets/queries/terraform/nifcloud/router_security_group_undefined/query.rego @@ -2,13 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { - router := input.document[i].resource.nifcloud_router[name] + some document in input.document + router := document.resource.nifcloud_router[name] not common_lib.valid_key(router, "security_group") result := { - "documentId": input.document[i].id, + "documentId": document.id, "resourceType": "nifcloud_router", "resourceName": tf_lib.get_resource_name(router, name), "searchKey": sprintf("nifcloud_router[%s]", [name]), diff --git a/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/query.rego b/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/query.rego index 1fecb03f5fd..4e151205c34 100644 --- a/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/query.rego +++ b/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/query.rego 
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- vpnGateway := input.document[i].resource.nifcloud_vpn_gateway[name]
+ some document in input.document
+ vpnGateway := document.resource.nifcloud_vpn_gateway[name]
 not common_lib.valid_key(vpnGateway, "security_group")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "nifcloud_vpn_gateway",
 "resourceName": tf_lib.get_resource_name(vpnGateway, name),
 "searchKey": sprintf("nifcloud_vpn_gateway[%s]", [name]),
diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/query.rego b/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/query.rego
index 1b0ca97b5ab..511191501af 100644
--- a/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/query.rego
+++ b/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- some i, name
- resource := input.document[i].resource.tencentcloud_mysql_instance[name]
+ some name
+ some document in input.document
+ resource := document.resource.tencentcloud_mysql_instance[name]
 resource.internet_service == 1
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "tencentcloud_mysql_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("tencentcloud_mysql_instance[%s].internet_service", [name]),
diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/query.rego b/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/query.rego
index e418b6f4e24..a4df9a5d3aa 100644
--- a/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/query.rego
+++ b/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.tencentcloud_mysql_instance[name]
+ some document in input.document
+ resource := document.resource.tencentcloud_mysql_instance[name]
 resource.intranet_port == 3306
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "tencentcloud_mysql_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("tencentcloud_mysql_instance[%s].intranet_port", [name]),
@@ -20,11 +22,12 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.tencentcloud_mysql_instance[name]
+ some document in input.document
+ resource := document.resource.tencentcloud_mysql_instance[name]
 not common_lib.valid_key(resource, "intranet_port")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "tencentcloud_mysql_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("tencentcloud_mysql_instance[%s]", [name]),
diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/query.rego b/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/query.rego
index 7fd6e33600f..e7f8434b9a2 100644
--- a/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/query.rego
+++ b/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.tencentcloud_mysql_instance[name]
+ some document in input.document
+ resource := document.resource.tencentcloud_mysql_instance[name]
 not any_backup_policy_matches_instance(name)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "tencentcloud_mysql_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("tencentcloud_mysql_instance[%s]", [name]),
diff --git a/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/query.rego b/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/query.rego
index ff4ddbf3df5..48707d20aac 100644
--- a/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/query.rego
+++ b/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/query.rego
@@ -2,14 +2,16 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.tencentcloud_clb_instance[name]
+ some document in input.document
+ resource := document.resource.tencentcloud_clb_instance[name]
 not common_lib.valid_key(resource, "log_set_id")
 not common_lib.valid_key(resource, "log_topic_id")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "tencentcloud_clb_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("tencentcloud_clb_instance[%s]", [name]),
diff --git a/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/query.rego b/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/query.rego
index 80d19117070..bd2dee2a534 100644
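Review bot: In clb_instance_log_setting_disabled the rule only fires when both `log_set_id` and `log_topic_id` are absent (the two consecutive `not common_lib.valid_key(resource, ...)` lines), so an instance that sets only one of them is treated as having logging configured. If delivering CLB access logs requires both the log set and the log topic — which I believe is the case but have not verified against the provider documentation — a resource with just one of them is effectively unlogged and is missed by this query; splitting it into two rules, each checking a single missing key, would close that gap. At minimum a comment such as `# reports only when neither log_set_id nor log_topic_id is set` would make the intended semantics explicit.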
--- a/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/query.rego
+++ b/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/query.rego
@@ -2,16 +2,18 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 insecure_protocols := {"TCP", "UDP", "HTTP"}
 CxPolicy[result] {
- resource := input.document[i].resource.tencentcloud_clb_listener[name]
+ some document in input.document
+ resource := document.resource.tencentcloud_clb_listener[name]
 protocolCheck := resource.protocol
 insecure_protocols[protocolCheck]
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "tencentcloud_clb_listener",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("tencentcloud_clb_listener[%s].protocol", [name]),
diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/query.rego b/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/query.rego
index ad4b6b9afe0..5541ac577fd 100644
--- a/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/query.rego
+++ b/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.tencentcloud_instance[name]
+ some document in input.document
+ resource := document.resource.tencentcloud_instance[name]
 resource.disable_monitor_service == true
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "tencentcloud_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("tencentcloud_instance[%s].disable_monitor_service", [name]),
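Review bot: `insecure_protocols[protocolCheck]` in clb_listener_using_insecure_protocols is a case-sensitive set membership test, so a listener whose `protocol` is written in lowercase would not be reported even though `HTTPS` and `TCP_SSL` correctly fall through. If the provider accepts protocol values case-insensitively (I have not checked this), `protocolCheck := upper(resource.protocol)` would make the match robust; otherwise a comment `# protocol values are matched case-sensitively against the provider's upper-case constants` documents the assumption. A listener with no `protocol` attribute at all produces no finding either, which may be acceptable if the attribute is required by the provider, but is worth stating in the same comment.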
diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/query.rego b/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/query.rego
index 83f770eb619..70636ba864c 100644
--- a/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/query.rego
+++ b/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.tencentcloud_instance[name]
+ some document in input.document
+ resource := document.resource.tencentcloud_instance[name]
 resource.allocate_public_ip == true
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "tencentcloud_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("tencentcloud_instance[%s].allocate_public_ip", [name]),
diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/query.rego b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/query.rego
index 681b28b3d44..13e4250c51e 100644
--- a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/query.rego
+++ b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/query.rego
@@ -2,19 +2,20 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- doc := input.document[i]
- resource := doc.resource.tencentcloud_instance[name]
+ some document in input.document
+ resource := document.resource.tencentcloud_instance[name]
 sgs := {"orderly_security_groups", "security_groups"}
- sgInfo := resource[sgs[s]][_]
+ some sgInfo in resource[sgs[s]]
 contains(lower(sgInfo), "default")
 result := {
- "documentId": doc.id,
+ "documentId": document.id,
 "resourceType": "tencentcloud_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("tencentcloud_instance[%s].%s", [name, sgs[s]]),
diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/query.rego b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/query.rego
index 3d1a855cfe0..a1a8ca345ca 100644
--- a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/query.rego
+++ b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/query.rego
@@ -2,16 +2,17 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- doc := input.document[i]
- resource := doc.resource.tencentcloud_instance[name]
+ some document in input.document
+ resource := document.resource.tencentcloud_instance[name]
 vpc_id := resource.vpc_id
 contains(lower(vpc_id), "default")
 result := {
- "documentId": doc.id,
+ "documentId": document.id,
 "resourceType": "tencentcloud_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("tencentcloud_instance[%s].vpc_id", [name]),
@@ -23,14 +24,14 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- doc := input.document[i]
- resource := doc.resource.tencentcloud_instance[name]
+ some document in input.document
+ resource := document.resource.tencentcloud_instance[name]
 subnet_id := resource.subnet_id
 contains(lower(subnet_id), "default")
 result := {
- "documentId": doc.id,
+ "documentId": document.id,
 "resourceType": "tencentcloud_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("tencentcloud_instance[%s].subnet_id", [name]),
diff --git a/assets/queries/terraform/tencentcloud/disk_encryption_disabled/query.rego b/assets/queries/terraform/tencentcloud/disk_encryption_disabled/query.rego
index 2b297bbd0bc..e3222ca2cf5 100644
--- a/assets/queries/terraform/tencentcloud/disk_encryption_disabled/query.rego
+++ b/assets/queries/terraform/tencentcloud/disk_encryption_disabled/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.tencentcloud_cbs_storage[name]
+ some document in input.document
+ resource := document.resource.tencentcloud_cbs_storage[name]
 resource.encrypt == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "tencentcloud_cbs_storage",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("tencentcloud_cbs_storage[%s].encrypt", [name]),
@@ -20,11 +22,12 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- resource := input.document[i].resource.tencentcloud_cbs_storage[name]
+ some document in input.document
+ resource := document.resource.tencentcloud_cbs_storage[name]
 not common_lib.valid_key(resource, "encrypt")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "tencentcloud_cbs_storage",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("tencentcloud_cbs_storage[%s]", [name]),
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego
index 5d0420d06fe..fdb76fa2fe2 100644
--- a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+ some document in input.document
+ resource := document.resource.tencentcloud_kubernetes_cluster[name]
 not any_kubernetes_encryption_protection(name)
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "tencentcloud_kubernetes_cluster",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s]", [name]),
@@ -20,7 +22,7 @@ CxPolicy[result] {
 }
 any_kubernetes_encryption_protection(resource_name) {
- encryption := input.document[_].resource.tencentcloud_kubernetes_encryption_protection[_]
+ some encryption in input.document[_].resource.tencentcloud_kubernetes_encryption_protection
 split_name := split(encryption.cluster_id, ".")[1]
 split_name == resource_name
 }
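Review bot: In `any_kubernetes_encryption_protection` the new line `some encryption in input.document[_].resource.tencentcloud_kubernetes_encryption_protection` still walks the documents with an anonymous `[_]`, while the CxPolicy rule earlier in this file and the rest of the change use `some document in input.document`; writing it as `some document in input.document` followed by `some encryption in document.resource.tencentcloud_kubernetes_encryption_protection` would make the helper consistent with the rule that calls it. Note also that `split(encryption.cluster_id, ".")[1]` is undefined when `cluster_id` is a literal ID rather than a `tencentcloud_kubernetes_cluster.<name>.id` reference, so a protection resource bound by literal ID never satisfies the helper and the cluster is reported anyway; that is pre-existing, but a comment such as `# only matches cluster_id given as a resource reference, not a literal ID` would make the limitation visible to whoever triages the finding.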
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego
index a8c1f219548..3fb0829476a 100644
--- a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- cluster := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+ some document in input.document
+ cluster := document.resource.tencentcloud_kubernetes_cluster[name]
 not common_lib.valid_key(cluster, "log_agent")
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "tencentcloud_kubernetes_cluster",
 "resourceName": tf_lib.get_resource_name(cluster, name),
 "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s]", [name]),
@@ -20,14 +22,15 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- cluster := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
+ some document in input.document
+ cluster := document.resource.tencentcloud_kubernetes_cluster[name]
 common_lib.valid_key(cluster, "log_agent")
 log_agent := cluster.log_agent
 log_agent.enabled == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "tencentcloud_kubernetes_cluster",
 "resourceName": tf_lib.get_resource_name(cluster, name),
 "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].log_agent.enabled", [name]),
diff --git a/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/query.rego b/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/query.rego
index 508f2d7d773..edf470d69df 100644
--- a/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/query.rego
+++ b/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/query.rego
@@ -2,13 +2,15 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
- resource := input.document[i].resource.tencentcloud_vpc_flow_log_config[name]
+ some document in input.document
+ resource := document.resource.tencentcloud_vpc_flow_log_config[name]
 resource.enable == false
 result := {
- "documentId": input.document[i].id,
+ "documentId": document.id,
 "resourceType": "tencentcloud_vpc_flow_log_config",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("tencentcloud_vpc_flow_log_config[%s].enable", [name]),