diff --git a/.github/workflows/validate-rego.yaml b/.github/workflows/validate-rego.yaml new file mode 100644 index 00000000000..222901962eb --- /dev/null +++ b/.github/workflows/validate-rego.yaml @@ -0,0 +1,24 @@ +name: validate-rego + +on: + pull_request: + paths: + - "assets/**/*.rego" + +jobs: + lint-rego: + name: Run Regal Linter on Rego Files + runs-on: ubuntu-latest + steps: + - name: Check out repository code + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Setup Regal + uses: StyraInc/setup-regal@33a142b1189004e0f14bf42b15972c67eecce776 #v1.0.0 + with: + version: v0.31.0 + + - name: Run Regal Linter + run: regal lint --format=github assets --config-file=assets/.regal/config.yml diff --git a/assets/.regal/config.yml b/assets/.regal/config.yml new file mode 100644 index 00000000000..c45acdd3e75 --- /dev/null +++ b/assets/.regal/config.yml 
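Review bot: `actions/checkout@v4` in the first step is pinned by a mutable tag while `StyraInc/setup-regal` on the next step is pinned by a full commit SHA; pin both the same way so a moved tag cannot change what runs in this job. The job also declares no `permissions:` block, so the `GITHUB_TOKEN` gets the repository's default scope although the lint only needs to read the checkout (`persist-credentials: false` is already set, which is good). The `paths` filter matches only `assets/**/*.rego`, so an edit to `assets/.regal/config.yml` or to this workflow file will not trigger the run that validates it; add both to the filter.
```yaml
on:
  pull_request:
    paths:
      - "assets/**/*.rego"
      - "assets/.regal/config.yml"
      - ".github/workflows/validate-rego.yaml"

permissions:
  contents: read

# … unchanged: jobs.lint-rego header, name and runs-on …
      - name: Check out repository code
        uses: actions/checkout@<full-commit-sha> # v4
        with:
          persist-credentials: false
# … unchanged: Setup Regal and Run Regal Linter steps …
```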
@@ -0,0 +1,138 @@ +# Since the linting rules will be tackled in separate PRs, we are temporarily ignoring all rules. +# We will update rule severities as each PR is merged. + +rules: + bugs: + not-equals-in-loop: + # https://docs.styra.com/regal/rules/bugs/not-equals-in-loop + level: ignore + rule-shadows-builtin: + # https://docs.styra.com/regal/rules/bugs/rule-shadows-builtin + level: warn + var-shadows-builtin: + # https://docs.styra.com/regal/rules/bugs/var-shadows-builtin + level: warn + unused-output-variable: + # https://docs.styra.com/regal/rules/bugs/unused-output-variable + level: ignore + deprecated-builtin: + # https://docs.styra.com/regal/rules/bugs/deprecated-builtin + level: ignore + leaked-internal-reference: + # https://docs.styra.com/regal/rules/bugs/leaked-internal-reference + level: ignore + sprintf-arguments-mismatch: + # https://docs.styra.com/regal/rules/bugs/sprintf-arguments-mismatch + level: ignore + inconsistent-args: + # https://docs.styra.com/regal/rules/bugs/inconsistent-args + level: ignore + redundant-existence-check: + # https://docs.styra.com/regal/rules/bugs/redundant-existence-check + level: ignore + idiomatic: + no-defined-entrypoint: + # https://docs.styra.com/regal/rules/idiomatic/no-defined-entrypoint + # No single entrypoint for this project + level: ignore + # temporary + non-raw-regex-pattern: + # https://docs.styra.com/regal/rules/idiomatic/non-raw-regex-pattern + level: warn + use-in-operator: + # https://docs.styra.com/regal/rules/idiomatic/use-in-operator + level: warn + use-some-for-output-vars: + # https://docs.styra.com/regal/rules/idiomatic/use-some-for-output-vars + # These would be good to address, but would require a concentrated effort + level: ignore + custom-has-key-construct: + # https://docs.styra.com/regal/rules/idiomatic/custom-has-key-construct + level: warn + equals-pattern-matching: + # https://docs.styra.com/regal/rules/idiomatic/equals-pattern-matching + level: warn + use-contains: + # 
https://docs.styra.com/regal/rules/idiomatic/use-contains + level: ignore + use-if: + # https://docs.styra.com/regal/rules/idiomatic/use-if + level: ignore + directory-package-mismatch: + # https://docs.styra.com/regal/rules/idiomatic/directory-package-mismatch + level: ignore + custom-in-construct: + # https://docs.styra.com/regal/rules/idiomatic/custom-in-construct + level: ignore + style: + avoid-get-and-list-prefix: + # https://docs.styra.com/regal/rules/style/avoid-get-and-list-prefix + level: ignore + external-reference: + # https://docs.styra.com/regal/rules/style/external-reference + level: ignore + file-length: + # https://docs.styra.com/regal/rules/style/file-length + level: ignore + line-length: + # https://docs.styra.com/regal/rules/style/line-length + level: ignore + no-whitespace-comment: + # https://docs.styra.com/regal/rules/style/no-whitespace-comment + level: warn + opa-fmt: + # https://docs.styra.com/regal/rules/style/opa-fmt + level: warn + prefer-some-in-iteration: + # https://docs.styra.com/regal/rules/style/prefer-some-in-iteration + # 10000+ violations fixed but way more to go + level: ignore + prefer-snake-case: + # https://docs.styra.com/regal/rules/style/prefer-snake-case + level: ignore + rule-length: + # https://docs.styra.com/regal/rules/style/rule-length + level: ignore + todo-comment: + # https://docs.styra.com/regal/rules/style/todo-comment + # only one TODO comment in the codebase to fix this issue + level: ignore + use-assignment-operator: + # https://docs.styra.com/regal/rules/style/use-assignment-operator + level: ignore + rule-name-repeats-package: + # https://docs.styra.com/regal/rules/style/rule-name-repeats-package + level: ignore + messy-rule: + # https://docs.styra.com/regal/rules/style/messy-rule + level: ignore + comprehension-term-assignment: + # https://docs.styra.com/regal/rules/style/comprehension-term-assignment + level: ignore + pointless-reassignment: + # 
https://docs.styra.com/regal/rules/style/pointless-reassignment + level: ignore + unconditional-assignment: + # https://docs.styra.com/regal/rules/style/unconditional-assignment + level: ignore + default-over-else: + # https://docs.styra.com/regal/rules/style/default-over-else + level: ignore + imports: + use-rego-v1: + # https://docs.styra.com/regal/rules/imports/use-rego-v1 + level: ignore + redundant-alias: + # https://docs.styra.com/regal/rules/performance/non-loop-expression + level: ignore + import-after-rule: + # https://docs.styra.com/regal/rules/imports/import-after-rule + level: ignore + performance: + non-loop-expression: + # https://docs.styra.com/regal/rules/performance/non-loop-expression + level: ignore + defer-assignment: + # https://docs.styra.com/regal/rules/performance/defer-assignment + level: ignore + diff --git a/assets/libraries/ansible.rego b/assets/libraries/ansible.rego index fd3735cd532..29cb4640a74 100644 --- a/assets/libraries/ansible.rego +++ b/assets/libraries/ansible.rego @@ -1,5 +1,7 @@ package generic.ansible +import future.keywords.in + # Global variable with all tasks in input tasks := TasksPerDocument @@ -33,14 +35,12 @@ getTasksFromBlocks(playbook) = result { not task.block validPath(path) ] -} else = [playbook] { - true -} +} else = [playbook] # Validates the path of a nested element inside a block task to assure it's a task validPath(path) { count(path) > 1 - validGroup(path[minus(count(path), 2)]) + validGroup(path[count(path) - 2]) } # Identifies a block task @@ -95,10 +95,8 @@ allowsPort(allowed, port) { low <= portNumber high >= portNumber } else { - allowed.ports[_] == port -} else = false { - true -} + port in allowed.ports +} else = false # Checks if a given port is included in a network rule isPortInRule(rule, portNumber) { @@ -112,7 +110,7 @@ isPortInRule(rule, portNumber) { } isPortInRule(rule, portNumber) { - rule.ports[_] == portNumber + portNumber in rule.ports } isPortInRule(rule, portNumber) { 
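Review bot: The doc link under `imports.redundant-alias` points at a different rule (`performance/non-loop-expression`); every other entry links its own rule, so this one should read `# https://docs.styra.com/regal/rules/imports/redundant-alias`. The header comment says all rules are temporarily ignored, yet several entries are set to `warn`, so it no longer describes the file; something like `# Rules still being addressed are set to ignore; rules the codebase already satisfies are at warn.` would match the content. With nothing at `error`, the new workflow will report findings but, if I recall Regal's default fail level correctly, will not fail the pull request — worth confirming that is the intent while the rollout is in progress.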
@@ -149,11 +147,11 @@ isEntireNetwork(cidr) { } installer_modules := [ - "community.general.apk", "ansible.builtin.apt", "ansible.builtin.apt", "community.general.bundler", "ansible.builtin.dnf", "community.general.easy_install", - "community.general.gem", "community.general.homebrew", "community.general.jenkins_plugin", "community.general.npm", "community.general.openbsd_pkg", - "ansible.builtin.package", "ansible.builtin.package", "community.general.pear", "community.general.pacman", "ansible.builtin.pip", "community.general.pkg5", - "community.general.pkgutil", "community.general.pkgutil", "community.general.portage", "community.general.slackpkg", "community.general.sorcery", - "community.general.swdepot", "win_chocolatey", "community.general.yarn", "ansible.builtin.yum", "community.general.zypper", "apk", "apt", "bower", "bundler", - "dnf", "easy_install", "gem", "homebrew", "jenkins_plugin", "npm", "openbsd_package", "openbsd_pkg", "package", "pacman", "pear", "pip", "pkg5", "pkgutil", + "community.general.apk", "ansible.builtin.apt", "ansible.builtin.apt", "community.general.bundler", "ansible.builtin.dnf", "community.general.easy_install", + "community.general.gem", "community.general.homebrew", "community.general.jenkins_plugin", "community.general.npm", "community.general.openbsd_pkg", + "ansible.builtin.package", "ansible.builtin.package", "community.general.pear", "community.general.pacman", "ansible.builtin.pip", "community.general.pkg5", + "community.general.pkgutil", "community.general.pkgutil", "community.general.portage", "community.general.slackpkg", "community.general.sorcery", + "community.general.swdepot", "win_chocolatey", "community.general.yarn", "ansible.builtin.yum", "community.general.zypper", "apk", "apt", "bower", "bundler", + "dnf", "easy_install", "gem", "homebrew", "jenkins_plugin", "npm", "openbsd_package", "openbsd_pkg", "package", "pacman", "pear", "pip", "pkg5", "pkgutil", "portage", "slackpkg", "sorcery", "swdepot", 
"win_chocolatey", "yarn", "yum", "zypper", -] \ No newline at end of file +] diff --git a/assets/libraries/azureresourcemanager.rego b/assets/libraries/azureresourcemanager.rego index 8a14adc2aaa..4df4b83f34c 100644 --- a/assets/libraries/azureresourcemanager.rego +++ b/assets/libraries/azureresourcemanager.rego @@ -2,20 +2,20 @@ package generic.azureresourcemanager # gets the network security group properties for two types of resource ('Microsoft.Network/networkSecurityGroups' and 'Microsoft.Network/networkSecurityGroups/securityRules') get_sg_info(value) = typeInfo { - value.type == "Microsoft.Network/networkSecurityGroups/securityRules" + value.type == "Microsoft.Network/networkSecurityGroups/securityRules" typeInfo := { - "type": value.type, - "properties": value.properties, + "type": value.type, + "properties": value.properties, "path": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", - "sl": ["properties"] - } + "sl": ["properties"], + } } else = typeInfo { value.type == "securityRules" typeInfo := { - "type": value.type, - "properties": value.properties, + "type": value.type, + "properties": value.properties, "path": "resources.type={{securityRules}}.properties", - "sl": ["properties"] + "sl": ["properties"], } } @@ -84,11 +84,10 @@ isParameterReference(valueToCheck) = parameterName { parameterName := trim_right(trim_left(trim_left(valueToCheck, "[parameters"), "('"), "')]") } - -isDisabledOrUndefined(doc, resource, parametersPath){ +isDisabledOrUndefined(doc, resource, parametersPath) { object.get(resource, split(parametersPath, "."), "not defined") == "not defined" } else { - value := object.get(resource, split(parametersPath, "."),"") + value := object.get(resource, split(parametersPath, "."), "") [check, _] := getDefaultValueFromParametersIfPresent(doc, value) check == false } diff --git a/assets/libraries/cicd.rego b/assets/libraries/cicd.rego index 37b0c4de356..97a75be27df 100644 --- a/assets/libraries/cicd.rego 
+++ b/assets/libraries/cicd.rego @@ -1,2 +1 @@ package generic.cicd - diff --git a/assets/libraries/common.rego b/assets/libraries/common.rego index c0ebd0db02e..82348baf55f 100644 --- a/assets/libraries/common.rego +++ b/assets/libraries/common.rego @@ -35,9 +35,7 @@ resolve_path(pathItem) = resolved { } else = resolved { is_number(pathItem) resolved := "" -} else = pathItem { - true -} +} else = pathItem json_unmarshal(s) = result { s == null @@ -52,16 +50,16 @@ json_unmarshal(s) = result { calc_IP_value(ip) = result { ips := split(ip, ".") - #calculate the value of an ip - #a.b.c.d - #a*16777216 + b*65536 + c*256 + d + # calculate the value of an ip + # a.b.c.d + # a*16777216 + b*65536 + c*256 + d result = (((to_number(ips[0]) * 16777216) + (to_number(ips[1]) * 65536)) + (to_number(ips[2]) * 256)) + to_number(ips[3]) } # Checks if a value is within a range -between(value, min, max) { - value >= min - value <= max +between(value, lowerBound, upperBound) { + value >= lowerBound + value <= upperBound } # Checks if a list contains an item @@ -263,16 +261,12 @@ allowsAllPrincipalsToAssume(resource, statement) { compareArrays(arrayOne, arrayTwo) { upper(arrayOne[_]) == upper(arrayTwo[_]) -} else = false { - true -} +} else = false valid_key(obj, key) { _ = obj[key] not is_null(obj[key]) -} else = false { - true -} +} else = false getDays(date, daysInMonth) = days { index := date[1] - 2 @@ -311,8 +305,8 @@ unsecured_cors_rule(methods, headers, origins) { } get_module_equivalent_key(provider, moduleName, resource, key) = keyInResource { - providers := data.common_lib.modules[provider] - module := providers[moduleName] + provider_modules := data.common_lib.modules[provider] + module := provider_modules[moduleName] inArray(module.resources, resource) keyInResource := module.inputs[key] } 
@@ -321,9 +315,7 @@ check_selector(filter, value, op, name) { selector := find_selector_by_value(filter, value) selector._op == op selector._selector == name -} else = false { - true -} +} else = false find_selector_by_value(filter, str) = rtn { [_, fvalue] := walk(filter) @@ -359,7 +351,6 @@ get_tag_name_if_exists(resource) = name { name := tag } - get_encryption_if_exists(resource) = encryption { resource.encrypted == true encryption := "encrypted" @@ -412,7 +403,7 @@ is_allow_effect(statement) { } else { statement.Effect == "Allow" } else { - statement.effect == "Allow" + statement.effect == "Allow" } get_policy(p) = policy { @@ -423,10 +414,10 @@ get_policy(p) = policy { is_cross_account(statement) { is_string(statement.Principal.AWS) - regex.match("(^[0-9]{12}$)|(^arn:aws:(iam|sts)::[0-9]{12})", statement.Principal.AWS) + regex.match(`(^[0-9]{12}$)|(^arn:aws:(iam|sts)::[0-9]{12})`, statement.Principal.AWS) } else { is_array(statement.Principal.AWS) - regex.match("(^[0-9]{12}$)|(^arn:aws:(iam|sts)::[0-9]{12})", statement.Principal.AWS[_]) + regex.match(`(^[0-9]{12}$)|(^arn:aws:(iam|sts)::[0-9]{12})`, statement.Principal.AWS[_]) } is_assume_role(statement) { @@ -463,11 +454,11 @@ is_recommended_tls(field) { is_unrestricted(sourceRange) { cidrs := {"0.0.0.0/0", "::/0"} - sourceRange == cidrs[_] + sourceRange in cidrs } check_principals(statement) { - statement.principals.identifiers[_] == "*" + "*" in statement.principals.identifiers statement.principals.type == "AWS" } else { is_object(statement.Principal) == true 
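Review bot: The raw-string regex in `is_cross_account` is now written out twice, once per body; a single package-level rule holding the pattern (e.g. `cross_account_principal_pattern := ...`) referenced from both `regex.match` calls keeps the two copies from drifting the next time the pattern is edited. Since the pattern is being rewritten anyway, note that the `arn:aws:` prefix only matches the commercial partition, so a principal from `aws-cn` or `aws-us-gov` would not be classified as cross-account; that may be intended, but if so a short comment on the rule saying the check is scoped to the `aws` partition would stop the next reader from treating it as a gap.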
@@ -502,11 +493,11 @@ has_wildcard(statement, typeAction) { # array_vals := ["elem1", "elem2", "elem4"] # # return_value := {"valid": false, "searchKey": "elem1.elem2"} -get_nested_values_info(object, array_vals) = return_value { +get_nested_values_info(obj, array_vals) = return_value { arr := [x | some i, _ in array_vals path := array.slice(array_vals, 0, i + 1) - walk(object, [path, _]) # evaluates to false if path is not in object + walk(obj, [path, _]) # evaluates to false if path is not in object x := path[i] ] 
@@ -560,24 +551,23 @@ weakCipher(aux) { "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384", "TLS_DHE_PSK_WITH_NULL_SHA256", "TLS_DHE_PSK_WITH_NULL_SHA384", "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256", "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384", "TLS_RSA_PSK_WITH_NULL_SHA256", "TLS_RSA_PSK_WITH_NULL_SHA384", "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256", "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256", "TLS_SM4_GCM_SM3", "TLS_SM4_CCM_SM3", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_AES_128_CCM_8_SHA256", "TLS_ECDH_ECDSA_WITH_NULL_SHA", "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_NULL_SHA", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_RSA_WITH_NULL_SHA", "TLS_ECDH_RSA_WITH_RC4_128_SHA", "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_NULL_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_anon_WITH_NULL_SHA", "TLS_ECDH_anon_WITH_RC4_128_SHA", "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", "TLS_ECDH_anon_WITH_AES_256_CBC_SHA", "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA", "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_SRP_SHA_WITH_AES_128_CBC_SHA", 
"TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA", "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA", "TLS_SRP_SHA_WITH_AES_256_CBC_SHA", "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA", "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_PSK_WITH_RC4_128_SHA", "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_PSK_WITH_NULL_SHA", "TLS_ECDHE_PSK_WITH_NULL_SHA256", "TLS_ECDHE_PSK_WITH_NULL_SHA384", "TLS_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256", "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384", "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256", "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384", "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256", "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384", 
"TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256", "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384", "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256", "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384", "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256", "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_PSK_WITH_ARIA_128_GCM_SHA256", "TLS_PSK_WITH_ARIA_256_GCM_SHA384", "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256", "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384", "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256", "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384", "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384", "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256", 
"TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256", "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384", "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256", "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384", "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_RSA_WITH_AES_128_CCM", "TLS_RSA_WITH_AES_256_CCM", "TLS_RSA_WITH_AES_128_CCM_8", "TLS_RSA_WITH_AES_256_CCM_8", "TLS_DHE_RSA_WITH_AES_128_CCM_8", "TLS_DHE_RSA_WITH_AES_256_CCM_8", "TLS_PSK_WITH_AES_128_CCM", "TLS_PSK_WITH_AES_256_CCM", "TLS_PSK_WITH_AES_128_CCM_8", "TLS_PSK_WITH_AES_256_CCM_8", "TLS_PSK_DHE_WITH_AES_128_CCM_8", "TLS_PSK_DHE_WITH_AES_256_CCM_8", "TLS_ECDHE_ECDSA_WITH_AES_128_CCM", "TLS_ECDHE_ECDSA_WITH_AES_256_CCM", "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8", "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8", "TLS_ECCPWD_WITH_AES_128_GCM_SHA256", "TLS_ECCPWD_WITH_AES_256_GCM_SHA384", "TLS_ECCPWD_WITH_AES_128_CCM_SHA256", "TLS_ECCPWD_WITH_AES_256_CCM_SHA384", "TLS_SHA256_SHA256", "TLS_SHA384_SHA384", "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC", "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC", "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT", "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L", 
"TLS_GOSTR341112_256_WITH_MAGMA_MGM_L", "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S", "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S", "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256", "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256", } - weak_ciphers_IANA_Format[_] == aux + aux in weak_ciphers_IANA_Format } # OpenSSL weakCipher(aux) { weak_ciphers_OpenSSL_Format = {"NULL-MD5", "NULL-SHA", "IDEA-CBC-SHA", "DES-CBC3-SHA", "DHE-DSS-DES-CBC3-SHA", "DHE-RSA-DES-CBC3-SHA", "ADH-DES-CBC3-SHA", "PSK-NULL-SHA", "DHE-PSK-NULL-SHA", "RSA-PSK-NULL-SHA", "AES128-SHA", "DHE-DSS-AES128-SHA", "DHE-RSA-AES128-SHA", "ADH-AES128-SHA", "AES256-SHA", "DHE-DSS-AES256-SHA", "DHE-RSA-AES256-SHA", "ADH-AES256-SHA", "NULL-SHA256", "AES128-SHA256", "AES256-SHA256", "DHE-DSS-AES128-SHA256", "CAMELLIA128-SHA", "DHE-DSS-CAMELLIA128-SHA", "DHE-RSA-CAMELLIA128-SHA", "ADH-CAMELLIA128-SHA", "DHE-RSA-AES128-SHA256", "DHE-DSS-AES256-SHA256", "DHE-RSA-AES256-SHA256", "ADH-AES128-SHA256", "ADH-AES256-SHA256", "CAMELLIA256-SHA", "DHE-DSS-CAMELLIA256-SHA", "DHE-RSA-CAMELLIA256-SHA", "ADH-CAMELLIA256-SHA", "PSK-3DES-EDE-CBC-SHA", "PSK-AES128-CBC-SHA", "PSK-AES256-CBC-SHA", "DHE-PSK-3DES-EDE-CBC-SHA", "DHE-PSK-AES128-CBC-SHA", "DHE-PSK-AES256-CBC-SHA", "RSA-PSK-3DES-EDE-CBC-SHA", "RSA-PSK-AES128-CBC-SHA", "RSA-PSK-AES256-CBC-SHA", "SEED-SHA", "DHE-DSS-SEED-SHA", "DHE-RSA-SEED-SHA", "ADH-SEED-SHA", "AES128-GCM-SHA256", "AES256-GCM-SHA384", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES256-GCM-SHA384", "ADH-AES128-GCM-SHA256", "ADH-AES256-GCM-SHA384", "PSK-AES128-GCM-SHA256", "PSK-AES256-GCM-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES256-GCM-SHA384", "PSK-AES128-CBC-SHA256", "PSK-AES256-CBC-SHA384", "PSK-NULL-SHA256", "PSK-NULL-SHA384", "DHE-PSK-AES128-CBC-SHA256", "DHE-PSK-AES256-CBC-SHA384", "DHE-PSK-NULL-SHA256", "DHE-PSK-NULL-SHA384", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-NULL-SHA256", "RSA-PSK-NULL-SHA384", "CAMELLIA128-SHA256", 
"DHE-DSS-CAMELLIA128-SHA256", "DHE-RSA-CAMELLIA128-SHA256", "ADH-CAMELLIA128-SHA256", "CAMELLIA256-SHA256", "DHE-DSS-CAMELLIA256-SHA256", "DHE-RSA-CAMELLIA256-SHA256", "ADH-CAMELLIA256-SHA256", "ECDHE-ECDSA-NULL-SHA", "ECDHE-ECDSA-DES-CBC3-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-NULL-SHA", "ECDHE-RSA-DES-CBC3-SHA", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA", "AECDH-NULL-SHA", "AECDH-DES-CBC3-SHA", "AECDH-AES128-SHA", "AECDH-AES256-SHA", "SRP-3DES-EDE-CBC-SHA", "SRP-RSA-3DES-EDE-CBC-SHA", "SRP-DSS-3DES-EDE-CBC-SHA", "SRP-AES-128-CBC-SHA", "SRP-RSA-AES-128-CBC-SHA", "SRP-DSS-AES-128-CBC-SHA", "SRP-AES-256-CBC-SHA", "SRP-RSA-AES-256-CBC-SHA", "SRP-DSS-AES-256-CBC-SHA", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384", "ECDHE-PSK-3DES-EDE-CBC-SHA", "ECDHE-PSK-AES128-CBC-SHA", "ECDHE-PSK-AES256-CBC-SHA", "ECDHE-PSK-AES128-CBC-SHA256", "ECDHE-PSK-AES256-CBC-SHA384", "ECDHE-PSK-NULL-SHA", "ECDHE-PSK-NULL-SHA256", "ECDHE-PSK-NULL-SHA384", "ECDHE-ECDSA-CAMELLIA128-SHA256", "ECDHE-ECDSA-CAMELLIA256-SHA384", "ECDHE-RSA-CAMELLIA128-SHA256", "ECDHE-RSA-CAMELLIA256-SHA384", "PSK-CAMELLIA128-SHA256", "PSK-CAMELLIA256-SHA384", "DHE-PSK-CAMELLIA128-SHA256", "DHE-PSK-CAMELLIA256-SHA384", "RSA-PSK-CAMELLIA128-SHA256", "RSA-PSK-CAMELLIA256-SHA384", "ECDHE-PSK-CAMELLIA128-SHA256", "ECDHE-PSK-CAMELLIA256-SHA384", "AES128-CCM", "AES256-CCM", "AES128-CCM8", "AES256-CCM8", "DHE-RSA-AES128-CCM8", "DHE-RSA-AES256-CCM8", "PSK-AES128-CCM", "PSK-AES256-CCM", "PSK-AES128-CCM8", "PSK-AES256-CCM8", "DHE-PSK-AES128-CCM8", "DHE-PSK-AES256-CCM8", "ECDHE-ECDSA-AES128-CCM", "ECDHE-ECDSA-AES256-CCM", "ECDHE-ECDSA-AES128-CCM8", "ECDHE-ECDSA-AES256-CCM8", "PSK-CHACHA20-POLY1305", "RSA-PSK-CHACHA20-POLY1305"} - weak_ciphers_OpenSSL_Format[_] == aux + aux in weak_ciphers_OpenSSL_Format } # GnuTLS weakCipher(aux) { weak_ciphers_GnuTLS_Format = {"TLS_RSA_NULL_MD5", "TLS_RSA_NULL_SHA1", "TLS_RSA_ARCFOUR_128_MD5", 
"TLS_RSA_ARCFOUR_128_SHA1", "TLS_RSA_3DES_EDE_CBC_SHA1", "TLS_DHE_DSS_3DES_EDE_CBC_SHA1", "TLS_DHE_RSA_3DES_EDE_CBC_SHA1", "TLS_DH_ANON_ARCFOUR_128_MD5", "TLS_DH_ANON_3DES_EDE_CBC_SHA1", "TLS_PSK_NULL_SHA1", "TLS_DHE_PSK_NULL_SHA1", "TLS_RSA_PSK_NULL_SHA1", "TLS_RSA_AES_128_CBC_SHA1", "TLS_DHE_DSS_AES_128_CBC_SHA1", "TLS_DHE_RSA_AES_128_CBC_SHA1", "TLS_DH_ANON_AES_128_CBC_SHA1", "TLS_RSA_AES_256_CBC_SHA1", "TLS_DHE_DSS_AES_256_CBC_SHA1", "TLS_DHE_RSA_AES_256_CBC_SHA1", "TLS_DH_ANON_AES_256_CBC_SHA1", "TLS_RSA_NULL_SHA256", "TLS_RSA_AES_128_CBC_SHA256", "TLS_RSA_AES_256_CBC_SHA256", "TLS_DHE_DSS_AES_128_CBC_SHA256", "TLS_RSA_CAMELLIA_128_CBC_SHA1", "TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1", "TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1", "TLS_DH_ANON_CAMELLIA_128_CBC_SHA1", "TLS_DHE_RSA_AES_128_CBC_SHA256", "TLS_DHE_DSS_AES_256_CBC_SHA256", "TLS_DHE_RSA_AES_256_CBC_SHA256", "TLS_DH_ANON_AES_128_CBC_SHA256", "TLS_DH_ANON_AES_256_CBC_SHA256", "TLS_RSA_CAMELLIA_256_CBC_SHA1", "TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1", "TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1", "TLS_DH_ANON_CAMELLIA_256_CBC_SHA1", "TLS_PSK_ARCFOUR_128_SHA1", "TLS_PSK_3DES_EDE_CBC_SHA1", "TLS_PSK_AES_128_CBC_SHA1", "TLS_PSK_AES_256_CBC_SHA1", "TLS_DHE_PSK_ARCFOUR_128_SHA1", "TLS_DHE_PSK_3DES_EDE_CBC_SHA1", "TLS_DHE_PSK_AES_128_CBC_SHA1", "TLS_DHE_PSK_AES_256_CBC_SHA1", "TLS_RSA_PSK_ARCFOUR_128_SHA1", "TLS_RSA_PSK_3DES_EDE_CBC_SHA1", "TLS_RSA_PSK_AES_128_CBC_SHA1", "TLS_RSA_PSK_AES_256_CBC_SHA1", "TLS_RSA_AES_128_GCM_SHA256", "TLS_RSA_AES_256_GCM_SHA384", "TLS_DHE_DSS_AES_128_GCM_SHA256", "TLS_DHE_DSS_AES_256_GCM_SHA384", "TLS_DH_ANON_AES_128_GCM_SHA256", "TLS_DH_ANON_AES_256_GCM_SHA384", "TLS_PSK_AES_128_GCM_SHA256", "TLS_PSK_AES_256_GCM_SHA384", "TLS_RSA_PSK_AES_128_GCM_SHA256", "TLS_RSA_PSK_AES_256_GCM_SHA384", "TLS_PSK_AES_128_CBC_SHA256", "TLS_PSK_AES_256_CBC_SHA384", "TLS_PSK_NULL_SHA256", "TLS_PSK_NULL_SHA384", "TLS_DHE_PSK_AES_128_CBC_SHA256", "TLS_DHE_PSK_AES_256_CBC_SHA384", "TLS_DHE_PSK_NULL_SHA256", 
"TLS_DHE_PSK_NULL_SHA384", "TLS_RSA_PSK_AES_128_CBC_SHA256", "TLS_RSA_PSK_AES_256_CBC_SHA384", "TLS_RSA_PSK_NULL_SHA256", "TLS_RSA_PSK_NULL_SHA384", "TLS_RSA_CAMELLIA_128_CBC_SHA256", "TLS_DHE_DSS_CAMELLIA_128_CBC_SHA256", "TLS_DHE_RSA_CAMELLIA_128_CBC_SHA256", "TLS_DH_ANON_CAMELLIA_128_CBC_SHA256", "TLS_RSA_CAMELLIA_256_CBC_SHA256", "TLS_DHE_DSS_CAMELLIA_256_CBC_SHA256", "TLS_DHE_RSA_CAMELLIA_256_CBC_SHA256", "TLS_DH_ANON_CAMELLIA_256_CBC_SHA256", "TLS_ECDHE_ECDSA_NULL_SHA1", "TLS_ECDHE_ECDSA_ARCFOUR_128_SHA1", "TLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1", "TLS_ECDHE_ECDSA_AES_128_CBC_SHA1", "TLS_ECDHE_ECDSA_AES_256_CBC_SHA1", "TLS_ECDHE_RSA_NULL_SHA1", "TLS_ECDHE_RSA_ARCFOUR_128_SHA1", "TLS_ECDHE_RSA_3DES_EDE_CBC_SHA1", "TLS_ECDHE_RSA_AES_128_CBC_SHA1", "TLS_ECDHE_RSA_AES_256_CBC_SHA1", "TLS_ECDH_ANON_NULL_SHA1", "TLS_ECDH_ANON_ARCFOUR_128_SHA1", "TLS_ECDH_ANON_3DES_EDE_CBC_SHA1", "TLS_ECDH_ANON_AES_128_CBC_SHA1", "TLS_ECDH_ANON_AES_256_CBC_SHA1", "TLS_SRP_SHA_3DES_EDE_CBC_SHA1", "TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1", "TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1", "TLS_SRP_SHA_AES_128_CBC_SHA1", "TLS_SRP_SHA_RSA_AES_128_CBC_SHA1", "TLS_SRP_SHA_DSS_AES_128_CBC_SHA1", "TLS_SRP_SHA_AES_256_CBC_SHA1", "TLS_SRP_SHA_RSA_AES_256_CBC_SHA1", "TLS_SRP_SHA_DSS_AES_256_CBC_SHA1", "TLS_ECDHE_ECDSA_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_AES_256_CBC_SHA384", "TLS_ECDHE_PSK_ARCFOUR_128_SHA1", "TLS_ECDHE_PSK_3DES_EDE_CBC_SHA1", "TLS_ECDHE_PSK_AES_128_CBC_SHA1", "TLS_ECDHE_PSK_AES_256_CBC_SHA1", "TLS_ECDHE_PSK_AES_128_CBC_SHA256", "TLS_ECDHE_PSK_AES_256_CBC_SHA384", "TLS_ECDHE_PSK_NULL_SHA1", "TLS_ECDHE_PSK_NULL_SHA256", "TLS_ECDHE_PSK_NULL_SHA384", "TLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384", "TLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384", "TLS_RSA_CAMELLIA_128_GCM_SHA256", "TLS_RSA_CAMELLIA_256_GCM_SHA384", "TLS_DHE_RSA_CAMELLIA_128_GCM_SHA256", 
"TLS_DHE_RSA_CAMELLIA_256_GCM_SHA384", "TLS_DHE_DSS_CAMELLIA_128_GCM_SHA256", "TLS_DHE_DSS_CAMELLIA_256_GCM_SHA384", "TLS_DH_ANON_CAMELLIA_128_GCM_SHA256", "TLS_DH_ANON_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384", "TLS_PSK_CAMELLIA_128_GCM_SHA256", "TLS_PSK_CAMELLIA_256_GCM_SHA384", "TLS_DHE_PSK_CAMELLIA_128_GCM_SHA256", "TLS_DHE_PSK_CAMELLIA_256_GCM_SHA384", "TLS_RSA_PSK_CAMELLIA_128_GCM_SHA256", "TLS_RSA_PSK_CAMELLIA_256_GCM_SHA384", "TLS_PSK_CAMELLIA_128_CBC_SHA256", "TLS_PSK_CAMELLIA_256_CBC_SHA384", "TLS_DHE_PSK_CAMELLIA_128_CBC_SHA256", "TLS_DHE_PSK_CAMELLIA_256_CBC_SHA384", "TLS_RSA_PSK_CAMELLIA_128_CBC_SHA256", "TLS_RSA_PSK_CAMELLIA_256_CBC_SHA384", "TLS_ECDHE_PSK_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_PSK_CAMELLIA_256_CBC_SHA384", "TLS_RSA_AES_128_CCM", "TLS_RSA_AES_256_CCM", "TLS_RSA_AES_128_CCM_8", "TLS_RSA_AES_256_CCM_8", "TLS_DHE_RSA_AES_128_CCM_8", "TLS_DHE_RSA_AES_256_CCM_8", "TLS_PSK_AES_128_CCM", "TLS_PSK_AES_256_CCM", "TLS_PSK_AES_128_CCM_8", "TLS_PSK_AES_256_CCM_8", "TLS_DHE_PSK_AES_128_CCM_8", "TLS_DHE_PSK_AES_256_CCM_8", "TLS_ECDHE_ECDSA_AES_128_CCM", "TLS_ECDHE_ECDSA_AES_256_CCM", "TLS_ECDHE_ECDSA_AES_128_CCM_8", "TLS_ECDHE_ECDSA_AES_256_CCM_8", "TLS_PSK_CHACHA20_POLY1305", "TLS_RSA_PSK_CHACHA20_POLY1305"} - weak_ciphers_GnuTLS_Format[_] == aux + aux in weak_ciphers_GnuTLS_Format } - -#aurora is equivelent to mysql 5.6 https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html#UsingWithRDS.IAMDBAuth.Availability -#all aurora-postgresql versions that do not support IAM auth are deprecated Source:console.aws (launch rds instance) +# aurora is equivelent to mysql 5.6 https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html#UsingWithRDS.IAMDBAuth.Availability +# all aurora-postgresql versions that do not support IAM auth are deprecated 
Source:console.aws (launch rds instance) valid_for_iam_engine_and_version_check(resource, engineVar, engineVersionVar, instanceClassVar) { key_list := [engineVar, engineVersionVar] contains(lower(resource[engineVar]), "mariadb") @@ -723,16 +713,16 @@ get_latest_software_version(name) = version { get_version(name) = version { val := get_latest_software_version(name) splited := split(val, ".") - version := concat(".", [splited[0],splited[1]]) + version := concat(".", [splited[0], splited[1]]) } contains_element(arr, element) { - element == arr[_] + element in arr } -contains_with_size(arr, element){ - count(arr)>0 - test := arr[j] +contains_with_size(arr, element) { + count(arr) > 0 + test := arr[j] contains(test, element) } diff --git a/assets/libraries/dockerfile.rego b/assets/libraries/dockerfile.rego index 1ef6f6244f2..6bc8d257866 100644 --- a/assets/libraries/dockerfile.rego +++ b/assets/libraries/dockerfile.rego @@ -7,13 +7,13 @@ getPackages(commands, command) = output { commandWithAll := substring(commands, len + index, count(commands)) contains(commandWithAll, ";") - commandWithAllNoTabs:= replace(commandWithAll, "\t", "") + commandWithAllNoTabs := replace(commandWithAll, "\t", "") commandWithAllSplit := split(commandWithAllNoTabs, ";") packages := split(trim_space(commandWithAllSplit[0]), " ") output = packages -}else = output { +} else = output { index := indexof(commands, command[0]) len := count(command[0]) 
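Review bot: Each of the three `weakCipher` bodies builds its cipher set as a local literal inside the body (`weak_ciphers_IANA_Format = {...}`, `weak_ciphers_OpenSSL_Format = {...}`, `weak_ciphers_GnuTLS_Format = {...}`), so the set is reconstructed on every evaluation of `weakCipher(aux)` even though the new `aux in ...` membership test is the only thing the body needs; the IANA set's opening line lies before the hunk. Hoisting the three literals to package-level rules (`weak_ciphers_IANA_Format := {...}` and likewise for the other two) lets OPA build them once and reduces each body to the single membership line. The comment rewritten at the end of the hunk reads `# aurora is equivelent to mysql 5.6`; while the line is being touched, `equivalent`.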
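Review bot: In `contains_with_size`, the reformatted `count(arr) > 0` guard is redundant: `test := arr[j]` already yields no result for an empty array, and `j` is an implicit output variable that the `unused-output-variable` rule would flag once it is turned back on. `some test in arr` on its own (the file already uses `in`, see `get_nested_values_info`) keeps the same truth table: `contains_with_size(arr, element) { some test in arr; contains(test, element) }`. The reformatted `get_version` still indexes `splited[1]` unconditionally, so a version string without a dot leaves the rule undefined rather than returning the bare value; `splited` is also a misspelling, and `parts` would read better.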
@@ -25,48 +25,48 @@ getPackages(commands, command) = output { packages := split(commandWithAllSplit[0], " ") output = packages -}else = output { +} else = output { index := indexof(commands, command[0]) len := count(command[0]) commandWithAll := substring(commands, len + index, count(commands)) not contains(commandWithAll, ";") - not contains(commandWithAll, "&&") + not contains(commandWithAll, "&&") packages := split(commandWithAll, " ") output = packages } -getCommands(commands) = output{ +getCommands(commands) = output { output := split(commands, "&&") -} else = output{ +} else = output { output := split(commands, "; ") } withVersion(pack) { - regex.match("[A-Za-z0-9_\\+-]+[-:][$](.+)", pack) + regex.match(`[A-Za-z0-9_\+-]+[-:][$](.+)`, pack) } withVersion(pack) { - regex.match("[A-Za-z0-9_\\+-]+[:-]([0-9]+.)+[0-9]+", pack) + regex.match(`[A-Za-z0-9_\+-]+[:-]([0-9]+.)+[0-9]+`, pack) } withVersion(pack) { - regex.match("[A-Za-z0-9_\\+-]+~?=(.+)", pack) + regex.match(`[A-Za-z0-9_\+-]+~?=(.+)`, pack) } -arrayContains(array, list) { - contains(array[_], list[_]) +arrayContains(array_obj, list) { + contains(array_obj[_], list[_]) } check_multi_stage(imageName, images) { - unsortedIndex := {x | - images[name][i].Cmd == "from" - x := {"Name": name, "Line": images[name][i].EndLine} - } - - sortedIndex := sort(unsortedIndex) - imageName == sortedIndex[minus(count(sortedIndex), 1)].Name -} + unsortedIndex := {x | + images[name][i].Cmd == "from" + x := {"Name": name, "Line": images[name][i].EndLine} + } + + sortedIndex := sort(unsortedIndex) + imageName == sortedIndex[count(sortedIndex) - 1].Name +} diff --git a/assets/libraries/k8s.rego b/assets/libraries/k8s.rego index bd24727dcd4..a0d3cb1a816 100644 --- a/assets/libraries/k8s.rego +++ b/assets/libraries/k8s.rego 
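Review bot: The raw-string conversion of the second `withVersion` pattern keeps the unescaped `.` in `([0-9]+.)+`, which matches any character rather than a dot, so a token such as `pkg:1x2` would be classed as versioned. If the intent is a dotted version number, the pattern should read `` regex.match(`[A-Za-z0-9_\+-]+[:-]([0-9]+\.)+[0-9]+`, pack) ``; the first and third patterns are unaffected by the conversion. In `check_multi_stage`, `sort(unsortedIndex)` on a set of objects relies on object ordering, which is unchanged by this commit but worth a short comment now that the line is reformatted.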
@@ -1,6 +1,7 @@ package generic.k8s import data.generic.common as common_lib +import future.keywords.in getSpecInfo(document) = specInfo { # this one can be also used for the result templates := {"job_template", "jobTemplate"} @@ -25,7 +26,6 @@ checkKindWithKnative(doc, listKinds, knativeKinds) { doc.kind == knativeKinds[i] } - hasFlag(container, flag) { common_lib.inArray(container.command, flag) } else { @@ -56,7 +56,7 @@ hasFlagWithValue(container, flag, value) { hasValue(values, value) { splittedValues := split(values, ",") - splittedValues[_] == value + value in splittedValues } startAndEndWithFlag(container, flag, ext) { @@ -82,21 +82,21 @@ hasFlagEqualOrGreaterThanValue(container, flag, value) { to_number(flag_value) >= value } -hasFlagBetweenValues(container, flag, higher, lower) { +hasFlagBetweenValues(container, flag, upperBound, lowerBound) { command := container.command startswith(command[a], flag) value := split(command[a], "=")[1] - betweenValues(value, higher, lower) + betweenValues(value, upperBound, lowerBound) } else { args := container.args startswith(args[a], flag) value := split(args[a], "=")[1] - betweenValues(value, higher, lower) + betweenValues(value, upperBound, lowerBound) } -betweenValues(value, higher, lower) { - to_number(value) > higher - to_number(value) < lower +betweenValues(value, upperBound, lowerBound) { + to_number(value) > upperBound + to_number(value) < lowerBound } # Valid K8s/Knative Kinds that support podSpec or PodSpecTemplate diff --git a/assets/libraries/openapi.rego b/assets/libraries/openapi.rego index d0dd9ef220c..91d14c4b07d 100644 --- a/assets/libraries/openapi.rego +++ b/assets/libraries/openapi.rego 
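Review bot: The renamed parameters of `betweenValues` and `hasFlagBetweenValues` are inverted with respect to the comparisons: the body tests `to_number(value) > upperBound` and `to_number(value) < lowerBound`, so the argument now called `upperBound` is the lower limit and vice versa. The old names `higher`/`lower` were already confusing, and the rename makes them read as a bug. Since callers pass these positionally, swapping the two names throughout the hunk — `betweenValues(value, lowerBound, upperBound)` with `to_number(value) > lowerBound` and `to_number(value) < upperBound`, and the same swap in the `hasFlagBetweenValues` signature and its two calls — fixes the naming without touching any call site outside the hunk.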
@@ -1,8 +1,10 @@ package generic.openapi +import future.keywords.in + check_openapi(doc) = version { object.get(doc, "openapi", "undefined") != "undefined" - regex.match("^3\\.0\\.\\d+$", doc.openapi) + regex.match(`^3\.0\.\d+$`, doc.openapi) version = "3.0" } else = version { object.get(doc, "swagger", "undefined") != "undefined" @@ -16,11 +18,11 @@ is_valid_url(url) { } improperly_defined(params, value) { - params.in == "header" + params["in"] == "header" params.name == value } -incorrect_ref(ref, object) { +incorrect_ref(reference, obj_type) { references := { "schemas": "#/components/schemas/", "responses": "#/components/responses/", @@ -32,17 +34,17 @@ incorrect_ref(ref, object) { "parameters": "#/components/parameters/", } - not startswith(ref, references[object]) + not startswith(reference, references[obj_type]) } -incorrect_ref_swagger(ref, object) { +incorrect_ref_swagger(reference, obj_type) { references := { "parameters": "#/parameters/", "responses": "#/responses/", "schemas": "#/definitions/", } - not startswith(ref, references[object]) + not startswith(reference, references[obj_type]) } content_allowed(operation, code) { @@ -69,9 +71,9 @@ undefined_field_in_json_object(doc, schema_ref, field, version) { } check_unused_reference(doc, referenceName, type) { - ref := sprintf("#/components/%s/%s", [type, referenceName]) + reference := sprintf("#/components/%s/%s", [type, referenceName]) - count({ref | [_, value] := walk(doc); ref == value["$ref"]}) == 0 + count({reference | [_, value] := walk(doc); reference == value["$ref"]}) == 0 } check_reference_unexisting(doc, reference, type) = checkComponents { @@ -98,9 +100,7 @@ resolve_path(pathItem) = resolved { } else = resolved { is_number(pathItem) resolved := "" -} else = pathItem { - true -} +} else = pathItem # It verifies if the path contains an operation. If true, keeps the operation type and the response code related to it is_operation(path) = info { 
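Review bot: In `check_unused_reference` the set comprehension `{reference | [_, value] := walk(doc); reference == value["$ref"]}` uses the already-bound outer `reference` as its head variable, so the set can only ever be empty or `{reference}`; the rename from `ref` preserved a construction that reads as if it collected references. A form that states the intent directly is `count([1 | [_, value] := walk(doc); value["$ref"] == reference]) == 0`, or equivalently `not some_ref_matches` with a helper. This keeps the same behaviour while making it obvious that the comprehension is an existence test, not a collection.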
@@ -118,7 +118,7 @@ is_operation(path) = info { is_numeric_type(type) { numeric := {"integer", "number"} - type == numeric[_] + type in numeric } # It verifies if the string schema does not have the 'field' defined @@ -236,7 +236,7 @@ api_key_exposed(doc, version, s) { version == "2.0" doc.securityDefinitions[s].type == "apiKey" scheme := doc.schemes[_] - scheme == "http" + scheme == "http" } else { version == "2.0" doc.securityDefinitions[s].type == "apiKey" @@ -270,7 +270,7 @@ concat_default_value(path, defaultValue) = searchKey { } get_name(p, name) = sk { - p[minus(count(p), 1)] == "components" + p[count(p) - 1] == "components" sk := name } else = sk { sk := concat("", ["name=", name]) @@ -296,10 +296,10 @@ get_discriminator(schema, version) = discriminator { discriminator := {"obj": schema.discriminator, "path": "discriminator"} } -check_definitions(doc, object, name) { +check_definitions(doc, obj_type, name) { [path, value] := walk(doc) - ref := value["$ref"] - count({x | ref == sprintf("#/%s/%s", [object, name]); x := ref}) == 0 + reference := value["$ref"] + count({x | reference == sprintf("#/%s/%s", [obj_type, name]); x := reference}) == 0 } is_valid_mime(mime) { diff --git a/assets/libraries/pulumi.rego b/assets/libraries/pulumi.rego index d5d40c995d4..70a7624da61 100644 --- a/assets/libraries/pulumi.rego +++ b/assets/libraries/pulumi.rego @@ -12,6 +12,6 @@ getResourceName(resource, logicName) = name { } pulumiResourcesWithName = { - "gcp:storage:Bucket" : "name", - "gcp:compute:SSLPolicy" : "name", + "gcp:storage:Bucket": "name", + "gcp:compute:SSLPolicy": "name", } diff --git a/assets/libraries/serverlessfw.rego b/assets/libraries/serverlessfw.rego index 0e7eb3f57da..672303d75a7 100644 --- a/assets/libraries/serverlessfw.rego +++ b/assets/libraries/serverlessfw.rego 
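Review bot: `check_definitions` iterates `[path, value] := walk(doc)` outside the comprehension, so the rule body succeeds as soon as any single `$ref` in the document differs from `#/<obj_type>/<name>`, not when no `$ref` points at it; this appears to be pre-existing logic, but the commit rewrites exactly these lines. If the intent is "this definition is never referenced" (as `check_unused_reference` in the earlier hunk expresses), the walk belongs inside the comprehension: `count({x | [_, value] := walk(doc); x := value["$ref"]; x == sprintf("#/%s/%s", [obj_type, name])}) == 0`. The unused `path` binding would then disappear as well. Please confirm against the query tests before changing it, since callers may rely on the current semantics.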
@@ -2,36 +2,36 @@ package generic.serverlessfw import data.generic.common as common_lib -resourceTypeMapping(resourceType, provider)= resourceTypeVal{ - resourceTypeVal :=resourcesMap[provider][resourceType] +resourceTypeMapping(resourceType, provider) = resourceTypeVal { + resourceTypeVal := resourcesMap[provider][resourceType] } resourcesMap = { - "aws": { - "function": "AWS::Lambda", - "api": "AWS::ApiGateway", - "iam": "AWS::IAM" - }, - "azure":{ - "function": "Azure:Function", - "api": "Azure:APIManagement", - "iam": "Azure:Role" - }, - "google":{ - "function": "Google:Cloudfunctions", - "api": "Google:ApiGateway", - "iam": "Google:IAM" - }, - "aliyun":{ - "function": "Aliyun:FunctionCompute", - "api": "Aliyun:ApiGateway", - "iam": "Aliyun:RAM" - } + "aws": { + "function": "AWS::Lambda", + "api": "AWS::ApiGateway", + "iam": "AWS::IAM", + }, + "azure": { + "function": "Azure:Function", + "api": "Azure:APIManagement", + "iam": "Azure:Role", + }, + "google": { + "function": "Google:Cloudfunctions", + "api": "Google:ApiGateway", + "iam": "Google:IAM", + }, + "aliyun": { + "function": "Aliyun:FunctionCompute", + "api": "Aliyun:ApiGateway", + "iam": "Aliyun:RAM", + }, } -get_service_name(document) = name{ - name := document.service.name +get_service_name(document) = name { + name := document.service.name } else = name { - is_string(document.service) - name := document.service + is_string(document.service) + name := document.service } diff --git a/assets/libraries/terraform.rego b/assets/libraries/terraform.rego index 032a6dc775c..abeec31b3a9 100644 --- a/assets/libraries/terraform.rego +++ b/assets/libraries/terraform.rego @@ -1,9 +1,10 @@ package generic.terraform import data.generic.common as common_lib +import future.keywords.in check_cidr(rule) { - rule.cidr_blocks[_] == "0.0.0.0/0" + "0.0.0.0/0" in rule.cidr_blocks } else { rule.cidr_block == "0.0.0.0/0" } 
@@ -448,7 +449,7 @@ getStatement(policy) = st { is_publicly_accessible(policy) { statements := getStatement(policy) - statement:= statements[_] + statement := statements[_] statement.Effect == "Allow" anyPrincipal(statement) } @@ -484,8 +485,8 @@ get_accessibility(resource, name, resourcePolicyName, resourceTarget) = info { } is_default_password(password) = output { - contains(password, data.common_lib.default_passwords[_]) - output = true + contains(password, data.common_lib.default_passwords[_]) + output = true } else = output { # repetition of the same number more than three times regex.match(`(0{3,}|1{3,}|2{3,}|3{3,}|4{3,}|5{3,}|6{3,}|7{3,}|8{3,}|9{3,})`, password) == true @@ -524,21 +525,20 @@ matches(target, name) { target == name } - has_target_resource(bucketName, resourceName) { resource := input.document[i].resource[resourceName][_] split(resource.bucket, ".")[1] == bucketName } -#Checks if an action is allowed for all principals +# Checks if an action is allowed for all principals allows_action_from_all_principals(json_policy, action) { - policy := common_lib.json_unmarshal(json_policy) + policy := common_lib.json_unmarshal(json_policy) st := common_lib.get_statement(policy) statement := st[_] statement.Effect == "Allow" - anyPrincipal(statement) - common_lib.containsOrInArrayContains(statement.Action, action) + anyPrincipal(statement) + common_lib.containsOrInArrayContains(statement.Action, action) } resourceFieldName = { @@ -553,10 +553,10 @@ resourceFieldName = { } get_resource_name(resource, resourceDefinitionName) = name { - name := resource["name"] + name := resource.name +} else = name { + name := resource.display_name } else = name { - name := resource["display_name"] -} else = name { name := resource.metadata.name } else = name { prefix := resource.name_prefix diff --git a/assets/queries/ansible/aws/api_gateway_without_waf/query.rego b/assets/queries/ansible/aws/api_gateway_without_waf/query.rego index 5342fe2c185..43ee1c032f7 100644 
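Review bot: In `is_default_password` the first branch references `data.common_lib.default_passwords`, bypassing the `common_lib` alias that this file imports for `data.generic.common`; unless a separate `common_lib` package exists, that path is undefined and the branch can never match, silently leaving only the regex fallbacks. The consistent form is `contains(password, common_lib.default_passwords[_])`, matching every other `common_lib.` call in this file. The rule's `else` branch continues past the end of the hunk.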
--- a/assets/queries/ansible/aws/api_gateway_without_waf/query.rego +++ b/assets/queries/ansible/aws/api_gateway_without_waf/query.rego @@ -27,10 +27,10 @@ CxPolicy[result] { has_waf_associated(stage) { waf := {"community.aws.wafv2_resources", "wafv2_resources"} - task2 := ans_lib.tasks[_][_] + task2 := ans_lib.tasks[_][_] wafResource := task2[waf[_]] - ans_lib.checkState(wafResource) - contains(wafResource.arn, "arn:aws:apigateway:") - associatedStage := split(wafResource.arn, "/") - associatedStage[4] == stage + ans_lib.checkState(wafResource) + contains(wafResource.arn, "arn:aws:apigateway:") + associatedStage := split(wafResource.arn, "/") + associatedStage[4] == stage } diff --git a/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/query.rego b/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/query.rego index 3d3b240f6e9..ed61a8f54b4 100644 --- a/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/query.rego +++ b/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/query.rego @@ -24,9 +24,7 @@ CxPolicy[result] { issueType(str) = "MissingAttribute" { str == "" -} else = "IncorrectValue" { - true -} +} else = "IncorrectValue" checkAllowPass(pwPolicy) = ".allow_pw_change" { ansLib.isAnsibleFalse(pwPolicy.allow_pw_change) @@ -35,6 +33,4 @@ checkAllowPass(pwPolicy) = ".allow_pw_change" { } else = "" { not pwPolicy.allow_pw_change not pwPolicy.allow_password_change -} else = "none" { - true -} +} else = "none" diff --git a/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/query.rego b/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/query.rego index 9d0a134f015..163e02b8938 100644 --- a/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/query.rego +++ b/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/query.rego 
@@ -12,7 +12,7 @@ CxPolicy[result] { result := { "documentId": id, - "resourceType": "community.aws.aws_acm", + "resourceType": "community.aws.aws_acm", "resourceName": task.name, "searchKey": sprintf("name={{%s}}.community.aws.aws_acm.certificate", [task.name]), "issueType": "IncorrectValue", diff --git a/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/query.rego b/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/query.rego index b66809eebab..9115fc6d150 100644 --- a/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/query.rego +++ b/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/query.rego @@ -10,7 +10,7 @@ CxPolicy[result] { searchKey := getCidrBlock(group) - splitted := regex.split("{{|}}", searchKey) + splitted := regex.split(`{{|}}`, searchKey) errorPath := substring(splitted[0], 0, count(splitted[0]) - 1) errorValue := splitted[1] diff --git a/assets/queries/ansible/aws/ec2_group_has_public_interface/query.rego b/assets/queries/ansible/aws/ec2_group_has_public_interface/query.rego index 13f1311aeaf..29e3398dddc 100644 --- a/assets/queries/ansible/aws/ec2_group_has_public_interface/query.rego +++ b/assets/queries/ansible/aws/ec2_group_has_public_interface/query.rego @@ -11,8 +11,8 @@ CxPolicy[result] { ans_lib.checkState(ec2_instance) rule := ec2_instance.rules[idx] - - cidrs := {"cidr_ip": "0.0.0.0/0", "cidr_ipv6" : "::/0"} + + cidrs := {"cidr_ip": "0.0.0.0/0", "cidr_ipv6": "::/0"} cidrValue := cidrs[cidr] diff --git a/assets/queries/ansible/aws/ec2_instance_using_default_security_group/query.rego b/assets/queries/ansible/aws/ec2_instance_using_default_security_group/query.rego index 1b0e139eec4..58699b8448f 100644 --- a/assets/queries/ansible/aws/ec2_instance_using_default_security_group/query.rego +++ b/assets/queries/ansible/aws/ec2_instance_using_default_security_group/query.rego 
@@ -23,7 +23,7 @@ CxPolicy[result] { "searchKey": sprintf("name={{%s}}.{{%s}}.%s", [task.name, modules[m], sgs[s]]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'%s' should not be using default security group", [sgs[s]]), - "keyActualValue": sprintf("'%s' is using default security group", [sgs[s]]), + "keyActualValue": sprintf("'%s' is using default security group", [sgs[s]]), "searchLine": common_lib.build_search_line(["playbooks", t, modules[m], sgs[s]], [idx]), } } @@ -48,8 +48,7 @@ CxPolicy[result] { "searchKey": sprintf("name={{%s}}.{{%s}}.%s", [task.name, modules[m], sgs[s]]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'%s' should not be using default security group", [sgs[s]]), - "keyActualValue": sprintf("'%s' is using default security group", [sgs[s]]), + "keyActualValue": sprintf("'%s' is using default security group", [sgs[s]]), "searchLine": common_lib.build_search_line(["playbooks", t, modules[m], sgs[s]], []), } } - diff --git a/assets/queries/ansible/aws/ec2_instance_using_default_vpc/query.rego b/assets/queries/ansible/aws/ec2_instance_using_default_vpc/query.rego index d4911ed9657..9d179179142 100644 --- a/assets/queries/ansible/aws/ec2_instance_using_default_vpc/query.rego +++ b/assets/queries/ansible/aws/ec2_instance_using_default_vpc/query.rego @@ -3,7 +3,6 @@ package Cx import data.generic.ansible as ans_lib import data.generic.common as common_lib - CxPolicy[result] { task := ans_lib.tasks[id][t] modules := {"amazon.aws.ec2", "ec2"} @@ -30,7 +29,7 @@ CxPolicy[result] { "searchKey": sprintf("name={{%s}}.{{%s}}.vpc_subnet_id", [task.name, modules[m]]), "issueType": "IncorrectValue", "keyExpectedValue": "'vpc_subnet_id' should not be associated with a default VPC", - "keyActualValue": "'vpc_subnet_id' is associated with a default VPC", + "keyActualValue": "'vpc_subnet_id' is associated with a default VPC", "searchLine": common_lib.build_search_line(["playbooks", t, modules[m], "vpc_subnet_id"], []), } } 
diff --git a/assets/queries/ansible/aws/ecs_service_without_running_tasks/query.rego b/assets/queries/ansible/aws/ecs_service_without_running_tasks/query.rego index afc693972a8..bfc6f172efb 100644 --- a/assets/queries/ansible/aws/ecs_service_without_running_tasks/query.rego +++ b/assets/queries/ansible/aws/ecs_service_without_running_tasks/query.rego @@ -42,8 +42,9 @@ CxPolicy[result] { } checkContent(deploymentConfiguration) { - common_lib.valid_key(deploymentConfiguration, "maximum_percent") + common_lib.valid_key(deploymentConfiguration, "maximum_percent") } + checkContent(deploymentConfiguration) { - common_lib.valid_key(deploymentConfiguration, "minimum_healthy_percent") + common_lib.valid_key(deploymentConfiguration, "minimum_healthy_percent") } diff --git a/assets/queries/ansible/aws/elasticsearch_with_https_disabled/query.rego b/assets/queries/ansible/aws/elasticsearch_with_https_disabled/query.rego index e6367a7fe3b..3bb365e7b7a 100644 --- a/assets/queries/ansible/aws/elasticsearch_with_https_disabled/query.rego +++ b/assets/queries/ansible/aws/elasticsearch_with_https_disabled/query.rego @@ -19,7 +19,7 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("name={{%s}}.{{%s}}.domain_endpoint_options.enforce_https should be set to 'true'", [task.name, modules[m]]), "keyActualValue": sprintf("name={{%s}}.{{%s}}.domain_endpoint_options.enforce_https is set to 'false'", [task.name, modules[m]]), - "searchLine": common_lib.build_search_line(["playbooks", t, modules[m],"domain_endpoint_options","enforce_https"], []), + "searchLine": common_lib.build_search_line(["playbooks", t, modules[m], "domain_endpoint_options", "enforce_https"], []), } } 
@@ -39,7 +39,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("name={{%s}}.{{%s}}.domain_endpoint_options.enforce_https should be defined and set to 'true'", [task.name, modules[m]]), "keyActualValue": sprintf("name={{%s}}.{{%s}}.domain_endpoint_options.enforce_https is not set", [task.name, modules[m]]), - "searchLine": common_lib.build_search_line(["playbooks", t, modules[m],"domain_endpoint_options"], []), + "searchLine": common_lib.build_search_line(["playbooks", t, modules[m], "domain_endpoint_options"], []), } } @@ -61,4 +61,4 @@ CxPolicy[result] { "keyActualValue": sprintf("name={{%s}}.{{%s}}.domain_endpoint_options.enforce_https is not set", [task.name, modules[m]]), "searchLine": common_lib.build_search_line(["playbooks", t, modules[m]], []), } -} \ No newline at end of file +} diff --git a/assets/queries/ansible/aws/iam_database_auth_not_enabled/query.rego b/assets/queries/ansible/aws/iam_database_auth_not_enabled/query.rego index 26d6ac23220..8c15b320cbe 100644 --- a/assets/queries/ansible/aws/iam_database_auth_not_enabled/query.rego +++ b/assets/queries/ansible/aws/iam_database_auth_not_enabled/query.rego @@ -10,10 +10,9 @@ CxPolicy[result] { rds_instance := task[modules[m]] ansLib.checkState(rds_instance) - common_lib.valid_for_iam_engine_and_version_check(rds_instance,"engine", "engine_version", "instance_type") + common_lib.valid_for_iam_engine_and_version_check(rds_instance, "engine", "engine_version", "instance_type") ansLib.isAnsibleFalse(rds_instance.enable_iam_database_authentication) - result := { "documentId": id, "resourceType": modules[m], 
@@ -30,7 +29,7 @@ CxPolicy[result] { rds_instance := task[modules[m]] ansLib.checkState(rds_instance) - common_lib.valid_for_iam_engine_and_version_check(rds_instance,"engine", "engine_version", "instance_type") + common_lib.valid_for_iam_engine_and_version_check(rds_instance, "engine", "engine_version", "instance_type") not common_lib.valid_key(rds_instance, "enable_iam_database_authentication") result := { diff --git a/assets/queries/ansible/aws/iam_group_without_users/query.rego b/assets/queries/ansible/aws/iam_group_without_users/query.rego index f1488b10a6a..45ba4a49b90 100644 --- a/assets/queries/ansible/aws/iam_group_without_users/query.rego +++ b/assets/queries/ansible/aws/iam_group_without_users/query.rego @@ -6,19 +6,19 @@ import data.generic.common as common_lib modules := {"community.aws.iam_group", "iam_group"} CxPolicy[result] { - task := ansLib.tasks[id][t] - iam_group := task[modules[m]] - ansLib.checkState(iam_group) + task := ansLib.tasks[id][t] + iam_group := task[modules[m]] + ansLib.checkState(iam_group) - not common_lib.valid_key(iam_group, "users") + not common_lib.valid_key(iam_group, "users") - result := { - "documentId": id, - "resourceType": modules[m], + result := { + "documentId": id, + "resourceType": modules[m], "resourceName": task.name, - "searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]), - "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("%s.users should be defined and not null", [modules[m]]), - "keyActualValue": sprintf("%s.users is undefined or null", [modules[m]]), - } + "searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]), + "issueType": "MissingAttribute", + "keyExpectedValue": sprintf("%s.users should be defined and not null", [modules[m]]), + "keyActualValue": sprintf("%s.users is undefined or null", [modules[m]]), + } } 
diff --git a/assets/queries/ansible/aws/iam_password_without_minimum_length/query.rego b/assets/queries/ansible/aws/iam_password_without_minimum_length/query.rego index 1d8654f4124..8009b51d036 100644 --- a/assets/queries/ansible/aws/iam_password_without_minimum_length/query.rego +++ b/assets/queries/ansible/aws/iam_password_without_minimum_length/query.rego @@ -46,6 +46,4 @@ getName(policyBody) = "min_pw_length" { common_lib.valid_key(policyBody, "min_pw_length") } else = "minimum_password_length" { common_lib.valid_key(policyBody, "minimum_password_length") -} else = false { - true -} +} else = false diff --git a/assets/queries/ansible/aws/kms_key_with_full_permissions/query.rego b/assets/queries/ansible/aws/kms_key_with_full_permissions/query.rego index 372995b5fc4..c5c8269a7b3 100644 --- a/assets/queries/ansible/aws/kms_key_with_full_permissions/query.rego +++ b/assets/queries/ansible/aws/kms_key_with_full_permissions/query.rego @@ -3,7 +3,6 @@ package Cx import data.generic.ansible as ans_lib import data.generic.common as common_lib - CxPolicy[result] { task := ans_lib.tasks[id][t] modules := {"community.aws.aws_kms", "aws_kms"} diff --git a/assets/queries/ansible/aws/misconfigured_password_policy_expiration/query.rego b/assets/queries/ansible/aws/misconfigured_password_policy_expiration/query.rego index 87e920c311f..c5919f721a3 100644 --- a/assets/queries/ansible/aws/misconfigured_password_policy_expiration/query.rego +++ b/assets/queries/ansible/aws/misconfigured_password_policy_expiration/query.rego @@ -24,9 +24,7 @@ CxPolicy[result] { issueType(str) = "MissingAttribute" { str == "" -} else = "IncorrectValue" { - true -} +} else = "IncorrectValue" checkPwMaxAge(pwPolicy) = ".pw_max_age" { pwPolicy.pw_max_age > 90 @@ -35,6 +33,4 @@ checkPwMaxAge(pwPolicy) = ".pw_max_age" { } else = "" { not pwPolicy.pw_max_age not pwPolicy.password_max_age -} else = "none" { - true -} +} else = "none" 
diff --git a/assets/queries/ansible/aws/password_without_reuse_prevention/query.rego b/assets/queries/ansible/aws/password_without_reuse_prevention/query.rego index a49594dad2b..80bcf914734 100644 --- a/assets/queries/ansible/aws/password_without_reuse_prevention/query.rego +++ b/assets/queries/ansible/aws/password_without_reuse_prevention/query.rego @@ -24,9 +24,7 @@ CxPolicy[result] { issueType(str) = "MissingAttribute" { str == "" -} else = "IncorrectValue" { - true -} +} else = "IncorrectValue" checkPwReusePrevent(pwPolicy) = ".password_reuse_prevent" { pwPolicy.password_reuse_prevent == 0 @@ -38,6 +36,4 @@ checkPwReusePrevent(pwPolicy) = ".password_reuse_prevent" { not pwPolicy.password_reuse_prevent not pwPolicy.pw_reuse_prevent not pwPolicy.prevent_reuse -} else = "none" { - true -} +} else = "none" diff --git a/assets/queries/ansible/aws/rds_associated_with_public_subnet/query.rego b/assets/queries/ansible/aws/rds_associated_with_public_subnet/query.rego index ff5d008efb9..4989ca4d772 100644 --- a/assets/queries/ansible/aws/rds_associated_with_public_subnet/query.rego +++ b/assets/queries/ansible/aws/rds_associated_with_public_subnet/query.rego @@ -49,7 +49,6 @@ unrestricted_cidr(sb) { sb.ipv6_cidr == "::/0" } - is_public(subnets) { subnet := subnets[_] subnetNameUnclean := split(subnet, ".")[0] diff --git a/assets/queries/ansible/aws/redshift_using_default_port/query.rego b/assets/queries/ansible/aws/redshift_using_default_port/query.rego index 88bad6cee97..0fcece399fe 100644 --- a/assets/queries/ansible/aws/redshift_using_default_port/query.rego +++ b/assets/queries/ansible/aws/redshift_using_default_port/query.rego @@ -1,7 +1,7 @@ package Cx import data.generic.ansible as ans_lib -import data.generic.common as common_lib +import data.generic.common as common_lib CxPolicy[result] { task := ans_lib.tasks[id][t] 
diff --git a/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/query.rego b/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/query.rego index 940287695db..01153de4245 100644 --- a/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/query.rego +++ b/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/query.rego @@ -8,7 +8,7 @@ CxPolicy[result] { modules := {"community.aws.sns_topic", "sns_topic"} snsTopicCommunity := task[modules[m]] ansLib.checkState(snsTopicCommunity) - st := common_lib.get_statement(common_lib.get_policy(snsTopicCommunity.policy)) + st := common_lib.get_statement(common_lib.get_policy(snsTopicCommunity.policy)) statement := st[_] statement.Effect == "Allow" diff --git a/assets/queries/ansible/aws/stack_retention_disabled/query.rego b/assets/queries/ansible/aws/stack_retention_disabled/query.rego index 95361506741..8d3e2dedf2b 100644 --- a/assets/queries/ansible/aws/stack_retention_disabled/query.rego +++ b/assets/queries/ansible/aws/stack_retention_disabled/query.rego @@ -5,7 +5,7 @@ import data.generic.common as common_lib CxPolicy[result] { task := ansLib.tasks[id][t] - modules := {"community.aws.cloudformation_stack_set",} + modules := {"community.aws.cloudformation_stack_set"} cloudformation_stack_set := task[modules[m]] ansLib.checkState(cloudformation_stack_set) @@ -30,7 +30,7 @@ CxPolicy[result] { common_lib.valid_key(cloudformation_stack_set, "purge_stacks") - cloudformation_stack_set.purge_stacks + cloudformation_stack_set.purge_stacks result := { "documentId": id, diff --git a/assets/queries/ansible/aws/unknown_port_exposed_to_internet/query.rego b/assets/queries/ansible/aws/unknown_port_exposed_to_internet/query.rego index 07eaac56c6c..c2f5bb0f1f0 100644 --- a/assets/queries/ansible/aws/unknown_port_exposed_to_internet/query.rego +++ b/assets/queries/ansible/aws/unknown_port_exposed_to_internet/query.rego 
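Review bot: In the `stack_retention_disabled` hunk, `cloudformation_stack_set.purge_stacks` is evaluated as a bare truthiness check, so any non-false value — including a YAML string such as `"no"` if the playbook quotes it — satisfies the rule and produces a finding. The library already has `isAnsibleFalse`, used in the `iam_database_auth_not_enabled` hunk, and its counterpart `isAnsibleTrue` normalises Ansible boolean spellings; `ansLib.isAnsibleTrue(cloudformation_stack_set.purge_stacks)` would make the check match the rest of the corpus. The commit only reformatted this line, so this is a pre-existing issue worth a follow-up.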
@@ -11,7 +11,7 @@ CxPolicy[result] { ansLib.checkState(ec2_group) rule := ec2_group.rules[index] - unknownPort(rule.from_port,rule.to_port) + unknownPort(rule.from_port, rule.to_port) isEntireNetwork(rule) result := { @@ -26,8 +26,7 @@ CxPolicy[result] { } } - -unknownPort(from_port,to_port) { +unknownPort(from_port, to_port) { port := numbers.range(from_port, to_port)[i] not commonLib.valid_key(commonLib.tcpPortsMap, port) } diff --git a/assets/queries/ansible/aws/unrestricted_security_group_ingress/query.rego b/assets/queries/ansible/aws/unrestricted_security_group_ingress/query.rego index 2846af140f9..9c9540833c4 100644 --- a/assets/queries/ansible/aws/unrestricted_security_group_ingress/query.rego +++ b/assets/queries/ansible/aws/unrestricted_security_group_ingress/query.rego @@ -10,7 +10,7 @@ CxPolicy[result] { searchKey := getCidrBlock(group) - splitted := regex.split("{{|}}", searchKey) + splitted := regex.split(`{{|}}`, searchKey) errorPath := substring(splitted[0], 0, count(splitted[0]) - 1) errorValue := splitted[1] diff --git a/assets/queries/ansible/azure/aks_network_policy_misconfigured/query.rego b/assets/queries/ansible/azure/aks_network_policy_misconfigured/query.rego index 5172d6f60b7..2916710c8f4 100644 --- a/assets/queries/ansible/azure/aks_network_policy_misconfigured/query.rego +++ b/assets/queries/ansible/azure/aks_network_policy_misconfigured/query.rego @@ -3,7 +3,6 @@ package Cx import data.generic.ansible as ansLib import data.generic.common as common_lib - modules := {"azure.azcollection.azure_rm_aks", "azure_rm_aks"} CxPolicy[result] { @@ -64,6 +63,4 @@ isValidNetworkPolicy(policy) { policy = "calico" } else { policy = "azure" -} else = false { - true -} +} else = false diff --git a/assets/queries/ansible/azure/azure_container_registry_with_no_locks/query.rego b/assets/queries/ansible/azure/azure_container_registry_with_no_locks/query.rego index 96b607e5c4c..2b0912553e4 100644 
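Review bot: In the `aks_network_policy_misconfigured` hunk, `isValidNetworkPolicy` compares its bound input with unification (`policy = "calico"`, `policy = "azure"`) while the new `else = false` default is being added; `==` states the intent as a comparison and avoids the reader wondering whether `policy` could be assigned here. In `unknownPort`, `numbers.range(from_port, to_port)[i]` binds an output variable `i` that is never used; `[_]` reads more clearly.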
--- a/assets/queries/ansible/azure/azure_container_registry_with_no_locks/query.rego +++ b/assets/queries/ansible/azure/azure_container_registry_with_no_locks/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.ansible as ans_lib +import data.generic.common as common_lib CxPolicy[result] { task := ans_lib.tasks[id][t] diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/query.rego b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/query.rego index 15a8888beaf..61f74c6cb3b 100644 --- a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/query.rego +++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/query.rego @@ -4,9 +4,9 @@ import future.keywords.if CxPolicy[result] { vm := input.document[i].playbooks[k].azure_rm_virtualmachine - is_linux_vm(vm) - not vm.ssh_password_enabled == false - not vm.linux_config.disable_password_authentication == false + is_linux_vm(vm) + not vm.ssh_password_enabled == false + not vm.linux_config.disable_password_authentication == false result := { "documentId": input.document[i].id, "resourceType": "azure_rm_virtualmachine", @@ -18,8 +18,8 @@ CxPolicy[result] { } } -is_linux_vm(vm) { - lower(vm.os_type) == "linux" -} else { - not vm.os_type +is_linux_vm(vm) if { + lower(vm.os_type) == "linux" +} else if { + not vm.os_type } diff --git a/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/query.rego b/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/query.rego index 26bf26e90a7..328cf6c0672 100644 --- a/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/query.rego +++ b/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/query.rego 
@@ -9,12 +9,12 @@ CxPolicy[result] { storageAccount := task[modules[index]] ansLib.checkState(storageAccount) - res1 := publicNetworkAccessEnabled(storageAccount) - res2 := aclsDefaultActionAllow(storageAccount) + res1 := publicNetworkAccessEnabled(storageAccount) + res2 := aclsDefaultActionAllow(storageAccount) - issue := prepare_issue(res1, res2) + issue := prepare_issue(res1, res2) - result := { + result := { "documentId": id, "resourceType": modules[index], "resourceName": task.name, 
@@ -36,34 +36,34 @@ publicNetworkAccessEnabled(sa) = reason { aclsDefaultActionAllow(sa) = reason { not sa.network_acls.default_action - reason := "not defined" + reason := "not defined" } else = reason { sa.network_acls.default_action - lower(sa.network_acls.default_action) == "allow" - reason := "allow" + lower(sa.network_acls.default_action) == "allow" + reason := "allow" } prepare_issue(val1, val2) = issue { val1 == "not defined" - val2 == "not defined" + val2 == "not defined" - issue := { - "kav": "azure_rm_storageaccount.public_network_access is not set (default is 'Enabled')", - "kev": "azure_rm_storageaccount.public_network_access should be set to 'Disabled'", - "issueType": "MissingAttribute" - } + issue := { + "kav": "azure_rm_storageaccount.public_network_access is not set (default is 'Enabled')", + "kev": "azure_rm_storageaccount.public_network_access should be set to 'Disabled'", + "issueType": "MissingAttribute", + } } else = issue { val1 == "enabled" - issue := { - "kav": "azure_rm_storageaccount.public_network_access is set to 'Enabled'", - "kev": "azure_rm_storageaccount.public_network_access should be set to 'Disabled'", - "issueType": "IncorrectValue" - } + issue := { + "kav": "azure_rm_storageaccount.public_network_access is set to 'Enabled'", + "kev": "azure_rm_storageaccount.public_network_access should be set to 'Disabled'", + "issueType": "IncorrectValue", + } } else = issue { - val2 == "allow" - issue := { - "kav": "azure_rm_storageaccountnetworkAcls.network_acls.default_action is set to 'Allow'", - "kev": "azure_rm_storageaccountnetworkAcls.network_acls.default_action should be set to 'Deny'", - "issueType": "IncorrectValue" - } -} \ No newline at end of file + val2 == "allow" + issue := { + "kav": "azure_rm_storageaccountnetworkAcls.network_acls.default_action is set to 'Allow'", + "kev": "azure_rm_storageaccountnetworkAcls.network_acls.default_action should be set to 'Deny'", + "issueType": "IncorrectValue", + } +} 
diff --git a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/query.rego b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/query.rego index ecdd8646841..aa4086f017f 100644 --- a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/query.rego +++ b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/query.rego @@ -83,8 +83,8 @@ isTCPorUDP(protocol) = is { is := upper(protocol) != "ICMP" } -inbound_direction(resource){ +inbound_direction(resource) { upper(resource.direction) == "INBOUND" -}else{ - not commonLib.valid_key(resource,"direction") +} else { + not commonLib.valid_key(resource, "direction") } diff --git a/assets/queries/ansible/azure/storage_account_not_forcing_https/query.rego b/assets/queries/ansible/azure/storage_account_not_forcing_https/query.rego index 2aa66279308..c66403e9cc9 100644 --- a/assets/queries/ansible/azure/storage_account_not_forcing_https/query.rego +++ b/assets/queries/ansible/azure/storage_account_not_forcing_https/query.rego @@ -10,7 +10,7 @@ CxPolicy[result] { storageAccount := task[modules[index]] ansLib.checkState(storageAccount) - not common_lib.valid_key(storageAccount, "https_only") + not common_lib.valid_key(storageAccount, "https_only") result := { "documentId": id, diff --git a/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/query.rego b/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/query.rego index 1aa029b132e..36c4e865c48 100644 --- a/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/query.rego +++ b/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/query.rego @@ -22,9 +22,7 @@ CxPolicy[result] { } } -containsAzureService(bypass) { - bypass == "\"\"" -} +containsAzureService("\"\"") = true containsAzureService(bypass) { values := split(bypass, ",") 
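Review bot: In `trusted_microsoft_services_not_enabled`, the new head `containsAzureService("\"\"") = true` keeps the literal `"\"\""` from the removed body, which is the two-character string consisting of two double-quote characters, not an empty string; with the old `bypass == ...` line gone the intent is even harder to see. A comment above the new line would make the accepted input explicit, e.g. `# a bypass value that is literally the two characters "" (an empty quoted string in the playbook) counts as no service`, with the wording adjusted to whatever the parser actually emits. The second `containsAzureService(bypass)` definition continues outside the hunk, so I could not confirm that both heads return the same value on every input they both match.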
diff --git a/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/query.rego b/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/query.rego index 2f866d6c8eb..9fc93008206 100644 --- a/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/query.rego +++ b/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/query.rego @@ -5,7 +5,7 @@ import data.generic.ansible as ansLib CxPolicy[result] { defaultsGroup := input.document[i].groups.defaults - defaultsGroup.allow_unsafe_lookups == true + defaultsGroup.allow_unsafe_lookups == true result := { "documentId": input.document[i].id, diff --git a/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/query.rego b/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/query.rego index 4b32ceeec49..52a0d280498 100644 --- a/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/query.rego +++ b/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/query.rego @@ -5,7 +5,7 @@ import data.generic.common as common_lib CxPolicy[result] { defaultsGroup := input.document[i].groups.defaults - not common_lib.valid_key(defaultsGroup, "no_log") + not common_lib.valid_key(defaultsGroup, "no_log") result := { "documentId": input.document[i].id, @@ -21,7 +21,7 @@ CxPolicy[result] { CxPolicy[result] { defaultsGroup := input.document[i].groups.defaults - defaultsGroup.no_log == false + defaultsGroup.no_log == false result := { "documentId": input.document[i].id, @@ -32,4 +32,4 @@ CxPolicy[result] { "keyExpectedValue": "no_log should be set to 'true'", "keyActualValue": "no_log is set to 'false'", } -} \ No newline at end of file +} diff --git a/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/query.rego b/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/query.rego index 354370ef715..acd99ff20a6 100644 
--- a/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/query.rego +++ b/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/query.rego @@ -6,7 +6,7 @@ import data.generic.common as common_lib CxPolicy[result] { defaultsGroup := input.document[i].groups.defaults - not common_lib.valid_key(defaultsGroup, "become") + not common_lib.valid_key(defaultsGroup, "become") common_lib.valid_key(defaultsGroup, "become_user") result := { @@ -23,7 +23,7 @@ CxPolicy[result] { CxPolicy[result] { defaultsGroup := input.document[i].groups.defaults - defaultsGroup.become == false + defaultsGroup.become == false common_lib.valid_key(defaultsGroup, "become_user") result := { @@ -35,4 +35,4 @@ CxPolicy[result] { "keyExpectedValue": "'become' should be set to 'true'", "keyActualValue": "'become' is set to 'false'", } -} \ No newline at end of file +} diff --git a/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/query.rego b/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/query.rego index b80741e29e5..2eae9fe7af8 100644 --- a/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/query.rego +++ b/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/query.rego @@ -17,7 +17,6 @@ CxPolicy[result] { ans_lib.checkState(computeNetwork) firewall.network == sprintf("{{ %s }}", [tk.register]) - result := { "documentId": id, "resourceType": modulesCompute[m], @@ -29,4 +28,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["playbooks", t, modulesCompute[m]], []), } } - diff --git a/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/query.rego b/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/query.rego index fb9ea48db31..736177a1ba8 100644 --- a/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/query.rego 
+++ b/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/query.rego @@ -10,7 +10,7 @@ CxPolicy[result] { ans_lib.checkState(firewall) common_lib.is_ingress(firewall) - regex.match("[0-9]+-[0-9]+", firewall.allowed[_].ports[_]) + regex.match(`[0-9]+-[0-9]+`, firewall.allowed[_].ports[_]) firewall.allowed[_].ports[_] != "0-65535" tk := ans_lib.tasks[id][_] @@ -19,7 +19,6 @@ CxPolicy[result] { ans_lib.checkState(computeNetwork) firewall.network == sprintf("{{ %s }}", [tk.register]) - result := { "documentId": id, "resourceType": modulesCompute[m], diff --git a/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/query.rego b/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/query.rego index c7e61743ce6..964ed8a144c 100644 --- a/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/query.rego +++ b/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/query.rego @@ -18,7 +18,6 @@ CxPolicy[result] { ans_lib.checkState(computeNetwork) firewall.network == sprintf("{{ %s }}", [tk.register]) - result := { "documentId": id, "resourceType": modulesCompute[m], diff --git a/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/query.rego b/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/query.rego index a225bb8087f..ab4de145d44 100644 --- a/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/query.rego +++ b/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/query.rego 
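Review bot: The raw-string change leaves the two `_` wildcards on the new `regex.match` line and on the following `firewall.allowed[_].ports[_] != "0-65535"` line as independent variables, so the rule fires when one port entry looks like a range and a different entry is not `"0-65535"` (for example `ports: ["0-65535", "22"]`), which is presumably not the intent of the exclusion. Bind the element once, `port := firewall.allowed[_].ports[_]`, run the raw-string regex on `port`, and then check `port != "0-65535"`, so both conditions apply to the same entry. While touching the pattern it may also be worth anchoring it as `^[0-9]+-[0-9]+$`, since the unanchored form matches any string that merely contains a digits-dash-digits fragment. The enclosing `CxPolicy[result]` rule starts before and continues after this hunk.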
@@ -37,7 +37,7 @@ CxPolicy[result] { "resourceName": task.name, "searchKey": sprintf("name={{%s}}.{{%s}}.private_ip_google_access", [task.name, modules[m]]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("%s.private_ip_google_access should be set to yes", [modules[m]]), + "keyExpectedValue": sprintf("%s.private_ip_google_access should be set to yes", [modules[m]]), "keyActualValue": sprintf("%s.private_ip_google_access is set to no", [modules[m]]), "searchLine": common_lib.build_search_line(["playbooks", t, modules[m], "private_ip_google_access"], []), } diff --git a/assets/queries/ansible/gcp/ssh_access_is_not_restricted/query.rego b/assets/queries/ansible/gcp/ssh_access_is_not_restricted/query.rego index b76f6f76462..8e2181ec842 100644 --- a/assets/queries/ansible/gcp/ssh_access_is_not_restricted/query.rego +++ b/assets/queries/ansible/gcp/ssh_access_is_not_restricted/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.ansible as ansLib +import data.generic.common as common_lib CxPolicy[result] { task := ansLib.tasks[id][t] @@ -10,7 +10,7 @@ CxPolicy[result] { ansLib.checkState(instance) common_lib.is_ingress(instance) - common_lib.is_unrestricted(instance.source_ranges[_]) #Allow traffic ingressing from anywhere + common_lib.is_unrestricted(instance.source_ranges[_]) # Allow traffic ingressing from anywhere allowed := instance.allowed ansLib.allowsPort(allowed[k], "22") diff --git a/assets/queries/ansible/general/communication_over_http/query.rego b/assets/queries/ansible/general/communication_over_http/query.rego index c77466df65b..4b6c8585e81 100644 --- a/assets/queries/ansible/general/communication_over_http/query.rego +++ b/assets/queries/ansible/general/communication_over_http/query.rego @@ -3,7 +3,6 @@ package Cx import data.generic.ansible as ansLib import data.generic.common as common_lib - CxPolicy[result] { task := ansLib.tasks[id][t] modules := {"ansible.builtin.uri"} 
diff --git a/assets/queries/ansible/general/insecure_relative_path_resolution/query.rego b/assets/queries/ansible/general/insecure_relative_path_resolution/query.rego index b48eb837a10..98755e70017 100644 --- a/assets/queries/ansible/general/insecure_relative_path_resolution/query.rego +++ b/assets/queries/ansible/general/insecure_relative_path_resolution/query.rego @@ -3,10 +3,10 @@ package Cx import data.generic.ansible as ansLib module_to_folder = { - "copy": "files", - "win_copy": "files", - "template": "templates", - "win_template": "win_templates", + "copy": "files", + "win_copy": "files", + "template": "templates", + "win_template": "win_templates", "ansible.builtin.template": "templates", "ansible.builtin.copy": "files", } @@ -30,4 +30,3 @@ CxPolicy[result] { "keyActualValue": sprintf("%s.src is a relative path", [m]), } } - diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/query.rego b/assets/queries/ansible/general/logging_of_sensitive_data/query.rego index d1040f7585b..a7ff6be9307 100644 --- a/assets/queries/ansible/general/logging_of_sensitive_data/query.rego +++ b/assets/queries/ansible/general/logging_of_sensitive_data/query.rego @@ -39,4 +39,4 @@ CxPolicy[result] { "keyExpectedValue": "'no_log' should be set to 'true' in order to not expose sensitive data", "keyActualValue": "'no_log' is set to false", } -} \ No newline at end of file +} diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego index 2b47c1c39b0..c79f959f76c 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego @@ -40,7 +40,7 @@ CxPolicy[result] { task.become == false commonLib.valid_key(task, "become_user") - result := { + result := { "documentId": id, "resourceType": "n/a", "resourceName": "n/a", 
@@ -56,7 +56,7 @@ CxPolicy[result] { not commonLib.valid_key(task, "become") commonLib.valid_key(task, "become_user") - result := { + result := { "documentId": id, "resourceType": "n/a", "resourceName": "n/a", @@ -65,4 +65,4 @@ CxPolicy[result] { "keyExpectedValue": sprintf("'become' should be defined and set to 'true' in order to perform an action with %s", [task.become_user]), "keyActualValue": "'become' is not defined", } -} \ No newline at end of file +} diff --git a/assets/queries/ansible/general/risky_file_permissions/query.rego b/assets/queries/ansible/general/risky_file_permissions/query.rego index 0f3bff789f1..8aa6ea5be0b 100644 --- a/assets/queries/ansible/general/risky_file_permissions/query.rego +++ b/assets/queries/ansible/general/risky_file_permissions/query.rego @@ -3,15 +3,14 @@ package Cx import data.generic.ansible as ansLib import data.generic.common as common_lib - CxPolicy[result] { task := ansLib.tasks[id][e] - action := task[m] - action.mode == "preserve" - - modules_with_preserve := ["copy", "template"] - count([x | x := modules_with_preserve[mp]; x == m]) == 0 - + action := task[m] + action.mode == "preserve" + + modules_with_preserve := ["copy", "template"] + count([x | x := modules_with_preserve[mp]; x == m]) == 0 + result := { "documentId": id, "resourceType": m, 
@@ -25,20 +24,20 @@ CxPolicy[result] { CxPolicy[result] { task := ansLib.tasks[id][_] - modules := [ - "archive", "community.general.archive", "assemble", "ansible.builtin.assemble", "copy", "ansible.builtin.copy", "file", "ansible.builtin.file", - "get_url", "ansible.builtin.get_url", "template", "ansible.builtin.template", - ] + modules := [ + "archive", "community.general.archive", "assemble", "ansible.builtin.assemble", "copy", "ansible.builtin.copy", "file", "ansible.builtin.file", + "get_url", "ansible.builtin.get_url", "template", "ansible.builtin.template", + ] action := task[modules[m]] - state := object.get(action, "state", "none") + state := object.get(action, "state", "none") state != "absent" - state != "link" + state != "link" not common_lib.valid_key(action, "recurse") - not file_module(action, modules[m]) - - not common_lib.valid_key(action, "mode") + not file_module(action, modules[m]) + + not common_lib.valid_key(action, "mode") result := { "documentId": id, @@ -51,25 +50,24 @@ CxPolicy[result] { } } - CxPolicy[result] { task := ansLib.tasks[id][_] - modules := { - "blockinfile": false, - "ansible.builtin.blockinfile": false, - "htpasswd": true, - "community.general.htpasswd": true, - "ini_file": true, - "community.general.ini_file": true, - "lineinfile": false, - "ansible.builtin.lineinfile": false, - } + modules := { + "blockinfile": false, + "ansible.builtin.blockinfile": false, + "htpasswd": true, + "community.general.htpasswd": true, + "ini_file": true, + "community.general.ini_file": true, + "lineinfile": false, + "ansible.builtin.lineinfile": false, + } action := task[m] - not common_lib.valid_key(action, "mode") + not common_lib.valid_key(action, "mode") - bool := modules[m] - object.get(action, "create", bool) == true + bool := modules[m] + object.get(action, "create", bool) == true result := { "documentId": id, 
@@ -82,10 +80,10 @@ CxPolicy[result] { } } -file_module(action, module_name){ - module_name == "file" - object.get(action, "state", "file") == "file" +file_module(action, module_name) { + module_name == "file" + object.get(action, "state", "file") == "file" } else { module_name == "ansible.builtin.file" - object.get(action, "state", "file") == "file" + object.get(action, "state", "file") == "file" } diff --git a/assets/queries/ansible/general/unpinned_package_version/query.rego b/assets/queries/ansible/general/unpinned_package_version/query.rego index 5ef48669239..faf406c4d0f 100644 --- a/assets/queries/ansible/general/unpinned_package_version/query.rego +++ b/assets/queries/ansible/general/unpinned_package_version/query.rego @@ -9,8 +9,8 @@ CxPolicy[result] { ansLib.checkState(package_installer) not common_lib.valid_key(package_installer, "version") - not common_lib.valid_key(package_installer, "update_only") - package_installer.state == "latest" + not common_lib.valid_key(package_installer, "update_only") + package_installer.state == "latest" result := { "documentId": id, @@ -29,8 +29,8 @@ CxPolicy[result] { ansLib.checkState(package_installer) not common_lib.valid_key(package_installer, "version") - package_installer.update_only == false - package_installer.state == "latest" + package_installer.update_only == false + package_installer.state == "latest" result := { "documentId": id, diff --git a/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/query.rego b/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/query.rego index 1713470b821..617ae38efde 100644 --- a/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/query.rego +++ b/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/query.rego @@ -6,7 +6,7 @@ CxPolicy[result] { doc := input.document[id].all doc.children.tower.hosts[ip] - not common_lib.isPrivateIP(ip) + not common_lib.isPrivateIP(ip) result := { "documentId": input.document[id].id, 
diff --git a/assets/queries/azureResourceManager/account_admins_not_notified_by_email/query.rego b/assets/queries/azureResourceManager/account_admins_not_notified_by_email/query.rego index 951820c6d6c..a497b348cf6 100644 --- a/assets/queries/azureResourceManager/account_admins_not_notified_by_email/query.rego +++ b/assets/queries/azureResourceManager/account_admins_not_notified_by_email/query.rego @@ -1,17 +1,18 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { types := ["Microsoft.Sql/servers/databases/securityAlertPolicies", "securityAlertPolicies"] doc := input.document[i] [path, value] := walk(doc) - value.type == types[_] + value.type in types properties := value.properties - + [state_value, _] := arm_lib.getDefaultValueFromParametersIfPresent(doc, properties.state) [emailAccountAdmins_value, emailAccountAdmins_type] := arm_lib.getDefaultValueFromParametersIfPresent(doc, properties.emailAccountAdmins) @@ -35,12 +36,12 @@ CxPolicy[result] { doc := input.document[i] [path, value] := walk(doc) - value.type == types[_] + value.type in types properties := value.properties [state_value, _] := arm_lib.getDefaultValueFromParametersIfPresent(doc, properties.state) - + lower(state_value) == "enabled" not common_lib.valid_key(properties, "emailAccountAdmins") diff --git a/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/query.rego b/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/query.rego index 3b9f2b3c843..e22b842236a 100644 --- a/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/query.rego +++ b/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i] 
@@ -36,8 +36,8 @@ CxPolicy[result] { "resourceName": value.name, "searchKey": sprintf("%s.name={{%s}}.properties.enableRBAC", [common_lib.concat_path(path), value.name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' %s set to true",[enableRBAC_type]), - "keyActualValue": sprintf("resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true",[enableRBAC_type]), + "keyExpectedValue": sprintf("resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' %s set to true", [enableRBAC_type]), + "keyActualValue": sprintf("resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true", [enableRBAC_type]), "searchLine": common_lib.build_search_line(path, ["properties", "enableRBAC"]), } } diff --git a/assets/queries/azureResourceManager/aks_dashboard_enabled/query.rego b/assets/queries/azureResourceManager/aks_dashboard_enabled/query.rego index 4198f8ec738..ef3bec1745c 100644 --- a/assets/queries/azureResourceManager/aks_dashboard_enabled/query.rego +++ b/assets/queries/azureResourceManager/aks_dashboard_enabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/query.rego b/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/query.rego index 7b0f955297f..b64e01fdc27 100644 --- a/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/query.rego +++ b/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib # addonProfiles not implemented (apiVersion < 2017-08-03) CxPolicy[result] { @@ -47,12 +47,12 @@ CxPolicy[result] { } prepare_issue(doc, resource) = issue { - [ _ ,type] := arm_lib.getDefaultValueFromParametersIfPresent(doc, resource.properties.addonProfiles.omsagent.enabled) + [_, type] := arm_lib.getDefaultValueFromParametersIfPresent(doc, resource.properties.addonProfiles.omsagent.enabled) issue := { "resourceType": resource.type, "resourceName": resource.name, "issueType": "IncorrectValue", - "keyActualValue":sprintf("'addonProfiles.omsagent.enabled' %s is set to false", [type]), + "keyActualValue": sprintf("'addonProfiles.omsagent.enabled' %s is set to false", [type]), "sk": ".properties.addonProfiles.omsagent.enabled", "sl": ["properties", "addonProfiles", "omsagent", "enabled"], } diff --git a/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/query.rego b/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/query.rego index d848f9058a0..eaf142c358b 100644 --- a/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/query.rego +++ b/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/query.rego @@ -1,6 +1,7 @@ package Cx import data.generic.common as common_lib +import future.keywords.in # IP Ranges are not implemented (apiVersion < 2019-02-01) CxPolicy[result] { @@ -75,12 +76,12 @@ CxPolicy[result] { is_invalid_api_version(value) { invalidAPIs := ["2017-08-31", "2018-03-31"] - value.apiVersion == invalidAPIs[_] + value.apiVersion in invalidAPIs } is_old_valid_api_version(value) { oldAPIs := ["2019-02-01", "2019-04-01", "2019-06-01"] - value.apiVersion == oldAPIs[_] + value.apiVersion in oldAPIs } array_is_filled(arr) { 
diff --git a/assets/queries/azureResourceManager/app_service_authentication_not_set/query.rego b/assets/queries/azureResourceManager/app_service_authentication_not_set/query.rego index 208e8b4de71..53c414e23d8 100644 --- a/assets/queries/azureResourceManager/app_service_authentication_not_set/query.rego +++ b/assets/queries/azureResourceManager/app_service_authentication_not_set/query.rego @@ -1,8 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib - +import data.generic.common as common_lib # Check outside parent resource CxPolicy[result] { @@ -13,7 +12,7 @@ CxPolicy[result] { endswith(value.name, "authsettings") arm_lib.isDisabledOrUndefined(doc, value.properties, "enabled") - issue := prepare_issue(doc,value) + issue := prepare_issue(doc, value) result := { "documentId": input.document[i].id, @@ -55,12 +54,12 @@ CxPolicy[result] { prepare_issue(doc, resource) = issue { common_lib.valid_key(resource, "properties") - [_ , type] := arm_lib.getDefaultValueFromParametersIfPresent(doc, resource.properties.enabled) + [_, type] := arm_lib.getDefaultValueFromParametersIfPresent(doc, resource.properties.enabled) issue := { "resourceType": resource.type, "resourceName": resource.name, "issueType": "IncorrectValue", - "keyActualValue": sprintf("'enabled' %s is false on authsettings properties",[type]), + "keyActualValue": sprintf("'enabled' %s is false on authsettings properties", [type]), "sk": ".properties.enabled", "sl": ["properties", "enabled"], } diff --git a/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/query.rego b/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/query.rego index 7b018c195ca..bbbed521a7b 100644 --- a/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/query.rego +++ b/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i] @@ -10,11 +10,10 @@ CxPolicy[result] { value.type == "Microsoft.Compute/virtualMachines" not is_windows(value) - arm_lib.isDisabledOrUndefined(doc, value.properties, "osProfile.linuxConfiguration.disablePasswordAuthentication") + arm_lib.isDisabledOrUndefined(doc, value.properties, "osProfile.linuxConfiguration.disablePasswordAuthentication") issue := prepare_issue(doc, value) - result := { "documentId": input.document[i].id, "resourceType": value.type, @@ -32,9 +31,8 @@ is_windows(resource) { contains(lower(resource.properties.storageProfile.imageReference.publisher), validMSWindowsVer[_]) } - prepare_issue(doc, resource) = issue { - disablePasswordAuthentication:= resource.properties.osProfile.linuxConfiguration.disablePasswordAuthentication + disablePasswordAuthentication := resource.properties.osProfile.linuxConfiguration.disablePasswordAuthentication [dpa_value, dpa_type] := arm_lib.getDefaultValueFromParametersIfPresent(doc, disablePasswordAuthentication) dpa_value == false @@ -42,13 +40,13 @@ prepare_issue(doc, resource) = issue { "resourceType": resource.type, "resourceName": resource.name, "issueType": "IncorrectValue", - "keyActualValue": sprintf("'disablePasswordAuthentication' %s is set to false",[dpa_type]), + "keyActualValue": sprintf("'disablePasswordAuthentication' %s is set to false", [dpa_type]), "sk": ".properties.osProfile.linuxConfiguration.disablePasswordAuthentication", "sl": ["properties", "osProfile", "linuxConfiguration", "disablePasswordAuthentication"], } } else = issue { not resource.properties.osProfile.linuxConfiguration.disablePasswordAuthentication - + issue := { "resourceType": resource.type, "resourceName": resource.name, 
@@ -56,6 +54,5 @@ prepare_issue(doc, resource) = issue { "keyActualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined", "sk": "", "sl": ["name"], - } } diff --git a/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/query.rego b/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/query.rego index 32265a757dc..191caf20353 100644 --- a/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/query.rego +++ b/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/query.rego b/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/query.rego index 236ced1ff13..2835b75adf7 100644 --- a/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/query.rego +++ b/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/query.rego 
@@ -9,16 +9,16 @@ CxPolicy[result] { value.type == "Microsoft.Storage/storageAccounts" res1 := publicNetworkAccessEnabled(value.properties) - res2 := aclsDefaultActionAllow(value.properties) + res2 := aclsDefaultActionAllow(value.properties) - issue := prepare_issue(res1, res2) + issue := prepare_issue(res1, res2) result := { "documentId": input.document[i].id, "resourceType": value.type, "resourceName": value.name, "searchKey": sprintf("%s.name=%s%s", [common_lib.concat_path(path), value.name, issue.sk]), - "searchLine": common_lib.build_search_line(path, issue.sl), + "searchLine": common_lib.build_search_line(path, issue.sl), "issueType": issue.issueType, "keyExpectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", "keyActualValue": issue.kav, 
@@ -27,45 +27,45 @@ CxPolicy[result] { publicNetworkAccessEnabled(properties) = reason { not properties.publicNetworkAccess - reason := "not defined" + reason := "not defined" } else = reason { properties.publicNetworkAccess lower(properties.publicNetworkAccess) == "enabled" - reason := "enabled" + reason := "enabled" } aclsDefaultActionAllow(properties) = reason { not properties.networkAcls.defaultAction - reason := "not defined" + reason := "not defined" } else = reason { properties.networkAcls.defaultAction - lower(properties.networkAcls.defaultAction) == "allow" - reason := "allow" + lower(properties.networkAcls.defaultAction) == "allow" + reason := "allow" } prepare_issue(val1, val2) = issue { val1 == "not defined" - val2 == "not defined" - issue := { - "kav": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is not set (default is 'Enabled')", - "sk": ".properties.publicNetworkAccess", - "sl": ["properties"], - "issueType": "MissingAttribute" - } + val2 == "not defined" + issue := { + "kav": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is not set (default is 'Enabled')", + "sk": ".properties.publicNetworkAccess", + "sl": ["properties"], + "issueType": "MissingAttribute", + } } else = issue { val1 == "enabled" - issue := { - "kav": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is set to 'Enabled')", - "sk": ".properties.publicNetworkAccess", - "sl": ["properties", "publicNetworkAccess"], - "issueType": "IncorrectValue" - } + issue := { + "kav": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is set to 'Enabled')", + "sk": ".properties.publicNetworkAccess", + "sl": ["properties", "publicNetworkAccess"], + "issueType": "IncorrectValue", + } } else = issue { - val2 == "allow" - issue := { - "kav": "resource with type 'Microsoft.Storage/storageAccounts' networkAcls.defaultAction is set to 'Allow')", - "sk": ".properties.networkAcls.defaultAction", - 
"sl": ["properties", "networkAcls", "defaultAction"], - "issueType": "IncorrectValue" - } -} \ No newline at end of file + val2 == "allow" + issue := { + "kav": "resource with type 'Microsoft.Storage/storageAccounts' networkAcls.defaultAction is set to 'Allow')", + "sk": ".properties.networkAcls.defaultAction", + "sl": ["properties", "networkAcls", "defaultAction"], + "issueType": "IncorrectValue", + } +} diff --git a/assets/queries/azureResourceManager/email_notifications_set_off/query.rego b/assets/queries/azureResourceManager/email_notifications_set_off/query.rego index 8442dc3a4e0..8934d0bab0c 100644 --- a/assets/queries/azureResourceManager/email_notifications_set_off/query.rego +++ b/assets/queries/azureResourceManager/email_notifications_set_off/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib emailType := ["alertNotifications", "notificationsByRole"] @@ -48,7 +48,7 @@ CxPolicy[result] { [path, value] = walk(doc) value.type == "Microsoft.Security/securityContacts" - [val, type]:= arm_lib.getDefaultValueFromParametersIfPresent(doc, value.properties[emailType[x]].state) + [val, type] := arm_lib.getDefaultValueFromParametersIfPresent(doc, value.properties[emailType[x]].state) lower(val) == "off" result := { 
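Review bot: The `kav` strings in the second and third `prepare_issue` branches end with an unbalanced `')` — `"... publicNetworkAccess is set to 'Enabled')"` and `"... networkAcls.defaultAction is set to 'Allow')"` — and that text is emitted verbatim as the finding's keyActualValue, so the stray `)` should go while these lines are being reformatted anyway. Separately, `publicNetworkAccessEnabled` and `aclsDefaultActionAllow` compare the raw property text, so a value written as `[parameters('...')]` is neither "enabled" nor "allow" and the helper is undefined, which silently skips the account; the sibling query in this PR (trusted_microsoft_services_not_enabled) resolves such values through `arm_lib.getDefaultValueFromParametersIfPresent` first, and the same `[val, _] := arm_lib.getDefaultValueFromParametersIfPresent(doc, properties.publicNetworkAccess)` step would fit here (it needs `doc` threaded into the helpers). Note also that the CxPolicy rule in the previous hunk requires both `res1` and `res2` to be defined, so `publicNetworkAccess: Disabled` with `defaultAction: Allow` yields no finding at all — plausibly intended, but a one-line comment stating that would save the next reader the trace.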
@@ -57,7 +57,7 @@ CxPolicy[result] { "resourceName": value.name, "searchKey": sprintf("%s.name={{%s}}.properties.%s.state", [common_lib.concat_path(path), value.name, emailType[x]]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("resource with type 'Microsoft.Security/securityContacts' %s should have '%s.state' property set to 'On'", [type ,emailType[x]]), + "keyExpectedValue": sprintf("resource with type 'Microsoft.Security/securityContacts' %s should have '%s.state' property set to 'On'", [type, emailType[x]]), "keyActualValue": sprintf("resource with type 'Microsoft.Security/securityContacts' should have '%s.state' property set to 'Off'", [emailType[x]]), "searchLine": common_lib.build_search_line(path, ["properties", emailType[x], "state"]), } diff --git a/assets/queries/azureResourceManager/key_vault_not_recoverable/query.rego b/assets/queries/azureResourceManager/key_vault_not_recoverable/query.rego index 8f5431a7c6a..5562bf6e133 100644 --- a/assets/queries/azureResourceManager/key_vault_not_recoverable/query.rego +++ b/assets/queries/azureResourceManager/key_vault_not_recoverable/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i] @@ -21,7 +21,7 @@ CxPolicy[result] { "keyExpectedValue": sprintf("resource with type 'Microsoft.KeyVault/vaults' should have '%s' property defined", [fields[x]]), "keyActualValue": sprintf("resource with type 'Microsoft.KeyVault/vaults' doesn't have '%s' property defined", [fields[x]]), "searchLine": common_lib.build_search_line(path, ["properties"]), - "searchValue": sprintf("%s",[fields[x]]), + "searchValue": sprintf("%s", [fields[x]]), } } 
@@ -45,6 +45,6 @@ CxPolicy[result] { "keyExpectedValue": sprintf("resource with type 'Microsoft.KeyVault/vaults' %s should have '%s' property set to true", [type, fields[x]]), "keyActualValue": sprintf("resource with type 'Microsoft.KeyVault/vaults' doesn't have '%s' property set to true", [fields[x]]), "searchLine": common_lib.build_search_line(path, ["properties", fields[x]]), - "searchValue": sprintf("%s",[fields[x]]), + "searchValue": sprintf("%s", [fields[x]]), } } diff --git a/assets/queries/azureResourceManager/log_profile_incorrect_category/query.rego b/assets/queries/azureResourceManager/log_profile_incorrect_category/query.rego index bcf74567226..8a69d23d074 100644 --- a/assets/queries/azureResourceManager/log_profile_incorrect_category/query.rego +++ b/assets/queries/azureResourceManager/log_profile_incorrect_category/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/query.rego b/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/query.rego index 6dc50d3e2dc..dbb5de1ff4a 100644 --- a/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/query.rego +++ b/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/query.rego b/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/query.rego index b27dd871a98..2288fae4ba9 100644 
--- a/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/query.rego +++ b/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.azureresourcemanager as arm_lib import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { types := ["configurations", "Microsoft.DBforPostgreSQL/servers/configurations"] @@ -13,10 +14,10 @@ CxPolicy[result] { childrenArr := arm_lib.get_children(doc, value, path) children := childrenArr[c].value - children.type == types[_] + children.type in types endswith(children.name, "connection_throttling") - [c_value, c_type]:= arm_lib.getDefaultValueFromParametersIfPresent(doc, children.properties.value) + [c_value, c_type] := arm_lib.getDefaultValueFromParametersIfPresent(doc, children.properties.value) lower(c_value) != "on" diff --git a/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/query.rego b/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/query.rego index dd2eee3b151..2d724c255c2 100644 --- a/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/query.rego +++ b/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/query.rego b/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/query.rego index 3872ea5b602..9227b3a2155 100644 --- a/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/query.rego +++ b/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/query.rego b/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/query.rego index a90067f95ef..08a2723ecb4 100644 --- a/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/query.rego +++ b/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/query.rego b/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/query.rego index 72f1c9fb29d..dbf35f1506b 100644 --- a/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/query.rego +++ b/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/query.rego @@ -8,7 +8,7 @@ CxPolicy[result] { value.type == "Microsoft.Authorization/roleDefinitions" - regex.match("/$|/subscriptions/[\\w\\d-]+$|\\[subscription\\(\\)\\.id\\]", value.properties.assignableScopes[a]) == true + regex.match(`/$|/subscriptions/[\w\d-]+$|\[subscription\(\)\.id\]`, value.properties.assignableScopes[a]) == true allows_custom_roles_creation(value.properties.permissions[x].actions) diff --git a/assets/queries/azureResourceManager/secret_without_expiration_date/query.rego b/assets/queries/azureResourceManager/secret_without_expiration_date/query.rego index c9f8ada374b..ebd25998582 100644 --- a/assets/queries/azureResourceManager/secret_without_expiration_date/query.rego 
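Review bot: The first alternative of the now-raw pattern, `/$`, matches any assignableScopes entry that merely ends in a slash, not only the root scope `/` — a scope such as `/subscriptions/<id>/resourceGroups/rg/` would be reported as subscription-wide, so it should be anchored as `^/$`. The trailing `== true` is redundant in Rego (the boolean result of `regex.match` is itself the condition), so the line can read ``regex.match(`^/$|/subscriptions/[\w\d-]+$|\[subscription\(\)\.id\]`, value.properties.assignableScopes[a])``. The enclosing CxPolicy rule continues outside the hunk.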
+++ b/assets/queries/azureResourceManager/secret_without_expiration_date/query.rego @@ -1,6 +1,7 @@ package Cx import data.generic.common as common_lib +import future.keywords.in resourceTypes := ["Microsoft.KeyVault/vaults/secrets", "secrets"] @@ -9,7 +10,7 @@ CxPolicy[result] { [path, value] := walk(doc) - value.type == resourceTypes[_] + value.type in resourceTypes not common_lib.valid_key(value.properties, "attributes") result := { @@ -29,7 +30,7 @@ CxPolicy[result] { [path, value] := walk(doc) - value.type == resourceTypes[_] + value.type in resourceTypes not common_lib.valid_key(value.properties.attributes, "exp") result := { diff --git a/assets/queries/azureResourceManager/sql_alert_policy_without_emails/query.rego b/assets/queries/azureResourceManager/sql_alert_policy_without_emails/query.rego index 0924b26954d..5a1f6577fa9 100644 --- a/assets/queries/azureResourceManager/sql_alert_policy_without_emails/query.rego +++ b/assets/queries/azureResourceManager/sql_alert_policy_without_emails/query.rego @@ -1,6 +1,7 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { types := ["Microsoft.Sql/servers/databases/securityAlertPolicies", "securityAlertPolicies"] @@ -8,7 +9,7 @@ CxPolicy[result] { doc := input.document[i] [path, value] := walk(doc) - value.type == types[_] + value.type in types properties := value.properties lower(properties.state) == "enabled" @@ -32,7 +33,7 @@ CxPolicy[result] { doc := input.document[i] [path, value] := walk(doc) - value.type == types[_] + value.type in types properties := value.properties lower(properties.state) == "enabled" diff --git a/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/query.rego b/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/query.rego index aef8db6e4ec..a8392b0e4e6 100644 --- a/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/query.rego 
+++ b/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/query.rego @@ -1,6 +1,7 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { types := ["Microsoft.Sql/servers/firewallRules", "firewallRules", "firewallrules"] @@ -26,6 +27,6 @@ CxPolicy[result] { check_all_ips(start, end) { ipsOpts := ["0.0.0.0", "0.0.0.0/0"] - start == ipsOpts[_] + start in ipsOpts end == "255.255.255.255" } diff --git a/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/query.rego b/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/query.rego index 2568fae10e6..a2972f778e1 100644 --- a/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/query.rego +++ b/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/query.rego @@ -1,7 +1,8 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib +import future.keywords.in types := ["Microsoft.Sql/servers/databases/auditingSettings", "auditingSettings"] @@ -10,7 +11,7 @@ CxPolicy[result] { [path, value] = walk(doc) - value.type == types[_] + value.type in types properties := value.properties [val, _] := arm_lib.getDefaultValueFromParametersIfPresent(doc, properties.state) lower(val) == "enabled" @@ -33,7 +34,7 @@ CxPolicy[result] { [path, value] = walk(doc) - value.type == types[_] + value.type in types properties := value.properties [val, _] := arm_lib.getDefaultValueFromParametersIfPresent(doc, properties.state) lower(val) == "enabled" diff --git a/assets/queries/azureResourceManager/sql_server_database_without_auditing/query.rego b/assets/queries/azureResourceManager/sql_server_database_without_auditing/query.rego index 84e5916b1c9..0c09e80e908 100644 --- a/assets/queries/azureResourceManager/sql_server_database_without_auditing/query.rego 
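Review bot: `check_all_ips` only fires on the exact pair start ∈ {`0.0.0.0`, `0.0.0.0/0`} and end == `255.255.255.255`, so a rule such as `0.0.0.0`–`255.255.255.254` or `1.0.0.0`–`255.255.255.255` opens effectively the whole Internet while evading the query. Unless the intent is strictly the canonical all-IPs rule, the comparison should be on address ranges rather than string equality; at minimum document the limitation with `# only the canonical 0.0.0.0-255.255.255.255 rule is detected; near-complete ranges are not`. The `0.0.0.0/0` entry in `ipsOpts` is a CIDR rather than an address, which I do not believe `startIpAddress` accepts in this resource type, so it may be a dead case worth confirming.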
+++ b/assets/queries/azureResourceManager/sql_server_database_without_auditing/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.azureresourcemanager as arm_lib import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { types := ["auditingSettings", "Microsoft.Sql/servers/databases/auditingSettings"] @@ -10,7 +11,7 @@ CxPolicy[result] { doc := input.document[i] [path, value] = walk(doc) - value.type == dbTypes[_] + value.type in dbTypes childrenArr := arm_lib.get_children(doc, value, path) count([x | diff --git a/assets/queries/azureResourceManager/standard_price_not_selected/query.rego b/assets/queries/azureResourceManager/standard_price_not_selected/query.rego index 2ae2db490f4..2d61efd00b4 100644 --- a/assets/queries/azureResourceManager/standard_price_not_selected/query.rego +++ b/assets/queries/azureResourceManager/standard_price_not_selected/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i] @@ -21,6 +21,5 @@ CxPolicy[result] { "keyExpectedValue": "'pricingTier' should be set to standard", "keyActualValue": sprintf("'pricingTier' %s is set to %s", [val_type, val]), "searchLine": common_lib.build_search_line(path, ["properties", "pricingTier"]), - } } diff --git a/assets/queries/azureResourceManager/storage_account_allows_network_default_access/query.rego b/assets/queries/azureResourceManager/storage_account_allows_network_default_access/query.rego index 0bc990ea106..c3105ae76d4 100644 --- a/assets/queries/azureResourceManager/storage_account_allows_network_default_access/query.rego +++ b/assets/queries/azureResourceManager/storage_account_allows_network_default_access/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/query.rego b/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/query.rego index 7e171c5f164..60f2c2f9914 100644 --- a/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/query.rego +++ b/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/query.rego b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/query.rego index 9438fc98431..bc2ef409846 100644 --- a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/query.rego +++ b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib publicOptions := {"Container", "Blob"} 
@@ -44,7 +44,7 @@ CxPolicy[result] { "resourceName": value.name, "searchKey": sprintf("%s.name=%s.resources.name=%s.properties.publicAccess", [common_lib.concat_path(path), value.name, childValue.name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("resource with type 'containers' shouldn't have 'publicAccess' %s set to 'Container' or 'Blob'",[val_type]), + "keyExpectedValue": sprintf("resource with type 'containers' shouldn't have 'publicAccess' %s set to 'Container' or 'Blob'", [val_type]), "keyActualValue": sprintf("resource with type 'containers' has 'publicAccess' property set to '%s'", [publicOptions[o]]), "searchLine": common_lib.build_search_line(childPath, ["properties", "publicAccess"]), } @@ -66,7 +66,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": value.type, "resourceName": value.name, - "searchKey": sprintf("%s.name=%s.resources.name=%s.properties.publicAccess", [common_lib.concat_path(path), value.name, childValue.name]), + "searchKey": sprintf("%s.name=%s.resources.name=%s.properties.publicAccess", [common_lib.concat_path(path), value.name, childValue.name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("resource with type 'blobServices/containers' shouldn't have 'publicAccess' %s set to 'Container' or 'Blob'", [val_type]), "keyActualValue": sprintf("resource with type 'blobServices/containers' has 'publicAccess' property set to '%s'", [publicOptions[o]]), @@ -74,11 +74,9 @@ CxPolicy[result] { } } - - CxPolicy[result] { doc := input.document[i] - + [path, value] = walk(doc) value.type == "Microsoft.Storage/storageAccounts" @@ -87,7 +85,7 @@ CxPolicy[result] { [subchildPath, subchildValue] := walk(childValue.resources) subchildValue.type == "containers" - + [val, val_type] := arm_lib.getDefaultValueFromParametersIfPresent(doc, subchildValue.properties.publicAccess) val == publicOptions[o] 
@@ -95,10 +93,10 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": value.type, "resourceName": value.name, - "searchKey": sprintf("%s.name=%s.resources.name=%s.resources.name=%s.properties.publicAccess", [common_lib.concat_path(path), value.name, childValue.name, subchildValue.name]), + "searchKey": sprintf("%s.name=%s.resources.name=%s.resources.name=%s.properties.publicAccess", [common_lib.concat_path(path), value.name, childValue.name, subchildValue.name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("resource with type 'containers' shouldn't have 'publicAccess' %s set to 'Container' or 'Blob'", [val_type]), "keyActualValue": sprintf("resource with type 'containers' has 'publicAccess' property set to '%s'", [publicOptions[o]]), "searchLine": common_lib.build_search_line(path, ["resources", childPath[0], "resources", subchildPath[0], "properties", "publicAccess"]), } -} \ No newline at end of file +} diff --git a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/query.rego b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/query.rego index d8ec169411d..c424ef48116 100644 --- a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/query.rego +++ b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/query.rego 
@@ -10,22 +10,20 @@ CxPolicy[result] { value.type == "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings" - #array containing data that will be used to help build the following objects - valSlice:= [x | x := { - sprintf("%s", [value.properties.logs[n].category]): [value.properties.logs[n].enabled, n] - }] + # array containing data that will be used to help build the following objects + valSlice := [x | x := {sprintf("%s", [value.properties.logs[n].category]): [value.properties.logs[n].enabled, n]}] - #object that maps category names to their respective enabled values + # object that maps category names to their respective enabled values unionObject := {k: v | some i, k - v := valSlice[i][k][0] - } + v := valSlice[i][k][0] + } - #object that maps category names to their respective index values in the document + # object that maps category names to their respective index values in the document catIndexObject := {k: v | some i, k - v := valSlice[i][k][1] - } + v := valSlice[i][k][1] + } issue := actual_issue(unionObject, catIndexObject, cats[l]) 
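Review bot: `unionObject` and `catIndexObject` are object comprehensions keyed by log category, so if `properties.logs` lists the same category twice the keys collide — for `catIndexObject` always, since the indices `n` differ — and OPA raises an "object keys must be unique" evaluation error, which in my understanding aborts the query for that document instead of reporting a finding. Either deduplicate the categories first or collect per-key sets (`{k: {v | ...} | ...}`) and treat a category as disabled when any of its entries is false. The `sprintf("%s", [value.properties.logs[n].category])` wrapper adds nothing if category is already a string; if it is there to coerce non-string keys, a comment saying so would help. The enclosing CxPolicy rule continues outside the hunk.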
@@ -44,17 +42,17 @@ CxPolicy[result] { actual_issue(obj, catIndexObject, key) = issue { not common_lib.valid_key(obj, key) issue := { - "expected_value": sprintf("'Storage Logging' in 'diagnosticsettings' needs '%s' method", [key]), - "actual_value": sprintf("'Storage Logging' in 'diagnosticsettings' doesn't have a '%s' method", [key]), - "type": "MissingAttribute", - "sl": ["properties", "logs"] - } + "expected_value": sprintf("'Storage Logging' in 'diagnosticsettings' needs '%s' method", [key]), + "actual_value": sprintf("'Storage Logging' in 'diagnosticsettings' doesn't have a '%s' method", [key]), + "type": "MissingAttribute", + "sl": ["properties", "logs"], + } } else = issue { obj[key] == false issue := { - "expected_value": sprintf("Storage Logging in 'diagnosticsettings' should be enabled for '%s' method", [replace(key, "Storage", "")]), - "actual_value": sprintf("Storage Logging in 'diagnosticsettings' is disabled for '%s' method", [replace(key, "Storage", "")]), - "type": "IncorrectValue", - "sl": ["properties", "logs", catIndexObject[key], "enabled"] - } -} \ No newline at end of file + "expected_value": sprintf("Storage Logging in 'diagnosticsettings' should be enabled for '%s' method", [replace(key, "Storage", "")]), + "actual_value": sprintf("Storage Logging in 'diagnosticsettings' is disabled for '%s' method", [replace(key, "Storage", "")]), + "type": "IncorrectValue", + "sl": ["properties", "logs", catIndexObject[key], "enabled"], + } +} diff --git a/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/query.rego b/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/query.rego index 20c9a071ee2..bf13dac2c3e 100644 --- a/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/query.rego +++ b/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i] @@ -9,7 +9,7 @@ CxPolicy[result] { value.type == "Microsoft.Storage/storageAccounts" - [da_val , _] := arm_lib.getDefaultValueFromParametersIfPresent(doc, value.properties.networkAcls.defaultAction) + [da_val, _] := arm_lib.getDefaultValueFromParametersIfPresent(doc, value.properties.networkAcls.defaultAction) da_val != "Allow" [bp_val, bp_val_type] := arm_lib.getDefaultValueFromParametersIfPresent(doc, value.properties.networkAcls.bypass) @@ -21,7 +21,7 @@ CxPolicy[result] { "resourceName": value.name, "searchKey": sprintf("%s.name=%s.properties.networkAcls", [common_lib.concat_path(path), value.name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' %s enabled", [bp_val_type]) , + "keyExpectedValue": sprintf("resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' %s enabled", [bp_val_type]), "keyActualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", "searchLine": common_lib.build_search_line(path, ["properties", "networkAcls"]), } diff --git a/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/query.rego b/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/query.rego index 041665c29a9..bea565fc560 100644 --- a/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/query.rego +++ b/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/query.rego b/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/query.rego index a2e962792f7..ba08c01c2ed 100644 --- a/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/query.rego +++ b/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib types := {"Microsoft.Network/networkWatchers/flowLogs", "Microsoft.Network/networkWatchers/FlowLogs"} diff --git a/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/query.rego b/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/query.rego index edcee4c5d97..739a4781ea2 100644 --- a/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/query.rego +++ b/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i] @@ -26,7 +26,7 @@ CxPolicy[result] { } is_last_tls(doc, resource) { - [val, _] := arm_lib.getDefaultValueFromParametersIfPresent(doc, resource.properties.siteConfig.minTlsVersion) + [val, _] := arm_lib.getDefaultValueFromParametersIfPresent(doc, resource.properties.siteConfig.minTlsVersion) val == "1.2" } 
diff --git a/assets/queries/azureResourceManager/website_not_forcing_https/query.rego b/assets/queries/azureResourceManager/website_not_forcing_https/query.rego index 9b157920f9e..af575e6a91c 100644 --- a/assets/queries/azureResourceManager/website_not_forcing_https/query.rego +++ b/assets/queries/azureResourceManager/website_not_forcing_https/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/query.rego b/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/query.rego index 39b309ea8df..c55d5689657 100644 --- a/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/query.rego +++ b/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i] @@ -37,7 +37,7 @@ CxPolicy[result] { "resourceName": value.name, "searchKey": sprintf("%s.name={{%s}}.properties.clientCertEnabled", [common_lib.concat_path(path), value.name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' %s set to true", [val_type]), + "keyExpectedValue": sprintf("resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' %s set to true", [val_type]), "keyActualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true", "searchLine": common_lib.build_search_line(path, ["properties", "clientCertEnabled"]), } 
diff --git a/assets/queries/azureResourceManager/website_with_http20enabled_disabled/query.rego b/assets/queries/azureResourceManager/website_with_http20enabled_disabled/query.rego index 1d4db0cd6f7..3fc1155a8bf 100644 --- a/assets/queries/azureResourceManager/website_with_http20enabled_disabled/query.rego +++ b/assets/queries/azureResourceManager/website_with_http20enabled_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.azureresourcemanager as arm_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i] @@ -53,7 +53,6 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": value.type, "resourceName": value.name, - "searchKey": sprintf("%s.name={{%s}}.properties.siteConfig.http20Enabled", [common_lib.concat_path(path), value.name]), "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", "issueType": "IncorrectValue", "keyExpectedValue": sprintf("resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' %s set to true in siteConfig", [val_type]), diff --git a/assets/queries/cicd/github/run_block_injection/query.rego b/assets/queries/cicd/github/run_block_injection/query.rego index ae9a223c10e..cc94f89c86d 100644 --- a/assets/queries/cicd/github/run_block_injection/query.rego +++ b/assets/queries/cicd/github/run_block_injection/query.rego 
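Review bot: The surviving `searchKey` is the static `"resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled"`, which cannot distinguish two `Microsoft.Web/sites` resources in the same template, so their findings collapse onto one location; every other ARM query touched in this PR derives the key from the resource path and name. Unless the static key was kept to match an existing test expectation, I would resolve the duplicate the other way — keep `"searchKey": sprintf("%s.name={{%s}}.properties.siteConfig.http20Enabled", [common_lib.concat_path(path), value.name]),` and drop the static line. The enclosing CxPolicy rule continues outside the hunk.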
@@ -3,19 +3,18 @@ package Cx
 import data.generic.common as common_lib
 
 CxPolicy[result] {
-
- input.document[i].on["pull_request_target"]
+ input.document[i].on.pull_request_target
 run := input.document[i].jobs[j].steps[k].run
 
 patterns := [
- "github.head_ref",
- "github.event.pull_request.body",
- "github.event.pull_request.head.label",
- "github.event.pull_request.head.ref",
- "github.event.pull_request.head.repo.default_branch",
- "github.event.pull_request.head.repo.description",
- "github.event.pull_request.head.repo.homepage",
- "github.event.pull_request.title"
+ "github.head_ref",
+ "github.event.pull_request.body",
+ "github.event.pull_request.head.label",
+ "github.event.pull_request.head.ref",
+ "github.event.pull_request.head.repo.default_branch",
+ "github.event.pull_request.head.repo.description",
+ "github.event.pull_request.head.repo.homepage",
+ "github.event.pull_request.title",
 ]
 
 matched = containsPatterns(run, patterns)
@@ -26,19 +25,18 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
 "keyActualValue": "Run block contains dangerous input controlled by user.",
- "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]),
- "searchValue": matched[m]
+ "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"], []),
+ "searchValue": matched[m],
 }
 }
 
 CxPolicy[result] {
-
- input.document[i].on["issues"]
+ input.document[i].on.issues
 run := input.document[i].jobs[j].steps[k].run
 
 patterns := [
- "github.event.issue.body",
- "github.event.issue.title"
+ "github.event.issue.body",
+ "github.event.issue.title",
 ]
 
 matched = containsPatterns(run, patterns)
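Review bot: `input.document[i].on.pull_request_target` (and the `on.issues`, `on.issue_comment`, `on.discussion`, `on.discussion_comment` siblings) is only defined when `on` is a mapping, but GitHub also accepts `on: pull_request_target` and `on: [pull_request_target, issues]`; unless the KICS YAML front-end normalizes those forms into a map, workflows written that way are never checked and a script-injection sink in their `run` blocks goes unreported. The bracket-to-dot change itself is behavior-neutral, so this is a pre-existing gap rather than a regression. A small helper that accepts all three shapes, used as the first condition of each rule, closes it without touching the pattern lists; `containsPatterns` is defined outside this view and is unaffected.
```rego
CxPolicy[result] {
	triggers_on(input.document[i], "pull_request_target")
	run := input.document[i].jobs[j].steps[k].run
	# … unchanged: patterns, containsPatterns, result …
}

# `on` may be a single event name, a list of event names, or a map keyed by event name.
triggers_on(doc, ev) {
	doc.on == ev
}

triggers_on(doc, ev) {
	doc.on[_] == ev
}

triggers_on(doc, ev) {
	doc.on[ev]
}
```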
@@ -49,20 +47,19 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]), - "searchValue": matched[m] + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"], []), + "searchValue": matched[m], } } CxPolicy[result] { - - input.document[i].on["issue_comment"] + input.document[i].on.issue_comment run := input.document[i].jobs[j].steps[k].run patterns := [ - "github.event.comment.body", - "github.event.issue.body", - "github.event.issue.title" + "github.event.comment.body", + "github.event.issue.body", + "github.event.issue.title", ] matched = containsPatterns(run, patterns) @@ -73,19 +70,18 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]), - "searchValue": matched[m] + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"], []), + "searchValue": matched[m], } } CxPolicy[result] { - - input.document[i].on["discussion"] + input.document[i].on.discussion run := input.document[i].jobs[j].steps[k].run patterns := [ - "github.event.discussion.body", - "github.event.discussion.title" + "github.event.discussion.body", + "github.event.discussion.title", ] matched = containsPatterns(run, patterns) 
@@ -96,20 +92,19 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]), - "searchValue": matched[m] + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"], []), + "searchValue": matched[m], } } CxPolicy[result] { - - input.document[i].on["discussion_comment"] + input.document[i].on.discussion_comment run := input.document[i].jobs[j].steps[k].run patterns := [ - "github.event.comment.body", - "github.event.discussion.body", - "github.event.discussion.title" + "github.event.comment.body", + "github.event.discussion.body", + "github.event.discussion.title", ] matched = containsPatterns(run, patterns) 
@@ -120,23 +115,22 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]), - "searchValue": matched[m] + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"], []), + "searchValue": matched[m], } } CxPolicy[result] { - - input.document[i].on["workflow_run"] + input.document[i].on.workflow_run run := input.document[i].jobs[j].steps[k].run patterns := [ - "github.event.workflow.path", - "github.event.workflow_run.head_branch", - "github.event.workflow_run.head_commit.author.email", - "github.event.workflow_run.head_commit.author.name", - "github.event.workflow_run.head_commit.message", - "github.event.workflow_run.head_repository.description" + "github.event.workflow.path", + "github.event.workflow_run.head_branch", + "github.event.workflow_run.head_commit.author.email", + "github.event.workflow_run.head_commit.author.name", + "github.event.workflow_run.head_commit.message", + "github.event.workflow_run.head_repository.description", ] matched = containsPatterns(run, patterns) 
@@ -147,19 +141,18 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]), - "searchValue": matched[m] + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"], []), + "searchValue": matched[m], } } CxPolicy[result] { - - input.document[i].on["author"] + input.document[i].on.author run := input.document[i].jobs[j].steps[k].run patterns := [ - "github.*.authors.name", - "github.*.authors.email" + "github.*.authors.name", + "github.*.authors.email", ] matched = containsPatterns(run, patterns) @@ -170,17 +163,14 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]), - "searchValue": matched[m] + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"], []), + "searchValue": matched[m], } } - - containsPatterns(str, patterns) = matched { - matched := {pattern | - pattern := patterns[_] - regex.match(pattern, str) - } + matched := {pattern | + pattern := patterns[_] + regex.match(pattern, str) + } } - diff --git a/assets/queries/cicd/github/script_block_injection/query.rego b/assets/queries/cicd/github/script_block_injection/query.rego index e93b11a0814..291df271d6a 100644 --- a/assets/queries/cicd/github/script_block_injection/query.rego +++ b/assets/queries/cicd/github/script_block_injection/query.rego 
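Review bot: `containsPatterns` passes the `patterns` entries straight to `regex.match`, but those entries are written as literal expression paths: the unescaped `.` in `github.head_ref` matches any character and the match is unanchored, so the check is looser than the list suggests (a path that merely shares the prefix, such as `github.event.pull_request.title_x`, also matches). Since every entry except the `github.*.authors.*` pair is a literal, either escape the dots in the pattern strings (raw strings, e.g. `` `github\.head_ref` ``) or use a substring check for the literal ones, `contains(str, pattern)`, and keep `regex.match` only for the wildcard pair. The same helper and pattern lists are duplicated in script_block_injection (L84), so whichever fix is chosen should be applied there too.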
@@ -3,24 +3,23 @@ package Cx import data.generic.common as common_lib CxPolicy[result] { + input.document[i].on.pull_request_target - input.document[i].on["pull_request_target"] + uses := input.document[i].jobs[j].steps[k].uses - uses := input.document[i].jobs[j].steps[k].uses + startswith(uses, "actions/github-script") - startswith(uses, "actions/github-script") - - script := input.document[i].jobs[j].steps[k]["with"].script + script := input.document[i].jobs[j].steps[k]["with"].script patterns := [ - "github.head_ref", - "github.event.pull_request.body", - "github.event.pull_request.head.label", - "github.event.pull_request.head.ref", - "github.event.pull_request.head.repo.default_branch", - "github.event.pull_request.head.repo.description", - "github.event.pull_request.head.repo.homepage", - "github.event.pull_request.title" + "github.head_ref", + "github.event.pull_request.body", + "github.event.pull_request.head.label", + "github.event.pull_request.head.ref", + "github.event.pull_request.head.repo.default_branch", + "github.event.pull_request.head.repo.description", + "github.event.pull_request.head.repo.homepage", + "github.event.pull_request.title", ] matched = containsPatterns(script, patterns) 
@@ -31,24 +30,23 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"],[]), - "searchValue": matched[m] + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"], []), + "searchValue": matched[m], } } CxPolicy[result] { - - input.document[i].on["issues"] + input.document[i].on.issues uses := input.document[i].jobs[j].steps[k].uses - startswith(uses, "actions/github-script") - - script := input.document[i].jobs[j].steps[k]["with"].script + startswith(uses, "actions/github-script") + + script := input.document[i].jobs[j].steps[k]["with"].script patterns := [ - "github.event.issue.body", - "github.event.issue.title" + "github.event.issue.body", + "github.event.issue.title", ] matched = containsPatterns(script, patterns) 
@@ -59,25 +57,24 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"],[]), - "searchValue": matched[m] + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"], []), + "searchValue": matched[m], } } CxPolicy[result] { + input.document[i].on.issue_comment - input.document[i].on["issue_comment"] - uses := input.document[i].jobs[j].steps[k].uses - startswith(uses, "actions/github-script") - - script := input.document[i].jobs[j].steps[k]["with"].script + startswith(uses, "actions/github-script") + + script := input.document[i].jobs[j].steps[k]["with"].script patterns := [ - "github.event.comment.body", - "github.event.issue.body", - "github.event.issue.title" + "github.event.comment.body", + "github.event.issue.body", + "github.event.issue.title", ] matched = containsPatterns(script, patterns) 
@@ -88,24 +85,23 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with","script"],[]), - "searchValue": matched[m] + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"], []), + "searchValue": matched[m], } } CxPolicy[result] { + input.document[i].on.discussion - input.document[i].on["discussion"] - uses := input.document[i].jobs[j].steps[k].uses - startswith(uses, "actions/github-script") - - script := input.document[i].jobs[j].steps[k]["with"].script + startswith(uses, "actions/github-script") + + script := input.document[i].jobs[j].steps[k]["with"].script patterns := [ - "github.event.discussion.body", - "github.event.discussion.title" + "github.event.discussion.body", + "github.event.discussion.title", ] matched = containsPatterns(script, patterns) 
@@ -116,25 +112,24 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"],[]), - "searchValue": matched[m] + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"], []), + "searchValue": matched[m], } } CxPolicy[result] { + input.document[i].on.discussion_comment - input.document[i].on["discussion_comment"] - uses := input.document[i].jobs[j].steps[k].uses - startswith(uses, "actions/github-script") - - script := input.document[i].jobs[j].steps[k]["with"].script + startswith(uses, "actions/github-script") + + script := input.document[i].jobs[j].steps[k]["with"].script patterns := [ - "github.event.comment.body", - "github.event.discussion.body", - "github.event.discussion.title" + "github.event.comment.body", + "github.event.discussion.body", + "github.event.discussion.title", ] matched = containsPatterns(script, patterns) 
@@ -145,28 +140,27 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"],[]), - "searchValue": matched[m] + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"], []), + "searchValue": matched[m], } } CxPolicy[result] { + input.document[i].on.workflow_run - input.document[i].on["workflow_run"] - uses := input.document[i].jobs[j].steps[k].uses - startswith(uses, "actions/github-script") - - script := input.document[i].jobs[j].steps[k]["with"].script + startswith(uses, "actions/github-script") + + script := input.document[i].jobs[j].steps[k]["with"].script patterns := [ - "github.event.workflow.path", - "github.event.workflow_run.head_branch", - "github.event.workflow_run.head_commit.author.email", - "github.event.workflow_run.head_commit.author.name", - "github.event.workflow_run.head_commit.message", - "github.event.workflow_run.head_repository.description" + "github.event.workflow.path", + "github.event.workflow_run.head_branch", + "github.event.workflow_run.head_commit.author.email", + "github.event.workflow_run.head_commit.author.name", + "github.event.workflow_run.head_commit.message", + "github.event.workflow_run.head_repository.description", ] matched = containsPatterns(script, patterns) 
@@ -177,24 +171,23 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"],[]), - "searchValue": matched[m] + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"], []), + "searchValue": matched[m], } } CxPolicy[result] { + input.document[i].on.author - input.document[i].on["author"] - uses := input.document[i].jobs[j].steps[k].uses - startswith(uses, "actions/github-script") - - script := input.document[i].jobs[j].steps[k]["with"].script + startswith(uses, "actions/github-script") + + script := input.document[i].jobs[j].steps[k]["with"].script patterns := [ - "github.*.authors.name", - "github.*.authors.email" + "github.*.authors.name", + "github.*.authors.email", ] matched = containsPatterns(script, patterns) @@ -205,16 +198,14 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"],[]), - "searchValue": matched[m] + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "with", "script"], []), + "searchValue": matched[m], } } - containsPatterns(str, patterns) = matched { - matched := {pattern | - pattern := patterns[_] - regex.match(pattern, str) - } + matched := {pattern | + pattern := patterns[_] + regex.match(pattern, str) + } } - diff --git a/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/query.rego b/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/query.rego index baacd90083f..7b29e6d6f6a 100644 --- a/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/query.rego 
+++ b/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/query.rego @@ -3,34 +3,31 @@ package Cx import data.generic.common as common_lib CxPolicy[result] { - uses := input.document[i].jobs[j].steps[k].uses not isAllowed(uses) not isPinned(uses) not isRelative(uses) - + result := { "documentId": input.document[i].id, "searchKey": sprintf("uses={{%s}}", [uses]), "issueType": "IncorrectValue", "keyExpectedValue": "Action pinned to a full length commit SHA.", "keyActualValue": "Action is not pinned to a full length commit SHA.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "uses"],[]) + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "uses"], []), } } - -isAllowed(use){ +isAllowed(use) { allowed := ["actions/"] - startswith(use,allowed[i]) + startswith(use, allowed[i]) } -isPinned(use){ - regex.match("@[a-f0-9]{40}$", use) +isPinned(use) { + regex.match(`@[a-f0-9]{40}$`, use) } -isRelative(use){ +isRelative(use) { allowed := ["./"] - startswith(use,allowed[i]) + startswith(use, allowed[i]) } - diff --git a/assets/queries/cicd/github/unsecured_commands/query.rego b/assets/queries/cicd/github/unsecured_commands/query.rego index a3295b5e8ec..1a4a6f7b857 100644 --- a/assets/queries/cicd/github/unsecured_commands/query.rego +++ b/assets/queries/cicd/github/unsecured_commands/query.rego 
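Review bot: `startswith(use, allowed[i])` in `isAllowed` and `isRelative` binds `i` implicitly as an output variable that is never read; `allowed[_]` (or a leading `some i`) states the intent and avoids confusion with the `i` document index used in `CxPolicy`. With a single-element list the iteration is not needed at all: `startswith(use, "actions/")` and `startswith(use, "./")` read more directly. Purely a style point; the matching behaviour is unchanged either way.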
@@ -3,53 +3,43 @@ package Cx import data.generic.common as common_lib CxPolicy[result] { - - env := input.document[i].env["ACTIONS_ALLOW_UNSECURE_COMMANDS"] + env := input.document[i].env.ACTIONS_ALLOW_UNSECURE_COMMANDS env == true - - + result := { "documentId": input.document[i].id, "searchKey": sprintf("env.actions_allow_unsecure_commands={{%s}}", [env]), "issueType": "IncorrectValue", "keyExpectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.", "keyActualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true.", - "searchLine": common_lib.build_search_line(["env", "ACTIONS_ALLOW_UNSECURE_COMMANDS"],[]) + "searchLine": common_lib.build_search_line(["env", "ACTIONS_ALLOW_UNSECURE_COMMANDS"], []), } } CxPolicy[result] { - - env := input.document[i].jobs[j].env["ACTIONS_ALLOW_UNSECURE_COMMANDS"] + env := input.document[i].jobs[j].env.ACTIONS_ALLOW_UNSECURE_COMMANDS env == true - - + result := { "documentId": input.document[i].id, "searchKey": sprintf("env.actions_allow_unsecure_commands={{%s}}", [env]), "issueType": "IncorrectValue", "keyExpectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.", "keyActualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true.", - "searchLine": common_lib.build_search_line(["jobs", j, "env", "ACTIONS_ALLOW_UNSECURE_COMMANDS"],[]) + "searchLine": common_lib.build_search_line(["jobs", j, "env", "ACTIONS_ALLOW_UNSECURE_COMMANDS"], []), } } CxPolicy[result] { - - env := input.document[i].jobs[j].steps[k].env["ACTIONS_ALLOW_UNSECURE_COMMANDS"] + env := input.document[i].jobs[j].steps[k].env.ACTIONS_ALLOW_UNSECURE_COMMANDS env == true - - + result := { "documentId": input.document[i].id, "searchKey": sprintf("env.actions_allow_unsecure_commands={{%s}}", [env]), "issueType": "IncorrectValue", "keyExpectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.", "keyActualValue": 
"ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true.", - "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "env", "ACTIONS_ALLOW_UNSECURE_COMMANDS"],[]) + "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "env", "ACTIONS_ALLOW_UNSECURE_COMMANDS"], []), } } - - - - diff --git a/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/query.rego b/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/query.rego index ee7d3433a9d..220ad491ada 100644 --- a/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/query.rego +++ b/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/query.rego @@ -1,11 +1,11 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] - resource.Type == "AWS::Config::ConfigRule" + resource.Type == "AWS::Config::ConfigRule" not hasAccessKeyRotationRule(resource) result := { @@ -61,6 +61,4 @@ CxPolicy[result] { hasAccessKeyRotationRule(configRule) { configRule.Properties.Source.SourceIdentifier == "ACCESS_KEYS_ROTATED" -} else = false { - true -} +} else = false diff --git a/assets/queries/cloudFormation/aws/alb_listening_on_http/query.rego b/assets/queries/cloudFormation/aws/alb_listening_on_http/query.rego index 01e4eac0052..853a7eed025 100644 --- a/assets/queries/cloudFormation/aws/alb_listening_on_http/query.rego +++ b/assets/queries/cloudFormation/aws/alb_listening_on_http/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] 
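Review bot: `env == true` in all three rules of this hunk only fires when the YAML value parses as a boolean, so `ACTIONS_ALLOW_UNSECURE_COMMANDS: "true"` (a quoted string, a common spelling since env values are strings on the runner) is not reported; as far as I can tell the runner enables the legacy commands for that spelling as well. A shared predicate covering both forms, `unsecure_enabled(env) { env == true }` and `unsecure_enabled(env) { is_string(env); lower(env) == "true" }`, used in place of `env == true` would close the gap in one place for the workflow, job and step scopes.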
@@ -17,7 +17,7 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'Resources.%s.Listeners.Protocol' should not equal to 'HTTP'", [name]), "keyActualValue": sprintf("'Resources.%s.Listeners.Protocol' equals to 'HTTP'", [name]), - "searchLine": common_lib.build_search_line(["Resources", name, "Properties","Listeners",l,"Protocol"], []), + "searchLine": common_lib.build_search_line(["Resources", name, "Properties", "Listeners", l, "Protocol"], []), } } @@ -36,6 +36,6 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'Resources.%s.Protocol' should not equal to 'HTTP'", [name]), "keyActualValue": sprintf("'Resources.%s.Protocol' equals to 'HTTP'", [name]), - "searchLine": common_lib.build_search_line(["Resources", name, "Properties","Protocol"], []), + "searchLine": common_lib.build_search_line(["Resources", name, "Properties", "Protocol"], []), } } diff --git a/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/query.rego b/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/query.rego index bea3a985a93..6fbddcb35fd 100644 --- a/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/query.rego +++ b/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego b/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego index 0e56d8ec24b..339fee5d630 100644 --- a/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego 
+++ b/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document @@ -38,4 +38,4 @@ CxPolicy[result] { "keyExpectedValue": sprintf("Resources.%s.Properties.PubliclyAccessible should be defined to 'false'", [name]), "keyActualValue": sprintf("Resources.%s.Properties.PubliclyAccessible is not defined", [name]), } -} \ No newline at end of file +} diff --git a/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/query.rego b/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/query.rego index f9807221666..be183b05548 100644 --- a/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document diff --git a/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/query.rego b/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/query.rego index c234af39a5f..6ee6dd0efc0 100644 --- a/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/query.rego +++ b/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/query.rego 
@@ -13,7 +13,7 @@ CxPolicy[result] { defaultToken := document.Parameters[paramName].Default count(defaultToken) > 50 - #Access Token is a JWT token from following docs: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token + # Access Token is a JWT token from following docs: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token regex.match(`^[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*$`, defaultToken) not cf_lib.hasSecretManager(defaultToken, document.Resources) diff --git a/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/query.rego b/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/query.rego index 720289023c5..ba8992cad62 100644 --- a/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/query.rego +++ b/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/query.rego @@ -80,4 +80,3 @@ CxPolicy[result] { "keyActualValue": sprintf("Resources.%s.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", [key]), } } - diff --git a/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/query.rego b/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/query.rego index d572cb6f2ff..c329ea65c44 100644 --- a/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/query.rego +++ b/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/query.rego @@ -3,7 +3,6 @@ package Cx import data.generic.cloudformation as cf_lib import data.generic.common as common_lib - CxPolicy[result] { document := input.document[i] resource := document.Resources[key] 
@@ -79,4 +78,3 @@ CxPolicy[result] { "keyActualValue": sprintf("Resources.%s.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", [key]), } } - diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/query.rego b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/query.rego index 6212b3fdcb2..20f7a0c0871 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document diff --git a/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/query.rego b/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/query.rego index 69e9ba6a6cf..b2abd864543 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document diff --git a/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/query.rego b/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/query.rego index ec28d2d6949..b9c267c6016 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { deployment := input.document[i].Resources[name] 
diff --git a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/query.rego b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/query.rego index e4f9f431efa..794629defd9 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/query.rego +++ b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/query.rego @@ -1,8 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib - +import data.generic.common as common_lib CxPolicy[result] { document := input.document diff --git a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/query.rego b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/query.rego index cd734aae4c9..68046dbfa6d 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/query.rego +++ b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/query.rego @@ -2,7 +2,6 @@ package Cx import data.generic.cloudformation as cf_lib - CxPolicy[result] { document := input.document resource = document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/query.rego b/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/query.rego index 4d3b949954b..0265d969da8 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/query.rego +++ b/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.cloudformation as cf_lib import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { docs := input.document[i] 
@@ -63,5 +64,5 @@ CxPolicy[result] { } containsPrivate(types) { - types[_] == "PRIVATE" + "PRIVATE" in types } diff --git a/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/query.rego b/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/query.rego index 5360095aecf..741eeb20793 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/query.rego +++ b/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/query.rego b/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/query.rego index 6e295a26d63..e3567d35aad 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/query.rego +++ b/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib types := {"AWS::ApiGateway::RestApi": "AWS::ApiGateway::Authorizer", "AWS::ApiGatewayV2::Api": "AWS::ApiGatewayV2::Authorizer"} 
@@ -27,10 +27,10 @@ CxPolicy[result] { has_authorizer_associated(apiName, type) { type == "AWS::ApiGatewayV2::Authorizer" - count({x | resource := input.document[_].Resources[x]; resource.Type == "AWS::ApiGatewayV2::Authorizer"; get_value(resource.Properties,"ApiId") == apiName}) != 0 + count({x | resource := input.document[_].Resources[x]; resource.Type == "AWS::ApiGatewayV2::Authorizer"; get_value(resource.Properties, "ApiId") == apiName}) != 0 } else { type == "AWS::ApiGateway::Authorizer" - count({x | resource := input.document[_].Resources[x]; resource.Type == "AWS::ApiGateway::Authorizer"; get_value(resource.Properties,"RestApiId") == apiName}) != 0 + count({x | resource := input.document[_].Resources[x]; resource.Type == "AWS::ApiGateway::Authorizer"; get_value(resource.Properties, "RestApiId") == apiName}) != 0 } get_value(properties, field) = value { diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/query.rego b/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/query.rego index ade9781892b..041376d005b 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/query.rego +++ b/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/query.rego b/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/query.rego index f4b79b0db45..a3279395f2d 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/query.rego +++ b/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_waf/query.rego b/assets/queries/cloudFormation/aws/api_gateway_without_waf/query.rego index 06c7ae5ff18..7faa4905c34 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_without_waf/query.rego +++ b/assets/queries/cloudFormation/aws/api_gateway_without_waf/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] @@ -25,7 +25,7 @@ has_waf_associated(stage) { resource := input.document[i].Resources[name] resource.Type == "AWS::WAFv2::WebACLAssociation" - contains(resource.Properties.ResourceArn, "arn:aws:apigateway:") - associatedStage := split(resource.Properties.ResourceArn, "/") - associatedStage[4] == stage + contains(resource.Properties.ResourceArn, "arn:aws:apigateway:") + associatedStage := split(resource.Properties.ResourceArn, "/") + associatedStage[4] == stage } diff --git a/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/query.rego b/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/query.rego index 6c3376dd3cf..f04c2f01170 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document 
diff --git a/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/query.rego b/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/query.rego index fdab43230e2..48eeea0c7ae 100644 --- a/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/query.rego +++ b/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] @@ -23,7 +23,7 @@ CxPolicy[result] { resource := input.document[i].Resources[name] resource.Type == "AWS::AutoScaling::AutoScalingGroup" elbs := resource.Properties.LoadBalancerNames - check_size(elbs) + check_array_size(elbs) result := { "documentId": input.document[i].id, @@ -36,7 +36,7 @@ CxPolicy[result] { } } -check_size(array) { - is_array(array) - count(array) == 0 +check_array_size(array_obj) { + is_array(array_obj) + count(array_obj) == 0 } diff --git a/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/query.rego b/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/query.rego index 800e8b32134..9d124f886df 100644 --- a/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/query.rego +++ b/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/query.rego b/assets/queries/cloudFormation/aws/cloudfront_without_waf/query.rego index fb6e2a30ca1..cc883e4ed5b 100644 
--- a/assets/queries/cloudFormation/aws/cloudfront_without_waf/query.rego +++ b/assets/queries/cloudFormation/aws/cloudfront_without_waf/query.rego @@ -22,7 +22,7 @@ CxPolicy[result] { "keyExpectedValue": sprintf("Resources.%s.Properties.DistributionConfig.WebACLId should be defined", [name]), "keyActualValue": sprintf("Resources.%s.Properties.DistributionConfig.WebACLId is undefined", [name]), } -} +} CxPolicy[result] { docs := input.document[i] @@ -43,4 +43,4 @@ CxPolicy[result] { "keyExpectedValue": sprintf("Resources.%s.Properties.DistributionConfig.WebACLId should be properly defined", [distributionConfig.WebACLId]), "keyActualValue": sprintf("Resources.%s.Properties.DistributionConfig.WebACLId contains invalid value", [distributionConfig.WebACLId]), } -} \ No newline at end of file +} diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/query.rego b/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/query.rego index bce0a237387..7f908201b24 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/query.rego b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/query.rego index ef88e25d2de..87a85592366 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/query.rego +++ b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/query.rego b/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/query.rego index b15268289ab..954a4cf0e1c 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/query.rego b/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/query.rego index f7c030eae4a..7ff7adb90b9 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/query.rego +++ b/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/query.rego b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/query.rego index 7ceee334e08..fa047643e23 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/query.rego +++ b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/query.rego 
@@ -1,13 +1,13 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] resource.Type == "AWS::CloudTrail::Trail" - isMissing(resource.Properties,"SnsTopicName") + isMissing(resource.Properties, "SnsTopicName") result := { "documentId": input.document[i].id, @@ -20,10 +20,10 @@ CxPolicy[result] { } } -isMissing(properties,attribute) { - not common_lib.valid_key(properties, attribute) +isMissing(properties, attribute) { + not common_lib.valid_key(properties, attribute) } -isMissing(properties,attribute) { - properties[attribute] == "" +isMissing(properties, attribute) { + properties[attribute] == "" } diff --git a/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/query.rego b/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/query.rego index 30da244d4b2..86811ff5797 100644 --- a/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/query.rego @@ -1,14 +1,14 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document resource = document[i].Resources[name] resource.Type == "AWS::Route53::HostedZone" - not common_lib.valid_key(resource.Properties,"QueryLoggingConfig") + not common_lib.valid_key(resource.Properties, "QueryLoggingConfig") result := { "documentId": input.document[i].id, diff --git a/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/query.rego b/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/query.rego index dbe40dd211a..2838f5857d3 100644 --- a/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/cloudFormation/aws/cmk_rotation_disabled/query.rego b/assets/queries/cloudFormation/aws/cmk_rotation_disabled/query.rego index 4c7333b12ed..9673175305b 100644 --- a/assets/queries/cloudFormation/aws/cmk_rotation_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/cmk_rotation_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/query.rego b/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/query.rego index fec647234f3..8545426d318 100644 --- a/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/query.rego +++ b/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/query.rego @@ -3,12 +3,12 @@ package Cx import data.generic.cloudformation as cf_lib import data.generic.common as common_lib -CxPolicy[result] { #Resource Type DB and StorageEncrypted is False +CxPolicy[result] { # Resource Type DB and StorageEncrypted is False document := input.document[i] resource := document.Resources[key] - common_lib.inArray({"AWS::DocDB::DBCluster", "AWS::Neptune::DBCluster", "AWS::RDS::DBCluster", "AWS::RDS::DBInstance", "AWS::RDS::GlobalCluster"}, resource.Type) + common_lib.inArray({"AWS::DocDB::DBCluster", "AWS::Neptune::DBCluster", "AWS::RDS::DBCluster", "AWS::RDS::DBInstance", "AWS::RDS::GlobalCluster"}, resource.Type) - properties := resource.Properties + properties := resource.Properties cf_lib.isCloudFormationFalse(properties.StorageEncrypted) result := { 
@@ -25,7 +25,7 @@ CxPolicy[result] { #Resource Type DB and StorageEncrypted is False CxPolicy[result] { # DBTypes any DB, but without storage encrypted is undefined document := input.document[i] resource := document.Resources[key] - common_lib.inArray({"AWS::DocDB::DBCluster", "AWS::Neptune::DBCluster", "AWS::RDS::DBCluster", "AWS::RDS::DBInstance", "AWS::RDS::GlobalCluster"}, resource.Type) + common_lib.inArray({"AWS::DocDB::DBCluster", "AWS::Neptune::DBCluster", "AWS::RDS::DBCluster", "AWS::RDS::DBInstance", "AWS::RDS::GlobalCluster"}, resource.Type) properties := resource.Properties not common_lib.valid_key(properties, "StorageEncrypted") diff --git a/assets/queries/cloudFormation/aws/codebuild_not_encrypted/query.rego b/assets/queries/cloudFormation/aws/codebuild_not_encrypted/query.rego index 33b85e1438d..802acfac3db 100644 --- a/assets/queries/cloudFormation/aws/codebuild_not_encrypted/query.rego +++ b/assets/queries/cloudFormation/aws/codebuild_not_encrypted/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/query.rego b/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/query.rego index d717cbf8462..2272e8303d8 100644 --- a/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/query.rego +++ b/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] 
diff --git a/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/query.rego b/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/query.rego index b432c527197..bb383158d75 100644 --- a/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/query.rego @@ -1,13 +1,13 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] resource.Type == "AWS::Config::ConfigurationAggregator" - not hasAggregationSources(resource.Properties) + not hasAggregationSources(resource.Properties) result := { "documentId": input.document[i].id, @@ -24,9 +24,9 @@ CxPolicy[result] { resource := input.document[i].Resources[name] resource.Type == "AWS::Config::ConfigurationAggregator" - accSources := resource.Properties.AccountAggregationSources + accSources := resource.Properties.AccountAggregationSources accs := accSources[j] - not common_lib.valid_key(accs,"AllAwsRegions") + not common_lib.valid_key(accs, "AllAwsRegions") result := { "documentId": input.document[i].id, @@ -43,9 +43,9 @@ CxPolicy[result] { resource := input.document[i].Resources[name] resource.Type == "AWS::Config::ConfigurationAggregator" - accSources := resource.Properties.AccountAggregationSources + accSources := resource.Properties.AccountAggregationSources - accSources[j].AllAwsRegions == false + accSources[j].AllAwsRegions == false result := { "documentId": input.document[i].id, 
@@ -62,9 +62,9 @@ CxPolicy[result] { resource := input.document[i].Resources[name] resource.Type == "AWS::Config::ConfigurationAggregator" - orgSource := resource.Properties.OrganizationAggregationSource + orgSource := resource.Properties.OrganizationAggregationSource - not common_lib.valid_key(orgSource,"AllAwsRegions") + not common_lib.valid_key(orgSource, "AllAwsRegions") result := { "documentId": input.document[i].id, @@ -81,9 +81,9 @@ CxPolicy[result] { resource := input.document[i].Resources[name] resource.Type == "AWS::Config::ConfigurationAggregator" - orgSource := resource.Properties.OrganizationAggregationSource + orgSource := resource.Properties.OrganizationAggregationSource - orgSource.AllAwsRegions == false + orgSource.AllAwsRegions == false result := { "documentId": input.document[i].id, @@ -97,6 +97,6 @@ CxPolicy[result] { } hasAggregationSources(resource) { - aggregators := ["AccountAggregationSources","OrganizationAggregationSource"] + aggregators := ["AccountAggregationSources", "OrganizationAggregationSource"] common_lib.valid_key(resource, aggregators[_]) } diff --git a/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/query.rego b/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/query.rego index 3e6dda73bcd..a16ec77d53c 100644 --- a/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/query.rego 
@@ -4,28 +4,28 @@ import data.generic.cloudformation as cf_lib CxPolicy[result] { resources := input.document[i].Resources - configRules := cf_lib.getResourcesByType(resources, "AWS::Config::ConfigRule") + configRules := cf_lib.getResourcesByType(resources, "AWS::Config::ConfigRule") - count(configRules) > 0 - not hasEncryptedVolsRule(configRules) + count(configRules) > 0 + not hasEncryptedVolsRule(configRules) - firstRule := resources[name] - firstRule.Type == "AWS::Config::ConfigRule" + firstRule := resources[name] + firstRule.Type == "AWS::Config::ConfigRule" result := { "documentId": input.document[i].id, - "resourceType": firstRule.Type, + "resourceType": firstRule.Type, "resourceName": cf_lib.get_resource_name(firstRule, name), "searchKey": sprintf("Resources.%s", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "There should be a ConfigRule for encrypted volumes.", - "keyActualValue": "There isn't a ConfigRule for encrypted volumes." + "keyActualValue": "There isn't a ConfigRule for encrypted volumes.", } } hasEncryptedVolsRule(configRules) { - configRule := configRules[_] - source := configRule.Properties.Source - source_id := source.SourceIdentifier - source_id == "ENCRYPTED_VOLUMES" + configRule := configRules[_] + source := configRule.Properties.Source + source_id := source.SourceIdentifier + source_id == "ENCRYPTED_VOLUMES" } diff --git a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/query.rego b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/query.rego index e26de7f3036..cd1d8c11db3 100644 --- a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/query.rego +++ b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.cloudformation as cf_lib import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { docs := input.document[i] 
@@ -65,11 +66,11 @@ CxPolicy[result] { check_mask_ipv4(ipv4) { masks := {"25", "26", "27", "28", "29", "30", "31", "32"} output := split(ipv4, "/") - masks[_] == output[1] + output[1] in masks } check_ipv6(ipv6) { prefixes := {"120", "121", "122", "123", "124", "125", "126", "127", "128"} output := split(ipv6, "/") - prefixes[_] == output[1] + output[1] in prefixes } diff --git a/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/query.rego b/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/query.rego index b4398957457..2883ebbb014 100644 --- a/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/query.rego +++ b/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/query.rego @@ -76,4 +76,3 @@ CxPolicy[result] { "keyActualValue": sprintf("Resources.%s.Properties.Password must be defined as a parameter or have a secret manager referenced", [key]), } } - diff --git a/assets/queries/cloudFormation/aws/docdb_logging_disabled/query.rego b/assets/queries/cloudFormation/aws/docdb_logging_disabled/query.rego index ef98506b956..82288bb999a 100644 --- a/assets/queries/cloudFormation/aws/docdb_logging_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/docdb_logging_disabled/query.rego @@ -33,7 +33,7 @@ CxPolicy[result] { resource.Type == "AWS::DocDB::DBCluster" properties := resource.Properties logs := properties.EnableCloudwatchLogsExports - + logsSet := {log | log := logs[_]} missingTypes := validTypes - logsSet @@ -49,4 +49,4 @@ CxPolicy[result] { "keyExpectedValue": sprintf("AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should have all following values: %s", [validTypeConcat]), "keyActualValue": sprintf("AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: %s", [concat(", ", missingTypes)]), } -} \ No newline at end of file +} 
diff --git a/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/query.rego b/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/query.rego index 547ab87abbc..a0e0542f941 100644 --- a/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/query.rego +++ b/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/query.rego b/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/query.rego index 5ac17c30751..6f3bdd6e5b9 100644 --- a/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/query.rego @@ -1,14 +1,14 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] resource := document.Resources[key] resource.Type == "AWS::DynamoDB::Table" properties := resource.Properties - + properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled == false result := { @@ -59,4 +59,4 @@ CxPolicy[result] { "keyExpectedValue": sprintf("Resources[%s].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", [key]), "keyActualValue": sprintf("Resources[%s].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is not defined", [key]), } -} \ No newline at end of file +} diff --git a/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/query.rego b/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/query.rego index 4d1f11986e5..0b20272caba 100644 
--- a/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/query.rego +++ b/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/query.rego b/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/query.rego index c863723b296..f737f1ad506 100644 --- a/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/query.rego +++ b/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/query.rego @@ -20,6 +20,6 @@ CxPolicy[result] { } } -containsBilling(array, elem) { - lower(array[_]) == lower(elem) +containsBilling(array_obj, elem) { + lower(array_obj[_]) == lower(elem) } diff --git a/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/query.rego b/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/query.rego index 0d62705ec63..a2e7da0c45c 100644 --- a/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document diff --git a/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/query.rego b/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/query.rego index 4256d425790..92dfb9a2e7f 100644 --- a/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/query.rego +++ b/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/query.rego b/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/query.rego index dcdb87f4aa9..5e6b00423e0 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/query.rego +++ b/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i].Resources diff --git a/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/query.rego b/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/query.rego index aaa9c7994ab..2b6dcd4a1b5 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i].Resources diff --git a/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/query.rego b/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/query.rego index e149cf87c0f..44a2c2786aa 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/query.rego +++ b/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/query.rego 
@@ -13,7 +13,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties.MapPublicIpOnLaunch", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties.MapPublicIpOnLaunch", [cf_lib.getPath(path), name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'Resources.%s.Properties.MapPublicIpOnLaunch' should be false", [name]), "keyActualValue": sprintf("'Resources.%s.Properties.MapPublicIpOnLaunch' is true", [name]), diff --git a/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/query.rego b/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/query.rego index 8fb3eea383d..81f5b727ee0 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/query.rego +++ b/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { doc := input.document[i].Resources diff --git a/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/query.rego b/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/query.rego index 61e8c3ee338..317a8e2b504 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/query.rego +++ b/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/query.rego b/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/query.rego index 607411bce3e..51e9ffa98b4 100644 
--- a/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/query.rego +++ b/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { entry1 := input.document[i].Resources[name] @@ -34,22 +34,20 @@ CxPolicy[result] { getRef(obj) = obj.Ref { common_lib.valid_key(obj, "Ref") -} else = obj { - true -} +} else = obj getTraffic(entry) = "egress" { - lower(sprintf("%v",[entry.Properties.Egress])) == "true" + lower(sprintf("%v", [entry.Properties.Egress])) == "true" } else = "ingress" { - lower(sprintf("%v",[entry.Properties.Egress])) == "false" + lower(sprintf("%v", [entry.Properties.Egress])) == "false" } else = "egress" { - lower(sprintf("%v",[entry.Properties.Ingress])) == "false" + lower(sprintf("%v", [entry.Properties.Ingress])) == "false" } else = "ingress" { - lower(sprintf("%v",[entry.Properties.Ingress])) == "true" + lower(sprintf("%v", [entry.Properties.Ingress])) == "true" } -compareRuleNumber(entry1, entry2){ - ruleNumberEntry1 := to_number(entry1.Properties.RuleNumber) - ruleNumberEntry2 := to_number(entry2.Properties.RuleNumber) - ruleNumberEntry1 == ruleNumberEntry2 +compareRuleNumber(entry1, entry2) { + ruleNumberEntry1 := to_number(entry1.Properties.RuleNumber) + ruleNumberEntry2 := to_number(entry2.Properties.RuleNumber) + ruleNumberEntry1 == ruleNumberEntry2 } diff --git a/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/query.rego b/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/query.rego index db4ad12b1a1..129bfa288f2 100644 --- a/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/query.rego +++ b/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/query.rego 
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 resource := input.document[i].Resources[name]
diff --git a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/query.rego b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/query.rego
index 206c3149118..f7fc3a9ca62 100644
--- a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/query.rego
+++ b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/query.rego
@@ -2,6 +2,7 @@ package Cx
 import data.generic.cloudformation as cf_lib
 import data.generic.common as commonLib
+import future.keywords.in
 isAccessibleFromEntireNetwork(ingress) {
 endswith(ingress.CidrIp, "/0")
@@ -47,7 +48,7 @@ CxPolicy[result] {
 secGroup := securityGroupList[k]
- ec2Instance.properties.Properties.SecurityGroups[_] == secGroup.name
+ secGroup.name in ec2Instance.properties.Properties.SecurityGroups
 ingress := secGroup.properties.Properties.SecurityGroupIngress[l]
diff --git a/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/query.rego b/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/query.rego
index b7b85a15622..6cd1d1f3949 100644
--- a/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/query.rego
+++ b/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 resource := input.document[i].Resources[name]
diff --git a/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/query.rego b/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/query.rego
index 525a14e6f32..e34603607ed 100644
--- a/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/query.rego
+++ b/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/query.rego @@ -1,11 +1,11 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] - resource.Type == "AWS::ECR::Repository" + resource.Type == "AWS::ECR::Repository" policy := resource.Properties.RepositoryPolicyText st := common_lib.get_statement(common_lib.get_policy(policy)) statement := st[_] diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/query.rego b/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/query.rego index d97a902eef9..4ac5bb5ed14 100644 --- a/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources @@ -43,7 +43,7 @@ CxPolicy[result] { } } -container_insights(settings){ +container_insights(settings) { settings[0].Name == "containerInsights" settings[0].Value == "enabled" } diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/query.rego b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/query.rego index 44fc5ddd2ae..c7ce12b35bb 100644 --- a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/query.rego +++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources 
diff --git a/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/query.rego b/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/query.rego index 49d78293d95..8ab87eaa403 100644 --- a/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/query.rego +++ b/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/query.rego @@ -22,7 +22,7 @@ CxPolicy[result] { resource := input.document[i].Resources[name] resource.Type == "AWS::ECS::Service" resource.Properties.LoadBalancers - check_size(resource.Properties.LoadBalancers) + check_array_size(resource.Properties.LoadBalancers) result := { "documentId": input.document[i].id, @@ -35,7 +35,7 @@ CxPolicy[result] { } } -check_size(array) { - is_array(array) - count(array) == 0 +check_array_size(array_obj) { + is_array(array_obj) + count(array_obj) == 0 } diff --git a/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/query.rego b/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/query.rego index 84dee3ad626..b1a2ae187fc 100644 --- a/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/query.rego +++ b/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/query.rego b/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/query.rego index 3f7ddd2b527..0ab5e33cc00 100644 --- a/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/query.rego +++ b/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] @@ -9,17 +9,17 @@ CxPolicy[result] { contDef := resource.Properties.ContainerDefinitions[idx] not common_lib.valid_key(contDef, "HealthCheck") - getkey := cf_lib.createSearchKey(contDef) - searchkey := sprintf("Resources.%s.Properties.ContainerDefinitions.%v.Name%s", [name,idx,getkey]) + getkey := cf_lib.createSearchKey(contDef) + searchkey := sprintf("Resources.%s.Properties.ContainerDefinitions.%v.Name%s", [name, idx, getkey]) result := { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": searchkey, + "searchKey": searchkey, "issueType": "MissingAttribute", "keyExpectedValue": sprintf("'Resources.%s.Properties.ContainerDefinitions' should contain 'HealthCheck' property", [name]), "keyActualValue": sprintf("'Resources.%s.Properties.ContainerDefinitions' doesn't contain 'HealthCheck' property", [name]), - "searchLine": common_lib.build_search_line(["Resources", name, "Properties", "ContainerDefinitions"], [idx, "Name","Ref" ]), + "searchLine": common_lib.build_search_line(["Resources", name, "Properties", "ContainerDefinitions"], [idx, "Name", "Ref"]), } } diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/query.rego b/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/query.rego index 92d905524ae..ac63620439d 100644 --- a/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/query.rego +++ b/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.common as commonLib import data.generic.cloudformation as cf_lib +import data.generic.common as commonLib CxPolicy[result] { resource := input.document[i].Resources[name] @@ -20,8 +20,8 @@ CxPolicy[result] { checkMemory(taskDef, memory) == true - getkey := cf_lib.createSearchKey(taskDef.Properties.ContainerDefinitions[_]) - searchkey = sprintf("Resources.%s.Properties.ContainerDefinitions.Name%s", [name2, getkey]) + getkey := cf_lib.createSearchKey(taskDef.Properties.ContainerDefinitions[_]) + searchkey = sprintf("Resources.%s.Properties.ContainerDefinitions.Name%s", [name2, getkey]) result := { "documentId": input.document[i].id, @@ -44,7 +44,7 @@ CxPolicy[result] { cpu := taskDef.Properties.ContainerDefinitions[_].Cpu not commonLib.inArray(cpuMem, cpu) getkey := cf_lib.createSearchKey(taskDef.Properties.ContainerDefinitions[_]) - searchkey := sprintf("Resources.%s.Properties.ContainerDefinitions.Name%s", [name2, getkey]) + searchkey := sprintf("Resources.%s.Properties.ContainerDefinitions.Name%s", [name2, getkey]) result := { "documentId": input.document[i].id, @@ -69,13 +69,7 @@ checkMemory(res, memory) { checkRemainder(mem, res.Properties.ContainerDefinitions[_].Cpu) } -contains(arr, elem) { - arr[_] = elem -} - checkRemainder(mem, cpu) { not cpu == 256 not mem % 1024 == 0 } - - diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/query.rego b/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/query.rego index e6b20ca42bd..2179edf2654 100644 --- a/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/query.rego +++ b/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] @@ -25,7 +25,7 @@ CxPolicy[result] { resource.Type == "AWS::ECS::TaskDefinition" properties := resource.Properties - properties.NetworkMode != "awsvpc" + properties.NetworkMode != "awsvpc" result := { "documentId": input.document[i].id, "resourceType": resource.Type, @@ -33,6 +33,6 @@ CxPolicy[result] { "searchKey": sprintf("Resources.%s.Properties.NetworkMode", [name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'Resources.%s.Properties.NetworkMode' should be 'awsvpc'", [name]), - "keyActualValue": sprintf("'Resources.%s.Properties.NetworkMode' is '%s'", [name,properties.NetworkMode]), + "keyActualValue": sprintf("'Resources.%s.Properties.NetworkMode' is '%s'", [name, properties.NetworkMode]), } } diff --git a/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/query.rego b/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/query.rego index 91a1a654b4e..99a33488e92 100644 --- a/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/query.rego +++ b/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/query.rego 
@@ -1,17 +1,17 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources elem := resource[key] elem.Type == "AWS::ECS::TaskDefinition" - efs := elem.Properties.volumes[index].efsVolumeConfiguration - value := efs.TransitEncryption + efs := elem.Properties.volumes[index].efsVolumeConfiguration + value := efs.TransitEncryption not value == "ENABLED" - result := { + result := { "documentId": input.document[i].id, "resourceType": elem.Type, "resourceName": cf_lib.get_resource_name(elem, key), @@ -19,7 +19,7 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'Resources.%s.Properties.volumes[%d].efsVolumeConfiguration.TransitEncryption' should be set to 'ENABLED'", [key, index]), "keyActualValue": sprintf("'Resources.%s.Properties.volumes[%d].efsVolumeConfiguration.TransitEncryption' is set to '%s'", [key, index, value]), - "searchLine": common_lib.build_search_line(["Resources",key,"Properties","volumes", index,"efsVolumeConfiguration","TransitEncryption"], []), + "searchLine": common_lib.build_search_line(["Resources", key, "Properties", "volumes", index, "efsVolumeConfiguration", "TransitEncryption"], []), } } @@ -27,10 +27,10 @@ CxPolicy[result] { resource := input.document[i].Resources elem := resource[key] elem.Type == "AWS::ECS::TaskDefinition" - efs := elem.Properties.volumes[index].efsVolumeConfiguration - not efs.TransitEncryption + efs := elem.Properties.volumes[index].efsVolumeConfiguration + not efs.TransitEncryption - result := { + result := { "documentId": input.document[i].id, "resourceType": elem.Type, "resourceName": cf_lib.get_resource_name(elem, key), 
@@ -38,6 +38,6 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("'Resources.%s.Properties.volumes[%d].efsVolumeConfiguration.TransitEncryption' should be set to 'ENABLED'", [key, index]), "keyActualValue": sprintf("'Resources.%s.Properties.volumes[%d].efsVolumeConfiguration.TransitEncryption' is not set", [key, index]), - "searchLine": common_lib.build_search_line(["Resources",key,"Properties","volumes", index,"efsVolumeConfiguration"], []), + "searchLine": common_lib.build_search_line(["Resources", key, "Properties", "volumes", index, "efsVolumeConfiguration"], []), } -} \ No newline at end of file +} diff --git a/assets/queries/cloudFormation/aws/efs_without_kms/query.rego b/assets/queries/cloudFormation/aws/efs_without_kms/query.rego index 203e02d92c5..861ff4fee72 100644 --- a/assets/queries/cloudFormation/aws/efs_without_kms/query.rego +++ b/assets/queries/cloudFormation/aws/efs_without_kms/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/cloudFormation/aws/efs_without_tags/query.rego b/assets/queries/cloudFormation/aws/efs_without_tags/query.rego index 20098b5def9..ad558d993e9 100644 --- a/assets/queries/cloudFormation/aws/efs_without_tags/query.rego +++ b/assets/queries/cloudFormation/aws/efs_without_tags/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/cloudFormation/aws/eks_node_group_remote_access/query.rego b/assets/queries/cloudFormation/aws/eks_node_group_remote_access/query.rego index ca1bc6c411d..d317177a34c 100644 --- a/assets/queries/cloudFormation/aws/eks_node_group_remote_access/query.rego 
+++ b/assets/queries/cloudFormation/aws/eks_node_group_remote_access/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/query.rego b/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/query.rego index 97ef811d760..98da9bb2afe 100644 --- a/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/query.rego +++ b/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/elasticache_using_default_port/query.rego b/assets/queries/cloudFormation/aws/elasticache_using_default_port/query.rego index 834dba65965..2eda8f9d2e4 100644 --- a/assets/queries/cloudFormation/aws/elasticache_using_default_port/query.rego +++ b/assets/queries/cloudFormation/aws/elasticache_using_default_port/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/query.rego b/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/query.rego index 164de002721..f07891980bc 100644 --- a/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/query.rego +++ b/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/query.rego b/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/query.rego index 7045636a762..a299c474e5d 100644 --- a/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/query.rego +++ b/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/cloudFormation/aws/elasticache_without_vpc/query.rego b/assets/queries/cloudFormation/aws/elasticache_without_vpc/query.rego index d7422ff1d21..91e4d10b312 100644 --- a/assets/queries/cloudFormation/aws/elasticache_without_vpc/query.rego +++ b/assets/queries/cloudFormation/aws/elasticache_without_vpc/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/query.rego b/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/query.rego index ab0a8ed3b9b..c1168492f8f 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/elasticsearch_logs_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib LogTypes := ["INDEX_SLOW_LOGS", "SEARCH_SLOW_LOGS", "ES_APPLICATION_LOGS", "AUDIT_LOGS"] 
@@ -18,7 +18,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties.LogPublishingOptions.%s.Enabled", [cf_lib.getPath(path),name, logName]), + "searchKey": sprintf("%s%s.Properties.LogPublishingOptions.%s.Enabled", [cf_lib.getPath(path), name, logName]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Resources.%s.Properties.LogPublishingOptions.%s should be enabled if is a log", [name, logName]), "keyActualValue": sprintf("Resources.%s.Properties.LogPublishingOptions.%s is a log but isn't enabled", [name, logName]), @@ -39,7 +39,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties.LogPublishingOptions.%s", [cf_lib.getPath(path),name, logName]), + "searchKey": sprintf("%s%s.Properties.LogPublishingOptions.%s", [cf_lib.getPath(path), name, logName]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Resources.%s.Properties.LogPublishingOptions.%s.Enabled should be defined and set to 'true'", [name, logName]), "keyActualValue": sprintf("Resources.%s.Properties.LogPublishingOptions.%s.Enabled isn't defined", [name, logName]), 
@@ -61,14 +61,8 @@ CxPolicy[result] { "resourceName": cf_lib.get_resource_name(resource, name), "searchKey": sprintf("Resources.%s.Properties", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("%s%s.Properties.LogPublishingOptions should be defined and not null", [cf_lib.getPath(path),name]), + "keyExpectedValue": sprintf("%s%s.Properties.LogPublishingOptions should be defined and not null", [cf_lib.getPath(path), name]), "keyActualValue": sprintf("Resources.%s.Properties.LogPublishingOptions is undefined or null", [name]), "searchLine": common_lib.build_search_line(["Resource", name, "Properties"], []), } } - -contains(array, elem) { - array[_] == elem -} else = false { - true -} diff --git a/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/query.rego b/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/query.rego index eec58a1cdcb..46c96f0927d 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/query.rego +++ b/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/query.rego @@ -1,9 +1,9 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib -CxPolicy[result] { +CxPolicy[result] { docs := input.document[i] [path, Resources] := walk(docs) resource := Resources[name] @@ -16,7 +16,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("Resources.%s.Properties.EncryptionAtRestOptions should be defined and not null", [name]), "keyActualValue": sprintf("Resources.%s.Properties.EncryptionAtRestOptions is undefined or null", [name]), 
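Review bot: Deleting the file-local `contains(array, elem)` rule at the end of this hunk changes what any remaining `contains(...)` call in the unchanged rule bodies resolves to: with the shadowing rule gone the name is OPA's string built-in `contains(haystack, needle)`, so a surviving call such as `contains(LogTypes, logName)` would either fail type-checking or silently never match. The sibling query elasticsearch_without_slow_logs keeps a renamed `array_contains` helper for exactly this purpose, so please confirm the earlier `CxPolicy` rules in this file (outside the hunk) no longer reference the helper, or rename it here as well rather than drop it. Separately, on the context line `common_lib.build_search_line(["Resource", name, "Properties"], [])` the top-level key is spelled `"Resource"` while the `searchKey` two lines above uses `Resources`; that predates the PR, but it looks like it makes the reported line lookup miss and is worth fixing while the file is being touched.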
@@ -36,7 +36,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties.EncryptionAtRestOptions.Enabled", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties.EncryptionAtRestOptions.Enabled", [cf_lib.getPath(path), name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Resources.%s.Properties.EncryptionAtRestOptions should be enabled", [name]), "keyActualValue": sprintf("Resources.%s.Properties.EncryptionAtRestOptions is disabled", [name]), diff --git a/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/query.rego b/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/query.rego index f4781efe848..6908be6d23a 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/query.rego @@ -22,7 +22,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("%s%s.Properties.DomainEndpointOptions.EnforceHTTPS should be defined and set to 'true'", [cf_lib.getPath(path), name]), "keyActualValue": sprintf("%s%s.Properties.DomainEndpointOptions.EnforceHTTPS is not set", [cf_lib.getPath(path), name]), - "searchLine": common_lib.build_search_line([path, Resources, name, field, "Properties"],[]), + "searchLine": common_lib.build_search_line([path, Resources, name, field, "Properties"], []), } } 
@@ -43,7 +43,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("%s%s.Properties.DomainEndpointOptions.EnforceHTTPS should be defined and set to 'true'", [cf_lib.getPath(path), name]), "keyActualValue": sprintf("%s%s.Properties.DomainEndpointOptions.EnforceHTTPS is not set", [cf_lib.getPath(path), name]), - "searchLine": common_lib.build_search_line([path, Resources, name, field, "Properties", "DomainEndpointOptions"],[]), + "searchLine": common_lib.build_search_line([path, Resources, name, field, "Properties", "DomainEndpointOptions"], []), } } @@ -64,6 +64,6 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("%s%s.Properties.DomainEndpointOptions.EnforceHTTPS should be set to 'true'", [cf_lib.getPath(path), name]), "keyActualValue": sprintf("%s%s.Properties.DomainEndpointOptions.EnforceHTTPS is set to 'false'", [cf_lib.getPath(path), name]), - "searchLine": common_lib.build_search_line([path, Resources, name, field, "Properties", "DomainEndpointOptions","EnforceHTTPS"],[]), + "searchLine": common_lib.build_search_line([path, Resources, name, field, "Properties", "DomainEndpointOptions", "EnforceHTTPS"], []), } -} \ No newline at end of file +} diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/query.rego b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/query.rego index 921311abc69..cd8950ee9fe 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/query.rego +++ b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/query.rego @@ -1,7 +1,8 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib +import future.keywords.in slowLogs := ["INDEX_SLOW_LOGS", "SEARCH_SLOW_LOGS"] 
@@ -11,14 +12,14 @@ CxPolicy[result] { resource := Resources[name] resource.Type == "AWS::Elasticsearch::Domain" common_lib.valid_key(resource.Properties, "LogPublishingOptions") - logs := [logName | contains(slowLogs, logName); log := resource.Properties.LogPublishingOptions[logName]] + logs := [logName | array_contains(slowLogs, logName); log := resource.Properties.LogPublishingOptions[logName]] count(logs) == 0 result := { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties.LogPublishingOptions", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties.LogPublishingOptions", [cf_lib.getPath(path), name]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("Resources.%s.Properties.LogPublishingOptions should declare slow logs", [name]), "keyActualValue": sprintf("Resources.%s.Properties.LogPublishingOptions does not declares slow logs", [name]), @@ -39,7 +40,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties.LogPublishingOptions.%s.Enabled", [cf_lib.getPath(path),name, logName]), + "searchKey": sprintf("%s%s.Properties.LogPublishingOptions.%s.Enabled", [cf_lib.getPath(path), name, logName]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Resources.%s.Properties.LogPublishingOptions.%s should be enabled if is a slow log", [name, logName]), "keyActualValue": sprintf("Resources.%s.Properties.LogPublishingOptions.%s is a slow log but isn't enabled", [name, logName]), 
@@ -61,14 +62,12 @@ CxPolicy[result] { "resourceName": cf_lib.get_resource_name(resource, name), "searchKey": sprintf("Resources.%s.Properties", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("%s%s.Properties.LogPublishingOptions should be defined and not null", [cf_lib.getPath(path),name]), + "keyExpectedValue": sprintf("%s%s.Properties.LogPublishingOptions should be defined and not null", [cf_lib.getPath(path), name]), "keyActualValue": sprintf("Resources.%s.Properties.LogPublishingOptions is undefined or null", [name]), "searchLine": common_lib.build_search_line(["Resource", name, "Properties"], []), } } -contains(array, elem) { - array[_] == elem -} else = false { - true -} +array_contains(array_obj, elem) { + elem in array_obj +} else = false diff --git a/assets/queries/cloudFormation/aws/elb_access_log_disabled/query.rego b/assets/queries/cloudFormation/aws/elb_access_log_disabled/query.rego index 2660437553d..8d8c6347be3 100644 --- a/assets/queries/cloudFormation/aws/elb_access_log_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/elb_access_log_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/query.rego b/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/query.rego index f03f10aaef9..35320c46822 100644 --- a/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/query.rego +++ b/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as commonLib import data.generic.cloudformation as cf_lib +import data.generic.common as commonLib CxPolicy[result] { resource := input.document[i].Resources[name] 
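Review bot: The `else = false` branch on the new `array_contains` helper at the end of this hunk is dead weight: when `elem in array_obj` does not hold the function is simply undefined, and an undefined call fails the comprehension body at new line 15 exactly as a `false` value does, so the rewrite is behaviour-preserving but the helper adds nothing over the keyword. With `future.keywords.in` now imported, the comprehension can be written directly as `logs := [logName | some logName in slowLogs; resource.Properties.LogPublishingOptions[logName]]`, which also drops the `log :=` binding that is assigned and never read and lets the helper be deleted (only `count(logs)` is consumed, so iteration order does not matter). Unrelated to the rename but on the context line above it, `common_lib.build_search_line(["Resource", name, "Properties"], [])` spells the key `"Resource"` while the adjacent `searchKey` uses `Resources`; that mismatch predates the PR but looks like it makes the line lookup miss.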
diff --git a/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/query.rego b/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/query.rego index c3482d53363..3911aef7763 100644 --- a/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/query.rego +++ b/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as commonLib import data.generic.cloudformation as cf_lib +import data.generic.common as commonLib CxPolicy[result] { resource := input.document[i].Resources[name] 
@@ -27,12 +27,12 @@ check_vulnerability(cipher) { "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384", "TLS_DHE_PSK_WITH_NULL_SHA256", "TLS_DHE_PSK_WITH_NULL_SHA384", "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256", "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384", "TLS_RSA_PSK_WITH_NULL_SHA256", "TLS_RSA_PSK_WITH_NULL_SHA384", "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256", "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256", "TLS_SM4_GCM_SM3", "TLS_SM4_CCM_SM3", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_AES_128_CCM_8_SHA256", "TLS_ECDH_ECDSA_WITH_NULL_SHA", "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_NULL_SHA", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_RSA_WITH_NULL_SHA", "TLS_ECDH_RSA_WITH_RC4_128_SHA", "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_NULL_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_anon_WITH_NULL_SHA", "TLS_ECDH_anon_WITH_RC4_128_SHA", "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", "TLS_ECDH_anon_WITH_AES_256_CBC_SHA", "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA", "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_SRP_SHA_WITH_AES_128_CBC_SHA", 
"TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA", "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA", "TLS_SRP_SHA_WITH_AES_256_CBC_SHA", "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA", "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_PSK_WITH_RC4_128_SHA", "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_PSK_WITH_NULL_SHA", "TLS_ECDHE_PSK_WITH_NULL_SHA256", "TLS_ECDHE_PSK_WITH_NULL_SHA384", "TLS_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256", "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384", "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256", "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384", "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256", "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384", "TLS_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384", 
"TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256", "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384", "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256", "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384", "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256", "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384", "TLS_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_PSK_WITH_ARIA_128_GCM_SHA256", "TLS_PSK_WITH_ARIA_256_GCM_SHA384", "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256", "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384", "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256", "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384", "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256", "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384", "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256", 
"TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256", "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384", "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384", "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256", "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384", "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", "TLS_RSA_WITH_AES_128_CCM", "TLS_RSA_WITH_AES_256_CCM", "TLS_RSA_WITH_AES_128_CCM_8", "TLS_RSA_WITH_AES_256_CCM_8", "TLS_DHE_RSA_WITH_AES_128_CCM_8", "TLS_DHE_RSA_WITH_AES_256_CCM_8", "TLS_PSK_WITH_AES_128_CCM", "TLS_PSK_WITH_AES_256_CCM", "TLS_PSK_WITH_AES_128_CCM_8", "TLS_PSK_WITH_AES_256_CCM_8", "TLS_PSK_DHE_WITH_AES_128_CCM_8", "TLS_PSK_DHE_WITH_AES_256_CCM_8", "TLS_ECDHE_ECDSA_WITH_AES_128_CCM", "TLS_ECDHE_ECDSA_WITH_AES_256_CCM", "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8", "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8", "TLS_ECCPWD_WITH_AES_128_GCM_SHA256", "TLS_ECCPWD_WITH_AES_256_GCM_SHA384", "TLS_ECCPWD_WITH_AES_128_CCM_SHA256", "TLS_ECCPWD_WITH_AES_256_CCM_SHA384", "TLS_SHA256_SHA256", "TLS_SHA384_SHA384", "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC", "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC", "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT", "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L", 
"TLS_GOSTR341112_256_WITH_MAGMA_MGM_L", "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S", "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S", "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256", "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256", } - commonLib.inArray(weak_ciphers_IANA_Format, cipher) + commonLib.inArray(weak_ciphers_IANA_Format, cipher) } check_vulnerability(cipher) { weak_ciphers_OpenSSL_Format = {"NULL-MD5", "NULL-SHA", "IDEA-CBC-SHA", "DES-CBC3-SHA", "DHE-DSS-DES-CBC3-SHA", "DHE-RSA-DES-CBC3-SHA", "ADH-DES-CBC3-SHA", "PSK-NULL-SHA", "DHE-PSK-NULL-SHA", "RSA-PSK-NULL-SHA", "AES128-SHA", "DHE-DSS-AES128-SHA", "DHE-RSA-AES128-SHA", "ADH-AES128-SHA", "AES256-SHA", "DHE-DSS-AES256-SHA", "DHE-RSA-AES256-SHA", "ADH-AES256-SHA", "NULL-SHA256", "AES128-SHA256", "AES256-SHA256", "DHE-DSS-AES128-SHA256", "CAMELLIA128-SHA", "DHE-DSS-CAMELLIA128-SHA", "DHE-RSA-CAMELLIA128-SHA", "ADH-CAMELLIA128-SHA", "DHE-RSA-AES128-SHA256", "DHE-DSS-AES256-SHA256", "DHE-RSA-AES256-SHA256", "ADH-AES128-SHA256", "ADH-AES256-SHA256", "CAMELLIA256-SHA", "DHE-DSS-CAMELLIA256-SHA", "DHE-RSA-CAMELLIA256-SHA", "ADH-CAMELLIA256-SHA", "PSK-3DES-EDE-CBC-SHA", "PSK-AES128-CBC-SHA", "PSK-AES256-CBC-SHA", "DHE-PSK-3DES-EDE-CBC-SHA", "DHE-PSK-AES128-CBC-SHA", "DHE-PSK-AES256-CBC-SHA", "RSA-PSK-3DES-EDE-CBC-SHA", "RSA-PSK-AES128-CBC-SHA", "RSA-PSK-AES256-CBC-SHA", "SEED-SHA", "DHE-DSS-SEED-SHA", "DHE-RSA-SEED-SHA", "ADH-SEED-SHA", "AES128-GCM-SHA256", "AES256-GCM-SHA384", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES256-GCM-SHA384", "ADH-AES128-GCM-SHA256", "ADH-AES256-GCM-SHA384", "PSK-AES128-GCM-SHA256", "PSK-AES256-GCM-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES256-GCM-SHA384", "PSK-AES128-CBC-SHA256", "PSK-AES256-CBC-SHA384", "PSK-NULL-SHA256", "PSK-NULL-SHA384", "DHE-PSK-AES128-CBC-SHA256", "DHE-PSK-AES256-CBC-SHA384", "DHE-PSK-NULL-SHA256", "DHE-PSK-NULL-SHA384", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-NULL-SHA256", "RSA-PSK-NULL-SHA384", 
"CAMELLIA128-SHA256", "DHE-DSS-CAMELLIA128-SHA256", "DHE-RSA-CAMELLIA128-SHA256", "ADH-CAMELLIA128-SHA256", "CAMELLIA256-SHA256", "DHE-DSS-CAMELLIA256-SHA256", "DHE-RSA-CAMELLIA256-SHA256", "ADH-CAMELLIA256-SHA256", "ECDHE-ECDSA-NULL-SHA", "ECDHE-ECDSA-DES-CBC3-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-NULL-SHA", "ECDHE-RSA-DES-CBC3-SHA", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA", "AECDH-NULL-SHA", "AECDH-DES-CBC3-SHA", "AECDH-AES128-SHA", "AECDH-AES256-SHA", "SRP-3DES-EDE-CBC-SHA", "SRP-RSA-3DES-EDE-CBC-SHA", "SRP-DSS-3DES-EDE-CBC-SHA", "SRP-AES-128-CBC-SHA", "SRP-RSA-AES-128-CBC-SHA", "SRP-DSS-AES-128-CBC-SHA", "SRP-AES-256-CBC-SHA", "SRP-RSA-AES-256-CBC-SHA", "SRP-DSS-AES-256-CBC-SHA", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384", "ECDHE-PSK-3DES-EDE-CBC-SHA", "ECDHE-PSK-AES128-CBC-SHA", "ECDHE-PSK-AES256-CBC-SHA", "ECDHE-PSK-AES128-CBC-SHA256", "ECDHE-PSK-AES256-CBC-SHA384", "ECDHE-PSK-NULL-SHA", "ECDHE-PSK-NULL-SHA256", "ECDHE-PSK-NULL-SHA384", "ECDHE-ECDSA-CAMELLIA128-SHA256", "ECDHE-ECDSA-CAMELLIA256-SHA384", "ECDHE-RSA-CAMELLIA128-SHA256", "ECDHE-RSA-CAMELLIA256-SHA384", "PSK-CAMELLIA128-SHA256", "PSK-CAMELLIA256-SHA384", "DHE-PSK-CAMELLIA128-SHA256", "DHE-PSK-CAMELLIA256-SHA384", "RSA-PSK-CAMELLIA128-SHA256", "RSA-PSK-CAMELLIA256-SHA384", "ECDHE-PSK-CAMELLIA128-SHA256", "ECDHE-PSK-CAMELLIA256-SHA384", "AES128-CCM", "AES256-CCM", "AES128-CCM8", "AES256-CCM8", "DHE-RSA-AES128-CCM8", "DHE-RSA-AES256-CCM8", "PSK-AES128-CCM", "PSK-AES256-CCM", "PSK-AES128-CCM8", "PSK-AES256-CCM8", "DHE-PSK-AES128-CCM8", "DHE-PSK-AES256-CCM8", "ECDHE-ECDSA-AES128-CCM", "ECDHE-ECDSA-AES256-CCM", "ECDHE-ECDSA-AES128-CCM8", "ECDHE-ECDSA-AES256-CCM8", "PSK-CHACHA20-POLY1305", "RSA-PSK-CHACHA20-POLY1305"} - commonLib.inArray(weak_ciphers_OpenSSL_Format, cipher) + commonLib.inArray(weak_ciphers_OpenSSL_Format, cipher) } check_vulnerability(cipher) { 
diff --git a/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/query.rego b/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/query.rego
index e12705e0737..f1a19d548d2 100644
--- a/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/query.rego
+++ b/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/query.rego
@@ -1,14 +1,14 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 resource := input.document[i].Resources[name]
 resource.Type == "AWS::ElasticLoadBalancingV2::LoadBalancer"
 prop := resource.Properties
- not common_lib.valid_key(prop, "LoadBalancerAttributes")
+ not common_lib.valid_key(prop, "LoadBalancerAttributes")
 result := {
 "documentId": input.document[i].id,
@@ -26,7 +26,7 @@ CxPolicy[result] {
 resource.Type == "AWS::ElasticLoadBalancingV2::LoadBalancer"
 prop := resource.Properties
- contains(prop.LoadBalancerAttributes, "access_logs.s3.enabled")
+ array_contains(prop.LoadBalancerAttributes, "access_logs.s3.enabled")
 result := {
 "documentId": input.document[i].id,
@@ -39,7 +39,7 @@ CxPolicy[result] {
 }
 }
-contains(arr, elem) {
+array_contains(arr, elem) {
 arr[i].Key == elem
 arr[i].Value == false
 }
diff --git a/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/query.rego b/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/query.rego
index 01396989990..f3c7b35a9fe 100644
--- a/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/query.rego
+++ b/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/query.rego
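Review bot: `array_contains(arr, elem)` in the last hunk of this file succeeds only when the matching attribute's `Value` is the boolean `false`, so the rename removes the shadowing of the builtin `contains` but keeps a membership-sounding name for what is really an "attribute explicitly disabled" test. A template that spells the value as the string `"false"` would not match and the second rule would stay silent (inferred — how the parser normalises that form is not visible here). A name that states the predicate, e.g. `attribute_is_false(arr, elem)`, with a one-line comment above it, `# matches a LoadBalancerAttributes entry whose Key is elem and whose Value is boolean false`, would make the rule's scope clear; the caller in the `@@ -26` hunk would take the same rename.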
@@ -37,11 +37,11 @@ withoutOutboundRules(securityGroupName) = result {
 }
 withoutOutboundRules(securityGroupName) = result {
- some j
- resource := input.document[i].Resources[j]
- resource.Type == "AWS::EC2::SecurityGroupIngress"
- groupId := resource.Properties.GroupId
- id := replace(groupId, "!Ref ", "")
- not id == securityGroupName
- result := {"expected": "defined", "actual": "undefined", "path": "", "issue": "MissingAttribute"}
+ some j
+ resource := input.document[i].Resources[j]
+ resource.Type == "AWS::EC2::SecurityGroupIngress"
+ groupId := resource.Properties.GroupId
+ id := replace(groupId, "!Ref ", "")
+ not id == securityGroupName
+ result := {"expected": "defined", "actual": "undefined", "path": "", "issue": "MissingAttribute"}
 }
diff --git a/assets/queries/cloudFormation/aws/elb_without_secure_protocol/query.rego b/assets/queries/cloudFormation/aws/elb_without_secure_protocol/query.rego
index 73639b2764d..652878c50f8 100644
--- a/assets/queries/cloudFormation/aws/elb_without_secure_protocol/query.rego
+++ b/assets/queries/cloudFormation/aws/elb_without_secure_protocol/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 resource := input.document[i].Resources[name]
@@ -25,7 +25,6 @@ CxPolicy[result] {
 }
 }
-
 is_secure(listener, protocol) {
 secureProtocols := {"SSL", "HTTPS"}
 listener[protocol] == secureProtocols[_]
diff --git a/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/query.rego b/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/query.rego
index 16a670b676c..06045cbc701 100644
--- a/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/query.rego
+++ b/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 resource := input.document[i].Resources[name]
@@ -75,9 +75,7 @@ isInCluster(service, i) {
 cluster := service.Properties.Cluster
 is_object(cluster)
 common_lib.valid_key(cluster, "Ref")
-} else = false {
- true
-}
+} else = false
 existsTaskDefinition(taskDefName, i) = taskDef {
 is_string(taskDefName)
@@ -88,12 +86,8 @@ existsTaskDefinition(taskDefName, i) = taskDef {
 ref := taskDefName.Ref
 input.document[i].Resources[ref].Type == "AWS::ECS::TaskDefinition"
 taskDef := input.document[i].Resources[ref]
-} else = null {
- true
-}
+} else = null
 hasTaskRole(taskDef) {
 common_lib.valid_key(taskDef.Properties, "TaskRoleArn")
-} else = false {
- true
-}
+} else = false
diff --git a/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/query.rego b/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/query.rego
index dca2d8530c3..80ea9a98561 100644
--- a/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/query.rego
+++ b/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 document := input.document
diff --git a/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/query.rego b/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/query.rego
index 5986f158237..321f750ca99 100644
--- a/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/query.rego
+++ b/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/query.rego
@@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/cloudFormation/aws/emr_wihout_vpc/query.rego b/assets/queries/cloudFormation/aws/emr_wihout_vpc/query.rego index 2dbf31d39e6..8810b0d2222 100644 --- a/assets/queries/cloudFormation/aws/emr_wihout_vpc/query.rego +++ b/assets/queries/cloudFormation/aws/emr_wihout_vpc/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document diff --git a/assets/queries/cloudFormation/aws/fully_open_ingress/query.rego b/assets/queries/cloudFormation/aws/fully_open_ingress/query.rego index 638771e3ac6..8d90234ba32 100644 --- a/assets/queries/cloudFormation/aws/fully_open_ingress/query.rego +++ b/assets/queries/cloudFormation/aws/fully_open_ingress/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as commonLib import data.generic.cloudformation as cf_lib +import data.generic.common as commonLib CxPolicy[result] { doc := input.document[i] @@ -25,7 +25,7 @@ CxPolicy[result] { doc.Resources[k].Type == "AWS::EC2::SecurityGroupIngress" doc.Resources[k].Properties.CidrIp == "0.0.0.0/0" doc.Resources[k].Properties.ToPort == 0 - commonLib.inArray(securityGroupList, doc.Resources[k].Properties.GroupId) + commonLib.inArray(securityGroupList, doc.Resources[k].Properties.GroupId) result := { "documentId": input.document[i].id, diff --git a/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/query.rego b/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/query.rego index d01e6569c7b..7e6d6eacf64 100644 --- a/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/query.rego 
+++ b/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/query.rego @@ -9,8 +9,8 @@ CxPolicy[result] { properties := resource.Properties fromPort := to_number(properties.EC2InboundPermissions[index].FromPort) - toPort := to_number(properties.EC2InboundPermissions[index].ToPort) - fromPort != toPort + toPort := to_number(properties.EC2InboundPermissions[index].ToPort) + fromPort != toPort result := { "documentId": input.document[i].id, diff --git a/assets/queries/cloudFormation/aws/github_repository_set_to_public/query.rego b/assets/queries/cloudFormation/aws/github_repository_set_to_public/query.rego index 9a88d99b083..7c3b7498d13 100644 --- a/assets/queries/cloudFormation/aws/github_repository_set_to_public/query.rego +++ b/assets/queries/cloudFormation/aws/github_repository_set_to_public/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/http_port_open/query.rego b/assets/queries/cloudFormation/aws/http_port_open/query.rego index 5925503abeb..487ea790bec 100644 --- a/assets/queries/cloudFormation/aws/http_port_open/query.rego +++ b/assets/queries/cloudFormation/aws/http_port_open/query.rego 
@@ -19,7 +19,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties.SecurityGroupIngress", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties.SecurityGroupIngress", [cf_lib.getPath(path), name]), "searchLine": common_lib.build_search_line(["Resources", name, "Properties", "SecurityGroupIngress", index, "FromPort"], []), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Resources.%s.Properties.SecurityGroupIngress[%d] should not open the HTTP port (80)", [name, index]), @@ -27,7 +27,6 @@ CxPolicy[result] { } } - CxPolicy[result] { docs := input.document[i] [path, Resources] := walk(docs) @@ -44,7 +43,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties.SecurityGroupIngress", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties.SecurityGroupIngress", [cf_lib.getPath(path), name]), "searchLine": common_lib.build_search_line(["Resources", name, "Properties", "SecurityGroupIngress", index, "ToPort"], []), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Resources.%s.Properties.SecurityGroupIngress[%d] should not open the HTTP port (80)", [name, index]), @@ -64,4 +63,4 @@ isTCP("tcp") = true isTCP("-1") = true -isTCP("6") = true \ No newline at end of file +isTCP("6") = true diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/query.rego b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/query.rego index ed295d5fd47..4983e04fa96 100644 --- a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/query.rego +++ b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/query.rego 
@@ -1,13 +1,12 @@
 package Cx
-import input as cf
 import data.generic.common as common_lib
+import input as cf
 extensions := {".json", ".yaml"}
 CxPolicy[result] {
-
- resources := input.document[i].Resources;
+ resources := input.document[i].Resources
 count(resources) > 0
 count({i | resources[_].Type == "AWS::AccessAnalyzer::Analyzer"}) == 0
@@ -20,5 +19,5 @@ CxPolicy[result] {
 "keyExpectedValue": "'AWS::AccessAnalyzer::Analyzer' should be set",
 "keyActualValue": "'AWS::AccessAnalyzer::Analyzer' is undefined",
 "searchLine": common_lib.build_search_line(["Resources"], []),
- }
-}
\ No newline at end of file
+ }
+}
diff --git a/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/query.rego b/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/query.rego
index 92da74ce968..717a7e6d3a9 100644
--- a/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/query.rego
+++ b/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 docs := input.document[i]
@@ -16,7 +16,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.Type,
 "resourceName": cf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("%s%s.Properties.EnableIAMDatabaseAuthentication", [cf_lib.getPath(path),name]),
+ "searchKey": sprintf("%s%s.Properties.EnableIAMDatabaseAuthentication", [cf_lib.getPath(path), name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("Resources.%s.Properties.EnableIAMDatabaseAuthentication should be true", [name]),
 "keyActualValue": sprintf("Resources.%s.Properties.EnableIAMDatabaseAuthentication is false", [name]),
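Review bot: `count({i | resources[_].Type == "AWS::AccessAnalyzer::Analyzer"}) == 0`, two lines below the reformatted `resources := input.document[i].Resources`, reuses `i` as the comprehension's output variable although `i` is already bound by `input.document[i]`, so the set is at most `{i}` and the name misleads a reader into thinking it enumerates matches; a throwaway variable states the intent, e.g. `count([r | r := resources[_]; r.Type == "AWS::AccessAnalyzer::Analyzer"]) == 0`. The rule is also scoped per document, which presumably means a deployment that declares its analyzer in a separate template still gets a finding on every other template — worth confirming against the intended scope and recording in a comment above the rule. `import input as cf` is not used in the visible lines; check whether the alias can be dropped.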
@@ -36,7 +36,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("Resources.%s.Properties.EnableIAMDatabaseAuthentication should be defined", [name]), "keyActualValue": sprintf("Resources.%s.Properties.EnableIAMDatabaseAuthentication is not defined", [name]), diff --git a/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/query.rego b/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/query.rego index fe8b04cd5b8..93d6b0ef192 100644 --- a/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/query.rego +++ b/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/query.rego @@ -6,7 +6,7 @@ CxPolicy[result] { resource := input.document[i].Resources[name] password := resource.Properties.LoginProfile.Password is_string(password) - not contains(lower(password), "secretsmanager") + not contains(lower(password), "secretsmanager") count(password) < 14 result := { diff --git a/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/query.rego b/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/query.rego index 026e58d7866..46fb6c1dd04 100644 --- a/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/query.rego +++ b/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] 
diff --git a/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/query.rego b/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/query.rego index 47fffa178fe..9ed2f33dd3a 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/query.rego +++ b/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/query.rego b/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/query.rego index 3748d43af8a..da8fa997d57 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/query.rego +++ b/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/iam_policy_on_user/query.rego b/assets/queries/cloudFormation/aws/iam_policy_on_user/query.rego index 33299cc4f22..2d445caff54 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_on_user/query.rego +++ b/assets/queries/cloudFormation/aws/iam_policy_on_user/query.rego 
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "resourceType": document.Resources[policyName].Type,
 "resourceName": cf_lib.get_resource_name(document.Resources[policyName], policyName),
 "searchKey": sprintf("Resources.%s.Properties.Users", [policyName]),
- "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute"
+ "issueType": "IncorrectValue", # "MissingAttribute" / "RedundantAttribute"
 "keyExpectedValue": sprintf("Resources.%s is assigned to a set of users", [policyName]),
 "keyActualValue": sprintf("Resources.%s should be assigned to a set of groups", [policyName]),
 }
diff --git a/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/query.rego b/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/query.rego
index 6d10ccb1971..de7ccf7b3db 100644
--- a/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/query.rego
+++ b/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/query.rego
@@ -23,6 +23,4 @@ findAnotherAccessKey(firstKey, userName) {
 key := input.document[_].Resources[secondKey]
 firstKey != secondKey
 key.Properties.UserName == userName
-} else = false {
- true
-}
+} else = false
diff --git a/assets/queries/cloudFormation/aws/iam_user_with_no_group/query.rego b/assets/queries/cloudFormation/aws/iam_user_with_no_group/query.rego
index f06f5f61268..4a87f158a40 100644
--- a/assets/queries/cloudFormation/aws/iam_user_with_no_group/query.rego
+++ b/assets/queries/cloudFormation/aws/iam_user_with_no_group/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 resource := input.document[i].Resources[name]
@@ -10,7 +10,7 @@ CxPolicy[result] {
 not common_lib.valid_key(properties, "Groups")
- result := {
+ result := {
 "documentId": input.document[i].id,
 "resourceType": resource.Type,
 "resourceName": cf_lib.get_resource_name(resource, name),
diff --git a/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/query.rego b/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/query.rego
index eee3d6d8701..940e4f89a33 100644
--- a/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/query.rego
+++ b/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/query.rego
@@ -29,6 +29,4 @@ getInlinePolicy(role) = policy {
 is_object(role)
 input.document[_].Resources[role.Ref].Type == "AWS::IAM::Policy"
 policy := role.Ref
-} else = "undefined" {
- true
-}
+} else = "undefined"
diff --git a/assets/queries/cloudFormation/aws/instance_with_no_vpc/query.rego b/assets/queries/cloudFormation/aws/instance_with_no_vpc/query.rego
index 53cfd0f1259..324ae9ba6f8 100644
--- a/assets/queries/cloudFormation/aws/instance_with_no_vpc/query.rego
+++ b/assets/queries/cloudFormation/aws/instance_with_no_vpc/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 document := input.document[i]
diff --git a/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/query.rego b/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/query.rego
index e73638d5b0b..ee1d79d56c4 100644
--- a/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/query.rego
+++ b/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 resources := input.document[i].Resources[name]
diff --git a/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/query.rego b/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/query.rego
index b10ead43a22..393fc069d79 100644
--- a/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/query.rego +++ b/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/query.rego @@ -1,12 +1,12 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resources := input.document[i].Resources[name] resources.Type == "AWS::IoT::Policy" - + policy := resources.Properties.PolicyDocument st := common_lib.get_statement(common_lib.get_policy(policy)) statement := st[_] diff --git a/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/query.rego b/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/query.rego index 7df34ce8338..8203dacb44e 100644 --- a/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/query.rego +++ b/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resources := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/query.rego b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/query.rego index f5f89398300..b5f788fa66e 100644 --- a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resources := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/query.rego b/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/query.rego index 4f3f4da3a18..bc12c028f20 100644 
--- a/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/query.rego +++ b/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resources := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/query.rego b/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/query.rego index f97c62da16a..f335307487c 100644 --- a/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/query.rego +++ b/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/cloudFormation/aws/lambda_function_without_tags/query.rego b/assets/queries/cloudFormation/aws/lambda_function_without_tags/query.rego index 7095a1a7349..947d6d2c8dc 100644 --- a/assets/queries/cloudFormation/aws/lambda_function_without_tags/query.rego +++ b/assets/queries/cloudFormation/aws/lambda_function_without_tags/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/query.rego b/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/query.rego index 74b439b792e..2f3d1b24c5d 100644 --- a/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/query.rego +++ b/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resources := input.document[i].Resources @@ -35,6 +35,6 @@ check_policy(policy) { statement := st[_] common_lib.is_allow_effect(statement) - common_lib.containsOrInArrayContains(statement.Resource, "*") + common_lib.containsOrInArrayContains(statement.Resource, "*") common_lib.containsOrInArrayContains(statement.Action, "*") } diff --git a/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/query.rego b/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/query.rego index 82d5ad3c023..517018ffd3a 100644 --- a/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/query.rego +++ b/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/query.rego b/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/query.rego index 5c55c718f5b..f31113739b6 100644 --- a/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/query.rego +++ b/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/query.rego @@ -8,7 +8,7 @@ CxPolicy[result] { resource.Type == "AWS::AmazonMQ::Broker" properties := resource.Properties - properties.PubliclyAccessible + properties.PubliclyAccessible result := { "documentId": input.document[i].id, diff --git a/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/query.rego b/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/query.rego index e536d783fed..11b240316e5 100644 --- a/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/query.rego 
+++ b/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document @@ -28,9 +28,9 @@ CxPolicy[result] { properties := resource.Properties common_lib.valid_key(properties, "Logs") - logTypes := ["Audit","General"] + logTypes := ["Audit", "General"] lTypes := logTypes[j] - not common_lib.valid_key(properties.Logs,lTypes) + not common_lib.valid_key(properties.Logs, lTypes) result := { "documentId": input.document[i].id, @@ -38,8 +38,8 @@ CxPolicy[result] { "resourceName": cf_lib.get_resource_name(resource, name), "searchKey": sprintf("Resources.%s.Properties.Logs", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("Resources.%s.Properties.Logs.%s should be set", [name,lTypes]), - "keyActualValue": sprintf("Resources.%s.Properties.Logs.%s is undefined", [name,lTypes]), + "keyExpectedValue": sprintf("Resources.%s.Properties.Logs.%s should be set", [name, lTypes]), + "keyActualValue": sprintf("Resources.%s.Properties.Logs.%s is undefined", [name, lTypes]), } } 
@@ -50,18 +50,18 @@ CxPolicy[result] { properties := resource.Properties common_lib.valid_key(properties, "Logs") - logTypes := ["Audit","General"] + logTypes := ["Audit", "General"] - common_lib.valid_key(properties.Logs,logTypes[j]) + common_lib.valid_key(properties.Logs, logTypes[j]) properties.Logs[logTypes[j]] == false result := { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("Resources.%s.Properties.Logs.%s", [name,logTypes[j]]), + "searchKey": sprintf("Resources.%s.Properties.Logs.%s", [name, logTypes[j]]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("Resources.%s.Properties.Logs.%s is true", [name,logTypes[j]]), - "keyActualValue": sprintf("Resources.%s.Properties.Logs.%s is false", [name,logTypes[j]]), + "keyExpectedValue": sprintf("Resources.%s.Properties.Logs.%s is true", [name, logTypes[j]]), + "keyActualValue": sprintf("Resources.%s.Properties.Logs.%s is false", [name, logTypes[j]]), } } diff --git a/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/query.rego b/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/query.rego index 22994e235bd..8cb0a7d20d6 100644 --- a/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/query.rego +++ b/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/query.rego @@ -1,14 +1,13 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document resource = document[i].Resources[name] resource.Type == "AWS::MSK::Cluster" - resource.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type == "SERVICE_PROVIDED_EIPS" result := { 
@@ -19,6 +18,6 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Resources.%s.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type should be set to 'DISABLED' or undefined", [name]), "keyActualValue": sprintf("Resources.%s.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type is set to 'SERVICE_PROVIDED_EIPS'", [name]), - "searchLine": common_lib.build_search_line(["Resources", name, "Properties","BrokerNodeGroupInfo","ConnectivityInfo","PublicAccess", "Type"], []), + "searchLine": common_lib.build_search_line(["Resources", name, "Properties", "BrokerNodeGroupInfo", "ConnectivityInfo", "PublicAccess", "Type"], []), } } diff --git a/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/query.rego b/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/query.rego index 6c4a7c1e66f..0bee4db4feb 100644 --- a/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/query.rego b/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/query.rego index 42018cee76b..7deb5ccc66d 100644 --- a/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resources := input.document[i].Resources[name] 
diff --git a/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/query.rego b/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/query.rego index ad3c8c0049a..031c515a360 100644 --- a/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/query.rego @@ -40,6 +40,6 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("Resources.%s.Properties.IamAuthEnabled should be set to true", [name]), "keyActualValue": sprintf("Resources.%s.Properties.IamAuthEnabled is undefined", [name]), - "searchLine": common_lib.build_search_line(path, [name,"Properties"]), + "searchLine": common_lib.build_search_line(path, [name, "Properties"]), } } diff --git a/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/query.rego b/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/query.rego index 6a6f2ad99ce..3c04936d374 100644 --- a/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { docs := input.document[i] 
@@ -15,7 +15,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties.DeletionProtection", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties.DeletionProtection", [cf_lib.getPath(path), name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Resources.%s.Properties.DeletionProtection should be set to true", [name]), "keyActualValue": sprintf("Resources.%s.Properties.DeletionProtection is set to false", [name]), @@ -34,7 +34,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("Resources.%s.Properties.DeletionProtection should be defined", [name]), "keyActualValue": sprintf("Resources.%s.Properties.DeletionProtection is undefined", [name]), diff --git a/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/query.rego b/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/query.rego index 142a0546b87..9bc29516ae6 100644 --- a/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { docs := input.document[i] 
@@ -15,7 +15,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties.MultiAZ", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties.MultiAZ", [cf_lib.getPath(path), name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("The RDS DBInstance '%s' should have Multi-Availability Zone enabled", [name]), "keyActualValue": sprintf("The RDS DBInstance '%s' has MultiAZ value set to false", [name]), @@ -34,7 +34,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("The RDS DBInstance '%s' should have Multi-Availability Zone enabled", [name]), "keyActualValue": sprintf("The RDS DBInstance '%s' MultiAZ property is undefined and by default disabled", [name]), diff --git a/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/query.rego b/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/query.rego index bc97a2f37c9..00d6aa2cb70 100644 --- a/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/query.rego b/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/query.rego index d67633988ae..fb964025285 100644 
--- a/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/query.rego +++ b/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/redshift_not_encrypted/query.rego b/assets/queries/cloudFormation/aws/redshift_not_encrypted/query.rego index 183b4fb9931..75375f3a18a 100644 --- a/assets/queries/cloudFormation/aws/redshift_not_encrypted/query.rego +++ b/assets/queries/cloudFormation/aws/redshift_not_encrypted/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/redshift_publicly_accessible/query.rego b/assets/queries/cloudFormation/aws/redshift_publicly_accessible/query.rego index 4a87946f364..0cbfa8a4622 100644 --- a/assets/queries/cloudFormation/aws/redshift_publicly_accessible/query.rego +++ b/assets/queries/cloudFormation/aws/redshift_publicly_accessible/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/redshift_using_default_port/query.rego b/assets/queries/cloudFormation/aws/redshift_using_default_port/query.rego index 693b15c92c2..1ed7dd1cd2e 100644 --- a/assets/queries/cloudFormation/aws/redshift_using_default_port/query.rego +++ b/assets/queries/cloudFormation/aws/redshift_using_default_port/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/query.rego b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/query.rego index 34f8cd3093a..439a099fbdb 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/query.rego +++ b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resourceBucket := input.document[indexBucket].Resources[nameBucket] @@ -31,7 +31,7 @@ CxPolicy[result] { } } -check_ref(obj, bucketResource , logicName) { +check_ref(obj, bucketResource, logicName) { obj.Ref == logicName } else { obj == logicName diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/query.rego b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/query.rego index 622fa627b01..fc36589522e 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/query.rego +++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/query.rego 
@@ -14,7 +14,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties.AccessControl", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties.AccessControl", [cf_lib.getPath(path), name]), "issueType": "IncorrectValue", "keyExpectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", "keyActualValue": sprintf("S3 bucket named '%s' has ACL set to '%s'", [object.get(resource.Properties, "BucketName", "undefined"), properties.AccessControl]), diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/query.rego b/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/query.rego index ff17c199019..52797630c88 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/query.rego +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/query.rego @@ -1,14 +1,14 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] resource.Type == "AWS::S3::Bucket" Properties := resource.Properties - not common_lib.valid_key(Properties, "PublicAccessBlockConfiguration") + not common_lib.valid_key(Properties, "PublicAccessBlockConfiguration") result := { "documentId": input.document[i].id, @@ -27,7 +27,7 @@ CxPolicy[result] { resource.Type == "AWS::S3::Bucket" PublicAccessBlockConfiguration := resource.Properties.PublicAccessBlockConfiguration - not common_lib.valid_key(PublicAccessBlockConfiguration, "BlockPublicAcls") + not common_lib.valid_key(PublicAccessBlockConfiguration, "BlockPublicAcls") result := { "documentId": input.document[i].id, 
@@ -46,7 +46,7 @@ CxPolicy[result] { resource.Type == "AWS::S3::Bucket" PublicAccessBlockConfiguration := resource.Properties.PublicAccessBlockConfiguration - PublicAccessBlockConfiguration.BlockPublicAcls == false + PublicAccessBlockConfiguration.BlockPublicAcls == false result := { "documentId": input.document[i].id, diff --git a/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/query.rego b/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/query.rego index e1f10b35792..e5e4eb75672 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { docs := input.document[i] @@ -23,7 +23,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("S3 bucket '%s' should have logging enabled", [name]), "keyActualValue": sprintf("S3 bucket '%s' doesn't have logging enabled", [name]), diff --git a/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/query.rego b/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/query.rego index 3cb708c2cda..2c71aade551 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/query.rego +++ b/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { docs := input.document[i] @@ -15,7 +15,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s", [cf_lib.getPath(path), name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'Resources.%s.Properties.BucketName' or 'Resources.[%s]' should be associated with an 'AWS::S3::BucketPolicy'", [name, name]), "keyActualValue": sprintf("'Resources.%s.Properties.BucketName' or 'Resources.[%s]' is not associated with an 'AWS::S3::BucketPolicy'", [name, name]), @@ -23,14 +23,12 @@ CxPolicy[result] { } } - match(bucketResource, resourceName, bucketAssociated) { bucketAssociated == resourceName } else { bucketAssociated == bucketResource.Properties.BucketName } - has_bucket_policy(bucketResource, resourceName) { docs := input.document[_] [path, Resources] := walk(docs) @@ -39,5 +37,4 @@ has_bucket_policy(bucketResource, resourceName) { bucketAssociated := cf_lib.getBucketName(resource) match(bucketResource, resourceName, bucketAssociated) - } diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/query.rego b/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/query.rego index 5e168f28eec..e01b744e5b0 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/query.rego +++ b/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/query.rego 
@@ -1,14 +1,14 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] resource.Type == "AWS::S3::Bucket" Properties := resource.Properties - not common_lib.valid_key(Properties, "PublicAccessBlockConfiguration") + not common_lib.valid_key(Properties, "PublicAccessBlockConfiguration") result := { "documentId": input.document[i].id, @@ -27,7 +27,7 @@ CxPolicy[result] { resource.Type == "AWS::S3::Bucket" PublicAccessBlockConfiguration := resource.Properties.PublicAccessBlockConfiguration - not common_lib.valid_key(PublicAccessBlockConfiguration, "BlockPublicPolicy") + not common_lib.valid_key(PublicAccessBlockConfiguration, "BlockPublicPolicy") result := { "documentId": input.document[i].id, @@ -46,7 +46,7 @@ CxPolicy[result] { resource.Type == "AWS::S3::Bucket" PublicAccessBlockConfiguration := resource.Properties.PublicAccessBlockConfiguration - PublicAccessBlockConfiguration.BlockPublicPolicy == false + PublicAccessBlockConfiguration.BlockPublicPolicy == false result := { "documentId": input.document[i].id, diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/query.rego b/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/query.rego index aa3510e8f5d..4e4cede2575 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/query.rego +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/query.rego 
@@ -1,14 +1,14 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] resource.Type == "AWS::S3::Bucket" Properties := resource.Properties - not common_lib.valid_key(Properties, "PublicAccessBlockConfiguration") + not common_lib.valid_key(Properties, "PublicAccessBlockConfiguration") result := { "documentId": input.document[i].id, @@ -27,7 +27,7 @@ CxPolicy[result] { resource.Type == "AWS::S3::Bucket" PublicAccessBlockConfiguration := resource.Properties.PublicAccessBlockConfiguration - not common_lib.valid_key(PublicAccessBlockConfiguration, "IgnorePublicAcls") + not common_lib.valid_key(PublicAccessBlockConfiguration, "IgnorePublicAcls") result := { "documentId": input.document[i].id, @@ -46,7 +46,7 @@ CxPolicy[result] { resource.Type == "AWS::S3::Bucket" PublicAccessBlockConfiguration := resource.Properties.PublicAccessBlockConfiguration - PublicAccessBlockConfiguration.IgnorePublicAcls == false + PublicAccessBlockConfiguration.IgnorePublicAcls == false result := { "documentId": input.document[i].id, diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/query.rego b/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/query.rego index 45fabc84cff..c93981e85d1 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/query.rego +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/query.rego 
@@ -1,14 +1,14 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] resource.Type == "AWS::S3::Bucket" Properties := resource.Properties - not common_lib.valid_key(Properties, "PublicAccessBlockConfiguration") + not common_lib.valid_key(Properties, "PublicAccessBlockConfiguration") result := { "documentId": input.document[i].id, @@ -27,7 +27,7 @@ CxPolicy[result] { resource.Type == "AWS::S3::Bucket" PublicAccessBlockConfiguration := resource.Properties.PublicAccessBlockConfiguration - not common_lib.valid_key(PublicAccessBlockConfiguration, "RestrictPublicBuckets") + not common_lib.valid_key(PublicAccessBlockConfiguration, "RestrictPublicBuckets") result := { "documentId": input.document[i].id, @@ -46,7 +46,7 @@ CxPolicy[result] { resource.Type == "AWS::S3::Bucket" PublicAccessBlockConfiguration := resource.Properties.PublicAccessBlockConfiguration - PublicAccessBlockConfiguration.RestrictPublicBuckets == false + PublicAccessBlockConfiguration.RestrictPublicBuckets == false result := { "documentId": input.document[i].id, diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/query.rego b/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/query.rego index 62ff067508c..3584d759154 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/query.rego +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/query.rego @@ -86,13 +86,15 @@ isValidSslPolicyStatement(stmt) { action := st.Action[i] isUnsafeAction(action) equalsFalse(st.Condition.Bool["aws:SecureTransport"]) -} +} + else { is_object(stmt) stmt.Effect == "Deny" isUnsafeAction(stmt.Action) equalsFalse(stmt.Condition.Bool["aws:SecureTransport"]) } + else { is_array(stmt) st := stmt[s] 
@@ -107,7 +109,8 @@ else { action := st.Action[i] isUnsafeAction(action) not equalsFalse(st.Condition.Bool["aws:SecureTransport"]) -} +} + else { is_object(stmt) stmt.Effect == "Allow" diff --git a/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/query.rego b/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/query.rego index 1486221d607..9a0415eb205 100644 --- a/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/query.rego +++ b/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/query.rego @@ -14,10 +14,10 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'Resources.%s.Properties.WebsiteConfiguration' should not be defined", [name]), "keyActualValue": sprintf("'Resources.%s.Properties.WebsiteConfiguration' is defined", [name]), - "searchLine": common_lib.build_search_line(path,[name, "Properties", "WebsiteConfiguration"]), + "searchLine": common_lib.build_search_line(path, [name, "Properties", "WebsiteConfiguration"]), } } diff --git a/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/query.rego b/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/query.rego index b2f90cce7e0..87a93a64470 100644 --- a/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] 
diff --git a/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/query.rego b/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/query.rego index 02bd6bcbf72..0e5c99d9124 100644 --- a/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/query.rego +++ b/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/query.rego b/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/query.rego index 138bfef32a4..289ea0b701c 100644 --- a/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/query.rego +++ b/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document diff --git a/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/query.rego b/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/query.rego index 6bfac628dbd..bee6d4bfce0 100644 --- a/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/query.rego +++ b/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].Resources[name] 
diff --git a/assets/queries/cloudFormation/aws/secure_ciphers_disabled/query.rego b/assets/queries/cloudFormation/aws/secure_ciphers_disabled/query.rego index f4091549fe7..dbaa747e461 100644 --- a/assets/queries/cloudFormation/aws/secure_ciphers_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/secure_ciphers_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as commonLib import data.generic.cloudformation as cf_lib +import data.generic.common as commonLib CxPolicy[result] { resource := input.document[i].Resources[name] diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/query.rego b/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/query.rego index 2cf75dc1a0a..1b65ef56215 100644 --- a/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/query.rego +++ b/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/query.rego @@ -16,7 +16,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties.IpProtocol", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties.IpProtocol", [cf_lib.getPath(path), name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Resources.%s.Properties.IpProtocol should not be set to -1", [name]), "keyActualValue": sprintf("Resources.%s.Properties.IpProtocol is set to -1", [name]), 
@@ -37,7 +37,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties.SecurityGroupIngress.IpProtocol", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties.SecurityGroupIngress.IpProtocol", [cf_lib.getPath(path), name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Resources.%s.Properties.SecurityGroupIngress[%d].IpProtocol should not be set to -1", [name, index]), "keyActualValue": sprintf("Resources.%s.Properties.SecurityGroupIngress[%d].IpProtocol is set to -1", [name, index]), diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/query.rego b/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/query.rego index b61bcae4594..5f522289201 100644 --- a/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/query.rego +++ b/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/query.rego @@ -16,7 +16,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Resources.%s.Properties.FromPort should equal to Resources.%s.Properties.ToPort", [name, name]), "keyActualValue": sprintf("Resources.%s.Properties.FromPort is not equal to Resources.%s.Properties.ToPort", [name, name]), 
@@ -37,7 +37,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties.SecurityGroupIngress", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties.SecurityGroupIngress", [cf_lib.getPath(path), name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Resources.%s.Properties.SecurityGroupIngress[%d].FromPort should equal to Resources.%s.Properties.SecurityGroupIngress[%d].ToPort", [name, index, name, index]), "keyActualValue": sprintf("Resources.%s.Properties.SecurityGroupIngress[%d].FromPort is not equal to Resources.%s.Properties.SecurityGroupIngress[%d].ToPort", [name, index, name, index]), diff --git a/assets/queries/cloudFormation/aws/security_group_rule_without_description/query.rego b/assets/queries/cloudFormation/aws/security_group_rule_without_description/query.rego index 1b375784a2c..1321a60f443 100644 --- a/assets/queries/cloudFormation/aws/security_group_rule_without_description/query.rego +++ b/assets/queries/cloudFormation/aws/security_group_rule_without_description/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { docs := input.document[i] @@ -15,7 +15,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("Resources.%s.Properties.GroupDescription should be set", [name]), "keyActualValue": sprintf("Resources.%s.Properties.GroupDescription is undefined", [name]), 
@@ -36,7 +36,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties.%s", [cf_lib.getPath(path),name, properties[index]]), + "searchKey": sprintf("%s%s.Properties.%s", [cf_lib.getPath(path), name, properties[index]]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("Resources.%s.Properties.%s[%d].Description should be set", [name, properties[index], j]), "keyActualValue": sprintf("Resources.%s.Properties.%s[%d].Description is undefined", [name, properties[index], j]), @@ -57,7 +57,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path),name]), + "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("Resources.%s.Properties.Description should be set", [name]), "keyActualValue": sprintf("Resources.%s.Properties.Description is undefined", [name]), diff --git a/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/query.rego b/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/query.rego index de60938cdf7..fe2e4cbe6c8 100644 --- a/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/query.rego +++ b/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/query.rego 
@@ -14,7 +14,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.Type,
 "resourceName": cf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("%s%s.Properties.SecurityGroupIngress", [cf_lib.getPath(path),name]),
+ "searchKey": sprintf("%s%s.Properties.SecurityGroupIngress", [cf_lib.getPath(path), name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("None of the Resources.%s.Properties.SecurityGroupIngress should have port %d", [name, port]),
 "keyActualValue": sprintf("One of the Resources.%s.Properties.SecurityGroupIngress has port %d", [name, port]),
diff --git a/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/query.rego b/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/query.rego
index da33ad06fdf..cca8bb06abb 100644
--- a/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/query.rego
+++ b/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/query.rego
@@ -1,14 +1,15 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
+import future.keywords.in
 resources := {
 "AWS::CloudFront::Distribution",
 "AWS::ElasticLoadBalancing::LoadBalancer",
 "AWS::GlobalAccelerator::Accelerator",
 "AWS::EC2::EIP",
- "AWS::Route53::HostedZone"
+ "AWS::Route53::HostedZone",
 }
 CxPolicy[result] {
@@ -34,5 +35,5 @@ has_shield_advanced(resource) {
 shield.Type == "AWS::FMS::Policy"
 shield.Properties.SecurityServicePolicyData.Type == "SHIELD_ADVANCED"
- shield.Properties.ResourceTypeList[_] == resource
+ resource in shield.Properties.ResourceTypeList
 }
diff --git a/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/query.rego b/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/query.rego
index 7bbb9c753d3..9236ee256a0 100644
--- a/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/query.rego
+++ b/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 resource := input.document[i].Resources[name]
diff --git a/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/query.rego b/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/query.rego
index 76d30875a3a..16a1b612836 100644
--- a/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/query.rego
+++ b/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 resource := input.document[i].Resources[name]
diff --git a/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/query.rego b/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/query.rego
index 1c5e1e094d8..1941f9596e4 100644
--- a/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/query.rego
+++ b/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 resource := input.document[i].Resources[name]
diff --git a/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/query.rego b/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/query.rego
index 547ace44bce..70da9ee1f99 100644
--- a/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/query.rego
+++ b/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 document := input.document[i]
@@ -49,7 +49,7 @@ has_wildcard_principal(p) {
 }
 has_star_or_star_after_colon(str) {
- regex.match("^(\\w*:)*\\*$", str)
+ regex.match(`(\w*:)*\*$`, str)
 }
 has_dangerous_action(action) = result {
diff --git a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/query.rego b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/query.rego
index 9da8afcb7c6..85f8d8649ab 100644
--- a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/query.rego
+++ b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/query.rego
@@ -11,7 +11,7 @@ CxPolicy[result] {
 not common_lib.valid_key(resource.Properties, "KmsMasterKeyId")
 SqsManagedSseNotEnabled(resource.Properties)
-
+
 result := {
 "documentId": input.document[i].id,
 "resourceType": resource.Type,
diff --git a/assets/queries/cloudFormation/aws/stack_notifications_disabled/query.rego b/assets/queries/cloudFormation/aws/stack_notifications_disabled/query.rego
index 0afcccef0f9..e633acbb426 100644
--- a/assets/queries/cloudFormation/aws/stack_notifications_disabled/query.rego
+++ b/assets/queries/cloudFormation/aws/stack_notifications_disabled/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 resource := input.document[i].Resources[name]
diff --git a/assets/queries/cloudFormation/aws/stack_retention_disabled/query.rego b/assets/queries/cloudFormation/aws/stack_retention_disabled/query.rego
index 42b9ee932c1..76d8d8746ef 100644
--- a/assets/queries/cloudFormation/aws/stack_retention_disabled/query.rego
+++ b/assets/queries/cloudFormation/aws/stack_retention_disabled/query.rego
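Review bot: The rewritten pattern in `has_star_or_star_after_colon` lost its start anchor: the old `"^(\\w*:)*\\*$"` only accepted principals built entirely of `\w*:` segments followed by a final `*`, whereas the new raw string `(\w*:)*\*$` can match with zero repetitions of the group, so any principal string that merely ends in `*` now satisfies it (as far as I know regex.match is not implicitly anchored at the start). That widens what the enclosing `has_wildcard_principal` classifies as a wildcard principal, which looks accidental in a formatting-only commit and should be confirmed against the query's test cases. Keep the anchor inside the raw string so the pattern reads `^(\w*:)*\*$`. The `has_wildcard_principal` rule itself starts before this hunk.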
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 resource := input.document[i].Resources[name]
@@ -26,7 +26,7 @@ CxPolicy[result] {
 common_lib.valid_key(resource.Properties, "AutoDeployment")
- autoDeployment := resource.Properties.AutoDeployment
+ autoDeployment := resource.Properties.AutoDeployment
 not common_lib.valid_key(autoDeployment, "Enabled")
 result := {
@@ -44,9 +44,9 @@ CxPolicy[result] {
 resource := input.document[i].Resources[name]
 resource.Type == "AWS::CloudFormation::StackSet"
- autoDeployment := resource.Properties.AutoDeployment
+ autoDeployment := resource.Properties.AutoDeployment
- autoDeployment.Enabled == false
+ autoDeployment.Enabled == false
 result := {
 "documentId": input.document[i].id,
@@ -62,9 +62,9 @@ CxPolicy[result] {
 CxPolicy[result] {
 resource := input.document[i].Resources[name]
 resource.Type == "AWS::CloudFormation::StackSet"
- autoDeployment := resource.Properties.AutoDeployment
+ autoDeployment := resource.Properties.AutoDeployment
- autoDeployment.Enabled
+ autoDeployment.Enabled
 not common_lib.valid_key(autoDeployment, "RetainStacksOnAccountRemoval")
 result := {
@@ -81,11 +81,11 @@ CxPolicy[result] {
 CxPolicy[result] {
 resource := input.document[i].Resources[name]
 resource.Type == "AWS::CloudFormation::StackSet"
- autoDeployment := resource.Properties.AutoDeployment
+ autoDeployment := resource.Properties.AutoDeployment
- autoDeployment.Enabled
+ autoDeployment.Enabled
- autoDeployment.RetainStacksOnAccountRemoval == false
+ autoDeployment.RetainStacksOnAccountRemoval == false
 result := {
 "documentId": input.document[i].id,
@@ -97,4 +97,3 @@ CxPolicy[result] {
 "keyActualValue": sprintf("Resources.%s.Properties.AutoDeployment.RetainStacksOnAccountRemoval is false", [name]),
 }
 }
-
diff --git a/assets/queries/cloudFormation/aws/support_has_no_role_associated/query.rego b/assets/queries/cloudFormation/aws/support_has_no_role_associated/query.rego
index 67e217771f9..549226a3dc1 100644
--- a/assets/queries/cloudFormation/aws/support_has_no_role_associated/query.rego
+++ b/assets/queries/cloudFormation/aws/support_has_no_role_associated/query.rego
@@ -58,6 +58,4 @@ CxPolicy[result] {
 hasAttributeList(resource, attribute) {
 count(resource[attribute]) > 0
-} else = false {
- true
-}
+} else = false
diff --git a/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/query.rego b/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/query.rego
index c4823e64a9b..4aa55029b52 100644
--- a/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/query.rego
+++ b/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 resource := input.document[i].Resources[name]
diff --git a/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/query.rego b/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/query.rego
index e933c51aba7..4191afc7a92 100644
--- a/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/query.rego
+++ b/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as commonLib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as commonLib
 CxPolicy[result] {
 resource := input.document[i].Resources[name]
diff --git a/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/query.rego b/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/query.rego
index 2600cdd077f..82d85846755 100644
--- a/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/query.rego
+++ b/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/query.rego
@@ -17,7 +17,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.Type,
 "resourceName": cf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("%s%s.Properties.CidrIp", [cf_lib.getPath(path),name]),
+ "searchKey": sprintf("%s%s.Properties.CidrIp", [cf_lib.getPath(path), name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("Resources.%s.Properties.CidrIp should not be open to the world (0.0.0.0/0)", [name]),
 "keyActualValue": sprintf("Resources.%s.Properties.CidrIp is open to the world (0.0.0.0/0)", [name]),
@@ -38,7 +38,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.Type,
 "resourceName": cf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("%s%s.Properties.CidrIpv6", [cf_lib.getPath(path),name]),
+ "searchKey": sprintf("%s%s.Properties.CidrIpv6", [cf_lib.getPath(path), name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("Resources.%s.Properties.CidrIpv6 should not be open to the world (::/0)", [name]),
 "keyActualValue": sprintf("Resources.%s.Properties.CidrIpv6 is open to the world (::/0)", [name]),
@@ -59,7 +59,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.Type,
 "resourceName": cf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("%s%s.Properties.SecurityGroupIngress", [cf_lib.getPath(path),name]),
+ "searchKey": sprintf("%s%s.Properties.SecurityGroupIngress", [cf_lib.getPath(path), name]),
 "searchLine": common_lib.build_search_line(["Resources", name, "Properties", "SecurityGroupIngress", index, "CidrIp"], []),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("Resources.%s.Properties.SecurityGroupIngress[%d].CidrIp should not be open to the world (0.0.0.0/0)", [name, index]),
@@ -81,10 +81,10 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.Type,
 "resourceName": cf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("%s%s.Properties.SecurityGroupIngress[%d].CidrIpv6", [cf_lib.getPath(path),name, index]),
+ "searchKey": sprintf("%s%s.Properties.SecurityGroupIngress[%d].CidrIpv6", [cf_lib.getPath(path), name, index]),
 "searchLine": common_lib.build_search_line(["Resources", name, "Properties", "SecurityGroupIngress", index, "CidrIpv6"], []),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("Resources.%s.Properties.SecurityGroupIngress[%d].CidrIpv6 should not be open to the world (::/0)", [name, index]),
 "keyActualValue": sprintf("Resources.%s.Properties.SecurityGroupIngress[%d].CidrIpv6 is open to the world (::/0)", [name, index]),
 }
-}
\ No newline at end of file
+}
diff --git a/assets/queries/cloudFormation/aws/unscanned_ecr_image/query.rego b/assets/queries/cloudFormation/aws/unscanned_ecr_image/query.rego
index 0d87fd26003..6e4699f81ed 100644
--- a/assets/queries/cloudFormation/aws/unscanned_ecr_image/query.rego
+++ b/assets/queries/cloudFormation/aws/unscanned_ecr_image/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 resource := input.document[i].Resources[name]
diff --git a/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/query.rego b/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/query.rego
index dac8072d399..898ef8164b2 100644
--- a/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/query.rego
+++ b/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/query.rego
@@ -8,7 +8,7 @@ CxPolicy[result] {
 prop := resource.Properties
 userData := prop.UserData
- contains(userData,"LS0tLS1CR")
+ contains(userData, "LS0tLS1CR")
 result := {
 "documentId": input.document[i].id,
diff --git a/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/query.rego b/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/query.rego
index 9b931c16023..7c4bc05033a 100644
--- a/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/query.rego
+++ b/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 resource := input.document[i].Resources[name]
diff --git a/assets/queries/cloudFormation/aws/workspace_without_encryption/query.rego b/assets/queries/cloudFormation/aws/workspace_without_encryption/query.rego
index 8a8d0493e9a..a8d8a0fc0bb 100644
--- a/assets/queries/cloudFormation/aws/workspace_without_encryption/query.rego
+++ b/assets/queries/cloudFormation/aws/workspace_without_encryption/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 document := input.document[i]
diff --git a/assets/queries/cloudFormation/aws_bom/dynamo/query.rego b/assets/queries/cloudFormation/aws_bom/dynamo/query.rego
index de5bcea2534..72934516236 100644
--- a/assets/queries/cloudFormation/aws_bom/dynamo/query.rego
+++ b/assets/queries/cloudFormation/aws_bom/dynamo/query.rego
@@ -32,20 +32,21 @@ CxPolicy[result] {
 }
 }
-get_accessibility(resource) = info{
- info:= check_vpc_endpoint(resource)
+get_accessibility(resource) = info {
+ info := check_vpc_endpoint(resource)
 } else = info {
- info := {"accessibility":"private", "policy": ""}
+ info := {"accessibility": "private", "policy": ""}
 }
-check_vpc_endpoint(resource) = info{
- values := [x |
+check_vpc_endpoint(resource) = info {
+ values := [x |
 vpc_endpoint := input.document[_].Resources[_]
 vpc_endpoint.Type == "AWS::EC2::VPCEndpoint"
 policy_doc := vpc_endpoint.Properties.PolicyDocument
- x := policy_accessibility(policy_doc, resource.Properties.TableName)]
+ x := policy_accessibility(policy_doc, resource.Properties.TableName)
+ ]
- info := get_info(values)
+ info := get_info(values)
 }
 policy_accessibility(policy, table_name) = info {
@@ -59,12 +60,12 @@ policy_accessibility(policy, table_name) = info {
 resources_arn := get_resource_arn(statement.Resource)
 has_all_or_dynamob_arn(resources_arn, table_name)
- info := {"accessibility":"public", "policy": policy}
-} else = info {
+ info := {"accessibility": "public", "policy": policy}
+} else = info {
 common_lib.get_statement(policy)
- info := {"accessibility":"private", "policy": policy}
+ info := {"accessibility": "private", "policy": policy}
 } else = info {
- info := {"accessibility":"hasPolicy", "policy": policy}
+ info := {"accessibility": "hasPolicy", "policy": policy}
 }
 get_resource_arn(resources) = val {
@@ -74,20 +75,20 @@ get_resource_arn(resources) = val {
 val := resources
 }
-has_all_or_dynamob_arn(arn, table_name){
+has_all_or_dynamob_arn(arn, table_name) {
 arn == "*"
 } else {
 startswith(arn, "arn:aws:dynamodb:")
- suffix := concat( "", [":table/", table_name])
+ suffix := concat("", [":table/", table_name])
 endswith(arn, suffix)
 }
-get_encryption(resource) = encryption{
- sse := resource.Properties.SSESpecification
- sse.SSEEnabled == true
- encryption := "encrypted"
-} else = encryption{
- encryption := "unencrypted"
+get_encryption(resource) = encryption {
+ sse := resource.Properties.SSESpecification
+ sse.SSEEnabled == true
+ encryption := "encrypted"
+} else = encryption {
+ encryption := "unencrypted"
 }
 dynamo_actions := {
@@ -154,7 +155,7 @@ dynamo_actions := {
 "dynamodb:RestoreTableFromBackup",
 "dynamodb:DeleteBackup",
 "dynamodb:PartiQLDelete",
- "dynamodb:*"
+ "dynamodb:*",
 }
 check_actions(actions) {
@@ -163,9 +164,9 @@ check_actions(actions) {
 common_lib.equalsOrInArray(actions, "*")
 }
-get_info(info_arr)= info{
- val := [ x | info_arr[x].accessibility == "public" ]
+get_info(info_arr) = info {
+ val := [x | info_arr[x].accessibility == "public"]
 info := info_arr[val[0]]
-} else = info{
+} else = info {
 info := info_arr[0]
 }
diff --git a/assets/queries/cloudFormation/aws_bom/ebs/query.rego b/assets/queries/cloudFormation/aws_bom/ebs/query.rego
index f738fc6226b..ced685c2209 100644
--- a/assets/queries/cloudFormation/aws_bom/ebs/query.rego
+++ b/assets/queries/cloudFormation/aws_bom/ebs/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 document := input.document
diff --git a/assets/queries/cloudFormation/aws_bom/efs/query.rego b/assets/queries/cloudFormation/aws_bom/efs/query.rego
index afec36fc95f..5e06aec9b24 100644
--- a/assets/queries/cloudFormation/aws_bom/efs/query.rego
+++ b/assets/queries/cloudFormation/aws_bom/efs/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 document := input.document
diff --git a/assets/queries/cloudFormation/aws_bom/elasticache/query.rego b/assets/queries/cloudFormation/aws_bom/elasticache/query.rego
index a5fc4164f26..350b82f67b4 100644
--- a/assets/queries/cloudFormation/aws_bom/elasticache/query.rego
+++ b/assets/queries/cloudFormation/aws_bom/elasticache/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 document := input.document
@@ -32,14 +32,16 @@ CxPolicy[result] {
 get_accessibility(elasticache) = accessibility {
 count({
- x | securityGroupInfo := cf_lib.get_name(elasticache.Properties.CacheSecurityGroupNames[x]);
+ x |
+ securityGroupInfo := cf_lib.get_name(elasticache.Properties.CacheSecurityGroupNames[x])
 is_unrestricted(securityGroupInfo)
 }) > 0
 accessibility := "at least one security group associated with the elasticache is unrestricted"
 } else = accessibility {
 count({
- x | securityGroupInfo := cf_lib.get_name(elasticache.Properties.CacheSecurityGroupNames[x]);
+ x |
+ securityGroupInfo := cf_lib.get_name(elasticache.Properties.CacheSecurityGroupNames[x])
 not is_unrestricted(securityGroupInfo)
 }) == count(elasticache.Properties.CacheSecurityGroupNames)
@@ -51,7 +53,7 @@ get_accessibility(elasticache) = accessibility {
 is_unrestricted(securityGroupName) {
 document := input.document
 ingress := document[j].Resources[_]
- ingress.Type == "AWS::ElastiCache::SecurityGroupIngress"
+ ingress.Type == "AWS::ElastiCache::SecurityGroupIngress"
 securityElastiCacheGroupName := cf_lib.get_name(ingress.Properties.CacheSecurityGroupName)
@@ -69,5 +71,3 @@ unrestricted_cidr(ec2SecurityGroup) {
 options := {"0.0.0.0/0", "::/0"}
 ec2SecurityGroup.Properties.SecurityGroupIngress[j].CidrIp == options[_]
 }
-
-
diff --git a/assets/queries/cloudFormation/aws_bom/kinesis/query.rego b/assets/queries/cloudFormation/aws_bom/kinesis/query.rego
index a69918a4ad0..46721d53294 100644
--- a/assets/queries/cloudFormation/aws_bom/kinesis/query.rego
+++ b/assets/queries/cloudFormation/aws_bom/kinesis/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 document := input.document
diff --git a/assets/queries/cloudFormation/aws_bom/mq/query.rego b/assets/queries/cloudFormation/aws_bom/mq/query.rego
index 221bce8ffe5..7110f4be730 100644
--- a/assets/queries/cloudFormation/aws_bom/mq/query.rego
+++ b/assets/queries/cloudFormation/aws_bom/mq/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 document := input.document
diff --git a/assets/queries/cloudFormation/aws_bom/msk/query.rego b/assets/queries/cloudFormation/aws_bom/msk/query.rego
index 127d823af48..02d4ac289f1 100644
--- a/assets/queries/cloudFormation/aws_bom/msk/query.rego
+++ b/assets/queries/cloudFormation/aws_bom/msk/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 document := input.document
diff --git a/assets/queries/cloudFormation/aws_bom/rds/query.rego b/assets/queries/cloudFormation/aws_bom/rds/query.rego
index b8c23231ae9..5ee7a40ced9 100644
--- a/assets/queries/cloudFormation/aws_bom/rds/query.rego
+++ b/assets/queries/cloudFormation/aws_bom/rds/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 document := input.document
@@ -33,27 +33,27 @@ CxPolicy[result] {
 }
 }
-## get accessibility functions
-get_resource_accessibility(resource) = accessibility{
- resource.Properties.PubliclyAccessible == true
- accessibility:= "public"
-} else = accessibility{
- resource.Properties.PubliclyAccessible == false
- accessibility:= "private"
-} else = accessibility{
- not common_lib.valid_key(resource,"PubliclyAccessible")
- subnet_gp_name := resource.Properties.DBSubnetGroupName
+# get accessibility functions
+get_resource_accessibility(resource) = accessibility {
+ resource.Properties.PubliclyAccessible == true
+ accessibility := "public"
+} else = accessibility {
+ resource.Properties.PubliclyAccessible == false
+ accessibility := "private"
+} else = accessibility {
+ not common_lib.valid_key(resource, "PubliclyAccessible")
+ subnet_gp_name := resource.Properties.DBSubnetGroupName
 has_vpc_gateway_attached(subnet_gp_name)
- accessibility:= "public"
-} else = accessibility{
- not common_lib.valid_key(resource.Properties,"PubliclyAccessible")
- common_lib.valid_key(resource.Properties, "DBSubnetGroupName")
- accessibility:= "private"
-} else = accessibility{
- accessibility:= "unknown"
+ accessibility := "public"
+} else = accessibility {
+ not common_lib.valid_key(resource.Properties, "PubliclyAccessible")
+ common_lib.valid_key(resource.Properties, "DBSubnetGroupName")
+ accessibility := "private"
+} else = accessibility {
+ accessibility := "unknown"
 }
-has_vpc_gateway_attached(subnet_gp_name){
+has_vpc_gateway_attached(subnet_gp_name) {
 res_subnet_gp := input.document[_].Resources[subnet_gp_name]
 res_subnet_gp.Type == "AWS::RDS::DBSubnetGroup"
 subnet_name := res_subnet_gp.Properties.SubnetIds[_].Ref
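Review bot: In `get_resource_accessibility`, the third branch now reads `not common_lib.valid_key(resource, "PubliclyAccessible")` while the fourth branch checks `resource.Properties`; PubliclyAccessible is a property, so the check against the resource object itself presumably always succeeds and the guard is a no-op. The practical effect is that an instance whose PubliclyAccessible is set to something other than literal true or false (for example a Ref to a parameter) is classified "public" via the subnet-group path instead of falling through to "unknown". Since the line was rewritten anyway, make it `not common_lib.valid_key(resource.Properties, "PubliclyAccessible")` to match its sibling branch. `has_vpc_gateway_attached` continues past the end of this hunk.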
@@ -61,90 +61,90 @@ has_vpc_gateway_attached(subnet_gp_name){
 res_subnet := input.document[_].Resources[subnet_name]
 res_subnet.Type == "AWS::EC2::Subnet"
 vpc_name := res_subnet.Properties.VpcId.Ref
-
+
 res_vpc_gateway := input.document[_].Resources[_]
 res_vpc_gateway.Type == "AWS::EC2::VPCGatewayAttachment"
- res_vpc_gateway.Properties.VpcId == vpc_name
+ res_vpc_gateway.Properties.VpcId == vpc_name
 }
-## get encryption functions
-get_db_instance_encryption(resource) = encryption{
+# get encryption functions
+get_db_instance_encryption(resource) = encryption {
 engine := lower(resource.Properties.Engine)
 not contains(engine, "aurora")
 encryption := get_enc_for_not_aurora(resource)
-} else = encryption{
+} else = encryption {
 engine := lower(resource.Properties.Engine)
 contains(engine, "aurora")
 encryption := get_enc_for_aurora(resource)
 }
-# get encytion for instances with engines that are not aurora
-get_enc_for_not_aurora(resource) = encryption{
+# get encytion for instances with engines that are not aurora
+get_enc_for_not_aurora(resource) = encryption {
 resource.Properties.StorageEncrypted == true
 encryption := "encrypted"
-} else = encryption{
+} else = encryption {
 resource.Properties.StorageEncrypted == false
 encryption := "unencrypted"
-} else = encryption{
+} else = encryption {
 not common_lib.valid_key(resource.Properties, "StorageEncrypted")
 dbInstanceIdentifier := cf_lib.get_name(resource.Properties.SourceDBInstanceIdentifier)
 res_subnet_gp := input.document[_].Resources[dbInstanceIdentifier]
- res_subnet_gp.Type == "AWS::RDS::DBInstance"
+ res_subnet_gp.Type == "AWS::RDS::DBInstance"
 encryption := get_encryption(res_subnet_gp)
-} else = encryption{
+} else = encryption {
 not common_lib.valid_key(resource.Properties, "StorageEncrypted")
 dbInstanceIdentifier := cf_lib.get_name(resource.Properties.SnapshotIdentifier)
 res_subnet_gp := input.document[_].Resources[dbInstanceIdentifier]
- res_subnet_gp.Type == "AWS::RDS::DBInstance"
+ res_subnet_gp.Type == "AWS::RDS::DBInstance"
 encryption := get_encryption(res_subnet_gp)
-} else = encryption{
+} else = encryption {
 encryption := "unencrypted"
-}
+}
-get_encryption(resource) = encryption{
+get_encryption(resource) = encryption {
 resource.Properties.StorageEncrypted == true
 encryption := "encrypted"
-} else = encryption{
+} else = encryption {
 encryption := "unencrypted"
 }
-#get encytion for instances with aurora engines
-get_enc_for_aurora(resource) = encryption{
+# get encytion for instances with aurora engines
+get_enc_for_aurora(resource) = encryption {
 cluster_name := resource.Properties.DBClusterIdentifier
 cluster := input.document[_].Resources[cluster_name]
 cluster.Type == "AWS::RDS::DBCluster"
-
+
 encryption := get_cluster_enc(cluster)
 }
 # get encytion for for the cluster
-get_cluster_enc(resource)= encryption{
+get_cluster_enc(resource) = encryption {
 resource.Properties.StorageEncrypted == true
 encryption := "encrypted"
-} else = encryption{
+} else = encryption {
 resource.Properties.StorageEncrypted == false
 encryption := "unencrypted"
-} else = encryption{
+} else = encryption {
 not common_lib.valid_key(resource.Properties, "SourceDBClusterIdentifier ")
 dbClusterIdentifier := cf_lib.get_name(resource.Properties.SourceDBClusterIdentifier)
 dbCluster := input.document[_].Resources[dbClusterIdentifier]
- dbCluster.Type == "AWS::RDS::DBCluster"
+ dbCluster.Type == "AWS::RDS::DBCluster"
 encryption := get_encryption(dbCluster)
-} else = encryption{
+} else = encryption {
 not common_lib.valid_key(resource.Properties, "StorageEncrypted")
 dbClusterIdentifier := cf_lib.get_name(resource.Properties.SnapshotIdentifier)
 dbCluster := input.document[_].Resources[dbClusterIdentifier]
- dbCluster.Type == "AWS::RDS::DBCluster"
+ dbCluster.Type == "AWS::RDS::DBCluster"
 encryption := get_encryption(dbCluster)
-} else = encryption{
+} else = encryption {
 encryption := "unencrypted"
-}
+}
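Review bot: The third branch of `get_cluster_enc` guards on `not common_lib.valid_key(resource.Properties, "SourceDBClusterIdentifier ")` with a trailing space inside the key, so the lookup can never find the property and the guard is effectively a no-op; the parallel snapshot branch guards on `not common_lib.valid_key(resource.Properties, "StorageEncrypted")` and this one presumably should too, otherwise a cluster whose StorageEncrypted is set to a non-literal value could still be classified through its source cluster. The commit reformats the surrounding function but leaves that context line untouched. While the comment lines are being rewritten here, `encytion` in the three `# get encytion ...` comments should read `encryption`. As a naming point, `res_subnet_gp` in `get_enc_for_not_aurora` holds a DBInstance, not a subnet group, so a name like `src_instance` would describe it.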
diff --git a/assets/queries/cloudFormation/aws_bom/sns/query.rego b/assets/queries/cloudFormation/aws_bom/sns/query.rego
index 8bf59f8766d..91ba083e5a8 100644
--- a/assets/queries/cloudFormation/aws_bom/sns/query.rego
+++ b/assets/queries/cloudFormation/aws_bom/sns/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 document := input.document
diff --git a/assets/queries/cloudFormation/aws_bom/sqs/query.rego b/assets/queries/cloudFormation/aws_bom/sqs/query.rego
index b250aa33a7c..a511ad8f125 100644
--- a/assets/queries/cloudFormation/aws_bom/sqs/query.rego
+++ b/assets/queries/cloudFormation/aws_bom/sqs/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 document := input.document
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/query.rego b/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/query.rego
index e659bcfccde..fc4be5b0b03 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/query.rego
+++ b/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 info := {"AWS::Serverless::HttpApi": "AccessLogSettings", "AWS::Serverless::Api": "AccessLogSetting"}
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/query.rego b/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/query.rego
index 4777eabf4df..737fb12429c 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/query.rego
+++ b/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 document := input.document
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/query.rego b/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/query.rego
index dbae4567d29..7eb33a9a7fb 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/query.rego
+++ b/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/query.rego
@@ -1,7 +1,8 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
+import future.keywords.in
 CxPolicy[result] {
 resource := input.document[i].Resources[name]
@@ -60,5 +61,5 @@ CxPolicy[result] {
 }
 contains_private(types) {
- types[_] == "PRIVATE"
+ "PRIVATE" in types
 }
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/query.rego b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/query.rego
index 7365b716973..bd7e7a6e004 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/query.rego
+++ b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 document := input.document
@@ -43,7 +43,6 @@ CxPolicy[result] {
 }
 }
-
 unrecommended_minimum_compression_size(value) {
 value < 0
 } else {
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/query.rego b/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/query.rego
index 6cac6bb96ba..2e44c4b9935 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/query.rego
+++ b/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 document := input.document
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/query.rego b/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/query.rego
index a5fe83000a9..fc6bbc0d6b7 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/query.rego
+++ b/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 document := input.document[i]
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/query.rego b/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/query.rego
index d218fe71995..dc4470e6d12 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/query.rego
+++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 document := input.document[i]
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/query.rego b/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/query.rego index 7bcfcaf8210..6d151880ce2 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/query.rego +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/query.rego b/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/query.rego index 3d62f64c2a1..c1a806277f3 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/query.rego +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { resources := input.document[i].Resources @@ -20,6 +20,6 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Resource.%s.Properties.Role is only assigned to the function in question", [k]), "keyActualValue": sprintf("Resource.%s.Properties.Role is assigned to another funtion", [k]), - "searchLine": common_lib.build_search_line(["Resources", k, "Properties", "Role"], []), + "searchLine": common_lib.build_search_line(["Resources", k, "Properties", "Role"], []), } } diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/query.rego b/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/query.rego index 6e5d244b235..4cdbc152b8e 100644 
--- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/query.rego +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.common as common_lib import data.generic.cloudformation as cf_lib +import data.generic.common as common_lib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/crossplane/aws/cloudfront_logging_disabled/query.rego b/assets/queries/crossplane/aws/cloudfront_logging_disabled/query.rego index 63892b4a894..91a9f619dd3 100644 --- a/assets/queries/crossplane/aws/cloudfront_logging_disabled/query.rego +++ b/assets/queries/crossplane/aws/cloudfront_logging_disabled/query.rego @@ -61,7 +61,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.kind, "resourceName": cp_lib.getResourceName(resource), - "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.distributionConfig", [cp_lib.getPath(path),resource.metadata.name]), + "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.distributionConfig", [cp_lib.getPath(path), resource.metadata.name]), "issueType": "MissingAttribute", "keyExpectedValue": "CloudFront logging enabled attribute should be defined and set to true", "keyActualValue": "CloudFront logging is not defined", diff --git a/assets/queries/crossplane/aws/docdb_logging_disabled/query.rego b/assets/queries/crossplane/aws/docdb_logging_disabled/query.rego index 29ad1c61291..5abb6d051f0 100644 --- a/assets/queries/crossplane/aws/docdb_logging_disabled/query.rego +++ b/assets/queries/crossplane/aws/docdb_logging_disabled/query.rego @@ -27,12 +27,11 @@ CxPolicy[result] { } } - CxPolicy[result] { docs := input.document[i] [path, resource] := walk(docs) resource.kind == "DBCluster" - + spec := resource.spec provider := spec.forProvider logs := provider.enableCloudwatchLogsExports 
@@ -47,7 +46,7 @@ CxPolicy[result] { "resourceType": "DBCluster", "resourceName": resource.metadata.name, "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider.enableCloudwatchLogsExports", [cp_lib.getPath(path), resource.metadata.name]), - "searchLine": common_lib.build_search_line(path, ["spec", "forProvider","enableCloudwatchLogsExports"]), + "searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "enableCloudwatchLogsExports"]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("DBCluster.enableCloudwatchLogsExports should have all following values: %s", [validTypeConcat]), "keyActualValue": sprintf("DBCluster.enableCloudwatchLogsExports has the following missing values: %s", [concat(", ", missingTypes)]), diff --git a/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/query.rego b/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/query.rego index 11d70a56019..d4c3cac251d 100644 --- a/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/query.rego +++ b/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/query.rego @@ -45,7 +45,7 @@ CxPolicy[result] { } } -container_insights(settings){ +container_insights(settings) { settings[0].name == "containerInsights" settings[0].value == "enabled" -} \ No newline at end of file +} diff --git a/assets/queries/crossplane/aws/efs_not_encrypted/query.rego b/assets/queries/crossplane/aws/efs_not_encrypted/query.rego index b6f8ae34b57..abb168ece75 100644 --- a/assets/queries/crossplane/aws/efs_not_encrypted/query.rego +++ b/assets/queries/crossplane/aws/efs_not_encrypted/query.rego 
@@ -41,6 +41,6 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "encrypted should be set to true", "keyActualValue": "encrypted is set to false", - "searchLine": common_lib.build_search_line(path ,["spec", "forProvider","encrypted"]), + "searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "encrypted"]), } } diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego index 458553ce571..137fa5fa657 100644 --- a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego +++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego 
@@ -9,46 +9,46 @@ getForProvider(apiVersion, kind, name, docs) = forProvider { startswith(resource.apiVersion, apiVersion) resource.kind == kind resource.metadata.name == name - forProvider := resource.spec.forProvider + forProvider := resource.spec.forProvider } existsInternetGateway(dbSubnetGroupName) { - DBSGforProvider := getForProvider("database.aws.crossplane.io", "DBSubnetGroup", dbSubnetGroupName, input.document) - subnetIds := DBSGforProvider.subnetIds + DBSGforProvider := getForProvider("database.aws.crossplane.io", "DBSubnetGroup", dbSubnetGroupName, input.document) + subnetIds := DBSGforProvider.subnetIds - count(subnetIds) > 0 - subnetId := subnetIds[s] + count(subnetIds) > 0 + subnetId := subnetIds[s] - EC2SforProvider := getForProvider("ec2.aws.crossplane.io", "Subnet", subnetId, input.document) + EC2SforProvider := getForProvider("ec2.aws.crossplane.io", "Subnet", subnetId, input.document) - vpcId := EC2SforProvider.vpcId + vpcId := EC2SforProvider.vpcId - IGdocs := input.document[_] - [_, IGresource] := walk(IGdocs) + IGdocs := input.document[_] + [_, IGresource] := walk(IGdocs) startswith(IGresource.apiVersion, "network.aws.crossplane.io") - IGresource.kind == "InternetGateway" - - IGforProvider := IGresource.spec.forProvider - - common_lib.valid_key(IGforProvider, "vpcId") + IGresource.kind == "InternetGateway" + + IGforProvider := IGresource.spec.forProvider + + common_lib.valid_key(IGforProvider, "vpcId") vpcId == IGforProvider.vpcId -} +} CxPolicy[result] { - docs := input.document[i] + docs := input.document[i] [path, resource] := walk(docs) startswith(resource.apiVersion, "database.aws.crossplane.io") - resource.kind == "RDSInstance" - - forProvider := resource.spec.forProvider + resource.kind == "RDSInstance" + + forProvider := resource.spec.forProvider - not common_lib.valid_key(forProvider, "publiclyAccessible") - - dbSubnetGroupName := forProvider.dbSubnetGroupName - - existsInternetGateway(dbSubnetGroupName) == true + not 
common_lib.valid_key(forProvider, "publiclyAccessible") - result := { + dbSubnetGroupName := forProvider.dbSubnetGroupName + + existsInternetGateway(dbSubnetGroupName) == true + + result := { "documentId": input.document[i].id, "resourceType": resource.kind, "resourceName": cp_lib.getResourceName(resource), @@ -60,15 +60,15 @@ CxPolicy[result] { } CxPolicy[result] { - docs := input.document[i] + docs := input.document[i] [path, resource] := walk(docs) startswith(resource.apiVersion, "database.aws.crossplane.io") - resource.kind == "RDSInstance" - - forProvider := resource.spec.forProvider - forProvider.publiclyAccessible == true + resource.kind == "RDSInstance" - result := { + forProvider := resource.spec.forProvider + forProvider.publiclyAccessible == true + + result := { "documentId": input.document[i].id, "resourceType": resource.kind, "resourceName": cp_lib.getResourceName(resource), @@ -77,4 +77,4 @@ CxPolicy[result] { "keyExpectedValue": "publiclyAccessible should be set to false", "keyActualValue": "publiclyAccessible is set to true", } -} \ No newline at end of file +} diff --git a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/query.rego b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/query.rego index 12e392a875a..33dbadf565e 100644 --- a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/query.rego +++ b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/query.rego @@ -42,7 +42,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "autoRepair should be defined and set to true", "keyActualValue": "autoRepair is not defined", - "searchLine": common_lib.build_search_line(path, ["spec", "forProvider","management"]), + "searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "management"]), } } 
@@ -64,6 +64,6 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "autoRepair should be set to true", "keyActualValue": "autoRepair is set to false", - "searchLine": common_lib.build_search_line(path, ["spec", "forProvider","management", "autoRepair"]), + "searchLine": common_lib.build_search_line(path, ["spec", "forProvider", "management", "autoRepair"]), } } diff --git a/assets/queries/dockerCompose/cgroup_not_default/query.rego b/assets/queries/dockerCompose/cgroup_not_default/query.rego index 59b4c4a46a4..b1943e90b7b 100644 --- a/assets/queries/dockerCompose/cgroup_not_default/query.rego +++ b/assets/queries/dockerCompose/cgroup_not_default/query.rego @@ -5,11 +5,11 @@ import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i] service_parameters := resource.services[name] - common_lib.valid_key(service_parameters, "cgroup_parent") - + common_lib.valid_key(service_parameters, "cgroup_parent") + result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.cgroup_parent",[name]), + "searchKey": sprintf("services.%s.cgroup_parent", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "Cgroup_parent should be undefined", "keyActualValue": "Cgroup_parent is defined. Only use this when strictly required.", diff --git a/assets/queries/dockerCompose/container_capabilities_unrestricted/query.rego b/assets/queries/dockerCompose/container_capabilities_unrestricted/query.rego index 3636189c8e8..f438b39db5d 100644 --- a/assets/queries/dockerCompose/container_capabilities_unrestricted/query.rego +++ b/assets/queries/dockerCompose/container_capabilities_unrestricted/query.rego 
@@ -4,12 +4,12 @@ import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i] - service_parameters := resource.services[name] - common_lib.valid_key(service_parameters, "cap_add") - + service_parameters := resource.services[name] + common_lib.valid_key(service_parameters, "cap_add") + result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.cap_add",[name]), + "searchKey": sprintf("services.%s.cap_add", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "Make sure you only add the necessary capabilities to your container.", "keyActualValue": "Docker compose file has 'cap_add' attribute.", @@ -19,12 +19,12 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i] - service_parameters := resource.services[name] - not common_lib.valid_key(service_parameters, "cap_drop") - + service_parameters := resource.services[name] + not common_lib.valid_key(service_parameters, "cap_drop") + result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s",[name]), + "searchKey": sprintf("services.%s", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "Docker compose file to have 'cap_drop' attribute", "keyActualValue": "Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.", diff --git a/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/query.rego b/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/query.rego index 6a71bf87789..e2e3daa0f6b 100644 --- a/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/query.rego +++ b/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/query.rego 
@@ -3,28 +3,26 @@ package Cx import data.generic.common as common_lib CxPolicy[result] { - resource := input.document[i] service_parameters := resource.services[name] - ports := service_parameters.ports - port := ports[v] - check_ports(port) - + ports := service_parameters.ports + port := ports[v] + check_ports(port) + result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.ports",[name]), + "searchKey": sprintf("services.%s.ports", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "Docker compose file to have 'ports' attribute bound to a specific host interface.", "keyActualValue": "Docker compose file doesn't have 'ports' attribute bound to a specific host interface", - "searchLine": common_lib.build_search_line(["services", name, "ports"], []), + "searchLine": common_lib.build_search_line(["services", name, "ports"], []), } } -check_ports(port) -{ +check_ports(port) { published := port.published - not contains(published,".") -}else{ + not contains(published, ".") +} else { not common_lib.valid_key(port, "published") - not contains(port,".") + not contains(port, ".") } diff --git a/assets/queries/dockerCompose/cpus_not_limited/query.rego b/assets/queries/dockerCompose/cpus_not_limited/query.rego index 4ffa75444eb..c1668fe80f5 100644 --- a/assets/queries/dockerCompose/cpus_not_limited/query.rego +++ b/assets/queries/dockerCompose/cpus_not_limited/query.rego 
@@ -2,18 +2,18 @@ package Cx import data.generic.common as common_lib -#FOR VERSION 3 +# For version 3 CxPolicy[result] { resource := input.document[i] - version := resource.version - to_number(version) >= 3 + version := resource.version + to_number(version) >= 3 service_parameters := resource.services[name] - limits := service_parameters.deploy.resources.limits - not common_lib.valid_key(limits, "cpus") + limits := service_parameters.deploy.resources.limits + not common_lib.valid_key(limits, "cpus") result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.deploy.resources.limits",[name]), + "searchKey": sprintf("services.%s.deploy.resources.limits", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "'deploy.resources.limits.cpus' should be defined", "keyActualValue": "'deploy.resources.limits.cpus' is not defined", @@ -23,14 +23,14 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i] - version := resource.version - to_number(version) >= 3 + version := resource.version + to_number(version) >= 3 service_parameters := resource.services[name] - not common_lib.valid_key(service_parameters, "deploy") + not common_lib.valid_key(service_parameters, "deploy") result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s",[name]), + "searchKey": sprintf("services.%s", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "'deploy.resources.limits.cpus' should be defined", "keyActualValue": "'deploy' is not defined", 
@@ -40,50 +40,50 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i] - version := resource.version - to_number(version) >= 3 + version := resource.version + to_number(version) >= 3 service_parameters := resource.services[name] - not common_lib.valid_key(service_parameters.deploy, "resources") + not common_lib.valid_key(service_parameters.deploy, "resources") result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.deploy",[name]), + "searchKey": sprintf("services.%s.deploy", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "'deploy.resources' should be defined", - "keyActualValue": "'deploy.resources' is not defined", + "keyActualValue": "'deploy.resources' is not defined", "searchLine": common_lib.build_search_line(["services", name, "deploy"], []), } } CxPolicy[result] { resource := input.document[i] - version := resource.version - to_number(version) >= 3 + version := resource.version + to_number(version) >= 3 service_parameters := resource.services[name] - resources := service_parameters.deploy.resources - not common_lib.valid_key(resources, "limits") + resources := service_parameters.deploy.resources + not common_lib.valid_key(resources, "limits") result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.deploy.resources",[name]), + "searchKey": sprintf("services.%s.deploy.resources", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "'deploy.resources.limits' should be defined", "keyActualValue": "'deploy.resources.limits' is not defined", "searchLine": common_lib.build_search_line(["services", name, "deploy", "resources"], []), - } + } } -#FOR VERSION 2 +# For version 2 CxPolicy[result] { resource := input.document[i] - version := resource.version - to_number(version) < 3 + version := resource.version + to_number(version) < 3 service_parameters := resource.services[name] - not common_lib.valid_key(service_parameters, "cpus") + not 
common_lib.valid_key(service_parameters, "cpus") result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s",[name]), + "searchKey": sprintf("services.%s", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "For cpus priority should be declared.", "keyActualValue": "There is no cpus priority declared.", diff --git a/assets/queries/dockerCompose/default_seccomp_profile_disabled/query.rego b/assets/queries/dockerCompose/default_seccomp_profile_disabled/query.rego index 1fbfc85c315..88f18333c7f 100644 --- a/assets/queries/dockerCompose/default_seccomp_profile_disabled/query.rego +++ b/assets/queries/dockerCompose/default_seccomp_profile_disabled/query.rego @@ -5,13 +5,13 @@ import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i] service_parameters := resource.services[name] - sec_opt_array := service_parameters.security_opt - sec_opt := sec_opt_array[a] - contains(sec_opt,"seccomp:unconfined") - + sec_opt_array := service_parameters.security_opt + sec_opt := sec_opt_array[a] + contains(sec_opt, "seccomp:unconfined") + result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.security_opt",[name]), + "searchKey": sprintf("services.%s.security_opt", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "Seccomp default profile to not be disabled.", "keyActualValue": "Seccomp default profile is disabled.", diff --git a/assets/queries/dockerCompose/docker_socket_mounted_in_container/query.rego b/assets/queries/dockerCompose/docker_socket_mounted_in_container/query.rego index 329191ad608..387e88d23e8 100644 --- a/assets/queries/dockerCompose/docker_socket_mounted_in_container/query.rego +++ b/assets/queries/dockerCompose/docker_socket_mounted_in_container/query.rego 
@@ -5,16 +5,15 @@ import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i] service_parameters := resource.services[name] - volumes := service_parameters.volumes - volume := volumes[v] - path := split(volume,":") - host_path := path[0] - contains(host_path, "docker.sock") - - + volumes := service_parameters.volumes + volume := volumes[v] + path := split(volume, ":") + host_path := path[0] + contains(host_path, "docker.sock") + result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.volumes",[name]), + "searchKey": sprintf("services.%s.volumes", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "To not have docker socket named 'docker.sock' mounted in a volume", "keyActualValue": "There is a docker socket named 'docker.sock' mounted in a volume", diff --git a/assets/queries/dockerCompose/healthcheck_not_set/query.rego b/assets/queries/dockerCompose/healthcheck_not_set/query.rego index 403d53bb4ca..989d82289dc 100644 --- a/assets/queries/dockerCompose/healthcheck_not_set/query.rego +++ b/assets/queries/dockerCompose/healthcheck_not_set/query.rego @@ -5,11 +5,11 @@ import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i] service_parameters := resource.services[name] - not common_lib.valid_key(service_parameters, "healthcheck") - + not common_lib.valid_key(service_parameters, "healthcheck") + result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s",[name]), + "searchKey": sprintf("services.%s", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "Healthcheck should be defined.", "keyActualValue": "Healthcheck is not defined.", 
@@ -20,11 +20,11 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i] service_parameters := resource.services[name] - service_parameters.healthcheck.disable == true - + service_parameters.healthcheck.disable == true + result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.healthcheck.disable",[name]), + "searchKey": sprintf("services.%s.healthcheck.disable", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "Healthcheck should be enabled.", "keyActualValue": "Healthcheck is disabled.", @@ -35,12 +35,12 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i] service_parameters := resource.services[name] - test := service_parameters.healthcheck.test - test == ["NONE"] - + test := service_parameters.healthcheck.test + test == ["NONE"] + result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.healthcheck.test",[name]), + "searchKey": sprintf("services.%s.healthcheck.test", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "Healthcheck should be enabled.", "keyActualValue": "Healthcheck is disabled.", diff --git a/assets/queries/dockerCompose/host_namespace_is_shared/query.rego b/assets/queries/dockerCompose/host_namespace_is_shared/query.rego index 2272829b8ae..4fcec283d89 100644 --- a/assets/queries/dockerCompose/host_namespace_is_shared/query.rego +++ b/assets/queries/dockerCompose/host_namespace_is_shared/query.rego 
@@ -5,12 +5,12 @@ import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i] service_parameters := resource.services[name] - pid := service_parameters.pid - pid == "host" + pid := service_parameters.pid + pid == "host" result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.pid",[name]), + "searchKey": sprintf("services.%s.pid", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "There shouldn't be pid mode declared as host", "keyActualValue": "There is a pid mode declared as host", diff --git a/assets/queries/dockerCompose/memory_not_limited/query.rego b/assets/queries/dockerCompose/memory_not_limited/query.rego index 483aac68070..7bf3a21aee1 100644 --- a/assets/queries/dockerCompose/memory_not_limited/query.rego +++ b/assets/queries/dockerCompose/memory_not_limited/query.rego @@ -2,18 +2,18 @@ package Cx import data.generic.common as common_lib -#FOR VERSION 3 +# For version 3 CxPolicy[result] { resource := input.document[i] - version := resource.version - to_number(version) >= 3 + version := resource.version + to_number(version) >= 3 service_parameters := resource.services[name] - limits := service_parameters.deploy.resources.limits - not common_lib.valid_key(limits, "memory") + limits := service_parameters.deploy.resources.limits + not common_lib.valid_key(limits, "memory") result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.deploy.resources.limits",[name]), + "searchKey": sprintf("services.%s.deploy.resources.limits", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "'deploy.resources.limits.memory' should be defined", "keyActualValue": "'deploy.resources.limits.memory' is not defined", 
@@ -23,14 +23,14 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i] - version := resource.version - to_number(version) >= 3 + version := resource.version + to_number(version) >= 3 service_parameters := resource.services[name] - not common_lib.valid_key(service_parameters, "deploy") + not common_lib.valid_key(service_parameters, "deploy") result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s",[name]), + "searchKey": sprintf("services.%s", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "'deploy.resources.limits.memory' should be defined", "keyActualValue": "'deploy' is not defined", 
@@ -40,50 +40,50 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i] - version := resource.version - to_number(version) >= 3 + version := resource.version + to_number(version) >= 3 service_parameters := resource.services[name] - not common_lib.valid_key(service_parameters.deploy, "resources") + not common_lib.valid_key(service_parameters.deploy, "resources") result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.deploy",[name]), + "searchKey": sprintf("services.%s.deploy", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "'deploy.resources' should be defined", - "keyActualValue": "'deploy.resources' is not defined", + "keyActualValue": "'deploy.resources' is not defined", "searchLine": common_lib.build_search_line(["services", name, "deploy"], []), } } CxPolicy[result] { resource := input.document[i] - version := resource.version - to_number(version) >= 3 + version := resource.version + to_number(version) >= 3 service_parameters := resource.services[name] - resources := service_parameters.deploy.resources - not common_lib.valid_key(resources, "limits") + resources := service_parameters.deploy.resources + not common_lib.valid_key(resources, "limits") result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.deploy.resources",[name]), + "searchKey": sprintf("services.%s.deploy.resources", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "'deploy.resources.limits' should be defined", "keyActualValue": "'deploy.resources.limits' is not defined", "searchLine": common_lib.build_search_line(["services", name, "deploy", "resources"], []), - } + } } -#FOR VERSION 2 +# For version 2 CxPolicy[result] { resource := input.document[i] - version := resource.version - to_number(version) < 3 + version := resource.version + to_number(version) < 3 service_parameters := resource.services[name] - not common_lib.valid_key(service_parameters, "mem_limit") + not 
common_lib.valid_key(service_parameters, "mem_limit") result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s",[name]), + "searchKey": sprintf("services.%s", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "For mem_limit should be declared.", "keyActualValue": "There is no mem_limit declared.", diff --git a/assets/queries/dockerCompose/no_new_privileges_not_set/query.rego b/assets/queries/dockerCompose/no_new_privileges_not_set/query.rego index 1f9dde4ed66..b9ea014bb1f 100644 --- a/assets/queries/dockerCompose/no_new_privileges_not_set/query.rego +++ b/assets/queries/dockerCompose/no_new_privileges_not_set/query.rego @@ -1,16 +1,17 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { resource := input.document[i] service_parameters := resource.services[name] - sec_opt := service_parameters.security_opt - not no_new_privileges(sec_opt) - + sec_opt := service_parameters.security_opt + not no_new_privileges(sec_opt) + result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.security_opt",[name]), + "searchKey": sprintf("services.%s.security_opt", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "no-new-privileges should be set in security_opt.", "keyActualValue": "no-new-privileges is not set in security_opt", @@ -19,5 +20,5 @@ CxPolicy[result] { } no_new_privileges(sec_opt) { - sec_opt[_] == "no-new-privileges:true" + "no-new-privileges:true" in sec_opt } diff --git a/assets/queries/dockerCompose/pids_limit_not_set/query.rego b/assets/queries/dockerCompose/pids_limit_not_set/query.rego index 605c3a8e5a0..8cd4979523d 100644 --- a/assets/queries/dockerCompose/pids_limit_not_set/query.rego +++ b/assets/queries/dockerCompose/pids_limit_not_set/query.rego 
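Review bot: The membership test in `no_new_privileges` still matches only the exact string `"no-new-privileges:true"`, so a service that writes the option as bare `no-new-privileges` or as `no-new-privileges=true` (both of which, as far as I recall the daemon's security-opt parsing, enable the same protection) is reported as missing it; switching from `sec_opt[_] ==` to `in` keeps that false positive. Since `future.keywords.in` is now imported, the helper could normalise the spelling instead, e.g. `no_new_privileges(sec_opt) {` / `some opt in sec_opt` / `regex.match("^no-new-privileges([=:]true)?$", opt)`. The CxPolicy rule that calls it lies entirely within this file's first hunk.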
@@ -5,13 +5,13 @@ import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i] service_parameters := resource.services[name] - version := resource.version - to_number(version) < 3 - not common_lib.valid_key(service_parameters, "pids_limit") - + version := resource.version + to_number(version) < 3 + not common_lib.valid_key(service_parameters, "pids_limit") + result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s",[name]), + "searchKey": sprintf("services.%s", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "Pids_limit should be defined.", "keyActualValue": "Pids_limit is not defined.", @@ -22,14 +22,14 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i] service_parameters := resource.services[name] - version := resource.version - to_number(version) < 3 - pids_limit := service_parameters.pids_limit - pids_limit == -1 - + version := resource.version + to_number(version) < 3 + pids_limit := service_parameters.pids_limit + pids_limit == -1 + result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.pids_limit",[name]), + "searchKey": sprintf("services.%s.pids_limit", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "Pids_limit should be limited.", "keyActualValue": "Pids_limit is not limited.", diff --git a/assets/queries/dockerCompose/privileged_containers_enabled/query.rego b/assets/queries/dockerCompose/privileged_containers_enabled/query.rego index 960e59902a1..3fc3fa805fd 100644 --- a/assets/queries/dockerCompose/privileged_containers_enabled/query.rego +++ b/assets/queries/dockerCompose/privileged_containers_enabled/query.rego 
@@ -4,16 +4,16 @@ import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i] - service_parameters := resource.services[name] - privileged := service_parameters.privileged - privileged == true - + service_parameters := resource.services[name] + privileged := service_parameters.privileged + privileged == true + result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.privileged",[name]), + "searchKey": sprintf("services.%s.privileged", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "Docker compose file to have 'privileged' attribute set to false or not set", "keyActualValue": "Docker compose file has 'privileged' attribute as true", - "searchLine": common_lib.build_search_line(["services", name, "privileged"], []), + "searchLine": common_lib.build_search_line(["services", name, "privileged"], []), } } diff --git a/assets/queries/dockerCompose/privileged_ports_mapped_in_container/query.rego b/assets/queries/dockerCompose/privileged_ports_mapped_in_container/query.rego index 050f1796e7c..452157dcbd9 100644 --- a/assets/queries/dockerCompose/privileged_ports_mapped_in_container/query.rego +++ b/assets/queries/dockerCompose/privileged_ports_mapped_in_container/query.rego 
@@ -1,56 +1,67 @@ package Cx import data.generic.common as common_lib - +import future.keywords.in CxPolicy[result] { - resource := input.document[i] service_parameters := resource.services[name] - ports := service_parameters.ports - port := ports[v] + ports := service_parameters.ports + port := ports[v] is_privileged_port(port) - not has_cap_drop(service_parameters) + not has_cap_drop(service_parameters) result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.ports",[name]), + "searchKey": sprintf("services.%s.ports", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", "keyActualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", - "searchLine": common_lib.build_search_line(["services", name, "ports"], []), + "searchLine": common_lib.build_search_line(["services", name, "ports"], []), } } has_cap_drop(service_parameters) { - service_parameters.cap_drop[_] == "NET_BIND_SERVICE" + "NET_BIND_SERVICE" in service_parameters.cap_drop } -is_privileged_port(port) -{ #COVERS "HOST" port from short syntax "HOST:CONTAINER" and "CONTAINER" syntax - both_ports := split(port,":") - host_port := both_ports[0] - to_number(host_port) < 1024 -}else{#COVERS "CONTAINER" port from short syntax "HOST:CONTAINER" - both_ports := split(port,":") - container_port := both_ports[1] - to_number(container_port) < 1024 -}else{#Covers short syntax part '...:CONTAINER/PROTOCOL' - both_ports := split(port,":") - container_port := both_ports[1] - splitted_cp := split(container_port,"/") - to_number(splitted_cp[0]) < 1024 -}else{#covers "HOST-HOST:CONTAINER-CONTAINER", "IPADDR:HOSTPORT:CONTAINERPORT", "IPADDR:HOST-HOST:CONTAINER-CONTAINER" -# "IPADDR::CONTAINERPORT" and "HOST-HOST:CONTAINER" - both_ranges := split(port,":") - splitted_ports := split(both_ranges[p],"-") - to_number(splitted_ports[s]) < 1024 -}else{#covers 
"CONTAINER-CONTAINER" - both_ports := split(port,"-") - splitted_port := both_ports[p] - to_number(splitted_port) < 1024 -}else{#COVERS LONG SYNTAX PUBLISHED PORT +is_privileged_port(port) { + # Covers "HOST" port from short syntax "HOST:CONTAINER" and "CONTAINER" syntax + both_ports := split(port, ":") + host_port := both_ports[0] + to_number(host_port) < 1024 +} # Covers "CONTAINER" port from short syntax "HOST:CONTAINER" + +else { + both_ports := split(port, ":") + container_port := both_ports[1] + to_number(container_port) < 1024 +} # Covers short syntax part '...:CONTAINER/PROTOCOL' + +else { + both_ports := split(port, ":") + container_port := both_ports[1] + splitted_cp := split(container_port, "/") + to_number(splitted_cp[0]) < 1024 +} # Covers "HOST-HOST:CONTAINER-CONTAINER", "IPADDR:HOSTPORT:CONTAINERPORT", "IPADDR:HOST-HOST:CONTAINER-CONTAINER" + +else { + # "IPADDR::CONTAINERPORT" and "HOST-HOST:CONTAINER" + both_ranges := split(port, ":") + splitted_ports := split(both_ranges[p], "-") + to_number(splitted_ports[s]) < 1024 +} # Covers "CONTAINER-CONTAINER" + +else { + both_ports := split(port, "-") + splitted_port := both_ports[p] + to_number(splitted_port) < 1024 +} # Covers long syntax published port + +else { port.published < 1024 -}else{#COVERS LONG SYNTAX TARGET PORT +} # Covers long syntax target port + +else { port.target < 1024 } diff --git a/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/query.rego b/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/query.rego index c05418b0e4b..5df72dda899 100644 --- a/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/query.rego +++ b/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/query.rego 
@@ -5,14 +5,14 @@ import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i] service_parameters := resource.services[name] - restart := service_parameters.restart - splitted := split(restart, ":") - attempts := splitted[1] - to_number(attempts) != 5 - + restart := service_parameters.restart + splitted := split(restart, ":") + attempts := splitted[1] + to_number(attempts) != 5 + result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.restart",[name]), + "searchKey": sprintf("services.%s.restart", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "on-failure restart attempts should be 5", "keyActualValue": "on-failure restart attempts are not 5", @@ -23,17 +23,17 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i] service_parameters := resource.services[name] - deploy := service_parameters.deploy - restart_policy := deploy.restart_policy - restart_policy.condition == "on-failure" - restart_policy.max_attempts != 5 - + deploy := service_parameters.deploy + restart_policy := deploy.restart_policy + restart_policy.condition == "on-failure" + restart_policy.max_attempts != 5 + result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.deploy.restart_policy.max_attempts",[name]), + "searchKey": sprintf("services.%s.deploy.restart_policy.max_attempts", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "on-failure restart attempts should be 5", "keyActualValue": "on-failure restart attempts are not 5", - "searchLine": common_lib.build_search_line(["services", name, "deploy", "restart_policy", "max_attempts" ], []), + "searchLine": common_lib.build_search_line(["services", name, "deploy", "restart_policy", "max_attempts"], []), } } diff --git a/assets/queries/dockerCompose/security_opt_not_set/query.rego b/assets/queries/dockerCompose/security_opt_not_set/query.rego index 65a052a9102..0816c4da392 100644 
--- a/assets/queries/dockerCompose/security_opt_not_set/query.rego +++ b/assets/queries/dockerCompose/security_opt_not_set/query.rego @@ -4,19 +4,19 @@ import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i] - service_parameters := resource.services[name] - not common_lib.valid_key(service_parameters, "security_opt") - + service_parameters := resource.services[name] + not common_lib.valid_key(service_parameters, "security_opt") + result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s",[name]), + "searchKey": sprintf("services.%s", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "Docker compose file to have 'security_opt' attribute", "keyActualValue": "Docker compose file does not have 'security_opt' attribute", - "searchLine": common_lib.build_search_line(["services", name], []) + "searchLine": common_lib.build_search_line(["services", name], []), } } -#security_opt gets ignored when using docker in swarm mode (https://docs.docker.com/engine/swarm/), -#which enables the user to manage several docker engines at once -#a docker engine (https://docs.docker.com/engine/) is an instance of docker installed in a host +# security_opt gets ignored when using docker in swarm mode (https://docs.docker.com/engine/swarm/), +# which enables the user to manage several docker engines at once +# a docker engine (https://docs.docker.com/engine/) is an instance of docker installed in a host diff --git a/assets/queries/dockerCompose/shared_host_ipc_namespace/query.rego b/assets/queries/dockerCompose/shared_host_ipc_namespace/query.rego index 700b79481c8..25faf1d0f6f 100644 --- a/assets/queries/dockerCompose/shared_host_ipc_namespace/query.rego +++ b/assets/queries/dockerCompose/shared_host_ipc_namespace/query.rego 
@@ -4,16 +4,16 @@ import data.generic.common as common_lib
 CxPolicy[result] {
 resource := input.document[i]
- service_parameters := resource.services[name]
- ipc := service_parameters.ipc
- ipc == "host"
-
+ service_parameters := resource.services[name]
+ ipc := service_parameters.ipc
+ ipc == "host"
+
 result := {
 "documentId": sprintf("%s", [resource.id]),
- "searchKey": sprintf("services.%s.privileged",[name]),
+ "searchKey": sprintf("services.%s.privileged", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Docker compose file to have 'ipc' attribute not set to host, or not set",
 "keyActualValue": "Docker compose file has 'ipc' attribute as host",
- "searchLine": common_lib.build_search_line(["services", name, "ipc"], []),
+ "searchLine": common_lib.build_search_line(["services", name, "ipc"], []),
 }
 }
diff --git a/assets/queries/dockerCompose/shared_host_network_namespace/query.rego b/assets/queries/dockerCompose/shared_host_network_namespace/query.rego
index d631a021913..38b7f50fbbf 100644
--- a/assets/queries/dockerCompose/shared_host_network_namespace/query.rego
+++ b/assets/queries/dockerCompose/shared_host_network_namespace/query.rego
@@ -5,12 +5,12 @@ import data.generic.common as common_lib
 CxPolicy[result] {
 resource := input.document[i]
 service_parameters := resource.services[name]
- network_mode := service_parameters.network_mode
- network_mode == "host"
+ network_mode := service_parameters.network_mode
+ network_mode == "host"
 result := {
 "documentId": sprintf("%s", [resource.id]),
- "searchKey": sprintf("services.%s.network_mode",[name]),
+ "searchKey": sprintf("services.%s.network_mode", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "There shouldn't be network mode declared as host",
 "keyActualValue": "There is a network mode declared as host",
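Review bot: `searchKey` in the shared_host_ipc_namespace rule still reads `services.%s.privileged` although the condition is `ipc == "host"` and the `searchLine` on the next lines already uses `["services", name, "ipc"]`, so the finding is attached to the wrong attribute path. The commit only re-spaced that line; `"searchKey": sprintf("services.%s.ipc", [name]),` is the fix.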
diff --git a/assets/queries/dockerCompose/shared_host_user_namespace/query.rego b/assets/queries/dockerCompose/shared_host_user_namespace/query.rego
index 98a1e829720..6fa1d236284 100644
--- a/assets/queries/dockerCompose/shared_host_user_namespace/query.rego
+++ b/assets/queries/dockerCompose/shared_host_user_namespace/query.rego
@@ -5,11 +5,11 @@ import data.generic.common as common_lib
 CxPolicy[result] {
 resource := input.document[i]
 service_parameters := resource.services[name]
- service_parameters.userns_mode == "host"
+ service_parameters.userns_mode == "host"
 result := {
 "documentId": sprintf("%s", [resource.id]),
- "searchKey": sprintf("services.%s.userns_mode",[name]),
+ "searchKey": sprintf("services.%s.userns_mode", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Attribute 'userns_mode' should not be set or not set to host",
 "keyActualValue": "Attribute 'userns_mode' is set to host",
diff --git a/assets/queries/dockerCompose/shared_volumes_between_containers/query.rego b/assets/queries/dockerCompose/shared_volumes_between_containers/query.rego
index 4a09ab6bb6f..c29db705622 100644
--- a/assets/queries/dockerCompose/shared_volumes_between_containers/query.rego
+++ b/assets/queries/dockerCompose/shared_volumes_between_containers/query.rego
@@ -5,15 +5,15 @@ import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i] volumes_shared := resource.volumes - _:= volumes_shared[v1] + _ := volumes_shared[v1] service_parameters := resource.services[name] - volumes := service_parameters.volumes - volume2 := volumes[v2] + volumes := service_parameters.volumes + volume2 := volumes[v2] startswith(volume2, v1) result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.volumes",[name]), + "searchKey": sprintf("services.%s.volumes", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "There shouldn't be volumes created and shared between containers", "keyActualValue": sprintf("Volume %s created and shared between containers", [v1]), @@ -24,14 +24,14 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i] service_parameters := resource.services[name] - volumes := service_parameters.volumes - volume := volumes[v] - - dup(resource, name, volume) + volumes := service_parameters.volumes + volume := volumes[v] + + dup(resource, name, volume) result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.volumes",[name]), + "searchKey": sprintf("services.%s.volumes", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "There shouldn't be volumes shared between containers", "keyActualValue": sprintf("Volume %s shared between containers", [volume]), @@ -39,10 +39,10 @@ CxPolicy[result] { } } -dup(resource, resource_name, volume_name){ +dup(resource, resource_name, volume_name) { service_parameters := resource.services[name] - name != resource_name - volumes := service_parameters.volumes - vname := volumes[_] - vname == volume_name -} \ No newline at end of file + name != resource_name + volumes := service_parameters.volumes + vname := volumes[_] + vname == volume_name +} 
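Review bot: `startswith(volume2, v1)` in the first rule is a bare prefix test, so a top-level volume named `data` also matches a service entry such as `database:/srv` (constructed example) and produces a false positive, while the `dup` helper at the end of the same file compares names exactly with `vname == volume_name`. Comparing the part before the colon, `split(volume2, ":")[0] == v1`, keeps the short-syntax intent and is undefined for long-syntax volume objects just as the current call is.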
diff --git a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/query.rego b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/query.rego index a2aea517042..8c4c32efb2d 100644 --- a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/query.rego +++ b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/query.rego @@ -5,15 +5,15 @@ import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i] service_parameters := resource.services[name] - volumes := service_parameters.volumes - volume := volumes[v] - path := split(volume,":") - host_path := path[0] - common_lib.isOSDir(host_path) + volumes := service_parameters.volumes + volume := volumes[v] + path := split(volume, ":") + host_path := path[0] + common_lib.isOSDir(host_path) result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.volumes",[name]), + "searchKey": sprintf("services.%s.volumes", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "There shouldn't be sensitive directory mounted as a volume", "keyActualValue": sprintf("There is a sensitive directory (%s) mounted as a volume", [host_path]), @@ -24,14 +24,14 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i] service_parameters := resource.services[name] - volumes := service_parameters.volumes - volume := volumes[v] - host_path := volume.source - common_lib.isOSDir(host_path) + volumes := service_parameters.volumes + volume := volumes[v] + host_path := volume.source + common_lib.isOSDir(host_path) result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.volumes.source",[name]), + "searchKey": sprintf("services.%s.volumes.source", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "There shouldn't be sensitive directory mounted as a volume", "keyActualValue": sprintf("There is a sensitive directory (%s) mounted as a volume", [host_path]), 
@@ -42,12 +42,12 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i] volume := resource.volumes[name] - host_path := volume.driver_opts.device - common_lib.isOSDir(host_path) + host_path := volume.driver_opts.device + common_lib.isOSDir(host_path) result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("volumes.%s.driver_opts.device",[name]), + "searchKey": sprintf("volumes.%s.driver_opts.device", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "There shouldn't be sensitive directory mounted as a volume", "keyActualValue": sprintf("There is a sensitive directory (%s) mounted as a volume", [host_path]), @@ -58,12 +58,12 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i] volume := resource.volumes[name] - host_path := volume.driver_opts.mountpoint - common_lib.isOSDir(host_path) + host_path := volume.driver_opts.mountpoint + common_lib.isOSDir(host_path) result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("volumes.%s.driver_opts.mountpoint",[name]), + "searchKey": sprintf("volumes.%s.driver_opts.mountpoint", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "There shouldn't be sensitive directory mounted as a volume", "keyActualValue": sprintf("There is a sensitive directory (%s) mounted as a volume", [host_path]), diff --git a/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/query.rego b/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/query.rego index 0e992e9b31a..4efe0756f7e 100644 --- a/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/query.rego +++ b/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/query.rego 
@@ -5,15 +5,15 @@ import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i] service_parameters := resource.services[name] - volumes := service_parameters.volumes - volume := volumes[v] - propagation := volume.bind.propagation - possibilities := {"shared", "rshared", "slave", "rslave"} - propagation == possibilities[p] + volumes := service_parameters.volumes + volume := volumes[v] + propagation := volume.bind.propagation + possibilities := {"shared", "rshared", "slave", "rslave"} + propagation == possibilities[p] result := { "documentId": sprintf("%s", [resource.id]), - "searchKey": sprintf("services.%s.volumes.bind.propagation",[name]), + "searchKey": sprintf("services.%s.volumes.bind.propagation", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "Volumes should not be mounted in multiple containers", "keyActualValue": sprintf("Volumes are being mounted in multiple containers, mode: %s", [possibilities[p]]), diff --git a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego index f39c4336de0..a3c4da8497f 100644 --- a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego +++ b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego @@ -5,7 +5,7 @@ CxPolicy[result] { resource.Cmd == "run" commands := resource.Value[0] - aptGet := regex.find_n("apt-get (-(-)?[a-zA-Z]+ *)*install", commands, -1) + aptGet := regex.find_n(`apt-get (-(-)?[a-zA-Z]+ *)*install`, commands, -1) aptGet != null not hasClean(resource.Value[0], aptGet[0]) 
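Review bot: `propagation == possibilities[p]` in volume_mounted_in_multiple_containers iterates the set through an output variable only so that `possibilities[p]` can be reused in `keyActualValue`, where it is always equal to `propagation`. With the `future.keywords.in` import this commit adds to other dockerCompose queries, `propagation in possibilities` plus `[propagation]` in the sprintf says the same more directly; the import line would sit above this hunk.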
@@ -13,7 +13,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, commands]), - "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute" + "issueType": "IncorrectValue", # "MissingAttribute" / "RedundantAttribute" "keyExpectedValue": "After using apt-get install, the apt-get lists should be deleted", "keyActualValue": "After using apt-get install, the apt-get lists were not deleted", } @@ -25,12 +25,12 @@ hasClean(resourceValue, aptGet) { res := replace(resourceValue, "\t", "") listCommands := split(res, options[_]) startswith(trim_space(listCommands[install]), aptGet) - startswith(trim_space(listCommands[clean]), "apt-get clean") + startswith(trim_space(listCommands[clean]), "apt-get clean") install < clean } else { res := replace(resourceValue, "\t", "") listCommands := split(res, options[_]) startswith(trim_space(listCommands[install]), aptGet) - startswith(trim_space(listCommands[remove]), "rm -rf") + startswith(trim_space(listCommands[remove]), "rm -rf") install < remove } diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego index f1637cf3309..09ffb506384 100644 --- a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego +++ b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego @@ -9,7 +9,7 @@ CxPolicy[result] { count(resource.Value) == 1 commands := resource.Value[0] - aptGet := regex.find_n("apt-get (-(-)?[a-zA-Z]+ *)*install", commands, -1) + aptGet := regex.find_n(`apt-get (-(-)?[a-zA-Z]+ *)*install`, commands, -1) aptGet != null packages = dockerLib.getPackages(commands, aptGet) @@ -41,7 +41,7 @@ CxPolicy[result] { packageName := resource.Value[j] - regex.match("^[a-zA-Z]", packageName) == true + regex.match(`^[a-zA-Z]`, packageName) == true not dockerLib.withVersion(packageName) result := { 
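Review bot: In the `else` branch of `hasClean` (second hunk on this line; the function head and `options` are outside the hunk) any command starting with `rm -rf` counts as a cleanup, so `rm -rf /tmp/build` (constructed) after `apt-get install` satisfies the rule even though `/var/lib/apt/lists` stays in the image layer. Adding `contains(listCommands[remove], "/var/lib/apt/lists")` beside the `startswith(trim_space(listCommands[remove]), "rm -rf")` check ties the branch to the directory the query is about.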
@@ -56,13 +56,13 @@ CxPolicy[result] { analyzePackages(j, currentPackage, packages, length) { j == length - 1 - regex.match("^[a-zA-Z]", currentPackage) == true + regex.match(`^[a-zA-Z]`, currentPackage) == true not dockerLib.withVersion(currentPackage) } analyzePackages(j, currentPackage, packages, length) { j != length - 1 - regex.match("^[a-zA-Z]", currentPackage) == true - packages[plus(j, 1)] != "-v" + regex.match(`^[a-zA-Z]`, currentPackage) == true + packages[j + 1] != "-v" not dockerLib.withVersion(currentPackage) } diff --git a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego index 251c8de4840..7ea903e3124 100644 --- a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego +++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego @@ -3,7 +3,7 @@ package Cx import data.generic.dockerfile as dockerLib import future.keywords.contains -CxPolicy[result] { +CxPolicy contains result { resource := input.document[i].command[name][_] resource.Cmd == "run" 
@@ -24,47 +24,47 @@ CxPolicy[result] { } } -CxPolicy[result] { - resource := input.document[i].command[name][_] - resource.Cmd == "run" +CxPolicy contains result { + resource := input.document[i].command[name][_] + resource.Cmd == "run" + + count(resource.Value) > 1 - count(resource.Value) > 1 + dockerLib.arrayContains(resource.Value, {"apt-get", "install"}) - dockerLib.arrayContains(resource.Value, {"apt-get", "install"}) + not avoidManualInputInList(resource.Value) - not avoidManualInputInList(resource.Value) - - result := { - "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]), - "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), - } + result := { + "documentId": input.document[i].id, + "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]), + "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), + } } isAptGet(command) { - regex.match("apt-get (-(-)?[a-zA-Z]+ *)*install", command) + regex.match(`apt-get (-(-)?[a-zA-Z]+ *)*install`, command) } avoidManualInputInList(command) { - flags := ["-y", "--yes", "--assume-yes", "-qy", "-q=2", "-qq"] - flagfound := contains(command[_], flags[_]) - flagfound + flags := ["-y", "--yes", "--assume-yes", "-qy", "-q=2", "-qq"] + flagfound := contains(command[_], flags[_]) + flagfound } else { - flagsquiet := ["-q","--quiet"] - quietflag := {z | command[y] == flagsquiet[_]; z := y} - count(quietflag) == 2 + flagsquiet := ["-q", "--quiet"] + quietflag := {z | command[y] == flagsquiet[_]; z := y} + count(quietflag) == 2 } avoidManualInput(command) { - regex.match("apt-get (-(-)?[a-zA-Z]+ 
*)*(-([A-Za-z])*y|--yes|-qq|-q=2|--assume-yes|(-q|--quiet)(.*(-q|--quiet)){1}) (-(-)?[a-zA-Z]+ *)*install", command) + regex.match(`apt-get (-(-)?[a-zA-Z]+ *)*(-([A-Za-z])*y|--yes|-qq|-q=2|--assume-yes|(-q|--quiet)(.*(-q|--quiet)){1}) (-(-)?[a-zA-Z]+ *)*install`, command) } avoidManualInput(command) { - regex.match("apt-get (-(-)?[a-zA-Z]+ *)*install (-(-)?[a-zA-Z]+ *)*(-([A-Za-z])*y|--yes|-qq|-q=2|--assume-yes|(-q|--quiet)(.*(-q|--quiet)){1})", command) + regex.match(`apt-get (-(-)?[a-zA-Z]+ *)*install (-(-)?[a-zA-Z]+ *)*(-([A-Za-z])*y|--yes|-qq|-q=2|--assume-yes|(-q|--quiet)(.*(-q|--quiet)){1})`, command) } avoidManualInput(command) { - regex.match("apt-get (-(-)?[a-zA-Z]+ *)*install ([A-Za-z0-9\\W]+ *)*(-([A-Za-z])*y|--yes|-qq|-q=2|--assume-yes|(-q|--quiet)(.*(-q|--quiet)){1})", command) + regex.match(`apt-get (-(-)?[a-zA-Z]+ *)*install ([A-Za-z0-9\W]+ *)*(-([A-Za-z])*y|--yes|-qq|-q=2|--assume-yes|(-q|--quiet)(.*(-q|--quiet)){1})`, command) } diff --git a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/query.rego b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/query.rego index c405fd7f93c..351d8c2afac 100644 --- a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/query.rego +++ b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/query.rego @@ -1,6 +1,7 @@ package Cx import data.generic.dockerfile as dockerLib +import future.keywords.in CxPolicy[result] { resource := input.document[i].command[name][_] @@ -12,7 +13,7 @@ CxPolicy[result] { commandsSplit = dockerLib.getCommands(commands) some j - regex.match("apt-get (-(-)?[a-zA-Z]+ *)*install", commandsSplit[j]) == true + regex.match(`apt-get (-(-)?[a-zA-Z]+ *)*install`, commandsSplit[j]) == true not avoidAdditionalPackages(commandsSplit[j]) result := { 
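Review bot: `flagfound := contains(command[_], flags[_])` in `avoidManualInputInList` is a substring test over every token, so a package argument such as `python3-yaml` (constructed) contains `-y`, marks the command as non-interactive and the finding is silently dropped. An exact token comparison, `command[_] == flags[_]`, avoids that; combined short flags such as `-yq`, which the string form already handles through `-([A-Za-z])*y` in `avoidManualInput`, would then need either an entry in `flags` or that anchored regex applied per token.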
@@ -32,8 +33,8 @@ CxPolicy[result] { commands := resource.Value - commands[_] == "apt-get" - commands[_] == "install" + "apt-get" in commands + "install" in commands not avoidAdditionalPackages(commands) @@ -54,5 +55,5 @@ avoidAdditionalPackages(cmd) { avoidAdditionalPackages(cmd) { is_array(cmd) == true - dockerLib.arrayContains(cmd, {"--no-install-recommends", "apt::install-recommends=false"}) + dockerLib.arrayContains(cmd, {"--no-install-recommends", "apt::install-recommends=false"}) } diff --git a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego index 9e602aec2cd..aaad71f08bf 100644 --- a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego +++ b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego @@ -20,7 +20,7 @@ shell_possibilities := { CxPolicy[result] { resource := input.document[i].command[name][_] resource.Cmd == "run" - value := resource.Value + value := resource.Value contains(value[v], shell_possibilities[p]) run_values := split(value[v], " ") @@ -29,7 +29,7 @@ CxPolicy[result] { command == command_possibilities[cp] result := { - "debug": sprintf("%s", [value[v]]), + "debug": sprintf("%s", [value[v]]), "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), "issueType": "IncorrectValue", @@ -41,7 +41,7 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i].command[name][_] resource.Cmd == "run" - value := resource.Value + value := resource.Value run_values := split(value[v], " ") command := run_values[0] contains(command, "powershell") diff --git a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego index c2ae55008f3..eb3d4dbb945 100644 
--- a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego +++ b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego @@ -10,12 +10,12 @@ CxPolicy[result] { numElems := count(command) numElems > 2 - not endswith(command[minus(numElems, 1)], "/") + not endswith(command[numElems - 1], "/") result := { "documentId": input.document[i].id, "searchKey": sprintf("FROM={{%s}}.COPY={{%s}}", [name, resource.Value[0]]), - "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute" + "issueType": "IncorrectValue", # "MissingAttribute" / "RedundantAttribute" "keyExpectedValue": "When COPY command has more than two arguments, the last one should end with a slash", "keyActualValue": "COPY command has more than two arguments and the last one does not end with a slash", } diff --git a/assets/queries/dockerfile/curl_or_wget_instead_of_add/query.rego b/assets/queries/dockerfile/curl_or_wget_instead_of_add/query.rego index 7ebf5bccafa..cd0b6f7f855 100644 --- a/assets/queries/dockerfile/curl_or_wget_instead_of_add/query.rego +++ b/assets/queries/dockerfile/curl_or_wget_instead_of_add/query.rego @@ -15,5 +15,5 @@ CxPolicy[result] { } httpRequestChecker(cmdValue) { - regex.match("https?://", cmdValue[_]) + regex.match(`https?:/`, cmdValue[_]) } diff --git a/assets/queries/dockerfile/gem_install_without_version/query.rego b/assets/queries/dockerfile/gem_install_without_version/query.rego index c4d76a64232..ef1077976de 100644 --- a/assets/queries/dockerfile/gem_install_without_version/query.rego +++ b/assets/queries/dockerfile/gem_install_without_version/query.rego @@ -9,7 +9,7 @@ CxPolicy[result] { count(resource.Value) == 1 commands := resource.Value[0] - gem := regex.find_n("gem (-(-)?[a-zA-Z]+ *)*install", commands, -1) + gem := regex.find_n(`gem (-(-)?[a-zA-Z]+ *)*install`, commands, -1) gem != null packages := dockerLib.getPackages(commands, gem) 
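Review bot: The raw-string conversion in `httpRequestChecker` also dropped a slash: `https?:/` is not equivalent to the old `https?://`. Because the pattern is unanchored it still matches every `http://` and `https://` argument, but it now also matches a lone `http:/…` token, so the rule's scope widened in a formatting-only commit; restoring `https?://` inside the raw string gives the previous behaviour.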
@@ -33,11 +33,11 @@ CxPolicy[result] { count(resource.Value) > 1 - dockerLib.arrayContains(resource.Value, {"gem", "install"}) + dockerLib.arrayContains(resource.Value, {"gem", "install"}) resource.Value[j] != "install" resource.Value[j] != "gem" - regex.match("^[a-zA-Z]", resource.Value[j]) == true + regex.match(`^[a-zA-Z]`, resource.Value[j]) == true not dockerLib.withVersion(resource.Value[j]) result := { @@ -51,13 +51,13 @@ CxPolicy[result] { analyzePackages(j, currentPackage, packages, length) { j == length - 1 - regex.match("^[a-zA-Z]", currentPackage) == true + regex.match(`^[a-zA-Z]`, currentPackage) == true not dockerLib.withVersion(currentPackage) } analyzePackages(j, currentPackage, packages, length) { j != length - 1 - regex.match("^[a-zA-Z]", currentPackage) == true - packages[plus(j, 1)] != "-v" + regex.match(`^[a-zA-Z]`, currentPackage) == true + packages[j + 1] != "-v" not dockerLib.withVersion(currentPackage) } diff --git a/assets/queries/dockerfile/healthcheck_instruction_missing/query.rego b/assets/queries/dockerfile/healthcheck_instruction_missing/query.rego index 7ac3f3bb857..5567edb9e3c 100644 --- a/assets/queries/dockerfile/healthcheck_instruction_missing/query.rego +++ b/assets/queries/dockerfile/healthcheck_instruction_missing/query.rego @@ -6,7 +6,7 @@ CxPolicy[result] { resource := input.document[i].command[name] dockerLib.check_multi_stage(name, input.document[i].command) - not contains(resource, "healthcheck") + not cmd_contains(resource, "healthcheck") result := { "documentId": input.document[i].id, @@ -17,6 +17,6 @@ CxPolicy[result] { } } -contains(cmd, elem) { +cmd_contains(cmd, elem) { cmd[_].Cmd = elem } diff --git a/assets/queries/dockerfile/image_version_not_explicit/query.rego b/assets/queries/dockerfile/image_version_not_explicit/query.rego index 670e124ee41..10e6e667653 100644 --- a/assets/queries/dockerfile/image_version_not_explicit/query.rego +++ b/assets/queries/dockerfile/image_version_not_explicit/query.rego 
@@ -18,13 +18,13 @@ CxPolicy[result] {
 versionNotExplicit(cmd) {
 count(cmd) == 1
- regex.match("^\\$[{}A-z0-9-_+].*", cmd[0]) == false
+ regex.match(`^\$[{}A-z0-9-_+].*`, cmd[0]) == false
 not contains(cmd[0], ":")
 }
 versionNotExplicit(cmd) {
 count(cmd) == 1
- regex.match("^\\$[{}A-z0-9-_+].*", cmd[0]) == true
+ regex.match(`^\$[{}A-z0-9-_+].*`, cmd[0]) == true
 resource := input.document[i].command[name][_]
 not resource.Value[0] == "scratch"
@@ -43,10 +43,10 @@ versionNotExplicit(cmd) {
 count(cmd) > 1
 not contains(cmd[0], ":")
- count([x | x := input.document[i].command[name][_]; build_name_exists(x, cmd[0])]) == 0
+ count([x | x := input.document[i].command[name][_]; build_name_exists(x, cmd[0])]) == 0
 }
-build_name_exists(resource, build_name){
+build_name_exists(resource, build_name) {
 not resource.Value[0] == "scratch"
 resource.Cmd == "from"
@@ -55,4 +55,4 @@ build_name_exists(resource, build_name){
 lower(resource.Value[1]) == "as"
 resource.Value[2] == build_name
-}
\ No newline at end of file
+}
diff --git a/assets/queries/dockerfile/image_version_using_latest/query.rego b/assets/queries/dockerfile/image_version_using_latest/query.rego
index cbce842332f..f72c587a1b8 100644
--- a/assets/queries/dockerfile/image_version_using_latest/query.rego
+++ b/assets/queries/dockerfile/image_version_using_latest/query.rego
@@ -9,7 +9,7 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
 "searchKey": sprintf("FROM={{%s}}", [name]),
- "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute"
+ "issueType": "IncorrectValue", # "MissingAttribute" / "RedundantAttribute"
 "keyExpectedValue": sprintf("FROM %s:'version' where version should not be 'latest'", [resource.Value[0]]),
 "keyActualValue": sprintf("FROM %s'", [resource.Value[0]]),
 }
diff --git a/assets/queries/dockerfile/last_user_is_root/query.rego b/assets/queries/dockerfile/last_user_is_root/query.rego
index 28e2dca5a04..f0ccc757ef0 100644
--- a/assets/queries/dockerfile/last_user_is_root/query.rego
+++ b/assets/queries/dockerfile/last_user_is_root/query.rego
@@ -7,11 +7,11 @@ CxPolicy[result] {
 dockerLib.check_multi_stage(name, input.document[i].command)
 userCmd := [x | resource[j].Cmd == "user"; x := resource[j]]
- userCmd[minus(count(userCmd), 1)].Value[0] == "root"
+ userCmd[count(userCmd) - 1].Value[0] == "root"
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, userCmd[minus(count(userCmd), 1)].Original]),
+ "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, userCmd[count(userCmd) - 1].Original]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Last User shouldn't be root",
 "keyActualValue": "Last User is root",
diff --git a/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego b/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego
index 98973103c4f..b99baf2ac70 100644
--- a/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego
+++ b/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego
@@ -7,7 +7,7 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
 "searchKey": sprintf("FROM={{%s}}.MAINTAINER={{%s}}", [name, resource.Value[0]]),
- "issueType": "IncorrectValue",
+ "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("Maintainer instruction being used in Label 'LABEL maintainer=%s'", [resource.Value[0]]),
 "keyActualValue": sprintf("Maintainer instruction not being used in Label 'MAINTAINER %s'", [resource.Value[0]]),
 }
diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego b/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego
index 639ce3d41d1..760da977f4f 100644
--- a/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego
+++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego
@@ -37,5 +37,5 @@ hasInstallCommandWithoutFlag(command) = c {
 }
 hasYesFlag(command) {
- regex.match("\\b(microdnf|dnf *install (-y|-[\\D]{1}y|-y[\\D]{1}|-yes|--assumeyes))\\b [\\w\\W]*", command)
+ regex.match(`\b(microdnf|dnf *install (-y|-[\D]{1}y|-y[\D]{1}|-yes|--assumeyes))\b [\w\W]*`, command)
 }
diff --git a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego
index 0d50a1ebde0..59f94aa5c81 100644
--- a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego
+++ b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego
@@ -9,7 +9,7 @@ CxPolicy[result] {
 count(resource.Value) == 1
 commands := resource.Value[0]
- dnf := regex.find_n("dnf (-(-)?[a-zA-Z]+ *)*(in|rei)n?(stall)?", commands, -1)
+ dnf := regex.find_n(`dnf (-(-)?[a-zA-Z]+ *)*(in|rei)n?(stall)?`, commands, -1)
 dnf != null
 packages = dockerLib.getPackages(commands, dnf)
@@ -37,9 +37,9 @@ CxPolicy[result] {
 isDnf(resource.Value)
 resource.Value[j] != "dnf"
- regex.match("(in|rei)n?(stall)?", resource.Value[j]) == false
+ regex.match(`(in|rei)n?(stall)?`, resource.Value[j]) == false
- regex.match("^[a-zA-Z]", resource.Value[j]) == true
+ regex.match(`^[a-zA-Z]`, resource.Value[j]) == true
 not dockerLib.withVersion(resource.Value[j])
 result := {
@@ -53,18 +53,18 @@ CxPolicy[result] {
 analyzePackages(j, currentPackage, packages, length) {
 j == length - 1
- regex.match("^[a-zA-Z]", currentPackage) == true
+ regex.match(`^[a-zA-Z]`, currentPackage) == true
 not dockerLib.withVersion(currentPackage)
 }
 analyzePackages(j, currentPackage, packages, length) {
 j != length - 1
- regex.match("^[a-zA-Z]", currentPackage) == true
- packages[plus(j, 1)] != "-v"
+ regex.match(`^[a-zA-Z]`, currentPackage) == true
+ packages[j + 1] != "-v"
 not dockerLib.withVersion(currentPackage)
 }
 isDnf(command) {
 contains(command[x], "dnf")
- regex.match("(in|rei)n?(stall)?", command[j]) == true
+ regex.match(`(in|rei)n?(stall)?`, command[j]) == true
 }
diff --git a/assets/queries/dockerfile/missing_zypper_clean/query.rego b/assets/queries/dockerfile/missing_zypper_clean/query.rego
index 9b19c044d0f..7327919b039 100644
--- a/assets/queries/dockerfile/missing_zypper_clean/query.rego
+++ b/assets/queries/dockerfile/missing_zypper_clean/query.rego
@@ -5,7 +5,7 @@ import data.generic.dockerfile as dockerLib
 CxPolicy[result] {
 document := input.document[i]
 commands = document.command
-
+
 commands[img][c].Cmd == "run"
 dockerLib.check_multi_stage(img, commands)
@@ -45,20 +45,20 @@ hasCleanAfterInstall(commands, installCommandIndex, valueIndex) {
 }
 commandHasZypperUsage(command) {
- list := ["zypper in", "zypper remove", "zypper rm", "zypper source-install", "zypper si", "zypper patch"][_]
- index := indexof(command, list)
- index != -1
+ list := ["zypper in", "zypper remove", "zypper rm", "zypper source-install", "zypper si", "zypper patch"][_]
+ index := indexof(command, list)
+ index != -1
 }
 commandHasZypperUsage(command) {
- output := regex.find_n("zypper (-(-)?[a-zA-Z]+ *)*install", command, -1)
- output != null
- index := indexof(command, output[0])
- index != -1
+ output := regex.find_n(`zypper (-(-)?[a-zA-Z]+ *)*install`, command, -1)
+ output != null
+ index := indexof(command, output[0])
+ index != -1
 }
 commandHasZypperClean(command) {
- list := ["zypper clean", "zypper cc"][_]
+ list := ["zypper clean", "zypper cc"][_]
 index := indexof(command, list)
 index != -1
 }
diff --git a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/query.rego b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/query.rego
index 419ef8597a0..d22e4dda646 100644
--- a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/query.rego
+++ b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/query.rego
@@ -24,18 +24,18 @@ CxPolicy[result] {
 }
 commandHasNonInteractiveSwitch(command) {
- regex.match("zypper \\w+ (-y|--no-confirm)", command)
+ regex.match(`zypper \w+ (-y|--no-confirm)`, command)
 }
 commandHasZypperUsage(command) {
- list := ["zypper in", "zypper remove", "zypper rm", "zypper source-install", "zypper si", "zypper patch"][_]
+ list := ["zypper in", "zypper remove", "zypper rm", "zypper source-install", "zypper si", "zypper patch"][_]
 index := indexof(command, list)
 index != -1
 }
 commandHasZypperUsage(command) {
- output := regex.find_n("zypper (-(-)?[a-zA-Z]+ *)*install", command, -1)
- output != null
- index := indexof(command, output[0])
- index != -1
+ output := regex.find_n(`zypper (-(-)?[a-zA-Z]+ *)*install`, command, -1)
+ output != null
+ index := indexof(command, output[0])
+ index != -1
 }
diff --git a/assets/queries/dockerfile/multiple_cmd_instructions_listed/query.rego b/assets/queries/dockerfile/multiple_cmd_instructions_listed/query.rego
index 9976a3b449f..494dc23253a 100644
--- a/assets/queries/dockerfile/multiple_cmd_instructions_listed/query.rego
+++ b/assets/queries/dockerfile/multiple_cmd_instructions_listed/query.rego
@@ -12,7 +12,7 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
 "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, cmdInst[0].Original]),
- "issueType": "RedundantAttribute", #"MissingAttribute" / "RedundantAttribute"
+ "issueType": "RedundantAttribute", # "MissingAttribute" / "RedundantAttribute"
 "keyExpectedValue": "There should be only one CMD instruction",
 "keyActualValue": sprintf("There are %d CMD instructions", [count(cmdInst)]),
 }
diff --git a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/query.rego b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/query.rego
index 4c07f1660e2..22fdef8bedf 100644
--- a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/query.rego
+++ b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/query.rego
@@ -5,11 +5,11 @@ import data.generic.dockerfile as dockerLib
 CxPolicy[result] {
 resource := input.document[i].command[name]
 dockerLib.check_multi_stage(name, input.document[i].command)
-
+
 instructions := {"copy", "add", "run"}
 some j
 cmdInst := [x | resource[j].Cmd == instructions[y]; x := resource[j]]
- typeCMD := [x | cmd := cmdInst[_]; x := {"cmd": cmd.Cmd, "dest": cmd.Value[minus(count(cmd.Value), 1)]}]
+ typeCMD := [x | cmd := cmdInst[_]; x := {"cmd": cmd.Cmd, "dest": cmd.Value[count(cmd.Value) - 1]}]
 newCmdInst := [x | cmd := cmdInst[_]; check_dest(typeCMD, cmd); x := cmd]
 some n, m
@@ -34,10 +34,8 @@ CxPolicy[result] {
 check_dest(typeCMD, cmd) {
 types := {"copy", "add"}
 cmd.Cmd == types[y]
- cmdCheck = [x | cmd.Value[minus(count(cmd.Value), 1)] == typeCMD[z].dest; x := typeCMD[z]]
+ cmdCheck = [x | cmd.Value[count(cmd.Value) - 1] == typeCMD[z].dest; x := typeCMD[z]]
 count(cmdCheck) > 1
 } else {
 cmd.Cmd == "run"
-} else = false {
- true
-}
+} else = false
diff --git a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego
index 2ab522b1177..b12330d16c8 100644
--- a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego
+++ b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego
@@ -30,6 +30,6 @@ CxPolicy[result] {
 "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("{{%s}} should be in the JSON Notation", [resource.Original]),
- "keyActualValue": sprintf("{{%s}} isn't in JSON Notation", [resource.Original]),
+ "keyActualValue": sprintf("{{%s}} isn't in JSON Notation", [resource.Original]),
 }
 }
diff --git a/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego b/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego
index f5d472adda6..ef4c31d3742 100644
--- a/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego
+++ b/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 indexof(currentCmd, installCmd) > -1
 tokens := split(currentCmd, " ")
- refactor_tokens := [x | x := tokens[_]; x != ""]
+ refactor_tokens := [x | x := tokens[_]; x != ""]
 token := refactor_tokens[_]
@@ -45,10 +45,10 @@ valid_match(token) {
 scopeEnd := indexof(token, "/")
 packageID := substring(token, scopeEnd + 1, count(token) - scopeEnd)
 atIndex := indexof(packageID, "@")
- atIndex != -1 #package must refer the version or tag
+ atIndex != -1 # package must refer the version or tag
 } else {
 hasScope := re_match("@.+/.*", token)
 not hasScope
 atIndex := indexof(token, "@")
- atIndex != -1 #package must refer the version or tag
+ atIndex != -1 # package must refer the version or tag
 }
diff --git a/assets/queries/dockerfile/pip_install_keeping_cached_packages/query.rego b/assets/queries/dockerfile/pip_install_keeping_cached_packages/query.rego
index 50eec9a5c4c..e37a9166db3 100644
--- a/assets/queries/dockerfile/pip_install_keeping_cached_packages/query.rego
+++ b/assets/queries/dockerfile/pip_install_keeping_cached_packages/query.rego
@@ -44,7 +44,7 @@ hasCacheFlag(values) {
 some i
 instruction := commands[i]
- regex.match("pip(3)? (-(-)?[a-zA-Z]+ *)*install", instruction) == true
+ regex.match(`pip(3)? (-(-)?[a-zA-Z]+ *)*install`, instruction) == true
 not contains(instruction, "--no-cache-dir")
 }
diff --git a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego
index 9a75bbd392b..7bc72b5f360 100644
--- a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego
+++ b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego
@@ -6,9 +6,8 @@ CxPolicy[result] {
 run_command := resource.Value[_]
 values := split(run_command, " ")
 trim_space(values[index]) == "cd"
- path := trim_space(values[index+1])
- not is_full_path(path)
-
+ path := trim_space(values[index + 1])
+ not is_full_path(path)
 result := {
 "documentId": input.document[i].id,
@@ -19,9 +18,9 @@ CxPolicy[result] {
 }
 }
-is_full_path(path){
- regex.match("^[a-zA-Z]:[\\\/]", path)
-}else {
- startswith( path,"/")
- not contains(path, "/.")
+is_full_path(path) {
+ regex.match(`^[a-zA-Z]:[\/]`, path)
+} else {
+ startswith(path, "/")
+ not contains(path, "/.")
 }
diff --git a/assets/queries/dockerfile/run_using_sudo/query.rego b/assets/queries/dockerfile/run_using_sudo/query.rego
index 224e4913438..e6588edcf88 100644
--- a/assets/queries/dockerfile/run_using_sudo/query.rego
+++ b/assets/queries/dockerfile/run_using_sudo/query.rego
@@ -39,5 +39,5 @@ hasSudo(commands) {
 some i
 instruction := commandsList[i]
- regex.match("^( )*sudo", instruction) == true
+ regex.match(`^( )*sudo`, instruction) == true
 }
diff --git a/assets/queries/dockerfile/run_using_wget_and_curl/query.rego b/assets/queries/dockerfile/run_using_wget_and_curl/query.rego
index 617376f946c..0f03f16566a 100644
--- a/assets/queries/dockerfile/run_using_wget_and_curl/query.rego
+++ b/assets/queries/dockerfile/run_using_wget_and_curl/query.rego
@@ -26,7 +26,7 @@ getWget(cmd) = wget {
 commandsList = dockerLib.getCommands(cmd.Value[0])
- wget := [x | instruction := commandsList[i]; not contains(instruction, "install "); regex.match("^( )*wget", instruction) == true; x := cmd.Original]
+ wget := [x | instruction := commandsList[i]; not contains(instruction, "install "); regex.match(`^( )*wget`, instruction) == true; x := cmd.Original]
 }
 getWget(cmd) = wget {
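Review bot: In the is_full_path hunk the raw string `` `^[a-zA-Z]:[\/]` `` is not equivalent to the old literal: `"^[a-zA-Z]:[\\\/]"` went through string escaping (`\\` to a backslash, `\/` to a slash) before reaching the regex engine, giving a character class that matched either a backslash or a slash, whereas in the raw form `\/` is only an escaped slash and the class now matches `/` alone. A `cd C:\dir` argument therefore stops counting as a full path and is reported where it previously was not. If the old behaviour is the intended one, write `` regex.match(`^[a-zA-Z]:[\\/]`, path) `` so the class keeps both separators. This reading assumes the string escape `\/` was accepted as a slash; if it was kept literally the old class still contained a backslash, and the proposed line is the same either way.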
@@ -44,7 +44,7 @@ getCurl(cmd) = curl {
 commandsList = dockerLib.getCommands(cmd.Value[0])
- curl := [x | instruction := commandsList[i]; not contains(instruction, "install "); regex.match("^( )*curl", instruction) == true; x := cmd.Original]
+ curl := [x | instruction := commandsList[i]; not contains(instruction, "install "); regex.match(`^( )*curl`, instruction) == true; x := cmd.Original]
 }
 getCurl(cmd) = curl {
diff --git a/assets/queries/dockerfile/run_utilities_and_posix_commands/query.rego b/assets/queries/dockerfile/run_utilities_and_posix_commands/query.rego
index 887ccb0aae6..c65debd3ec0 100644
--- a/assets/queries/dockerfile/run_utilities_and_posix_commands/query.rego
+++ b/assets/queries/dockerfile/run_utilities_and_posix_commands/query.rego
@@ -28,7 +28,7 @@ hasInstall(cmd) {
 containsCommand(cmds) {
 count(cmds.Value) > 1
 not hasInstall(cmds.Value)
- regex.match("\\b(ps|shutdown|service|free|top|kill|mount|ifconfig|nano|vim)\\b", cmds.Value[_])
+ regex.match(`\b(ps|shutdown|service|free|top|kill|mount|ifconfig|nano|vim)\b`, cmds.Value[_])
 }
 containsCommand(cmds) {
@@ -38,7 +38,7 @@ containsCommand(cmds) {
 some i
 not hasInstall(commandsList[i])
- regex.match("\\b(ps|shutdown|service|free|top|kill|mount|ifconfig|nano|vim)\\b ", commandsList[i])
+ regex.match(`\b(ps|shutdown|service|free|top|kill|mount|ifconfig|nano|vim)\b `, commandsList[i])
 }
 containsCommand(cmds) {
@@ -48,5 +48,5 @@ containsCommand(cmds) {
 some i
 not hasInstall(commandsList[i])
- regex.match("^\\b(ps|shutdown|service|free|top|kill|mount|ifconfig|nano|vim)\\b$", commandsList[i])
+ regex.match(`^\b(ps|shutdown|service|free|top|kill|mount|ifconfig|nano|vim)\b$`, commandsList[i])
 }
diff --git a/assets/queries/dockerfile/same_alias_in_different_froms/query.rego b/assets/queries/dockerfile/same_alias_in_different_froms/query.rego
index 933f588f86f..fe572891e8a 100644
--- a/assets/queries/dockerfile/same_alias_in_different_froms/query.rego
+++ b/assets/queries/dockerfile/same_alias_in_different_froms/query.rego
@@ -17,7 +17,7 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
 "searchKey": sprintf("FROM={{%s}}", [aliasResource.Value[idx_2]]),
- "issueType": "IncorrectValue",
+ "issueType": "IncorrectValue",
 "keyExpectedValue": "Different FROM commands don't have the same alias defined",
 "keyActualValue": sprintf("Different FROM commands with with the same alias '%s' defined", [aliasResource.Value[idx_2]]),
 }
diff --git a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/query.rego b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/query.rego
index efbe0457924..41e950ffdee 100644
--- a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/query.rego
+++ b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/query.rego
@@ -6,7 +6,7 @@ CxPolicy[result] {
 isRunCmd(runCmd)
 value := runCmd.Value
- count(value) == 1 #command is in a single string
+ count(value) == 1 # command is in a single string
 cmd := value[0]
@@ -35,7 +35,7 @@ CxPolicy[result] {
 isRunCmd(runCmd)
 value := runCmd.Value
- count(value) > 1 #command is in several tokens
+ count(value) > 1 # command is in several tokens
 shellIdx := getShellIdx(value)
 shellIdx != -1
@@ -56,45 +56,35 @@ CxPolicy[result] {
 isRunCmd(com) {
 com.Cmd == "run"
-} else = false {
- true
-}
+} else = false
 hasPipe(cmd) {
 splitStr := split(cmd, " ")
 some i
 splitStr[i] == "|"
 not findTermOpBeforeIdx(splitStr, i)
-} else = false {
- true
-}
+} else = false
 findTermOpBeforeIdx(tokens, maxIdx) {
 termOps := ["&&", "||", "&", ";"]
 some i
 tokens[i] == termOps[_]
 i < maxIdx
-} else = false {
- true
-}
+} else = false
 getShellIdx(value) = idx {
 shells := ["zsh", "bash", "ash", "/bin/zsh", "/bin/bash", "/bin/ash"]
 some i
 value[i] == shells[_]
 idx := i
-} else = -1 {
- true
-}
+} else = -1
 hasPipeInArray(arr, initCmdIdx) {
 some i
 i > initCmdIdx
 arr[i] == "|"
 not findTermOpBetweenIdxs(arr, initCmdIdx, i)
-} else = false {
- true
-}
+} else = false
 findTermOpBetweenIdxs(arr, startIdx, endIdx) {
 termOps := ["&&", "||", "&", ";"]
@@ -102,9 +92,7 @@ findTermOpBetweenIdxs(arr, startIdx, endIdx) {
 arr[i] == termOps[_]
 i > startIdx
 i < endIdx
-} else = false {
- true
-}
+} else = false
 hasPipefail(commands, shellName, idx) {
 some i
@@ -113,17 +101,13 @@ hasPipefail(commands, shellName, idx) {
 tokens := shell.Value
 shellIdx := shellMatch(tokens, shellName)
 shellIdx != -1
- tokens[plus(shellIdx, 1)] == "-o"
- tokens[plus(shellIdx, 2)] == "pipefail"
+ tokens[shellIdx + 1] == "-o"
+ tokens[shellIdx + 2] == "pipefail"
 i < idx
-} else = false {
- true
-}
+} else = false
 shellMatch(tokens, shellName) = shellIdx {
 contains(tokens[shellIdx], shellName)
 } else = shellIdx {
 contains(shellName, tokens[shellIdx])
-} else = -1 {
- true
-}
+} else = -1
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/query.rego
index 8f29de51d56..b2f7499c48d 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/query.rego
+++ b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/query.rego
@@ -9,9 +9,9 @@ CxPolicy[result] {
 count(resource.Value) == 1
 commands := resource.Value[0]
- virtual := regex.find_n("\\-\\-virtual\\s.?[a-zA-Z\\-]+\\s", commands, -1)
- commands_trim = replace(commands, virtual[0],"")
- apk := regex.find_n("apk (-(-)?[a-zA-Z]+ *)*add", commands_trim, -1)
+ virtual := regex.find_n(`\-\-virtual\s.?[a-zA-Z\-]+\s`, commands, -1)
+ commands_trim = replace(commands, virtual[0], "")
+ apk := regex.find_n(`apk (-(-)?[a-zA-Z]+ *)*add`, commands_trim, -1)
 apk != null
 packages = dockerLib.getPackages(commands_trim, apk)
@@ -37,9 +37,9 @@ CxPolicy[result] {
 count(resource.Value) == 1
 commands := resource.Value[0]
- virtual := regex.find_n("\\-t\\s.?[a-zA-Z\\-]+\\s", commands, -1)
- commands_trim = replace(commands, virtual[0],"")
- apk := regex.find_n("apk (-(-)?[a-zA-Z]+ *)*add", commands_trim, -1)
+ virtual := regex.find_n(`\-t\s.?[a-zA-Z\-]+\s`, commands, -1)
+ commands_trim = replace(commands, virtual[0], "")
+ apk := regex.find_n(`apk (-(-)?[a-zA-Z]+ *)*add`, commands_trim, -1)
 apk != null
 packages = dockerLib.getPackages(commands_trim, apk)
@@ -64,9 +64,9 @@ CxPolicy[result] {
 count(resource.Value) == 1
 commands := resource.Value[0]
- not regex.match("\\-\\-virtual\\s.?[a-zA-Z\\-]+\\s", commands)
- not regex.match("\\-t\\s.?[a-zA-Z\\-]+\\s", commands)
- apk := regex.find_n("apk (-(-)?[a-zA-Z]+ *)*add", commands, -1)
+ not regex.match(`\-\-virtual\s.?[a-zA-Z\\-]+\s`, commands)
+ not regex.match(`\-t\s.?[a-zA-Z\\-]+\\s`, commands)
+ apk := regex.find_n(`apk (-(-)?[a-zA-Z]+ *)*add`, commands, -1)
 apk != null
 packages = dockerLib.getPackages(commands, apk)
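Review bot: The third hunk of unpinned_package_version_in_apk_add converts the two `not regex.match` guards differently from the identical patterns in the first two hunks: both keep a doubled `\\-` inside the character class, which in a raw string adds a literal backslash to the class, and the `-t` guard ends in `\\s`, which is now a literal backslash followed by `s` rather than a whitespace escape. That `-t` guard will practically never match, so the rule meant to cover only the plain `apk add` form no longer excludes `apk add -t ...` commands and such a RUN can be reported by two rules. Use the same raw strings the hunks above settled on: `` not regex.match(`\-\-virtual\s.?[a-zA-Z\-]+\s`, commands) `` and `` not regex.match(`\-t\s.?[a-zA-Z\-]+\s`, commands) ``. The enclosing CxPolicy body starts and ends outside this hunk.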
@@ -89,14 +89,14 @@ CxPolicy[result] {
 resource := input.document[i].command[name][_]
 resource.Cmd == "run"
- count(resource.Value) > 1
+ count(resource.Value) > 1
- dockerLib.arrayContains(resource.Value, {"apk", "add"})
+ dockerLib.arrayContains(resource.Value, {"apk", "add"})
 resource.Value[j] != "apk"
 resource.Value[j] != "add"
- regex.match("^[a-zA-Z]", resource.Value[j]) == true
+ regex.match(`^[a-zA-Z]`, resource.Value[j]) == true
 not dockerLib.withVersion(resource.Value[j])
 result := {
@@ -110,13 +110,13 @@ CxPolicy[result] {
 analyzePackages(j, currentPackage, packages, length) {
 j == length - 1
- regex.match("^[a-zA-Z]", currentPackage) == true
+ regex.match(`^[a-zA-Z]`, currentPackage) == true
 not dockerLib.withVersion(currentPackage)
 }
 analyzePackages(j, currentPackage, packages, length) {
 j != length - 1
- regex.match("^[a-zA-Z]", currentPackage) == true
- packages[plus(j, 1)] != "-v"
+ regex.match(`^[a-zA-Z]`, currentPackage) == true
+ packages[j + 1] != "-v"
 not dockerLib.withVersion(currentPackage)
 }
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
index 268199179fb..cd97730ac34 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
+++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
@@ -11,12 +11,12 @@ CxPolicy[result] {
 count(resource.Value) == 1
 commands := resource.Value[0]
- yum := regex.find_n("pip(3)? (-(-)?[a-zA-Z]+ *)*install", commands, -1)
+ yum := regex.find_n(`pip(3)? (-(-)?[a-zA-Z]+ *)*install`, commands, -1)
 yum != null
 packages = dockerLib.getPackages(commands, yum)
- refactorPackages = [ x | x := packages[_]; x != ""]
- length := count(refactorPackages)
+ refactorPackages = [x | x := packages[_]; x != ""]
+ length := count(refactorPackages)
 count({x | x := refactorPackages[_]; x == flags[_]}) == 0
@@ -44,7 +44,7 @@ CxPolicy[result] {
 resource.Value[j] != "pip"
 resource.Value[j] != "pip3"
- regex.match("^[a-zA-Z]", resource.Value[j]) == true
+ regex.match(`^[a-zA-Z]`, resource.Value[j]) == true
 not dockerLib.withVersion(resource.Value[j])
 result := {
@@ -64,13 +64,13 @@ isPip(command) {
 analyzePackages(j, currentPackage, _, length) {
 j == length - 1
- regex.match("^[a-zA-Z]", currentPackage) == true
+ regex.match(`^[a-zA-Z]`, currentPackage) == true
 not dockerLib.withVersion(currentPackage)
 }
 analyzePackages(j, currentPackage, packages, length) {
 j != length - 1
- regex.match("^[a-zA-Z]", currentPackage) == true
- packages[plus(j, 1)] != "-v"
+ regex.match(`^[a-zA-Z]`, currentPackage) == true
+ packages[j + 1] != "-v"
 not dockerLib.withVersion(currentPackage)
 }
diff --git a/assets/queries/dockerfile/update_instruction_alone/query.rego b/assets/queries/dockerfile/update_instruction_alone/query.rego
index 9bf0c5837c4..914c9da9320 100644
--- a/assets/queries/dockerfile/update_instruction_alone/query.rego
+++ b/assets/queries/dockerfile/update_instruction_alone/query.rego
@@ -6,20 +6,20 @@ CxPolicy[result] {
 resource.Cmd == "run"
 count(resource.Value) == 1
 command := resource.Value[0]
- commandList := split(command, " ")
- commandRefactor := [x | x := commandList[_]; x != ""]
- packages := [l | commandRefactor[0] == pkg[l]]
- count(packages) > 0
- packageManager := pkg[packages[0]]
+ commandList := split(command, " ")
+ commandRefactor := [x | x := commandList[_]; x != ""]
+ packages := [l | commandRefactor[0] == pkg[l]]
+ count(packages) > 0
+ packageManager := pkg[packages[0]]
 update := [x | x := getDetail(commandRefactor, pkg_updater[packageManager][_]); count(x) > 0]
- count(update) > 0
+ count(update) > 0
 install := [x | x := getDetail(commandRefactor, pkg_installer[packageManager][_]); count(x) > 0]
- count(install) > 0
+ count(install) > 0
 not checkFollowedBy(update, install)
-
+
 result := {
 "documentId": input.document[i].id,
 "searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, resource.Value[0]]),
@@ -30,35 +30,35 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
- #Check if there is Update Command without Install Command
+ # Check if there is Update Command without Install Command
 resource := input.document[i].command[name][n]
 commandRefactor := getRunCommand(resource)
- packages := [l | commandRefactor[0] == pkg[l]]
- count(packages) > 0
- packageManager := pkg[packages[0]]
+ packages := [l | commandRefactor[0] == pkg[l]]
+ count(packages) > 0
+ packageManager := pkg[packages[0]]
 update := [x | x := getDetail(commandRefactor, pkg_updater[packageManager][_]); count(x) > 0]
- count(update) > 0
+ count(update) > 0
 install := [x | x := getDetail(commandRefactor, pkg_installer[packageManager][_]); count(x) > 0]
- count(install) == 0
-
- #Check if any of the next commands is RUN install Command and there is not Update Command
- nextResources := array.slice(input.document[i].command[name], n+1, count(input.document[i].command[name]))
- nextResource := nextResources[_]
+ count(install) == 0
+
+ # Check if any of the next commands is RUN install Command and there is not Update Command
+ nextResources := array.slice(input.document[i].command[name], n + 1, count(input.document[i].command[name]))
+ nextResource := nextResources[_]
 nextCommandRefactor := getRunCommand(nextResource)
- nextPackages := [l | nextCommandRefactor[0] == pkg[l]]
- count(nextPackages) > 0
- nextPackageManager := pkg[nextPackages[0]]
+ nextPackages := [l | nextCommandRefactor[0] == pkg[l]]
+ count(nextPackages) > 0
+ nextPackageManager := pkg[nextPackages[0]]
 nextPackageManager == packageManager
-
+
 nextInstall := [x | x := getDetail(nextCommandRefactor, pkg_installer[nextPackageManager][_]); count(x) > 0]
- count(nextInstall) > 0
+ count(nextInstall) > 0
 nextUpdate := [x | x := getDetail(nextCommandRefactor, pkg_updater[nextPackageManager][_]); count(x) > 0]
- count(nextUpdate) == 0
-
- result := {
+ count(nextUpdate) == 0
+
+ result := {
 "documentId": input.document[i].id,
 "searchKey":
sprintf("FROM={{%s}}.RUN={{%s}}", [name, nextResource.Value[0]]),
 "issueType": "IncorrectValue",
@@ -68,46 +68,45 @@ CxPolicy[result] {
 }
 pkg := [
- "apt-get",
- "apk",
- "yum",
- "dnf",
- "zypper",
- "pacman",
- "apt",
- "pkg_add"
+ "apt-get",
+ "apk",
+ "yum",
+ "dnf",
+ "zypper",
+ "pacman",
+ "apt",
+ "pkg_add",
 ]
 pkg_updater := {
- "apt-get": ["update"],
- "apk": ["update"],
- "yum": ["update"],
- "dnf": ["update"],
- "zypper": ["refresh"],
- "pacman": ["-Syu"],
- "apt": ["update"],
+ "apt-get": ["update"],
+ "apk": ["update"],
+ "yum": ["update"],
+ "dnf": ["update"],
+ "zypper": ["refresh"],
+ "pacman": ["-Syu"],
+ "apt": ["update"],
 }
 pkg_installer := {
- "apt-get": ["install", "source-install", "reinstall"],
- "apk": ["add"],
- "yum": ["install"],
- "dnf": ["install"],
- "zypper": ["install"],
- "pacman": ["-S"],
- "apt": ["install"],
+ "apt-get": ["install", "source-install", "reinstall"],
+ "apk": ["add"],
+ "yum": ["install"],
+ "dnf": ["install"],
+ "zypper": ["install"],
+ "pacman": ["-S"],
+ "apt": ["install"],
 }
-
 getRunCommand(resource) = commandRefactor {
 resource.Cmd == "run"
 count(resource.Value) == 1
 command := resource.Value[0]
- commandList := split(command, " ")
- commandRefactor := [x | x := commandList[_]; x != ""]
+ commandList := split(command, " ")
+ commandRefactor := [x | x := commandList[_]; x != ""]
 }
-getDetail(commandRefactor, value) = list{
+getDetail(commandRefactor, value) = list {
 list := [u | commandRefactor[u] == value]
 }
diff --git a/assets/queries/dockerfile/using_unnamed_build_stages/query.rego b/assets/queries/dockerfile/using_unnamed_build_stages/query.rego
index ff621dc15f8..257e7033b11 100644
--- a/assets/queries/dockerfile/using_unnamed_build_stages/query.rego
+++ b/assets/queries/dockerfile/using_unnamed_build_stages/query.rego
@@ -1,15 +1,13 @@ package Cx
 CxPolicy[result] {
- commands := input.document[i].command[name][_]
-
+ commands.Cmd == "copy"
- flags := commands.Flags
- contains(flags[f], "--from=")
- flag_split := split(flags[f], "=")
- to_number(flag_split[1]) > -1
-
+ flags := commands.Flags
+ contains(flags[f], "--from=")
+ flag_split := split(flags[f], "=")
+ to_number(flag_split[1]) > -1
 result := {
 "documentId": input.document[i].id,
diff --git a/assets/queries/dockerfile/workdir_path_not_absolute/query.rego b/assets/queries/dockerfile/workdir_path_not_absolute/query.rego
index a6d8fbeabf3..c5165a2aa65 100644
--- a/assets/queries/dockerfile/workdir_path_not_absolute/query.rego
+++ b/assets/queries/dockerfile/workdir_path_not_absolute/query.rego
@@ -3,12 +3,12 @@ package Cx
 CxPolicy[result] {
 resource := input.document[i].command[name][_]
 resource.Cmd == "workdir"
- not regex.match("(^\"?/[A-z0-9-_+]*)|(^\"?[A-z0-9-_+]:\\\\.*)|(^\"?\\$[{}A-z0-9-_+].*)", resource.Value[0])
+ not regex.match(`(^\"?/[A-z0-9-_+]*)|(^\"?[A-z0-9-_+]:\\.*)|(^\"?\$[{}A-z0-9-_+].*)`, resource.Value[0])
 result := {
 "documentId": input.document[i].id,
 "searchKey": sprintf("FROM={{%s}}.WORKDIR={{%s}}", [name, resource.Value[0]]),
- "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute"
+ "issueType": "IncorrectValue", # "MissingAttribute" / "RedundantAttribute"
 "keyExpectedValue": "'WORKDIR' Command has absolute path",
 "keyActualValue": "'WORKDIR' Command doesn't have absolute path",
 }
diff --git a/assets/queries/dockerfile/yum_clean_all_missing/query.rego b/assets/queries/dockerfile/yum_clean_all_missing/query.rego
index 556f93f16b5..3b7a346f9ad 100644
--- a/assets/queries/dockerfile/yum_clean_all_missing/query.rego
+++ b/assets/queries/dockerfile/yum_clean_all_missing/query.rego
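Review bot: As rendered, the using_unnamed_build_stages hunk removes `commands := input.document[i].command[name][_]` and only re-adds `commands.Cmd == "copy"` beneath it, so on the new side `commands` is dereferenced without ever being bound, which OPA rejects as an unsafe variable at compile time. If the collapsed rendering merely dropped a `+` line that restores the assignment, this is moot; otherwise the line `commands := input.document[i].command[name][_]` has to come back directly after `CxPolicy[result] {`, before the `commands.Cmd` check. The rule body continues past the end of the hunk.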
@@ -10,7 +10,7 @@ CxPolicy[result] {
 command := resource.Value[0]
- output := regex.match("yum (-[a-zA-Z]+ *)*install", command)
+ output := regex.match(`yum (-[a-zA-Z]+ *)*install`, command)
 output == true
 not containsCleanAfterYum(command)
@@ -25,7 +25,7 @@ CxPolicy[result] {
 }
 containsCleanAfterYum(command) {
- yumInstallCommand := regex.find_n("yum (-[a-zA-Z]+ *)*install", command, -1)
+ yumInstallCommand := regex.find_n(`yum (-[a-zA-Z]+ *)*install`, command, -1)
 install := indexof(command, yumInstallCommand[0])
 install != -1
diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego
index 1c7fb4f21b6..ed8b613399d 100644
--- a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego
+++ b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego
@@ -26,7 +26,7 @@ CxPolicy[result] {
 resource.Cmd == "run"
 count(resource.Value) > 1
- dockerLib.arrayContains(resource.Value, {"yum", "install"})
+ dockerLib.arrayContains(resource.Value, {"yum", "install"})
 not avoidManualInputInList(resource.Value)
@@ -40,19 +40,19 @@ CxPolicy[result] {
 }
 
 isYumInstall(command) {
- regex.match("yum (-(-)?[a-zA-Z]+ *)*(group|local)?install", command)
+ regex.match(`yum (-(-)?[a-zA-Z]+ *)*(group|local)?install`, command)
 }
 
 avoidManualInput(command) {
- regex.match("yum (-(-)?[a-zA-Z]+ *)*(-y|-yes|--assumeyes) (-(-)?[a-zA-Z]+ *)*(group|local)?install", command)
+ regex.match(`yum (-(-)?[a-zA-Z]+ *)*(-y|-yes|--assumeyes) (-(-)?[a-zA-Z]+ *)*(group|local)?install`, command)
 }
 
 avoidManualInput(command) {
- regex.match("yum (-(-)?[a-zA-Z]+ *)*(group|local)?install (-(-)?[a-zA-Z]+ *)*(-y|-yes|--assumeyes)", command)
+ regex.match(`yum (-(-)?[a-zA-Z]+ *)*(group|local)?install (-(-)?[a-zA-Z]+ *)*(-y|-yes|--assumeyes)`, command)
 }
 
 avoidManualInput(command) {
- regex.match("yum (-(-)?[a-zA-Z]+ *)*(group|local)?install ([A-Za-z0-9-:=.$_]+ *)*(-y|-yes|--assumeyes)", command)
+ regex.match(`yum (-(-)?[a-zA-Z]+ *)*(group|local)?install ([A-Za-z0-9-:=.$_]+ *)*(-y|-yes|--assumeyes)`, command)
 }
 
 avoidManualInputInList(command) {
diff --git a/assets/queries/dockerfile/yum_install_without_version/query.rego b/assets/queries/dockerfile/yum_install_without_version/query.rego
index ba076207c18..2b5f2b97c2b 100644
--- a/assets/queries/dockerfile/yum_install_without_version/query.rego
+++ b/assets/queries/dockerfile/yum_install_without_version/query.rego
@@ -9,7 +9,7 @@ CxPolicy[result] {
 count(resource.Value) == 1
 commands := resource.Value[0]
- yum := regex.find_n("yum (-(-)?[a-zA-Z]+ *)*(group|local)?install", commands, -1)
+ yum := regex.find_n(`yum (-(-)?[a-zA-Z]+ *)*(group|local)?install`, commands, -1)
 yum != null
 packages = dockerLib.getPackages(commands, yum)
@@ -33,11 +33,11 @@ CxPolicy[result] {
 count(resource.Value) > 1
- dockerLib.arrayContains(resource.Value, {"yum", "install"})
+ dockerLib.arrayContains(resource.Value, {"yum", "install"})
 resource.Value[j] != "install"
 resource.Value[j] != "yum"
- regex.match("^[a-zA-Z]", resource.Value[j]) == true
+ regex.match(`^[a-zA-Z]`, resource.Value[j]) == true
 not dockerLib.withVersion(resource.Value[j])
 result := {
@@ -51,13 +51,13 @@ CxPolicy[result] {
 analyzePackages(j, currentPackage, packages, length) {
 j == length - 1
- regex.match("^[a-zA-Z]", currentPackage) == true
+ regex.match(`^[a-zA-Z]`, currentPackage) == true
 not dockerLib.withVersion(currentPackage)
 }
 
 analyzePackages(j, currentPackage, packages, length) {
 j != length - 1
- regex.match("^[a-zA-Z]", currentPackage) == true
- packages[plus(j, 1)] != "-v"
+ regex.match(`^[a-zA-Z]`, currentPackage) == true
+ packages[j + 1] != "-v"
 not dockerLib.withVersion(currentPackage)
 }
diff --git a/assets/queries/dockerfile/zypper_install_without_version/query.rego b/assets/queries/dockerfile/zypper_install_without_version/query.rego
index b39c9829bdb..e97a65f4ccc 100644
--- a/assets/queries/dockerfile/zypper_install_without_version/query.rego
+++ b/assets/queries/dockerfile/zypper_install_without_version/query.rego
@@ -9,7 +9,7 @@ CxPolicy[result] {
 count(resource.Value) == 1
 commands := resource.Value[0]
- zypper := regex.find_n("zypper (-(-)?[a-zA-Z]+ *)*in(stall)?", commands, -1)
+ zypper := regex.find_n(`zypper (-(-)?[a-zA-Z]+ *)*in(stall)?`, commands, -1)
 zypper != null
 packages = dockerLib.getPackages(commands, zypper)
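Review bot: `regex.match(...) == true` on the rewritten lines in both hunks compares a boolean with `true`, which adds nothing in Rego; the bare call `regex.match(`^[a-zA-Z]`, resource.Value[j])` (and likewise for `currentPackage`) states the same condition and reads as a plain rule body. The same four occurrences recur in the zypper_install_without_version hunks that follow, so the style fix belongs in both files. `packages[j + 1]` reads better than `plus(j, 1)`; whether `j + 1` is always in range depends on how `length` relates to `packages`, which is not visible in this hunk.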
@@ -33,11 +33,11 @@ CxPolicy[result] {
 count(resource.Value) > 1
- dockerLib.arrayContains(resource.Value, {"zypper", "install"})
+ dockerLib.arrayContains(resource.Value, {"zypper", "install"})
 resource.Value[j] != "install"
 resource.Value[j] != "zypper"
- regex.match("^[a-zA-Z]", resource.Value[j]) == true
+ regex.match(`^[a-zA-Z]`, resource.Value[j]) == true
 not dockerLib.withVersion(resource.Value[j])
 result := {
@@ -51,13 +51,13 @@ CxPolicy[result] {
 analyzePackages(j, currentPackage, packages, length) {
 j == length - 1
- regex.match("^[a-zA-Z]", currentPackage) == true
+ regex.match(`^[a-zA-Z]`, currentPackage) == true
 not dockerLib.withVersion(currentPackage)
 }
 
 analyzePackages(j, currentPackage, packages, length) {
 j != length - 1
- regex.match("^[a-zA-Z]", currentPackage) == true
- packages[plus(j, 1)] != "-v"
+ regex.match(`^[a-zA-Z]`, currentPackage) == true
+ packages[j + 1] != "-v"
 not dockerLib.withVersion(currentPackage)
 }
diff --git a/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/query.rego b/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/query.rego
index 49e2a05daac..47fb5357c62 100644
--- a/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/query.rego
+++ b/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'versioning' should be defined and not null",
- "keyActualValue": "'versioning' is undefined or null",
+ "keyActualValue": "'versioning' is undefined or null",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties"], []),
 }
 }
@@ -33,7 +33,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.versioning", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'versioning.enabled' should be defined and not null",
- "keyActualValue": "'versioning.enabled' is undefined or null",
+ "keyActualValue": "'versioning.enabled' is undefined or null",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "versioning"], []),
 }
 }
@@ -51,7 +51,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.versioning.enabled", [resource.name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'versioning.enabled' should be true",
- "keyActualValue": "'versioning.enabled' is false",
+ "keyActualValue": "'versioning.enabled' is false",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "versioning", "enabled"], []),
 }
 }
diff --git a/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/query.rego
index 32fef3a3709..cdf1973e4eb 100644
--- a/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/query.rego
+++ b/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'masterAuth' should be defined and not null",
- "keyActualValue": "'masterAuth' is undefined or null",
+ "keyActualValue": "'masterAuth' is undefined or null",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties"], []),
 }
 }
@@ -33,7 +33,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.masterAuth", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'masterAuth.clientCertificateConfig' should be defined and not null",
- "keyActualValue": "'masterAuth.clientCertificateConfig' is undefined or null",
+ "keyActualValue": "'masterAuth.clientCertificateConfig' is undefined or null",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "masterAuth"], []),
 }
 }
@@ -51,7 +51,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.masterAuth.clientCertificateConfig.issueClientCertificate", [resource.name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'masterAuth.clientCertificateConfig.issueClientCertificate' should be true",
- "keyActualValue": "'masterAuth.clientCertificateConfig.issueClientCertificate' is false",
+ "keyActualValue": "'masterAuth.clientCertificateConfig.issueClientCertificate' is false",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "masterAuth", "clientCertificateConfig", "issueClientCertificate"], []),
 }
 }
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/query.rego b/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/query.rego
index 20776e97d3f..3a5465df4ae 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/query.rego
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/query.rego
@@ -75,4 +75,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "defaultObjectAcl", j, "entity"], []),
 }
 }
-
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/query.rego
index 1a91ddc8eb6..3c7304a02ac 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/query.rego
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/query.rego
@@ -37,4 +37,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "versioning", "enabled"], []),
 }
 }
-
diff --git a/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/query.rego
index 5c78c613cc2..4821c8a32d1 100644
--- a/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/query.rego
+++ b/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'resourceLabels' should be defined and not null",
- "keyActualValue": "'resourceLabels' is undefined or null",
+ "keyActualValue": "'resourceLabels' is undefined or null",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties"], []),
 }
 }
diff --git a/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/query.rego b/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/query.rego
index 99266fd1944..af2b35f3bc4 100644
--- a/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/query.rego
+++ b/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.config.imageType", [resource.name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'config.imageType' should start with 'cos'",
- "keyActualValue": sprintf("'config.imageType' is %s", [resource.properties.config.imageType]),
+ "keyActualValue": sprintf("'config.imageType' is %s", [resource.properties.config.imageType]),
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "config", "imageType"], []),
 }
 }
diff --git a/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/query.rego
index 67beb6c9880..c9ee6510531 100644
--- a/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/query.rego
+++ b/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/query.rego
@@ -1,6 +1,7 @@
 package Cx
 
 import data.generic.common as common_lib
+import future.keywords.in
 
 CxPolicy[result] {
 resource := input.document[i].resources[idx]
@@ -62,11 +63,11 @@ CxPolicy[result] {
 }
 }
 
-valid_disk_resources := ["compute.beta.disk","compute.v1.disk"]
+valid_disk_resources := ["compute.beta.disk", "compute.v1.disk"]
 
 CxPolicy[result] {
 resource := input.document[i].resources[idx]
- resource.type == valid_disk_resources[_]
+ resource.type in valid_disk_resources
 disk := resource.properties
 not common_lib.valid_key(disk, "diskEncryptionKey")
@@ -85,7 +86,7 @@ CxPolicy[result] {
 resource := input.document[i].resources[idx]
- resource.type == valid_disk_resources[_]
+ resource.type in valid_disk_resources
 disk := resource.properties
 not common_lib.valid_key(disk.diskEncryptionKey, "rawKey")
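Review bot: `valid_disk_resources` is declared as an array on the rewritten `valid_disk_resources := [...]` line here but as a set in the gcp_bom/pd query at the end of this diff, and now that every use is `resource.type in valid_disk_resources` the set form `{"compute.beta.disk", "compute.v1.disk"}` is the better fit: membership is the only operation and a set cannot hold duplicates. Keeping both declarations in the same shape also makes them easier to find and update together. The remaining `resource.type in valid_disk_resources` rewrite for this file is in the hunk that follows on the next line.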
@@ -99,13 +100,13 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'disk_encryption_key.rawKey' or 'disk_encryption_key.kmsKeyName' should be defined and not null",
 "keyActualValue": "'disk_encryption_key.rawKey' and 'disk_encryption_key.kmsKeyName' are undefined or null",
- "searchLine": common_lib.build_search_line(["resources", idx, "properties","diskEncryptionKey"], []),
+ "searchLine": common_lib.build_search_line(["resources", idx, "properties", "diskEncryptionKey"], []),
 }
 }
 
 CxPolicy[result] {
 resource := input.document[i].resources[idx]
- resource.type == valid_disk_resources[_]
+ resource.type in valid_disk_resources
 disk := resource.properties
 disk.diskEncryptionKey[fields[f]] == ""
@@ -118,8 +119,6 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'diskEncryptionKey.%s' should not be empty", [fields[f]]),
 "keyActualValue": sprintf("'diskEncryptionKey.%s' is empty", [fields[f]]),
- "searchLine": common_lib.build_search_line(["resources", idx, "properties","diskEncryptionKey", fields[f]], []),
+ "searchLine": common_lib.build_search_line(["resources", idx, "properties", "diskEncryptionKey", fields[f]], []),
 }
 }
-
-
diff --git a/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/query.rego b/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/query.rego
index 0e50ad8456d..d413bc775be 100644
--- a/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/query.rego
+++ b/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.legacyAbac.enabled", [resource.name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'legacyAbac.enabled' should be false",
- "keyActualValue": "'legacyAbac.enabled' is true",
+ "keyActualValue": "'legacyAbac.enabled' is true",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "legacyAbac", "enabled"], []),
 }
 }
diff --git a/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/query.rego
index 31251de95cc..99d6e3b1347 100644
--- a/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/query.rego
+++ b/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'masterAuthorizedNetworksConfig' should be defined and not null",
- "keyActualValue": "'masterAuthorizedNetworksConfig' is undefined or null",
+ "keyActualValue": "'masterAuthorizedNetworksConfig' is undefined or null",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties"], []),
 }
 }
@@ -33,7 +33,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.masterAuthorizedNetworksConfig", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'masterAuthorizedNetworksConfig.enabled' should be defined and not null",
- "keyActualValue": "'masterAuthorizedNetworksConfig.enabled' is undefined or null",
+ "keyActualValue": "'masterAuthorizedNetworksConfig.enabled' is undefined or null",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "masterAuthorizedNetworksConfig"], []),
 }
 }
@@ -51,7 +51,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.masterAuthorizedNetworksConfig.enabled", [resource.name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'masterAuthorizedNetworksConfig.enabled' should be true",
- "keyActualValue": "'masterAuthorizedNetworksConfig.enabled' is false",
+ "keyActualValue": "'masterAuthorizedNetworksConfig.enabled' is false",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "masterAuthorizedNetworksConfig", "enabled"], []),
 }
 }
diff --git a/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/query.rego
index c93d6773388..9c0b13a94f0 100644
--- a/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/query.rego
+++ b/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'ipAllocationPolicy' should be defined and not null",
- "keyActualValue": "'ipAllocationPolicy' is undefined or null",
+ "keyActualValue": "'ipAllocationPolicy' is undefined or null",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties"], []),
 }
 }
@@ -33,7 +33,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.ipAllocationPolicy", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'ipAllocationPolicy.useIpAliases' should be defined and not null",
- "keyActualValue": "'ipAllocationPolicy.useIpAliases' is undefined or null",
+ "keyActualValue": "'ipAllocationPolicy.useIpAliases' is undefined or null",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "ipAllocationPolicy"], []),
 }
 }
@@ -51,7 +51,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.ipAllocationPolicy.useIpAliases", [resource.name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'ipAllocationPolicy.useIpAliases' should be true",
- "keyActualValue": "'ipAllocationPolicy.useIpAliases' is false",
+ "keyActualValue": "'ipAllocationPolicy.useIpAliases' is false",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "ipAllocationPolicy", "useIpAliases"], []),
 }
 }
diff --git a/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/query.rego b/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/query.rego
index 0a217b9a547..8e6f7771128 100644
--- a/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/query.rego
+++ b/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.canIpForward", [resource.name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'canIpForward' should not be set to true",
- "keyActualValue": "'canIpForward' is set to true",
+ "keyActualValue": "'canIpForward' is set to true",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "canIpForward"], []),
 }
 }
diff --git a/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/query.rego b/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/query.rego
index 9a6ebe8a2cb..6f3642bf807 100644
--- a/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/query.rego
+++ b/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/query.rego
@@ -17,7 +17,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.settings.databaseFlags[%d]", [resource.name, f]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'settings.databaseFlags[%d]' should be 'off'", [f]),
- "keyActualValue": sprintf("'settings.databaseFlags[%d]' is equal to 'on'", [f]),
+ "keyActualValue": sprintf("'settings.databaseFlags[%d]' is equal to 'on'", [f]),
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "settings", "databaseFlags", f], []),
 }
 }
diff --git a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/query.rego
index 4b8ebfa3eea..4602375e3ec 100644
--- a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/query.rego
+++ b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'networkPolicy' should be defined and not null",
- "keyActualValue": "'networkPolicy' is undefined or null",
+ "keyActualValue": "'networkPolicy' is undefined or null",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties"], []),
 }
 }
@@ -33,7 +33,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.networkPolicy", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'networkPolicy.enabled' should be defined and not null",
- "keyActualValue": "'networkPolicy.enabled' is undefined or null",
+ "keyActualValue": "'networkPolicy.enabled' is undefined or null",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "networkPolicy"], []),
 }
 }
@@ -51,7 +51,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.networkPolicy.enabled", [resource.name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'networkPolicy.enabled' should be true",
- "keyActualValue": "'networkPolicy.enabled' is false",
+ "keyActualValue": "'networkPolicy.enabled' is false",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "networkPolicy", "enabled"], []),
 }
 }
@@ -69,7 +69,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'addonsConfig' should be defined and not null",
- "keyActualValue": "'addonsConfig' is undefined or null",
+ "keyActualValue": "'addonsConfig' is undefined or null",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties"], []),
 }
 }
@@ -87,7 +87,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.addonsConfig", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'addonsConfig.networkPolicyConfig' should be defined and not null",
- "keyActualValue": "'addonsConfig.networkPolicyConfig' is undefined or null",
+ "keyActualValue": "'addonsConfig.networkPolicyConfig' is undefined or null",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "addonsConfig"], []),
 }
 }
@@ -105,7 +105,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.addonsConfig.networkPolicyConfig", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'addonsConfig.networkPolicyConfig.disabled' should be defined and not null",
- "keyActualValue": "'addonsConfig.networkPolicyConfig.disabled' is undefined or null",
+ "keyActualValue": "'addonsConfig.networkPolicyConfig.disabled' is undefined or null",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "addonsConfig", "networkPolicyConfig"], []),
 }
 }
@@ -123,7 +123,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.addonsConfig.networkPolicyConfig.disabled", [resource.name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'addonsConfig.networkPolicyConfig.disabled' should be false",
- "keyActualValue": "'addonsConfig.networkPolicyConfig.disabled' is true",
+ "keyActualValue": "'addonsConfig.networkPolicyConfig.disabled' is true",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "addonsConfig", "networkPolicyConfig", "disabled"], []),
 }
 }
diff --git a/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/query.rego
index 2a0b9073f8d..6560c2467a0 100644
--- a/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/query.rego
+++ b/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'nodePools' should be defined and not null",
- "keyActualValue": "'nodePools' is undefined or null",
+ "keyActualValue": "'nodePools' is undefined or null",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties"], []),
 }
 }
@@ -33,7 +33,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.nodePools", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'nodePools.management' should be defined and not null",
- "keyActualValue": "'nodePools.management' is undefined or null",
+ "keyActualValue": "'nodePools.management' is undefined or null",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "nodePools"], []),
 }
 }
@@ -51,7 +51,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.nodePools.management", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'nodePools.management.autoUpgrade' should be defined and not null",
- "keyActualValue": "'nodePools.management.autoUpgrade' is undefined or null",
+ "keyActualValue": "'nodePools.management.autoUpgrade' is undefined or null",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "nodePools", "management"], []),
 }
 }
@@ -69,7 +69,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.nodePools.management.autoUpgrade", [resource.name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'nodePools.management.autoUpgrade' should be true",
- "keyActualValue": "'nodePools.management.autoUpgrade' is false",
+ "keyActualValue": "'nodePools.management.autoUpgrade' is false",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "nodePools", "management", "autoUpgrade"], []),
 }
 }
diff --git a/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/query.rego b/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/query.rego
index cfe5d0748d2..1c925261e48 100644
--- a/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/query.rego
+++ b/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/query.rego
@@ -16,7 +16,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.metadata.items[%d]", [resource.name, j]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'metadata.items[%d]'.value should be true", [j]),
- "keyActualValue": sprintf("'metadata.items[%d]'.value is false", [j]),
+ "keyActualValue": sprintf("'metadata.items[%d]'.value is false", [j]),
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "metadata", "items", j, "value"], []),
 }
 }
diff --git a/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/query.rego
index ded50455674..518251d6ebc 100644
--- a/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/query.rego
+++ b/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/query.rego
@@ -35,7 +35,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.privateClusterConfig", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'%s' should be defined and not null", [fields[f]]),
- "keyActualValue": sprintf("'%s' is undefined or null", [fields[f]]),
+ "keyActualValue": sprintf("'%s' is undefined or null", [fields[f]]),
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "privateClusterConfig"], []),
 }
 }
@@ -53,7 +53,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.privateClusterConfig.%s", [resource.name, fields[f]]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'%s' should be set to true", [fields[f]]),
- "keyActualValue": sprintf("'%s' is set to false", [fields[f]]),
+ "keyActualValue": sprintf("'%s' is set to false", [fields[f]]),
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "privateClusterConfig", fields[f]], []),
 }
 }
diff --git a/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/query.rego b/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/query.rego
index faa7da8866f..f63c23fdcb8 100644
--- a/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/query.rego
+++ b/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'metadata' should be defined and not null",
- "keyActualValue": "'metadata' is undefined or null",
+ "keyActualValue": "'metadata' is undefined or null",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties"], []),
 }
 }
@@ -33,7 +33,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.metadata.items", [resource.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'metadata.items' should have 'block-project-ssh-keys'",
- "keyActualValue": "'metadata.items' does not have 'block-project-ssh-keys'",
+ "keyActualValue": "'metadata.items' does not have 'block-project-ssh-keys'",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "metadata", "items"], []),
 }
 }
@@ -52,7 +52,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.metadata.items[%d].key", [resource.name, j]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'metadata.items[%d].value' should be true", [j]),
- "keyActualValue": sprintf("'metadata.items[%d].value' is false", [j]),
+ "keyActualValue": sprintf("'metadata.items[%d].value' is false", [j]),
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "metadata", "items", j, "value"], []),
 }
 }
diff --git a/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/query.rego b/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/query.rego
index e0108f6f05e..e24a695a381 100644
--- a/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/query.rego
+++ b/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/query.rego
@@ -18,7 +18,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.allowed", [resource.name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'allowed.ports' to not include RDP port 3389",
- "keyActualValue": "'allowed.ports' includes RDP port 3389",
+ "keyActualValue": "'allowed.ports' includes RDP port 3389",
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "allowed", a], []),
 }
 }
@@ -36,7 +36,7 @@ isRDPport(allow) {
 to_number(allow.ports[j]) == 3389
 } else {
 not allow.ports
- isTCPorUDP(allow.IPProtocol)
+ isTCPorUDP(allow.IPProtocol)
 }
 
 isInBounds(low, high) {
diff --git a/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/query.rego b/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/query.rego
index 7957957b2ed..3610b866604 100644
--- a/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/query.rego
+++ b/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/query.rego
@@ -18,7 +18,7 @@ CxPolicy[result] {
 "searchKey": sprintf("resources.name={{%s}}.properties.allowed[%d].ports=%s", [resource.name, ports]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'allowed[%d].ports' to not include SSH port 22", [a]),
- "keyActualValue": sprintf("'allowed[%d].ports' includes SSH port 22", [a]),
+ "keyActualValue": sprintf("'allowed[%d].ports' includes SSH port 22", [a]),
 "searchLine": common_lib.build_search_line(["resources", idx, "properties", "allowed", a, "ports"], []),
 }
 }
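Review bot: The `searchKey` line at the top of the ssh_access_is_not_restricted hunk has three format verbs (`%s`, `%d`, `%s`) but only two arguments, `[resource.name, ports]`; OPA hands sprintf to Go's fmt, so the key presumably comes out with `%!d(string=...)`/`%!s(MISSING)` fragments and the finding cannot be mapped back to its `allowed[%d].ports` location. The index `a` used two lines down is the missing middle argument: `sprintf("resources.name={{%s}}.properties.allowed[%d].ports=%s", [resource.name, a, ports])`. Regal's sprintf-arguments-mismatch rule reports exactly this, so enabling it for the pass that touches this file would surface any siblings. The rule body begins outside the hunk.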
@@ -29,19 +29,19 @@ isSSHport(allow) = ports { low_bound := to_number(port_bounds[0]) high_bound := to_number(port_bounds[1]) isInBounds(low_bound, high_bound) - ports := allow.ports[j] + ports := allow.ports[j] } isSSHport(allow) = ports { contains(allow.ports[j], "-") == false to_number(allow.ports[j]) == 22 - ports := allow.ports[j] + ports := allow.ports[j] } isSSHport(allow) = ports { not allow.ports - isTCPorAll(allow.IPProtocol) - ports := "0-65535" + isTCPorAll(allow.IPProtocol) + ports := "0-65535" } isTCPorAll(protocol) { diff --git a/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/query.rego index 0d7f73d555c..37c6355da94 100644 --- a/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/query.rego @@ -15,7 +15,7 @@ CxPolicy[result] { "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]), "issueType": "MissingAttribute", "keyExpectedValue": "'loggingService' should be defined and not null", - "keyActualValue": "'loggingService' is undefined or null", + "keyActualValue": "'loggingService' is undefined or null", "searchLine": common_lib.build_search_line(["resources", idx, "properties"], []), } } @@ -33,7 +33,7 @@ CxPolicy[result] { "searchKey": sprintf("resources.name={{%s}}.properties.loggingService", [resource.name]), "issueType": "IncorrectValue", "keyExpectedValue": "'loggingService' to not be none", - "keyActualValue": "'loggingService' is none", + "keyActualValue": "'loggingService' is none", "searchLine": common_lib.build_search_line(["resources", idx, "properties", "loggingService"], []), } } diff --git a/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/query.rego b/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/query.rego index b80d7ad70f0..c4690ba51a4 100644 
--- a/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/query.rego +++ b/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/query.rego @@ -15,7 +15,7 @@ CxPolicy[result] { "searchKey": sprintf("resources.name={{%s}}.properties", [resource.name]), "issueType": "MissingAttribute", "keyExpectedValue": "'monitoringService' should be defined and not null", - "keyActualValue": "'monitoringService' is undefined or null", + "keyActualValue": "'monitoringService' is undefined or null", "searchLine": common_lib.build_search_line(["resources", idx, "properties"], []), } } @@ -33,8 +33,7 @@ CxPolicy[result] { "searchKey": sprintf("resources.name={{%s}}.properties.monitoringService", [resource.name]), "issueType": "IncorrectValue", "keyExpectedValue": "'monitoringService' to not be 'none'", - "keyActualValue": "'monitoringService' is 'none'", + "keyActualValue": "'monitoringService' is 'none'", "searchLine": common_lib.build_search_line(["resources", idx, "properties", "monitoringService"], []), } } - diff --git a/assets/queries/googleDeploymentManager/gcp_bom/pd/query.rego b/assets/queries/googleDeploymentManager/gcp_bom/pd/query.rego index 4f11d52dda3..8fc00582c5a 100644 --- a/assets/queries/googleDeploymentManager/gcp_bom/pd/query.rego +++ b/assets/queries/googleDeploymentManager/gcp_bom/pd/query.rego @@ -1,12 +1,13 @@ package Cx import data.generic.common as common_lib +import future.keywords.in -valid_disk_resources := {"compute.beta.disk","compute.v1.disk"} +valid_disk_resources := {"compute.beta.disk", "compute.v1.disk"} CxPolicy[result] { gc_disk := input.document[i].resources[idx] - gc_disk.type == valid_disk_resources[_] + gc_disk.type in valid_disk_resources bom_output = { "resource_type": gc_disk.type, 
@@ -42,7 +43,7 @@ check_encrytion(properties) = enc_status { enc_status := "encrypted" } -check_key_empty(diskEncryptionKey){ +check_key_empty(diskEncryptionKey) { common_lib.valid_key(diskEncryptionKey, "rawKey") common_lib.emptyOrNull(diskEncryptionKey.rawKey) } else { diff --git a/assets/queries/googleDeploymentManager/gcp_bom/pst/query.rego b/assets/queries/googleDeploymentManager/gcp_bom/pst/query.rego index 3225e3455f1..13dbe3533b6 100644 --- a/assets/queries/googleDeploymentManager/gcp_bom/pst/query.rego +++ b/assets/queries/googleDeploymentManager/gcp_bom/pst/query.rego @@ -32,4 +32,3 @@ check_encrytion(properties) = enc_status { } else = enc_status { enc_status := "unencrypted" } - diff --git a/assets/queries/googleDeploymentManager/gcp_bom/sb/query.rego b/assets/queries/googleDeploymentManager/gcp_bom/sb/query.rego index b099dbcc37b..3fbcbffa316 100644 --- a/assets/queries/googleDeploymentManager/gcp_bom/sb/query.rego +++ b/assets/queries/googleDeploymentManager/gcp_bom/sb/query.rego @@ -1,6 +1,7 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { s_bucket := input.document[i].resources[idx] 
@@ -33,24 +34,24 @@ check_encrytion(properties) = enc_status { enc_status := "unencrypted" } -consideredPublicPolicyMembers := {"allUsers","allAuthenticatedUsers"} +consideredPublicPolicyMembers := {"allUsers", "allAuthenticatedUsers"} -get_accessibility(bucket_res) = accessibility_status{ +get_accessibility(bucket_res) = accessibility_status { access_control := input.document[_].resources[_] - type := lower(access_control.type) + type := lower(access_control.type) type == "storage.v1.bucketaccesscontrol" - ac_properties := access_control.properties - ac_properties.bucket == bucket_res.name - ac_properties.entity == consideredPublicPolicyMembers[_] + ac_properties := access_control.properties + ac_properties.bucket == bucket_res.name + ac_properties.entity in consideredPublicPolicyMembers accessibility_status := "public" -} else = accessibility_status{ +} else = accessibility_status { acl_list := bucket_res.properties.acl - acl_list[_].entity == consideredPublicPolicyMembers[_] + acl_list[_].entity == consideredPublicPolicyMembers[_] accessibility_status := "public" -} else = accessibility_status{ +} else = accessibility_status { def_acl_list := bucket_res.properties.defaultObjectAcl - def_acl_list[_].entity == consideredPublicPolicyMembers[_] + def_acl_list[_].entity == consideredPublicPolicyMembers[_] accessibility_status := "public" -} else = accessibility_status{ +} else = accessibility_status { accessibility_status := "unknown" } diff --git a/assets/queries/grpc/enum_name_not_camel_case/query.rego b/assets/queries/grpc/enum_name_not_camel_case/query.rego index 98fefebb469..6c93c00b5b3 100644 --- a/assets/queries/grpc/enum_name_not_camel_case/query.rego +++ b/assets/queries/grpc/enum_name_not_camel_case/query.rego @@ -6,7 +6,7 @@ CxPolicy[result] { value.enum[name] - regex.match("(^[A-Z][a-z0-9]+)+", name) == false + regex.match(`(^[A-Z][a-z0-9]+)+`, name) == false result := { "documentId": doc.id, 
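Review bot: Only the first body of `get_accessibility` was converted to the `in` operator; the second and third bodies were re-emitted in this hunk but still read `acl_list[_].entity == consideredPublicPolicyMembers[_]` and `def_acl_list[_].entity == consideredPublicPolicyMembers[_]`, even though `future.keywords.in` is now imported in this file. For consistency they should become `acl_list[_].entity in consideredPublicPolicyMembers` and `def_acl_list[_].entity in consideredPublicPolicyMembers`. Behaviour is identical either way, so this is purely a style point.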
diff --git a/assets/queries/k8s/always_admit_admission_control_plugin_set/query.rego b/assets/queries/k8s/always_admit_admission_control_plugin_set/query.rego index 13165784ade..99a6f46d7fe 100644 --- a/assets/queries/k8s/always_admit_admission_control_plugin_set/query.rego +++ b/assets/queries/k8s/always_admit_admission_control_plugin_set/query.rego @@ -23,4 +23,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } - diff --git a/assets/queries/k8s/audit_log_path_not_set/query.rego b/assets/queries/k8s/audit_log_path_not_set/query.rego index 81ba28a295f..27311518462 100644 --- a/assets/queries/k8s/audit_log_path_not_set/query.rego +++ b/assets/queries/k8s/audit_log_path_not_set/query.rego @@ -23,4 +23,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } - diff --git a/assets/queries/k8s/audit_policy_file_not_defined/query.rego b/assets/queries/k8s/audit_policy_file_not_defined/query.rego index c22526ae792..ed1f3237aaa 100644 --- a/assets/queries/k8s/audit_policy_file_not_defined/query.rego +++ b/assets/queries/k8s/audit_policy_file_not_defined/query.rego @@ -33,8 +33,7 @@ CxPolicy[result] { common_lib.inArray(container.command, "kube-apiserver") k8sLib.startWithFlag(container, "--audit-policy-file") file := getFlagFile(container, "--audit-policy-file") - not hasPolicyFile(input, file) - + not hasPolicyFile(input, file) result := { "documentId": input.document[i].id, 
@@ -48,21 +47,21 @@ CxPolicy[result] { } } -getFlagFile(container, flag) = file{ - file:= startsWithGetPath(container.command, flag) -} else = file{ - file:= startsWithGetPath(container.args, flag) +getFlagFile(container, flag) = file { + file := startsWithGetPath(container.command, flag) +} else = file { + file := startsWithGetPath(container.args, flag) } startsWithGetPath(arr, item) = file { - startswith(arr[i], item) + startswith(arr[i], item) path := split(arr[i], "=")[1] - filePath:= split(path, "/") + filePath := split(path, "/") endswith(filePath[j], ".yaml") - file:= filePath[j] + file := filePath[j] } -hasPolicyFile(inputData, file){ +hasPolicyFile(inputData, file) { inputData.document[i].kind == "Policy" - contains(inputData.document[i].file, file) + contains(inputData.document[i].file, file) } diff --git a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/query.rego b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/query.rego index f66ec507ea6..94ff436716b 100644 --- a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/query.rego +++ b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/query.rego 
@@ -5,40 +5,40 @@ import data.generic.k8s as k8sLib import future.keywords.in resources := { - {"resource": "secrets","levels": ["Metadata"]}, - {"resource": "tokenreviews","levels": ["Metadata"]}, - {"resource": "configmaps","levels": ["Metadata"]}, - {"resource": "pods","levels": ["Metadata"]}, - {"resource": "deployments","levels": ["Metadata"]}, - {"resource": "pods/exec","levels": ["Metadata","Request","RequestResponse"]}, - {"resource": "pods/portforward","levels": ["Metadata","Request","RequestResponse"]}, - {"resource": "pods/proxy","levels": ["Metadata","Request","RequestResponse"]}, - {"resource": "services/proxy","levels": ["Metadata","Request","RequestResponse"]} + {"resource": "secrets", "levels": ["Metadata"]}, + {"resource": "tokenreviews", "levels": ["Metadata"]}, + {"resource": "configmaps", "levels": ["Metadata"]}, + {"resource": "pods", "levels": ["Metadata"]}, + {"resource": "deployments", "levels": ["Metadata"]}, + {"resource": "pods/exec", "levels": ["Metadata", "Request", "RequestResponse"]}, + {"resource": "pods/portforward", "levels": ["Metadata", "Request", "RequestResponse"]}, + {"resource": "pods/proxy", "levels": ["Metadata", "Request", "RequestResponse"]}, + {"resource": "services/proxy", "levels": ["Metadata", "Request", "RequestResponse"]}, } CxPolicy[result] { - resource := input.document[i] - resource.kind == "Policy" - startswith(resource.apiVersion, "audit") - res_rules := {res_rule | rule := resource.rules[_]; rule.resources[_].resources[_] == resources[x].resource; res_rule:= {"resource": resources[x].resource , "level": rule.level}} + resource := input.document[i] + resource.kind == "Policy" + startswith(resource.apiVersion, "audit") + res_rules := {res_rule | rule := resource.rules[_]; rule.resources[_].resources[_] == resources[x].resource; res_rule := {"resource": resources[x].resource, "level": rule.level}} resource_cont := resources[_] - resource_rule := resource_cont.resource - levels := resource_cont.levels - not 
hasResourceLevel(resource_rule, levels, res_rules) + resource_rule := resource_cont.resource + levels := resource_cont.levels + not hasResourceLevel(resource_rule, levels, res_rules) result := { "documentId": input.document[i].id, - "resourceType": resource.kind, + "resourceType": resource.kind, "resourceName": "n/a", "searchKey": "kind={{Policy}}.rules", "issueType": "MissingAttribute", - "keyExpectedValue":sprintf("Resource '%s' should be defined in the following levels '%s'",[resource_rule, levels]), - "keyActualValue": sprintf("Resource '%s' is not defined in the following levels '%s'",[resource_rule, levels]), + "keyExpectedValue": sprintf("Resource '%s' should be defined in the following levels '%s'", [resource_rule, levels]), + "keyActualValue": sprintf("Resource '%s' is not defined in the following levels '%s'", [resource_rule, levels]), } } -hasResourceLevel(resource, levels, res_rules){ +hasResourceLevel(resource, levels, res_rules) { rule := res_rules[_] - rule.resource == resource - rule.level == levels[_] + rule.resource == resource + rule.level in levels } diff --git a/assets/queries/k8s/authorization_mode_node_not_set/query.rego b/assets/queries/k8s/authorization_mode_node_not_set/query.rego index 5cc5e34b332..bdb865f5d0a 100644 --- a/assets/queries/k8s/authorization_mode_node_not_set/query.rego +++ b/assets/queries/k8s/authorization_mode_node_not_set/query.rego @@ -23,4 +23,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } - diff --git a/assets/queries/k8s/authorization_mode_rbac_not_set/query.rego b/assets/queries/k8s/authorization_mode_rbac_not_set/query.rego index ab11f9f833a..ef9cc2ce2ca 100644 --- a/assets/queries/k8s/authorization_mode_rbac_not_set/query.rego +++ b/assets/queries/k8s/authorization_mode_rbac_not_set/query.rego @@ -23,4 +23,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } - 
diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/query.rego b/assets/queries/k8s/authorization_mode_set_to_always_allow/query.rego index d0209c3bbcb..4d6c2102c5b 100644 --- a/assets/queries/k8s/authorization_mode_set_to_always_allow/query.rego +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/query.rego @@ -41,4 +41,3 @@ CxPolicy[result] { "keyActualValue": "authorization.mode attribute is equal to 'AlwaysAllow'", } } - diff --git a/assets/queries/k8s/basic_auth_file_is_set/query.rego b/assets/queries/k8s/basic_auth_file_is_set/query.rego index cc21ac769e5..6f8deaaa393 100644 --- a/assets/queries/k8s/basic_auth_file_is_set/query.rego +++ b/assets/queries/k8s/basic_auth_file_is_set/query.rego @@ -21,7 +21,6 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "--basic-auth-file flag should not be set", "keyActualValue": "--basic-auth-file flag is set", - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } - diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/query.rego b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/query.rego index 64ccd86a3f3..573b7aca629 100644 --- a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/query.rego +++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/query.rego @@ -10,7 +10,7 @@ CxPolicy[result] { types := {"initContainers", "containers"} container := specInfo.spec[types[x]][j] common_lib.inArray(container.command, "kube-apiserver") - not k8sLib.startWithFlag(container,"--client-ca-file") + not k8sLib.startWithFlag(container, "--client-ca-file") result := { "documentId": input.document[i].id, 
@@ -18,9 +18,9 @@ CxPolicy[result] { "resourceName": metadata.name, "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]), "issueType": "MissingAttribute", - "keyExpectedValue": "Client Certification should be set", + "keyExpectedValue": "Client Certification should be set", "keyActualValue": "Client Certification is not set", - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } @@ -32,11 +32,11 @@ CxPolicy[result] { specInfo := k8sLib.getSpecInfo(resource) types := {"initContainers", "containers"} container := specInfo.spec[types[x]][j] - cmd := command[_] + cmd := command[_] common_lib.inArray(container.command, cmd) - k8sLib.startWithFlag(container,"--client-ca-file") - not k8sLib.startAndEndWithFlag(container,"--client-ca-file", ".crt") - not k8sLib.startAndEndWithFlag(container,"--client-ca-file", ".pem") + k8sLib.startWithFlag(container, "--client-ca-file") + not k8sLib.startAndEndWithFlag(container, "--client-ca-file", ".crt") + not k8sLib.startAndEndWithFlag(container, "--client-ca-file", ".pem") result := { "documentId": input.document[i].id, 
@@ -44,16 +44,16 @@ CxPolicy[result] { "resourceName": metadata.name, "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]), "issueType": "IncorrectValue", - "keyExpectedValue": "Client Certification should have a .pem or .crt file", + "keyExpectedValue": "Client Certification should have a .pem or .crt file", "keyActualValue": "Client Certification is not properly set", - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } CxPolicy[result] { - doc :=input.document[i] - doc.kind == "KubeletConfiguration" - notValidClientCAFile(doc) + doc := input.document[i] + doc.kind == "KubeletConfiguration" + notValidClientCAFile(doc) result := { "documentId": doc.id, 
@@ -61,32 +61,32 @@ CxPolicy[result] { "resourceName": "n/a", "searchKey": "kind={{KubeletConfiguration}}", "issueType": "MissingAttribute", - "keyExpectedValue": "Client Certification should be set", + "keyExpectedValue": "Client Certification should be set", "keyActualValue": "Client Certification is not set", } } -notValidClientCAFile(doc){ +notValidClientCAFile(doc) { not common_lib.valid_key(doc, "authentication") } else { - not common_lib.valid_key(doc.authentication,"x509") + not common_lib.valid_key(doc.authentication, "x509") } else { - not common_lib.valid_key(doc.authentication.x509,"clientCAFile") + not common_lib.valid_key(doc.authentication.x509, "clientCAFile") } CxPolicy[result] { - doc :=input.document[i] - doc.kind == "KubeletConfiguration" - not endswith(doc.authentication.x509.clientCAFile, ".pem") - not endswith(doc.authentication.x509.clientCAFile, ".crt") - + doc := input.document[i] + doc.kind == "KubeletConfiguration" + not endswith(doc.authentication.x509.clientCAFile, ".pem") + not endswith(doc.authentication.x509.clientCAFile, ".crt") + result := { "documentId": doc.id, "resourceType": doc.kind, "resourceName": "n/a", "searchKey": "kind={{KubeletConfiguration}}", "issueType": "IncorrectValue", - "keyExpectedValue": "Client Certification should have a .pem or .crt file", - "keyActualValue": "Client Certification is not properly set", + "keyExpectedValue": "Client Certification should have a .pem or .crt file", + "keyActualValue": "Client Certification is not properly set", } } diff --git a/assets/queries/k8s/cluster_allows_unsafe_sysctls/query.rego b/assets/queries/k8s/cluster_allows_unsafe_sysctls/query.rego index 6fd7dd9976e..30a5fb8d7b9 100644 --- a/assets/queries/k8s/cluster_allows_unsafe_sysctls/query.rego +++ b/assets/queries/k8s/cluster_allows_unsafe_sysctls/query.rego 
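Review bot: In the last CxPolicy rule of this hunk, `not endswith(doc.authentication.x509.clientCAFile, ".pem")` is also satisfied when `clientCAFile` is absent, because `not` over an undefined reference evaluates to true; a KubeletConfiguration with no clientCAFile therefore receives this IncorrectValue finding in addition to the MissingAttribute finding from `notValidClientCAFile`. Binding the reference first makes the body undefined when the key is missing: `file := doc.authentication.x509.clientCAFile`, then `not endswith(file, ".pem")` and `not endswith(file, ".crt")`. The earlier rules of this file start outside the hunk.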
@@ -47,7 +47,7 @@ check_unsafe(sysctl) { "net.ipv4.ip_local_port_range", "net/ipv4/ip_local_port_range", "net.ipv4.ip_unprivileged_port_start", "net/ipv4/ip_unprivileged_port_start", "net.ipv4.tcp_syncookies", "net/ipv4/tcp_syncookies", - "net.ipv4.ping_group_range", "net/ipv4/tcp_syncookies", + "net.ipv4.ping_group_range", } not safeSysctls[sysctl] } diff --git a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/query.rego b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/query.rego index aff73a0f2ca..b0355c400b0 100644 --- a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/query.rego +++ b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/query.rego @@ -1,11 +1,11 @@ package Cx -import data.generic.k8s as k8sLib import data.generic.common as common_lib +import data.generic.k8s as k8sLib CxPolicy[result] { document := input.document[i] - + common_lib.valid_key(document, "cniVersion") plugin := document.plugins[j] plugin.type == "flannel" @@ -25,10 +25,10 @@ CxPolicy[result] { CxPolicy[result] { document := input.document[i] document.kind == "ConfigMap" - - cni:= json.unmarshal(document.data["cni-conf.json"]) - plugin := cni.plugins[j] - plugin.type == "flannel" + + cni := json.unmarshal(document.data["cni-conf.json"]) + plugin := cni.plugins[j] + plugin.type == "flannel" result := { "documentId": document.id, @@ -41,4 +41,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["data", "cni-conf.json"], []), } } - diff --git a/assets/queries/k8s/container_runs_unmasked/query.rego b/assets/queries/k8s/container_runs_unmasked/query.rego index 232e60ea11e..a351c098cb3 100644 --- a/assets/queries/k8s/container_runs_unmasked/query.rego +++ b/assets/queries/k8s/container_runs_unmasked/query.rego 
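Review bot: The removed entry was a duplicate of `"net/ipv4/tcp_syncookies"`, but the slash-separated spelling of ping_group_range was never added, so the set now lists `net.ipv4.ping_group_range` in one form only while every other sysctl on the visible lines appears in both the dotted and the slash form. A pod requesting `net/ipv4/ping_group_range` would fail `not safeSysctls[sysctl]` and be reported as unsafe. The line should read `"net.ipv4.ping_group_range", "net/ipv4/ping_group_range",`. check_unsafe starts outside the hunk.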
@@ -1,11 +1,13 @@ package Cx +import future.keywords.in + CxPolicy[result] { document := input.document[i] document.kind == "PodSecurityPolicy" spec := document.spec - spec.allowedProcMountTypes[_] == "Unmasked" + "Unmasked" in spec.allowedProcMountTypes result := { "documentId": document.id, diff --git a/assets/queries/k8s/containers_run_with_low_uid/query.rego b/assets/queries/k8s/containers_run_with_low_uid/query.rego index bd17d092ddd..0b489b446ce 100644 --- a/assets/queries/k8s/containers_run_with_low_uid/query.rego +++ b/assets/queries/k8s/containers_run_with_low_uid/query.rego @@ -23,7 +23,6 @@ checkUser(specInfo, container, containerType, document, metadata) = result { # pod defines runAsUser and container inherits this setting checkUser(specInfo, container, containerType, document, metadata) = result { - nested_info := common_lib.get_nested_values_info(container, ["securityContext", "runAsUser"]) nested_info.valid == false diff --git a/assets/queries/k8s/containers_running_as_root/query.rego b/assets/queries/k8s/containers_running_as_root/query.rego index eb3b94ac5de..2aa856278e6 100644 --- a/assets/queries/k8s/containers_running_as_root/query.rego +++ b/assets/queries/k8s/containers_running_as_root/query.rego @@ -1,9 +1,10 @@ package Cx -import data.generic.k8s as k8sLib import data.generic.common as common_lib +import data.generic.k8s as k8sLib types := {"initContainers", "containers"} + options := {"runAsUser", "runAsNonRoot"} runsAsRoot(ctx) { 
@@ -68,7 +69,7 @@ checkRoot(specInfo, container, containerType, containerId, document, metadata) = "issueType": "MissingAttribute", "keyExpectedValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", [metadata.name, specInfo.path, containerType, container.name]), "keyActualValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false", [metadata.name, specInfo.path, containerType, container.name]), - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [containerType, containerId, "securityContext"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [containerType, containerId, "securityContext"]), } } diff --git a/assets/queries/k8s/containers_with_sys_admin_capabilities/query.rego b/assets/queries/k8s/containers_with_sys_admin_capabilities/query.rego index 19c609b659e..6ecca3172a2 100644 --- a/assets/queries/k8s/containers_with_sys_admin_capabilities/query.rego +++ b/assets/queries/k8s/containers_with_sys_admin_capabilities/query.rego @@ -1,7 +1,8 @@ package Cx -import data.generic.k8s as k8sLib import data.generic.common as common_lib +import data.generic.k8s as k8sLib +import future.keywords.in CxPolicy[result] { document := input.document[i] @@ -11,7 +12,7 @@ CxPolicy[result] { types = {"initContainers", "containers"} containers := specInfo.spec[types[x]] - containers[index].securityContext.capabilities.add[_] == "SYS_ADMIN" + "SYS_ADMIN" in containers[index].securityContext.capabilities.add result := { "documentId": input.document[i].id, diff --git a/assets/queries/k8s/cpu_limits_not_set/query.rego b/assets/queries/k8s/cpu_limits_not_set/query.rego index 7600006f992..e6bfed5fca8 100644 --- a/assets/queries/k8s/cpu_limits_not_set/query.rego +++ b/assets/queries/k8s/cpu_limits_not_set/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.k8s as k8sLib import data.generic.common as common_lib +import data.generic.k8s as k8sLib types := {"initContainers", "containers"} diff --git a/assets/queries/k8s/cpu_requests_not_set/query.rego b/assets/queries/k8s/cpu_requests_not_set/query.rego index 18816acce2a..11a1e7d9471 100644 --- a/assets/queries/k8s/cpu_requests_not_set/query.rego +++ b/assets/queries/k8s/cpu_requests_not_set/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.k8s as k8sLib import data.generic.common as common_lib +import data.generic.k8s as k8sLib types := {"initContainers", "containers"} diff --git a/assets/queries/k8s/deployment_has_no_pod_anti_affinity/query.rego b/assets/queries/k8s/deployment_has_no_pod_anti_affinity/query.rego index c5a869e2a32..e37d0bb7ade 100644 --- a/assets/queries/k8s/deployment_has_no_pod_anti_affinity/query.rego +++ b/assets/queries/k8s/deployment_has_no_pod_anti_affinity/query.rego @@ -199,6 +199,4 @@ CxPolicy[result] { match_labels(templateLabels, selectorLabels) { some Key templateLabels[Key] == selectorLabels[Key] -} else = false { - true -} +} else = false diff --git a/assets/queries/k8s/deployment_without_pod_disruption_budget/query.rego b/assets/queries/k8s/deployment_without_pod_disruption_budget/query.rego index 17c50b04d52..bb9a7be45c0 100644 --- a/assets/queries/k8s/deployment_without_pod_disruption_budget/query.rego +++ b/assets/queries/k8s/deployment_without_pod_disruption_budget/query.rego @@ -25,10 +25,8 @@ hasPodDisruptionBudget(statefulset) = result { pdb := input.document[j] pdb.kind == "PodDisruptionBudget" result := containsLabel(pdb, statefulset.spec.selector.matchLabels) -} else = false { - true -} +} else = false -containsLabel(array, label) { - array.spec.selector.matchLabels[_] == label[_] +containsLabel(array_obj, label_value) { + array_obj.spec.selector.matchLabels[_] == label_value[_] } 
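Review bot: `containsLabel` in the deployment_without_pod_disruption_budget hunk still matches on values only: `array_obj.spec.selector.matchLabels[_] == label_value[_]` holds whenever any PDB selector value equals any workload label value, regardless of key, so a PDB selecting `app: web` would count for a StatefulSet labelled `tier: web` and suppress the finding. The rename in this hunk preserves that. Comparing under a shared key, e.g. `some k` followed by `array_obj.spec.selector.matchLabels[k] == label_value[k]`, restricts the match to labels a PDB selector would actually select. hasPodDisruptionBudget starts outside the hunk.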
diff --git a/assets/queries/k8s/encryption_provider_not_properly_configured/query.rego b/assets/queries/k8s/encryption_provider_not_properly_configured/query.rego index b303c30c75f..8b8877421a7 100644 --- a/assets/queries/k8s/encryption_provider_not_properly_configured/query.rego +++ b/assets/queries/k8s/encryption_provider_not_properly_configured/query.rego @@ -21,9 +21,9 @@ CxPolicy[result] { } } -containsProvider(resource){ +containsProvider(resource) { providerToCheck := providerList[_] innerResources := resource.resources[_] - providers_det := innerResources["providers"] + providers_det := innerResources.providers common_lib.valid_key(providers_det[_], providerToCheck) } diff --git a/assets/queries/k8s/ensure_administrative_boundaries_between_resources/query.rego b/assets/queries/k8s/ensure_administrative_boundaries_between_resources/query.rego index 16a32e49515..2b7dd21a46d 100644 --- a/assets/queries/k8s/ensure_administrative_boundaries_between_resources/query.rego +++ b/assets/queries/k8s/ensure_administrative_boundaries_between_resources/query.rego 
@@ -6,13 +6,15 @@ import data.generic.k8s as k8sLib listKinds := ["Pod", "Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "ReplicationController", "Job", "CronJob", "Service", "Secret", "ServiceAccount", "Role", "RoleBinding", "ConfigMap", "Ingress"] CxPolicy[result] { - nsSearch := [nsSearch |res = input.document[_]; - res.kind == listKinds[_]; - nspace := res.metadata.namespace; - nsSearch := {"namespace": nspace,"res": res.id, "name": res.metadata.name, "kind": res.kind}] + nsSearch := [nsSearch | + res = input.document[_] + res.kind == listKinds[_] + nspace := res.metadata.namespace + nsSearch := {"namespace": nspace, "res": res.id, "name": res.metadata.name, "kind": res.kind} + ] - namespaces := {ns | ns:=nsSearch[_].namespace } - namespacesContac:= concat(", ",namespaces) + namespaces := {ns | ns := nsSearch[_].namespace} + namespacesContac := concat(", ", namespaces) result := { "documentId": nsSearch[0].res, diff --git a/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/query.rego b/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/query.rego index 0ff2dd34676..77b08ad720d 100644 --- a/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/query.rego +++ b/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/query.rego @@ -21,8 +21,8 @@ CxPolicy[result] { "resourceName": metadata.name, "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("%s flag should be defined",[flag]), - "keyActualValue": sprintf("%s flag is not defined",[flag]), + "keyExpectedValue": sprintf("%s flag should be defined", [flag]), + "keyActualValue": sprintf("%s flag is not defined", [flag]), "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } 
diff --git a/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/query.rego b/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/query.rego index 3c5342d2a0e..358fc44bc18 100644 --- a/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/query.rego +++ b/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/query.rego @@ -3,7 +3,7 @@ package Cx import data.generic.common as common_lib import data.generic.k8s as k8sLib -flags := {"--cert-file","--key-file"} +flags := {"--cert-file", "--key-file"} CxPolicy[result] { resource := input.document[i] @@ -22,7 +22,7 @@ CxPolicy[result] { "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("%s flag should be defined", [flag]), - "keyActualValue": sprintf("%s flag is not defined",[flag]), + "keyActualValue": sprintf("%s flag is not defined", [flag]), "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } diff --git a/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/query.rego b/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/query.rego index 5dbec30e4b3..6230a55e5df 100644 --- a/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/query.rego +++ b/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/query.rego 
@@ -21,8 +21,8 @@ CxPolicy[result] { "resourceName": metadata.name, "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("%s flag should be defined",[flag]), - "keyActualValue": sprintf("%s flag is not defined",[flag]), + "keyExpectedValue": sprintf("%s flag should be defined", [flag]), + "keyActualValue": sprintf("%s flag is not defined", [flag]), "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } diff --git a/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/query.rego b/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/query.rego index 673d6783ec1..9bad8385c99 100644 --- a/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/query.rego +++ b/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/query.rego @@ -23,4 +23,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } - diff --git a/assets/queries/k8s/hpa_targets_invalid_object/query.rego b/assets/queries/k8s/hpa_targets_invalid_object/query.rego index e64037696d2..0bba6f60bfc 100644 --- a/assets/queries/k8s/hpa_targets_invalid_object/query.rego +++ b/assets/queries/k8s/hpa_targets_invalid_object/query.rego @@ -18,7 +18,7 @@ CxPolicy[result] { } } -checkIsValidObject(resource) { +checkIsValidObject(resource) { resource.object != null resource.object.metric != null resource.object.target != null diff --git a/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/query.rego b/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/query.rego index f4a704a506a..2de480e32ad 100644 --- a/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/query.rego 
+++ b/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/query.rego @@ -23,4 +23,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } - diff --git a/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/query.rego b/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/query.rego index e9895d8848d..98810d6cc3d 100644 --- a/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/query.rego +++ b/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/query.rego @@ -1,5 +1,7 @@ package Cx +import future.keywords.in + CxPolicy[result] { document := input.document[i] @@ -7,7 +9,7 @@ CxPolicy[result] { volumeClaims := document.spec.volumeClaimTemplates - vClaimsWitReadWriteOnce := [vClaims | contains(volumeClaims[v].spec.accessModes, "ReadWriteOnce") == true; vClaims := volumeClaims[v].metadata.name] + vClaimsWitReadWriteOnce := [vClaims | array_contains(volumeClaims[v].spec.accessModes, "ReadWriteOnce") == true; vClaims := volumeClaims[v].metadata.name] count(vClaimsWitReadWriteOnce) == 0 metadata := document.metadata @@ -30,7 +32,7 @@ CxPolicy[result] { volumeClaims := document.spec.volumeClaimTemplates - vClaimsWitReadWriteOnce := [vClaims | contains(volumeClaims[v].spec.accessModes, "ReadWriteOnce") == true; vClaims := volumeClaims[v].metadata.name] + vClaimsWitReadWriteOnce := [vClaims | array_contains(volumeClaims[v].spec.accessModes, "ReadWriteOnce") == true; vClaims := volumeClaims[v].metadata.name] count(vClaimsWitReadWriteOnce) > 1 metadata := document.metadata @@ -46,6 +48,6 @@ CxPolicy[result] { } } -contains(array, string) { - array[_] == string +array_contains(array_obj, string) { + string in array_obj } diff --git a/assets/queries/k8s/ingress_controller_exposes_workload/query.rego b/assets/queries/k8s/ingress_controller_exposes_workload/query.rego index 895f244eceb..2d612f2dc55 100644 
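Review bot: The new `array_contains(...) == true` on both changed comprehension lines compares a boolean rule result to `true`, which is redundant, and with `future.keywords.in` now imported the helper adds nothing over the membership test itself: `vClaimsWitReadWriteOnce := [vClaims | "ReadWriteOnce" in volumeClaims[v].spec.accessModes; vClaims := volumeClaims[v].metadata.name]`. If the helper is kept, a one-line comment above `array_contains` saying that the former name `contains` shadowed the built-in string function would tell the next reader why the rename happened. Both rule bodies start and end outside their hunks.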
--- a/assets/queries/k8s/ingress_controller_exposes_workload/query.rego +++ b/assets/queries/k8s/ingress_controller_exposes_workload/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.k8s as k8sLib import data.generic.common as common_lib +import data.generic.k8s as k8sLib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/k8s/insecure_bind_address_set/query.rego b/assets/queries/k8s/insecure_bind_address_set/query.rego index 9116331b51b..c03feaea13d 100644 --- a/assets/queries/k8s/insecure_bind_address_set/query.rego +++ b/assets/queries/k8s/insecure_bind_address_set/query.rego @@ -21,7 +21,6 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "--insecure-bind-address flag should not be set", "keyActualValue": "--insecure-bind-address flag is set", - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } - diff --git a/assets/queries/k8s/insecure_port_not_properly_set/query.rego b/assets/queries/k8s/insecure_port_not_properly_set/query.rego index 37ffa8b7234..b3aff7e3b1e 100644 --- a/assets/queries/k8s/insecure_port_not_properly_set/query.rego +++ b/assets/queries/k8s/insecure_port_not_properly_set/query.rego @@ -22,7 +22,7 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "--insecure-port flag should be set to 0", "keyActualValue": "--insecure-port flag is not properly set", - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } 
@@ -44,6 +44,6 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "--insecure-port flag should be defined and set to 0", "keyActualValue": "--insecure-port flag is not defined", - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } diff --git a/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/query.rego b/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/query.rego index 0d99aabaa72..806bf46a431 100644 --- a/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/query.rego +++ b/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/query.rego @@ -5,7 +5,7 @@ import data.generic.k8s as k8sLib flags := { "--kubelet-client-certificate", - "--kubelet-client-key" + "--kubelet-client-key", } CxPolicy[result] { @@ -25,9 +25,8 @@ CxPolicy[result] { "resourceName": metadata.name, "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("%s flag should be set",[flag]), - "keyActualValue": sprintf("%s flag is not set",[flag]), - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) + "keyExpectedValue": sprintf("%s flag should be set", [flag]), + "keyActualValue": sprintf("%s flag is not set", [flag]), + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } - diff --git a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/query.rego b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/query.rego index cded660d79d..ff04fd63fc2 100644 --- a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/query.rego +++ b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/query.rego 
@@ -22,14 +22,14 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "--rotate-certificates flag should be true", "keyActualValue": "--rotate-certificates flag is false", - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } CxPolicy[result] { resource := input.document[i] - resource.kind == "KubeletConfiguration" - resource.rotateCertificates == false + resource.kind == "KubeletConfiguration" + resource.rotateCertificates == false result := { "documentId": input.document[i].id, @@ -44,8 +44,8 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i] - resource.kind == "KubeletConfiguration" - not common_lib.valid_key(resource, "rotateCertificates") + resource.kind == "KubeletConfiguration" + not common_lib.valid_key(resource, "rotateCertificates") result := { "documentId": input.document[i].id, diff --git a/assets/queries/k8s/kubelet_event_qps_not_properly_set/query.rego b/assets/queries/k8s/kubelet_event_qps_not_properly_set/query.rego index 17d699c0265..6e1e9f5d864 100644 --- a/assets/queries/k8s/kubelet_event_qps_not_properly_set/query.rego +++ b/assets/queries/k8s/kubelet_event_qps_not_properly_set/query.rego @@ -9,9 +9,9 @@ CxPolicy[result] { specInfo := k8sLib.getSpecInfo(resource) types := {"initContainers", "containers"} container := specInfo.spec[types[x]][j] - + common_lib.inArray(container.command, "kubelet") - k8sLib.startWithFlag(container,"--event-qps") + k8sLib.startWithFlag(container, "--event-qps") not k8sLib.hasFlag(container, "--event-qps=0") result := { 
@@ -22,14 +22,14 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "--event-qps flag should be set to 0", "keyActualValue": "--event-qps flag is not set to 0", - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } CxPolicy[result] { - doc :=input.document[i] - doc.kind == "KubeletConfiguration" - not common_lib.valid_key(doc, "eventRecordQPS") + doc := input.document[i] + doc.kind == "KubeletConfiguration" + not common_lib.valid_key(doc, "eventRecordQPS") result := { "documentId": doc.id, @@ -43,9 +43,9 @@ CxPolicy[result] { } CxPolicy[result] { - doc :=input.document[i] - doc.kind == "KubeletConfiguration" - doc.eventRecordQPS != 0 + doc := input.document[i] + doc.kind == "KubeletConfiguration" + doc.eventRecordQPS != 0 result := { "documentId": doc.id, @@ -57,4 +57,3 @@ CxPolicy[result] { "keyActualValue": "eventRecordQPS flag is not set to 0", } } - diff --git a/assets/queries/k8s/kubelet_hostname_override_is_set/query.rego b/assets/queries/k8s/kubelet_hostname_override_is_set/query.rego index de861865bc3..3e26e63ff72 100644 --- a/assets/queries/k8s/kubelet_hostname_override_is_set/query.rego +++ b/assets/queries/k8s/kubelet_hostname_override_is_set/query.rego @@ -21,6 +21,6 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "--hostname-override= flag should not be defined", "keyActualValue": "--hostname-override= flag is defined", - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } diff --git a/assets/queries/k8s/kubelet_not_managing_ip_tables/query.rego b/assets/queries/k8s/kubelet_not_managing_ip_tables/query.rego index 35c325c8660..c7c1d70e985 100644 --- a/assets/queries/k8s/kubelet_not_managing_ip_tables/query.rego 
+++ b/assets/queries/k8s/kubelet_not_managing_ip_tables/query.rego @@ -22,14 +22,14 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "--make-iptables-util-chains flag should be true", "keyActualValue": "--make-iptables-util-chains= flag is false", - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } CxPolicy[result] { resource := input.document[i] - resource.kind == "KubeletConfiguration" - resource.makeIPTablesUtilChains == false + resource.kind == "KubeletConfiguration" + resource.makeIPTablesUtilChains == false result := { "documentId": input.document[i].id, diff --git a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/query.rego b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/query.rego index a6a15e42c2d..cb3c51f47de 100644 --- a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/query.rego +++ b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/query.rego @@ -21,14 +21,14 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "--protect-kernel-defaults flag should not be set to false", "keyActualValue": "--protect-kernel-defaults flag is set to false", - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } CxPolicy[result] { - doc :=input.document[i] - doc.kind == "KubeletConfiguration" - not common_lib.valid_key(doc, "protectKernelDefaults") + doc := input.document[i] + doc.kind == "KubeletConfiguration" + not common_lib.valid_key(doc, "protectKernelDefaults") result := { "documentId": doc.id, 
@@ -42,9 +42,9 @@ CxPolicy[result] { } CxPolicy[result] { - doc :=input.document[i] - doc.kind == "KubeletConfiguration" - doc.protectKernelDefaults == false + doc := input.document[i] + doc.kind == "KubeletConfiguration" + doc.protectKernelDefaults == false result := { "documentId": doc.id, @@ -56,4 +56,3 @@ CxPolicy[result] { "keyActualValue": "protectKernelDefaults flag is set to false", } } - diff --git a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/query.rego b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/query.rego index ea51a46fcff..5c2bc3e345b 100644 --- a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/query.rego +++ b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/query.rego @@ -11,7 +11,7 @@ CxPolicy[result] { container := specInfo.spec[types[x]][j] common_lib.inArray(container.command, "kubelet") - k8sLib.startWithFlag(container, "--read-only-port") + k8sLib.startWithFlag(container, "--read-only-port") not k8sLib.hasFlag(container, "--read-only-port=0") result := { diff --git a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/query.rego b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/query.rego index 3666a13cabc..d27fa7ee339 100644 --- a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/query.rego +++ b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/query.rego 
@@ -22,14 +22,14 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "--streaming-connection-idle-timeout flag not should be 0", "keyActualValue": "--streaming-connection-idle-timeout flag is 0", - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } CxPolicy[result] { resource := input.document[i] - resource.kind == "KubeletConfiguration" - resource.streamingConnectionIdleTimeout == "0s" + resource.kind == "KubeletConfiguration" + resource.streamingConnectionIdleTimeout == "0s" result := { "documentId": input.document[i].id, diff --git a/assets/queries/k8s/liveness_probe_is_not_defined/query.rego b/assets/queries/k8s/liveness_probe_is_not_defined/query.rego index ba44cbe8254..93b3092118c 100644 --- a/assets/queries/k8s/liveness_probe_is_not_defined/query.rego +++ b/assets/queries/k8s/liveness_probe_is_not_defined/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.k8s as k8sLib import data.generic.common as common_lib +import data.generic.k8s as k8sLib CxPolicy[result] { document := input.document[i] @@ -9,7 +9,7 @@ CxPolicy[result] { metadata := document.metadata kind := document.kind - listKinds := ["Job", "CronJob"] + listKinds := ["Job", "CronJob"] not k8sLib.checkKind(kind, listKinds) diff --git a/assets/queries/k8s/memory_limits_not_defined/query.rego b/assets/queries/k8s/memory_limits_not_defined/query.rego index ea9d64813a3..57d9250d57b 100644 --- a/assets/queries/k8s/memory_limits_not_defined/query.rego +++ b/assets/queries/k8s/memory_limits_not_defined/query.rego 
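Review bot: `resource.streamingConnectionIdleTimeout == "0s"` in the second rule of the hunk recognises only that one spelling of a zero duration; the kubelet reads this field as a duration, so a manifest that disables the timeout with `0m` or `0h` is not reported, and an unquoted `0` may even reach the query as a number rather than a string. Unless the parser normalises the value before it reaches the query (not visible from the hunk), a small set comparison would close the gap: `zero := {"0", "0s", "0m", "0h"}` and `resource.streamingConnectionIdleTimeout == zero[_]`, with a separate equality for numeric `0` if that form is possible. The rule body continues past the end of the hunk.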
@@ -23,6 +23,6 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.resources.limits.memory should be defined", [metadata.name, specInfo.path, types[t], container.name]), "keyActualValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.resources.limits.memory is undefined", [metadata.name, specInfo.path, types[t], container.name]), - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[t], c, "resources", "limits"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[t], c, "resources", "limits"]), } } diff --git a/assets/queries/k8s/memory_requests_not_defined/query.rego b/assets/queries/k8s/memory_requests_not_defined/query.rego index 2816b41f7ae..48969b47204 100644 --- a/assets/queries/k8s/memory_requests_not_defined/query.rego +++ b/assets/queries/k8s/memory_requests_not_defined/query.rego @@ -23,6 +23,6 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.resources.requests.memory should be defined", [metadata.name, specInfo.path, types[t], container.name]), "keyActualValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.resources.requests.memory is undefined", [metadata.name, specInfo.path, types[t], container.name]), - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[t], c, "resources", "requests"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[t], c, "resources", "requests"]), } } diff --git a/assets/queries/k8s/metadata_label_is_invalid/query.rego b/assets/queries/k8s/metadata_label_is_invalid/query.rego index 8c3bb5e65e0..1ea74f8c404 100644 --- a/assets/queries/k8s/metadata_label_is_invalid/query.rego +++ b/assets/queries/k8s/metadata_label_is_invalid/query.rego 
@@ -7,7 +7,7 @@ CxPolicy[result] {
 some key
 value := labels[key]
- regex.match("^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", value) == false
+ regex.match(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`, value) == false
 result := {
 "documentId": input.document[i].id,
diff --git a/assets/queries/k8s/missing_app_armor_config/query.rego b/assets/queries/k8s/missing_app_armor_config/query.rego
index c97221fbdd9..7612c052a84 100644
--- a/assets/queries/k8s/missing_app_armor_config/query.rego
+++ b/assets/queries/k8s/missing_app_armor_config/query.rego
@@ -70,6 +70,6 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("metadata.name={{%s}}.%s should specify an AppArmor profile for container {{%s}}", [metadata.name, annotationsPath, container]),
 "keyActualValue": sprintf("metadata.name={{%s}}.%s does not specify an AppArmor profile for container {{%s}}", [metadata.name, annotationsPath, container]),
- "searchLine": common_lib.build_search_line(split(annotationsPath, "."), [])
+ "searchLine": common_lib.build_search_line(split(annotationsPath, "."), []),
 }
 }
diff --git a/assets/queries/k8s/net_raw_capabilities_not_being_dropped/query.rego b/assets/queries/k8s/net_raw_capabilities_not_being_dropped/query.rego
index b285a7c21e9..70af607731b 100644
--- a/assets/queries/k8s/net_raw_capabilities_not_being_dropped/query.rego
+++ b/assets/queries/k8s/net_raw_capabilities_not_being_dropped/query.rego
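Review bot: The raw-string regex on the changed line is an improvement, but the check still validates characters only: Kubernetes label values are additionally limited to 63 characters, and the pattern has no length bound, so an over-long but well-formed value passes unreported. A second rule body with `count(value) > 63` (or a combined condition) would cover that case. As a point of style, `regex.match(...) == false` reads more naturally as `not regex.match(`…`, value)`. The rule body continues past the end of the hunk.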
@@ -45,6 +45,6 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext.capabilities.drop should be defined", [metadata.name, specInfo.path, types[x], container.name]),
 "keyActualValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext.capabilities.drop is undefined", [metadata.name, specInfo.path, types[x], container.name]),
- "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], c, "securityContext", "capabilities"])
+ "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], c, "securityContext", "capabilities"]),
 }
 }
diff --git a/assets/queries/k8s/network_policy_is_not_targeting_any_pod/query.rego b/assets/queries/k8s/network_policy_is_not_targeting_any_pod/query.rego
index 2024405b792..fd3106de9b9 100644
--- a/assets/queries/k8s/network_policy_is_not_targeting_any_pod/query.rego
+++ b/assets/queries/k8s/network_policy_is_not_targeting_any_pod/query.rego
@@ -29,6 +29,4 @@ findTargettedPod(lValue, lKey) {
 some key
 key == lKey
 labels[key] == lValue
-} else = false {
- true
-}
+} else = false
diff --git a/assets/queries/k8s/no_drop_capabilities_for_containers/query.rego b/assets/queries/k8s/no_drop_capabilities_for_containers/query.rego
index 75d255d45ea..ab704120516 100644
--- a/assets/queries/k8s/no_drop_capabilities_for_containers/query.rego
+++ b/assets/queries/k8s/no_drop_capabilities_for_containers/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.k8s as k8sLib
 import data.generic.common as common_lib
+import data.generic.k8s as k8sLib
 types := {"initContainers", "containers"}
diff --git a/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/query.rego b/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/query.rego
index 76e7d046976..4dacfaf6f49 100644
--- a/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/query.rego
+++ b/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/query.rego @@ -23,4 +23,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } - diff --git a/assets/queries/k8s/non_kube_system_pod_with_host_mount/query.rego b/assets/queries/k8s/non_kube_system_pod_with_host_mount/query.rego index aff339c427b..9a8c832c6d6 100644 --- a/assets/queries/k8s/non_kube_system_pod_with_host_mount/query.rego +++ b/assets/queries/k8s/non_kube_system_pod_with_host_mount/query.rego @@ -2,12 +2,13 @@ package Cx import data.generic.common as common_lib import data.generic.k8s as k8sLib +import future.keywords.in CxPolicy[result] { resource := input.document[i] metadata := resource.metadata not metadata.namespace - resource.kind == k8sLib.valid_pod_spec_kind_list[_] + resource.kind in k8sLib.valid_pod_spec_kind_list specInfo := k8sLib.getSpecInfo(resource) volumes := specInfo.spec.volumes volumes[j].hostPath.path @@ -29,7 +30,7 @@ CxPolicy[result] { "default", volumes[j].hostPath.path, ]), - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), ["volumes", j ,"hostPath", "path"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), ["volumes", j, "hostPath", "path"]), } } @@ -38,7 +39,7 @@ CxPolicy[result] { metadata := resource.metadata namespace := metadata.namespace namespace != "kube-system" - resource.kind == k8sLib.valid_pod_spec_kind_list[_] + resource.kind in k8sLib.valid_pod_spec_kind_list specInfo := k8sLib.getSpecInfo(resource) volumes := specInfo.spec.volumes volumes[j].hostPath.path 
@@ -46,7 +47,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.kind, "resourceName": metadata.name, - "searchKey": sprintf("metadata.name={{%s}}.%s.volumes.name={{%s}}.hostPath.path", [metadata.name,specInfo.path, volumes[j].name]), + "searchKey": sprintf("metadata.name={{%s}}.%s.volumes.name={{%s}}.hostPath.path", [metadata.name, specInfo.path, volumes[j].name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Resource name '%s' of kind '%s' in non kube-system namespace '%s' should not have hostPath '%s' mounted", [ metadata.name, @@ -60,7 +61,7 @@ CxPolicy[result] { metadata.namespace, volumes[j].hostPath.path, ]), - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), ["volumes", j ,"hostPath", "path"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), ["volumes", j, "hostPath", "path"]), } } diff --git a/assets/queries/k8s/not_unique_certificate_authority/query.rego b/assets/queries/k8s/not_unique_certificate_authority/query.rego index 071d766e61d..6c7669e53b3 100644 --- a/assets/queries/k8s/not_unique_certificate_authority/query.rego +++ b/assets/queries/k8s/not_unique_certificate_authority/query.rego 
@@ -2,52 +2,51 @@ package Cx import data.generic.common as common_lib import data.generic.k8s as k8s_lib - +import future.keywords.in CxPolicy[result] { resource := input.document[i] metadata := resource.metadata - specInfo := k8s_lib.getSpecInfo(resource) - types := {"initContainers", "containers"} + specInfo := k8s_lib.getSpecInfo(resource) + types := {"initContainers", "containers"} container := specInfo.spec[types[x]][j] - common_lib.inArray(container.command, "etcd") + common_lib.inArray(container.command, "etcd") trusted_path := getTrustedPath(container) - resource_aux := input.document[_] - client_path := getClientPath(resource_aux) - trusted_path == client_path + resource_aux := input.document[_] + client_path := getClientPath(resource_aux) + trusted_path == client_path result := { - "documentId": input.document[i].id, - "resourceType": resource.kind, + "documentId": input.document[i].id, + "resourceType": resource.kind, "resourceName": metadata.name, "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]), "issueType": "IncorrectValue", "keyExpectedValue": "Trusted Certificate Authentication File should not be the same of a Client Certificate Authentication File", "keyActualValue": "Trusted Certificate Authentication File is the same of a Client Certificate Authentication File", - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } -getTrustedPath(container) = path{ - path:= split(flagValue(container, "--trusted-ca-file"),"=")[1] - +getTrustedPath(container) = path { + path := split(flagValue(container, "--trusted-ca-file"), "=")[1] } -flagValue(container, flag) = val{ - val:=getFlag(container.command, flag) -} else = val{ - val:=getFlag(container.args, flag) +flagValue(container, flag) = val { + val := getFlag(container.command, flag) +} 
else = val { + val := getFlag(container.args, flag) } getFlag(arr, item) = array_item { - array_item = arr[_] - startswith(array_item, item) + some array_item in arr + startswith(array_item, item) } getClientPath(resource) = path { - specInfo := k8s_lib.getSpecInfo(resource) - types := {"initContainers", "containers"} - container := specInfo.spec[types[x]][j] - common_lib.inArray(container.command, "kube-apiserver") - path:= split(flagValue(container, "--client-ca-file"),"=")[1] + specInfo := k8s_lib.getSpecInfo(resource) + types := {"initContainers", "containers"} + container := specInfo.spec[types[x]][j] + common_lib.inArray(container.command, "kube-apiserver") + path := split(flagValue(container, "--client-ca-file"), "=")[1] } diff --git a/assets/queries/k8s/object_is_using_a_deprecated_api_version/query.rego b/assets/queries/k8s/object_is_using_a_deprecated_api_version/query.rego index 5282ea26bbe..ce647b53713 100644 --- a/assets/queries/k8s/object_is_using_a_deprecated_api_version/query.rego +++ b/assets/queries/k8s/object_is_using_a_deprecated_api_version/query.rego @@ -35,12 +35,8 @@ CxPolicy[result] { "Role": "rbac.authorization.k8s.io/v1", "RoleBinding": "rbac.authorization.k8s.io/v1", }, - "batch/v1beta1": { - "CronJob": "batch/v1", - }, - "policy/v1beta1": { - "PodDisruptionBudget": "policy/v1", - } + "batch/v1beta1": {"CronJob": "batch/v1"}, + "policy/v1beta1": {"PodDisruptionBudget": "policy/v1"}, } common_lib.valid_key(recommendedVersions[document.apiVersion], document.kind) 
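Review bot: The rewritten `getFlag` still selects by `startswith(array_item, item)`, so `--trusted-ca-file` also matches any longer flag sharing that prefix, and `getTrustedPath`/`getClientPath` then take `split(..., "=")[1]`, which is undefined when the flag is supplied in two-token form (`--trusted-ca-file /path`); in that case the rule simply yields no finding, so the shared-CA misconfiguration is silently missed rather than surfaced. Anchoring the match on the separator, `startswith(array_item, concat("", [item, "="]))`, removes the prefix collisions; handling the two-token form would need a lookup of the following element, which is a larger change worth a TODO comment on `getFlag`.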
@@ -50,7 +46,7 @@ CxPolicy[result] { "resourceName": metadata.name, "searchKey": sprintf("apiVersion={{%s}}", [document.apiVersion]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("metadata.name={{%s}}.apiVersion of %s should be {{%s}}", [metadata.name, document.kind, recommendedVersions[document.apiVersion][document.kind]]), + "keyExpectedValue": sprintf("metadata.name={{%s}}.apiVersion of %s should be {{%s}}", [metadata.name, document.kind, recommendedVersions[document.apiVersion][document.kind]]), "keyActualValue": sprintf("metadata.name={{%s}}.apiVersion of %s is deprecated and is {{%s}}", [metadata.name, document.kind, document.apiVersion]), } } diff --git a/assets/queries/k8s/permissive_access_to_create_pods/query.rego b/assets/queries/k8s/permissive_access_to_create_pods/query.rego index 240ea26b459..764b0121429 100644 --- a/assets/queries/k8s/permissive_access_to_create_pods/query.rego +++ b/assets/queries/k8s/permissive_access_to_create_pods/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.k8s as k8s_lib import data.generic.common as common_lib +import data.generic.k8s as k8s_lib create := "create" @@ -35,9 +35,9 @@ CxPolicy[result] { isRoleKind(document.kind) rules[j].verbs[l] == create - notCustom(rules[j].apiGroups) - isWildCardValue(rules[j].resources[k]) - + notCustom(rules[j].apiGroups) + isWildCardValue(rules[j].resources[k]) + result := { "documentId": input.document[i].id, "resourceType": document.kind, 
@@ -67,7 +67,7 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("metadata.name=%s.rules.verbs should not contain a wildcard value when metadata.name=%s.rules.resources contains the value 'pods'", [metadata.name, metadata.name]), "keyActualValue": sprintf("metadata.name=%s.rules.verbs contains a wildcard value and metadata.name=%s.rules.resources contains the value 'pods'", [metadata.name, metadata.name]), - "searchLine": common_lib.build_search_line(["rules", j, "verbs"], []), + "searchLine": common_lib.build_search_line(["rules", j, "verbs"], []), } } @@ -89,7 +89,7 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("metadata.name=%s.rules.verbs should not contain a wildcard value when metadata.name=%s.rules.resources contains a wildcard value", [metadata.name, metadata.name]), "keyActualValue": sprintf("metadata.name=%s.rules.verbs contains a wildcard value and metadata.name=%s.rules.resources contains a wildcard value", [metadata.name, metadata.name]), - "searchLine": common_lib.build_search_line(["rules", j, "verbs"], []), + "searchLine": common_lib.build_search_line(["rules", j, "verbs"], []), } } @@ -98,11 +98,11 @@ isWildCardValue(val) { } isRoleKind(kind) { - listKinds := ["ClusterRole", "Role"] + listKinds := ["ClusterRole", "Role"] k8s_lib.checkKind(kind, listKinds) } notCustom(apiGroups) { - k8s := {"", "*"} + k8s := {"", "*"} apiGroups[z] == k8s[p] } diff --git a/assets/queries/k8s/pod_misconfigured_network_policy/query.rego b/assets/queries/k8s/pod_misconfigured_network_policy/query.rego index 732d2c9418a..cd914212229 100644 --- a/assets/queries/k8s/pod_misconfigured_network_policy/query.rego +++ b/assets/queries/k8s/pod_misconfigured_network_policy/query.rego 
@@ -7,25 +7,26 @@ CxPolicy[result] { pod := input.document[i] pod.kind == "Pod" - policyList := [policy | policy := input.document[j]; policy.kind == "NetworkPolicy"] - # if network policies are present - count(policyList) > 0 + policyList := [policy | policy := input.document[j]; policy.kind == "NetworkPolicy"] - netPolicy = policyList[k] - isSameNamespace(pod, netPolicy) + # if network policies are present + count(policyList) > 0 - # if no ingress and no egress policies are defined - not policyHasEgress(netPolicy) - not policyHasIngress(netPolicy) + netPolicy = policyList[k] + isSameNamespace(pod, netPolicy) - result := { + # if no ingress and no egress policies are defined + not policyHasEgress(netPolicy) + not policyHasIngress(netPolicy) + + result := { "documentId": pod.id, "resourceType": pod.kind, "resourceName": pod.metadata.name, "searchKey": sprintf("metadata.name=%s", [pod.metadata.name]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("Pod %s should have ingress and egress rules in matching NetworkPolicy", [pod.metadata.name]), - "keyActualValue": sprintf("Pod %s has no ingress or egress rules in matching NetworkPolicy", [pod.metadata.name]) + "keyActualValue": sprintf("Pod %s has no ingress or egress rules in matching NetworkPolicy", [pod.metadata.name]), } } 
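Review bot: The first rule, as reindented here, pairs a pod with every NetworkPolicy that passes `isSameNamespace` without ever consulting `netPolicy.spec.podSelector`, while the second rule (next hunk) requires `pod.metadata.labels[key] == netPolicy.spec.podSelector.matchLabels[key]` only when the namespaces differ — yet a NetworkPolicy's podSelector can only select pods in the policy's own namespace, so a policy elsewhere never governs this pod whatever its labels. Unless `isSameNamespace` (defined outside the hunk) does more than compare namespaces, the two rules look as if the selector condition is on the wrong side: the same-namespace rule should carry the label match, and the cross-namespace rule reports pods the policy cannot affect. Both rule bodies start before their hunks.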
@@ -34,29 +35,31 @@ CxPolicy[result] { pod := input.document[i] pod.kind == "Pod" - policyList := [policy | policy := input.document[j]; policy.kind == "NetworkPolicy"] - # if network policies are present - count(policyList) > 0 + policyList := [policy | policy := input.document[j]; policy.kind == "NetworkPolicy"] + + # if network policies are present + count(policyList) > 0 + + netPolicy = policyList[k] - netPolicy = policyList[k] - # if it's not in the same namespace there should be a matching labels rule - not isSameNamespace(pod, netPolicy) + # if it's not in the same namespace there should be a matching labels rule + not isSameNamespace(pod, netPolicy) - # if there are matching labels + # if there are matching labels pod.metadata.labels[key] == netPolicy.spec.podSelector.matchLabels[key] - # if no ingress and no egress policies are defined - not policyHasIngress(netPolicy) - not policyHasEgress(netPolicy) + # if no ingress and no egress policies are defined + not policyHasIngress(netPolicy) + not policyHasEgress(netPolicy) - result := { + result := { "documentId": pod.id, "resourceType": pod.kind, "resourceName": pod.metadata.name, "searchKey": sprintf("metadata.name=%s", [pod.metadata.name]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("Pod %s should have ingress and egress rules in matching NetworkPolicy", [pod.metadata.name]), - "keyActualValue": sprintf("Pod %s has no ingress or egress rules in matching NetworkPolicy", [pod.metadata.name]) + "keyActualValue": sprintf("Pod %s has no ingress or egress rules in matching NetworkPolicy", [pod.metadata.name]), } } @@ -76,7 +79,7 @@ policyHasIngress(netPolicy) { # OR if policyType array contains Egress listed policyHasEgress(netPolicy) { not common_lib.valid_key(netPolicy.spec, "policyTypes") - count(netPolicy.spec.egress) > 0 + count(netPolicy.spec.egress) > 0 } else { lower(netPolicy.spec.policyTypes[_]) == lower("Egress") } 
diff --git a/assets/queries/k8s/pod_or_container_without_limit_range/query.rego b/assets/queries/k8s/pod_or_container_without_limit_range/query.rego index cb12b838955..b9110140b9e 100644 --- a/assets/queries/k8s/pod_or_container_without_limit_range/query.rego +++ b/assets/queries/k8s/pod_or_container_without_limit_range/query.rego @@ -23,7 +23,7 @@ CxPolicy[result] { "searchKey": sprintf("metadata.name={{%s}}", [metadata.name]), "keyExpectedValue": sprintf("metadata.name={{%s}} has a 'LimitRange' policy associated", [metadata.name]), "keyActualValue": sprintf("metadata.name={{%s}} does not have a 'LimitRange' policy associated", [metadata.name]), - "searchLine": common_lib.build_search_line(["metadata", "namespace"], []) + "searchLine": common_lib.build_search_line(["metadata", "namespace"], []), } } diff --git a/assets/queries/k8s/pod_or_container_without_resource_quota/query.rego b/assets/queries/k8s/pod_or_container_without_resource_quota/query.rego index 7f5909c47e8..b6bf6dd955d 100644 --- a/assets/queries/k8s/pod_or_container_without_resource_quota/query.rego +++ b/assets/queries/k8s/pod_or_container_without_resource_quota/query.rego @@ -23,7 +23,7 @@ CxPolicy[result] { "searchKey": sprintf("metadata.name={{%s}}", [metadata.name]), "keyExpectedValue": sprintf("metadata.name={{%s}} has a 'ResourceQuota' policy associated", [metadata.name]), "keyActualValue": sprintf("metadata.name={{%s}} does not have a 'ResourceQuota' policy associated", [metadata.name]), - "searchLine": common_lib.build_search_line(["metadata", "namespace"], []) + "searchLine": common_lib.build_search_line(["metadata", "namespace"], []), } } diff --git a/assets/queries/k8s/pod_or_container_without_security_context/query.rego b/assets/queries/k8s/pod_or_container_without_security_context/query.rego index a2607b825e6..49458735a58 100644 --- a/assets/queries/k8s/pod_or_container_without_security_context/query.rego +++ b/assets/queries/k8s/pod_or_container_without_security_context/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.k8s as k8sLib import data.generic.common as common_lib +import data.generic.k8s as k8sLib CxPolicy[result] { document := input.document[i] @@ -32,7 +32,7 @@ CxPolicy[result] { metadata := document.metadata - types := {"initContainers", "containers"} + types := {"initContainers", "containers"} containers := specInfo.spec[types[x]] not common_lib.valid_key(containers[index], "securityContext") diff --git a/assets/queries/k8s/privilege_escalation_allowed/query.rego b/assets/queries/k8s/privilege_escalation_allowed/query.rego index ddede05538f..74d9f295ddf 100644 --- a/assets/queries/k8s/privilege_escalation_allowed/query.rego +++ b/assets/queries/k8s/privilege_escalation_allowed/query.rego @@ -43,6 +43,6 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext.allowPrivilegeEscalation should be set and should be set to false", [metadata.name, specInfo.path, types[x], container.name]), "keyActualValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext.allowPrivilegeEscalation is undefined", [metadata.name, specInfo.path, types[x], container.name]), - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], c, "securityContext"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], c, "securityContext"]), } } diff --git a/assets/queries/k8s/profiling_not_set_to_false/query.rego b/assets/queries/k8s/profiling_not_set_to_false/query.rego index 5f44f0d081b..cd6c547c1e8 100644 --- a/assets/queries/k8s/profiling_not_set_to_false/query.rego +++ b/assets/queries/k8s/profiling_not_set_to_false/query.rego @@ -4,6 +4,7 @@ import data.generic.common as common_lib import data.generic.k8s as k8sLib kubernetesCommand := {"kube-apiserver", "kube-controller-manager", "kube-scheduler"} + kubernetesCommandWithoutDeprecation := {"kube-apiserver", "kube-controller-manager"} CxPolicy[result] { 
diff --git a/assets/queries/k8s/psp_allows_privilege_escalation/query.rego b/assets/queries/k8s/psp_allows_privilege_escalation/query.rego index 46d40a1a109..0fe3765a9e4 100644 --- a/assets/queries/k8s/psp_allows_privilege_escalation/query.rego +++ b/assets/queries/k8s/psp_allows_privilege_escalation/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.k8s as k8sLib import data.generic.common as common_lib +import data.generic.k8s as k8sLib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/k8s/psp_with_added_capabilities/query.rego b/assets/queries/k8s/psp_with_added_capabilities/query.rego index f2e28e73805..f636601995c 100644 --- a/assets/queries/k8s/psp_with_added_capabilities/query.rego +++ b/assets/queries/k8s/psp_with_added_capabilities/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.k8s as k8sLib import data.generic.common as common_lib +import data.generic.k8s as k8sLib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/query.rego b/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/query.rego index e30e32036d2..710904fd4a0 100644 --- a/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/query.rego +++ b/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/query.rego @@ -17,7 +17,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "'spec.allowedHostPaths' should be defined and not null", "keyActualValue": "'spec.allowedHostPaths' is undefined or null", - "searchLine": common_lib.build_search_line(["spec"], []) + "searchLine": common_lib.build_search_line(["spec"], []), } } 
@@ -37,7 +37,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("'spec.allowedHostPaths[%d].readOnly' should be set to true", [idx]), "keyActualValue": sprintf("'spec.allowedHostPaths[%d].readOnly' is undefined or null", [idx]), - "searchLine": common_lib.build_search_line(["spec", "allowedHostPaths"], [idx]) + "searchLine": common_lib.build_search_line(["spec", "allowedHostPaths"], [idx]), } } @@ -57,7 +57,6 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'spec.allowedHostPaths[%d].readOnly' should be set to true", [idx]), "keyActualValue": sprintf("'spec.allowedHostPaths[%d].readOnly' is set to false", [idx]), - "searchLine": common_lib.build_search_line(["spec", "allowedHostPaths", idx], ["readOnly"]) + "searchLine": common_lib.build_search_line(["spec", "allowedHostPaths", idx], ["readOnly"]), } } - diff --git a/assets/queries/k8s/rbac_roles_allow_privilege_escalation/query.rego b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/query.rego index 2a8363178c1..f86f2c3d2e8 100644 --- a/assets/queries/k8s/rbac_roles_allow_privilege_escalation/query.rego +++ b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/query.rego @@ -1,13 +1,14 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { document := input.document[i] metadata := document.metadata kinds := {"Role", "ClusterRole"} - document.kind == kinds[_] + document.kind in kinds verbs := {"bind", "escalate", "*"} resources := {"roles", "clusterroles"} 
@@ -22,6 +23,6 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("metadata.name={{%s}}.rules[%d].verbs should not include the 'bind' and/or 'escalate' permission", [metadata.name, j]), "keyActualValue": sprintf("metadata.name={{%s}}.rules[%d].verbs includes the 'bind' and/or 'escalate' permission", [metadata.name, j]), - "searchLine": common_lib.build_search_line(["rules", j], ["verbs"]) + "searchLine": common_lib.build_search_line(["rules", j], ["verbs"]), } } diff --git a/assets/queries/k8s/rbac_roles_with_attach_permission/query.rego b/assets/queries/k8s/rbac_roles_with_attach_permission/query.rego index 30508aadb0d..7b0d7c59784 100644 --- a/assets/queries/k8s/rbac_roles_with_attach_permission/query.rego +++ b/assets/queries/k8s/rbac_roles_with_attach_permission/query.rego @@ -1,13 +1,14 @@ package Cx import data.generic.common as common_lib +import future.keywords.in CxPolicy[result] { document := input.document[i] metadata := document.metadata kinds := {"Role", "ClusterRole"} - document.kind == kinds[_] + document.kind in kinds resources := {"pods/attach", "pods/*"} verbs := {"create", "*"} @@ -22,6 +23,6 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("metadata.name={{%s}}.rules[%d].resources should not include the 'pods/attach' resource", [metadata.name, j]), "keyActualValue": sprintf("metadata.name={{%s}}.rules[%d].resources includes the 'pods/attach' resource", [metadata.name, j]), - "searchLine": common_lib.build_search_line(["rules", j], ["resources"]) + "searchLine": common_lib.build_search_line(["rules", j], ["resources"]), } } diff --git a/assets/queries/k8s/rbac_roles_with_exec_permission/query.rego b/assets/queries/k8s/rbac_roles_with_exec_permission/query.rego index 66ad986cef8..d6d832feaf2 100644 --- a/assets/queries/k8s/rbac_roles_with_exec_permission/query.rego +++ b/assets/queries/k8s/rbac_roles_with_exec_permission/query.rego 
@@ -1,13 +1,14 @@
 package Cx
 import data.generic.common as common_lib
+import future.keywords.in
 CxPolicy[result] {
 document := input.document[i]
 metadata := document.metadata
 kinds := {"Role", "ClusterRole"}
- document.kind == kinds[_]
+ document.kind in kinds
 resources := {"pods/exec", "pods/*"}
 verbs := {"create", "*"}
@@ -22,6 +23,6 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("metadata.name={{%s}}.rules[%d].resources should not include the 'pods/exec' resource", [metadata.name, j]),
 "keyActualValue": sprintf("metadata.name={{%s}}.rules[%d].resources includes the 'pods/exec' resource", [metadata.name, j]),
- "searchLine": common_lib.build_search_line(["rules", j], ["resources"])
+ "searchLine": common_lib.build_search_line(["rules", j], ["resources"]),
 }
 }
diff --git a/assets/queries/k8s/rbac_roles_with_impersonate_permission/query.rego b/assets/queries/k8s/rbac_roles_with_impersonate_permission/query.rego
index 57a0a655f6d..5aee7b5784f 100644
--- a/assets/queries/k8s/rbac_roles_with_impersonate_permission/query.rego
+++ b/assets/queries/k8s/rbac_roles_with_impersonate_permission/query.rego
@@ -1,15 +1,16 @@
 package Cx
 import data.generic.common as common_lib
+import future.keywords.in
 CxPolicy[result] {
 document := input.document[i]
 metadata := document.metadata
 kinds := {"Role", "ClusterRole"}
- document.kind == kinds[_]
+ document.kind in kinds
- document.rules[j].verbs[_] == "impersonate"
+ "impersonate" in document.rules[j].verbs
 result := {
 "documentId": document.id,
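Review bot: The rewritten membership test `"impersonate" in document.rules[j].verbs` only matches the literal verb, so a rule with `verbs: ["*"]` on `users`, `groups` or `serviceaccounts` — which grants impersonation just the same — produces no finding from this query. The sibling queries touched in this change include `"*"` in their verb sets (for example `verbs := {"update", "patch", "create", "*"}` in the port-forward query), and only the generic `rbac_wildcard_in_rule` query would catch this case, with a message that does not mention impersonation. Consider `impersonateVerbs := {"impersonate", "*"}` followed by `some verb in document.rules[j].verbs; verb in impersonateVerbs`. The `CxPolicy` body continues past the end of this hunk.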
@@ -19,6 +20,6 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("metadata.name={{%s}}.rules[%d].verbs should not include the 'impersonate' verb", [metadata.name, j]),
 "keyActualValue": sprintf("metadata.name={{%s}}.rules[%d].verbs includes the 'impersonate' verb", [metadata.name, j]),
- "searchLine": common_lib.build_search_line(["rules", j], ["verbs"])
+ "searchLine": common_lib.build_search_line(["rules", j], ["verbs"]),
 }
 }
diff --git a/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/query.rego b/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/query.rego
index 64a7be32ed6..81c7948db9c 100644
--- a/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/query.rego
+++ b/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/query.rego
@@ -1,16 +1,17 @@
 package Cx
 import data.generic.common as common_lib
+import future.keywords.in
 CxPolicy[result] {
 document := input.document[i]
 metadata := document.metadata
 kinds := {"Role", "ClusterRole"}
- document.kind == kinds[_]
+ document.kind in kinds
 verbs := {"update", "patch", "create", "*"}
- document.rules[j].resources[_] == "pods/portforward"
+ "pods/portforward" in document.rules[j].resources
 document.rules[j].verbs[_] == verbs[_]
 result := {
@@ -21,6 +22,6 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("metadata.name={{%s}}.rules[%d].resources should not include the 'pods/portforward' resource", [metadata.name, j]),
 "keyActualValue": sprintf("metadata.name={{%s}}.rules[%d].resources includes the 'pods/portforward' resource", [metadata.name, j]),
- "searchLine": common_lib.build_search_line(["rules", j], ["resources"])
+ "searchLine": common_lib.build_search_line(["rules", j], ["resources"]),
 }
 }
diff --git a/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/query.rego b/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/query.rego
index 41a401eb683..cdd1008dd8e 100644
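Review bot: `"pods/portforward" in document.rules[j].resources` does not match a rule that grants the subresource through `pods/*`, which is valid RBAC and grants port-forward just the same; the attach and exec queries touched in this change declare `resources := {"pods/attach", "pods/*"}` and `resources := {"pods/exec", "pods/*"}`, so this query is now the odd one out and is presumably what the rewrite should have aligned with. Suggest `resources := {"pods/portforward", "pods/*"}` followed by `some resource in document.rules[j].resources; resource in resources`, keeping the existing `verbs` match as is. The `CxPolicy` body continues past the end of this hunk and the `result` literal closes in the next one.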
--- a/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/query.rego
+++ b/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/query.rego
@@ -1,16 +1,17 @@
 package Cx
 import data.generic.common as common_lib
+import future.keywords.in
 CxPolicy[result] {
 document := input.document[i]
 metadata := document.metadata
 kinds := {"Role", "ClusterRole"}
- document.kind == kinds[_]
+ document.kind in kinds
 readVerbs := {"get", "watch", "list"}
- document.rules[j].resources[_] == "secrets"
+ "secrets" in document.rules[j].resources
 document.rules[j].verbs[_] == readVerbs[_]
 result := {
@@ -21,6 +22,6 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("metadata.name={{%s}}.rules[%d] should not be granted read access to Secrets objects", [metadata.name, j]),
 "keyActualValue": sprintf("metadata.name={{%s}}.rules[%d] is granted read access (verbs: %v) to Secrets objects", [metadata.name, j, concat(", ", document.rules[j].verbs)]),
- "searchLine": common_lib.build_search_line(["rules", j], ["verbs"])
+ "searchLine": common_lib.build_search_line(["rules", j], ["verbs"]),
 }
 }
diff --git a/assets/queries/k8s/rbac_wildcard_in_rule/query.rego b/assets/queries/k8s/rbac_wildcard_in_rule/query.rego
index e942d1fce3b..d7fced15438 100644
--- a/assets/queries/k8s/rbac_wildcard_in_rule/query.rego
+++ b/assets/queries/k8s/rbac_wildcard_in_rule/query.rego
@@ -1,18 +1,19 @@
 package Cx
 import data.generic.common as common_lib
+import future.keywords.in
 CxPolicy[result] {
 document := input.document[i]
 metadata := document.metadata
 kinds := {"Role", "ClusterRole"}
- document.kind == kinds[_]
+ document.kind in kinds
 attr := {"apiGroups", "resources", "verbs"}
 common_lib.valid_key(document.rules[j], attr[k])
- document.rules[j][k][_] == "*"
+ "*" in document.rules[j][k]
 result := {
 "documentId": document.id,
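Review bot: In the read-secrets query, `readVerbs := {"get", "watch", "list"}` and the rewritten `"secrets" in document.rules[j].resources` both omit the wildcard, so a rule with `verbs: ["*"]` or `resources: ["*"]` — each of which grants read access to Secrets — is not reported here; only the generic `rbac_wildcard_in_rule` query (rewritten in this same diff as `"*" in document.rules[j][k]`) would flag it, without saying that Secrets are exposed. Other queries in this change do include `"*"` in their verb sets (e.g. `verbs := {"update", "patch", "create", "*"}`), so the omission looks accidental rather than deliberate. Suggest `readVerbs := {"get", "watch", "list", "*"}` and `secretResources := {"secrets", "*"}` with `some resource in document.rules[j].resources; resource in secretResources` in place of the literal membership test. The `CxPolicy` body continues past this hunk into the next one.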
@@ -22,6 +23,6 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("metadata.name={{%s}}.rules[%d].%s should list the minimal set of needed objects or actions", [metadata.name, j, k]), "keyActualValue": sprintf("metadata.name={{%s}}.rules[%d].%s uses wildcards to specify objects or actions", [metadata.name, j, k]), - "searchLine": common_lib.build_search_line(["rules", j], [k]) + "searchLine": common_lib.build_search_line(["rules", j], [k]), } } diff --git a/assets/queries/k8s/readiness_probe_is_not_configured/query.rego b/assets/queries/k8s/readiness_probe_is_not_configured/query.rego index b1f40c599c2..febcc49149a 100644 --- a/assets/queries/k8s/readiness_probe_is_not_configured/query.rego +++ b/assets/queries/k8s/readiness_probe_is_not_configured/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.k8s as k8sLib import data.generic.common as common_lib +import data.generic.k8s as k8sLib CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/k8s/request_timeout_not_properly_set/query.rego b/assets/queries/k8s/request_timeout_not_properly_set/query.rego index 7a191b0c8b6..37e65405d54 100644 --- a/assets/queries/k8s/request_timeout_not_properly_set/query.rego +++ b/assets/queries/k8s/request_timeout_not_properly_set/query.rego 
@@ -29,46 +29,46 @@ hasTimeGreaterThanValue(container, flag, value) { command := container.command startswith(command[a], flag) flag_value := split(command[a], "=")[1] - getSeconds(flag_value)> value + getSeconds(flag_value) > value } else { args := container.args startswith(args[a], flag) flag_value := split(args[a], "=")[1] - getSeconds(flag_value)> value + getSeconds(flag_value) > value } -getSeconds(time)=seconds{ - regex.match("^(\\d+[h])$", time) - seconds := to_number(trim_suffix(time, "h") )*3600 -}else = seconds { - regex.match("^(\\d+[h])(\\d+[m])$", time) - hours := replace(time, "h", ",") - minutes := replace(hours, "m", ",") - time_array := split(minutes, ",") - seconds := to_number(time_array[0])*3600 + to_number(time_array[1])*60 -}else = seconds { - regex.match("^(\\d+[h])(\\d+[s])$", time) - hours := replace(time, "h", ",") - secs := replace(hours, "s", ",") - time_array := split(secs, ",") - seconds := to_number(time_array[0])*3600 + to_number(time_array[1]) -}else = seconds { - regex.match("^(\\d+[h])(\\d+[m])(\\d+[s])$", time) - hours := replace(time, "h", ",") - minutes :=replace(hours, "m", ",") - secs :=replace(minutes, "s", ",") - time_array := split(secs, ",") - seconds := to_number(time_array[0])*3600 + to_number(time_array[1])*60 + to_number(time_array[2]) -}else = seconds { - regex.match("^(\\d+[m])$", time) - seconds := to_number(trim_suffix(time, "m") )*60 -}else = seconds { - regex.match("^(\\d+[m])(\\d+[s])$", time) - minutes := replace(time, "m", ",") - secs := replace(minutes, "s", ",") - time_array := split(secs, ",") - seconds := to_number(time_array[0])*60 + to_number(time_array[1]) -}else = seconds { - regex.match("^(\\d+[s])$", time) - seconds := to_number(trim_suffix(time, "s")) +getSeconds(time_period) = seconds { + regex.match(`^(\d+[h])$`, time_period) + seconds := to_number(trim_suffix(time_period, "h")) * 3600 +} else = seconds { + regex.match(`^(\d+[h])(\d+[m])$`, time_period) + hours := replace(time_period, "h", ",") + 
minutes := replace(hours, "m", ",") + time_array := split(minutes, ",") + seconds := (to_number(time_array[0]) * 3600) + (to_number(time_array[1]) * 60) +} else = seconds { + regex.match(`^(\d+[h])(\d+[s])$`, time_period) + hours := replace(time_period, "h", ",") + secs := replace(hours, "s", ",") + time_array := split(secs, ",") + seconds := (to_number(time_array[0]) * 3600) + to_number(time_array[1]) +} else = seconds { + regex.match(`^(\d+[h])(\d+[m])(\d+[s])$`, time_period) + hours := replace(time_period, "h", ",") + minutes := replace(hours, "m", ",") + secs := replace(minutes, "s", ",") + time_array := split(secs, ",") + seconds := ((to_number(time_array[0]) * 3600) + (to_number(time_array[1]) * 60)) + to_number(time_array[2]) +} else = seconds { + regex.match(`^(\d+[m])$`, time_period) + seconds := to_number(trim_suffix(time_period, "m")) * 60 +} else = seconds { + regex.match(`^(\d+[m])(\d+[s])$`, time_period) + minutes := replace(time_period, "m", ",") + secs := replace(minutes, "s", ",") + time_array := split(secs, ",") + seconds := (to_number(time_array[0]) * 60) + to_number(time_array[1]) +} else = seconds { + regex.match(`^(\d+[s])$`, time_period) + seconds := to_number(trim_suffix(time_period, "s")) } diff --git a/assets/queries/k8s/root_container_not_mounted_as_read_only/query.rego b/assets/queries/k8s/root_container_not_mounted_as_read_only/query.rego index c2eb1e09c75..038773da1e6 100644 --- a/assets/queries/k8s/root_container_not_mounted_as_read_only/query.rego +++ b/assets/queries/k8s/root_container_not_mounted_as_read_only/query.rego 
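Review bot: `getSeconds` has no terminal `else`, so a flag value in a form Go's duration parser accepts but these regexes do not — `30ms`, `1.5h`, a bare `0` — leaves the function undefined, which makes `getSeconds(flag_value) > value` undefined and `hasTimeGreaterThanValue` silently fail instead of evaluating the timeout. Whether that suppresses or forces a finding depends on how the rule above the hunk consumes `hasTimeGreaterThanValue`, but an unrecognised value should be a deliberate outcome rather than a side effect of the regex list; at minimum document it above the function with `# Only integer h/m/s combinations ("1h", "1h30m", "90s") are recognised; any other Go duration form (ms, fractional, bare "0") leaves the result undefined.` The same fail-silently shape applies to `split(command[a], "=")[1]` at the top of the hunk, which only sees the `--flag=value` spelling and misses a timeout passed as two separate arguments. `hasTimeGreaterThanValue` begins before the start of this hunk.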
@@ -43,6 +43,6 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext.readOnlyRootFilesystem should be set to true", [metadata.name, specInfo.path, types[x], container.name]), "keyActualValue": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext.readOnlyRootFilesystem is undefined", [metadata.name, specInfo.path, types[x], container.name]), - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], c, "securityContext"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], c, "securityContext"]), } } diff --git a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/query.rego b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/query.rego index 67e63b230ca..ce3179c2e2b 100644 --- a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/query.rego +++ b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/query.rego @@ -14,7 +14,7 @@ CxPolicy[result] { command := commandList[_] common_lib.inArray(container.command, command) - k8sLib.startWithFlag(container,"--feature-gates=") + k8sLib.startWithFlag(container, "--feature-gates=") contains_feature(container, "RotateKubeletServerCertificate=false") result := { 
@@ -25,15 +25,15 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "--feature-gates=RotateKubeletServerCertificate flag should be true", "keyActualValue": "--feature-gates=RotateKubeletServerCertificate flag is false", - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } CxPolicy[result] { resource := input.document[i] - resource.kind == "KubeletConfiguration" - featureGates := resource.featureGates - featureGates.RotateKubeletServerCertificate == false + resource.kind == "KubeletConfiguration" + featureGates := resource.featureGates + featureGates.RotateKubeletServerCertificate == false result := { "documentId": input.document[i].id, @@ -46,13 +46,12 @@ CxPolicy[result] { } } - -contains_feature(container, feature){ +contains_feature(container, feature) { contains_in_array(container.command, feature) } else { contains_in_array(container.args, feature) } contains_in_array(arr, item) { - contains(arr[_], item) + contains(arr[_], item) } diff --git a/assets/queries/k8s/secure_port_set_to_zero/query.rego b/assets/queries/k8s/secure_port_set_to_zero/query.rego index 3aff8add8d4..485ee3413e3 100644 --- a/assets/queries/k8s/secure_port_set_to_zero/query.rego +++ b/assets/queries/k8s/secure_port_set_to_zero/query.rego @@ -23,5 +23,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } - - diff --git a/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/query.rego b/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/query.rego index b54607d8659..25b1d421587 100644 --- a/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/query.rego +++ b/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/query.rego 
@@ -24,4 +24,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } - diff --git a/assets/queries/k8s/service_account_allows_access_secrets/query.rego b/assets/queries/k8s/service_account_allows_access_secrets/query.rego index 76d409494dc..619fb4e1bd0 100644 --- a/assets/queries/k8s/service_account_allows_access_secrets/query.rego +++ b/assets/queries/k8s/service_account_allows_access_secrets/query.rego @@ -1,7 +1,8 @@ package Cx -import data.generic.k8s as k8sLib import data.generic.common as commonLib +import data.generic.k8s as k8sLib +import future.keywords.in CxPolicy[result] { document := input.document[i] @@ -18,7 +19,7 @@ CxPolicy[result] { some resource resources := document.rules[resource].resources - resources[_] == "secrets" + "secrets" in resources rules := document.rules[resource].verbs commonLib.compareArrays(ruleTaint, rules) @@ -31,7 +32,7 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("The metadata.name={{%s}}.rules.verbs should not contain the following verbs: [%s]", [metadata.name, rules]), "keyActualValue": sprintf("The metadata.name={{%s}}.rules.verbs contain the following verbs: [%s]", [metadata.name, rules]), - "searchLine": commonLib.build_search_line(["rules", resource, "verbs"],[]), + "searchLine": commonLib.build_search_line(["rules", resource, "verbs"], []), } } diff --git a/assets/queries/k8s/service_account_name_undefined_or_empty/query.rego b/assets/queries/k8s/service_account_name_undefined_or_empty/query.rego index 0ed77c63d1a..bc8c938d1c2 100644 --- a/assets/queries/k8s/service_account_name_undefined_or_empty/query.rego +++ b/assets/queries/k8s/service_account_name_undefined_or_empty/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.k8s as k8sLib import data.generic.common as common_lib +import data.generic.k8s as k8sLib CxPolicy[result] { document := input.document[i] 
diff --git a/assets/queries/k8s/service_account_token_automount_not_disabled/query.rego b/assets/queries/k8s/service_account_token_automount_not_disabled/query.rego index 328d425ea4e..1b1fbafd7ce 100644 --- a/assets/queries/k8s/service_account_token_automount_not_disabled/query.rego +++ b/assets/queries/k8s/service_account_token_automount_not_disabled/query.rego @@ -4,7 +4,8 @@ import data.generic.common as common_lib import data.generic.k8s as k8sLib knativeKinds := ["Configuration", "Service", "Revision", "ContainerSource"] -listKinds := ["Pod", "Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "ReplicationController", "Job", "CronJob" ] + +listKinds := ["Pod", "Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "ReplicationController", "Job", "CronJob"] CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/k8s/service_does_not_target_pod/query.rego b/assets/queries/k8s/service_does_not_target_pod/query.rego index dcb4d246e6b..6dc39357974 100644 --- a/assets/queries/k8s/service_does_not_target_pod/query.rego +++ b/assets/queries/k8s/service_does_not_target_pod/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.common as common_lib import data.generic.k8s as k8sLib +import future.keywords.in CxPolicy[result] { service := input.document[i] @@ -50,15 +51,13 @@ CxPolicy[result] { matchResource(resource, serviceSelector) = result { labels := getLabelsToMatch(resource) - count([ x | x := serviceSelector[k]; x == labels[k]]) == count(serviceSelector) + count([x | x := serviceSelector[k]; x == labels[k]]) == count(serviceSelector) result := resource -} else = false { - true -} +} else = false getLabelsToMatch(document) = labels { matchLabelsKinds := {"Deployment", "DaemonSet", "ReplicaSet", "StatefulSet", "Job"} - document.kind == matchLabelsKinds[_] + document.kind in matchLabelsKinds labels := document.spec.selector.matchLabels } else = labels { document.kind == "CronJob" 
@@ -66,7 +65,7 @@ getLabelsToMatch(document) = labels { labels := document.spec[jobTemplates[t]].spec.selector.matchLabels } else = labels { podTemplateKinds := {"Pod", "ReplicationController"} - document.kind == podTemplateKinds[_] + document.kind in podTemplateKinds labels := document.metadata.labels } @@ -85,6 +84,4 @@ matchPort(port, servicePort) { } else { not servicePort.targetPort port.containerPort == servicePort.port -} else = false { - true -} +} else = false diff --git a/assets/queries/k8s/service_type_is_nodeport/query.rego b/assets/queries/k8s/service_type_is_nodeport/query.rego index 94ddd24e270..cba22c9d7d0 100644 --- a/assets/queries/k8s/service_type_is_nodeport/query.rego +++ b/assets/queries/k8s/service_type_is_nodeport/query.rego @@ -5,8 +5,8 @@ import data.generic.k8s as k8s CxPolicy[result] { document := input.document[i] metadata := document.metadata - kind := document.kind - listKinds := ["Service"] + kind := document.kind + listKinds := ["Service"] k8s.checkKind(kind, listKinds) spec := document.spec lower(spec.type) == "nodeport" diff --git a/assets/queries/k8s/service_with_external_load_balancer/query.rego b/assets/queries/k8s/service_with_external_load_balancer/query.rego index 836a0dac314..6d6174a92c7 100644 --- a/assets/queries/k8s/service_with_external_load_balancer/query.rego +++ b/assets/queries/k8s/service_with_external_load_balancer/query.rego @@ -6,7 +6,7 @@ CxPolicy[result] { document := input.document[i] object.get(document, "kind", "undefined") == "Service" - metadata = document.metadata + metadata = document.metadata document.spec.type == "LoadBalancer" not common_lib.valid_key(metadata, "annotations") 
@@ -26,13 +26,13 @@ CxPolicy[result] { document := input.document[i] object.get(document, "kind", "undefined") == "Service" - metadata = document.metadata + metadata = document.metadata document.spec.type == "LoadBalancer" common_lib.valid_key(metadata, "annotations") - annotations = metadata.annotations - not checkLoadBalancer(annotations) + annotations = metadata.annotations + not checkLoadBalancer(annotations) result := { "documentId": input.document[i].id, @@ -46,11 +46,11 @@ CxPolicy[result] { } checkLoadBalancer(annotation) { - annotation["networking.gke.io/load-balancer-type"] == "Internal" + annotation["networking.gke.io/load-balancer-type"] == "Internal" } checkLoadBalancer(annotation) { - annotation["cloud.google.com/load-balancer-type"] == "Internal" + annotation["cloud.google.com/load-balancer-type"] == "Internal" } checkLoadBalancer(annotation) { diff --git a/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/query.rego b/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/query.rego index 7e984ac2439..aeb97d05941 100644 --- a/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/query.rego +++ b/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/query.rego @@ -199,6 +199,4 @@ CxPolicy[result] { matchLabels(templateLabels, selectorLabels) { some Key templateLabels[Key] == selectorLabels[Key] -} else = false { - true -} +} else = false diff --git a/assets/queries/k8s/statefulset_without_pod_disruption_budget/query.rego b/assets/queries/k8s/statefulset_without_pod_disruption_budget/query.rego index ff06cfbbcb0..3c7d202228d 100644 --- a/assets/queries/k8s/statefulset_without_pod_disruption_budget/query.rego +++ b/assets/queries/k8s/statefulset_without_pod_disruption_budget/query.rego 
@@ -23,10 +23,8 @@ hasPodDisruptionBudget(statefulset) = result {
 pdb := input.document[j]
 pdb.kind == "PodDisruptionBudget"
 result := containsLabel(pdb, statefulset.spec.selector.matchLabels)
-} else = false {
- true
-}
+} else = false
-containsLabel(array, label) {
- array.spec.selector.matchLabels[_] == label[_]
+containsLabel(array_obj, targetLabel) {
+ array_obj.spec.selector.matchLabels[_] == targetLabel[_]
 }
diff --git a/assets/queries/k8s/statefulset_without_service_name/query.rego b/assets/queries/k8s/statefulset_without_service_name/query.rego
index e4050eebae6..fc32c690ba7 100644
--- a/assets/queries/k8s/statefulset_without_service_name/query.rego
+++ b/assets/queries/k8s/statefulset_without_service_name/query.rego
@@ -1,4 +1,4 @@
-package Cx
+package Cx
 import data.generic.common as common_lib
@@ -6,13 +6,14 @@ CxPolicy[result] {
 statefulset := input.document[i]
 statefulset.kind == "StatefulSet"
- count({x | resource := input.document[x];
- resource.kind == "Service";
- resource.spec.clusterIP == "None";
- statefulset.metadata.namespace == resource.metadata.namespace;
- statefulset.spec.serviceName == resource.metadata.name;
- match_labels( resource.spec.selector, statefulset.spec.template.metadata.labels)
- }) == 0
+ count({x |
+ resource := input.document[x]
+ resource.kind == "Service"
+ resource.spec.clusterIP == "None"
+ statefulset.metadata.namespace == resource.metadata.namespace
+ statefulset.spec.serviceName == resource.metadata.name
+ match_labels(resource.spec.selector, statefulset.spec.template.metadata.labels)
+ }) == 0
 metadata := statefulset.metadata.name
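Review bot: The renamed `containsLabel` still compares label values only — `array_obj.spec.selector.matchLabels[_] == targetLabel[_]` pairs any value in the PDB selector with any value in the StatefulSet selector regardless of key — so a PodDisruptionBudget selecting `tier: web` counts as covering a StatefulSet whose selector is `app: web`, and the query stays silent for a StatefulSet that has no PDB. Iterate the key instead: `some key` followed by `array_obj.spec.selector.matchLabels[key] == targetLabel[key]`; the `statefulset_without_service_name` query in this same diff already matches per key with `label := serviceLabels[x]; label == statefulsetLabels[x]`. The `hasPodDisruptionBudget` lines visible here also never compare `pdb.metadata.namespace` with the StatefulSet's namespace, and a PDB only applies within its own namespace, so that check is presumably missing as well unless it happens above the hunk. `hasPodDisruptionBudget` begins before the start of this hunk.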
@@ -24,10 +25,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("metadata.name=%s.spec.serviceName should refer to a Headless Service", [metadata]), "keyActualValue": sprintf("metadata.name=%s.spec.serviceName doesn't refers to a Headless Service", [metadata]), - "searchLine": common_lib.build_search_line(["spec", "serviceName"], []) + "searchLine": common_lib.build_search_line(["spec", "serviceName"], []), } } match_labels(serviceLabels, statefulsetLabels) { - count({x | label := serviceLabels[x]; label == statefulsetLabels[x]}) == count(serviceLabels) + count({x | label := serviceLabels[x]; label == statefulsetLabels[x]}) == count(serviceLabels) } diff --git a/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/query.rego b/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/query.rego index e828c5fc72e..5da3dd7cd30 100644 --- a/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/query.rego +++ b/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/query.rego @@ -52,7 +52,7 @@ CxPolicy[result] { } } -#template container +# template container CxPolicy[result] { document := input.document[i] diff --git a/assets/queries/k8s/tls_connection_certificate_not_setup/query.rego b/assets/queries/k8s/tls_connection_certificate_not_setup/query.rego index a8ac93f687b..3f1b8cdca0c 100644 --- a/assets/queries/k8s/tls_connection_certificate_not_setup/query.rego +++ b/assets/queries/k8s/tls_connection_certificate_not_setup/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.k8s as k8s_lib import data.generic.common as common_lib +import data.generic.k8s as k8s_lib tlsFlagList := {"--tls-cert-file", "--tls-private-key-file"} 
@@ -11,9 +11,9 @@ CxPolicy[result] { specInfo := k8s_lib.getSpecInfo(resource) types := {"initContainers", "containers"} container := specInfo.spec[types[x]][j] - tls := tlsFlagList[_] + tls := tlsFlagList[_] common_lib.inArray(container.command, "kube-apiserver") - not k8s_lib.startWithFlag(container,tls) + not k8s_lib.startWithFlag(container, tls) result := { "documentId": input.document[i].id, @@ -21,19 +21,19 @@ CxPolicy[result] { "resourceName": metadata.name, "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf( "TLS %s connection setting should be set", [tls]), + "keyExpectedValue": sprintf("TLS %s connection setting should be set", [tls]), "keyActualValue": sprintf("TLS %s connection not set", [tls]), - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } tlsList := {"tlsCertFile", "tlsPrivateKeyFile"} CxPolicy[result] { - doc :=input.document[i] - doc.kind == "KubeletConfiguration" - tls := tlsList[_] - not common_lib.valid_key(doc, tls) + doc := input.document[i] + doc.kind == "KubeletConfiguration" + tls := tlsList[_] + not common_lib.valid_key(doc, tls) result := { "documentId": doc.id, @@ -41,7 +41,7 @@ CxPolicy[result] { "resourceName": "n/a", "searchKey": sprintf("kind={{%s}}", ["KubeletConfiguration"]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf( "TLS %s connection setting should be set", [tls]), + "keyExpectedValue": sprintf("TLS %s connection setting should be set", [tls]), "keyActualValue": sprintf("TLS %s connection not set", [tls]), } } diff --git a/assets/queries/k8s/token_auth_file_is_set/query.rego b/assets/queries/k8s/token_auth_file_is_set/query.rego index 18c45d32167..9682ebb65b3 100644 
--- a/assets/queries/k8s/token_auth_file_is_set/query.rego +++ b/assets/queries/k8s/token_auth_file_is_set/query.rego @@ -21,7 +21,6 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "--token-auth-file flag should not be set", "keyActualValue": "--token-auth-file flag is set", - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } - diff --git a/assets/queries/k8s/using_kubernetes_native_secret_management/query.rego b/assets/queries/k8s/using_kubernetes_native_secret_management/query.rego index 761861e9014..2c65d7630fd 100644 --- a/assets/queries/k8s/using_kubernetes_native_secret_management/query.rego +++ b/assets/queries/k8s/using_kubernetes_native_secret_management/query.rego @@ -6,8 +6,8 @@ CxPolicy[result] { document := input.document[i] kind := document.kind kind == "Secret" - - not hasExternalStorageSecretProviderClass(input) + + not hasExternalStorageSecretProviderClass(input) result := { "documentId": input.document[i].id, @@ -17,15 +17,13 @@ CxPolicy[result] { "searchKey": sprintf("metadata.name={{%s}}", [document.metadata.name]), "keyExpectedValue": "External secret storage should be used", "keyActualValue": "External secret storage is not in use", - "searchLine": common_lib.build_search_line(["metadata", "name"], []) + "searchLine": common_lib.build_search_line(["metadata", "name"], []), } } -hasExternalStorageSecretProviderClass(input_data){ +hasExternalStorageSecretProviderClass(input_data) { document := input_data.document[i] document.kind == "SecretProviderClass" spec := document.spec common_lib.valid_key(spec, "provider") } - - diff --git a/assets/queries/k8s/weak_tls_cipher_suites/query.rego b/assets/queries/k8s/weak_tls_cipher_suites/query.rego index 1839481be63..5848429d8c3 100644 --- a/assets/queries/k8s/weak_tls_cipher_suites/query.rego 
+++ b/assets/queries/k8s/weak_tls_cipher_suites/query.rego @@ -1,15 +1,15 @@ package Cx -import data.generic.k8s as k8s_lib import data.generic.common as common_lib +import data.generic.k8s as k8s_lib strongCiphersConfig = [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", ] CxPolicy[result] { @@ -19,7 +19,7 @@ CxPolicy[result] { types := {"initContainers", "containers"} container := specInfo.spec[types[x]][j] common_lib.inArray(container.command, "kube-apiserver") - not k8s_lib.startWithFlag(container,"--tls-cipher-suites") + not k8s_lib.startWithFlag(container, "--tls-cipher-suites") result := { "documentId": input.document[i].id, @@ -27,9 +27,9 @@ CxPolicy[result] { "resourceName": metadata.name, "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]), "issueType": "MissingAttribute", - "keyExpectedValue": "'--tls-cipher-suites' flag should be defined and use strong ciphers", + "keyExpectedValue": "'--tls-cipher-suites' flag should be defined and use strong ciphers", "keyActualValue": "'--tls-cipher-suites' flag is not defined", - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } 
@@ -41,9 +41,9 @@ CxPolicy[result] { specInfo := k8s_lib.getSpecInfo(resource) types := {"initContainers", "containers"} container := specInfo.spec[types[x]][j] - cmd := command[_] + cmd := command[_] common_lib.inArray(container.command, cmd) - hasWeakCipher(container,"--tls-cipher-suites") + hasWeakCipher(container, "--tls-cipher-suites") result := { "documentId": input.document[i].id, @@ -51,16 +51,16 @@ CxPolicy[result] { "resourceName": metadata.name, "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]), "issueType": "IncorrectValue", - "keyExpectedValue": "TLS cipher suites should use strong ciphers", + "keyExpectedValue": "TLS cipher suites should use strong ciphers", "keyActualValue": "TLS cipher suites uses a weak cipher", - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]), } } CxPolicy[result] { - doc :=input.document[i] - doc.kind == "KubeletConfiguration" - not common_lib.valid_key(doc, "tlsCipherSuites") + doc := input.document[i] + doc.kind == "KubeletConfiguration" + not common_lib.valid_key(doc, "tlsCipherSuites") result := { "documentId": doc.id, 
@@ -74,33 +74,33 @@ CxPolicy[result] { } CxPolicy[result] { - doc :=input.document[i] - doc.kind == "KubeletConfiguration" + doc := input.document[i] + doc.kind == "KubeletConfiguration" cipher := doc.tlsCipherSuites[_] - not common_lib.inArray(strongCiphersConfig,cipher) - + not common_lib.inArray(strongCiphersConfig, cipher) + result := { "documentId": doc.id, "resourceType": doc.kind, "resourceName": "n/a", "searchKey": "kind={{KubeletConfiguration}}.tlsCipherSuites", "issueType": "IncorrectValue", - "keyExpectedValue": "TLS cipher suites should use strong ciphers", + "keyExpectedValue": "TLS cipher suites should use strong ciphers", "keyActualValue": "TLS cipher suites uses a weak cipher", } } -hasWeakCipher(container,flag){ +hasWeakCipher(container, flag) { cipherSplit(container.command, flag) } else { cipherSplit(container.args, flag) } -cipherSplit(arr,item){ +cipherSplit(arr, item) { element := arr[_] startswith(element, item) - options := split(element, "=") - ciphers := split(options[1], ",") - cipher := ciphers[_] - not common_lib.inArray(strongCiphersConfig,cipher) + options := split(element, "=") + ciphers := split(options[1], ",") + cipher := ciphers[_] + not common_lib.inArray(strongCiphersConfig, cipher) } diff --git a/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/query.rego b/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/query.rego index aa0e5a1d267..011f949935d 100644 --- a/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/query.rego +++ b/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/query.rego 
@@ -2,11 +2,12 @@ package Cx import data.generic.common as common_lib import data.generic.k8s as k8sLib +import future.keywords.in CxPolicy[result] { resource := input.document[i] metadata := resource.metadata - resource.kind == k8sLib.valid_pod_spec_kind_list[_] + resource.kind in k8sLib.valid_pod_spec_kind_list specInfo := k8sLib.getSpecInfo(resource) volumes := specInfo.spec.volumes common_lib.isOSDir(volumes[j].hostPath.path) @@ -26,7 +27,7 @@ CxPolicy[result] { resource.kind, volumes[j].hostPath.path, ]), - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), ["volumes", j ,"hostPath", "path"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), ["volumes", j, "hostPath", "path"]), } } @@ -53,7 +54,7 @@ CxPolicy[result] { resource.kind, volumes[j].hostPath.path, ]), - "searchLine": common_lib.build_search_line(split(specInfo.path, "."), ["volumes", j ,"hostPath", "path"]) + "searchLine": common_lib.build_search_line(split(specInfo.path, "."), ["volumes", j, "hostPath", "path"]), } } @@ -79,6 +80,6 @@ CxPolicy[result] { resource.kind, hostPath.path, ]), - "searchLine": common_lib.build_search_line(["spec"], ["hostPath", "path"]) + "searchLine": common_lib.build_search_line(["spec"], ["hostPath", "path"]), } } diff --git a/assets/queries/openAPI/2.0/basepath_with_wrong_format/query.rego b/assets/queries/openAPI/2.0/basepath_with_wrong_format/query.rego index baec0c41ffc..b9d8ac5bda5 100644 --- a/assets/queries/openAPI/2.0/basepath_with_wrong_format/query.rego +++ b/assets/queries/openAPI/2.0/basepath_with_wrong_format/query.rego @@ -6,7 +6,7 @@ CxPolicy[result] { doc := input.document[i] openapi_lib.check_openapi(doc) == "2.0" - not regex.match("^/", doc.basePath) + not regex.match(`^/`, doc.basePath) result := { "documentId": doc.id, diff --git a/assets/queries/openAPI/2.0/body_parameter_without_schema/query.rego b/assets/queries/openAPI/2.0/body_parameter_without_schema/query.rego index bf82b474e81..0dd1393641b 100644 
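Review bot: The new `import future.keywords.in` is the older per-keyword opt-in; if the OPA version bundled with the scanner accepts it, `import rego.v1` brings `in` (together with `if`, `contains` and `every`) into scope in one line and is the form Regal's `imports/use-rego-v1` rule steers toward, which seems worth deciding once for the whole migration rather than file by file. The same import is added in constraining_enum_property, `schemes_uses_http copy` and unknown_property later in this patch. The rewrite from `resource.kind == k8sLib.valid_pod_spec_kind_list[_]` to `resource.kind in k8sLib.valid_pod_spec_kind_list` is behaviour-preserving, since both test membership by value over an array, set or object. The `CxPolicy` rule this hunk opens continues past the hunk.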
--- a/assets/queries/openAPI/2.0/body_parameter_without_schema/query.rego +++ b/assets/queries/openAPI/2.0/body_parameter_without_schema/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/2.0/constraining_enum_property/query.rego b/assets/queries/openAPI/2.0/constraining_enum_property/query.rego index ae61570d429..856d2630568 100644 --- a/assets/queries/openAPI/2.0/constraining_enum_property/query.rego +++ b/assets/queries/openAPI/2.0/constraining_enum_property/query.rego @@ -1,6 +1,7 @@ package Cx import data.generic.openapi as openapi_lib +import future.keywords.in CxPolicy[result] { doc := input.document[i] @@ -15,7 +16,7 @@ CxPolicy[result] { value.enum count(value.enum) > 0 value[keyword] - keyword == keywords[type][_] + keyword in keywords[type] result := { "documentId": doc.id, diff --git a/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/query.rego b/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/query.rego index 821c9101294..65c95f02aa5 100644 --- a/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/query.rego +++ b/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/2.0/host_with_invalid_pattern/query.rego b/assets/queries/openAPI/2.0/host_with_invalid_pattern/query.rego index fe224655093..817be9f883b 100644 --- a/assets/queries/openAPI/2.0/host_with_invalid_pattern/query.rego +++ b/assets/queries/openAPI/2.0/host_with_invalid_pattern/query.rego 
@@ -7,7 +7,7 @@ CxPolicy[result] { openapi_lib.check_openapi(doc) == "2.0" host := doc.host - not regex.match("^[^{}/ :\\\\]+(?::\\d+)?$", host) + not regex.match(`^[^{}/ :\\]+(?::\d+)?$`, host) result := { "documentId": doc.id, diff --git a/assets/queries/openAPI/2.0/invalid_oauth2_token_url/query.rego b/assets/queries/openAPI/2.0/invalid_oauth2_token_url/query.rego index e84f0ef917e..04095d3c02b 100644 --- a/assets/queries/openAPI/2.0/invalid_oauth2_token_url/query.rego +++ b/assets/queries/openAPI/2.0/invalid_oauth2_token_url/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/query.rego b/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/query.rego index 4bc7bfcc3d1..17e199fc9cf 100644 --- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/query.rego +++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/query.rego @@ -7,7 +7,7 @@ CxPolicy[result] { openapi_lib.check_openapi(doc) == "2.0" [path, value] := walk(doc) - ref := value["RefMetadata"]["$ref"] + ref := value.RefMetadata["$ref"] checkComponents := openapi_lib.check_reference_unexisting_swagger(doc, ref, "parameters") result := { diff --git a/assets/queries/openAPI/2.0/non_body_parameter_with_schema/query.rego b/assets/queries/openAPI/2.0/non_body_parameter_with_schema/query.rego index b64fdd06edb..d8cb8f59e14 100644 --- a/assets/queries/openAPI/2.0/non_body_parameter_with_schema/query.rego +++ b/assets/queries/openAPI/2.0/non_body_parameter_with_schema/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] 
diff --git a/assets/queries/openAPI/2.0/object_without_required_property/query.rego b/assets/queries/openAPI/2.0/object_without_required_property/query.rego index cb655761c7f..9582209543b 100644 --- a/assets/queries/openAPI/2.0/object_without_required_property/query.rego +++ b/assets/queries/openAPI/2.0/object_without_required_property/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/2.0/operation_object_without_consumes/query.rego b/assets/queries/openAPI/2.0/operation_object_without_consumes/query.rego index b0b701582a1..b74f44365c5 100644 --- a/assets/queries/openAPI/2.0/operation_object_without_consumes/query.rego +++ b/assets/queries/openAPI/2.0/operation_object_without_consumes/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/2.0/operation_object_without_produces/query.rego b/assets/queries/openAPI/2.0/operation_object_without_produces/query.rego index 312ee3c206d..cf6e80c5e92 100644 --- a/assets/queries/openAPI/2.0/operation_object_without_produces/query.rego +++ b/assets/queries/openAPI/2.0/operation_object_without_produces/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/query.rego b/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/query.rego index 19d2c87f2aa..414326f79c4 100644 --- a/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/query.rego +++ b/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/query.rego 
@@ -7,7 +7,7 @@ CxPolicy[result] { openapi_lib.check_openapi(doc) == "2.0" [path, value] := walk(doc) - ref := value.parameters[n]["RefMetadata"]["$ref"] + ref := value.parameters[n].RefMetadata["$ref"] count(path) > 0 openapi_lib.incorrect_ref_swagger(ref, "parameters") diff --git a/assets/queries/openAPI/2.0/response_object_incorrect_ref/query.rego b/assets/queries/openAPI/2.0/response_object_incorrect_ref/query.rego index 6cc7e6db0f1..298ad39974f 100644 --- a/assets/queries/openAPI/2.0/response_object_incorrect_ref/query.rego +++ b/assets/queries/openAPI/2.0/response_object_incorrect_ref/query.rego @@ -7,7 +7,7 @@ CxPolicy[result] { openapi_lib.check_openapi(doc) == "2.0" [path, value] := walk(doc) - ref := value.responses[code]["RefMetadata"]["$ref"] + ref := value.responses[code].RefMetadata["$ref"] count(path) > 0 openapi_lib.incorrect_ref_swagger(ref, "responses") diff --git a/assets/queries/openAPI/2.0/schema_object_incorrect_ref/query.rego b/assets/queries/openAPI/2.0/schema_object_incorrect_ref/query.rego index edb9c4b9f79..76a169a8d30 100644 --- a/assets/queries/openAPI/2.0/schema_object_incorrect_ref/query.rego +++ b/assets/queries/openAPI/2.0/schema_object_incorrect_ref/query.rego @@ -7,7 +7,7 @@ CxPolicy[result] { openapi_lib.check_openapi(doc) == "2.0" [path, value] := walk(doc) - ref := value.schema["RefMetadata"]["$ref"] + ref := value.schema.RefMetadata["$ref"] count(path) > 0 openapi_lib.incorrect_ref_swagger(ref, "schemas") diff --git a/assets/queries/openAPI/2.0/schemes_uses_http copy/query.rego b/assets/queries/openAPI/2.0/schemes_uses_http copy/query.rego index 07df514f4e4..baf62c19115 100644 --- a/assets/queries/openAPI/2.0/schemes_uses_http copy/query.rego +++ b/assets/queries/openAPI/2.0/schemes_uses_http copy/query.rego @@ -1,6 +1,7 @@ package Cx import data.generic.openapi as openapi_lib +import future.keywords.in CxPolicy[result] { doc := input.document[i] 
@@ -9,7 +10,7 @@ CxPolicy[result] { [path, value] := walk(doc) count(path) > 0 - value.schemes[_] == "http" + "http" in value.schemes result := { "documentId": doc.id, diff --git a/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/query.rego b/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/query.rego index e8185ab8a7d..18e9291f8eb 100644 --- a/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/query.rego +++ b/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/query.rego b/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/query.rego index 649ec11b840..82fe459b695 100644 --- a/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/query.rego +++ b/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/2.0/undefined_security_scope_global_security/query.rego b/assets/queries/openAPI/2.0/undefined_security_scope_global_security/query.rego index 24934702ae2..a98a2e58f4c 100644 --- a/assets/queries/openAPI/2.0/undefined_security_scope_global_security/query.rego +++ b/assets/queries/openAPI/2.0/undefined_security_scope_global_security/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] 
diff --git a/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/query.rego b/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/query.rego index 882396b56ba..a3b007d3301 100644 --- a/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/query.rego +++ b/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/2.0/unknown_property/query.rego b/assets/queries/openAPI/2.0/unknown_property/query.rego index 6e4c7eafbde..2b90b26cf57 100644 --- a/assets/queries/openAPI/2.0/unknown_property/query.rego +++ b/assets/queries/openAPI/2.0/unknown_property/query.rego @@ -1,6 +1,7 @@ package Cx import data.generic.openapi as openapi_lib +import future.keywords.in CxPolicy[result] { doc := input.document[i] @@ -28,10 +29,10 @@ CxPolicy[result] { [path, value] := walk(doc) objectValues := {"array": array_objects, "simple": simple_objects, "map": map_objects} - objValues := objectValues[objType][object] + objValues := objectValues[objType][obj] index := {"array": 1, "simple": 1, "map": 2} - path[minus(count(path), index[objType])] == object + path[count(path) - index[objType]] == obj objType == "array" is_array(value) @@ -42,8 +43,8 @@ CxPolicy[result] { "documentId": doc.id, "searchKey": sprintf("%s.%s", [openapi_lib.concat_path(path), field]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("The field '%s' is known in the %s object", [field, object]), - "keyActualValue": sprintf("The field '%s' is unknown in the %s object", [field, object]), + "keyExpectedValue": sprintf("The field '%s' is known in the %s object", [field, obj]), + "keyActualValue": sprintf("The field '%s' is unknown in the %s object", [field, obj]), } } 
@@ -54,10 +55,10 @@ CxPolicy[result] { [path, value] := walk(doc) objectValues := {"array": array_objects, "simple": simple_objects, "map": map_objects} - objValues := objectValues[objType][object] + objValues := objectValues[objType][obj] index := {"array": 1, "simple": 1, "map": 2} - path[minus(count(path), index[objType])] == object + path[count(path) - index[objType]] == obj any([objType == "simple", objType == "map"]) value[field] @@ -67,8 +68,8 @@ CxPolicy[result] { "documentId": doc.id, "searchKey": sprintf("%s.%s", [openapi_lib.concat_path(path), field]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("The field '%s' is known in the %s object", [field, object]), - "keyActualValue": sprintf("The field '%s' is unknown in the %s object", [field, object]), + "keyExpectedValue": sprintf("The field '%s' is known in the %s object", [field, obj]), + "keyActualValue": sprintf("The field '%s' is unknown in the %s object", [field, obj]), } } @@ -91,11 +92,11 @@ swagger := { } known_swagger_object_field(field) { - field == swagger[_] + field in swagger } -known_field(object, value) { - object[_] == value +known_field(obj, value) { + value in obj } parameters_properties := { diff --git a/assets/queries/openAPI/3.0/additional_properties_too_permissive/query.rego b/assets/queries/openAPI/3.0/additional_properties_too_permissive/query.rego index 462e36dc4c2..a5ef2c0d8cc 100644 --- a/assets/queries/openAPI/3.0/additional_properties_too_permissive/query.rego +++ b/assets/queries/openAPI/3.0/additional_properties_too_permissive/query.rego @@ -38,7 +38,7 @@ CxPolicy[result] { } } -#This rules verifies anyOf and oneOf +# This rules verifies anyOf and oneOf CxPolicy[result] { doc := input.document[i] openapi_lib.check_openapi(doc) == "3.0" diff --git a/assets/queries/openAPI/3.0/additional_properties_too_restrective/query.rego b/assets/queries/openAPI/3.0/additional_properties_too_restrective/query.rego index 42b7200ac1b..60874767d47 100644 
--- a/assets/queries/openAPI/3.0/additional_properties_too_restrective/query.rego +++ b/assets/queries/openAPI/3.0/additional_properties_too_restrective/query.rego @@ -1,9 +1,9 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib -#This rules verifies anyOf and oneOf +# This rules verifies anyOf and oneOf CxPolicy[result] { doc := input.document[i] openapi_lib.check_openapi(doc) == "3.0" @@ -22,7 +22,7 @@ CxPolicy[result] { } } -#This rules verifies allOf +# This rules verifies allOf CxPolicy[result] { doc := input.document[i] openapi_lib.check_openapi(doc) == "3.0" diff --git a/assets/queries/openAPI/3.0/callback_object_incorrect_ref/query.rego b/assets/queries/openAPI/3.0/callback_object_incorrect_ref/query.rego index 1cdd51a256e..25fa9625716 100644 --- a/assets/queries/openAPI/3.0/callback_object_incorrect_ref/query.rego +++ b/assets/queries/openAPI/3.0/callback_object_incorrect_ref/query.rego @@ -8,8 +8,8 @@ CxPolicy[result] { [path, value] := walk(doc) - ref := value.callbacks[c]["RefMetadata"]["$ref"] - path[minus(count(path), 1)] != "components" + ref := value.callbacks[c].RefMetadata["$ref"] + path[count(path) - 1] != "components" openapi_lib.incorrect_ref(ref, "callbacks") result := { diff --git a/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/query.rego b/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/query.rego index 89769acd501..074365cb6d0 100644 --- a/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/query.rego +++ b/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] 
diff --git a/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/query.rego b/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/query.rego index 4e163791195..bf229916d31 100644 --- a/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/query.rego +++ b/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/query.rego @@ -7,9 +7,9 @@ CxPolicy[result] { openapi_lib.check_openapi(doc) == "3.0" [path, value] := walk(doc) - ref := value["RefMetadata"]["$ref"] + ref := value.RefMetadata["$ref"] contains(path[j], "examples") - not contains(path[minus(j, 1)], "components") + not contains(path[j - 1], "components") openapi_lib.incorrect_ref(ref, "examples") result := { diff --git a/assets/queries/openAPI/3.0/global_server_uses_http/query.rego b/assets/queries/openAPI/3.0/global_server_uses_http/query.rego index d33bf7a0186..f7c8199ca0d 100644 --- a/assets/queries/openAPI/3.0/global_server_uses_http/query.rego +++ b/assets/queries/openAPI/3.0/global_server_uses_http/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/query.rego b/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/query.rego index cb587afede1..71cd6723f9e 100644 --- a/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/query.rego +++ b/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/query.rego @@ -8,8 +8,8 @@ CxPolicy[result] { [path, value] := walk(doc) - ref := value.headers[h]["RefMetadata"]["$ref"] - path[minus(count(path), 1)] != "components" + ref := value.headers[h].RefMetadata["$ref"] + path[count(path) - 1] != "components" openapi_lib.incorrect_ref(ref, "headers") result := { 
diff --git a/assets/queries/openAPI/3.0/invalid_media_type_value/query.rego b/assets/queries/openAPI/3.0/invalid_media_type_value/query.rego index dd7cb17f9bf..a385faa788a 100644 --- a/assets/queries/openAPI/3.0/invalid_media_type_value/query.rego +++ b/assets/queries/openAPI/3.0/invalid_media_type_value/query.rego @@ -4,20 +4,20 @@ import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] - openapi_lib.check_openapi(doc) == "3.0" + openapi_lib.check_openapi(doc) == "3.0" - [path, value] := walk(doc) - content = value.content[mime] + [path, value] := walk(doc) + content = value.content[mime] - # Ensure "content" inside "properties" is treated as a field name, not an OpenAPI content spec. - not path[count(path) - 1] == "properties" - not openapi_lib.is_valid_mime(mime) + # Ensure "content" inside "properties" is treated as a field name, not an OpenAPI content spec. + not path[count(path) - 1] == "properties" + not openapi_lib.is_valid_mime(mime) - result := { - "documentId": doc.id, - "searchKey": sprintf("%s.content.%s", [openapi_lib.concat_path(path), mime]), - "issueType": "IncorrectValue", - "keyExpectedValue": "The Media Type should be a valid value", - "keyActualValue": "The Media Type is an invalid value", - } + result := { + "documentId": doc.id, + "searchKey": sprintf("%s.content.%s", [openapi_lib.concat_path(path), mime]), + "issueType": "IncorrectValue", + "keyExpectedValue": "The Media Type should be a valid value", + "keyActualValue": "The Media Type is an invalid value", + } } diff --git a/assets/queries/openAPI/3.0/invalid_oauth2_token_url/query.rego b/assets/queries/openAPI/3.0/invalid_oauth2_token_url/query.rego index 394354d1d62..97afe38f4d3 100644 --- a/assets/queries/openAPI/3.0/invalid_oauth2_token_url/query.rego +++ b/assets/queries/openAPI/3.0/invalid_oauth2_token_url/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/query.rego b/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/query.rego index de0650ddcf4..b99ac659380 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/query.rego +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/query.rego @@ -7,7 +7,7 @@ CxPolicy[result] { openapi_lib.check_openapi(doc) == "3.0" [path, value] := walk(doc) - ref := value["RefMetadata"]["$ref"] + ref := value.RefMetadata["$ref"] checkComponents := openapi_lib.check_reference_unexisting(doc, ref, "callbacks") result := { diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/query.rego b/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/query.rego index 147ab003da1..25f04dcd961 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/query.rego +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/query.rego @@ -7,7 +7,7 @@ CxPolicy[result] { openapi_lib.check_openapi(doc) == "3.0" [path, value] := walk(doc) - ref := value["RefMetadata"]["$ref"] + ref := value.RefMetadata["$ref"] checkComponents := openapi_lib.check_reference_unexisting(doc, ref, "examples") result := { diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/query.rego b/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/query.rego index a5e690777fb..6ab536d1ad8 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/query.rego +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/query.rego 
@@ -7,7 +7,7 @@ CxPolicy[result] { openapi_lib.check_openapi(doc) == "3.0" [path, value] := walk(doc) - ref := value["RefMetadata"]["$ref"] + ref := value.RefMetadata["$ref"] checkComponents := openapi_lib.check_reference_unexisting(doc, ref, "headers") result := { diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/query.rego b/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/query.rego index 834ce905e5d..4f5705e600b 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/query.rego +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/query.rego @@ -7,7 +7,7 @@ CxPolicy[result] { openapi_lib.check_openapi(doc) == "3.0" [path, value] := walk(doc) - ref := value["RefMetadata"]["$ref"] + ref := value.RefMetadata["$ref"] checkComponents := openapi_lib.check_reference_unexisting(doc, ref, "links") result := { diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/query.rego b/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/query.rego index 591e102f3a0..b30f0630c24 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/query.rego +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/query.rego @@ -7,7 +7,7 @@ CxPolicy[result] { openapi_lib.check_openapi(doc) == "3.0" [path, value] := walk(doc) - ref := value["RefMetadata"]["$ref"] + ref := value.RefMetadata["$ref"] checkComponents := openapi_lib.check_reference_unexisting(doc, ref, "parameters") result := { diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/query.rego b/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/query.rego index fead8627dac..ef597e2d8f1 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/query.rego +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/query.rego 
@@ -7,7 +7,7 @@ CxPolicy[result] { openapi_lib.check_openapi(doc) == "3.0" [path, value] := walk(doc) - ref := value["RefMetadata"]["$ref"] + ref := value.RefMetadata["$ref"] checkComponents := openapi_lib.check_reference_unexisting(doc, ref, "requestBodies") result := { diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/query.rego b/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/query.rego index a78859c35cf..6d2baa45c69 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/query.rego +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/query.rego @@ -7,7 +7,7 @@ CxPolicy[result] { openapi_lib.check_openapi(doc) == "3.0" [path, value] := walk(doc) - ref := value["RefMetadata"]["$ref"] + ref := value.RefMetadata["$ref"] checkComponents := openapi_lib.check_reference_unexisting(doc, ref, "responses") result := { diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/query.rego b/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/query.rego index c8cba8a1c9e..d1bb936e421 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/query.rego +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/query.rego @@ -7,7 +7,7 @@ CxPolicy[result] { openapi_lib.check_openapi(doc) == "3.0" [path, value] := walk(doc) - ref := value["RefMetadata"]["$ref"] + ref := value.RefMetadata["$ref"] checkComponents := openapi_lib.check_reference_unexisting(doc, ref, "schemas") result := { diff --git a/assets/queries/openAPI/3.0/link_object_incorrect_ref/query.rego b/assets/queries/openAPI/3.0/link_object_incorrect_ref/query.rego index 4496355104e..c3507a09ccc 100644 --- a/assets/queries/openAPI/3.0/link_object_incorrect_ref/query.rego +++ b/assets/queries/openAPI/3.0/link_object_incorrect_ref/query.rego 
@@ -8,8 +8,8 @@ CxPolicy[result] { [path, value] := walk(doc) - ref := value.links[l]["RefMetadata"]["$ref"] - path[minus(count(path), 1)] != "components" + ref := value.links[l].RefMetadata["$ref"] + path[count(path) - 1] != "components" openapi_lib.incorrect_ref(ref, "links") result := { diff --git a/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/query.rego b/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/query.rego index c7d4baf57d5..045da615578 100644 --- a/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/query.rego +++ b/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/query.rego b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/query.rego index 9525c56cb8b..b9678fac237 100644 --- a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/query.rego +++ b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/3.0/object_without_required_property/query.rego b/assets/queries/openAPI/3.0/object_without_required_property/query.rego index accb3116f92..f0d0609db52 100644 --- a/assets/queries/openAPI/3.0/object_without_required_property/query.rego +++ b/assets/queries/openAPI/3.0/object_without_required_property/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] 
diff --git a/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/query.rego b/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/query.rego index 02c6ebde01b..937bb8654cf 100644 --- a/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/query.rego +++ b/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/query.rego @@ -8,8 +8,8 @@ CxPolicy[result] { [path, value] := walk(doc) - ref := value.parameters[n]["RefMetadata"]["$ref"] - path[minus(count(path), 1)] != "components" + ref := value.parameters[n].RefMetadata["$ref"] + path[count(path) - 1] != "components" openapi_lib.incorrect_ref(ref, "parameters") result := { diff --git a/assets/queries/openAPI/3.0/parameter_object_schema_content/query.rego b/assets/queries/openAPI/3.0/parameter_object_schema_content/query.rego index 8925e7416b4..8096ab70f3d 100644 --- a/assets/queries/openAPI/3.0/parameter_object_schema_content/query.rego +++ b/assets/queries/openAPI/3.0/parameter_object_schema_content/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] @@ -55,9 +55,9 @@ CxPolicy[result] { } check_params(params) { - not common_lib.valid_key(params, "schema") + not common_lib.valid_key(params, "schema") } check_params(params) { - not common_lib.valid_key(params, "content") + not common_lib.valid_key(params, "content") } diff --git a/assets/queries/openAPI/3.0/parameter_object_undefined_type/query.rego b/assets/queries/openAPI/3.0/parameter_object_undefined_type/query.rego index 79f4335465b..bcefb9c488e 100644 --- a/assets/queries/openAPI/3.0/parameter_object_undefined_type/query.rego +++ b/assets/queries/openAPI/3.0/parameter_object_undefined_type/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/3.0/path_server_uses_http/query.rego b/assets/queries/openAPI/3.0/path_server_uses_http/query.rego index ca6233d6c41..bb9342886a3 100644 --- a/assets/queries/openAPI/3.0/path_server_uses_http/query.rego +++ b/assets/queries/openAPI/3.0/path_server_uses_http/query.rego @@ -7,7 +7,7 @@ CxPolicy[result] { openapi_lib.check_openapi(doc) == "3.0" paths := doc.paths[path][oper].servers[n] - regex.match("^(http:)", paths.url) + regex.match(`^(http:)`, paths.url) result := { "documentId": doc.id, diff --git a/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/query.rego b/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/query.rego index a3b97533cc1..6f8c82a6063 100644 --- a/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/query.rego +++ b/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/query.rego @@ -1,7 +1,8 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib +import future.keywords.in CxPolicy[result] { doc := input.document[i] @@ -25,7 +26,7 @@ check_simple(value) { value.style == "simple" } else { ins := {"path", "header"} - value.in == ins[_] + value["in"] in ins not common_lib.valid_key(value, "style") } @@ -37,7 +38,7 @@ set_to_false(value) { check_delimited(value) { styles := {"spaceDelimited", "pipeDelimited"} - value.style == styles[_] + value.style in styles set_to_false(value) } diff --git a/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/query.rego b/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/query.rego index fc507cbd98a..bbc449c8639 100644 --- a/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/query.rego 
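Review bot: The plaintext-scheme check in path_server_uses_http is case-sensitive, so `regex.match(`^(http:)`, paths.url)` misses a server declared as `HTTP://…` even though URI schemes compare case-insensitively, and the capture group around `http:` is never used. `regex.match(`^(?i)http:`, paths.url)` closes that gap in the same raw-string style the commit introduces. The CxPolicy rule and its `result` object continue outside the hunk.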
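Review bot: `value["in"] in ins` in check_simple's else branch keeps bracket access for the `in` field while the neighbouring `value.style in styles` uses dot access, and nothing explains the asymmetry; presumably dot access is avoided because `in` becomes a keyword with the added `import future.keywords.in`, so a later cleanup to `value.in` could stop the file parsing. A one-line comment on that line, `# bracket access: "in" is a keyword once future.keywords.in is imported`, would guard against that. The check_simple rule head is outside the hunk.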
+++ b/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/query.rego b/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/query.rego index e2f47bac674..573f8f2de45 100644 --- a/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/query.rego +++ b/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/query.rego b/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/query.rego index 8bf88df06ea..58e22e645e5 100644 --- a/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/query.rego +++ b/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/query.rego b/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/query.rego index 200dcc0f4e4..28df86083a6 100644 --- a/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/query.rego +++ b/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/3.0/request_body_incorrect_ref/query.rego b/assets/queries/openAPI/3.0/request_body_incorrect_ref/query.rego index bd46f0280ce..9aca1675b77 100644 --- a/assets/queries/openAPI/3.0/request_body_incorrect_ref/query.rego +++ b/assets/queries/openAPI/3.0/request_body_incorrect_ref/query.rego @@ -8,7 +8,7 @@ CxPolicy[result] { [path, value] := walk(doc) - ref := value.requestBody["RefMetadata"]["$ref"] + ref := value.requestBody.RefMetadata["$ref"] openapi_lib.incorrect_ref(ref, "requestBodies") result := { diff --git a/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/query.rego b/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/query.rego index 4ec90342231..5fa8c161ab4 100644 --- a/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/query.rego +++ b/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/3.0/response_object_incorrect_ref/query.rego b/assets/queries/openAPI/3.0/response_object_incorrect_ref/query.rego index 4e0d6803237..2c3d2927464 100644 --- a/assets/queries/openAPI/3.0/response_object_incorrect_ref/query.rego +++ b/assets/queries/openAPI/3.0/response_object_incorrect_ref/query.rego @@ -8,8 +8,8 @@ CxPolicy[result] { [path, value] := walk(doc) - ref := value.responses[code]["RefMetadata"]["$ref"] - path[minus(count(path), 1)] != "components" + ref := value.responses[code].RefMetadata["$ref"] + path[count(path) - 1] != "components" openapi_lib.incorrect_ref(ref, "responses") result := { 
diff --git a/assets/queries/openAPI/3.0/schema_object_incorrect_ref/query.rego b/assets/queries/openAPI/3.0/schema_object_incorrect_ref/query.rego index 918e0715fd0..aab6448b48f 100644 --- a/assets/queries/openAPI/3.0/schema_object_incorrect_ref/query.rego +++ b/assets/queries/openAPI/3.0/schema_object_incorrect_ref/query.rego @@ -8,7 +8,7 @@ CxPolicy[result] { [path, value] := walk(doc) - ref := value.schema["RefMetadata"]["$ref"] + ref := value.schema.RefMetadata["$ref"] openapi_lib.incorrect_ref(ref, "schemas") result := { diff --git a/assets/queries/openAPI/3.0/security_field_undefined/query.rego b/assets/queries/openAPI/3.0/security_field_undefined/query.rego index 24e8740a462..df1a034e1ba 100644 --- a/assets/queries/openAPI/3.0/security_field_undefined/query.rego +++ b/assets/queries/openAPI/3.0/security_field_undefined/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/3.0/security_operation_field_undefined/query.rego b/assets/queries/openAPI/3.0/security_operation_field_undefined/query.rego index 67b5a366603..e05a3225c5e 100644 --- a/assets/queries/openAPI/3.0/security_operation_field_undefined/query.rego +++ b/assets/queries/openAPI/3.0/security_operation_field_undefined/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/3.0/security_scheme_undefined/query.rego b/assets/queries/openAPI/3.0/security_scheme_undefined/query.rego index f0af3b2ee3d..d148abef6e4 100644 --- a/assets/queries/openAPI/3.0/security_scheme_undefined/query.rego +++ b/assets/queries/openAPI/3.0/security_scheme_undefined/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/3.0/server_object_variable_not_used/query.rego b/assets/queries/openAPI/3.0/server_object_variable_not_used/query.rego index f8e0bba5935..fd393f9c665 100644 --- a/assets/queries/openAPI/3.0/server_object_variable_not_used/query.rego +++ b/assets/queries/openAPI/3.0/server_object_variable_not_used/query.rego @@ -118,12 +118,12 @@ exists(var, vars) { } variables_not_used(var, url) { - url_variables := regex.find_n("{[a-zA-Z]+}", url, -1) + url_variables := regex.find_n(`{[a-zA-Z]+}`, url, -1) url_variables != [] not exists(var, url_variables) } variables_not_used(var, url) { - url_variables := regex.find_n("{[a-zA-Z]+}", url, -1) + url_variables := regex.find_n(`{[a-zA-Z]+}`, url, -1) url_variables == [] } diff --git a/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/query.rego b/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/query.rego index 56667a697af..39f198bfe85 100644 --- a/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/query.rego +++ b/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] 
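Review bot: The template pattern in both variables_not_used rules, `regex.find_n(`{[a-zA-Z]+}`, url, -1)`, only matches purely alphabetic variable names, so a URL such as `https://{host1}/v2` yields an empty list and the second rule reports the variable as unused even though it is referenced; the same pattern in both variables_undefined rules of server_url_uses_undefined_variables (next hunk) instead makes a genuinely undefined `{host1}` go unreported because `url_variables != []` fails. `regex.find_n(`\{[^{}]+\}`, url, -1)` matches any template and also escapes the braces, which RE2 currently treats as literals only because they do not form a valid repetition. The exists helper the first rule calls is outside the hunk.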
@@ -103,14 +103,14 @@ CxPolicy[result] { variables_undefined(server) { url := server.url - url_variables := regex.find_n("{[a-zA-Z]+}", url, -1) + url_variables := regex.find_n(`{[a-zA-Z]+}`, url, -1) url_variables != [] not common_lib.valid_key(server, "variables") } variables_undefined(server) { url := server.url - url_variables := regex.find_n("{[a-zA-Z]+}", url, -1) + url_variables := regex.find_n(`{[a-zA-Z]+}`, url, -1) url_variables != [] var := replace(url_variables[j], "{", "") clean_var := replace(var, "}", "") diff --git a/assets/queries/openAPI/3.0/servers_undefined/query.rego b/assets/queries/openAPI/3.0/servers_undefined/query.rego index c2aee77eb38..8aabd806115 100644 --- a/assets/queries/openAPI/3.0/servers_undefined/query.rego +++ b/assets/queries/openAPI/3.0/servers_undefined/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/query.rego b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/query.rego index 4c0f4aa3ae4..24041ad2c7e 100644 --- a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/query.rego +++ b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/3.0/undefined_security_scope_global_security/query.rego b/assets/queries/openAPI/3.0/undefined_security_scope_global_security/query.rego index 5eb9b4a0517..52b6d5840b2 100644 --- a/assets/queries/openAPI/3.0/undefined_security_scope_global_security/query.rego 
+++ b/assets/queries/openAPI/3.0/undefined_security_scope_global_security/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/query.rego b/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/query.rego index f993061d07e..c51b4df661e 100644 --- a/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/query.rego +++ b/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/3.0/unknown_property/query.rego b/assets/queries/openAPI/3.0/unknown_property/query.rego index 2adbf0e268c..0f95b6fe618 100644 --- a/assets/queries/openAPI/3.0/unknown_property/query.rego +++ b/assets/queries/openAPI/3.0/unknown_property/query.rego @@ -1,6 +1,7 @@ package Cx import data.generic.openapi as openapi_lib +import future.keywords.in CxPolicy[result] { doc := input.document[i] @@ -28,10 +29,10 @@ CxPolicy[result] { [path, value] := walk(doc) objectValues := {"array": array_objects, "simple": simple_objects, "map": map_objects} - objValues := objectValues[objType][object] + objValues := objectValues[objType][obj] index := {"array": 1, "simple": 1, "map": 2} - path[minus(count(path), index[objType])] == object + path[count(path) - index[objType]] == obj objType == "array" is_array(value) 
@@ -42,8 +43,8 @@ CxPolicy[result] { "documentId": doc.id, "searchKey": sprintf("%s.%s", [openapi_lib.concat_path(path), field]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("The field '%s' is known in the %s object", [field, object]), - "keyActualValue": sprintf("The field '%s' is unknown in the %s object", [field, object]), + "keyExpectedValue": sprintf("The field '%s' is known in the %s object", [field, obj]), + "keyActualValue": sprintf("The field '%s' is unknown in the %s object", [field, obj]), } } @@ -54,10 +55,10 @@ CxPolicy[result] { [path, value] := walk(doc) objectValues := {"array": array_objects, "simple": simple_objects, "map": map_objects} - objValues := objectValues[objType][object] + objValues := objectValues[objType][obj] index := {"array": 1, "simple": 1, "map": 2} - path[minus(count(path), index[objType])] == object + path[count(path) - index[objType]] == obj any([objType == "simple", objType == "map"]) value[field] @@ -67,8 +68,8 @@ CxPolicy[result] { "documentId": doc.id, "searchKey": sprintf("%s.%s", [openapi_lib.concat_path(path), field]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("The field '%s' is known in the %s object", [field, object]), - "keyActualValue": sprintf("The field '%s' is unknown in the %s object", [field, object]), + "keyExpectedValue": sprintf("The field '%s' is known in the %s object", [field, obj]), + "keyActualValue": sprintf("The field '%s' is unknown in the %s object", [field, obj]), } } @@ -78,7 +79,7 @@ CxPolicy[result] { [path, value] := walk(doc) - path[minus(count(path), 3)] == "callbacks" + path[count(path) - 3] == "callbacks" value[x] not known_field(map_objects.paths, x) @@ -104,11 +105,11 @@ openapi := { } known_openapi_object_field(field) { - field == openapi[_] + field in openapi } -known_field(object, value) { - object[_] == value +known_field(obj, value) { + value in obj } flow := { 
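Review bot: `known_field(obj, value) { value in obj }` reads backwards: the first parameter presumably holds the collection of known field names (it is called as `not known_field(map_objects.paths, x)` in the `@@ -78` hunk) and the second is the candidate field, so the head's `obj` is not an object and the body inverts the order of the head. Naming the parameters after their role, `known_field(fields, name) { name in fields }`, makes both the rule and its callers read naturally. The `@@ -28` and `@@ -54` hunks, which rename the outer rule's own `object` variable to `obj`, are fine as they stand.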
diff --git a/assets/queries/openAPI/general/array_items_has_no_type/query.rego b/assets/queries/openAPI/general/array_items_has_no_type/query.rego index 4b8031f27e1..e8a315de1c3 100644 --- a/assets/queries/openAPI/general/array_items_has_no_type/query.rego +++ b/assets/queries/openAPI/general/array_items_has_no_type/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/general/array_without_maximum_number_items/query.rego b/assets/queries/openAPI/general/array_without_maximum_number_items/query.rego index b3b3100c2a9..9b0da324acb 100644 --- a/assets/queries/openAPI/general/array_without_maximum_number_items/query.rego +++ b/assets/queries/openAPI/general/array_without_maximum_number_items/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] @@ -19,7 +19,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "Array schema has 'maxItems' set", "keyActualValue": "Array schema has 'maxItems' undefined", - "searchLine": common_lib.build_search_line(path, []) , + "searchLine": common_lib.build_search_line(path, []), "overrideKey": version, } } @@ -39,7 +39,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "Array schema has 'maxItems' set", "keyActualValue": "Array schema has 'maxItems' undefined", - "searchLine": common_lib.build_search_line(path, []) , + "searchLine": common_lib.build_search_line(path, []), "overrideKey": version, } } diff --git a/assets/queries/openAPI/general/default_response_undefined_operations/query.rego b/assets/queries/openAPI/general/default_response_undefined_operations/query.rego index 25875969384..7a16261fabc 100644 
--- a/assets/queries/openAPI/general/default_response_undefined_operations/query.rego +++ b/assets/queries/openAPI/general/default_response_undefined_operations/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/general/example_not_compliant_with_schema_type/query.rego b/assets/queries/openAPI/general/example_not_compliant_with_schema_type/query.rego index e086af32db8..de283193c4e 100644 --- a/assets/queries/openAPI/general/example_not_compliant_with_schema_type/query.rego +++ b/assets/queries/openAPI/general/example_not_compliant_with_schema_type/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib # policy for examples CxPolicy[result] { @@ -133,11 +133,11 @@ get_ref(obj, docs, type, version) = example { } else = example { version == "3.0" path := split(substring(obj["$ref"], 2, -1), "/") - example := docs.components[type][path[minus(count(path), 1)]] + example := docs.components[type][path[count(path) - 1]] } else = example { version == "2.0" path := split(substring(obj["$ref"], 2, -1), "/") - example := docs[type][path[minus(count(path), 1)]] + example := docs[type][path[count(path) - 1]] } # get_properties() - returns properties, type, and fields to compare diff --git a/assets/queries/openAPI/general/global_security_field_undefined/query.rego b/assets/queries/openAPI/general/global_security_field_undefined/query.rego index 4b487211216..c554cee23df 100644 --- a/assets/queries/openAPI/general/global_security_field_undefined/query.rego +++ b/assets/queries/openAPI/general/global_security_field_undefined/query.rego 
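Review bot: The `$ref` resolution in get_ref's 3.0 and 2.0 branches keys only on the last path segment, `example := docs.components[type][path[count(path) - 1]]`, so the section the reference actually points at is never compared with the `type` the caller passes, and `substring(obj["$ref"], 2, -1)` assumes a local `#/` reference. If `type` is meant to name the section, adding `path[1] == type` in the 3.0 branch (`path[0] == type` in the 2.0 branch) would make a reference into a different section that happens to share the name fall through instead of being compared against the wrong object; the intent should be confirmed against the callers. get_ref's first branch is outside the hunk.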
@@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/general/json_object_schema_without_properties/query.rego b/assets/queries/openAPI/general/json_object_schema_without_properties/query.rego index 558ee000047..d894e04e1f6 100644 --- a/assets/queries/openAPI/general/json_object_schema_without_properties/query.rego +++ b/assets/queries/openAPI/general/json_object_schema_without_properties/query.rego @@ -8,7 +8,7 @@ CxPolicy[result] { version != "undefined" [path, value] := walk(doc) - schema_ref = value.schema["RefMetadata"]["$ref"] + schema_ref = value.schema.RefMetadata["$ref"] openapi_lib.undefined_field_in_json_object(doc, schema_ref, "properties", version) result := { diff --git a/assets/queries/openAPI/general/json_object_schema_without_type/query.rego b/assets/queries/openAPI/general/json_object_schema_without_type/query.rego index 2313fcf36c0..11c7cf7b8ca 100644 --- a/assets/queries/openAPI/general/json_object_schema_without_type/query.rego +++ b/assets/queries/openAPI/general/json_object_schema_without_type/query.rego @@ -8,7 +8,7 @@ CxPolicy[result] { version != "undefined" [path, value] := walk(doc) - schema_ref = value.schema["RefMetadata"]["$ref"] + schema_ref = value.schema.RefMetadata["$ref"] openapi_lib.undefined_field_in_json_object(doc, schema_ref, "type", version) result := { diff --git a/assets/queries/openAPI/general/json_ref_alongside_properties/query.rego b/assets/queries/openAPI/general/json_ref_alongside_properties/query.rego index 317c00210a0..47f79f99cf1 100644 --- a/assets/queries/openAPI/general/json_ref_alongside_properties/query.rego +++ b/assets/queries/openAPI/general/json_ref_alongside_properties/query.rego 
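Review bot: `schema_ref = value.schema.RefMetadata["$ref"]` keeps the unification operator while every sibling json_reference_does_not_exists_* query in this commit binds the same value with `:=`; `schema_ref := value.schema.RefMetadata["$ref"]` is consistent and is what Regal's use-assignment-operator rule expects. The identical line appears in the json_object_schema_without_type hunk on this line, and `content = value.content[mime]` in invalid_media_type_value has the same shape. Both CxPolicy rules continue outside their hunks.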
@@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] @@ -9,7 +9,7 @@ CxPolicy[result] { version != "undefined" [path, value] := walk(doc) - value["RefMetadata"]["alone"] == false + value.RefMetadata.alone == false result := { "documentId": doc.id, diff --git a/assets/queries/openAPI/general/maximum_length_undefined/query.rego b/assets/queries/openAPI/general/maximum_length_undefined/query.rego index 9b64f246e3a..b6f41911fbd 100644 --- a/assets/queries/openAPI/general/maximum_length_undefined/query.rego +++ b/assets/queries/openAPI/general/maximum_length_undefined/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] @@ -12,7 +12,7 @@ CxPolicy[result] { info := openapi_lib.is_operation(path) openapi_lib.content_allowed(info.operation, info.code) openapi_lib.undefined_field_in_string_type(value, "maxLength") - checkForSecureStringFormats(value) + checkForSecureStringFormats(value) not limited_regex(value) result := { @@ -22,7 +22,7 @@ CxPolicy[result] { "keyExpectedValue": "'maxLength' should be defined", "keyActualValue": "'maxLength' is undefined", "overrideKey": version, - "searchLine": common_lib.build_search_line(path,["type"]), + "searchLine": common_lib.build_search_line(path, ["type"]), } } 
@@ -44,24 +44,24 @@ CxPolicy[result] { "keyExpectedValue": "'maxLength' should be defined", "keyActualValue": "'maxLength' is undefined", "overrideKey": version, - "searchLine": common_lib.build_search_line(path,["type"]), + "searchLine": common_lib.build_search_line(path, ["type"]), } } -limited_regex(value){ +limited_regex(value) { not contains(value.pattern, "+") not contains(value.pattern, "*") - not regex.match("[^\\\\]{\\d+,}", value.pattern) + not regex.match(`[^\\]{\d+,}`, value.pattern) } checkForSecureStringFormats(value) { - openapi_lib.undefined_field_in_string_type(value, "enum") # enums have the maxLength implicit + openapi_lib.undefined_field_in_string_type(value, "enum") # enums have the maxLength implicit checkStringFormat(value) } checkStringFormat(value) { - openapi_lib.undefined_field_in_string_type(value, "format") + openapi_lib.undefined_field_in_string_type(value, "format") } else { - value["format"] != "date" # date and date-time formats - value["format"] != "date-time" # have the maxLength implicit + value.format != "date" # date and date-time formats + value.format != "date-time" # have the maxLength implicit } diff --git a/assets/queries/openAPI/general/no_global_and_operation_security_defined/query.rego b/assets/queries/openAPI/general/no_global_and_operation_security_defined/query.rego index ab2ca9177dd..06b1b9af799 100644 --- a/assets/queries/openAPI/general/no_global_and_operation_security_defined/query.rego +++ b/assets/queries/openAPI/general/no_global_and_operation_security_defined/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/general/object_using_enum_with_keyword/query.rego b/assets/queries/openAPI/general/object_using_enum_with_keyword/query.rego index e6cbd066a41..403a8ac3de4 100644 
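Review bot: limited_regex treats a pattern as bounding the string length once it contains no `+`, `*` or `{n,}`, but an OpenAPI `pattern` is matched unanchored, so `"[a-z]{3}"` still accepts strings of any length and the missing maxLength goes unreported. Requiring anchors alongside the existing checks, `startswith(value.pattern, "^")` and `endswith(value.pattern, "$")`, keeps the exemption to patterns that can actually bound the length. The CxPolicy rule at the top of the hunk starts outside it.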
--- a/assets/queries/openAPI/general/object_using_enum_with_keyword/query.rego +++ b/assets/queries/openAPI/general/object_using_enum_with_keyword/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { keywords := ["multipleOf", "maximum", "minimum", "exclusiveMaximum", "exclusiveMinimum", "pattern", "minLength", "maxLength", "maxItems", "minItems", "uniqueItems", "required", "maxProperties", "minProperties"] diff --git a/assets/queries/openAPI/general/path_ambiguous/query.rego b/assets/queries/openAPI/general/path_ambiguous/query.rego index 29f0ccb421a..9f9586b4a53 100644 --- a/assets/queries/openAPI/general/path_ambiguous/query.rego +++ b/assets/queries/openAPI/general/path_ambiguous/query.rego @@ -25,6 +25,6 @@ CxPolicy[result] { } clean_name(name) = result { - templates := regex.find_n("\\{.*\\}", name, -1) + templates := regex.find_n(`\{.*\}`, name, -1) result := replace(name, templates[_], "") } diff --git a/assets/queries/openAPI/general/path_parameter_not_required/query.rego b/assets/queries/openAPI/general/path_parameter_not_required/query.rego index b30d5248ff7..b148bd6986a 100644 --- a/assets/queries/openAPI/general/path_parameter_not_required/query.rego +++ b/assets/queries/openAPI/general/path_parameter_not_required/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.openapi as openapi_lib import data.generic.common as common_lib +import data.generic.openapi as openapi_lib CxPolicy[result] { doc := input.document[i] diff --git a/assets/queries/openAPI/general/paths_object_empty/query.rego b/assets/queries/openAPI/general/paths_object_empty/query.rego index 3bff6c25c26..ec51e39051b 100644 --- a/assets/queries/openAPI/general/paths_object_empty/query.rego +++ b/assets/queries/openAPI/general/paths_object_empty/query.rego 
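Review bot: The greedy `.*` in `templates := regex.find_n(`\{.*\}`, name, -1)` matches from the first `{` to the last `}` in one go, so for a path such as `/{a}/x/{b}` the single template `{a}/x/{b}` is stripped and clean_name returns `/`, erasing the static `x` segment that distinguishes it from `/{c}/y/{d}`. `regex.find_n(`\{[^}]*\}`, name, -1)` keeps each placeholder separate so only the parameters are removed. The hunk covers all of clean_name; the CxPolicy rule that calls it is outside.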
@@ -1,7 +1,7 @@
 package Cx

-import data.generic.openapi as openapi_lib
 import data.generic.common as common_lib
+import data.generic.openapi as openapi_lib

 CxPolicy[result] {
 doc := input.document[i]
@@ -27,6 +27,4 @@ check_paths_object(paths) {
 }

 # In yaml an empty object is parsed into null
-check_paths_object(paths) {
- paths == null
-}
+check_paths_object(null) = true
diff --git a/assets/queries/openAPI/general/pattern_undefined/query.rego b/assets/queries/openAPI/general/pattern_undefined/query.rego
index b528de290d2..4b77469bcf8 100644
--- a/assets/queries/openAPI/general/pattern_undefined/query.rego
+++ b/assets/queries/openAPI/general/pattern_undefined/query.rego
@@ -1,7 +1,7 @@
 package Cx

-import data.generic.openapi as openapi_lib
 import data.generic.common as common_lib
+import data.generic.openapi as openapi_lib

 CxPolicy[result] {
 doc := input.document[i]
@@ -47,13 +47,13 @@ CxPolicy[result] {
 }

 checkForSecureStringFormats(value) {
- openapi_lib.undefined_field_in_string_type(value, "enum") # enums have an implicit pattern
+ openapi_lib.undefined_field_in_string_type(value, "enum") # enums have an implicit pattern
 checkStringFormat(value)
 }

 checkStringFormat(value) {
- openapi_lib.undefined_field_in_string_type(value, "format")
+ openapi_lib.undefined_field_in_string_type(value, "format")
 } else {
- value["format"] != "date" # date and date-time formats
- value["format"] != "date-time" # have an implicit pattern
+ value.format != "date" # date and date-time formats
+ value.format != "date-time" # have an implicit pattern
 }
diff --git a/assets/queries/openAPI/general/properties_missing_required_property/query.rego b/assets/queries/openAPI/general/properties_missing_required_property/query.rego
index 1a9f3e1b46e..55e788e656a 100644
--- a/assets/queries/openAPI/general/properties_missing_required_property/query.rego
+++ b/assets/queries/openAPI/general/properties_missing_required_property/query.rego
@@ -1,7 +1,7 @@
 package Cx

-import data.generic.openapi as openapi_lib
 import data.generic.common as common_lib
+import data.generic.openapi as openapi_lib

 CxPolicy[result] {
 doc := input.document[i]
diff --git a/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/query.rego b/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/query.rego
index 49e9ba73b51..b226c129de4 100644
--- a/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/query.rego
+++ b/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/query.rego
@@ -1,7 +1,7 @@
 package Cx

-import data.generic.openapi as openapi_lib
 import data.generic.common as common_lib
+import data.generic.openapi as openapi_lib

 CxPolicy[result] {
 doc := input.document[i]
diff --git a/assets/queries/openAPI/general/required_property_default_value/query.rego b/assets/queries/openAPI/general/required_property_default_value/query.rego
index c209ff697dd..b9e06a042bc 100644
--- a/assets/queries/openAPI/general/required_property_default_value/query.rego
+++ b/assets/queries/openAPI/general/required_property_default_value/query.rego
@@ -1,7 +1,7 @@
 package Cx

-import data.generic.openapi as openapi_lib
 import data.generic.common as common_lib
+import data.generic.openapi as openapi_lib

 CxPolicy[result] {
 doc := input.document[i]
diff --git a/assets/queries/openAPI/general/response_code_missing/query.rego b/assets/queries/openAPI/general/response_code_missing/query.rego
index 768b5754e49..c5c43a17b43 100644
--- a/assets/queries/openAPI/general/response_code_missing/query.rego
+++ b/assets/queries/openAPI/general/response_code_missing/query.rego
@@ -1,7 +1,7 @@
 package Cx

-import data.generic.openapi as openapi_lib
 import data.generic.common as common_lib
+import data.generic.openapi as openapi_lib

 CxPolicy[result] {
 doc := input.document[i]
@@ -20,10 +20,9 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("%s response should be set", [wantedResponses]),
 "keyActualValue": sprintf("%s response is undefined", [wantedResponses]),
- "searchValue": sprintf("%s", [wantedResponses]),
- "overrideKey": version,
 "searchValue": sprintf("%s response", [wantedResponses]),
- "searchLine": common_lib.build_search_line(["paths", n, oper, "responses"],[]),
+ "overrideKey": version,
+ "searchLine": common_lib.build_search_line(["paths", n, oper, "responses"], []),
 }
 }

@@ -45,7 +44,7 @@ CxPolicy[result] {
 "keyActualValue": "415 response is undefined",
 "overrideKey": version,
 "searchValue": "415 response",
- "searchLine": common_lib.build_search_line(["paths", n, oper, "responses"],[]),
+ "searchLine": common_lib.build_search_line(["paths", n, oper, "responses"], []),
 }
 }

@@ -67,7 +66,7 @@ CxPolicy[result] {
 "keyActualValue": "404 response is undefined",
 "overrideKey": version,
 "searchValue": "404 response",
- "searchLine": common_lib.build_search_line(["paths", n, oper, "responses"],[]),
+ "searchLine": common_lib.build_search_line(["paths", n, oper, "responses"], []),
 }
 }

@@ -88,7 +87,7 @@ CxPolicy[result] {
 "keyActualValue": "200 response is undefined",
 "overrideKey": version,
 "searchValue": "200 response",
- "searchLine": common_lib.build_search_line(["paths", n, oper, "responses"],[]),
+ "searchLine": common_lib.build_search_line(["paths", n, oper, "responses"], []),
 }
 }

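Review bot: Dropping the first `"searchValue": sprintf("%s", [wantedResponses])` entry in the hunk at line 20 is a behavioural fix, not formatting: the result object literal previously mapped the same key to two different values, which I believe OPA rejects at evaluation time (object keys must be unique), so this rule may never have produced a finding before. The same duplicate is removed in the `@@ -109,9` hunk of this file. It deserves a mention in the commit message and a positive test sample for the missing-response case so the rule is known to fire now.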
@@ -109,9 +108,8 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("%s response should be set when security field is defined", [wantedResponses]),
 "keyActualValue": sprintf("%s response is undefined when security field is defined", [wantedResponses]),
- "searchValue": sprintf("%s", [wantedResponses]),
- "overrideKey": version,
 "searchValue": sprintf("%s response", [wantedResponses]),
- "searchLine": common_lib.build_search_line(["paths", n, oper, "responses"],[]),
+ "overrideKey": version,
+ "searchLine": common_lib.build_search_line(["paths", n, oper, "responses"], []),
 }
 }
diff --git a/assets/queries/openAPI/general/schema_discriminator_not_required/query.rego b/assets/queries/openAPI/general/schema_discriminator_not_required/query.rego
index 1ee3dc26140..c0c0febd3f5 100644
--- a/assets/queries/openAPI/general/schema_discriminator_not_required/query.rego
+++ b/assets/queries/openAPI/general/schema_discriminator_not_required/query.rego
@@ -1,6 +1,7 @@
 package Cx

 import data.generic.openapi as openapi_lib
+import future.keywords.in

 CxPolicy[result] {
 doc := input.document[i]
@@ -44,5 +45,5 @@ CxPolicy[result] {
 }

 required(schema, discriminator) {
- schema.required[_] == discriminator
+ discriminator in schema.required
 }
diff --git a/assets/queries/openAPI/general/schema_object_with_circular_ref/query.rego b/assets/queries/openAPI/general/schema_object_with_circular_ref/query.rego
index cb9be06597d..6746a92691b 100644
--- a/assets/queries/openAPI/general/schema_object_with_circular_ref/query.rego
+++ b/assets/queries/openAPI/general/schema_object_with_circular_ref/query.rego
@@ -1,7 +1,7 @@
 package Cx

-import data.generic.openapi as openapi_lib
 import data.generic.common as common_lib
+import data.generic.openapi as openapi_lib

 CxPolicy[result] {
 doc := input.document[i]
@@ -17,11 +17,11 @@ CxPolicy[result] {
 "3.0": "#/components/schemas/",
 }

- trim_prefix(properties["RefMetadata"]["$ref"], refPaths[version]) == path[minus(count(path), 1)]
+ trim_prefix(properties.RefMetadata["$ref"], refPaths[version]) == path[count(path) - 1]

 result := {
 "documentId": doc.id,
- "searchKey": sprintf("%s.%s.$ref=%s", [openapi_lib.concat_path(path), types[prop], properties["RefMetadata"]["$ref"]]),
+ "searchKey": sprintf("%s.%s.$ref=%s", [openapi_lib.concat_path(path), types[prop], properties.RefMetadata["$ref"]]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("%s.%s should not reference own schema", [concat(".", path), types[prop]]),
 "keyActualValue": sprintf("%s.%s reference own schema", [concat(".", path), types[prop]]),
diff --git a/assets/queries/openAPI/general/security_empty_array/query.rego b/assets/queries/openAPI/general/security_empty_array/query.rego
index 0f98eb98584..d7461961fec 100644
--- a/assets/queries/openAPI/general/security_empty_array/query.rego
+++ b/assets/queries/openAPI/general/security_empty_array/query.rego
@@ -1,7 +1,7 @@
 package Cx

-import data.generic.openapi as openapi_lib
 import data.generic.common as common_lib
+import data.generic.openapi as openapi_lib

 CxPolicy[result] {
 doc := input.document[i]
diff --git a/assets/queries/openAPI/general/security_empty_object_definition/query.rego b/assets/queries/openAPI/general/security_empty_object_definition/query.rego
index 10942cc67df..9fcc3515899 100644
--- a/assets/queries/openAPI/general/security_empty_object_definition/query.rego
+++ b/assets/queries/openAPI/general/security_empty_object_definition/query.rego
@@ -1,7 +1,7 @@
 package Cx

-import data.generic.openapi as openapi_lib
 import data.generic.common as common_lib
+import data.generic.openapi as openapi_lib

 CxPolicy[result] {
 doc := input.document[i]
diff --git a/assets/queries/openAPI/general/security_operations_empty_array/query.rego b/assets/queries/openAPI/general/security_operations_empty_array/query.rego
index e6bc6457a6a..022f0849dca 100644
--- a/assets/queries/openAPI/general/security_operations_empty_array/query.rego
+++ b/assets/queries/openAPI/general/security_operations_empty_array/query.rego
@@ -1,7 +1,7 @@
 package Cx

-import data.generic.openapi as openapi_lib
 import data.generic.common as common_lib
+import data.generic.openapi as openapi_lib

 CxPolicy[result] {
 doc := input.document[i]
diff --git a/assets/queries/openAPI/general/security_operations_empty_object_definition/query.rego b/assets/queries/openAPI/general/security_operations_empty_object_definition/query.rego
index ba070c1c626..949a1b53f28 100644
--- a/assets/queries/openAPI/general/security_operations_empty_object_definition/query.rego
+++ b/assets/queries/openAPI/general/security_operations_empty_object_definition/query.rego
@@ -1,7 +1,7 @@
 package Cx

-import data.generic.openapi as openapi_lib
 import data.generic.common as common_lib
+import data.generic.openapi as openapi_lib

 CxPolicy[result] {
 doc := input.document[i]
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/query.rego b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/query.rego
index 6157057785a..8929268a26d 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/query.rego
+++ b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/query.rego
@@ -1,7 +1,7 @@
 package Cx

-import data.generic.openapi as openapi_lib
 import data.generic.common as common_lib
+import data.generic.openapi as openapi_lib

 CxPolicy[result] {
 doc := input.document[i]
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/query.rego b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/query.rego
index a287bd90f17..0ca05c3c1d9 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/query.rego
+++ b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/query.rego
@@ -1,7 +1,7 @@
 package Cx

-import data.generic.openapi as openapi_lib
 import data.generic.common as common_lib
+import data.generic.openapi as openapi_lib

 CxPolicy[result] {
 doc := input.document[i]
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/query.rego b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/query.rego
index f260a1590b8..cb6ce4990be 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/query.rego
+++ b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/query.rego
@@ -1,7 +1,7 @@
 package Cx

-import data.generic.openapi as openapi_lib
 import data.generic.common as common_lib
+import data.generic.openapi as openapi_lib

 CxPolicy[result] {
 doc := input.document[i]
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/query.rego b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/query.rego
index d4bf989b057..1446362f147 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/query.rego
+++ b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/query.rego
@@ -1,7 +1,7 @@
 package Cx

-import data.generic.openapi as openapi_lib
 import data.generic.common as common_lib
+import data.generic.openapi as openapi_lib

 CxPolicy[result] {
 doc := input.document[i]
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/query.rego b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/query.rego
index 8073dad613f..8c5afff20e9 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/query.rego
+++ b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/query.rego
@@ -1,7 +1,7 @@
 package Cx

-import data.generic.openapi as openapi_lib
 import data.generic.common as common_lib
+import data.generic.openapi as openapi_lib

 CxPolicy[result] {
 doc := input.document[i]
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/query.rego b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/query.rego
index a731b9a6316..f9f05d8473e 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/query.rego
+++ b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/query.rego
@@ -1,7 +1,7 @@
 package Cx

-import data.generic.openapi as openapi_lib
 import data.generic.common as common_lib
+import data.generic.openapi as openapi_lib

 CxPolicy[result] {
 doc := input.document[i]
diff --git a/assets/queries/openAPI/general/type_has_invalid_keyword/query.rego b/assets/queries/openAPI/general/type_has_invalid_keyword/query.rego
index 75d4a933f66..b6e9fc1c464 100644
--- a/assets/queries/openAPI/general/type_has_invalid_keyword/query.rego
+++ b/assets/queries/openAPI/general/type_has_invalid_keyword/query.rego
@@ -29,14 +29,14 @@ CxPolicy[result] {
 }

 check_keywords(value) = invalidKeys {
- invalidKeys := { invalidKeyword |
- keywords := specificKeywords[type]
+ invalidKeys := {invalidKeyword |
+ keywords := specificKeywords[type]
 typeName := get_value_type(value.type)
 type != typeName
 value[key]
 common_lib.inArray(keywords, key)
 invalidKeyword := key
- }
+ }
 }

 get_value_type(type) = typeName {
@@ -45,4 +45,3 @@ get_value_type(type) = typeName {
 } else = typeName {
 typeName := type
 }
-
diff --git a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego
index 8f5d43ca429..6dd37ef779d 100644
--- a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego
+++ b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego
@@ -21,7 +21,6 @@ CxPolicy[result] {
 }
 }

-
 CxPolicy[result] {
 resource := input.document[i].resources[name]
 resource.type == "aws:dms:ReplicationInstance"
@@ -38,4 +37,4 @@ CxPolicy[result] {
 "keyActualValue": "Attribute 'publiclyAccessible' is not defined",
 "searchLine": common_lib.build_search_line(["resources", name, "properties"], []),
 }
-}
\ No newline at end of file
+}
diff --git a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/query.rego b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/query.rego
index 95fe06edad4..855089dcfce 100644
--- a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/query.rego
+++ b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/query.rego
@@ -2,12 +2,13 @@ package Cx

 import data.generic.common as common_lib
 import data.generic.pulumi as plm_lib
+import future.keywords.in

-valid_types := ["aws:apigateway:Stage","aws:apigatewayv2:Stage"]
+valid_types := ["aws:apigateway:Stage", "aws:apigatewayv2:Stage"]

 CxPolicy[result] {
 resource := input.document[i].resources[name]
- resource.type == valid_types[_]
+ resource.type in valid_types

 not common_lib.valid_key(resource.properties, "accessLogSettings")

diff --git a/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/query.rego b/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/query.rego
index cc07e37e6c2..eff67a11cda 100644
--- a/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/query.rego
+++ b/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/query.rego
@@ -2,12 +2,13 @@ package Cx

 import data.generic.common as common_lib
 import data.generic.pulumi as plm_lib
+import future.keywords.in

-valid_types := ["aws:apigateway:Stage","aws:apigatewayv2:Stage"]
+valid_types := ["aws:apigateway:Stage", "aws:apigatewayv2:Stage"]

 CxPolicy[result] {
 resource := input.document[i].resources[name]
- resource.type == valid_types[_]
+ resource.type in valid_types

 not common_lib.valid_key(resource.properties, "clientCertificateId")

diff --git a/assets/queries/pulumi/aws/docdb_logging_disabled/query.rego b/assets/queries/pulumi/aws/docdb_logging_disabled/query.rego
index 9096089b002..677cbdaaf8a 100644
--- a/assets/queries/pulumi/aws/docdb_logging_disabled/query.rego
+++ b/assets/queries/pulumi/aws/docdb_logging_disabled/query.rego
@@ -17,14 +17,13 @@ CxPolicy[result] {
 "resourceType": resource.type,
 "resourceName": name,
 "searchKey": sprintf("resources[%s].properties", [name]),
- "searchLine": common_lib.build_search_line(["resources", name, "properties"],[]),
+ "searchLine": common_lib.build_search_line(["resources", name, "properties"], []),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should be defined",
 "keyActualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports is undefined",
 }
 }

-
 CxPolicy[result] {
 resource := input.document[i].resources[name]
 resource.type == "aws:docdb:Cluster"
@@ -41,7 +40,7 @@ CxPolicy[result] {
 "resourceType": resource.type,
 "resourceName": name,
 "searchKey": sprintf("resources[%s].properties.enabledCloudwatchLogsExports", [name]),
- "searchLine": common_lib.build_search_line(["resources", name, "properties", "enabledCloudwatchLogsExports"],[]),
+ "searchLine": common_lib.build_search_line(["resources", name, "properties", "enabledCloudwatchLogsExports"], []),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("aws:docdb:Cluster.enabledCloudwatchLogsExports should have all following values: %s", [validTypeConcat]),
 "keyActualValue": sprintf("aws:docdb:Cluster.enabledCloudwatchLogsExports has the following missing values: %s", [concat(", ", missingTypes)]),
diff --git a/assets/queries/pulumi/aws/ec2_not_ebs_optimized/query.rego b/assets/queries/pulumi/aws/ec2_not_ebs_optimized/query.rego
index 2860ab7071d..8b683a32b7b 100644
--- a/assets/queries/pulumi/aws/ec2_not_ebs_optimized/query.rego
+++ b/assets/queries/pulumi/aws/ec2_not_ebs_optimized/query.rego
@@ -1,4 +1,4 @@
- package Cx
+package Cx

 import data.generic.common as common_lib
 import data.generic.pulumi as plm_lib
@@ -7,11 +7,9 @@ CxPolicy[result] {
 resource := input.document[i].resources[name]
 resource.type == "aws:ec2:Instance"

-
 not common_lib.is_aws_ebs_optimized_by_default(resource.properties.instanceType)
 not common_lib.valid_key(resource.properties, "ebsOptimized")

-
 result := {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego
index 89f03888651..fc664e9aad0 100644
--- a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego
+++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego
@@ -35,11 +35,11 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Attribute 'settings' should have a ClusterSetting named 'containerInsights' which value is 'enabled'",
 "keyActualValue": "Attribute 'settings' doesn't have a ClusterSetting named 'containerInsights' which value is 'enabled'",
- "searchLine": common_lib.build_search_line(["resources", name, "properties","settings"], []),
+ "searchLine": common_lib.build_search_line(["resources", name, "properties", "settings"], []),
 }
 }

-containerInsights(settings){
+containerInsights(settings) {
 settings[0].name == "containerInsights"
 settings[0].value == "enabled"
-}
\ No newline at end of file
+}
diff --git a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/query.rego b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/query.rego
index ce97c6c8ce7..2e2224efaee 100644
--- a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/query.rego
+++ b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/query.rego
@@ -8,10 +8,9 @@ CxPolicy[result] {
 resource.type == "aws:elasticache:Cluster"
 resource.properties.engine == "memcached"

- resource.properties.numCacheNodes >1
+ resource.properties.numCacheNodes > 1
 not common_lib.valid_key(resource.properties, "azMode")

-
 result := {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
@@ -29,7 +28,7 @@ CxPolicy[result] {
 resource.type == "aws:elasticache:Cluster"
 resource.properties.engine == "memcached"

- resource.properties.numCacheNodes >1
+ resource.properties.numCacheNodes > 1
 resource.properties.azMode != "cross-az"

 result := {
diff --git a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/query.rego b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/query.rego
index 26f53b94a32..e8d543d441a 100644
--- a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/query.rego
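Review bot: `containerInsights` in the ecs_cluster_container_insights_disabled hunk inspects only `settings[0]`, so a cluster whose `containerInsights` setting is not the first entry of `settings` is reported as disabled even when it is enabled. Iterate over the list so any entry can satisfy the check: `setting := settings[_]`, `setting.name == "containerInsights"`, `setting.value == "enabled"`. The brace-spacing change in this hunk does not alter that behaviour.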
+++ b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/query.rego
@@ -10,7 +10,6 @@ CxPolicy[result] {
 resource.properties.engine == "redis"
 not common_lib.valid_key(resource.properties, "snapshotRetentionLimit")

-
 result := {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
diff --git a/assets/queries/pulumi/aws/elasticsearch_logs_disabled/query.rego b/assets/queries/pulumi/aws/elasticsearch_logs_disabled/query.rego
index bd1cac7e7af..385ea9ef71d 100644
--- a/assets/queries/pulumi/aws/elasticsearch_logs_disabled/query.rego
+++ b/assets/queries/pulumi/aws/elasticsearch_logs_disabled/query.rego
@@ -37,7 +37,7 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Attribute 'enabled' should be defined and set to 'true'",
 "keyActualValue": "Attribute 'enabled' is not defined",
- "searchLine": common_lib.build_search_line(["resources", name, "properties","logPublishingOptions", index, "logType"], []),
+ "searchLine": common_lib.build_search_line(["resources", name, "properties", "logPublishingOptions", index, "logType"], []),
 }
 }

@@ -58,4 +58,4 @@ CxPolicy[result] {
 "keyActualValue": "Attribute 'enabled' is set to 'false'",
 "searchLine": common_lib.build_search_line(["resources", name, "properties", "logPublishingOptions", index, "enabled"], []),
 }
-}
\ No newline at end of file
+}
diff --git a/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/query.rego b/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/query.rego
index f60652d3bb4..693d9e12deb 100644
--- a/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/query.rego
+++ b/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/query.rego
@@ -17,6 +17,6 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("resources[%s].properties.domainEndpointOptions.enforceHTTPS should be set to 'true'", [name]),
 "keyActualValue": sprintf("resources[%s].properties.domainEndpointOptions.enforceHTTPS is set to 'false'", [name]),
- "searchLine": common_lib.build_search_line(["resources", name, "properties","domainEndpointOptions","enforceHTTPS"], []),
+ "searchLine": common_lib.build_search_line(["resources", name, "properties", "domainEndpointOptions", "enforceHTTPS"], []),
 }
 }
diff --git a/assets/queries/pulumi/aws/iam_password_without_minimum_length/query.rego b/assets/queries/pulumi/aws/iam_password_without_minimum_length/query.rego
index 65272e2e745..73eb0f88eea 100644
--- a/assets/queries/pulumi/aws/iam_password_without_minimum_length/query.rego
+++ b/assets/queries/pulumi/aws/iam_password_without_minimum_length/query.rego
@@ -9,7 +9,6 @@ CxPolicy[result] {

 not common_lib.valid_key(resource.properties, "minimumPasswordLength")

-
 result := {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
diff --git a/assets/queries/pulumi/kubernetes/missing_app_armor_config/query.rego b/assets/queries/pulumi/kubernetes/missing_app_armor_config/query.rego
index 73657cecee7..6ca0f87a720 100644
--- a/assets/queries/pulumi/kubernetes/missing_app_armor_config/query.rego
+++ b/assets/queries/pulumi/kubernetes/missing_app_armor_config/query.rego
@@ -8,7 +8,7 @@ CxPolicy[result] {
 resource.type == "kubernetes:core/v1:Pod"
 metadata := resource.properties.metadata

- annotations := metadata.annotations
+ annotations := metadata.annotations
 annotations != null

 not hasExpectedKey(annotations)
@@ -24,7 +24,7 @@ CxPolicy[result] {
 }
 }

-hasExpectedKey(annotations){
+hasExpectedKey(annotations) {
 annotations[key]
 expectedKey := "container.apparmor.security.beta.kubernetes.io"
 startswith(key, expectedKey)
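Review bot: `hasExpectedKey` in the missing_app_armor_config hunk only checks that an annotation key starts with `container.apparmor.security.beta.kubernetes.io`; the annotation's value is never examined, so a pod annotated with `unconfined` satisfies it and the rule, which is gated on `not hasExpectedKey(annotations)`, stays silent on a pod that has explicitly opted out of AppArmor. Add a value check after `startswith(key, expectedKey)`: `annotations[key] != "unconfined"`. The function's closing brace is outside the hunk.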
@@ -35,7 +35,7 @@ CxPolicy[result] {
 resource.type == "kubernetes:core/v1:Pod"
 metadata := resource.properties.metadata

- not common_lib.valid_key(metadata , "annotations")
+ not common_lib.valid_key(metadata, "annotations")

 result := {
 "documentId": input.document[i].id,
diff --git a/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/query.rego b/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/query.rego
index 9b9f879ab33..650ff2a6236 100644
--- a/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/query.rego
+++ b/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/query.rego
@@ -11,7 +11,6 @@ CxPolicy[result] {
 common_lib.valid_key(function, "environment")
 not common_lib.valid_key(function, "kmsKeyArn")

-
 result := {
 "documentId": input.document[i].id,
 "resourceType": sfw_lib.resourceTypeMapping("function", document.provider.name),
@@ -29,7 +28,6 @@ CxPolicy[result] {
 common_lib.valid_key(document.provider, "environment")
 not hasKMSarnAtProvider(document)

-

 result := {
 "documentId": input.document[i].id,
@@ -41,6 +39,6 @@ CxPolicy[result] {
 }
 }

-hasKMSarnAtProvider(doc){
+hasKMSarnAtProvider(doc) {
 common_lib.valid_key(doc.provider, "kmsKeyArn")
 }
diff --git a/assets/queries/serverlessFW/serverless_function_without_tags/query.rego b/assets/queries/serverlessFW/serverless_function_without_tags/query.rego
index ad0fddc149c..e89982f7f2c 100644
--- a/assets/queries/serverlessFW/serverless_function_without_tags/query.rego
+++ b/assets/queries/serverlessFW/serverless_function_without_tags/query.rego
@@ -23,7 +23,7 @@ CxPolicy[result] {
 }
 }

-hasNoStackTags(document){
+hasNoStackTags(document) {
 provider := document.provider
 not common_lib.valid_key(provider, "stackTags")
 }
diff --git a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/query.rego b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/query.rego
index a7aefe3f136..fc51de02f6a 100644
--- a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/query.rego
+++ b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/query.rego
@@ -35,10 +35,10 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": sfw_lib.resourceTypeMapping("function", document.provider.name),
 "resourceName": fname,
- "searchKey": sprintf("functions[%s].%s", [k,fname]),
+ "searchKey": sprintf("functions[%s].%s", [k, fname]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'role' should be defined inside the function",
 "keyActualValue": "'role' is not defined",
- "searchLine": common_lib.build_search_line(["functions",k ,fname], []),
+ "searchLine": common_lib.build_search_line(["functions", k, fname], []),
 }
 }
diff --git a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/query.rego b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/query.rego
index c3ad6778443..b4866820ab5 100644
--- a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/query.rego
+++ b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/query.rego
@@ -6,8 +6,7 @@ import data.generic.terraform as tf_lib
 CxPolicy[result] {
 some i
 resource := input.document[i].resource.alicloud_actiontrail_trail[name]
- not common_lib.valid_key(resource, "oss_bucket_name")
-
+ not common_lib.valid_key(resource, "oss_bucket_name")

 result := {
 "documentId": input.document[i].id,
@@ -17,7 +16,7 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": "oss_bucket_name should be set.",
 "keyActualValue": "oss_bucket_name is not set.",
- "searchLine": common_lib.build_search_line(["resource", "alicloud_actiontrail_trail", name], []),
+ "searchLine": common_lib.build_search_line(["resource", "alicloud_actiontrail_trail", name], []),
 }
 }

@@ -25,9 +24,8 @@ CxPolicy[result] {
 some i
 resource := input.document[i].resource.alicloud_actiontrail_trail[name]

- possibilities := {"event_rw", "trail_region"}
- not common_lib.valid_key(resource, possibilities[p])
-
+ possibilities := {"event_rw", "trail_region"}
+ not common_lib.valid_key(resource, possibilities[p])

 result := {
 "documentId": input.document[i].id,
@@ -35,9 +33,9 @@ CxPolicy[result] {
 "resourceName": tf_lib.get_specific_resource_name(resource, "alicloud_actiontrail_trail", name),
 "searchKey": sprintf("alicloud_actiontrail_trail[%s]", [name]),
 "issueType": "MissingAttribute",
- "keyExpectedValue": sprintf("'%s' should be set.",[possibilities[p]]),
- "keyActualValue": sprintf("'%s' is not set.",[possibilities[p]]),
- "searchLine": common_lib.build_search_line(["resource", "alicloud_actiontrail_trail", name], []),
+ "keyExpectedValue": sprintf("'%s' should be set.", [possibilities[p]]),
+ "keyActualValue": sprintf("'%s' is not set.", [possibilities[p]]),
+ "searchLine": common_lib.build_search_line(["resource", "alicloud_actiontrail_trail", name], []),
 "remediation": sprintf("%s= \"ALL\"", [p]),
 "remediationType": "addition",
 }
@@ -47,10 +45,10 @@ CxPolicy[result] {
 some i
 resource := input.document[i].resource.alicloud_actiontrail_trail[name]

- p := {"event_rw", "trail_region"}
- resource[p[f]] != "All"
+ p := {"event_rw", "trail_region"}
+ resource[p[f]] != "All"

- remediation := {"before":resource[p[f]] , "after": "All" }
+ remediation := {"before": resource[p[f]], "after": "All"}
 result := {
 "documentId": input.document[i].id,
 "resourceType": "alicloud_actiontrail_trail",
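Review bot: The remediation kept as a context line in the hunk at line 35, `"remediation": sprintf("%s= \"ALL\"", [p])`, suggests the value `"ALL"`, while the rule in the hunk at line 47 accepts only `"All"` (`resource[p[f]] != "All"`) and its own remediation sets `"All"`; a user who applies the first suggestion ends up with a value the second rule immediately flags. Align the casing with the comparison: `"remediation": sprintf("%s = \"All\"", [p]),`. The `@@ -59,7` hunk on the next line belongs to the same rule and needs no change.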
@@ -59,7 +57,7 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'%s' should be set to All", [p[f]]),
 "keyActualValue": sprintf("'%s' is not set to All", [p[f]]),
- "searchLine": common_lib.build_search_line(["resource", "alicloud_actiontrail_trail", name, p[f]], []),
+ "searchLine": common_lib.build_search_line(["resource", "alicloud_actiontrail_trail", name, p[f]], []),
 "remediation": json.marshal(remediation),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/query.rego b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/query.rego
index f94123a6551..b49f5db526c 100644
--- a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/query.rego
+++ b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/query.rego
@@ -4,27 +4,27 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - some i - actiontrail := input.document[i].resource.alicloud_actiontrail_trail[name] - bucket_name := actiontrail.oss_bucket_name - bucket := input.document[_].resource.alicloud_oss_bucket[_] - possibilities:={"public-read", "public-read-write"} - bucket.bucket == bucket_name - bucket.acl == possibilities[p] - - result := { - "documentId": input.document[i].id, - "resourceType": "alicloud_oss_bucket", + some i + actiontrail := input.document[i].resource.alicloud_actiontrail_trail[name] + bucket_name := actiontrail.oss_bucket_name + bucket := input.document[_].resource.alicloud_oss_bucket[_] + possibilities := {"public-read", "public-read-write"} + bucket.bucket == bucket_name + bucket.acl == possibilities[p] + + result := { + "documentId": input.document[i].id, + "resourceType": "alicloud_oss_bucket", "resourceName": tf_lib.get_specific_resource_name(actiontrail, "alicloud_oss_bucket", name), - "searchKey": sprintf("alicloud_oss_bucket[%s].acl", [name]), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'alicloud_oss_bucket[%s].oss_bucket_name' is private", [name]), - "keyActualValue": sprintf("'alicloud_oss_bucket[%s].oss_bucket_name' is %s", [name, possibilities[p]]), - "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "acl"], []), - "remediation": json.marshal({ - "before": p, - "after": "private" - }), - "remediationType": "replacement", - } + "searchKey": sprintf("alicloud_oss_bucket[%s].acl", [name]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("'alicloud_oss_bucket[%s].oss_bucket_name' is private", [name]), + "keyActualValue": sprintf("'alicloud_oss_bucket[%s].oss_bucket_name' is %s", [name, possibilities[p]]), + "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "acl"], []), + "remediation": json.marshal({ + "before": p, + "after": 
"private", + }), + "remediationType": "replacement", + } } diff --git a/assets/queries/terraform/alicloud/alb_listening_on_http/query.rego b/assets/queries/terraform/alicloud/alb_listening_on_http/query.rego index e68cad6f295..8db81602aaa 100644 --- a/assets/queries/terraform/alicloud/alb_listening_on_http/query.rego +++ b/assets/queries/terraform/alicloud/alb_listening_on_http/query.rego @@ -18,8 +18,8 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "alicloud_alb_listener", name, "listener_protocol"], []), "remediation": json.marshal({ "before": "HTTP", - "after": "HTTPS" + "after": "HTTPS", }), - "remediationType": "replacement" + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/query.rego b/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/query.rego index cf3a70dcc44..932031787a7 100644 --- a/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/query.rego +++ b/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/query.rego @@ -6,7 +6,7 @@ import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.alicloud_api_gateway_api[name] request_config := resource.request_config - request_config.protocol != "HTTPS" + request_config.protocol != "HTTPS" result := { "documentId": input.document[i].id, 
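Review bot: The result in this rule is keyed on the wrong resource: `name` is the `alicloud_actiontrail_trail` key, but searchKey, searchLine and resourceName treat it as the `alicloud_oss_bucket` key, while the bucket is bound with `alicloud_oss_bucket[_]` in `input.document[_]`, so the reported location is `alicloud_oss_bucket[<trail name>]` (which need not exist) and documentId may name a document other than the one holding the bucket. Bind the bucket's document index and key and use those in the result; the expected/actual strings also describe `.oss_bucket_name` although the attribute compared is `acl`. `p` from `possibilities[p]` is the acl string itself, so `"before": p` can stay.
```rego
CxPolicy[result] {
	some i, j
	actiontrail := input.document[i].resource.alicloud_actiontrail_trail[name]
	bucket_name := actiontrail.oss_bucket_name
	bucket := input.document[j].resource.alicloud_oss_bucket[bucket_key]
	# … unchanged: possibilities, bucket.bucket == bucket_name, acl match …
	result := {
		"documentId": input.document[j].id,
		"resourceType": "alicloud_oss_bucket",
		"resourceName": tf_lib.get_specific_resource_name(bucket, "alicloud_oss_bucket", bucket_key),
		"searchKey": sprintf("alicloud_oss_bucket[%s].acl", [bucket_key]),
		# … unchanged: issueType …
		"keyExpectedValue": sprintf("'alicloud_oss_bucket[%s].acl' is private", [bucket_key]),
		"keyActualValue": sprintf("'alicloud_oss_bucket[%s].acl' is %s", [bucket_key, possibilities[p]]),
		"searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", bucket_key, "acl"], []),
		# … unchanged: remediation, remediationType …
	}
}
```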
@@ -16,14 +16,14 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "'protocol' value should be 'HTTPS'", "keyActualValue": "'protocol' value is 'HTTP' or 'HTTP,HTTPS'", - "searchLine": common_lib.build_search_line(["resource", "alicloud_api_gateway_api", name, "request_config","protocol"], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_api_gateway_api", name, "request_config", "protocol"], []), } } CxPolicy[result] { resource := input.document[i].resource.alicloud_api_gateway_api[name] request_config := resource.request_config[index] - request_config.protocol != "HTTPS" + request_config.protocol != "HTTPS" result := { "documentId": input.document[i].id, @@ -32,7 +32,7 @@ CxPolicy[result] { "searchKey": sprintf("alicloud_api_gateway_api[%s].request_config.protocol", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "'protocol' value should be 'HTTPS'", - "keyActualValue": "'protocol' value is 'HTTP' or 'HTTP,HTTPS'", - "searchLine": common_lib.build_search_line(["resource", "alicloud_api_gateway_api", name, "request_config", index, "protocol" ], []), + "keyActualValue": "'protocol' value is 'HTTP' or 'HTTP,HTTPS'", + "searchLine": common_lib.build_search_line(["resource", "alicloud_api_gateway_api", name, "request_config", index, "protocol"], []), } } diff --git a/assets/queries/terraform/alicloud/cmk_is_unusable/query.rego b/assets/queries/terraform/alicloud/cmk_is_unusable/query.rego index 2b20a3fbb0a..fb7d473f4ef 100644 --- a/assets/queries/terraform/alicloud/cmk_is_unusable/query.rego +++ b/assets/queries/terraform/alicloud/cmk_is_unusable/query.rego 
@@ -18,7 +18,7 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("alicloud_kms_key[%s].is_enabled should be set to true", [name]), "keyActualValue": sprintf("alicloud_kms_key[%s].is_enabled is set to false", [name]), - "searchLine": common_lib.build_search_line(["resource", "alicloud_kms_key", name, "is_enabled"], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_kms_key", name, "is_enabled"], []), "remediation": json.marshal(remediation), "remediationType": "replacement", } @@ -37,7 +37,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("alicloud_kms_key[%s].is_enabled should be set to true", [name]), "keyActualValue": sprintf("alicloud_kms_key[%s].is_enabled is not set", [name]), - "searchLine": common_lib.build_search_line(["resource", "alicloud_kms_key", name], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_kms_key", name], []), "remediation": "is_enabled = true", "remediationType": "addition", } diff --git a/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/query.rego b/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/query.rego index 47f9e8e8b01..a1f873be165 100644 --- a/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/query.rego +++ b/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/query.rego 
@@ -4,60 +4,57 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - resource := input.document[i].resource.alicloud_cs_kubernetes_node_pool[name] - - auto_repair := resource.management.auto_repair - auto_repair == false + + auto_repair := resource.management.auto_repair + auto_repair == false result := { "documentId": input.document[i].id, "resourceType": "alicloud_cs_kubernetes_node_pool", "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("alicloud_cs_kubernetes_node_pool[%s].resource.management.auto_repair ",[name]), + "searchKey": sprintf("alicloud_cs_kubernetes_node_pool[%s].resource.management.auto_repair ", [name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("For the resource alicloud_cs_kubernetes_node_pool[%s] to have 'auto_repair' set to true.", [name]), "keyActualValue": sprintf("The resource alicloud_cs_kubernetes_node_pool[%s] has 'auto_repair' set to false.", [name]), - "searchLine":common_lib.build_search_line(["resource", "alicloud_cs_kubernetes_node_pool", name, "management", "auto_repair"], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_cs_kubernetes_node_pool", name, "management", "auto_repair"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } } CxPolicy[result] { - resource := input.document[i].resource.alicloud_cs_kubernetes_node_pool[name] - not common_lib.valid_key(resource, "management") - + not common_lib.valid_key(resource, "management") + result := { "documentId": input.document[i].id, "resourceType": "alicloud_cs_kubernetes_node_pool", "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("alicloud_cs_kubernetes_node_pool[%s]",[name]), + "searchKey": sprintf("alicloud_cs_kubernetes_node_pool[%s]", [name]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("For the resource 
alicloud_cs_kubernetes_node_pool[%s] to have a 'management' block containing 'auto_repair' set to true.", [name]), "keyActualValue": sprintf("The resource alicloud_cs_kubernetes_node_pool[%s] does not have a 'management' block.", [name]), - "searchLine":common_lib.build_search_line(["resource", "alicloud_cs_kubernetes_node_pool", name], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_cs_kubernetes_node_pool", name], []), } } CxPolicy[result] { - resource := input.document[i].resource.alicloud_cs_kubernetes_node_pool[name] - not common_lib.valid_key(resource.management, "auto_repair") - + not common_lib.valid_key(resource.management, "auto_repair") + result := { "documentId": input.document[i].id, "resourceType": "alicloud_cs_kubernetes_node_pool", "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("alicloud_cs_kubernetes_node_pool[%s].management",[name]), + "searchKey": sprintf("alicloud_cs_kubernetes_node_pool[%s].management", [name]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("For the resource alicloud_cs_kubernetes_node_pool[%s] to have a 'management' block containing 'auto_repair' set to true.", [name]), "keyActualValue": sprintf("The resource alicloud_cs_kubernetes_node_pool[%s] has a 'management' block but it doesn't contain 'auto_repair' ", [name]), - "searchLine":common_lib.build_search_line(["resource", "alicloud_cs_kubernetes_node_pool", name, "management"], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_cs_kubernetes_node_pool", name, "management"], []), "remediation": "auto_repair = true", "remediationType": "addition", } diff --git a/assets/queries/terraform/alicloud/disk_encryption_disabled/query.rego b/assets/queries/terraform/alicloud/disk_encryption_disabled/query.rego index e3d81215f83..de52a3d157f 100644 --- a/assets/queries/terraform/alicloud/disk_encryption_disabled/query.rego 
+++ b/assets/queries/terraform/alicloud/disk_encryption_disabled/query.rego @@ -4,10 +4,9 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - resource := input.document[i].resource.alicloud_disk[name] - resource.encrypted == false - + resource.encrypted == false + result := { "documentId": input.document[i].id, "resourceType": "alicloud_disk", 
@@ -16,32 +15,30 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("[%s] has encryption set to true", [name]), "keyActualValue": sprintf("[%s] has encryption set to false", [name]), - "searchLine":common_lib.build_search_line(["resource", "alicloud_disk", name, "encrypted"], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_disk", name, "encrypted"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } } CxPolicy[result] { - resource := input.document[i].resource.alicloud_disk[name] - not common_lib.valid_key(resource, "encrypted") + not common_lib.valid_key(resource, "encrypted") not common_lib.valid_key(resource, "snapshot_id") - + result := { "documentId": input.document[i].id, "resourceType": "alicloud_disk", "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("alicloud_disk[%s]",[name]), + "searchKey": sprintf("alicloud_disk[%s]", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("[%s] has encryption enabled",[name]), - "keyActualValue": sprintf("[%s] does not have encryption enabled",[name]), - "searchLine":common_lib.build_search_line(["resource", "alicloud_disk", name], []), + "keyExpectedValue": sprintf("[%s] has encryption enabled", [name]), + "keyActualValue": sprintf("[%s] does not have encryption enabled", [name]), + "searchLine": common_lib.build_search_line(["resource", "alicloud_disk", name], []), "remediation": "encrypted = true", - "remediationType": "addition", + "remediationType": "addition", } } - diff --git a/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/query.rego b/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/query.rego index 2e80b849ee1..b9641e7fdf1 100644 --- a/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/query.rego 
+++ b/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/query.rego @@ -4,9 +4,8 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - resource := input.document[i].resource.alicloud_disk[name] - not common_lib.valid_key(resource, "kms_key_id") + not common_lib.valid_key(resource, "kms_key_id") result := { "documentId": input.document[i].id, @@ -16,6 +15,6 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("[%s] has kms key id defined", [name]), "keyActualValue": sprintf("[%s] does not have kms key id defined", [name]), - "searchLine":common_lib.build_search_line(["resource", "alicloud_disk", name], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_disk", name], []), } } diff --git a/assets/queries/terraform/alicloud/high_kms_key_rotation_period/query.rego b/assets/queries/terraform/alicloud/high_kms_key_rotation_period/query.rego index 57b339d84c9..684bae1aa26 100644 --- a/assets/queries/terraform/alicloud/high_kms_key_rotation_period/query.rego +++ b/assets/queries/terraform/alicloud/high_kms_key_rotation_period/query.rego @@ -20,7 +20,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "alicloud_kms_key", name, "rotation_interval"], []), "remediation": json.marshal({ "before": resource.rotation_interval, - "after": "365d" + "after": "365d", }), "remediationType": "replacement", } @@ -29,7 +29,7 @@ CxPolicy[result] { CxPolicy[result] { some i resource := input.document[i].resource.alicloud_kms_key[name] - not common_lib.valid_key(resource, "automatic_rotation") + not common_lib.valid_key(resource, "automatic_rotation") result := { "documentId": input.document[i].id, 
@@ -48,7 +48,7 @@ CxPolicy[result] { CxPolicy[result] { some i resource := input.document[i].resource.alicloud_kms_key[name] - resource.automatic_rotation == "Disabled" + resource.automatic_rotation == "Disabled" result := { "documentId": input.document[i].id, @@ -61,22 +61,22 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "alicloud_kms_key", name, "automatic_rotation"], []), "remediation": json.marshal({ "before": "Disabled", - "after": "Enabled" + "after": "Enabled", }), "remediationType": "replacement", } } -getSeconds(resource) = value{ +getSeconds(resource) = value { contains(resource.rotation_interval, "s") - value := to_number(trim_suffix(resource.rotation_interval, "s")) -}else = value { + value := to_number(trim_suffix(resource.rotation_interval, "s")) +} else = value { contains(resource.rotation_interval, "m") - value := to_number(trim_suffix(resource.rotation_interval, "m"))*60 -}else = value { + value := to_number(trim_suffix(resource.rotation_interval, "m")) * 60 +} else = value { contains(resource.rotation_interval, "h") - value := to_number(trim_suffix(resource.rotation_interval, "h"))*3600 -}else = value { + value := to_number(trim_suffix(resource.rotation_interval, "h")) * 3600 +} else = value { contains(resource.rotation_interval, "d") - value := to_number(trim_suffix(resource.rotation_interval, "d"))*86400 + value := to_number(trim_suffix(resource.rotation_interval, "d")) * 86400 } diff --git a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/query.rego b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/query.rego index 8c133f7d4f4..b6caada651b 100644 --- a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/query.rego +++ b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/query.rego 
@@ -6,7 +6,7 @@ import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.alicloud_cs_kubernetes[name] - not common_lib.valid_key(resource, "pod_vswitch_ids") + not common_lib.valid_key(resource, "pod_vswitch_ids") result := { "documentId": input.document[i].id, @@ -14,16 +14,16 @@ CxPolicy[result] { "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("alicloud_cs_kubernetes[%s]", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("alicloud_cs_kubernetes[%s].pod_vswitch_ids should be defined and not null",[name]), - "keyActualValue": sprintf("alicloud_cs_kubernetes[%s].pod_vswitch_ids is undefined or null",[name]), - "searchLine": common_lib.build_search_line(["resource", "alicloud_cs_kubernetes", name], []), + "keyExpectedValue": sprintf("alicloud_cs_kubernetes[%s].pod_vswitch_ids should be defined and not null", [name]), + "keyActualValue": sprintf("alicloud_cs_kubernetes[%s].pod_vswitch_ids is undefined or null", [name]), + "searchLine": common_lib.build_search_line(["resource", "alicloud_cs_kubernetes", name], []), } } CxPolicy[result] { resource := input.document[i].resource.alicloud_cs_kubernetes[name] - not addons_with_terway(resource) + not addons_with_terway(resource) result := { "documentId": input.document[i].id, 
@@ -31,13 +31,12 @@ CxPolicy[result] { "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("alicloud_cs_kubernetes[%s]", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("alicloud_cs_kubernetes[%s].addons specifies the terway-eniip",[name]), - "keyActualValue": sprintf("alicloud_cs_kubernetes[%s].addons does not specify the terway-eniip",[name]), - "searchLine": common_lib.build_search_line(["resource", "alicloud_cs_kubernetes", name], []), + "keyExpectedValue": sprintf("alicloud_cs_kubernetes[%s].addons specifies the terway-eniip", [name]), + "keyActualValue": sprintf("alicloud_cs_kubernetes[%s].addons does not specify the terway-eniip", [name]), + "searchLine": common_lib.build_search_line(["resource", "alicloud_cs_kubernetes", name], []), } } - addons_with_terway(resource) { resource.addons[_].name == "terway-eniip" } else { diff --git a/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/query.rego b/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/query.rego index a11e53f41ae..0153464f879 100644 --- a/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/query.rego +++ b/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/query.rego @@ -18,7 +18,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "alicloud_launch_template", name, "encrypted"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/query.rego b/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/query.rego index a3112814af7..c9fb7a09536 100644 --- a/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/query.rego +++ b/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/query.rego 
@@ -4,10 +4,9 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - resource := input.document[i].resource.alicloud_log_store[name] - not common_lib.valid_key(resource, "retention_period") - + not common_lib.valid_key(resource, "retention_period") + result := { "documentId": input.document[i].id, "resourceType": "alicloud_log_store", @@ -16,18 +15,17 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "For attribute 'retention_period' should be set and over 90 days.", "keyActualValue": "The attribute 'retention_period' is undefined. The default duration when undefined is 30 days, which is too short.", - "searchLine": common_lib.build_search_line(["resource", "alicloud_log_store", name], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_log_store", name], []), "remediation": "retention_period = 100", "remediationType": "addition", } } CxPolicy[result] { - resource := input.document[i].resource.alicloud_log_store[name] - rperiod := resource.retention_period - to_number(rperiod) < 90 - + rperiod := resource.retention_period + to_number(rperiod) < 90 + result := { "documentId": input.document[i].id, "resourceType": "alicloud_log_store", @@ -36,10 +34,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "For the attribite 'retention_period' should be set to 90+ days", "keyActualValue": "The attribute 'retention_period' is not set to 90+ days", - "searchLine": common_lib.build_search_line(["resource", "alicloud_log_store", name, "retention_period"], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_log_store", name, "retention_period"], []), "remediation": json.marshal({ "before": sprintf("%d", [rperiod]), - "after": "100" + "after": "100", }), "remediationType": "replacement", } 
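Review bot: `to_number(rperiod) < 90` in the IncorrectValue rule (`@@ -16` hunk) lets `retention_period = 90` pass, while the query path says 'not greater than 90 days' and the MissingAttribute rule's expected value says 'over 90 days'; if strictly-greater is intended the check should be `to_number(rperiod) <= 90`, otherwise both messages should say '90 days or more'. Which of the two is intended is not visible in this diff, only the inconsistency. Separately, the remediation in the `@@ -36` hunk formats `rperiod` with `%d`, yet the rule deliberately goes through `to_number`, so a quoted `retention_period = "30"` would likely produce a garbled `before` value; `"before": sprintf("%v", [rperiod])` covers both the numeric and string cases.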
diff --git a/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/query.rego b/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/query.rego index 8dcc8f8339a..0f387822884 100644 --- a/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/query.rego +++ b/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/query.rego @@ -15,10 +15,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' should not be 0", [name]), "keyActualValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' is 0", [name]), - "searchLine":common_lib.build_search_line(["resource", "alicloud_nas_file_system", name, "encrypt_type"], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_nas_file_system", name, "encrypt_type"], []), "remediation": json.marshal({ "before": "0", - "after": "2" + "after": "2", }), "remediationType": "replacement", } @@ -36,7 +36,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' should be defined and the value different from 0 ", [name]), "keyActualValue": sprintf("alicloud_nas_file_system[%s].encrypt_type' is undefined", [name]), - "searchLine":common_lib.build_search_line(["resource", "alicloud_nas_file_system", name], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_nas_file_system", name], []), "remediation": "encrypt_type = \"2\"", "remediationType": "addition", } diff --git a/assets/queries/terraform/alicloud/nas_file_system_without_kms/query.rego b/assets/queries/terraform/alicloud/nas_file_system_without_kms/query.rego index c89aed01f50..5097b1d86f7 100644 --- a/assets/queries/terraform/alicloud/nas_file_system_without_kms/query.rego +++ b/assets/queries/terraform/alicloud/nas_file_system_without_kms/query.rego 
@@ -6,7 +6,7 @@ import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.alicloud_nas_file_system[name] not common_lib.valid_key(resource, "encrypt_type") - + result := { "documentId": input.document[i].id, "resourceType": "alicloud_nas_file_system", @@ -36,7 +36,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "alicloud_nas_file_system", name, "encrypt_type"], []), "remediation": json.marshal({ "before": resource.encrypt_type, - "after": "2" + "after": "2", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/alicloud/no_ros_stack_policy/query.rego b/assets/queries/terraform/alicloud/no_ros_stack_policy/query.rego index b64218850cb..66555b80e9a 100644 --- a/assets/queries/terraform/alicloud/no_ros_stack_policy/query.rego +++ b/assets/queries/terraform/alicloud/no_ros_stack_policy/query.rego @@ -5,7 +5,7 @@ import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.alicloud_ros_stack[name] - + not hasPolicy(resource) result := { @@ -22,7 +22,7 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i].resource.alicloud_ros_stack[name] - + not hasPolicyDuringUpdate(resource) result := { @@ -37,14 +37,14 @@ CxPolicy[result] { } } -hasPolicy(resource){ +hasPolicy(resource) { common_lib.valid_key(resource, "stack_policy_body") -}else{ +} else { common_lib.valid_key(resource, "stack_policy_url") } -hasPolicyDuringUpdate(resource){ +hasPolicyDuringUpdate(resource) { common_lib.valid_key(resource, "stack_policy_during_update_body") -}else{ +} else { common_lib.valid_key(resource, "stack_policy_during_update_url") } diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/query.rego b/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/query.rego index 272a1fac1a9..c1cfc13f62e 100644 
--- a/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/query.rego +++ b/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/query.rego @@ -7,16 +7,16 @@ CxPolicy[result] { resource := input.document[i].resource.alicloud_oss_bucket[name] json_policy := resource.policy - tf_lib.allows_action_from_all_principals(json_policy, "*") + tf_lib.allows_action_from_all_principals(json_policy, "*") result := { "documentId": input.document[i].id, "resourceType": "alicloud_oss_bucket", "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("alicloud_oss_bucket[%s].policy",[name]), + "searchKey": sprintf("alicloud_oss_bucket[%s].policy", [name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("alicloud_oss_bucket[%s].policy to not accept delete action from all principals",[name]), - "keyActualValue": sprintf("alicloud_oss_bucket[%s].policy accepts delete action from all principals",[name]), - "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "policy"], []), + "keyExpectedValue": sprintf("alicloud_oss_bucket[%s].policy to not accept delete action from all principals", [name]), + "keyActualValue": sprintf("alicloud_oss_bucket[%s].policy accepts delete action from all principals", [name]), + "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "policy"], []), } } diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/query.rego b/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/query.rego index f6522aa8b83..aeb1afdaf59 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/query.rego +++ b/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/query.rego 
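Review bot: keyExpectedValue and keyActualValue still say 'delete action' although this query passes `"*"` to `allows_action_from_all_principals`, i.e. it checks for all actions, so the finding text describes the wrong condition (looks copied from the delete query). Change them to `sprintf("alicloud_oss_bucket[%s].policy to not accept all actions from all principals", [name])` and `sprintf("alicloud_oss_bucket[%s].policy accepts all actions from all principals", [name])`. This rule also uses `tf_lib.get_resource_name(resource, name)` while the sibling delete/list/put queries in this diff use `tf_lib.get_specific_resource_name(resource, "alicloud_oss_bucket", name)`; aligning it keeps resourceName consistent across the OSS policy findings.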
@@ -6,17 +6,17 @@ import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.alicloud_oss_bucket[name]
 json_policy := resource.policy
-
- tf_lib.allows_action_from_all_principals(json_policy, "delete")
-
+
+ tf_lib.allows_action_from_all_principals(json_policy, "delete")
+
 result := {
 "documentId": input.document[i].id,
 "resourceType": "alicloud_oss_bucket",
 "resourceName": tf_lib.get_specific_resource_name(resource, "alicloud_oss_bucket", name),
- "searchKey": sprintf("alicloud_oss_bucket[%s].policy",[name]),
+ "searchKey": sprintf("alicloud_oss_bucket[%s].policy", [name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("alicloud_oss_bucket[%s].policy to not accept delete action from all principals",[name]),
- "keyActualValue": sprintf("alicloud_oss_bucket[%s].policy accepts delete action from all principals",[name]),
- "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "policy"], []),
+ "keyExpectedValue": sprintf("alicloud_oss_bucket[%s].policy to not accept delete action from all principals", [name]),
+ "keyActualValue": sprintf("alicloud_oss_bucket[%s].policy accepts delete action from all principals", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "policy"], []),
 }
 }
diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/query.rego b/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/query.rego
index 771e8a553cb..4fced711ee8 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/query.rego
+++ b/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/query.rego
@@ -7,16 +7,16 @@ CxPolicy[result] { resource := input.document[i].resource.alicloud_oss_bucket[name] json_policy := resource.policy - tf_lib.allows_action_from_all_principals(json_policy, "list") + tf_lib.allows_action_from_all_principals(json_policy, "list") result := { "documentId": input.document[i].id, "resourceType": "alicloud_oss_bucket", "resourceName": tf_lib.get_specific_resource_name(resource, "alicloud_oss_bucket", name), - "searchKey": sprintf("alicloud_oss_bucket[%s].policy",[name]), + "searchKey": sprintf("alicloud_oss_bucket[%s].policy", [name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("alicloud_oss_bucket[%s].policy to not accept list action from all principals",[name]), - "keyActualValue": sprintf("alicloud_oss_bucket[%s].policy accepts list action from all principals",[name]), - "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "policy"], []), + "keyExpectedValue": sprintf("alicloud_oss_bucket[%s].policy to not accept list action from all principals", [name]), + "keyActualValue": sprintf("alicloud_oss_bucket[%s].policy accepts list action from all principals", [name]), + "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "policy"], []), } } diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/query.rego b/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/query.rego index 2f002196681..a988404724e 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/query.rego +++ b/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/query.rego 
@@ -7,16 +7,16 @@ CxPolicy[result] { resource := input.document[i].resource.alicloud_oss_bucket[name] json_policy := resource.policy - tf_lib.allows_action_from_all_principals(json_policy, "put") + tf_lib.allows_action_from_all_principals(json_policy, "put") result := { "documentId": input.document[i].id, "resourceType": "alicloud_oss_bucket", "resourceName": tf_lib.get_specific_resource_name(resource, "alicloud_oss_bucket", name), - "searchKey": sprintf("alicloud_oss_bucket[%s].policy",[name]), + "searchKey": sprintf("alicloud_oss_bucket[%s].policy", [name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("alicloud_oss_bucket[%s].policy to not accept put action from all principals",[name]), - "keyActualValue": sprintf("alicloud_oss_bucket[%s].policy accepts put action from all principals",[name]), - "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "policy"], []), + "keyExpectedValue": sprintf("alicloud_oss_bucket[%s].policy to not accept put action from all principals", [name]), + "keyActualValue": sprintf("alicloud_oss_bucket[%s].policy accepts put action from all principals", [name]), + "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "policy"], []), } } diff --git a/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/query.rego b/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/query.rego index 4d1857a959d..163202b3b67 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/query.rego +++ b/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/query.rego 
@@ -4,38 +4,34 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - resource := input.document[i].resource.alicloud_oss_bucket[name] - sser := resource.server_side_encryption_rule + sser := resource.server_side_encryption_rule not common_lib.valid_key(sser, "kms_master_key_id") - result := { "documentId": input.document[i].id, "resourceType": "alicloud_oss_bucket", "resourceName": tf_lib.get_specific_resource_name(resource, "alicloud_oss_bucket", name), - "searchKey": sprintf("alicloud_oss_bucket[%s].server_side_encryption_rule",[name]), + "searchKey": sprintf("alicloud_oss_bucket[%s].server_side_encryption_rule", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("[%s].policy has kms master key id defined",[name]), - "keyActualValue": sprintf("[%s].policy does not kms master key id defined",[name]), - "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", "server_side_encryption_rule", name], []), + "keyExpectedValue": sprintf("[%s].policy has kms master key id defined", [name]), + "keyActualValue": sprintf("[%s].policy does not kms master key id defined", [name]), + "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", "server_side_encryption_rule", name], []), } } CxPolicy[result] { - resource := input.document[i].resource.alicloud_oss_bucket[name] - not common_lib.valid_key(resource, "server_side_encryption_rule") - - + not common_lib.valid_key(resource, "server_side_encryption_rule") + result := { "documentId": input.document[i].id, "resourceType": "alicloud_oss_bucket", "resourceName": tf_lib.get_specific_resource_name(resource, "alicloud_oss_bucket", name), - "searchKey": sprintf("alicloud_oss_bucket[%s]",[name]), + "searchKey": sprintf("alicloud_oss_bucket[%s]", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("[%s].policy has server side encryption rule and kms master key id defined",[name]), - "keyActualValue": 
sprintf("[%s].policy does not have server side encryption rule and kms master key id defined",[name]), - "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name], []), + "keyExpectedValue": sprintf("[%s].policy has server side encryption rule and kms master key id defined", [name]), + "keyActualValue": sprintf("[%s].policy does not have server side encryption rule and kms master key id defined", [name]), + "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name], []), } } diff --git a/assets/queries/terraform/alicloud/oss_bucket_has_static_website/query.rego b/assets/queries/terraform/alicloud/oss_bucket_has_static_website/query.rego index 096275e1e91..2ceea7d96e4 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_has_static_website/query.rego +++ b/assets/queries/terraform/alicloud/oss_bucket_has_static_website/query.rego @@ -6,8 +6,8 @@ import data.generic.terraform as tf_lib CxPolicy[result] { some i resource := input.document[i].resource.alicloud_oss_bucket[name] - - common_lib.valid_key(resource, "website") + + common_lib.valid_key(resource, "website") result := { "documentId": input.document[i].id, @@ -17,6 +17,6 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "'website' to not be used.", "keyActualValue": "'website' is being used.", - "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "website"], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "website"], []), } } diff --git a/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/query.rego b/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/query.rego index 89c28312205..4883d2f86a3 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/query.rego +++ b/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/query.rego 
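Review bot: In the first CxPolicy rule of oss_bucket_cmk_encryption_disabled the searchLine path lists the attribute before the resource name, `["resource", "alicloud_oss_bucket", "server_side_encryption_rule", name]`, while every sibling query in this diff uses `[..., name, "<attribute>"]`; presumably that makes the computed line point at a path that does not exist in the document, so the finding is reported without a usable line. It should read `"searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "server_side_encryption_rule"], []),`. The keyExpectedValue/keyActualValue strings of both rules also talk about `.policy` although the attribute being checked is server_side_encryption_rule, and "does not kms master key id defined" is missing its verb; something like `sprintf("alicloud_oss_bucket[%s].server_side_encryption_rule does not have kms_master_key_id defined", [name])` would match what the rule actually tests. The reformat-only commit leaves both as they were.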
@@ -6,26 +6,25 @@ import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.alicloud_oss_bucket[name] policy := resource.policy - - not ip_restricted(policy) + + not ip_restricted(policy) result := { "documentId": input.document[i].id, "resourceType": "alicloud_oss_bucket", "resourceName": tf_lib.get_specific_resource_name(resource, "alicloud_oss_bucket", name), - "searchKey": sprintf("alicloud_oss_bucket[%s].policy",[name]), + "searchKey": sprintf("alicloud_oss_bucket[%s].policy", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("[%s].policy has restricted ip access",[name]), - "keyActualValue": sprintf("[%s].policy does not restrict access via ip",[name]), - "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "policy"], []), + "keyExpectedValue": sprintf("[%s].policy has restricted ip access", [name]), + "keyActualValue": sprintf("[%s].policy does not restrict access via ip", [name]), + "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "policy"], []), } } -ip_restricted(policy) -{ +ip_restricted(policy) { u_policy := common_lib.json_unmarshal(policy) statement := common_lib.get_statement(u_policy) - st:=statement[_] - possibilities := {"IpAdress", "NotIpAdress"} - common_lib.valid_key(st.Condition[possibilities[_]], "acs:SourceIp") + st := statement[_] + possibilities := {"IpAdress", "NotIpAdress"} + common_lib.valid_key(st.Condition[possibilities[_]], "acs:SourceIp") } diff --git a/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/query.rego b/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/query.rego index 30d08c70793..11bb86e24cf 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/query.rego +++ b/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/query.rego 
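Review bot: `possibilities := {"IpAdress", "NotIpAdress"}` in ip_restricted misspells the Alibaba Cloud policy condition operators, which are `IpAddress` and `NotIpAddress`; with the current spelling the helper can never match a real policy, so `not ip_restricted(policy)` holds for every bucket that carries a policy and the query reports a finding even when a source-IP condition is present. The fix is `possibilities := {"IpAddress", "NotIpAddress"}`. The commit only re-indents this line, so the typo survives on the new side; a negative test fixture with a valid IpAddress condition on acs:SourceIp would have caught it.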
@@ -7,7 +7,7 @@ CxPolicy[result] { some i resource := input.document[i].resource.alicloud_oss_bucket[name].lifecycle_rule[_] - resource["enabled"] == false + resource.enabled == false result := { "documentId": input.document[i].id, @@ -17,10 +17,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "'lifecycle_rule' should be set and enabled", "keyActualValue": "'lifecycle_rule' is set but disabled", - "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "lifecycle_rule", "enabled"], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "lifecycle_rule", "enabled"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } @@ -30,7 +30,7 @@ CxPolicy[result] { some i resource := input.document[i].resource.alicloud_oss_bucket[name] - not common_lib.valid_key(resource, "lifecycle_rule") + not common_lib.valid_key(resource, "lifecycle_rule") result := { "documentId": input.document[i].id, @@ -40,6 +40,6 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "'lifecycle_rule' should be set and enabled", "keyActualValue": "'lifecycle_rule' is not set", - "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name], []), } } diff --git a/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/query.rego b/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/query.rego index b980753e03f..5101c34793a 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/query.rego +++ b/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/query.rego 
@@ -4,39 +4,37 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - resource := input.document[i].resource.alicloud_oss_bucket[name] - not common_lib.valid_key(resource,"logging") - + not common_lib.valid_key(resource, "logging") + result := { "documentId": input.document[i].id, "resourceType": "alicloud_oss_bucket", "resourceName": tf_lib.get_specific_resource_name(resource, "alicloud_oss_bucket", name), "searchKey": sprintf("alicloud_oss_bucket[%s]", [name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("%s has logging enabled",[name]), - "keyActualValue": sprintf("%s does not have logging enabled",[name]), - "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name], []), + "keyExpectedValue": sprintf("%s has logging enabled", [name]), + "keyActualValue": sprintf("%s does not have logging enabled", [name]), + "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name], []), } } CxPolicy[result] { - resource := input.document[i].resource.alicloud_oss_bucket[name] - resource.logging_isenable == false - + resource.logging_isenable == false + result := { "documentId": input.document[i].id, "resourceType": "alicloud_oss_bucket", "resourceName": tf_lib.get_specific_resource_name(resource, "alicloud_oss_bucket", name), "searchKey": sprintf("alicloud_oss_bucket[%s].logging_isenable", [name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("%s 'logging_isenable' argument should be set to true",[name]), - "keyActualValue": sprintf("%s 'logging_isenable' argument is set to false",[name]), - "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "logging_isenable"], []), + "keyExpectedValue": sprintf("%s 'logging_isenable' argument should be set to true", [name]), + "keyActualValue": sprintf("%s 'logging_isenable' argument is set to false", [name]), + "searchLine": common_lib.build_search_line(["resource", 
"alicloud_oss_bucket", name, "logging_isenable"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/query.rego b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/query.rego index fc438ff5291..7a5880f7818 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/query.rego +++ b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/query.rego @@ -6,9 +6,9 @@ import data.generic.terraform as tf_lib CxPolicy[result] { some i resource := input.document[i].resource.alicloud_oss_bucket[name] - - possibilities:={"public-read", "public-read-write"} - resource.acl == possibilities[p] + + possibilities := {"public-read", "public-read-write"} + resource.acl == possibilities[p] result := { "documentId": input.document[i].id, @@ -18,11 +18,11 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "'acl' should be set to private or not set", "keyActualValue": sprintf("'acl' is %s", [possibilities[p]]), - "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "acl"], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "acl"], []), "remediation": json.marshal({ - "before": p, - "after": "private" - }), - "remediationType": "replacement", + "before": p, + "after": "private", + }), + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/query.rego b/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/query.rego index 284ae944d2f..98b04df6e70 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/query.rego +++ b/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/query.rego 
@@ -7,7 +7,7 @@ CxPolicy[result] { some i resource := input.document[i].resource.alicloud_oss_bucket[name] - resource.transfer_acceleration.enabled == false + resource.transfer_acceleration.enabled == false result := { "documentId": input.document[i].id, @@ -20,7 +20,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "transfer_acceleration", "enabled"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } @@ -30,7 +30,7 @@ CxPolicy[result] { some i resource := input.document[i].resource.alicloud_oss_bucket[name] - not common_lib.valid_key(resource, "transfer_acceleration") + not common_lib.valid_key(resource, "transfer_acceleration") result := { "documentId": input.document[i].id, diff --git a/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/query.rego b/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/query.rego index 5af3dabc35a..f36782d24d2 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/query.rego +++ b/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/query.rego @@ -7,7 +7,7 @@ CxPolicy[result] { some i resource := input.document[i].resource.alicloud_oss_bucket[name] - resource.versioning.status == "Suspended" + resource.versioning.status == "Suspended" result := { "documentId": input.document[i].id, @@ -19,10 +19,10 @@ CxPolicy[result] { "keyActualValue": "'versioning.status' is suspended", "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "versioning", "status"], []), "remediation": json.marshal({ - "before": "Suspended", - "after": "Enabled" - }), - "remediationType": "replacement", + "before": "Suspended", + "after": "Enabled", + }), + "remediationType": "replacement", } } 
@@ -30,7 +30,7 @@ CxPolicy[result] { some i resource := input.document[i].resource.alicloud_oss_bucket[name] - not common_lib.valid_key(resource, "versioning") + not common_lib.valid_key(resource, "versioning") result := { "documentId": input.document[i].id, @@ -42,6 +42,6 @@ CxPolicy[result] { "keyActualValue": "'versioning' is missing", "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name], []), "remediation": "versioning {\n\t\tstatus = \"Enabled\"\n\t}", - "remediationType": "addition", + "remediationType": "addition", } } diff --git a/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/query.rego b/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/query.rego index 01a282307eb..bfda6800dd4 100644 --- a/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/query.rego +++ b/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/query.rego 
@@ -9,24 +9,22 @@ CxPolicy[result] { not is_secure_transport(policy) - result := { "documentId": input.document[i].id, "resourceType": "alicloud_oss_bucket", "resourceName": tf_lib.get_specific_resource_name(resource, "alicloud_oss_bucket", name), - "searchKey": sprintf("alicloud_oss_bucket[%s].policy",[name]), + "searchKey": sprintf("alicloud_oss_bucket[%s].policy", [name]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("%s[%s].policy should not accept HTTP Requests",[name]), - "keyActualValue": sprintf("%s[%s].policy accepts HTTP Requests",[name]), - "searchLine":common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "policy"], []), + "keyExpectedValue": sprintf("%s[%s].policy should not accept HTTP Requests", [name]), + "keyActualValue": sprintf("%s[%s].policy accepts HTTP Requests", [name]), + "searchLine": common_lib.build_search_line(["resource", "alicloud_oss_bucket", name, "policy"], []), } } -is_equal(secure, target) -{ - secure == target -}else { - secure[_]==target +is_equal(secure, target) { + secure == target +} else { + secure[_] == target } is_secure_transport(policyValue) { @@ -35,15 +33,12 @@ is_secure_transport(policyValue) { statement := st[_] statement.Effect == "Deny" is_equal(statement.Condition.Bool["acs:SecureTransport"], "false") - tf_lib.anyPrincipal(statement) -}else { - policy := common_lib.json_unmarshal(policyValue) + tf_lib.anyPrincipal(statement) +} else { + policy := common_lib.json_unmarshal(policyValue) st := common_lib.get_statement(policy) statement := st[_] statement.Effect == "Allow" is_equal(statement.Condition.Bool["acs:SecureTransport"], "true") - tf_lib.anyPrincipal(statement) + tf_lib.anyPrincipal(statement) } - - - diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/query.rego b/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/query.rego index 715bf6534f4..8b25fa12a2d 100644 
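Review bot: Both `keyExpectedValue` and `keyActualValue` in the first hunk use two `%s` verbs but pass a single argument, `sprintf("%s[%s].policy should not accept HTTP Requests", [name])`; OPA's sprintf follows Go formatting, so the second verb is presumably left as an unfilled `%!s(MISSING)` marker and the message comes out garbled. The sibling queries spell out the resource type, so these should read `sprintf("alicloud_oss_bucket[%s].policy should not accept HTTP Requests", [name])` and `sprintf("alicloud_oss_bucket[%s].policy accepts HTTP Requests", [name])`. Regal's sprintf-arguments-mismatch rule flags exactly this pattern, so it is worth enabling it for this directory before the next formatting pass.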
--- a/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/query.rego +++ b/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/query.rego @@ -9,7 +9,7 @@ CxPolicy[result] { resource.type == "ingress" resource.cidr_ip == "0.0.0.0/0" isTCPorUDP(resource.ip_protocol) - resource.port_range == "1/65535" + resource.port_range == "1/65535" result := { "documentId": input.document[i].id, "resourceType": "alicloud_security_group_rule", @@ -32,7 +32,7 @@ CxPolicy[result] { resource.type == "ingress" resource.cidr_ip == "0.0.0.0/0" isGREorICMP(resource.ip_protocol) - resource.port_range == "-1/-1" + resource.port_range == "-1/-1" result := { "documentId": input.document[i].id, "resourceType": "alicloud_security_group_rule", @@ -49,7 +49,6 @@ isGREorICMP("icmp") = true isGREorICMP("gre") = true - CxPolicy[result] { some i resource := input.document[i].resource.alicloud_security_group_rule[name] diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/query.rego b/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/query.rego index 97b481a95c4..0a0000698bc 100644 --- a/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/query.rego +++ b/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/query.rego @@ -8,7 +8,7 @@ CxPolicy[result] { resource.type == "ingress" resource.cidr_ip == "0.0.0.0/0" isTCPorUDP(resource.ip_protocol) - containsUnknownPort(resource) + containsUnknownPort(resource) result := { "documentId": input.document[i].id, 
@@ -26,14 +26,13 @@ isTCPorUDP("tcp") = true isTCPorUDP("udp") = true - CxPolicy[result] { resource := input.document[i].resource.alicloud_security_group_rule[name] resource.type == "ingress" resource.cidr_ip == "0.0.0.0/0" resource.ip_protocol == "all" resource.port_range == "-1/-1" - containsUnknownPortForAll(resource) + containsUnknownPortForAll(resource) result := { "documentId": input.document[i].id, @@ -47,19 +46,18 @@ CxPolicy[result] { } } - -containsUnknownPort(rule){ - sublist := split(rule.port_range, "/") - from_port := to_number(sublist[0]) - to_port := to_number(sublist[1]) - port := numbers.range(from_port, to_port)[i] - not common_lib.valid_key(common_lib.tcpPortsMap,port) +containsUnknownPort(rule) { + sublist := split(rule.port_range, "/") + from_port := to_number(sublist[0]) + to_port := to_number(sublist[1]) + port := numbers.range(from_port, to_port)[i] + not common_lib.valid_key(common_lib.tcpPortsMap, port) } -containsUnknownPortForAll(rule){ - rule.port_range == "-1/-1" - from_port := 1 - to_port := 65535 - port := numbers.range(from_port, to_port)[i] - not common_lib.valid_key(common_lib.tcpPortsMap,port) +containsUnknownPortForAll(rule) { + rule.port_range == "-1/-1" + from_port := 1 + to_port := 65535 + port := numbers.range(from_port, to_port)[i] + not common_lib.valid_key(common_lib.tcpPortsMap, port) } diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/query.rego b/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/query.rego index 9c32564c3d1..bbd96669d93 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/query.rego +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/query.rego 
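Review bot: `port := numbers.range(from_port, to_port)[i]` in containsUnknownPort and containsUnknownPortForAll iterates through an implicitly declared output variable `i` that is never read, which is the pattern Regal's unused-output-variable rule exists to flag; `port := numbers.range(from_port, to_port)[_]` says the same thing without the stray name. containsUnknownPort also indexes `sublist[1]` straight after `split(rule.port_range, "/")`, so a port_range without a `/` makes the expression undefined and the rule silently never fires for that resource; that is probably acceptable, but worth a one-line comment such as `# port_range is expected as "<from>/<to>"; any other shape leaves this rule undefined`. The commit only reformats these helpers.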
@@ -6,9 +6,9 @@ import data.generic.terraform as tf_lib CxPolicy[result] { some i resource := input.document[i].resource.alicloud_ram_account_password_policy[name] - resource.max_login_attempts > 5 - - result := { + resource.max_login_attempts > 5 + + result := { "documentId": input.document[i].id, "resourceType": "alicloud_ram_account_password_policy", "resourceName": tf_lib.get_resource_name(resource, name), @@ -16,11 +16,11 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "'max_login_attempts' should be set to 5 or less", "keyActualValue": "'max_login_attempts' is above than 5", - "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "max_login_attempts"], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "max_login_attempts"], []), "remediation": json.marshal({ - "before": sprintf("%d", [resource.max_login_attempts]), - "after": "5" - }), - "remediationType": "replacement", + "before": sprintf("%d", [resource.max_login_attempts]), + "after": "5", + }), + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/query.rego b/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/query.rego index 662a3b36721..c82d19a2b5e 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/query.rego +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/query.rego 
@@ -6,9 +6,9 @@ import data.generic.terraform as tf_lib CxPolicy[result] { some i resource := input.document[i].resource.alicloud_ram_account_password_policy[name] - not common_lib.valid_key(resource, "max_password_age") - - result := { + not common_lib.valid_key(resource, "max_password_age") + + result := { "documentId": input.document[i].id, "resourceType": "alicloud_ram_account_password_policy", "resourceName": tf_lib.get_resource_name(resource, name), @@ -16,8 +16,8 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "'max_password_age' should be higher than 0 and lower than 91", "keyActualValue": "'max_password_age' is not defined", - "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name], []), - "remediation": "max_password_age = 12", + "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name], []), + "remediation": "max_password_age = 12", "remediationType": "addition", } } @@ -25,9 +25,9 @@ CxPolicy[result] { CxPolicy[result] { some i resource := input.document[i].resource.alicloud_ram_account_password_policy[name] - resource.max_password_age > 90 - - result := { + resource.max_password_age > 90 + + result := { "documentId": input.document[i].id, "resourceType": "alicloud_ram_account_password_policy", "resourceName": tf_lib.get_resource_name(resource, name), 
@@ -35,22 +35,21 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "'max_password_age' should be higher than 0 and lower than 91", "keyActualValue": "'max_password_age' is higher than 90", - "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "max_password_age"], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "max_password_age"], []), "remediation": json.marshal({ - "before": sprintf("%d", [resource.max_password_age]), - "after": "12" - }), - "remediationType": "replacement", - + "before": sprintf("%d", [resource.max_password_age]), + "after": "12", + }), + "remediationType": "replacement", } } CxPolicy[result] { some i resource := input.document[i].resource.alicloud_ram_account_password_policy[name] - resource.max_password_age == 0 - - result := { + resource.max_password_age == 0 + + result := { "documentId": input.document[i].id, "resourceType": "alicloud_ram_account_password_policy", "resourceName": tf_lib.get_resource_name(resource, name), @@ -58,11 +57,11 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "'max_password_age' should be higher than 0 and lower than 91", "keyActualValue": "'max_password_age' is equal to 0", - "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "max_password_age"], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "max_password_age"], []), "remediation": json.marshal({ - "before": sprintf("%d", [resource.max_password_age]), - "after": "12" - }), - "remediationType": "replacement", + "before": sprintf("%d", [resource.max_password_age]), + "after": "12", + }), + "remediationType": "replacement", } } 
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/query.rego b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/query.rego index 82a04ad9ce7..d11bbde93d4 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/query.rego +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/query.rego @@ -6,11 +6,11 @@ import data.generic.terraform as tf_lib CxPolicy[result] { some i resource := input.document[i].resource.alicloud_ram_account_password_policy[name] - resource.minimum_password_length < 14 + resource.minimum_password_length < 14 remediation := {"before": format_int(resource.minimum_password_length, 10), "after": "14"} - result := { + result := { "documentId": input.document[i].id, "resourceType": "alicloud_ram_account_password_policy", "resourceName": tf_lib.get_resource_name(resource, name), @@ -24,13 +24,12 @@ CxPolicy[result] { } } - CxPolicy[result] { some i resource := input.document[i].resource.alicloud_ram_account_password_policy[name] - not common_lib.valid_key(resource, "minimum_password_length") + not common_lib.valid_key(resource, "minimum_password_length") - result := { + result := { "documentId": input.document[i].id, "resourceType": "alicloud_ram_account_password_policy", "resourceName": tf_lib.get_resource_name(resource, name), diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/query.rego b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/query.rego index 3c7aeab2092..4e9472057de 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/query.rego +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/query.rego 
@@ -6,9 +6,9 @@ import data.generic.terraform as tf_lib CxPolicy[result] { some i resource := input.document[i].resource.alicloud_ram_account_password_policy[name] - resource.require_numbers == false + resource.require_numbers == false - result := { + result := { "documentId": input.document[i].id, "resourceType": "alicloud_ram_account_password_policy", "resourceName": tf_lib.get_resource_name(resource, name), @@ -19,7 +19,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "require_numbers"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/query.rego b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/query.rego index 2b2d6dfbd2a..5426aaa2110 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/query.rego +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/query.rego @@ -6,7 +6,7 @@ import data.generic.terraform as tf_lib CxPolicy[result] { document := input.document[i] resource := document.resource.alicloud_ram_account_password_policy[name] - resource["require_symbols"] == false + resource.require_symbols == false remediation := {"before": "false", "after": "true"} diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/query.rego b/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/query.rego index 44aa10a7b84..22d5479af94 100644 --- a/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/query.rego +++ b/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/query.rego 
@@ -6,9 +6,9 @@ import data.generic.terraform as tf_lib CxPolicy[result] { some i resource := input.document[i].resource.alicloud_ram_account_password_policy[name] - not common_lib.valid_key(resource, "password_reuse_prevention") + not common_lib.valid_key(resource, "password_reuse_prevention") - result := { + result := { "documentId": input.document[i].id, "resourceType": "alicloud_ram_account_password_policy", "resourceName": tf_lib.get_resource_name(resource, name), @@ -16,18 +16,18 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "'password_reuse_prevention' should be defined and equal or lower than 24", "keyActualValue": "'password_reuse_prevention' is not defined", - "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name], []), "remediation": "password_reuse_prevention = 24", - "remediationType": "addition", + "remediationType": "addition", } } CxPolicy[result] { some i resource := input.document[i].resource.alicloud_ram_account_password_policy[name] - resource.password_reuse_prevention > 24 + resource.password_reuse_prevention > 24 - result := { + result := { "documentId": input.document[i].id, "resourceType": "alicloud_ram_account_password_policy", "resourceName": tf_lib.get_resource_name(resource, name), 
@@ -35,11 +35,11 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "'password_reuse_prevention' should be equal or less 24", "keyActualValue": "'password_reuse_prevention' is higher than 24", - "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "password_reuse_prevention"], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "password_reuse_prevention"], []), "remediation": json.marshal({ - "before": sprintf("%d", [resource.password_reuse_prevention]), - "after": "24" - }), - "remediationType": "replacement", + "before": sprintf("%d", [resource.password_reuse_prevention]), + "after": "24", + }), + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/query.rego b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/query.rego index bda7114d386..b35e13292ad 100644 --- a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/query.rego +++ b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/query.rego @@ -6,9 +6,9 @@ import data.generic.terraform as tf_lib CxPolicy[result] { some i resource := input.document[i].resource.alicloud_ram_account_password_policy[name] - resource.require_lowercase_characters == false + resource.require_lowercase_characters == false - result := { + result := { "documentId": input.document[i].id, "resourceType": "alicloud_ram_account_password_policy", "resourceName": tf_lib.get_resource_name(resource, name), 
@@ -19,8 +19,8 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "require_lowercase_characters"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), - "remediationType": "replacement" + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/query.rego b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/query.rego index 4ea935a362f..eb01e0690ab 100644 --- a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/query.rego +++ b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/query.rego @@ -6,9 +6,9 @@ import data.generic.terraform as tf_lib CxPolicy[result] { some i resource := input.document[i].resource.alicloud_ram_account_password_policy[name] - resource.require_uppercase_characters == false + resource.require_uppercase_characters == false - result := { + result := { "documentId": input.document[i].id, "resourceType": "alicloud_ram_account_password_policy", "resourceName": tf_lib.get_resource_name(resource, name), @@ -19,7 +19,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_account_password_policy", name, "require_uppercase_characters"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/query.rego b/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/query.rego index 0e35d1b18a3..96ecf1e8b0d 100644 --- a/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/query.rego 
+++ b/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/query.rego 
@@ -4,39 +4,35 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { + ram_policy := input.document[i].resource.alicloud_ram_policy[name] - ram_policy := input.document[i].resource.alicloud_ram_policy[name] + is_admin_policy(ram_policy.document) - is_admin_policy(ram_policy.document) + policy_attachment_possibilities := {"alicloud_ram_user_policy_attachment", "alicloud_ram_group_policy_attachment", "alicloud_ram_role_policy_attachment"} + attachment := policy_attachment_possibilities[pap] + attach := input.document[_].resource[attachment][n] - policy_attachment_possibilities := {"alicloud_ram_user_policy_attachment", "alicloud_ram_group_policy_attachment", "alicloud_ram_role_policy_attachment"} - attachment := policy_attachment_possibilities[pap] - attach := input.document[_].resource[attachment][n] - - target_policy_name := split(attach.policy_name, ".")[1] - - target_policy_name == name + target_policy_name := split(attach.policy_name, ".")[1] + target_policy_name == name result := { "documentId": input.document[i].id, - "resourceType": attachment, + "resourceType": attachment, "resourceName": tf_lib.get_resource_name(attachment, n), - "searchKey": sprintf("%s[%s].policy_name",[attachment, n]), + "searchKey": sprintf("%s[%s].policy_name", [attachment, n]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("alicloud_ram_policy[%s] should not give admin access to any user, group or role",[name]), - "keyActualValue": sprintf("alicloud_ram_policy[%s] is attached to a user, group or role and gives admin access",[name]), - "searchline":common_lib.build_search_line(["resource", attachment, n ,"policy_name"], []), + "keyExpectedValue": sprintf("alicloud_ram_policy[%s] should not give admin access to any user, group or role", [name]), + "keyActualValue": sprintf("alicloud_ram_policy[%s] is attached to a user, group or role and gives admin access", [name]), + "searchline": common_lib.build_search_line(["resource", 
attachment, n, "policy_name"], []), } } - -is_admin_policy(ram_policy) -{ +is_admin_policy(ram_policy) { u_policy := common_lib.json_unmarshal(ram_policy) statement := common_lib.get_statement(u_policy) - st:=statement[_] + st := statement[_] st.Effect == "Allow" - common_lib.containsOrInArrayContains(st.Resource, "*") - common_lib.containsOrInArrayContains(st.Action, "*") + common_lib.containsOrInArrayContains(st.Resource, "*") + common_lib.containsOrInArrayContains(st.Action, "*") } diff --git a/assets/queries/terraform/alicloud/ram_policy_attached_to_user/query.rego b/assets/queries/terraform/alicloud/ram_policy_attached_to_user/query.rego index 5e8e9be0621..852b78acde6 100644 --- a/assets/queries/terraform/alicloud/ram_policy_attached_to_user/query.rego +++ b/assets/queries/terraform/alicloud/ram_policy_attached_to_user/query.rego 
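Review bot: The result object on the new side still uses the key `"searchline"` (lower-case l) while every other query touched in this diff emits `"searchLine"`; if the result schema is keyed on `searchLine`, the search line from this query is silently dropped, so the line should read `"searchLine": common_lib.build_search_line(["resource", attachment, n, "policy_name"], []),`. The same lower-case key survives in the next hunk (ram_policy_attached_to_user). In the same object, `"resourceName": tf_lib.get_resource_name(attachment, n)` passes the resource-type string from the set rather than the attachment object, unlike the other queries that pass the resource itself; if get_resource_name reads the resource's name attribute, this should be `tf_lib.get_resource_name(attach, n)`. Both are pre-existing and only re-indented here, so they may belong in a follow-up rather than this formatting change.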
@@ -4,17 +4,16 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - - resource := input.document[i].resource.alicloud_ram_user_policy_attachment[a] + resource := input.document[i].resource.alicloud_ram_user_policy_attachment[a] result := { "documentId": input.document[i].id, "resourceType": "alicloud_ram_user_policy_attachment", "resourceName": tf_lib.get_resource_name(resource, a), - "searchKey": sprintf("alicloud_ram_user_policy_attachment[%s]",[a]), + "searchKey": sprintf("alicloud_ram_user_policy_attachment[%s]", [a]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("alicloud_ram_user_policy_attachment[%s] should be undefined",[a]), - "keyActualValue": sprintf("alicloud_ram_user_policy_attachment[%s] is defined",[a]), - "searchline":common_lib.build_search_line(["resource", "alicloud_ram_user_policy_attachment", a], []), + "keyExpectedValue": sprintf("alicloud_ram_user_policy_attachment[%s] should be undefined", [a]), + "keyActualValue": sprintf("alicloud_ram_user_policy_attachment[%s] is defined", [a]), + "searchline": common_lib.build_search_line(["resource", "alicloud_ram_user_policy_attachment", a], []), } } diff --git a/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/query.rego b/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/query.rego index e0976c4c4db..b7e2103da95 100644 --- a/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/query.rego +++ b/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/query.rego 
@@ -6,37 +6,36 @@ import data.generic.terraform as tf_lib CxPolicy[result] { ram_users := [ram_users | docs := input.document; resource := docs[i].resource.alicloud_ram_user[name]; ram_users := {"id": docs[i].id, "name": name, "resource": resource}] count(ram_users) > 0 - ram_user := ram_users[0] - not has_preference(input.document) + ram_user := ram_users[0] + not has_preference(input.document) result := { - "documentId": ram_user.id, + "documentId": ram_user.id, "resourceType": "alicloud_ram_user", - "resourceName": ram_user.name, "resourceName": tf_lib.get_resource_name(ram_user.resource, ram_user.name), "searchKey": sprintf("alicloud_ram_user[%s]", [ram_user.name]), "issueType": "MissingAttribute", "keyExpectedValue": "alicloud_ram_security_preference resource should be defined", - "keyActualValue": "alicloud_ram_security_preference resource is not defined", + "keyActualValue": "alicloud_ram_security_preference resource is not defined", "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_user", ram_user.name], []), } } -has_preference(doc){ - doc[_].resource["alicloud_ram_security_preference"] +has_preference(doc) { + doc[_].resource.alicloud_ram_security_preference } -has_ram_user(doc){ - doc[_].resource["alicloud_ram_user"] +has_ram_user(doc) { + doc[_].resource.alicloud_ram_user } CxPolicy[result] { has_ram_user(input.document) resource := input.document[id].resource.alicloud_ram_security_preference[name] - not common_lib.valid_key(resource,"enforce_mfa_for_login") + not common_lib.valid_key(resource, "enforce_mfa_for_login") result := { - "documentId": input.document[id].id, + "documentId": input.document[id].id, "resourceType": "alicloud_ram_security_preference", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("alicloud_ram_security_preference[%s]", [name]), 
@@ -45,28 +44,28 @@ CxPolicy[result] { "keyActualValue": "'enforce_mfa_for_login' is not defined", "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_security_preference", name], []), "remediation": "enforce_mfa_for_login = true", - "remediationType": "addition", + "remediationType": "addition", } } CxPolicy[result] { has_ram_user(input.document) resource := input.document[id].resource.alicloud_ram_security_preference[name] - resource.enforce_mfa_for_login == false - + resource.enforce_mfa_for_login == false + result := { - "documentId": input.document[id].id, + "documentId": input.document[id].id, "resourceType": "alicloud_ram_security_preference", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("alicloud_ram_security_preference[%s]", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "'enforce_mfa_for_login' should be set to true", "keyActualValue": "'enforce_mfa_for_login' is set to 'false'", - "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_security_preference", name, "enforce_mfa_for_login" ], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_ram_security_preference", name, "enforce_mfa_for_login"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), - "remediationType": "replacement", + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/rds_instance_events_not_logged/query.rego b/assets/queries/terraform/alicloud/rds_instance_events_not_logged/query.rego index 527b327272f..1fd033e5823 100644 --- a/assets/queries/terraform/alicloud/rds_instance_events_not_logged/query.rego +++ b/assets/queries/terraform/alicloud/rds_instance_events_not_logged/query.rego 
@@ -3,9 +3,7 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib -logs_list = { - "rds_enabled", "rds_ti_enabled", "rds_slow_enabled", "rds_perf_enabled", -} +logs_list = {"rds_enabled", "rds_ti_enabled", "rds_slow_enabled", "rds_perf_enabled"} CxPolicy[result] { resource := input.document[i].resource.alicloud_log_audit[name] @@ -22,8 +20,8 @@ CxPolicy[result] { "keyExpectedValue": sprintf("'%s' parameter value should be 'true'", [log]), "keyActualValue": sprintf("'%s' parameter is not defined", [log]), "searchLine": common_lib.build_search_line(["resource", "alicloud_log_audit", name, "variable_map"], []), - "remediation": sprintf("%s = true",[log]), - "remediationType": "addition", + "remediation": sprintf("%s = true", [log]), + "remediationType": "addition", } } @@ -44,9 +42,8 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "alicloud_log_audit", name, "variable_map", log], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), - "remediationType": "replacement", + "remediationType": "replacement", } } - diff --git a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/query.rego b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/query.rego index 7165fb699e7..4192a0b9bc5 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/query.rego +++ b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/query.rego @@ -6,8 +6,8 @@ import data.generic.terraform as tf_lib CxPolicy[result] { some i resource := input.document[i].resource.alicloud_db_instance[name].parameters - resource[parameter].name == "log_connections" - resource[parameter].value == "OFF" + resource[parameter].name == "log_connections" + resource[parameter].value == "OFF" result := { "documentId": input.document[i].id, 
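Review bot: `logs_list = {...}` keeps the plain `=` for a package-level constant while the other constants reformatted in this change use `:=` (`supported_mysql_engines := ...`, `insecureVersions := ...`, `waf_resources := ...`); the same applies to `public_ips = [...]` in the rds_instance_publicly_accessible hunk. Since the line is being rewritten anyway, `logs_list := {"rds_enabled", "rds_ti_enabled", "rds_slow_enabled", "rds_perf_enabled"}` keeps the style uniform and satisfies Regal's use-assignment-operator rule once it is enabled.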
@@ -20,7 +20,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name, "parameters", parameter, "value"], []), "remediation": json.marshal({ "before": "OFF", - "after": "ON" + "after": "ON", }), "remediationType": "replacement", } @@ -44,7 +44,7 @@ CxPolicy[result] { } } -has_log_conn(resource){ +has_log_conn(resource) { parameter := resource.parameters[j] parameter.name == "log_connections" } diff --git a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/query.rego b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/query.rego index 6a6d567c7cc..ca35a7b50a1 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/query.rego +++ b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/query.rego @@ -6,8 +6,8 @@ import data.generic.terraform as tf_lib CxPolicy[result] { some i resource := input.document[i].resource.alicloud_db_instance[name].parameters - resource[parameter].name == "log_disconnections" - resource[parameter].value == "OFF" + resource[parameter].name == "log_disconnections" + resource[parameter].value == "OFF" result := { "documentId": input.document[i].id, @@ -20,7 +20,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name, "parameters", parameter, "value"], []), "remediation": json.marshal({ "before": "OFF", - "after": "ON" + "after": "ON", }), "remediationType": "replacement", } @@ -44,7 +44,7 @@ CxPolicy[result] { } } -has_log_disconn(resource){ +has_log_disconn(resource) { parameter := resource.parameters[j] parameter.name == "log_disconnections" } diff --git a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/query.rego b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/query.rego index 760bc704a9c..e6b762cc70c 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/query.rego 
+++ b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/query.rego @@ -6,8 +6,8 @@ import data.generic.terraform as tf_lib CxPolicy[result] { some i resource := input.document[i].resource.alicloud_db_instance[name].parameters - resource[parameter].name == "log_duration" - resource[parameter].value == "OFF" + resource[parameter].name == "log_duration" + resource[parameter].value == "OFF" result := { "documentId": input.document[i].id, @@ -20,7 +20,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name, "parameters", parameter, "value"], []), "remediation": json.marshal({ "before": "OFF", - "after": "ON" + "after": "ON", }), "remediationType": "replacement", } @@ -44,7 +44,7 @@ CxPolicy[result] { } } -has_log_duration(resource){ +has_log_duration(resource) { parameter := resource.parameters[j] parameter.name == "log_duration" } diff --git a/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/query.rego b/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/query.rego index 60d2b99183f..968a91aa59e 100644 --- a/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/query.rego +++ b/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/query.rego 
@@ -3,25 +3,23 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib -public_ips = ["0.0.0.0/0","0.0.0.0"] +public_ips = ["0.0.0.0/0", "0.0.0.0"] CxPolicy[result] { resource := input.document[i].resource.alicloud_db_instance[name] - security_ips := resource.security_ips - sec_ip := security_ips[x] - pub_ip := public_ips[_] - sec_ip == pub_ip - + security_ips := resource.security_ips + sec_ip := security_ips[x] + pub_ip := public_ips[_] + sec_ip == pub_ip result := { "documentId": input.document[i].id, "resourceType": "alicloud_db_instance", "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("alicloud_db_instance[%s].security_ips[%v]", [name,x]), + "searchKey": sprintf("alicloud_db_instance[%s].security_ips[%v]", [name, x]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'%s' should not be in 'security_ips' list", [sec_ip]), "keyActualValue": sprintf("'%s' is in 'security_ips' list", [sec_ip]), "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name, "security_ips", x], []), } } - diff --git a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/query.rego b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/query.rego index a29b514837f..437e4f8e9b7 100644 --- a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/query.rego +++ b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/query.rego @@ -17,7 +17,7 @@ CxPolicy[result] { "keyActualValue": "'sql_collector_status' is not defined", "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name], []), "remediation": "sql_collector_status = \"Enabled\"", - "remediationType": "addition", + "remediationType": "addition", } } 
@@ -33,12 +33,12 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", "keyActualValue": "'sql_collector_status' is set to 'Disabled'", - "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name,"sql_collector_status" ], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name, "sql_collector_status"], []), "remediation": json.marshal({ - "before": "Disabled", - "after": "Enabled" - }), - "remediationType": "replacement", + "before": "Disabled", + "after": "Enabled", + }), + "remediationType": "replacement", } } @@ -46,7 +46,6 @@ CxPolicy[result] { resource := input.document[i].resource.alicloud_db_instance[name] not common_lib.valid_key(resource, "sql_collector_config_value") - result := { "documentId": input.document[i].id, "resourceType": "alicloud_db_instance", @@ -57,7 +56,7 @@ CxPolicy[result] { "keyActualValue": "'sql_collector_config_value' is not defined", "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name], []), "remediation": "sql_collector_config_value = 180", - "remediationType": "addition", + "remediationType": "addition", } } 
@@ -73,11 +72,11 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", "keyActualValue": "'sql_collector_config_value' is set to 30", - "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name,"sql_collector_config_value" ], []), + "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name, "sql_collector_config_value"], []), "remediation": json.marshal({ - "before": "30", - "after": "180" - }), - "remediationType": "replacement", + "before": "30", + "after": "180", + }), + "remediationType": "replacement", } } diff --git a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/query.rego b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/query.rego index fe7543bb6d7..dc9c8562462 100644 --- a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/query.rego +++ b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/query.rego @@ -8,7 +8,6 @@ CxPolicy[result] { resource := input.document[i].resource.alicloud_db_instance[name] resource.ssl_action == "Close" - result := { "documentId": input.document[i].id, "resourceType": "alicloud_db_instance", @@ -19,10 +18,10 @@ CxPolicy[result] { "keyActualValue": "'ssl_action' value is 'Close'", "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name, "ssl_action"], []), "remediation": json.marshal({ - "before": "Close", - "after": "Open" - }), - "remediationType": "replacement", + "before": "Close", + "after": "Open", + }), + "remediationType": "replacement", } } 
@@ -41,6 +40,6 @@ CxPolicy[result] { "keyActualValue": "'ssl_action' is not defined", "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name], []), "remediation": "ssl_action = \"Open\"", - "remediationType": "addition", + "remediationType": "addition", } } diff --git a/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/query.rego b/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/query.rego index f41d9f6ab82..c300c2d0b19 100644 --- a/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/query.rego +++ b/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/query.rego @@ -2,15 +2,17 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in supported_mysql_engines := {"5.6", "5.7", "8"} -supported_sql_engines := { "08r2_ent_ha", "2012_ent_ha", "2016_ent_ha", "2017_ent", "2019_std_ha", "2019_ent"} + +supported_sql_engines := {"08r2_ent_ha", "2012_ent_ha", "2016_ent_ha", "2017_ent", "2019_std_ha", "2019_ent"} CxPolicy[result] { some i resource := input.document[i].resource.alicloud_db_instance[name] resource.engine == "MySQL" - resource.engine_version == supported_mysql_engines[_] + resource.engine_version in supported_mysql_engines resource.tde_status == "Disabled" result := { @@ -23,10 +25,10 @@ CxPolicy[result] { "keyActualValue": "'tde_status' value is set to 'Disabled'", "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name, "tde_status"], []), "remediation": json.marshal({ - "before": "Disabled", - "after": "Enabled" - }), - "remediationType": "replacement", + "before": "Disabled", + "after": "Enabled", + }), + "remediationType": "replacement", } } 
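Review bot: `import future.keywords.in` is introduced here and again in the slb_policy_with_insecure_tls_version_in_use hunk, so the repository now mixes files with and without future-keyword imports. If the OPA version KICS bundles is 0.59 or later, `import rego.v1` is the form Regal's use-rego-v1 rule expects and it brings `if`/`contains` along with `in`; picking one import form before the per-rule PRs land would avoid touching these files twice. If an older OPA is pinned, a short comment at the import, e.g. `# future.keywords.in: rego.v1 needs OPA >= 0.59`, would explain the choice to the next reader.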
@@ -34,8 +36,8 @@ CxPolicy[result] { some i resource := input.document[i].resource.alicloud_db_instance[name] resource.engine == "MySQL" - resource.engine_version == supported_mysql_engines[_] - not common_lib.valid_key(resource,"tde_status") + resource.engine_version in supported_mysql_engines + not common_lib.valid_key(resource, "tde_status") result := { "documentId": input.document[i].id, @@ -47,7 +49,7 @@ CxPolicy[result] { "keyActualValue": "'tde_status' is not declared", "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name], []), "remediation": "tde_status = \"Enabled\"", - "remediationType": "addition", + "remediationType": "addition", } } @@ -55,7 +57,7 @@ CxPolicy[result] { some i resource := input.document[i].resource.alicloud_db_instance[name] resource.engine == "SQLServer" - resource.engine_version == supported_sql_engines[_] + resource.engine_version in supported_sql_engines resource.tde_status == "Disabled" result := { @@ -68,10 +70,10 @@ CxPolicy[result] { "keyActualValue": "'tde_status' value is set to 'Disabled'", "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name, "tde_status"], []), "remediation": json.marshal({ - "before": "Disabled", - "after": "Enabled" - }), - "remediationType": "replacement", + "before": "Disabled", + "after": "Enabled", + }), + "remediationType": "replacement", } } @@ -79,8 +81,8 @@ CxPolicy[result] { some i resource := input.document[i].resource.alicloud_db_instance[name] resource.engine == "SQLServer" - resource.engine_version == supported_sql_engines[_] - not common_lib.valid_key(resource,"tde_status") + resource.engine_version in supported_sql_engines + not common_lib.valid_key(resource, "tde_status") result := { "documentId": input.document[i].id, 
@@ -92,8 +94,6 @@ CxPolicy[result] { "keyActualValue": "'tde_status' is not declared", "searchLine": common_lib.build_search_line(["resource", "alicloud_db_instance", name], []), "remediation": "tde_status = \"Enabled\"", - "remediationType": "addition", + "remediationType": "addition", } } - - diff --git a/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/query.rego b/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/query.rego index e64ed906fab..e0b0a71f4fb 100644 --- a/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/query.rego +++ b/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/query.rego @@ -22,7 +22,7 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i].resource.alicloud_ros_stack[name] - count(resource.notification_urls)==0 + count(resource.notification_urls) == 0 result := { "documentId": input.document[i].id, diff --git a/assets/queries/terraform/alicloud/ros_stack_retention_disabled/query.rego b/assets/queries/terraform/alicloud/ros_stack_retention_disabled/query.rego index 7e8a1913ffd..daaff49d5c5 100644 --- a/assets/queries/terraform/alicloud/ros_stack_retention_disabled/query.rego +++ b/assets/queries/terraform/alicloud/ros_stack_retention_disabled/query.rego @@ -18,7 +18,7 @@ CxPolicy[result] { "keyActualValue": sprintf("alicloud_ros_stack_instance[%s].retain_stacks is undefined", [name]), "searchLine": common_lib.build_search_line(["resource", "alicloud_ros_stack_instance", name], []), "remediation": "retain_stacks = true", - "remediationType": "addition", + "remediationType": "addition", } } @@ -38,8 +38,8 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "alicloud_ros_stack_instance", name, "retain_stacks"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), - "remediationType": "replacement", + "remediationType": "replacement", } } 
diff --git a/assets/queries/terraform/alicloud/ros_stack_without_template/query.rego b/assets/queries/terraform/alicloud/ros_stack_without_template/query.rego index 43d26dfdf61..de3be161a2c 100644 --- a/assets/queries/terraform/alicloud/ros_stack_without_template/query.rego +++ b/assets/queries/terraform/alicloud/ros_stack_without_template/query.rego @@ -6,8 +6,8 @@ import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.alicloud_ros_stack[name] - not common_lib.valid_key(resource, "template_body") - not common_lib.valid_key(resource, "template_url") + not common_lib.valid_key(resource, "template_body") + not common_lib.valid_key(resource, "template_url") result := { "documentId": input.document[i].id, diff --git a/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/query.rego b/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/query.rego index 1409501b0a8..d9ece8de4bb 100644 --- a/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/query.rego +++ b/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/query.rego @@ -2,13 +2,14 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in insecureVersions := {"TLSv1.0", "TLSv1.1"} CxPolicy[result] { resource := input.document[i].resource.alicloud_slb_tls_cipher_policy[name] tls_version := insecureVersions[_] - resource.tls_versions[_] == tls_version + tls_version in resource.tls_versions result := { "documentId": input.document[i].id, diff --git a/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/query.rego b/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/query.rego index 3456ab3cf59..d3a0e8945a0 100644 --- a/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/query.rego +++ b/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/query.rego 
@@ -16,7 +16,7 @@ CxPolicy[result] { "resourceType": "alicloud_vpc", "resourceName": name_vpc, "searchKey": sprintf("alicloud_vpc[%s]", [name_vpc]), - "issueType": "IncorrectValue", + "issueType": "IncorrectValue", "keyActualValue": sprintf("alicloud_vpc[%s] is not associated with an 'alicloud_vpc_flow_log'", [name_vpc]), "keyExpectedValue": sprintf("alicloud_vpc[%s] is associated with an 'alicloud_vpc_flow_log'", [name_vpc]), "searchLine": common_lib.build_search_line(["resource", "alicloud_vpc", name_vpc], []), diff --git a/assets/queries/terraform/aws/alb_deletion_protection_disabled/query.rego b/assets/queries/terraform/aws/alb_deletion_protection_disabled/query.rego index d3dac6f5cf3..d89c860764e 100644 --- a/assets/queries/terraform/aws/alb_deletion_protection_disabled/query.rego +++ b/assets/queries/terraform/aws/alb_deletion_protection_disabled/query.rego @@ -42,7 +42,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", loadBalancer, name, "enable_deletion_protection"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } @@ -85,7 +85,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["module", name, "enable_deletion_protection"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego index bca984dcf86..08648d0fb9d 100644 --- a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego +++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego 
@@ -3,8 +3,8 @@ package Cx import data.generic.terraform as tf_lib waf_resources := [ - "aws_wafv2_web_acl_association", - "aws_wafregional_web_acl_association", + "aws_wafv2_web_acl_association", + "aws_wafregional_web_acl_association", ] CxPolicy[result] { diff --git a/assets/queries/terraform/aws/alb_listening_on_http/query.rego b/assets/queries/terraform/aws/alb_listening_on_http/query.rego index 3fd9520a44e..8161a47126c 100644 --- a/assets/queries/terraform/aws/alb_listening_on_http/query.rego +++ b/assets/queries/terraform/aws/alb_listening_on_http/query.rego @@ -66,7 +66,7 @@ CxPolicy[result] { "keyActualValue": sprintf("'default_action.redirect.protocol' is equal '%s'", [resource.default_action.redirect.protocol]), "remediation": json.marshal({ "before": sprintf("%s", [resource.default_action.redirect.protocol]), - "after": "HTTPS" + "after": "HTTPS", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/query.rego b/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/query.rego index 5680842a911..a317c461d40 100644 --- a/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/query.rego +++ b/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/query.rego @@ -22,7 +22,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", types[x], m, "drop_invalid_header_fields"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } @@ -70,7 +70,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["module", name, keyToCheckDihf], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } @@ -103,6 +103,4 @@ check_load_balancer_type(res, lbt) { res[lbt] == "application" } else { not common_lib.valid_key(res, lbt) -} else = false { - true -} +} else = false 
diff --git a/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego b/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego index b5d42201a6d..0f8f51064e5 100644 --- a/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego +++ b/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego @@ -17,4 +17,4 @@ CxPolicy[result] { "keyExpectedValue": sprintf("aws_dms_replication_instance[%s].publicly_accessible should be set to false", [name]), "keyActualValue": sprintf("aws_dms_replication_instance[%s].publicly_accessible is set to true", [name]), } -} \ No newline at end of file +} diff --git a/assets/queries/terraform/aws/ami_not_encrypted/query.rego b/assets/queries/terraform/aws/ami_not_encrypted/query.rego index 755e533d771..51dcbbb6b4f 100644 --- a/assets/queries/terraform/aws/ami_not_encrypted/query.rego +++ b/assets/queries/terraform/aws/ami_not_encrypted/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { ami := input.document[i].resource.aws_ami[name] @@ -12,13 +12,13 @@ CxPolicy[result] { "resourceType": "aws_ami", "resourceName": tf_lib.get_resource_name(ami, name), "searchKey": sprintf("aws_ami[%s].ebs_block_device.encrypted", [name]), - "searchLine": common_lib.build_search_line(["resource", "aws_ami", name,"ebs_block_device","encrypted"], []), + "searchLine": common_lib.build_search_line(["resource", "aws_ami", name, "ebs_block_device", "encrypted"], []), "issueType": "IncorrectValue", "keyExpectedValue": "One of 'rule.ebs_block_device.encrypted' should be 'true'", "keyActualValue": "One of 'rule.ebs_block_device.encrypted' is not 'true'", "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } 
@@ -33,7 +33,7 @@ CxPolicy[result] { "resourceType": "aws_ami", "resourceName": tf_lib.get_resource_name(ami, name), "searchKey": sprintf("aws_ami[%s].ebs_block_device", [name]), - "searchLine": common_lib.build_search_line(["resource", "aws_ami", name,"ebs_block_device"], []), + "searchLine": common_lib.build_search_line(["resource", "aws_ami", name, "ebs_block_device"], []), "issueType": "MissingAttribute", "keyExpectedValue": "One of 'rule.ebs_block_device.encrypted' should be 'true'", "keyActualValue": "'rule.ebs_block_device' is undefined", diff --git a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/query.rego b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/query.rego index 91807c2d1e9..2fca6686903 100644 --- a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/query.rego +++ b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/query.rego @@ -57,14 +57,16 @@ CxPolicy[result] { CxPolicy[result] { api := input.document[i].resource.aws_api_gateway_stage[name] - x := [methodSettings | methodSettings := input.document[i].resource.aws_api_gateway_method_settings[_]; - split(methodSettings.stage_name,".")[1]==name] + x := [methodSettings | + methodSettings := input.document[i].resource.aws_api_gateway_method_settings[_] + split(methodSettings.stage_name, ".")[1] == name + ] count(x) == 0 result := { "documentId": input.document[i].id, "resourceType": "aws_api_gateway_stage", - "resourceName": tf_lib.get_resource_name(api, name), + "resourceName": tf_lib.get_resource_name(api, name), "searchKey": sprintf("aws_api_gateway_stage[%s]", [name]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("aws_api_gateway_stage[%s]'s corresponding aws_api_gateway_method_settings should be defined and not null", [name]), 
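Review bot: The reformatted comprehension still joins on `split(methodSettings.stage_name, ".")[1] == name`, so an `aws_api_gateway_method_settings` whose `stage_name` is a literal string (no `.`) makes the index undefined, is silently dropped from `x`, and the rule then reports a missing method-settings block that actually exists. It also only searches `input.document[i]`, the stage's own document, so settings declared in a different document are missed as well (assuming documents correspond to separate files). At minimum the assumption should be written down above the comprehension, e.g. `# only the reference form aws_api_gateway_stage.<name>.stage_name is resolved; literal stage names and cross-document settings are not matched`; resolving a literal would need an additional match such as `methodSettings.stage_name == api.stage_name`. The rule's result block continues outside the hunk.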
@@ -72,15 +74,14 @@ CxPolicy[result] { } } - CxPolicy[result] { - resource := input.document[i].resource + resource := input.document[i].resource api := resource.aws_api_gateway_stage[name] methodSettings := resource.aws_api_gateway_method_settings[settingsId] - settingName := split(methodSettings.stage_name,".")[1] - settingName == name + settingName := split(methodSettings.stage_name, ".")[1] + settingName == name searchKeyValid := common_lib.valid_non_empty_key(methodSettings, "settings") result := { @@ -95,13 +96,13 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource + resource := input.document[i].resource api := resource.aws_api_gateway_stage[name] methodSettings := resource.aws_api_gateway_method_settings[settingsId] - settingName := split(methodSettings.stage_name,".")[1] - settingName == name + settingName := split(methodSettings.stage_name, ".")[1] + settingName == name settings := methodSettings.settings searchKeyValid := common_lib.valid_non_empty_key(settings, "logging_level") @@ -117,13 +118,13 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource + resource := input.document[i].resource api := resource.aws_api_gateway_stage[name] methodSettings := resource.aws_api_gateway_method_settings[settingsId] - settingName := split(methodSettings.stage_name,".")[1] - settingName == name + settingName := split(methodSettings.stage_name, ".")[1] + settingName == name settings := methodSettings.settings loggingLevel := settings.logging_level diff --git a/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/query.rego b/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/query.rego index 31f73242649..e61126ffbbd 100644 --- a/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/query.rego +++ b/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.aws_api_gateway_rest_api[name].endpoint_configuration @@ -11,14 +11,14 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": "aws_api_gateway_rest_api", "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("aws_api_gateway_rest_api[%s].endpoint_configuration.types[%s]", [name,index]), + "searchKey": sprintf("aws_api_gateway_rest_api[%s].endpoint_configuration.types[%s]", [name, index]), "searchLine": common_lib.build_search_line(["resource", "aws_api_gateway_rest_api", name, "endpoint_configuration", "types", index], []), "issueType": "IncorrectValue", "keyExpectedValue": "'aws_api_gateway_rest_api.aws_api_gateway_rest_api.types' should be 'PRIVATE'.", "keyActualValue": "'aws_api_gateway_rest_api.aws_api_gateway_rest_api.types' is not 'PRIVATE'.", "remediation": json.marshal({ - "before": sprintf("%s",[resource.types[index]]), - "after": "PRIVATE" + "before": sprintf("%s", [resource.types[index]]), + "after": "PRIVATE", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/query.rego b/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/query.rego index 38cb693e8fb..abc065e09c8 100644 --- a/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/query.rego +++ b/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/query.rego @@ -40,7 +40,7 @@ CxPolicy[result] { "keyActualValue": sprintf("resource.aws_api_gateway_method[%s].api_key_required is 'false'", [name]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } 
diff --git a/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/query.rego b/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/query.rego index c5b65a9992a..7df49877d46 100644 --- a/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/query.rego +++ b/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/query.rego @@ -13,13 +13,13 @@ CxPolicy[result] { "resourceType": "aws_api_gateway_method_settings", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("aws_api_gateway_method_settings[{{%s}}].settings.cache_data_encrypted", [name]), - "searchLine": common_lib.build_search_line(["resource", "aws_api_gateway_method_settings", name,"settings","cache_data_encrypted" ], []), + "searchLine": common_lib.build_search_line(["resource", "aws_api_gateway_method_settings", name, "settings", "cache_data_encrypted"], []), "issueType": "IncorrectValue", "keyExpectedValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted should be set to true", "keyActualValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted is set to false", "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } 
@@ -35,7 +35,7 @@ CxPolicy[result] { "resourceType": "aws_api_gateway_method_settings", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("aws_api_gateway_method_settings[{{%s}}].settings", [name]), - "searchLine": common_lib.build_search_line(["resource", "aws_api_gateway_method_settings", name,"settings" ], []), + "searchLine": common_lib.build_search_line(["resource", "aws_api_gateway_method_settings", name, "settings"], []), "issueType": "MissingAttribute", "keyExpectedValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted should be set to true", "keyActualValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted is missing", diff --git a/assets/queries/terraform/aws/api_gateway_with_invalid_compression/query.rego b/assets/queries/terraform/aws/api_gateway_with_invalid_compression/query.rego index 0b6093506b7..6bd90147991 100644 --- a/assets/queries/terraform/aws/api_gateway_with_invalid_compression/query.rego +++ b/assets/queries/terraform/aws/api_gateway_with_invalid_compression/query.rego @@ -38,7 +38,7 @@ CxPolicy[result] { "keyActualValue": sprintf("Attribute 'minimum_compression_size' is %d", [resource.minimum_compression_size]), "remediation": json.marshal({ "before": sprintf("%d", [resource.minimum_compression_size]), - "after": "0" + "after": "0", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/api_gateway_with_open_access/query.rego b/assets/queries/terraform/aws/api_gateway_with_open_access/query.rego index b285d2e039d..148c75160aa 100644 --- a/assets/queries/terraform/aws/api_gateway_with_open_access/query.rego +++ b/assets/queries/terraform/aws/api_gateway_with_open_access/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { document := input.document[i] 
@@ -21,7 +21,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_api_gateway_method", name, "http_method"], []), "remediation": json.marshal({ "before": sprintf("%s", [resource.http_method]), - "after": "OPTIONS" + "after": "OPTIONS", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/api_gateway_without_security_policy/query.rego b/assets/queries/terraform/aws/api_gateway_without_security_policy/query.rego index 22a03de450b..3c01ce7a07b 100644 --- a/assets/queries/terraform/aws/api_gateway_without_security_policy/query.rego +++ b/assets/queries/terraform/aws/api_gateway_without_security_policy/query.rego @@ -37,8 +37,8 @@ CxPolicy[result] { "keyExpectedValue": sprintf("aws_api_gateway_domain_name[%s].security_policy should be set to TLS_1_2", [name]), "keyActualValue": sprintf("aws_api_gateway_domain_name[%s].security_policy is set to %s", [name, resource.security_policy]), "remediation": json.marshal({ - "before": sprintf("%s",[resource.security_policy]), - "after": "TLS_1_2" + "before": sprintf("%s", [resource.security_policy]), + "after": "TLS_1_2", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/api_gateway_without_waf/query.rego b/assets/queries/terraform/aws/api_gateway_without_waf/query.rego index 99c7d2497c9..cd00eee9dbd 100644 --- a/assets/queries/terraform/aws/api_gateway_without_waf/query.rego +++ b/assets/queries/terraform/aws/api_gateway_without_waf/query.rego 
@@ -4,32 +4,31 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { + apiGateway := input.document[i].resource.aws_api_gateway_stage[name] - apiGateway := input.document[i].resource.aws_api_gateway_stage[name] + not has_waf_associated(name) - not has_waf_associated(name) - - result := { + result := { "documentId": input.document[i].id, - "resourceType": "aws_api_gateway_stage", + "resourceType": "aws_api_gateway_stage", "resourceName": tf_lib.get_resource_name(apiGateway, name), "searchKey": sprintf("aws_api_gateway_stage[%s]", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "API Gateway Stage should be associated with a Web Application Firewall", "keyActualValue": "API Gateway Stage is not associated with a Web Application Firewall", - "searchLine": common_lib.build_search_line(["resource", "aws_api_gateway_stage", name], []), + "searchLine": common_lib.build_search_line(["resource", "aws_api_gateway_stage", name], []), } } has_waf_associated(apiGatewayName) { - targetResources := {"aws_wafregional_web_acl_association", "aws_wafv2_web_acl_association"} + targetResources := {"aws_wafregional_web_acl_association", "aws_wafv2_web_acl_association"} - waf := targetResources[_] + waf := targetResources[_] - resource := input.document[_].resource[waf][_] + resource := input.document[_].resource[waf][_] - associatedResource := split(resource.resource_arn, ".") + associatedResource := split(resource.resource_arn, ".") - associatedResource[0] == "${aws_api_gateway_stage" - associatedResource[1] == apiGatewayName + associatedResource[0] == "${aws_api_gateway_stage" + associatedResource[1] == apiGatewayName } diff --git a/assets/queries/terraform/aws/api_gateway_xray_disabled/query.rego b/assets/queries/terraform/aws/api_gateway_xray_disabled/query.rego index 6410f2547db..ff9e5d5a4fb 100644 --- a/assets/queries/terraform/aws/api_gateway_xray_disabled/query.rego 
+++ b/assets/queries/terraform/aws/api_gateway_xray_disabled/query.rego @@ -12,13 +12,13 @@ CxPolicy[result] { "resourceType": "aws_api_gateway_stage", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("aws_api_gateway_stage[%s].xray_tracing_enabled", [name]), - "searchLine": common_lib.build_search_line(["resource", "aws_api_gateway_stage", name,"xray_tracing_enabled"], []), + "searchLine": common_lib.build_search_line(["resource", "aws_api_gateway_stage", name, "xray_tracing_enabled"], []), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'aws_api_gateway_stage[%s].xray_tracing_enabled' should be true", [name]), "keyActualValue": sprintf("'aws_api_gateway_stage[%s].xray_tracing_enabled' is false", [name]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/query.rego b/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/query.rego index 06f5bb07f75..22652f69ddf 100644 --- a/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/query.rego +++ b/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/query.rego @@ -32,4 +32,3 @@ CxPolicy[result] { "keyActualValue": "aws_rds_cluster.storage_encrypted is undefined", } } - diff --git a/assets/queries/terraform/aws/authentication_without_mfa/query.rego b/assets/queries/terraform/aws/authentication_without_mfa/query.rego index f09e7fa0617..b63e48ef4b4 100644 --- a/assets/queries/terraform/aws/authentication_without_mfa/query.rego +++ b/assets/queries/terraform/aws/authentication_without_mfa/query.rego 
@@ -43,13 +43,12 @@ CxPolicy[result] { "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("aws_iam_user_policy[%s].policy", [name]), "issueType": "IncorrectValue", - "keyExpectedValue": "'policy.Statement.Principal.AWS' should contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' should be set to true", + "keyExpectedValue": "'policy.Statement.Principal.AWS' should contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' should be set to true", "keyActualValue": "'policy.Statement.Principal.AWS' doesn't contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' is set to false", "searchLine": common_lib.build_search_line(["resource", "aws_iam_user_policy", name, "policy"], []), } } - not_exists_mfa(statement) = mfa { not common_lib.valid_key(statement.Condition.BoolIfExists, "aws:MultiFactorAuthPresent") @@ -74,4 +73,3 @@ not_exists_mfa(statement) = mfa { not contains(user, ":mfa/") mfa := "false" } - diff --git a/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/query.rego b/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/query.rego index 10161512c26..28a67685dc5 100644 --- a/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/query.rego +++ b/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/query.rego @@ -81,10 +81,10 @@ CxPolicy[result] { } } -has_target_group_arns(resource, key){ +has_target_group_arns(resource, key) { not is_array(resource[key]) resource[key] != "" -} else{ +} else { is_array(resource[key]) count(resource[key]) > 0 } diff --git a/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/query.rego b/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/query.rego index 89090599985..05fac04bc3f 100644 --- a/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/query.rego 
+++ b/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/query.rego @@ -12,13 +12,13 @@ CxPolicy[result] { "resourceType": "aws_db_instance", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("aws_db_instance[%s].auto_minor_version_upgrade", [name]), - "searchLine": common_lib.build_search_line(["resource", "aws_db_instance", name,"auto_minor_version_upgrade"], []), + "searchLine": common_lib.build_search_line(["resource", "aws_db_instance", name, "auto_minor_version_upgrade"], []), "issueType": "IncorrectValue", "keyExpectedValue": "'auto_minor_version_upgrade' should be set to true", "keyActualValue": "'auto_minor_version_upgrade' is set to false", "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } @@ -41,7 +41,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["module", name, "auto_minor_version_upgrade"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/query.rego b/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/query.rego index d5a9575c0a3..7b3c65b2f65 100644 --- a/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/query.rego +++ b/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/query.rego @@ -1,9 +1,9 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib -#allow_users_to_change_password default is true +# allow_users_to_change_password default is true CxPolicy[result] { pol := input.document[i].resource.aws_iam_account_password_policy[name] pol.allow_users_to_change_password == false 
@@ -13,13 +13,13 @@ CxPolicy[result] { "resourceType": "aws_iam_account_password_policy", "resourceName": tf_lib.get_resource_name(pol, name), "searchKey": sprintf("aws_iam_account_password_policy[%s].allow_users_to_change_password", [name]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_account_password_policy", name,"allow_users_to_change_password"], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_account_password_policy", name, "allow_users_to_change_password"], []), "issueType": "IncorrectValue", "keyExpectedValue": "'allow_users_to_change_password' should equal 'true'", "keyActualValue": "'allow_users_to_change_password' is equal 'false'", "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/query.rego b/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/query.rego index f6865f63502..25213227b57 100644 --- a/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/query.rego +++ b/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { document := input.document[i] @@ -20,7 +20,7 @@ CxPolicy[result] { "keyActualValue": sprintf("aws_batch_job_definition[%s].container_properties.privileged is 'true'", [name]), "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/query.rego b/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/query.rego index 22438f48300..7e34a25c436 100644 
--- a/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/query.rego +++ b/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/query.rego @@ -6,7 +6,7 @@ import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.aws_db_instance[name] allowed := ["rds-ca-2019", "rds-ca-rsa2048-g1", "rds-ca-rsa4096-g1", "rds-ca-ecc384-g1"] - not common_lib.inArray(allowed, resource.ca_cert_identifier) + not common_lib.inArray(allowed, resource.ca_cert_identifier) result := { "documentId": input.document[i].id, @@ -24,7 +24,7 @@ CxPolicy[result] { module := input.document[i].module[name] keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_db_instance", "ca_cert_identifier") allowed := ["rds-ca-2019", "rds-ca-rsa2048-g1", "rds-ca-rsa4096-g1", "rds-ca-ecc384-g1"] - not common_lib.inArray(allowed, module[keyToCheck]) + not common_lib.inArray(allowed, module[keyToCheck]) result := { "documentId": input.document[i].id, diff --git a/assets/queries/terraform/aws/cdn_configuration_is_missing/query.rego b/assets/queries/terraform/aws/cdn_configuration_is_missing/query.rego index 82bfd712c56..699a9c0e220 100644 --- a/assets/queries/terraform/aws/cdn_configuration_is_missing/query.rego +++ b/assets/queries/terraform/aws/cdn_configuration_is_missing/query.rego @@ -40,7 +40,7 @@ CxPolicy[result] { "keyActualValue": sprintf("resource.aws_cloudfront_distribution[%s].enabled is configured as 'false'", [name]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/certificate_has_expired/query.rego b/assets/queries/terraform/aws/certificate_has_expired/query.rego index c5fcc41f03a..c1ab8eed274 100644 --- a/assets/queries/terraform/aws/certificate_has_expired/query.rego +++ b/assets/queries/terraform/aws/certificate_has_expired/query.rego 
@@ -2,11 +2,12 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { resource := input.document[i].resource[resourceType] services := {"aws_api_gateway_domain_name", "aws_iam_server_certificate", "aws_acm_certificate"} - resourceType == services[_] + resourceType in services expiration_date := resource[name].certificate_body.expiration_date diff --git a/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/query.rego b/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/query.rego index 90b1608d8c9..c9e014e9536 100644 --- a/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/query.rego +++ b/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/query.rego @@ -1,13 +1,14 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { resource := input.document[i].resource[resourceType] services := {"aws_api_gateway_domain_name", "aws_iam_server_certificate", "aws_acm_certificate"} - resourceType == services[_] + resourceType in services resource[name].certificate_body.rsa_key_bytes < 256 diff --git a/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego b/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego index 2f486b20ddc..71bd0edd993 100644 --- a/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego +++ b/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/query.rego @@ -42,7 +42,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_cloudfront_distribution", name, "viewer_certificate", "cloudfront_default_certificate"], []), "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } 
@@ -69,7 +69,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_cloudfront_distribution", name, "viewer_certificate", "minimum_protocol_version"], []), "remediation": json.marshal({ "before": sprintf("%s", [protocol_version]), - "after": "TLSv1.2_2021" + "after": "TLSv1.2_2021", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/query.rego b/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/query.rego index 2ee4848f288..22df1cb8198 100644 --- a/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/query.rego +++ b/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/query.rego @@ -18,7 +18,7 @@ CxPolicy[result] { "keyActualValue": sprintf("'aws_cloudtrail[%s].enable_log_file_validation' is false", [name]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/query.rego b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/query.rego index 07719f60a5d..c5b55fd22d8 100644 --- a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/query.rego +++ b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/query.rego @@ -2,16 +2,16 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in publicAcl := {"public-read", "public-read-write"} # version before TF AWS 4.0 CxPolicy[result] { - cloudtrail := input.document[_].resource.aws_cloudtrail[name] s3BucketName := split(cloudtrail.s3_bucket_name, ".")[1] bucket := input.document[i].resource.aws_s3_bucket[s3BucketName] - bucket.acl == publicAcl[_] + bucket.acl in publicAcl result := { "documentId": input.document[i].id, 
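Review bot: In the "version before TF AWS 4.0" rule, `s3BucketName := split(cloudtrail.s3_bucket_name, ".")[1]` only resolves the `aws_s3_bucket.<name>.id` reference form; a trail that sets `s3_bucket_name` to a literal bucket name leaves the index undefined and the rule never fires, even when an `aws_s3_bucket` with that `bucket` attribute and a public `acl` is present in the input. A second match on the literal, e.g. `bucket.bucket == cloudtrail.s3_bucket_name`, would close that gap, and the limitation should be noted above the rule until then. Separately, `publicAcl` contains only `public-read` and `public-read-write`; `authenticated-read` grants READ to any AWS account and is arguably just as exposed, so consider adding it or documenting why it is excluded. The rule body continues outside the hunk.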
@@ -28,7 +28,7 @@ CxPolicy[result] { module := input.document[i].module[name] keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "acl") - module[keyToCheck] == publicAcl[_] + module[keyToCheck] in publicAcl result := { "documentId": input.document[i].id, "resourceType": "n/a", @@ -42,13 +42,12 @@ CxPolicy[result] { # version after TF AWS 4.0 CxPolicy[result] { - cloudtrail := input.document[_].resource.aws_cloudtrail[name] s3BucketName := split(cloudtrail.s3_bucket_name, ".")[1] input.document[_].resource.aws_s3_bucket[s3BucketName] acl := input.document[i].resource.aws_s3_bucket_acl[name] split(acl.bucket, ".")[1] == s3BucketName - acl.acl == publicAcl[_] + acl.acl in publicAcl result := { "documentId": input.document[i].id, diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/query.rego b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/query.rego index 214d505e609..c83daff9d34 100644 --- a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/query.rego +++ b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/query.rego @@ -4,7 +4,6 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - cloudtrail := input.document[_].resource.aws_cloudtrail[name] s3BucketName := split(cloudtrail.s3_bucket_name, ".")[1] bucket := input.document[i].resource.aws_s3_bucket[s3BucketName] @@ -24,7 +23,6 @@ CxPolicy[result] { } CxPolicy[result] { - logs := input.document[_].resource.aws_cloudtrail[name] s3BucketName := split(logs.s3_bucket_name, ".")[1] doc := input.document[i].module[moduleName] diff --git a/assets/queries/terraform/aws/cloudtrail_logging_disabled/query.rego b/assets/queries/terraform/aws/cloudtrail_logging_disabled/query.rego index 723af503f53..e11ae067f27 100644 --- a/assets/queries/terraform/aws/cloudtrail_logging_disabled/query.rego 
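Review bot: In the "version after TF AWS 4.0" rule, `acl := input.document[i].resource.aws_s3_bucket_acl[name]` reuses `name`, which is already bound to the CloudTrail resource label by `cloudtrail := input.document[_].resource.aws_cloudtrail[name]`, so the rule only fires when the `aws_s3_bucket_acl` resource happens to carry the same Terraform name as the trail; that looks like an unintended join and would hide public ACLs on trail buckets in the common case. Binding a fresh variable, `acl := input.document[i].resource.aws_s3_bucket_acl[aclName]`, lets `split(acl.bucket, ".")[1] == s3BucketName` do the intended linking. The result block lies outside the hunk, so any use of `name` there that is meant to refer to the ACL resource needs the same rename.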
+++ b/assets/queries/terraform/aws/cloudtrail_logging_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.aws_cloudtrail[name] @@ -18,7 +18,7 @@ CxPolicy[result] { "keyActualValue": sprintf("aws_cloudtrail.%s.enable_logging is false", [name]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/query.rego b/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/query.rego index 42f642d27d9..817a286d46e 100644 --- a/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/query.rego +++ b/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/query.rego @@ -38,7 +38,7 @@ CxPolicy[result] { "keyActualValue": sprintf("aws_cloudtrail[%s].is_multi_region_trail is set to false", [name]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } @@ -60,7 +60,7 @@ CxPolicy[result] { "keyActualValue": sprintf("aws_cloudtrail[%s].include_global_service_events is set to false", [name]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/query.rego b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/query.rego index f2b35cb3cc0..00aa050524a 100644 --- a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/query.rego +++ b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/query.rego 
@@ -122,14 +122,14 @@ check_expression_missing(resName, filter, doc) { CxPolicy[result] { doc := input.document[i] resources := doc.resource.aws_cloudwatch_log_metric_filter - + allPatternsCount := count([x | [path, value] := walk(resources); filter := common_lib.json_unmarshal(value.pattern); x = filter]) count([x | [path, value] := walk(resources); filter := common_lib.json_unmarshal(value.pattern); not check_expression_missing(path[0], filter, doc); x = filter]) == allPatternsCount result := { "documentId": input.document[i].id, "resourceType": "aws_cloudwatch_log_metric_filter", - "resourceName": "unknown", + "resourceName": "unknown", "searchKey": "resource", "issueType": "MissingAttribute", "keyExpectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) } and be associated an aws_cloudwatch_metric_alarm", diff --git a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/query.rego b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/query.rego index 7c00773e9cb..4e77d6ddafa 100644 --- a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/query.rego +++ b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/query.rego 
@@ -52,7 +52,7 @@ check_expression_missing(resName, filter, doc) { CxPolicy[result] { doc := input.document[i] resources := doc.resource.aws_cloudwatch_log_metric_filter - + allPatternsCount := count([x | [path, value] := walk(resources); filter := common_lib.json_unmarshal(value.pattern); x = filter]) count([x | [path, value] := walk(resources); filter := common_lib.json_unmarshal(value.pattern); not check_expression_missing(path[0], filter, doc); x = filter]) == allPatternsCount diff --git a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/query.rego b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/query.rego index f9c0a446173..2ef826332d4 100644 --- a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/query.rego +++ b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/query.rego @@ -34,7 +34,7 @@ expressionArr := [ CxPolicy[result] { doc := input.document[i] resources := doc.resource.aws_cloudwatch_log_metric_filter - + allPatternsCount := count([x | [path, value] := walk(resources); filter := commonLib.json_unmarshal(value.pattern); x = filter]) count([x | [path, value] := walk(resources); filter := commonLib.json_unmarshal(value.pattern); not check_expression_missing(path[0], filter, doc); x = filter]) == allPatternsCount diff --git a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/query.rego b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/query.rego index b13c443c7c8..3a354035886 100644 --- a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/query.rego +++ b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/query.rego 
@@ -38,7 +38,7 @@ check_expression_missing(resName, filter, doc) {
 CxPolicy[result] {
 doc := input.document[i]
 resources := doc.resource.aws_cloudwatch_log_metric_filter
-
+
 allPatternsCount := count([x | [path, value] := walk(resources); filter := common_lib.json_unmarshal(value.pattern); x = filter])
 count([x | [path, value] := walk(resources); filter := common_lib.json_unmarshal(value.pattern); not check_expression_missing(path[0], filter, doc); x = filter]) == allPatternsCount
diff --git a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/query.rego b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/query.rego
index a8ea3a3db66..3a2ad9369f8 100644
--- a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/query.rego
+++ b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/query.rego
@@ -102,7 +102,7 @@ check_expression_missing(resName, filter, doc) {
 CxPolicy[result] {
 doc := input.document[i]
 resources := doc.resource.aws_cloudwatch_log_metric_filter
-
+
 allPatternsCount := count([x | [path, value] := walk(resources); filter := common_lib.json_unmarshal(value.pattern); x = filter])
 count([x | [path, value] := walk(resources); filter := common_lib.json_unmarshal(value.pattern); not check_expression_missing(path[0], filter, doc); x = filter]) == allPatternsCount
diff --git a/assets/queries/terraform/aws/cloudwatch_metrics_disabled/query.rego b/assets/queries/terraform/aws/cloudwatch_metrics_disabled/query.rego
index 90cce5ef8ca..92247698b7f 100644
--- a/assets/queries/terraform/aws/cloudwatch_metrics_disabled/query.rego
+++ b/assets/queries/terraform/aws/cloudwatch_metrics_disabled/query.rego
@@ -18,7 +18,7 @@ CxPolicy[result] {
 "keyActualValue": sprintf("aws_api_gateway_method_settings[%s].settings.metrics_enabled is false", [name]),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/query.rego b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/query.rego
index 3ab90ee52f0..21cee6fa938 100644
--- a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/query.rego
+++ b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/query.rego
@@ -55,14 +55,13 @@ expressionArr := [
 },
 ]
-#{ ($.eventSource = \"s3.amazonaws.com\") && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }
+# { ($.eventSource = \"s3.amazonaws.com\") && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }
 CxPolicy[result] {
 doc := input.document[i]
 _ := doc.resource.aws_cloudwatch_log_metric_filter[name]
-
- count([alarm | alarm := doc.resource.aws_cloudwatch_metric_alarm[_]; contains(alarm.metric_name, name)]) == 0
-
+ count([alarm | alarm := doc.resource.aws_cloudwatch_metric_alarm[_]; contains(alarm.metric_name, name)]) == 0
+
 result := {
 "documentId": input.document[i].id,
 "resourceType": "aws_cloudwatch_log_metric_filter",
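Review bot: The re-indented `count([alarm | ...; contains(alarm.metric_name, name)]) == 0` line decides "filter has no alarm" by substring-matching the alarm's CloudWatch metric name against the Terraform block name of the filter, which are different namespaces. A filter whose block name does not happen to appear in `metric_name` is reported as unassociated even when an alarm watches its metric, while a short block name such as `s3` substring-matches unrelated alarms and the missing alarm is never reported. In Terraform the link is the filter's `metric_transformation.name` equalling the alarm's `metric_name`, so the check is presumably better as `filter := doc.resource.aws_cloudwatch_log_metric_filter[name]` followed by `count([alarm | alarm := doc.resource.aws_cloudwatch_metric_alarm[_]; alarm.metric_name == filter.metric_transformation.name]) == 0` (confirm how KICS represents the `metric_transformation` block, which may be a list). The result object continues past the end of the hunk.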
@@ -71,17 +70,17 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": "aws_cloudwatch_log_metric_filter should be associated an aws_cloudwatch_metric_alarm",
 "keyActualValue": "aws_cloudwatch_log_metric_filter not associated with any aws_cloudwatch_metric_alarm",
- "searchLine": common_lib.build_search_line(["resource","aws_cloudwatch_log_metric_filter", name], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_cloudwatch_log_metric_filter", name], []),
 }
 }
-
 check_expression_missing(filter) {
 filter._kics_filter_expr._op == "&&"
- count({x | exp := expressionArr[n];
- common_lib.check_selector(filter, exp.value, exp.op, exp.name) == false;
- x := exp
+ count({x |
+ exp := expressionArr[n]
+ common_lib.check_selector(filter, exp.value, exp.op, exp.name) == false
+ x := exp
 }) == 0
 }
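Review bot: The re-laid-out set comprehension in `check_expression_missing` keeps `common_lib.check_selector(filter, exp.value, exp.op, exp.name) == false`; if `check_selector` is a partial rule that is undefined (rather than `false`) when a selector does not match, that comparison is never true, the set is empty for every filter, and `check_expression_missing` succeeds unconditionally, so the "wrong pattern" rule that depends on `not check_expression_missing(filter)` never fires. Please confirm `check_selector` returns an explicit boolean in both branches; if it does not, the negation should be written `not common_lib.check_selector(filter, exp.value, exp.op, exp.name)`. The CxPolicy rule at the top of this hunk begins outside it.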
@@ -89,22 +88,23 @@ CxPolicy[result] {
 doc := input.document[i]
 resources := doc.resource.aws_cloudwatch_log_metric_filter
- resourceNames := [resourceName | [path, value] := walk(resources);
- filter := common_lib.json_unmarshal(value.pattern);
- not check_expression_missing(filter);
- resourceName := path[count(path)-1]
+ resourceNames := [resourceName |
+ [path, value] := walk(resources)
+ filter := common_lib.json_unmarshal(value.pattern)
+ not check_expression_missing(filter)
+ resourceName := path[count(path) - 1]
 ]
-
- resourceName := resourceNames[_]
-
+
+ resourceName := resourceNames[_]
+
 result := {
 "documentId": input.document[i].id,
 "resourceType": "aws_cloudwatch_log_metric_filter",
 "resourceName": resourceName,
- "searchKey": sprintf("aws_cloudwatch_log_metric_filter.%s",[resourceName]),
+ "searchKey": sprintf("aws_cloudwatch_log_metric_filter.%s", [resourceName]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`",
 "keyActualValue": "aws_cloudwatch_log_metric_filter with wrong pattern",
- "searchLine": common_lib.build_search_line(["resource","aws_cloudwatch_log_metric_filter", resourceName, "pattern"], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_cloudwatch_log_metric_filter", resourceName, "pattern"], []),
 }
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/query.rego b/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/query.rego
index 94a07052d6b..cdfe98d4c67 100644
--- a/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/query.rego
+++ b/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.aws_cloudwatch_log_group[name]
@@ -37,8 +37,8 @@ CxPolicy[result] {
 "keyExpectedValue": "Attribute 'retention_in_days' should be set and valid",
 "keyActualValue": "Attribute 'retention_in_days' is set but invalid",
 "remediation": json.marshal({
- "before": sprintf("%d",[value]),
- "after": "7"
+ "before": sprintf("%d", [value]),
+ "after": "7",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/cmk_is_unusable/query.rego b/assets/queries/terraform/aws/cmk_is_unusable/query.rego
index 84cefba6e51..c854be66142 100644
--- a/assets/queries/terraform/aws/cmk_is_unusable/query.rego
+++ b/assets/queries/terraform/aws/cmk_is_unusable/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.aws_kms_key[name]
@@ -19,7 +19,7 @@ CxPolicy[result] {
 "keyActualValue": sprintf("aws_kms_key[%s].is_enabled is set to false", [name]),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/cmk_rotation_disabled/query.rego b/assets/queries/terraform/aws/cmk_rotation_disabled/query.rego
index ce73a351f00..0cae3317197 100644
--- a/assets/queries/terraform/aws/cmk_rotation_disabled/query.rego
+++ b/assets/queries/terraform/aws/cmk_rotation_disabled/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 resource := input.document[i].resource.aws_kms_key[name]
 not key_set_to_false(resource)
- not common_lib.valid_key(resource, "enable_key_rotation")
- customer_master_key_spec_set_to_symmetric(resource)
+ not common_lib.valid_key(resource, "enable_key_rotation")
+ customer_master_key_spec_set_to_symmetric(resource)
 result := {
 "documentId": input.document[i].id,
@@ -21,49 +21,46 @@ CxPolicy[result] {
 }
 }
-
 CxPolicy[result] {
 resource := input.document[i].resource.aws_kms_key[name]
 not key_set_to_false(resource)
- resource.enable_key_rotation == true
- not customer_master_key_spec_set_to_symmetric(resource)
+ resource.enable_key_rotation == true
+ not customer_master_key_spec_set_to_symmetric(resource)
 result := {
 "documentId": input.document[i].id,
 "resourceType": "aws_kms_key",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("aws_kms_key[%s]", [name]),
- "issueType": "IncorrectValue",
+ "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("aws_kms_key[%s].enable_key_rotation should be set to false", [name]),
 "keyActualValue": sprintf("aws_kms_key[%s].enable_key_rotation is true", [name]),
 }
 }
-
 CxPolicy[result] {
 resource := input.document[i].resource.aws_kms_key[name]
 not key_set_to_false(resource)
- resource.enable_key_rotation == false
- customer_master_key_spec_set_to_symmetric(resource)
+ resource.enable_key_rotation == false
+ customer_master_key_spec_set_to_symmetric(resource)
 result := {
 "documentId": input.document[i].id,
 "resourceType": "aws_kms_key",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("aws_kms_key[%s]", [name]),
- "issueType": "IncorrectValue",
+ "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("aws_kms_key[%s].enable_key_rotation should be set to true", [name]),
 "keyActualValue": sprintf("aws_kms_key[%s].enable_key_rotation is false", [name]),
 }
 }
-
 customer_master_key_spec_set_to_symmetric(resource) {
- resource.customer_master_key_spec == "SYMMETRIC_DEFAULT"
+ resource.customer_master_key_spec == "SYMMETRIC_DEFAULT"
 } else {
- not common_lib.valid_key(resource, "customer_master_key_spec")
+ not common_lib.valid_key(resource, "customer_master_key_spec")
 }
 key_set_to_false(resource) {
diff --git a/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/query.rego b/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/query.rego
index 96c4af56e77..2f000cc8c3e 100644
--- a/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/query.rego
+++ b/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/query.rego
@@ -18,7 +18,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_config_configuration_aggregator", name, type, "all_regions"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
@@ -27,7 +27,7 @@ CxPolicy[result] {
 CxPolicy[result] {
 resource := input.document[i].resource.aws_config_configuration_aggregator[name]
 options := {"account_aggregation_source", "organization_aggregation_source"}
- type := options[o]
+ type := options[o]
 resourceElement := resource[type]
 not common_lib.valid_key(resourceElement, "all_regions")
diff --git a/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/query.rego b/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/query.rego
index 0c180e6e6c8..4dd9e3cb603 100644
--- a/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/query.rego
+++ b/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/query.rego
@@ -10,7 +10,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": "aws_config_config_rule",
 "resourceName": "unknown",
- "searchKey": "aws_config_config_rule", #refer to the first rule
+ "searchKey": "aws_config_config_rule", # refer to the first rule
 "issueType": "MissingAttribute",
 "keyExpectedValue": "There should be a 'aws_config_config_rule' resource with source id: 'ENCRYPTED_VOLUMES'",
 "keyActualValue": "No 'aws_config_config_rule' resource has source id: 'ENCRYPTED_VOLUMES'",
@@ -20,6 +20,4 @@ CxPolicy[result] {
 checkSource(config_rules, expected_source) {
 source := config_rules[_].source
 source.source_identifier == expected_source
-} else = false {
- true
-}
+} else = false
diff --git a/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/query.rego b/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/query.rego
index 396f0c4183f..6198943f2cb 100644
--- a/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/query.rego
+++ b/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/query.rego
@@ -30,4 +30,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", name, "assume_role_policy"], []),
 }
 }
-
diff --git a/assets/queries/terraform/aws/dax_cluster_not_encrypted/query.rego b/assets/queries/terraform/aws/dax_cluster_not_encrypted/query.rego
index f45d3f5f335..24d096d63c5 100644
--- a/assets/queries/terraform/aws/dax_cluster_not_encrypted/query.rego
+++ b/assets/queries/terraform/aws/dax_cluster_not_encrypted/query.rego
@@ -12,13 +12,13 @@ CxPolicy[result] {
 "resourceType": "aws_dax_cluster",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("aws_dax_cluster[{{%s}}].server_side_encryption.enabled", [name]),
- "searchLine": common_lib.build_search_line(["resource", "aws_dax_cluster", name,"server_side_encryption","enabled"], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_dax_cluster", name, "server_side_encryption", "enabled"], []),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "aws_dax_cluster.server_side_encryption.enabled should be set to true",
 "keyActualValue": "aws_dax_cluster.server_side_encryption.enabled is set to false",
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/db_instance_storage_not_encrypted/query.rego b/assets/queries/terraform/aws/db_instance_storage_not_encrypted/query.rego
index 54179198b24..8e08433b115 100644
--- a/assets/queries/terraform/aws/db_instance_storage_not_encrypted/query.rego
+++ b/assets/queries/terraform/aws/db_instance_storage_not_encrypted/query.rego
@@ -42,7 +42,6 @@ CxPolicy[result] {
 }
 }
-
 CxPolicy[result] {
 resource := input.document[i].resource.aws_db_instance[name]
@@ -61,7 +60,6 @@ CxPolicy[result] {
 }
 }
-
 CxPolicy[result] {
 module := input.document[i].module[name]
 keyToCheck1 := common_lib.get_module_equivalent_key("aws", module.source, "aws_db_instance", "storage_encrypted")
diff --git a/assets/queries/terraform/aws/docdb_cluster_not_encrypted/query.rego b/assets/queries/terraform/aws/docdb_cluster_not_encrypted/query.rego
index 1fbb16ade2b..b13692655dd 100644
--- a/assets/queries/terraform/aws/docdb_cluster_not_encrypted/query.rego
+++ b/assets/queries/terraform/aws/docdb_cluster_not_encrypted/query.rego
@@ -30,13 +30,13 @@ CxPolicy[result] {
 "resourceType": "aws_docdb_cluster",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("aws_docdb_cluster[{{%s}}].storage_encrypted", [name]),
- "searchLine": common_lib.build_search_line(["resource", "aws_docdb_cluster", name,"storage_encrypted"], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_docdb_cluster", name, "storage_encrypted"], []),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "aws_docdb_cluster.storage_encrypted should be set to true",
 "keyActualValue": "aws_docdb_cluster.storage_encrypted is set to false",
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/docdb_logging_disabled/query.rego b/assets/queries/terraform/aws/docdb_logging_disabled/query.rego
index f7c46197685..899206a077d 100644
--- a/assets/queries/terraform/aws/docdb_logging_disabled/query.rego
+++ b/assets/queries/terraform/aws/docdb_logging_disabled/query.rego
@@ -1,7 +1,8 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+import future.keywords.in
 validTypes := {"profiler", "audit"}
@@ -9,7 +10,7 @@ validTypeConcat := concat(", ", validTypes)
 CxPolicy[result] {
 resource := input.document[i].resource.aws_docdb_cluster[name]
- not exist(resource, "enabled_cloudwatch_logs_exports")
+ not "enabled_cloudwatch_logs_exports" in object.keys(resource)
 result := {
 "documentId": input.document[i].id,
@@ -56,7 +57,3 @@ CxPolicy[result] {
 "keyActualValue": sprintf("aws_docdb_cluster.enabled_cloudwatch_logs_exports has the following missing values: %s", [concat(", ", missingTypes)]),
 }
 }
-
-exist(obj, key) {
- _ = obj[key]
-}
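Review bot: The replacement line `not "enabled_cloudwatch_logs_exports" in object.keys(resource)` in docdb_logging_disabled is a pure key-presence test, whereas the sibling queries touched by this same change (cmk_rotation_disabled, config_configuration_aggregator_to_all_regions_disabled) express "attribute is missing" as `not common_lib.valid_key(resource, key)`. If `valid_key` also treats a null or empty value as absent, a cluster written as `enabled_cloudwatch_logs_exports = null` or `= []` passes this rule but would be caught by the library helper, and the two idioms would diverge across queries. Consider `not common_lib.valid_key(resource, "enabled_cloudwatch_logs_exports")` here after confirming the helper's semantics; if nothing else in the file uses the `in` keyword, the new `import future.keywords.in` could then go too.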
diff --git a/assets/queries/terraform/aws/dynamodb_table_not_encrypted/query.rego b/assets/queries/terraform/aws/dynamodb_table_not_encrypted/query.rego
index 1bd9b88fee0..09552dae028 100644
--- a/assets/queries/terraform/aws/dynamodb_table_not_encrypted/query.rego
+++ b/assets/queries/terraform/aws/dynamodb_table_not_encrypted/query.rego
@@ -12,13 +12,13 @@ CxPolicy[result] {
 "resourceType": "aws_dynamodb_table",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("aws_dynamodb_table[{{%s}}].server_side_encryption.enabled", [name]),
- "searchLine": common_lib.build_search_line(["resource", "aws_dynamodb_table", name,"server_side_encryption","enabled"], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_dynamodb_table", name, "server_side_encryption", "enabled"], []),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "aws_dynamodb_table.server_side_encryption.enabled should be set to true",
 "keyActualValue": "aws_dynamodb_table.server_side_encryption.enabled is set to false",
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/query.rego b/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/query.rego
index 139bdaa76d1..d2ca2c9cad7 100644
--- a/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/query.rego
+++ b/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/query.rego
@@ -14,13 +14,13 @@ CxPolicy[result] {
 "resourceType": "aws_dynamodb_table",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("aws_dynamodb_table[{{%s}}].point_in_time_recovery.enabled", [m]),
- "searchLine": common_lib.build_search_line(["resource", "aws_dynamodb_table", name, "point_in_time_recovery","enabled"], []),
- "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute"
+ "searchLine": common_lib.build_search_line(["resource", "aws_dynamodb_table", name, "point_in_time_recovery", "enabled"], []),
+ "issueType": "IncorrectValue", # "MissingAttribute" / "RedundantAttribute"
 "keyExpectedValue": "aws_dynamodb_table.point_in_time_recovery.enabled should be set to true",
 "keyActualValue": "aws_dynamodb_table.point_in_time_recovery.enabled is set to false",
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/query.rego b/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/query.rego
index 307f02a428c..e29dd7622a5 100644
--- a/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/query.rego
+++ b/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/query.rego
@@ -6,7 +6,7 @@ CxPolicy[result] {
 resource := input.document[i].resource.aws_vpc_endpoint[name]
 serviceNameSplit := split(resource.service_name, ".")
- serviceNameSplit[minus(count(serviceNameSplit), 1)] == "dynamodb"
+ serviceNameSplit[count(serviceNameSplit) - 1] == "dynamodb"
 vpcNameRef := split(resource.vpc_id, ".")[1]
 not has_route_association(vpcNameRef)
diff --git a/assets/queries/terraform/aws/ebs_default_encryption_disabled/query.rego b/assets/queries/terraform/aws/ebs_default_encryption_disabled/query.rego
index f6d052b0327..64189c65d79 100644
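Review bot: In the dynamodb_vpc_endpoint hunk, the line after the rewritten index, `vpcNameRef := split(resource.vpc_id, ".")[1]`, assumes `vpc_id` is an `aws_vpc.<name>.id` reference; a literal ID splits into one element so index 1 is undefined and the rule silently produces no finding, while `var.<x>` or `module.<x>.vpc_id` yields the wrong segment and most likely a false positive from `has_route_association`. A small guard makes the intent explicit: `vpcParts := split(resource.vpc_id, ".")`, `vpcParts[0] == "aws_vpc"`, `vpcNameRef := vpcParts[1]` — though that drops the `var.`/`module.` cases, so decide first whether those should be reported or skipped. Separately, the point_in_time_recovery hunk builds `searchKey` from `[m]` but `searchLine` from `name`; both bindings are outside the hunk, so presumably one of them is a leftover. The `has_route_association` rule is not in the hunk.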
--- a/assets/queries/terraform/aws/ebs_default_encryption_disabled/query.rego
+++ b/assets/queries/terraform/aws/ebs_default_encryption_disabled/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.aws_ebs_encryption_by_default[name]
@@ -18,7 +18,7 @@ CxPolicy[result] {
 "keyActualValue": "'aws_ebs_encryption_by_default.encrypted' is false",
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/ebs_volume_encryption_disabled/query.rego b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/query.rego
index 7a91fb498ed..5a6564d4ae0 100644
--- a/assets/queries/terraform/aws/ebs_volume_encryption_disabled/query.rego
+++ b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/query.rego
@@ -38,7 +38,7 @@ CxPolicy[result] {
 "keyActualValue": "One of 'aws_ebs_volume.encrypted' is 'false'",
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/query.rego b/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/query.rego
index 94a5c133cf7..e0b54fdf227 100644
--- a/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/query.rego
+++ b/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/query.rego
@@ -15,7 +15,6 @@ CxPolicy[result] {
 result := {
 "documentId": doc.id,
 "resourceType": "aws_ebs_volume",
- "resourceName": tf_lib.get_resource_name(bucket, s3BucketName),
 "resourceName": snapName,
 "searchKey": sprintf("aws_ebs_volume[%s].encrypted", [snapName]),
 "issueType": "IncorrectValue",
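Review bot: In ebs_volume_snapshot_not_encrypted, the surviving `"resourceName": snapName` reports the raw Terraform block name, while every other query in this series uses `tf_lib.get_resource_name(resource, name)` so that findings carry the resource's display name consistently; consider `"resourceName": tf_lib.get_resource_name(<volume resource>, snapName)` with whatever variable binds the volume block (the rule head and bindings are above the hunk). The deleted duplicate key referenced `bucket` and `s3BucketName`, which are not bound anywhere visible, so before this change the query presumably failed to compile and never produced a finding; a positive and a negative sample for this query would guard against a regression of that kind.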
diff --git a/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/query.rego b/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/query.rego
index cee81171566..ecc08236d94 100644
--- a/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/query.rego
+++ b/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/query.rego
@@ -37,7 +37,7 @@ CxPolicy[result] {
 "keyExpectedValue": "'monitoring' should be defined and not null",
 "keyActualValue": "'monitoring' is undefined or null",
 "searchLine": common_lib.build_search_line(["module", name], []),
- "remediation": sprintf("%s = true",[keyToCheck]),
+ "remediation": sprintf("%s = true", [keyToCheck]),
 "remediationType": "addition",
 }
 }
@@ -58,7 +58,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_instance", name, "monitoring"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
@@ -74,16 +74,15 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": "n/a",
 "resourceName": "n/a",
- "searchKey": sprintf("module[%s].%s", [name,keyToCheck]),
+ "searchKey": sprintf("module[%s].%s", [name, keyToCheck]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("%s.'monitoring' should be set to true", [name]),
 "keyActualValue": sprintf("%s.'monitoring' is set to false", [name]),
 "searchLine": common_lib.build_search_line(["module", name, keyToCheck], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
 }
-
diff --git a/assets/queries/terraform/aws/ec2_not_ebs_optimized/query.rego b/assets/queries/terraform/aws/ec2_not_ebs_optimized/query.rego
index e8269ddf7dd..adf82c53f3d 100644
--- a/assets/queries/terraform/aws/ec2_not_ebs_optimized/query.rego
+++ b/assets/queries/terraform/aws/ec2_not_ebs_optimized/query.rego
@@ -21,7 +21,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_instance", name, "ebs_optimized"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
@@ -47,7 +47,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["module", name, "ebs_optimized"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/ecr_image_tag_not_immutable/query.rego b/assets/queries/terraform/aws/ecr_image_tag_not_immutable/query.rego
index a55ca90966c..a5f38573f5d 100644
--- a/assets/queries/terraform/aws/ecr_image_tag_not_immutable/query.rego
+++ b/assets/queries/terraform/aws/ecr_image_tag_not_immutable/query.rego
@@ -38,7 +38,7 @@ CxPolicy[result] {
 "keyActualValue": sprintf("aws_ecr_repository.%s.image_tag_mutability is 'MUTABLE'", [name]),
 "remediation": json.marshal({
 "before": "MUTABLE",
- "after": "IMMUTABLE"
+ "after": "IMMUTABLE",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/query.rego b/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/query.rego
index ec48d8aff58..d3c98b56a33 100644
--- a/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/query.rego
+++ b/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.aws_ecs_task_definition[name]
@@ -17,8 +17,8 @@ CxPolicy[result] {
 "keyExpectedValue": "'network_mode' should equal to 'awsvpc'",
 "keyActualValue": sprintf("'network_mode' is equal to '%s'", [resource.network_mode]),
 "remediation": json.marshal({
- "before": sprintf("%s",[resource.network_mode]),
- "after": "awsvpc"
+ "before": sprintf("%s", [resource.network_mode]),
+ "after": "awsvpc",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/ecs_task_definition_volume_not_encrypted/query.rego b/assets/queries/terraform/aws/ecs_task_definition_volume_not_encrypted/query.rego
index 83c25dee5e2..70b00b0dc98 100644
--- a/assets/queries/terraform/aws/ecs_task_definition_volume_not_encrypted/query.rego
+++ b/assets/queries/terraform/aws/ecs_task_definition_volume_not_encrypted/query.rego
@@ -18,7 +18,7 @@ CxPolicy[result] {
 "keyActualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value is 'DISABLED'",
 "remediation": json.marshal({
 "before": "DISABLED",
- "after": "ENABLED"
+ "after": "ENABLED",
 }),
 "remediationType": "replacement",
 }
@@ -58,4 +58,4 @@ CxPolicy[result] {
 "keyExpectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration value should be defined",
 "keyActualValue": "aws_ecs_task_definition.volume.efs_volume_configuration is not set",
 }
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/aws/efs_not_encrypted/query.rego b/assets/queries/terraform/aws/efs_not_encrypted/query.rego
index b17f88aef96..669e0afa915 100644
--- a/assets/queries/terraform/aws/efs_not_encrypted/query.rego
+++ b/assets/queries/terraform/aws/efs_not_encrypted/query.rego
@@ -12,13 +12,13 @@ CxPolicy[result] {
 "resourceType": "aws_efs_file_system",
 "resourceName": tf_lib.get_resource_name(efs, name),
 "searchKey": sprintf("aws_efs_file_system[%s].encrypted", [name]),
- "searchLine": common_lib.build_search_line(["resource", "aws_efs_file_system", name ,"encrypted"], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_efs_file_system", name, "encrypted"], []),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("aws_efs_file_system[%s].encrypted' should be true", [name]),
 "keyActualValue": sprintf("aws_efs_file_system[%s].encrypted' is false", [name]),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
@@ -33,7 +33,7 @@ CxPolicy[result] {
 "resourceType": "aws_efs_file_system",
 "resourceName": tf_lib.get_resource_name(efs, name),
 "searchKey": sprintf("aws_efs_file_system[%s]", [name]),
- "searchLine": common_lib.build_search_line(["resource", "aws_efs_file_system", name ,"encrypted"], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_efs_file_system", name, "encrypted"], []),
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("aws_efs_file_system[%s].encrypted' should be defined and not null", [name]),
 "keyActualValue": sprintf("aws_efs_file_system[%s].encrypted' is undefined or null", [name]),
diff --git a/assets/queries/terraform/aws/eks_cluster_encryption_disabled/query.rego b/assets/queries/terraform/aws/eks_cluster_encryption_disabled/query.rego
index dec3c075683..039c53303e6 100644
--- a/assets/queries/terraform/aws/eks_cluster_encryption_disabled/query.rego
+++ b/assets/queries/terraform/aws/eks_cluster_encryption_disabled/query.rego
@@ -38,4 +38,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_eks_cluster", name, "resources"], []),
 }
 }
-
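Review bot: The four efs_not_encrypted message strings around the reformatted searchLine lines carry an unbalanced quote, e.g. `sprintf("aws_efs_file_system[%s].encrypted' should be true", [name])`, which reads as a typo in the finding text users see. Since the PR is already touching these lines for formatting, the strings could be written as `sprintf("'aws_efs_file_system[%s].encrypted' should be true", [name])` and likewise for the "is false", "should be defined and not null" and "is undefined or null" variants. Both CxPolicy bodies start above their hunks.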
diff --git a/assets/queries/terraform/aws/eks_cluster_has_public_access/query.rego b/assets/queries/terraform/aws/eks_cluster_has_public_access/query.rego
index da27f67dc53..e76aefb4a65 100644
--- a/assets/queries/terraform/aws/eks_cluster_has_public_access/query.rego
+++ b/assets/queries/terraform/aws/eks_cluster_has_public_access/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.aws_eks_cluster[name]
@@ -18,7 +18,7 @@ CxPolicy[result] {
 "keyActualValue": "'vpc_config.endpoint_public_access' is equal 'true'",
 "remediation": json.marshal({
 "before": "true",
- "after": "false"
+ "after": "false",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/query.rego b/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/query.rego
index c8223807924..dede27ad64d 100644
--- a/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/query.rego
+++ b/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/query.rego
@@ -1,12 +1,13 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
 resource := input.document[i].resource.aws_eks_cluster[name]
 resource.vpc_config.endpoint_public_access == true
- resource.vpc_config.public_access_cidrs[_] == "0.0.0.0/0"
+ "0.0.0.0/0" in resource.vpc_config.public_access_cidrs
 result := {
 "documentId": input.document[i].id,
@@ -19,7 +20,7 @@ CxPolicy[result] {
 }
 }
-#default vaule of cidrs is "0.0.0.0/0"
+# default value of cidrs is "0.0.0.0/0"
 CxPolicy[result] {
 resource := input.document[i].resource.aws_eks_cluster[name]
diff --git a/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/query.rego b/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/query.rego
index 4f634eb72e8..37bd707836c 100644
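Review bot: In eks_cluster_has_public_access_cidrs, the rewritten `"0.0.0.0/0" in resource.vpc_config.public_access_cidrs` line is gated by the line above it, `resource.vpc_config.endpoint_public_access == true`, which only matches when the flag is written out explicitly; the Terraform provider defaults `endpoint_public_access` to true when it is omitted, so a cluster that leaves the flag unset and lists `0.0.0.0/0` is not reported unless a rule outside this hunk covers that case. The second rule (commented "default value of cidrs") handles a missing `public_access_cidrs`, not a missing `endpoint_public_access`, as far as the hunk shows. A companion rule body with `not "endpoint_public_access" in object.keys(resource.vpc_config)` in place of the equality, using the `in` keyword this hunk imports, would close that gap; confirm first that no other rule in the file already does.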
--- a/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/query.rego
+++ b/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 cluster := input.document[i].resource.aws_elasticache_cluster[name]
@@ -42,7 +42,7 @@ CxPolicy[result] {
 "keyActualValue": sprintf("'az_mode' is '%s'", [cluster.az_mode]),
 "remediation": json.marshal({
 "before": sprintf("%s", [cluster.az_mode]),
- "after": "cross-az"
+ "after": "cross-az",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/query.rego b/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/query.rego
index b57d3fe05a7..ef7f4602f62 100644
--- a/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/query.rego
+++ b/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/query.rego
@@ -40,7 +40,7 @@ CxPolicy[result] {
 "keyActualValue": "'snapshot_retention_limit' is 0",
 "remediation": json.marshal({
 "before": "0",
- "after": "5"
+ "after": "5",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/query.rego b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/query.rego
index 3151c863db9..68210d1ff5d 100644
--- a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/query.rego
+++ b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/query.rego
@@ -38,7 +38,7 @@ CxPolicy[result] {
 "keyActualValue": "The attribute 'at_rest_encryption_enabled' is not set to true",
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/elasticache_using_default_port/query.rego b/assets/queries/terraform/aws/elasticache_using_default_port/query.rego
index 4ee4ac469b6..23e9772c5dd 100644
--- a/assets/queries/terraform/aws/elasticache_using_default_port/query.rego
+++ b/assets/queries/terraform/aws/elasticache_using_default_port/query.rego
@@ -39,4 +39,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_elasticache_cluster", name, "port"], []),
 }
 }
-
diff --git a/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/query.rego b/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/query.rego
index ca304a0ff86..48007995db9 100644
--- a/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/query.rego
+++ b/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/query.rego
@@ -38,7 +38,7 @@ CxPolicy[result] {
 "keyActualValue": "The attribute 'node_to_node_encryption' is not set to true",
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/elasticsearch_logs_disabled/query.rego b/assets/queries/terraform/aws/elasticsearch_logs_disabled/query.rego
index 10925331ab2..41f54eebfbf 100644
--- a/assets/queries/terraform/aws/elasticsearch_logs_disabled/query.rego
+++ b/assets/queries/terraform/aws/elasticsearch_logs_disabled/query.rego
@@ -36,7 +36,7 @@ CxPolicy[result] {
 "keyActualValue": "'log_publishing_options.enabled' is false",
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/query.rego b/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/query.rego
index 6b796db399d..bdfe8af5ee7 100644
--- a/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/query.rego
+++ b/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 domain := input.document[i].resource.aws_elasticsearch_domain[name]
@@ -39,7 +39,7 @@ CxPolicy[result] {
 "keyActualValue": "'encrypt_at_rest.enabled' is false",
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/elasticsearch_without_slow_logs/query.rego b/assets/queries/terraform/aws/elasticsearch_without_slow_logs/query.rego
index 2370853e0be..9dbe4aa6adf 100644
--- a/assets/queries/terraform/aws/elasticsearch_without_slow_logs/query.rego
+++ b/assets/queries/terraform/aws/elasticsearch_without_slow_logs/query.rego
@@ -19,8 +19,8 @@ CxPolicy[result] {
 "keyExpectedValue": "'log_publishing_options.log_type' should not be INDEX_SLOW_LOGS or SEARCH_SLOW_LOGS ",
 "keyActualValue": "'log_publishing_options.enabled' is ES_APPLICATION_LOGS or AUDIT_LOGS",
 "remediation": json.marshal({
- "before": sprintf("%s",[logType]),
- "after": "INDEX_SLOW_LOGS"
+ "before": sprintf("%s", [logType]),
+ "after": "INDEX_SLOW_LOGS",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/elb_access_logging_disabled/query.rego b/assets/queries/terraform/aws/elb_access_logging_disabled/query.rego
index 3928013814c..ced70b9a66b 100644
--- a/assets/queries/terraform/aws/elb_access_logging_disabled/query.rego
+++ b/assets/queries/terraform/aws/elb_access_logging_disabled/query.rego
@@ -37,7 +37,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_elb", name, "access_logs", "enabled"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } @@ -79,7 +79,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["module", name, keyToCheck, "enabled"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/elb_using_insecure_protocols/query.rego b/assets/queries/terraform/aws/elb_using_insecure_protocols/query.rego index 615cecd4f4d..408c3bc2bd9 100644 --- a/assets/queries/terraform/aws/elb_using_insecure_protocols/query.rego +++ b/assets/queries/terraform/aws/elb_using_insecure_protocols/query.rego @@ -16,13 +16,13 @@ CxPolicy[result] { "resourceType": "aws_load_balancer_policy", "resourceName": tf_lib.get_resource_name(policy, name), "searchKey": sprintf("aws_load_balancer_policy[%s].policy_attribute.name", [name]), - "searchLine": commonLib.build_search_line(["resource", "aws_load_balancer_policy", name, "policy_attribute", "name" ], []), + "searchLine": commonLib.build_search_line(["resource", "aws_load_balancer_policy", name, "policy_attribute", "name"], []), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'aws_load_balancer_policy[%s].policy_attribute[%s]' should not be an insecure protocol", [name, protocol]), "keyActualValue": sprintf("'aws_load_balancer_policy[%s].policy_attribute[%s]' is an insecure protocol", [name, protocol]), "remediation": json.marshal({ "before": sprintf("%s", [protocol]), - "after": "Protocol-TLSv1.2" + "after": "Protocol-TLSv1.2", }), "remediationType": "replacement", } 
@@ -39,14 +39,14 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": "aws_load_balancer_policy", "resourceName": tf_lib.get_resource_name(policy, name), - "searchKey": sprintf("aws_load_balancer_policy[%s].policy_attribute[%d].name", [name,j]), - "searchLine": commonLib.build_search_line(["resource", "aws_load_balancer_policy", name, "policy_attribute", j, "name" ], []), + "searchKey": sprintf("aws_load_balancer_policy[%s].policy_attribute[%d].name", [name, j]), + "searchLine": commonLib.build_search_line(["resource", "aws_load_balancer_policy", name, "policy_attribute", j, "name"], []), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'aws_load_balancer_policy[%s].policy_attribute[%s]' should not be an insecure protocol", [name, protocol]), "keyActualValue": sprintf("'aws_load_balancer_policy[%s].policy_attribute[%s]' is an insecure protocol", [name, protocol]), "remediation": json.marshal({ "before": sprintf("%s", [protocol]), - "after": "Protocol-TLSv1.2" + "after": "Protocol-TLSv1.2", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/elb_using_weak_ciphers/query.rego b/assets/queries/terraform/aws/elb_using_weak_ciphers/query.rego index 48d0eebfea7..1f212eebbc9 100644 --- a/assets/queries/terraform/aws/elb_using_weak_ciphers/query.rego +++ b/assets/queries/terraform/aws/elb_using_weak_ciphers/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.aws_load_balancer_policy[name] diff --git a/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/query.rego b/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/query.rego index 5a48d588407..db7565bd5aa 100644 --- a/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/query.rego 
+++ b/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/query.rego @@ -60,7 +60,7 @@ CxPolicy[result] { "keyActualValue": sprintf("aws_globalaccelerator_accelerator[{{%s}}].flow_logs_enabled is false", [name]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/query.rego b/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/query.rego index 7134418da5e..a59c1f79874 100644 --- a/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/query.rego +++ b/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/query.rego @@ -16,7 +16,7 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "'catalog_encryption_mode' should be set to 'SSE-KMS'", "keyActualValue": "'catalog_encryption_mode' is not set to 'SSE-KMS'", - "searchLine": common_lib.build_search_line(["resource", "aws_glue_data_catalog_encryption_settings", name, "data_catalog_encryption_settings","encryption_at_rest", "catalog_encryption_mode"], []), + "searchLine": common_lib.build_search_line(["resource", "aws_glue_data_catalog_encryption_settings", name, "data_catalog_encryption_settings", "encryption_at_rest", "catalog_encryption_mode"], []), } } @@ -33,7 +33,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "'sse_aws_kms_key_id' should be defined and not null", "keyActualValue": "'sse_aws_kms_key_id' is undefined or null", - "searchLine": common_lib.build_search_line(["resource", "aws_glue_data_catalog_encryption_settings", name, "data_catalog_encryption_settings","encryption_at_rest"], []), + "searchLine": common_lib.build_search_line(["resource", "aws_glue_data_catalog_encryption_settings", name, "data_catalog_encryption_settings", "encryption_at_rest"], []), } } 
@@ -50,10 +50,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "'return_connection_password_encrypted' should be set to true", "keyActualValue": "'return_connection_password_encrypted' is not set to true", - "searchLine": common_lib.build_search_line(["resource", "aws_glue_data_catalog_encryption_settings", name, "data_catalog_encryption_settings","connection_password_encryption", "return_connection_password_encrypted"], []), + "searchLine": common_lib.build_search_line(["resource", "aws_glue_data_catalog_encryption_settings", name, "data_catalog_encryption_settings", "connection_password_encryption", "return_connection_password_encrypted"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } @@ -72,7 +72,6 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "'aws_kms_key_id' should be defined and not null", "keyActualValue": "'aws_kms_key_id' is undefined or null", - "searchLine": common_lib.build_search_line(["resource", "aws_glue_data_catalog_encryption_settings", name, "data_catalog_encryption_settings","connection_password_encryption"], []), - + "searchLine": common_lib.build_search_line(["resource", "aws_glue_data_catalog_encryption_settings", name, "data_catalog_encryption_settings", "connection_password_encryption"], []), } } diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego index 44de50aba51..d80d2ef2f03 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego 
@@ -4,12 +4,10 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
- # get a AWS IAM group
 group := input.document[i].resource.aws_iam_group[targetGroup]
- common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "glue:UpdateDevEndpoint")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "glue:UpdateDevEndpoint")
 result := {
 "documentId": input.document[i].id,
@@ -17,8 +15,8 @@ CxPolicy[result] {
 "resourceName": tf_lib.get_resource_name(group, targetGroup),
 "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetGroup]),
+ "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetGroup]),
 "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetGroup]),
- "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego
index 0a75a989bd1..287917489ec 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego
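Review bot: The reindented `keyExpectedValue` lines say "shouldn't" in this query and in the AttachGroupPolicy, AttachUserPolicy, CreateLoginProfile, CreatePolicyVersion and the three PassRole-combination queries, but "should not" in the AddUserToGroup, AttachRolePolicy and CreateAccessKey queries; since every one of these lines is being rewritten anyway, one wording should be used across the family so that findings are reported consistently. Removing `# get a AWS IAM group` also leaves the rule body with no comment on what is actually being checked, and the helper name alone does not say it; a one-line comment above the `common_lib.group_unrecommended_permission_policy_scenarios` call, such as `# flags the group when an attached policy grants this action with Resource '*' (per the finding text below)`, would keep that context without restoring the old comment. The same two points apply to the other group_with_privilege_escalation hunks in this diff.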
@@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM group group := input.document[i].resource.aws_iam_group[targetGroup] - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AddUserToGroup") - + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AddUserToGroup") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_group", - "resourceName": tf_lib.get_resource_name(group, targetGroup), + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("group %s should not be associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetGroup]), + "keyExpectedValue": sprintf("group %s should not be associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetGroup]), "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetGroup]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), } } diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego index 32a9b43fed6..de4c6004c01 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego 
@@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM group group := input.document[i].resource.aws_iam_group[targetGroup] - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachGroupPolicy") - + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachGroupPolicy") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_group", - "resourceName": tf_lib.get_resource_name(group, targetGroup), + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetGroup]), + "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetGroup]), "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetGroup]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), } } diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego index b7eb2c9a517..6550b22415f 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego 
@@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM group group := input.document[i].resource.aws_iam_group[targetGroup] - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachRolePolicy") - + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachRolePolicy") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_group", - "resourceName": tf_lib.get_resource_name(group, targetGroup), + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("group %s should not be associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetGroup]), + "keyExpectedValue": sprintf("group %s should not be associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetGroup]), "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetGroup]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), } } diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego index 4dae2f1a2ce..1a0acaedc39 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego 
@@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM group group := input.document[i].resource.aws_iam_group[targetGroup] - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachUserPolicy") - + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachUserPolicy") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_group", - "resourceName": tf_lib.get_resource_name(group, targetGroup), + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetGroup]), + "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetGroup]), "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetGroup]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), } } diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego index a094bce68c1..d32a3980748 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego 
@@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM group group := input.document[i].resource.aws_iam_group[targetGroup] - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:CreateAccessKey") - + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:CreateAccessKey") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_group", - "resourceName": tf_lib.get_resource_name(group, targetGroup), + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("group %s should not be associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetGroup]), + "keyExpectedValue": sprintf("group %s should not be associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetGroup]), "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetGroup]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), } } diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego index 135a3c26a5c..feaab8c0772 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego 
@@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM group group := input.document[i].resource.aws_iam_group[targetGroup] - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:CreateLoginProfile") - + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:CreateLoginProfile") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_group", - "resourceName": tf_lib.get_resource_name(group, targetGroup), + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetGroup]), + "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetGroup]), "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetGroup]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), } } diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego index ac3ea0dbbad..52a93787792 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego 
@@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM group group := input.document[i].resource.aws_iam_group[targetGroup] - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:CreatePolicyVersion") - + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:CreatePolicyVersion") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_group", - "resourceName": tf_lib.get_resource_name(group, targetGroup), + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetGroup]), + "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetGroup]), "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetGroup]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), } } diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego index 9c7ca06c9c8..568d6713626 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego 
@@ -4,22 +4,20 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM group group := input.document[i].resource.aws_iam_group[targetGroup] - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "cloudformation:CreateStack") - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole") - + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "cloudformation:CreateStack") + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_group", - "resourceName": tf_lib.get_resource_name(group, targetGroup), + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetGroup]), + "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetGroup]), "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetGroup]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), } } diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego index fb26d4d38a6..324ab3a3ad5 100644 
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego @@ -4,22 +4,20 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM group group := input.document[i].resource.aws_iam_group[targetGroup] - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "ec2:RunInstances") - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole") - + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "ec2:RunInstances") + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_group", - "resourceName": tf_lib.get_resource_name(group, targetGroup), + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetGroup]), + "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetGroup]), "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetGroup]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), } } 
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego
index f0d0d541a5d..8228e86438e 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego
@@ -4,22 +4,20 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM group group := input.document[i].resource.aws_iam_group[targetGroup] - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "glue:CreateDevEndpoint") - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole") - + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "glue:CreateDevEndpoint") + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_group", - "resourceName": tf_lib.get_resource_name(group, targetGroup), + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetGroup]), + "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetGroup]), "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetGroup]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), } } diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego index a72a5941739..fe3dfb2529d 100644 
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego
@@ -4,23 +4,21 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM group group := input.document[i].resource.aws_iam_group[targetGroup] - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "lambda:CreateFunction") - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole") - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "lambda:InvokeFunction") - + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "lambda:CreateFunction") + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole") + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "lambda:InvokeFunction") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_group", - "resourceName": tf_lib.get_resource_name(group, targetGroup), + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetGroup]), + "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetGroup]), "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetGroup]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), } } 
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego index fe78cd50597..56023d65a0b 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego @@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM group group := input.document[i].resource.aws_iam_group[targetGroup] - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PutGroupPolicy") - + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PutGroupPolicy") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_group", - "resourceName": tf_lib.get_resource_name(group, targetGroup), + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetGroup]), + "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetGroup]), "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetGroup]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), } } 
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego index bc9feba0c3a..97d939d7cc9 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego @@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM group group := input.document[i].resource.aws_iam_group[targetGroup] - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PutRolePolicy") - + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PutRolePolicy") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_group", - "resourceName": tf_lib.get_resource_name(group, targetGroup), + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("group %s should not be associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetGroup]), + "keyExpectedValue": sprintf("group %s should not be associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetGroup]), "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetGroup]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), } } 
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego index 37ce97916ee..4cf5bd1d816 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego @@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM group group := input.document[i].resource.aws_iam_group[targetGroup] - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PutUserPolicy") - + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PutUserPolicy") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_group", - "resourceName": tf_lib.get_resource_name(group, targetGroup), + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("group %s should not be associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetGroup]), + "keyExpectedValue": sprintf("group %s should not be associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetGroup]), "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetGroup]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), } } 
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego index 6aad22cf318..08548399c34 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego @@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM group group := input.document[i].resource.aws_iam_group[targetGroup] - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:SetDefaultPolicyVersion") - + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:SetDefaultPolicyVersion") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_group", - "resourceName": tf_lib.get_resource_name(group, targetGroup), + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetGroup]), + "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetGroup]), "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetGroup]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), } } 
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego
index dcc9daf11ae..8021c819534 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego
@@ -4,22 +4,20 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM group group := input.document[i].resource.aws_iam_group[targetGroup] - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:UpdateAssumeRolePolicy") - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "sts:AssumeRole") - + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:UpdateAssumeRolePolicy") + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "sts:AssumeRole") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_group", - "resourceName": tf_lib.get_resource_name(group, targetGroup), + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetGroup]), + "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetGroup]), "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetGroup]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), } } diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego index aeba03e85e7..ef91cfbf059 100644 
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego @@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM group group := input.document[i].resource.aws_iam_group[targetGroup] - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:UpdateLoginProfile") - + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:UpdateLoginProfile") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_group", - "resourceName": tf_lib.get_resource_name(group, targetGroup), + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetGroup]), + "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetGroup]), "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetGroup]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), } } diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego index 943656acffb..251983c1a82 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego 
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego @@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM group group := input.document[i].resource.aws_iam_group[targetGroup] - common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "lambda:UpdateFunctionCode") - + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "lambda:UpdateFunctionCode") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_group", - "resourceName": tf_lib.get_resource_name(group, targetGroup), + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetGroup]), + "keyExpectedValue": sprintf("group %s shouldn't be associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetGroup]), "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetGroup]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), } } diff --git a/assets/queries/terraform/aws/guardduty_detector_disabled/query.rego b/assets/queries/terraform/aws/guardduty_detector_disabled/query.rego index 7d558511451..d26c8287985 100644 --- a/assets/queries/terraform/aws/guardduty_detector_disabled/query.rego +++ b/assets/queries/terraform/aws/guardduty_detector_disabled/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { awsGuardDuty := input.document[i].resource.aws_guardduty_detector[name] @@ -20,7 +20,7 @@ CxPolicy[result] { "keyActualValue": "GuardDuty Detector is not Enabled", "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/query.rego b/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/query.rego index cacd4de4581..0103b895d3d 100644 --- a/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/query.rego +++ b/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/query.rego @@ -1,7 +1,7 @@ package Cx -import input as tf import data.generic.common as common_lib +import input as tf CxPolicy[result] { paths := [p | diff --git a/assets/queries/terraform/aws/iam_password_without_minimum_length/query.rego b/assets/queries/terraform/aws/iam_password_without_minimum_length/query.rego index 1e3f8d61ceb..6b16949ccca 100644 --- a/assets/queries/terraform/aws/iam_password_without_minimum_length/query.rego +++ b/assets/queries/terraform/aws/iam_password_without_minimum_length/query.rego @@ -37,7 +37,7 @@ CxPolicy[result] { "keyActualValue": "'minimum_password_length' is less than 14", "remediation": json.marshal({ "before": sprintf("%d", [min_length]), - "after": "14" + "after": "14", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/iam_policies_with_full_privileges/query.rego b/assets/queries/terraform/aws/iam_policies_with_full_privileges/query.rego index 43de017d919..459c460c18a 100644 --- a/assets/queries/terraform/aws/iam_policies_with_full_privileges/query.rego +++ b/assets/queries/terraform/aws/iam_policies_with_full_privileges/query.rego 
@@ -31,7 +31,7 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i].data.aws_iam_policy_document[name] - policy := {"Statement": resource.statement} + policy := {"Statement": resource.statement} st := common_lib.get_statement(policy) statement := st[_] diff --git a/assets/queries/terraform/aws/iam_role_with_full_privileges/query.rego b/assets/queries/terraform/aws/iam_role_with_full_privileges/query.rego index db89e101517..33787c7d0fb 100644 --- a/assets/queries/terraform/aws/iam_role_with_full_privileges/query.rego +++ b/assets/queries/terraform/aws/iam_role_with_full_privileges/query.rego @@ -7,7 +7,7 @@ CxPolicy[result] { resource := input.document[i].resource.aws_iam_role[name] policy := common_lib.json_unmarshal(resource.assume_role_policy) - st := common_lib.get_statement(policy) + st := common_lib.get_statement(policy) statement := st[_] common_lib.is_allow_effect(statement) diff --git a/assets/queries/terraform/aws/iam_user_with_access_to_console/query.rego b/assets/queries/terraform/aws/iam_user_with_access_to_console/query.rego index 0651f184cf2..52e47ace4d8 100644 --- a/assets/queries/terraform/aws/iam_user_with_access_to_console/query.rego +++ b/assets/queries/terraform/aws/iam_user_with_access_to_console/query.rego @@ -19,5 +19,5 @@ CxPolicy[result] { } clean_user(user) = search { - search := regex.find_all_string_submatch_n("\\${(.*?)\\}", user, -1) + search := regex.find_all_string_submatch_n(`\${(.*?)\}`, user, -1) } diff --git a/assets/queries/terraform/aws/instance_with_no_vpc/query.rego b/assets/queries/terraform/aws/instance_with_no_vpc/query.rego index 31ce90dbe59..6f8963d1863 100644 --- a/assets/queries/terraform/aws/instance_with_no_vpc/query.rego +++ b/assets/queries/terraform/aws/instance_with_no_vpc/query.rego 
@@ -20,7 +20,6 @@ CxPolicy[result] { } } - CxPolicy[result] { module := input.document[i].module[name] keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_instance", "vpc_security_group_ids") diff --git a/assets/queries/terraform/aws/kms_key_with_full_permissions/query.rego b/assets/queries/terraform/aws/kms_key_with_full_permissions/query.rego index cb1bed1d8ad..926cbb4d448 100644 --- a/assets/queries/terraform/aws/kms_key_with_full_permissions/query.rego +++ b/assets/queries/terraform/aws/kms_key_with_full_permissions/query.rego @@ -42,4 +42,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_kms_key", name], []), } } - diff --git a/assets/queries/terraform/aws/kms_key_with_no_deletion_window/query.rego b/assets/queries/terraform/aws/kms_key_with_no_deletion_window/query.rego index b0dba3bf7d5..91466d91e83 100644 --- a/assets/queries/terraform/aws/kms_key_with_no_deletion_window/query.rego +++ b/assets/queries/terraform/aws/kms_key_with_no_deletion_window/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.aws_kms_key[name] 
@@ -40,13 +40,13 @@ CxPolicy[result] { "resourceType": "aws_kms_key", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("aws_kms_key[%s].deletion_window_in_days", [name]), - "searchLine": common_lib.build_search_line(["resource", "aws_kms_key", name ,"deletion_window_in_days"], []), + "searchLine": common_lib.build_search_line(["resource", "aws_kms_key", name, "deletion_window_in_days"], []), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("aws_kms_key[%s].deletion_window_in_days should be set and valid", [name]), "keyActualValue": sprintf("aws_kms_key[%s].deletion_window_in_days is set but invalid", [name]), "remediation": json.marshal({ "before": sprintf("%d", [resource.deletion_window_in_days]), - "after": "30" + "after": "30", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/lambda_function_with_privileged_role/query.rego b/assets/queries/terraform/aws/lambda_function_with_privileged_role/query.rego index 9ca09716194..cf79470cb19 100644 --- a/assets/queries/terraform/aws/lambda_function_with_privileged_role/query.rego +++ b/assets/queries/terraform/aws/lambda_function_with_privileged_role/query.rego @@ -19,18 +19,16 @@ CxPolicy[result] { document[r].resource.aws_iam_role[role_id] split(lambda.role, ".")[1] == role_id - # Checking for role's reference in inline policy inline_policy := document[p].resource.aws_iam_role_policy[inline_policy_id] split(inline_policy.role, ".")[1] == role_id - policy := common_lib.json_unmarshal(inline_policy.policy) + policy := common_lib.json_unmarshal(inline_policy.policy) statements := tf_lib.getStatement(policy) - statement := statements[_] + statement := statements[_] matching_actions := hasPrivilegedPermissions(statement) count(matching_actions) > 0 - result := { "documentId": document[l].id, "resourceType": "aws_lambda_function", 
@@ -42,35 +40,32 @@ CxPolicy[result] { } } - CxPolicy[result] { document = input.document + # For Customer Managed Policy Attachment (i.e defined within the current terraform template) lambda = document[l].resource.aws_lambda_function[function_id] + # Checking for role whose id matches in the role of lambda arn reference role = document[r].resource.aws_iam_role[role_id] split(lambda.role, ".")[1] == role_id - attachments := ["aws_iam_policy_attachment", "aws_iam_role_policy_attachment"] - attachment := document[_].resource[attachments[_]][attachment_id] - is_attachment(attachment, role_id) + attachment := document[_].resource[attachments[_]][attachment_id] + is_attachment(attachment, role_id) - - not regex.match("arn:aws.*:iam::.*", attachment.policy_arn) + not regex.match(`arn:aws.*:iam::.*`, attachment.policy_arn) attached_customer_managed_policy_id := split(attachment.policy_arn, ".")[1] customer_managed_policy = document[p].resource.aws_iam_policy[attached_customer_managed_policy_id] - policy := common_lib.json_unmarshal(customer_managed_policy.policy) statements := tf_lib.getStatement(policy) - statement := statements[_] + statement := statements[_] matching_actions := hasPrivilegedPermissions(statement) count(matching_actions) > 0 - result := { "documentId": document[l].id, "resourceType": "aws_lambda_function", 
@@ -78,24 +73,24 @@ CxPolicy[result] { "searchKey": sprintf("aws_lambda_function[%s].role", [function_id]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("aws_lambda_function[%s].role shouldn't have privileged permissions through attached managed policy", [function_id]), - "keyActualValue": sprintf("aws_lambda_function[%s].role has been provided privileged permissions through attached managed policy '%v'. Provided privileged permissions: '%v'. List of privileged permissions '%v'", [function_id, attached_customer_managed_policy_id, concat("' , '",matching_actions), privilegeEscalationActions]), + "keyActualValue": sprintf("aws_lambda_function[%s].role has been provided privileged permissions through attached managed policy '%v'. Provided privileged permissions: '%v'. List of privileged permissions '%v'", [function_id, attached_customer_managed_policy_id, concat("' , '", matching_actions), privilegeEscalationActions]), } } - CxPolicy[result] { document = input.document + # For Pre-existing Managed Policy Attachment (i.e not defined within the current terraform template and hard coded as just policy arn) lambda = document[l].resource.aws_lambda_function[function_id] + # Checking for role whose id matches in the role of lambda arn reference role = document[r].resource.aws_iam_role[role_id] split(lambda.role, ".")[1] == role_id - attachments := ["aws_iam_policy_attachment", "aws_iam_role_policy_attachment"] - attachment := document[_].resource[attachments[_]][attachment_id] - is_attachment(attachment, role_id) + attachment := document[_].resource[attachments[_]][attachment_id] + is_attachment(attachment, role_id) # Looking up of privileged policy_arns regex.match(sprintf("arn:aws.*:iam::policy/%s", [data.common_lib.aws_privilege_escalation_policy_names[_]]), attachment.policy_arn) 
@@ -111,18 +106,15 @@ CxPolicy[result] { } } - is_attachment(attachment, role_id) { - split(attachment.roles[_], ".")[1] == role_id + split(attachment.roles[_], ".")[1] == role_id } else { - split(attachment.role, ".")[1] == role_id + split(attachment.role, ".")[1] == role_id } - hasPrivilegedPermissions(statement) = matching_actions { statement.Effect == "Allow" matching_actions := [matching_actions | action := privilegeEscalationActions[x]; common_lib.check_actions(statement, action); matching_actions := action] } else = matching_actions { matching_actions := [] } - diff --git a/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/query.rego b/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/query.rego index 784dbed93a4..ccda21d223b 100644 --- a/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/query.rego +++ b/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/query.rego 
@@ -6,20 +6,20 @@ import data.generic.terraform as tf_lib CxPolicy[result] { resource = input.document[i].resource.aws_lambda_function[name] - resource.tracing_config.mode == "PassThrough" + resource.tracing_config.mode == "PassThrough" result := { "documentId": input.document[i].id, "resourceType": "aws_lambda_function", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("aws_lambda_function[%s].tracing_config.mode", [name]), - "searchLine": common_lib.build_search_line(["resource", "aws_lambda_function", name ,"tracing_config", "mode"], []), + "searchLine": common_lib.build_search_line(["resource", "aws_lambda_function", name, "tracing_config", "mode"], []), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("aws_lambda_function[%s].tracing_config.mode should be set to 'Active'", [name]), - "keyActualValue":sprintf("aws_lambda_function[%s].tracing_config.mode is set to 'PassThrough'", [name]), + "keyActualValue": sprintf("aws_lambda_function[%s].tracing_config.mode is set to 'PassThrough'", [name]), "remediation": json.marshal({ "before": "PassThrough", - "after": "Active" + "after": "Active", }), "remediationType": "replacement", } @@ -35,7 +35,7 @@ CxPolicy[result] { "resourceType": "aws_lambda_function", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("aws_lambda_function[%s]", [name]), - "searchLine": common_lib.build_search_line(["resource", "aws_lambda_function", name ], []), + "searchLine": common_lib.build_search_line(["resource", "aws_lambda_function", name], []), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("aws_lambda_function[%s].tracing_config should be defined and not null", [name]), "keyActualValue": sprintf("aws_lambda_function[%s].tracing_config is undefined or null", [name]), 
diff --git a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/query.rego b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/query.rego
index 22001ef6636..452af660a76 100644
--- a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/query.rego
+++ b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/query.rego
@@ -3,51 +3,50 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib -#CxPolicy for resource iam policy +# CxPolicy for resource iam policy CxPolicy[result] { resourceType := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} resource := input.document[i].resource[resourceType[idx]][name] policy := common_lib.json_unmarshal(resource.policy) st := common_lib.get_statement(policy) statement := st[_] - check_iam_action(statement) == true not check_iam_resource(statement) - result := { + result := { "documentId": input.document[i].id, "resourceType": resourceType[idx], "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("%s[%s].policy", [resourceType[idx], name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("[%s].policy should be misconfigured", [name]), - "keyActualValue": sprintf("[%s].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name", [name]) + "keyActualValue": sprintf("[%s].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name", [name]), } } check_iam_resource(statement) { is_string(statement.Resource) - regex.match("(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+:[*]$)", statement.Resource) - regex.match("(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+$)", statement.Resource) + regex.match(`(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+:[*]$)`, statement.Resource) + regex.match(`(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+$)`, statement.Resource) } else { is_array(statement.Resource) - regex.match("(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+:[*]$)", statement.Resource[_]) - regex.match("(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+$)", statement.Resource[_]) + regex.match(`(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+:[*]$)`, statement.Resource[_]) + 
regex.match(`(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+$)`, statement.Resource[_]) } else { - is_array(statement.resources) - regex.match("(^aws_lambda_function\\.[^.]\\.arn:[*]$)", statement.resources[_]) - regex.match("(^aws_lambda_function\\.[^.]\\.arn$)", statement.resources[_]) + is_array(statement.resources) + regex.match(`(^aws_lambda_function\.[^.]\.arn:[*]$)`, statement.resources[_]) + regex.match(`(^aws_lambda_function\.[^.]\.arn$)`, statement.resources[_]) } check_iam_action(statement) { - any([regex.match("(^lambda:InvokeFunction$|^lambda:[*]$)", statement.actions[_]), statement.actions[_] == "*"]) + any([regex.match(`(^lambda:InvokeFunction$|^lambda:[*]$)`, statement.actions[_]), statement.actions[_] == "*"]) } else { - any([regex.match("(^lambda:InvokeFunction$|^lambda:[*]$)", statement.Actions[_]), statement.Actions[_] == "*"]) + any([regex.match(`(^lambda:InvokeFunction$|^lambda:[*]$)`, statement.Actions[_]), statement.Actions[_] == "*"]) } else { is_array(statement.Action) - any([regex.match("(^lambda:InvokeFunction$|^lambda:[*]$)", statement.Action[_]), statement.Action[_] == "*"]) + any([regex.match(`(^lambda:InvokeFunction$|^lambda:[*]$)`, statement.Action[_]), statement.Action[_] == "*"]) } else { is_string(statement.Action) - any([regex.match("(^lambda:InvokeFunction$|^lambda:[*]$)", statement.Action), statement.Action == "*"]) + any([regex.match(`(^lambda:InvokeFunction$|^lambda:[*]$)`, statement.Action), statement.Action == "*"]) } diff --git a/assets/queries/terraform/aws/lambda_permission_misconfigured/query.rego b/assets/queries/terraform/aws/lambda_permission_misconfigured/query.rego index 1aeaf8cf6d7..cf185ee7da1 100644 --- a/assets/queries/terraform/aws/lambda_permission_misconfigured/query.rego +++ b/assets/queries/terraform/aws/lambda_permission_misconfigured/query.rego 
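Review bot: The third branch of `check_iam_resource` still cannot match a real Terraform reference, because `[^.]` in the two `statement.resources` patterns matches exactly one character, so a value like `aws_lambda_function.my_func.arn` never satisfies it and any policy written with `resources` is flagged regardless of whether the `:*` form is present; the raw-string conversion carried the missing quantifier over unchanged. Change both lines to `regex.match(\`(^aws_lambda_function\.[^.]+\.arn:[*]$)\`, statement.resources[_])` and `regex.match(\`(^aws_lambda_function\.[^.]+\.arn$)\`, statement.resources[_])`. Separately, `keyExpectedValue` reads "should be misconfigured", which states the opposite of the intent; something like `"[%s].policy should grant lambda:InvokeFunction on both the unqualified function ARN and its ':*' qualified form"` would describe the expected state. The `is_string` branch also requires a single string to match both the `:*` pattern and the unqualified pattern at once, which no value can, so that branch is effectively unreachable — presumably intentional (a lone string can never cover both), but a one-line comment saying so would save the next reader the puzzle.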
@@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { document := input.document[i] @@ -20,7 +20,7 @@ CxPolicy[result] { "keyActualValue": sprintf("aws_lambda_permission[name].action is %s", [name, resource.action]), "remediation": json.marshal({ "before": sprintf("%s", [resource.action]), - "after": "lambda:InvokeFunction" + "after": "lambda:InvokeFunction", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/launch_configuration_is_not_encrypted/query.rego b/assets/queries/terraform/aws/launch_configuration_is_not_encrypted/query.rego index 24158697a34..f4d8b388360 100644 --- a/assets/queries/terraform/aws/launch_configuration_is_not_encrypted/query.rego +++ b/assets/queries/terraform/aws/launch_configuration_is_not_encrypted/query.rego @@ -44,7 +44,7 @@ CxPolicy[result] { module := input.document[i].module[name] [path, value] := walk(module) - value[block][idx].encrypted == false + value[block][idx].encrypted == false common_lib.get_module_equivalent_key("aws", module.source, "aws_launch_configuration", block) @@ -86,7 +86,6 @@ CxPolicy[result] { } } - valid_block(block) { not contains(block, "ephemeral") contains(block, "block_device") diff --git a/assets/queries/terraform/aws/misconfigured_password_policy_expiration/query.rego b/assets/queries/terraform/aws/misconfigured_password_policy_expiration/query.rego index 7053e4545e6..9079ba46cf9 100644 --- a/assets/queries/terraform/aws/misconfigured_password_policy_expiration/query.rego +++ b/assets/queries/terraform/aws/misconfigured_password_policy_expiration/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { expr := input.document[i].resource.aws_iam_account_password_policy[name] 
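Review bot: The `keyActualValue` line in the `@@ -20,7 +20,7 @@` hunk of lambda_permission_misconfigured has a format-string/argument mismatch that the commit leaves in place: `sprintf("aws_lambda_permission[name].action is %s", [name, resource.action])` has one `%s` but two arguments, so the finding prints the literal text `[name]` instead of the resource name and the `name` argument is silently dropped. Change it to `"keyActualValue": sprintf("aws_lambda_permission[%s].action is %s", [name, resource.action]),`. Note that the Regal config added in this PR sets `sprintf-arguments-mismatch` to `ignore`, so the new CI lint will not surface this; raising that rule to at least `warn` would catch it. The enclosing `CxPolicy` rule starts outside the hunk.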
@@ -36,7 +36,7 @@ CxPolicy[result] { "keyActualValue": "'max_password_age' is higher than 90", "remediation": json.marshal({ "before": sprintf("%d", [expr.max_password_age]), - "after": "90" + "after": "90", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/query.rego b/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/query.rego index 43f8f6822a1..75f78055c49 100644 --- a/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/query.rego +++ b/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { broker := input.document[i].resource.aws_mq_broker[name] @@ -18,7 +18,7 @@ CxPolicy[result] { "keyActualValue": "'publicly_accessible' is set to true", "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/mq_broker_logging_disabled/query.rego b/assets/queries/terraform/aws/mq_broker_logging_disabled/query.rego index 69d0802df91..bbdac6cd4b4 100644 --- a/assets/queries/terraform/aws/mq_broker_logging_disabled/query.rego +++ b/assets/queries/terraform/aws/mq_broker_logging_disabled/query.rego @@ -1,6 +1,7 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { broker := input.document[i].resource.aws_mq_broker[name] @@ -31,7 +32,7 @@ CxPolicy[result] { some j type := categories[j] - not has_key(logs, type) + not type in object.keys(logs) result := { "documentId": input.document[i].id, @@ -59,7 +60,3 @@ CxPolicy[result] { "keyActualValue": "'logs' is undefined", } } - -has_key(obj, key) { - _ = obj[key] -} 
diff --git a/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/query.rego b/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/query.rego index 538289bfa28..0d09b92b6cf 100644 --- a/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/query.rego +++ b/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { msk_cluster := input.document[i].resource.aws_msk_cluster[name] diff --git a/assets/queries/terraform/aws/msk_cluster_encryption_disabled/query.rego b/assets/queries/terraform/aws/msk_cluster_encryption_disabled/query.rego index c9888c9b8f8..243c992d2fe 100644 --- a/assets/queries/terraform/aws/msk_cluster_encryption_disabled/query.rego +++ b/assets/queries/terraform/aws/msk_cluster_encryption_disabled/query.rego @@ -30,9 +30,7 @@ checkEncryption(msk_cluster) = ".encryption_in_transit.in_cluster,encryption_in_ encryptionInTransit.in_cluster == false } else = "" { not msk_cluster.encryption_info -} else = "none" { - true -} +} else = "none" getSearchKey(problems, name) = str { problemsSplited := split(problems, ",") @@ -46,6 +44,4 @@ getSearchKey(problems, name) = str { getIssueType(problems) = "MissingAttribute" { problems == "" -} else = "IncorrectValue" { - true -} +} else = "IncorrectValue" diff --git a/assets/queries/terraform/aws/msk_cluster_logging_disabled/query.rego b/assets/queries/terraform/aws/msk_cluster_logging_disabled/query.rego index 303bfe32f86..613355c88fa 100644 --- a/assets/queries/terraform/aws/msk_cluster_logging_disabled/query.rego +++ b/assets/queries/terraform/aws/msk_cluster_logging_disabled/query.rego 
@@ -54,18 +54,12 @@ CxPolicy[result] { getSearchKey(msk_cluster, instanceType) = "aws_msk_cluster[%s].logging_info.broker_logs.%s.enabled" { _ = msk_cluster.logging_info.broker_logs[instanceType].enabled -} else = "aws_msk_cluster[%s].logging_info.broker_logs.%s" { - true -} +} else = "aws_msk_cluster[%s].logging_info.broker_logs.%s" getIssueType(msk_cluster, instanceType) = "IncorrectValue" { _ = msk_cluster.logging_info.broker_logs[instanceType].enabled -} else = "MissingAttribute" { - true -} +} else = "MissingAttribute" getActualValue(msk_cluster, instanceType) = "false" { _ = msk_cluster.logging_info.broker_logs[instanceType].enabled -} else = "missing" { - true -} +} else = "missing" diff --git a/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/query.rego b/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/query.rego index 8b6fc34f8e1..39589216977 100644 --- a/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/query.rego +++ b/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { neptuneClusterInstance := input.document[i].resource.aws_neptune_cluster_instance[name] @@ -19,7 +19,7 @@ CxPolicy[result] { "keyActualValue": sprintf("aws_neptune_cluster_instance[%s].publicly_accessible is set to true", [name]), "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/query.rego b/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/query.rego index 12b56cbc96a..56ba3792f4d 100644 --- a/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/query.rego 
+++ b/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/query.rego @@ -36,7 +36,7 @@ CxPolicy[result] { "keyActualValue": "'iam_database_authentication_enabled' is set to false", "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/query.rego b/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/query.rego index 2ecc940f460..3f706cd6f68 100644 --- a/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/query.rego +++ b/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/query.rego @@ -36,7 +36,7 @@ CxPolicy[result] { "keyActualValue": "'storage_encrypted' is false", "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/neptune_logging_disabled/query.rego b/assets/queries/terraform/aws/neptune_logging_disabled/query.rego index f8e3c6bc655..831d16c616f 100644 --- a/assets/queries/terraform/aws/neptune_logging_disabled/query.rego +++ b/assets/queries/terraform/aws/neptune_logging_disabled/query.rego @@ -1,6 +1,7 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in validTypes := {"audit"} @@ -8,8 +9,7 @@ validTypeConcat := concat(", ", validTypes) CxPolicy[result] { resource := input.document[i].resource.aws_neptune_cluster[name] - not exist(resource, "enable_cloudwatch_logs_exports") - + not "enable_cloudwatch_logs_exports" in object.keys(resource) result := { "documentId": input.document[i].id, @@ -56,7 +56,3 @@ CxPolicy[result] { "keyActualValue": sprintf("aws_neptune_cluster.enable_cloudwatch_logs_exports has the following missing values: %s", [concat(", ", missingTypes)]), } } - -exist(obj, key) { - _ = obj[key] -} 
diff --git a/assets/queries/terraform/aws/no_password_policy_enabled/query.rego b/assets/queries/terraform/aws/no_password_policy_enabled/query.rego index 6a7ee2a2f18..d0f0aa50864 100644 --- a/assets/queries/terraform/aws/no_password_policy_enabled/query.rego +++ b/assets/queries/terraform/aws/no_password_policy_enabled/query.rego @@ -17,7 +17,7 @@ CxPolicy[result] { "keyActualValue": "Attribute 'password_reset_required' is false", "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } @@ -38,7 +38,7 @@ CxPolicy[result] { "keyActualValue": "Attribute 'password_length' is smaller than 14", "remediation": json.marshal({ "before": sprintf("%d", [resource.password_length]), - "after": "15" + "after": "15", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/password_without_reuse_prevention/query.rego b/assets/queries/terraform/aws/password_without_reuse_prevention/query.rego index 61c7f1b5c47..3bc8ade17b2 100644 --- a/assets/queries/terraform/aws/password_without_reuse_prevention/query.rego +++ b/assets/queries/terraform/aws/password_without_reuse_prevention/query.rego @@ -37,7 +37,7 @@ CxPolicy[result] { "keyActualValue": "'password_reuse_prevention' is lower than 24", "remediation": json.marshal({ "before": sprintf("%d", [rp]), - "after": "24" + "after": "24", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/policy_without_principal/query.rego b/assets/queries/terraform/aws/policy_without_principal/query.rego index 07b58da3cf7..1de94a8c9e9 100644 --- a/assets/queries/terraform/aws/policy_without_principal/query.rego +++ b/assets/queries/terraform/aws/policy_without_principal/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { doc := input.document[i].resource 
@@ -28,7 +29,7 @@ CxPolicy[result] { is_iam_identity_based_policy(resource) { iam_identity_based_policy := {"aws_iam_group_policy", "aws_iam_policy", "aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_role"} - resource == iam_identity_based_policy[_] + resource in iam_identity_based_policy } has_principal(statement) { diff --git a/assets/queries/terraform/aws/rds_associated_with_public_subnet/query.rego b/assets/queries/terraform/aws/rds_associated_with_public_subnet/query.rego index 3ed2e44d3de..74dc8a81fd8 100644 --- a/assets/queries/terraform/aws/rds_associated_with_public_subnet/query.rego +++ b/assets/queries/terraform/aws/rds_associated_with_public_subnet/query.rego @@ -30,7 +30,7 @@ CxPolicy[result] { } } -options := { "${aws_db_subnet_group", "${aws_subnet" } +options := {"${aws_db_subnet_group", "${aws_subnet"} get_name(nameValue) = name { contains(nameValue, options[_]) diff --git a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/query.rego b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/query.rego index 8c3772c5730..d6dab914417 100644 --- a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/query.rego +++ b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/query.rego @@ -18,13 +18,12 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_db_instance", name, "publicly_accessibled"], []), "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } } - CxPolicy[result] { module := input.document[i].module[name] keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_db_instance", "publicly_accessible") @@ -41,7 +40,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["module", name, "publicly_accessible"], []), "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } 
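Review bot: In the rds_db_instance_publicly_accessible hunk `@@ -18,13 +18,12 @@`, the `searchLine` path uses the key `"publicly_accessibled"` (trailing `d`), while the module variant further down builds its key from `"publicly_accessible"` via `get_module_equivalent_key` and `build_search_line`; the typo means the reported line lookup targets an attribute that does not exist on `aws_db_instance`. Change it to `"searchLine": common_lib.build_search_line(["resource", "aws_db_instance", name, "publicly_accessible"], []),`. The condition that produces this result sits above the hunk, so I cannot confirm from here how `build_search_line` behaves on a missing key, but the two blocks should at least agree on the attribute name.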
diff --git a/assets/queries/terraform/aws/rds_storage_not_encrypted/query.rego b/assets/queries/terraform/aws/rds_storage_not_encrypted/query.rego index e037a8539c3..3c09f593906 100644 --- a/assets/queries/terraform/aws/rds_storage_not_encrypted/query.rego +++ b/assets/queries/terraform/aws/rds_storage_not_encrypted/query.rego @@ -39,7 +39,7 @@ CxPolicy[result] { "keyActualValue": "aws_rds_cluster.storage_encrypted is set to false", "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/rds_with_backup_disabled/query.rego b/assets/queries/terraform/aws/rds_with_backup_disabled/query.rego index 26be478f117..b6a3d0d82f1 100644 --- a/assets/queries/terraform/aws/rds_with_backup_disabled/query.rego +++ b/assets/queries/terraform/aws/rds_with_backup_disabled/query.rego 
@@ -4,21 +4,21 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - db := input.document[i].resource.aws_db_instance[name] - not common_lib.valid_key(db, "backup_retention_period") + db := input.document[i].resource.aws_db_instance[name] + not common_lib.valid_key(db, "backup_retention_period") - result := { - "documentId": input.document[i].id, - "resourceType": "aws_db_instance", - "resourceName": tf_lib.get_resource_name(db, name), - "searchKey": sprintf("aws_db_instance[%s]", [name]), - "issueType": "MissingAttribute", - "keyExpectedValue": "'backup_retention_period' should be defined, and bigger than '0'", - "keyActualValue": "'backup_retention_period' is not defined", - "searchLine": common_lib.build_search_line(["resource", "aws_db_instance", name], []), - "remediation": "backup_retention_period = 12", - "remediationType": "addition", - } + result := { + "documentId": input.document[i].id, + "resourceType": "aws_db_instance", + "resourceName": tf_lib.get_resource_name(db, name), + "searchKey": sprintf("aws_db_instance[%s]", [name]), + "issueType": "MissingAttribute", + "keyExpectedValue": "'backup_retention_period' should be defined, and bigger than '0'", + "keyActualValue": "'backup_retention_period' is not defined", + "searchLine": common_lib.build_search_line(["resource", "aws_db_instance", name], []), + "remediation": "backup_retention_period = 12", + "remediationType": "addition", + } } CxPolicy[result] { @@ -36,7 +36,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_db_instance", name, "backup_retention_period"], []), "remediation": json.marshal({ "before": "0", - "after": "12" + "after": "12", }), "remediationType": "replacement", } 
@@ -59,7 +59,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["module", name, "backup_retention_period"], []), "remediation": json.marshal({ "before": "0", - "after": "12" + "after": "12", }), "remediationType": "replacement", } @@ -80,8 +80,6 @@ CxPolicy[result] { "keyActualValue": "'backup_retention_period' is not defined", "searchLine": common_lib.build_search_line(["module", name], []), "remediation": "backup_retention_period = 12", - "remediationType": "addition", + "remediationType": "addition", } } - - diff --git a/assets/queries/terraform/aws/redis_disabled/query.rego b/assets/queries/terraform/aws/redis_disabled/query.rego index 2e2d81b0a58..c7743b16cfc 100644 --- a/assets/queries/terraform/aws/redis_disabled/query.rego +++ b/assets/queries/terraform/aws/redis_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.aws_elasticache_cluster[name] @@ -18,7 +18,7 @@ CxPolicy[result] { "keyActualValue": sprintf("resource.aws_elasticache_cluster[%s].engine doesn't enable Redis", [name]), "remediation": json.marshal({ "before": "memcached", - "after": "redis" + "after": "redis", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/redshift_cluster_logging_disabled/query.rego b/assets/queries/terraform/aws/redshift_cluster_logging_disabled/query.rego index 149196b9051..d2611049e8f 100644 --- a/assets/queries/terraform/aws/redshift_cluster_logging_disabled/query.rego +++ b/assets/queries/terraform/aws/redshift_cluster_logging_disabled/query.rego @@ -18,7 +18,7 @@ CxPolicy[result] { "keyActualValue": "'aws_redshift_cluster.logging' is false", "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } 
diff --git a/assets/queries/terraform/aws/redshift_not_encrypted/query.rego b/assets/queries/terraform/aws/redshift_not_encrypted/query.rego index 6ab5032b38e..3b6e50bb50a 100644 --- a/assets/queries/terraform/aws/redshift_not_encrypted/query.rego +++ b/assets/queries/terraform/aws/redshift_not_encrypted/query.rego @@ -36,7 +36,7 @@ CxPolicy[result] { "keyActualValue": "aws_redshift_cluster.encrypted is true", "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/redshift_publicly_accessible/query.rego b/assets/queries/terraform/aws/redshift_publicly_accessible/query.rego index e5c55962e85..3a169860bc5 100644 --- a/assets/queries/terraform/aws/redshift_publicly_accessible/query.rego +++ b/assets/queries/terraform/aws/redshift_publicly_accessible/query.rego @@ -34,7 +34,7 @@ CxPolicy[result] { "keyActualValue": "aws_redshift_cluster.publicly_accessible is true", "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/resource_not_using_tags/query.rego b/assets/queries/terraform/aws/resource_not_using_tags/query.rego index 7d496c6bd2d..93dedabd8ad 100644 --- a/assets/queries/terraform/aws/resource_not_using_tags/query.rego +++ b/assets/queries/terraform/aws/resource_not_using_tags/query.rego @@ -45,9 +45,7 @@ check_different_tag(tags) { } check_default_tags { - common_lib.valid_key(input.document[_].provider["aws"].default_tags, "tags") + common_lib.valid_key(input.document[_].provider.aws.default_tags, "tags") } else { - common_lib.valid_key(input.document[_].provider["aws"][_].default_tags, "tags") -} else = false { - true -} + common_lib.valid_key(input.document[_].provider.aws[_].default_tags, "tags") +} else = false 
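Review bot: In the redshift_not_encrypted hunk, `keyActualValue` reports `"aws_redshift_cluster.encrypted is true"` while the remediation on the following lines replaces `"false"` with `"true"`, so the message describes the compliant state rather than the violation being reported. The rule condition is above the hunk, but if it fires on `encrypted == false` as the remediation implies, the line should read `"keyActualValue": "aws_redshift_cluster.encrypted is false",`. Worth checking against the rule body and the `keyExpectedValue` line (also outside the hunk) before changing, so the two messages stay consistent.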
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego index eae8018f248..ec182fb2085 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego @@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM role role := input.document[i].resource.aws_iam_role[targetRole] - common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "glue:UpdateDevEndpoint") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "glue:UpdateDevEndpoint") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_role", - "resourceName": tf_lib.get_resource_name(role, targetRole), + "resourceName": tf_lib.get_resource_name(role, targetRole), "searchKey": sprintf("aws_iam_role[%s]", [targetRole]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetRole]), + "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetRole]), "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetRole]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), } } 
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego index 9763e3ed127..1ec5add7e17 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego @@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM role role := input.document[i].resource.aws_iam_role[targetRole] - common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AddUserToGroup") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AddUserToGroup") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_role", - "resourceName": tf_lib.get_resource_name(role, targetRole), + "resourceName": tf_lib.get_resource_name(role, targetRole), "searchKey": sprintf("aws_iam_role[%s]", [targetRole]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetRole]), + "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetRole]), "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetRole]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), } } 
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego index 528dbe01994..919fb8a0829 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego @@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM role role := input.document[i].resource.aws_iam_role[targetRole] - common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AttachGroupPolicy") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AttachGroupPolicy") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_role", - "resourceName": tf_lib.get_resource_name(role, targetRole), + "resourceName": tf_lib.get_resource_name(role, targetRole), "searchKey": sprintf("aws_iam_role[%s]", [targetRole]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetRole]), + "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetRole]), "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetRole]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), } } 
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego index 83a35a79fee..cff341c0b7d 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego @@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM role role := input.document[i].resource.aws_iam_role[targetRole] - common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AttachRolePolicy") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AttachRolePolicy") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_role", - "resourceName": tf_lib.get_resource_name(role, targetRole), + "resourceName": tf_lib.get_resource_name(role, targetRole), "searchKey": sprintf("aws_iam_role[%s]", [targetRole]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetRole]), + "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetRole]), "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetRole]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), } } 
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego index c87e001771f..c12e42714bb 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego @@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM role role := input.document[i].resource.aws_iam_role[targetRole] - common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AttachUserPolicy") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AttachUserPolicy") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_role", - "resourceName": tf_lib.get_resource_name(role, targetRole), + "resourceName": tf_lib.get_resource_name(role, targetRole), "searchKey": sprintf("aws_iam_role[%s]", [targetRole]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetRole]), + "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetRole]), "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetRole]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), } } 
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego
index 82ac3783416..beb741d30c4 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego
@@ -4,21 +4,19 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
- # get a AWS IAM role
 role := input.document[i].resource.aws_iam_role[targetRole]
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:CreateAccessKey")
-
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:CreateAccessKey")
 result := {
 "documentId": input.document[i].id,
 "resourceType": "aws_iam_role",
- "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetRole]),
+ "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetRole]),
 "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetRole]),
- "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego
index db7937fd160..5570a0f1d43 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego
@@ -4,21 +4,19 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
- # get a AWS IAM role
 role := input.document[i].resource.aws_iam_role[targetRole]
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:CreateLoginProfile")
-
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:CreateLoginProfile")
 result := {
 "documentId": input.document[i].id,
 "resourceType": "aws_iam_role",
- "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetRole]),
+ "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetRole]),
 "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetRole]),
- "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego
index 70f8b94e14e..d62fbcfb09a 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego
@@ -4,21 +4,19 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
- # get a AWS IAM role
 role := input.document[i].resource.aws_iam_role[targetRole]
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:CreatePolicyVersion")
-
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:CreatePolicyVersion")
 result := {
 "documentId": input.document[i].id,
 "resourceType": "aws_iam_role",
- "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetRole]),
+ "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetRole]),
 "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetRole]),
- "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego
index 8b12ef4493a..1899f2bb679 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego
@@ -4,22 +4,20 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
- # get a AWS IAM role
 role := input.document[i].resource.aws_iam_role[targetRole]
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "cloudformation:CreateStack")
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
-
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "cloudformation:CreateStack")
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
 result := {
 "documentId": input.document[i].id,
 "resourceType": "aws_iam_role",
- "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
+ "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
 "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
- "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego
index bac98e508a5..6b63265a9c6 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego
@@ -4,22 +4,20 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
- # get a AWS IAM role
 role := input.document[i].resource.aws_iam_role[targetRole]
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "ec2:RunInstances")
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
-
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "ec2:RunInstances")
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
 result := {
 "documentId": input.document[i].id,
 "resourceType": "aws_iam_role",
- "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
+ "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
 "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
- "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego
index 58d8f95be9b..21febae2f98 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego
@@ -4,22 +4,20 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
- # get a AWS IAM role
 role := input.document[i].resource.aws_iam_role[targetRole]
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "glue:CreateDevEndpoint")
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
-
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "glue:CreateDevEndpoint")
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
 result := {
 "documentId": input.document[i].id,
 "resourceType": "aws_iam_role",
- "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
+ "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
 "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
- "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/query.rego
index 53beb66adfa..ece76f2eed4 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/query.rego
@@ -4,23 +4,21 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
- # get a AWS IAM role
 role := input.document[i].resource.aws_iam_role[targetRole]
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "lambda:CreateFunction")
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "lambda:InvokeFunction")
-
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "lambda:CreateFunction")
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "lambda:InvokeFunction")
 result := {
 "documentId": input.document[i].id,
 "resourceType": "aws_iam_role",
- "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetRole]),
+ "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetRole]),
 "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetRole]),
- "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego
index 9b4f7fd9f40..06d52d73018 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego
@@ -4,21 +4,19 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
- # get a AWS IAM role
 role := input.document[i].resource.aws_iam_role[targetRole]
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PutGroupPolicy")
-
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PutGroupPolicy")
 result := {
 "documentId": input.document[i].id,
 "resourceType": "aws_iam_role",
- "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetRole]),
+ "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetRole]),
 "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetRole]),
- "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego
index f2add4e62f5..d7f74377347 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego
@@ -4,21 +4,19 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
- # get a AWS IAM role
 role := input.document[i].resource.aws_iam_role[targetRole]
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PutRolePolicy")
-
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PutRolePolicy")
 result := {
 "documentId": input.document[i].id,
 "resourceType": "aws_iam_role",
- "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("role %s should not be associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetRole]),
+ "keyExpectedValue": sprintf("role %s should not be associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetRole]),
 "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetRole]),
- "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego
index 16f44d13072..9de7ae99b95 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego
@@ -4,21 +4,19 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
- # get a AWS IAM role
 role := input.document[i].resource.aws_iam_role[targetRole]
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PutUserPolicy")
-
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PutUserPolicy")
 result := {
 "documentId": input.document[i].id,
 "resourceType": "aws_iam_role",
- "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("role %s should not be associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetRole]),
+ "keyExpectedValue": sprintf("role %s should not be associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetRole]),
 "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetRole]),
- "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego
index 21e500dff94..3c9abbf4eee 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego
@@ -4,21 +4,19 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
- # get a AWS IAM role
 role := input.document[i].resource.aws_iam_role[targetRole]
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:SetDefaultPolicyVersion")
-
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:SetDefaultPolicyVersion")
 result := {
 "documentId": input.document[i].id,
 "resourceType": "aws_iam_role",
- "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetRole]),
+ "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetRole]),
 "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetRole]),
- "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego
index 7f4174535f5..b3dece871e3 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego
@@ -4,22 +4,20 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
- # get a AWS IAM role
 role := input.document[i].resource.aws_iam_role[targetRole]
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:UpdateAssumeRolePolicy")
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "sts:AssumeRole")
-
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:UpdateAssumeRolePolicy")
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "sts:AssumeRole")
 result := {
 "documentId": input.document[i].id,
 "resourceType": "aws_iam_role",
- "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetRole]),
+ "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetRole]),
 "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetRole]),
- "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego
index d31d70139d1..478eb852baa 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego
@@ -4,21 +4,19 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
- # get a AWS IAM role
 role := input.document[i].resource.aws_iam_role[targetRole]
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:UpdateLoginProfile")
-
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:UpdateLoginProfile")
 result := {
 "documentId": input.document[i].id,
 "resourceType": "aws_iam_role",
- "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetRole]),
+ "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetRole]),
 "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetRole]),
- "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego
index 48038877ea9..03ec186fc51 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego
@@ -4,21 +4,19 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
- # get a AWS IAM role
 role := input.document[i].resource.aws_iam_role[targetRole]
- common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "lambda:UpdateFunctionCode")
-
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "lambda:UpdateFunctionCode")
 result := {
 "documentId": input.document[i].id,
 "resourceType": "aws_iam_role",
- "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetRole]),
+ "keyExpectedValue": sprintf("role %s shouldn't be associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetRole]),
 "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetRole]),
- "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/query.rego b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/query.rego
index 0bf4e518d3e..aea9c46d5f7 100644
--- a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/query.rego
+++ b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/query.rego
@@ -5,7 +5,6 @@ import data.generic.terraform as tf_lib
 # version before TF AWS 4.0
 CxPolicy[result] {
-
 resource := input.document[i].resource.aws_s3_bucket[name]
 publicAccessACL(resource.acl)
@@ -41,7 +40,6 @@ CxPolicy[result] {
 # version after TF AWS 4.0
 CxPolicy[result] {
-
 input.document[_].resource.aws_s3_bucket[bucketName]
 acl := input.document[i].resource.aws_s3_bucket_acl[name]
 split(acl.bucket, ".")[1] == bucketName
@@ -59,7 +57,6 @@ CxPolicy[result] {
 }
 }
-
 publicAccessACL("public-read") = true
 publicAccessACL("public-read-write") = true
diff --git a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/query.rego b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/query.rego
index 041d8ca306e..b97f130a2ae 100644
--- a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/query.rego
+++ b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/query.rego
@@ -5,7 +5,6 @@ import data.generic.terraform as tf_lib
 # version before TF AWS 4.0
 CxPolicy[result] {
-
 resource := input.document[i].resource.aws_s3_bucket[name]
 resource.acl == "authenticated-read"
@@ -41,7 +40,6 @@ CxPolicy[result] {
 # version after TF AWS 4.0
 CxPolicy[result] {
-
 input.document[_].resource.aws_s3_bucket[bucketName]
 acl := input.document[i].resource.aws_s3_bucket_acl[name]
 split(acl.bucket, ".")[1] == bucketName
diff --git a/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/query.rego b/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/query.rego
index 58a1a5fb175..7e5eb583536 100644
--- a/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/query.rego
+++ b/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/query.rego
@@ -4,7 +4,7 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
- resource := input.document[i].resource["aws_s3_bucket_acl"][name]
+ resource := input.document[i].resource.aws_s3_bucket_acl[name]
 acl_policy := resource.access_control_policy
 is_array(acl_policy.grant)
 grant := acl_policy.grant[grant_index]
@@ -14,16 +14,16 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": "aws_s3_bucket_acl",
 "resourceName": tf_lib.get_specific_resource_name(resource, "aws_s3_bucket_acl", name),
- "searchKey": sprintf("aws_s3_bucket_acl[%s].access_control_policy.grant[%d].permission", [name, grant_index ]),
+ "searchKey": sprintf("aws_s3_bucket_acl[%s].access_control_policy.grant[%d].permission", [name, grant_index]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Should not be granted Write_ACP permission to the aws_s3_bucket_acl",
 "keyActualValue": "Write_ACP permission is granted to the aws_s3_bucket_acl",
- "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket_acl", name, "access_control_policy","grant",grant_index,"permission" ], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket_acl", name, "access_control_policy", "grant", grant_index, "permission"], []),
 }
 }
 CxPolicy[result] {
- resource := input.document[i].resource["aws_s3_bucket_acl"][name]
+ resource := input.document[i].resource.aws_s3_bucket_acl[name]
 acl_policy := resource.access_control_policy
 not is_array(acl_policy.grant)
 grant := acl_policy.grant
@@ -33,10 +33,10 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": "aws_s3_bucket_acl",
 "resourceName": tf_lib.get_specific_resource_name(resource, "aws_s3_bucket_acl", name),
- "searchKey": sprintf("aws_s3_bucket_acl[%s].access_control_policy.grant.permission", [name ]),
+ "searchKey": sprintf("aws_s3_bucket_acl[%s].access_control_policy.grant.permission", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Should not be granted Write_ACP permission to the aws_s3_bucket_acl",
 "keyActualValue": "Write_ACP permission is granted to the aws_s3_bucket_acl",
- "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket_acl", name, "access_control_policy","grant","permission" ], []),
+ "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket_acl", name, "access_control_policy", "grant", "permission"], []),
 }
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_public_acl/query.rego b/assets/queries/terraform/aws/s3_bucket_allows_public_acl/query.rego
index ef6a7fb10f0..d0f08c9d8bc 100644
--- a/assets/queries/terraform/aws/s3_bucket_allows_public_acl/query.rego
+++ b/assets/queries/terraform/aws/s3_bucket_allows_public_acl/query.rego
@@ -3,7 +3,7 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
-#default of block_public_acls is false
+# default of block_public_acls is false
 CxPolicy[result] {
 pubACL := input.document[i].resource.aws_s3_bucket_public_access_block[name]
 not common_lib.valid_key(pubACL, "block_public_acls")
@@ -37,7 +37,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket_public_access_block", name, "block_public_acls"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
@@ -78,7 +78,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["module", name, keyToCheck], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/aws/s3_bucket_logging_disabled/query.rego b/assets/queries/terraform/aws/s3_bucket_logging_disabled/query.rego
index c3ebcf05c7d..3a336abaf9e 100644
--- a/assets/queries/terraform/aws/s3_bucket_logging_disabled/query.rego
+++ b/assets/queries/terraform/aws/s3_bucket_logging_disabled/query.rego
@@ -4,37 +4,36 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - s3 := input.document[i].resource.aws_s3_bucket[bucketName] + s3 := input.document[i].resource.aws_s3_bucket[bucketName] - not common_lib.valid_key(s3, "logging") # version before TF AWS 4.0 - not tf_lib.has_target_resource(bucketName, "aws_s3_bucket_logging") # version after TF AWS 4.0 + not common_lib.valid_key(s3, "logging") # version before TF AWS 4.0 + not tf_lib.has_target_resource(bucketName, "aws_s3_bucket_logging") # version after TF AWS 4.0 - result := { - "documentId": input.document[i].id, - "resourceType": "aws_s3_bucket", + result := { + "documentId": input.document[i].id, + "resourceType": "aws_s3_bucket", "resourceName": tf_lib.get_specific_resource_name(s3, "aws_s3_bucket", bucketName), - "searchKey": sprintf("aws_s3_bucket[%s]", [bucketName]), - "issueType": "MissingAttribute", - "keyExpectedValue": "'logging' should be defined and not null", - "keyActualValue": "'logging' is undefined or null", - "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket", bucketName], []), - } + "searchKey": sprintf("aws_s3_bucket[%s]", [bucketName]), + "issueType": "MissingAttribute", + "keyExpectedValue": "'logging' should be defined and not null", + "keyActualValue": "'logging' is undefined or null", + "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket", bucketName], []), + } } CxPolicy[result] { + module := input.document[i].module[name] + keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "logging") + not common_lib.valid_key(module, keyToCheck) - module := input.document[i].module[name] - keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "logging") - not common_lib.valid_key(module, keyToCheck) - - result := { - "documentId": input.document[i].id, - "resourceType": "n/a", + result := { + "documentId": input.document[i].id, + 
"resourceType": "n/a", "resourceName": "n/a", - "searchKey": sprintf("module[%s]", [name]), - "issueType": "MissingAttribute", - "keyExpectedValue": "'logging' should be defined and not null", - "keyActualValue": "'logging' is undefined or null", - "searchLine": common_lib.build_search_line(["module", name], []), - } + "searchKey": sprintf("module[%s]", [name]), + "issueType": "MissingAttribute", + "keyExpectedValue": "'logging' should be defined and not null", + "keyActualValue": "'logging' is undefined or null", + "searchLine": common_lib.build_search_line(["module", name], []), + } } diff --git a/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/query.rego b/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/query.rego index d5bb99ad84e..44540e9934e 100644 --- a/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/query.rego +++ b/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/query.rego @@ -49,6 +49,7 @@ CxPolicy[result] { any_s3_action(action) { any([action == "*", startswith(action, "s3:")]) } + check_action(st) { is_string(st.Action) any_s3_action(st.Action) 
@@ -61,23 +62,22 @@ check_action(st) { any_s3_action(st.Actions[a]) } -is_equal(secure, target) -{ - secure == target -}else { - secure[_]==target +is_equal(secure, target) { + secure == target +} else { + secure[_] == target } deny_http_requests(policyValue) { - st := common_lib.get_statement(policyValue) - statement := st[_] - check_action(statement) - statement.Effect == "Deny" - is_equal(statement.Condition.Bool["aws:SecureTransport"], "false") + st := common_lib.get_statement(policyValue) + statement := st[_] + check_action(statement) + statement.Effect == "Deny" + is_equal(statement.Condition.Bool["aws:SecureTransport"], "false") } else { - st := common_lib.get_statement(policyValue) - statement := st[_] - check_action(statement) - statement.Effect == "Allow" - is_equal(statement.Condition.Bool["aws:SecureTransport"], "true") + st := common_lib.get_statement(policyValue) + statement := st[_] + check_action(statement) + statement.Effect == "Allow" + is_equal(statement.Condition.Bool["aws:SecureTransport"], "true") } diff --git a/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/query.rego b/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/query.rego index 9ba51bce73a..e27272c221d 100644 --- a/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/query.rego +++ b/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/query.rego @@ -4,7 +4,6 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # version before TF AWS 4.0 resource := input.document[i].resource.aws_s3_bucket[name] publicAccessACL(resource.acl) 
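Review bot: The rewritten `is_equal` still only matches a condition value that is the string `"false"`/`"true"` (or a list containing it), so a policy whose `Condition.Bool["aws:SecureTransport"]` is written as a bare JSON boolean — a form the IAM policy grammar also allows, and one `jsonencode` in Terraform readily produces — never satisfies `deny_http_requests`, and the bucket is then reported as accepting HTTP although its policy denies it. A third branch that normalises the value would cover that case: `} else { sprintf("%v", [secure]) == target }`. Whether `common_lib.get_statement` already normalises condition values is not visible here, so confirm that before adding it. `deny_http_requests` is complete within the hunk; `check_action` begins before it.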
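Review bot: The removed `# version before TF AWS 4.0` comment was the only documentation of why this rule reads the inline `resource.acl` attribute rather than a separate ACL resource, and sibling queries in this diff keep the same marker above their pre-4.0 and post-4.0 rules. Unless it merely duplicated a comment above `CxPolicy[result] {` that lies outside the hunk, restore it as `# version before TF AWS 4.0` on the line above the rule head so the split between the two provider generations stays visible. The rule body continues past the hunk.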
@@ -36,8 +35,10 @@ CxPolicy[result] { options = {"block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets"} - count({x | keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket_public_access_block", options[x]); - module[keyToCheck] == true }) == 4 + count({x | + keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket_public_access_block", options[x]) + module[keyToCheck] == true + }) == 4 result := { "documentId": input.document[i].id, diff --git a/assets/queries/terraform/aws/s3_bucket_with_all_permissions/query.rego b/assets/queries/terraform/aws/s3_bucket_with_all_permissions/query.rego index ff5008c52e0..78dea7a84db 100644 --- a/assets/queries/terraform/aws/s3_bucket_with_all_permissions/query.rego +++ b/assets/queries/terraform/aws/s3_bucket_with_all_permissions/query.rego @@ -15,7 +15,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": res_type, "resourceName": tf_lib.get_specific_resource_name(resource, res_type, name), - "searchKey": sprintf("%s[%s].policy", [res_type,name]), + "searchKey": sprintf("%s[%s].policy", [res_type, name]), "issueType": "IncorrectValue", "keyExpectedValue": "'policy.Statement' should not allow all actions to all principal", "keyActualValue": "'policy.Statement' allows all actions to all principal", diff --git a/assets/queries/terraform/aws/s3_bucket_with_public_policy/query.rego b/assets/queries/terraform/aws/s3_bucket_with_public_policy/query.rego index d630f178e9e..53c5cafd872 100644 --- a/assets/queries/terraform/aws/s3_bucket_with_public_policy/query.rego +++ b/assets/queries/terraform/aws/s3_bucket_with_public_policy/query.rego 
@@ -3,7 +3,7 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib -#default of block_public_policy is false +# default of block_public_policy is false CxPolicy[result] { pubACL := input.document[i].resource.aws_s3_bucket_public_access_block[name] not common_lib.valid_key(pubACL, "block_public_policy") diff --git a/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/query.rego b/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/query.rego index 8a61d2dec24..4b47d2f9d14 100644 --- a/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/query.rego +++ b/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/query.rego @@ -60,9 +60,9 @@ CxPolicy[result] { } # version after TF AWS 4.0 -CxPolicy[result] { +CxPolicy[result] { input.document[_].resource.aws_s3_bucket[bucketName] - + cors_configuration := input.document[i].resource.aws_s3_bucket_cors_configuration[name] split(cors_configuration.bucket, ".")[1] == bucketName rule := cors_configuration.cors_rule @@ -83,7 +83,7 @@ CxPolicy[result] { # version after TF AWS 4.0 CxPolicy[result] { input.document[_].resource.aws_s3_bucket[bucketName] - + cors_configuration := input.document[i].resource.aws_s3_bucket_cors_configuration[name] split(cors_configuration.bucket, ".")[1] == bucketName rule := cors_configuration.cors_rule[idx] diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/query.rego b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/query.rego index d024ecc086c..823d8fd366d 100644 --- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/query.rego +++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/query.rego @@ -5,7 +5,7 @@ import data.generic.terraform as tf_lib checkedFields = { "enabled", - "mfa_delete" + "mfa_delete", } # version before TF AWS 4.0 
@@ -49,7 +49,7 @@ CxPolicy[result] { keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "versioning") not common_lib.valid_key(module, "lifecycle_rule") - not common_lib.valid_key(module[keyToCheck], checkedFields[c]) + not common_lib.valid_key(module[keyToCheck], checkedFields[c]) result := { "documentId": input.document[i].id, @@ -128,7 +128,6 @@ CxPolicy[result] { # version after TF AWS 4.0 CxPolicy[result] { - input.document[_].resource.aws_s3_bucket[bucketName] not tf_lib.has_target_resource(bucketName, "aws_s3_bucket_lifecycle_configuration") diff --git a/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/query.rego b/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/query.rego index b163c580a25..6df2356bd32 100644 --- a/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/query.rego +++ b/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/query.rego @@ -18,7 +18,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket_public_access_block", name, "ignore_public_acls"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } @@ -57,7 +57,7 @@ CxPolicy[result] { "keyExpectedValue": "'ignore_public_acls' should equal 'true'", "keyActualValue": "'ignore_public_acls' is missing", "searchLine": common_lib.build_search_line(["module", name], []), - "remediation": sprintf("%s = true",[keyToCheck]), + "remediation": sprintf("%s = true", [keyToCheck]), "remediationType": "addition", } } @@ -79,7 +79,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["module", name, "ignore_public_acls"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } 
diff --git a/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/query.rego b/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/query.rego index 6b36d33cac5..e88909a9d00 100644 --- a/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/query.rego +++ b/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/query.rego @@ -3,7 +3,7 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib -#default of restrict_public_buckets is false +# default of restrict_public_buckets is false CxPolicy[result] { pubACL := input.document[i].resource.aws_s3_bucket_public_access_block[name] not common_lib.valid_key(pubACL, "restrict_public_buckets") @@ -37,7 +37,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket_public_access_block", name, "restrict_public_buckets"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } @@ -57,9 +57,8 @@ CxPolicy[result] { "keyExpectedValue": "'restrict_public_buckets' should equal 'true'", "keyActualValue": "'restrict_public_buckets' is missing", "searchLine": common_lib.build_search_line(["module", name], []), - "remediation": sprintf("%s = true",[keyToCheck]), + "remediation": sprintf("%s = true", [keyToCheck]), "remediationType": "addition", - } } @@ -79,7 +78,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["module", name, keyToCheck], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/s3_bucket_without_versioning/query.rego b/assets/queries/terraform/aws/s3_bucket_without_versioning/query.rego index 33649fe52b8..4bca0179652 100644 --- a/assets/queries/terraform/aws/s3_bucket_without_versioning/query.rego 
+++ b/assets/queries/terraform/aws/s3_bucket_without_versioning/query.rego 
@@ -3,153 +3,146 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib -#default of versioning is false +# default of versioning is false CxPolicy[result] { + bucket := input.document[i].resource.aws_s3_bucket[bucketName] + not common_lib.valid_key(bucket, "versioning") # version before TF AWS 4.0 + not tf_lib.has_target_resource(bucketName, "aws_s3_bucket_versioning") # version after TF AWS 4.0 - bucket := input.document[i].resource.aws_s3_bucket[bucketName] - not common_lib.valid_key(bucket, "versioning") # version before TF AWS 4.0 - not tf_lib.has_target_resource(bucketName, "aws_s3_bucket_versioning") # version after TF AWS 4.0 - - result := { - "documentId": input.document[i].id, - "resourceType": "aws_s3_bucket", + result := { + "documentId": input.document[i].id, + "resourceType": "aws_s3_bucket", "resourceName": tf_lib.get_specific_resource_name(bucket, "aws_s3_bucket", bucketName), - "searchKey": sprintf("aws_s3_bucket[%s]", [bucketName]), - "issueType": "MissingAttribute", - "keyExpectedValue": "'versioning' should be true", - "keyActualValue": "'versioning' is undefined or null", - "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket", bucketName], []), - } + "searchKey": sprintf("aws_s3_bucket[%s]", [bucketName]), + "issueType": "MissingAttribute", + "keyExpectedValue": "'versioning' should be true", + "keyActualValue": "'versioning' is undefined or null", + "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket", bucketName], []), + } } CxPolicy[result] { + module := input.document[i].module[name] + keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "versioning") + not common_lib.valid_key(module, keyToCheck) - module := input.document[i].module[name] - keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "versioning") - not common_lib.valid_key(module, keyToCheck) - - result := { - "documentId": 
input.document[i].id, - "resourceType": "n/a", + result := { + "documentId": input.document[i].id, + "resourceType": "n/a", "resourceName": "n/a", - "searchKey": sprintf("module[%s]", [name]), - "issueType": "MissingAttribute", - "keyExpectedValue": "'versioning' should be true", - "keyActualValue": "'versioning' is undefined or null", - "searchLine": common_lib.build_search_line(["module", name], []), - "remediation": sprintf("%s {\n\t\t enabled = true\n\t}",[keyToCheck]), + "searchKey": sprintf("module[%s]", [name]), + "issueType": "MissingAttribute", + "keyExpectedValue": "'versioning' should be true", + "keyActualValue": "'versioning' is undefined or null", + "searchLine": common_lib.build_search_line(["module", name], []), + "remediation": sprintf("%s {\n\t\t enabled = true\n\t}", [keyToCheck]), "remediationType": "addition", - } + } } -#default of enabled is false +# default of enabled is false # version before TF AWS 4.0 CxPolicy[result] { + bucket := input.document[i].resource.aws_s3_bucket[name] + not common_lib.valid_key(bucket.versioning, "enabled") - bucket := input.document[i].resource.aws_s3_bucket[name] - not common_lib.valid_key(bucket.versioning, "enabled") - - result := { - "documentId": input.document[i].id, - "resourceType": "aws_s3_bucket", + result := { + "documentId": input.document[i].id, + "resourceType": "aws_s3_bucket", "resourceName": tf_lib.get_specific_resource_name(bucket, "aws_s3_bucket", name), - "searchKey": sprintf("aws_s3_bucket[%s].versioning", [name]), - "issueType": "MissingAttribute", - "keyExpectedValue": "'versioning.enabled' should be true", - "keyActualValue": "'versioning.enabled' is undefined or null", - "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket", name, "versioning"], []), - "remediation": "enabled = true", + "searchKey": sprintf("aws_s3_bucket[%s].versioning", [name]), + "issueType": "MissingAttribute", + "keyExpectedValue": "'versioning.enabled' should be true", + "keyActualValue": 
"'versioning.enabled' is undefined or null", + "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket", name, "versioning"], []), + "remediation": "enabled = true", "remediationType": "addition", - } + } } CxPolicy[result] { + module := input.document[i].module[name] + keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "versioning") + not common_lib.valid_key(module[keyToCheck], "enabled") - module := input.document[i].module[name] - keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "versioning") - not common_lib.valid_key(module[keyToCheck], "enabled") - - result := { - "documentId": input.document[i].id, - "resourceType": "n/a", + result := { + "documentId": input.document[i].id, + "resourceType": "n/a", "resourceName": "n/a", - "searchKey": sprintf("module[%s].versioning", [name]), - "issueType": "MissingAttribute", - "keyExpectedValue": "'versioning.enabled' should be true", - "keyActualValue": "'versioning.enabled' is undefined or null", - "searchLine": common_lib.build_search_line(["module", name, "versioning"], []), - "remediation": "enabled = true", + "searchKey": sprintf("module[%s].versioning", [name]), + "issueType": "MissingAttribute", + "keyExpectedValue": "'versioning.enabled' should be true", + "keyActualValue": "'versioning.enabled' is undefined or null", + "searchLine": common_lib.build_search_line(["module", name, "versioning"], []), + "remediation": "enabled = true", "remediationType": "addition", - } + } } # version before TF AWS 4.0 CxPolicy[result] { + bucket := input.document[i].resource.aws_s3_bucket[name] + bucket.versioning.enabled != true - bucket := input.document[i].resource.aws_s3_bucket[name] - bucket.versioning.enabled != true - - result := { - "documentId": input.document[i].id, - "resourceType": "aws_s3_bucket", + result := { + "documentId": input.document[i].id, + "resourceType": "aws_s3_bucket", "resourceName": 
tf_lib.get_specific_resource_name(bucket, "aws_s3_bucket", name), - "searchKey": sprintf("aws_s3_bucket[%s].versioning.enabled", [name]), - "issueType": "IncorrectValue", - "keyExpectedValue": "'versioning.enabled' should be true", - "keyActualValue": "'versioning.enabled' is set to false", - "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket", name, "versioning", "enabled"], []), - "remediation": json.marshal({ + "searchKey": sprintf("aws_s3_bucket[%s].versioning.enabled", [name]), + "issueType": "IncorrectValue", + "keyExpectedValue": "'versioning.enabled' should be true", + "keyActualValue": "'versioning.enabled' is set to false", + "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket", name, "versioning", "enabled"], []), + "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", - } + } } CxPolicy[result] { + module := input.document[i].module[name] + keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "versioning") + module[keyToCheck].enabled != true - module := input.document[i].module[name] - keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "versioning") - module[keyToCheck].enabled != true - - result := { - "documentId": input.document[i].id, - "resourceType": "n/a", + result := { + "documentId": input.document[i].id, + "resourceType": "n/a", "resourceName": "n/a", - "searchKey": sprintf("module[%s].versioning.enabled", [name]), - "issueType": "IncorrectValue", - "keyExpectedValue": "'versioning.enabled' should be true", - "keyActualValue": "'versioning.enabled' is set to false", - "searchLine": common_lib.build_search_line(["module", name, "versioning", "enabled"], []), - "remediation": json.marshal({ + "searchKey": sprintf("module[%s].versioning.enabled", [name]), + "issueType": "IncorrectValue", + "keyExpectedValue": "'versioning.enabled' should be true", + 
"keyActualValue": "'versioning.enabled' is set to false", + "searchLine": common_lib.build_search_line(["module", name, "versioning", "enabled"], []), + "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", - } + } } # version after TF AWS 4.0 CxPolicy[result] { - - input.document[_].resource.aws_s3_bucket[bucketName] - bucket_versioning := input.document[i].resource.aws_s3_bucket_versioning[name] - split(bucket_versioning.bucket, ".")[1] == bucketName - bucket_versioning.versioning_configuration.status == "Suspended" - - result := { - "documentId": input.document[i].id, - "resourceType": "aws_s3_bucket_versioning", + input.document[_].resource.aws_s3_bucket[bucketName] + bucket_versioning := input.document[i].resource.aws_s3_bucket_versioning[name] + split(bucket_versioning.bucket, ".")[1] == bucketName + bucket_versioning.versioning_configuration.status == "Suspended" + + result := { + "documentId": input.document[i].id, + "resourceType": "aws_s3_bucket_versioning", "resourceName": tf_lib.get_resource_name(bucket_versioning, name), - "searchKey": sprintf("aws_s3_bucket_versioning[%s].versioning_configuration.status", [name]), - "issueType": "IncorrectValue", - "keyExpectedValue": "'versioning_configuration.status' should be set to 'Enabled'", - "keyActualValue": "'versioning_configuration.status' is set to 'Suspended'", - "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket_versioning", name, "versioning_configuration", "status"], []), - "remediation": json.marshal({ + "searchKey": sprintf("aws_s3_bucket_versioning[%s].versioning_configuration.status", [name]), + "issueType": "IncorrectValue", + "keyExpectedValue": "'versioning_configuration.status' should be set to 'Enabled'", + "keyActualValue": "'versioning_configuration.status' is set to 'Suspended'", + "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket_versioning", name, "versioning_configuration", 
"status"], []), + "remediation": json.marshal({ "before": "Suspended", - "after": "Enabled" + "after": "Enabled", }), "remediationType": "replacement", - } + } } diff --git a/assets/queries/terraform/aws/s3_static_website_host_enabled/query.rego b/assets/queries/terraform/aws/s3_static_website_host_enabled/query.rego index 7277fb4ec53..8cadde6e6f5 100644 --- a/assets/queries/terraform/aws/s3_static_website_host_enabled/query.rego +++ b/assets/queries/terraform/aws/s3_static_website_host_enabled/query.rego @@ -5,7 +5,6 @@ import data.generic.terraform as tf_lib # version before TF AWS 4.0 CxPolicy[result] { - resource := input.document[i].resource.aws_s3_bucket[name] count(resource.website) > 0 @@ -24,7 +23,7 @@ CxPolicy[result] { CxPolicy[result] { module := input.document[i].module[name] keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "website") - + count(module[keyToCheck]) > 0 result := { @@ -40,9 +39,9 @@ CxPolicy[result] { } # version after TF AWS 4.0 -CxPolicy[result] { +CxPolicy[result] { resource := input.document[i].resource.aws_s3_bucket[bucketName] - + tf_lib.has_target_resource(bucketName, "aws_s3_bucket_website_configuration") result := { diff --git a/assets/queries/terraform/aws/secure_ciphers_disabled/query.rego b/assets/queries/terraform/aws/secure_ciphers_disabled/query.rego index c0ff85a5478..d36a4ac53cc 100644 --- a/assets/queries/terraform/aws/secure_ciphers_disabled/query.rego +++ b/assets/queries/terraform/aws/secure_ciphers_disabled/query.rego 
@@ -17,13 +17,12 @@ CxPolicy[result] { "keyActualValue": sprintf("resource.aws_cloudfront_distribution[%s].viewer_certificate.minimum_protocol_version doesn't start with TLSv1.1 or TLSv1.2", [name]), "remediation": json.marshal({ "before": sprintf("%s", [resource.viewer_certificate.minimum_protocol_version]), - "after": "TLSv1.2" + "after": "TLSv1.2", }), "remediationType": "replacement", } } - checkMinProtocolVersion(protocolVersion) { startswith(protocolVersion, "TLSv1.1") } else { diff --git a/assets/queries/terraform/aws/security_group_rules_without_description/query.rego b/assets/queries/terraform/aws/security_group_rules_without_description/query.rego index 03e15ecca72..555c0acf065 100644 --- a/assets/queries/terraform/aws/security_group_rules_without_description/query.rego +++ b/assets/queries/terraform/aws/security_group_rules_without_description/query.rego @@ -7,7 +7,7 @@ CxPolicy[result] { resource := input.document[i].resource.aws_security_group[name] types := {"ingress", "egress"} resourceType := resource[types[y]] - not is_array(resourceType) + not is_array(resourceType) not common_lib.valid_key(resourceType, "description") result := { @@ -26,8 +26,8 @@ CxPolicy[result] { resource := input.document[i].resource.aws_security_group[name] types := {"ingress", "egress"} resourceType := resource[types[y]] - is_array(resourceType) - currentResource := resourceType[resourceIndex] + is_array(resourceType) + currentResource := resourceType[resourceIndex] not common_lib.valid_key(currentResource, "description") result := { diff --git a/assets/queries/terraform/aws/security_groups_not_used/query.rego b/assets/queries/terraform/aws/security_groups_not_used/query.rego index ca3c3ca9bad..1407edc287a 100644 --- a/assets/queries/terraform/aws/security_groups_not_used/query.rego +++ b/assets/queries/terraform/aws/security_groups_not_used/query.rego 
@@ -55,7 +55,7 @@ is_used(securityGroupName, doc, resource) {
 is_used(securityGroupName, doc, resource) {
 sec_group_used := resource.name
- [path, value] := walk(doc)
+ [path, value] := walk(doc)
 securityGroupUsed := value.security_groups[_]
 sec_group_used == securityGroupUsed
 }
diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/query.rego b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/query.rego
index 3f776e91f5f..ead961873fe 100644
--- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/query.rego
+++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/query.rego
@@ -1,7 +1,7 @@ package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as commonLib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.aws_security_group[name]
@@ -33,7 +33,7 @@ CxPolicy[result] {
 portContent := commonLib.tcpPortsMap[port]
 portNumber = port
 portName = portContent
- ingress := resource.ingress[j]
+ ingress := resource.ingress[j]
 protocol := tf_lib.getProtocolList(ingress.protocol)[_]
 endswith(ingress.cidr_blocks[_], "/0")
diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/query.rego b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/query.rego
index 96cf574255d..41f7bbac930 100644
--- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/query.rego
+++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/query.rego
@@ -1,7 +1,7 @@ package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as commonLib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.aws_security_group[name]
diff --git a/assets/queries/terraform/aws/service_control_policies_disabled/query.rego b/assets/queries/terraform/aws/service_control_policies_disabled/query.rego index 3afe7df4ac9..1673d215fc2 100644 --- a/assets/queries/terraform/aws/service_control_policies_disabled/query.rego +++ b/assets/queries/terraform/aws/service_control_policies_disabled/query.rego @@ -19,7 +19,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_organizations_organization", name, "feature_set"], []), "remediation": json.marshal({ "before": "CONSOLIDATED_BILLING", - "after": "ALL" + "after": "ALL", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/shield_advanced_not_in_use/query.rego b/assets/queries/terraform/aws/shield_advanced_not_in_use/query.rego index f20ed990888..3afb10cf3db 100644 --- a/assets/queries/terraform/aws/shield_advanced_not_in_use/query.rego +++ b/assets/queries/terraform/aws/shield_advanced_not_in_use/query.rego @@ -8,10 +8,9 @@ resources := { "aws_lb", "aws_globalaccelerator_accelerator", "aws_eip", - "aws_route53_zone" + "aws_route53_zone", } - CxPolicy[result] { target := input.document[i].resource[resources[idx]][name] @@ -35,8 +34,8 @@ has_shield_advanced(name) { } matches(shield, name) { - split(shield.resource_arn,".")[1] == name + split(shield.resource_arn, ".")[1] == name } else { - target := split(shield.resource_arn,"/")[1] - split(target,".")[1] == name + target := split(shield.resource_arn, "/")[1] + split(target, ".")[1] == name } diff --git a/assets/queries/terraform/aws/sns_topic_not_encrypted/query.rego b/assets/queries/terraform/aws/sns_topic_not_encrypted/query.rego index 5d279ac4036..b83b1530bf9 100644 --- a/assets/queries/terraform/aws/sns_topic_not_encrypted/query.rego +++ b/assets/queries/terraform/aws/sns_topic_not_encrypted/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.aws_sns_topic[name] diff --git a/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/query.rego b/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/query.rego index 29a8d7cb4e1..e66686e0abf 100644 --- a/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/query.rego +++ b/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/query.rego @@ -7,7 +7,7 @@ CxPolicy[result] { resource := input.document[i].resource.aws_vpc_endpoint[name] serviceNameSplit := split(resource.service_name, ".") - serviceNameSplit[minus(count(serviceNameSplit), 1)] == "sqs" + serviceNameSplit[count(serviceNameSplit) - 1] == "sqs" vpcNameRef := split(resource.vpc_id, ".")[1] vpc := input.document[j].resource.aws_vpc[vpcNameRef] @@ -25,13 +25,12 @@ CxPolicy[result] { } } - CxPolicy[result] { module := input.document[i].module[name] keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_vpc", "enable_dns_support") module[keyToCheck] == false - + result := { "documentId": input.document[i].id, "resourceType": "n/a", diff --git a/assets/queries/terraform/aws/sqs_with_sse_disabled/query.rego b/assets/queries/terraform/aws/sqs_with_sse_disabled/query.rego index 958586e958f..8affbc64128 100644 --- a/assets/queries/terraform/aws/sqs_with_sse_disabled/query.rego +++ b/assets/queries/terraform/aws/sqs_with_sse_disabled/query.rego 
@@ -6,12 +6,10 @@ import data.generic.terraform as tf_lib
 ## two ways to activated SSE : kms_master_key_id OR sqs_managed_sse_enabled
 ## https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue#server-side-encryption-sse
 sse_activated(obj) {
- common_lib.valid_key(obj, "kms_master_key_id")
+ common_lib.valid_key(obj, "kms_master_key_id")
 } else {
- common_lib.valid_key(obj, "sqs_managed_sse_enabled")
-} else = false {
- true
-}
+ common_lib.valid_key(obj, "sqs_managed_sse_enabled")
+} else = false
 CxPolicy[result] {
 resource := input.document[i].resource.aws_sqs_queue[name]
diff --git a/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/query.rego b/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/query.rego
index ba45cfbddd9..1e73ce59ba0 100644
--- a/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/query.rego
+++ b/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/query.rego
@@ -9,7 +9,7 @@ CxPolicy[result] {
 resource.document_type == "Session"
 content := common_lib.json_unmarshal(resource.content)
- not common_lib.valid_key(content, "inputs")
+ not common_lib.valid_key(content, "inputs")
 result := {
 "documentId": input.document[i].id,
@@ -29,7 +29,7 @@ CxPolicy[result] {
 resource.document_type == "Session"
 content := common_lib.json_unmarshal(resource.content)
- not common_lib.valid_key(content.inputs, "kmsKeyId")
+ not common_lib.valid_key(content.inputs, "kmsKeyId")
 result := {
 "documentId": input.document[i].id,
diff --git a/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/query.rego b/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/query.rego
index 1b78d54678e..dc268303cb1 100644
--- a/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/query.rego
+++ b/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/query.rego
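Review bot: In the rewritten `sse_activated`, the second branch treats the mere presence of `sqs_managed_sse_enabled` as encryption being on, so an explicit opt-out such as `sqs_managed_sse_enabled = false` would pass as SSE-enabled and the queue would not be reported — assuming `common_lib.valid_key` only checks that the key is defined and non-null, as its use beside messages like `'logging' should be defined and not null` elsewhere in this diff suggests. Comparing the value instead closes that gap: `obj.sqs_managed_sse_enabled == true`. The `kms_master_key_id` branch is fine as a presence check, since any key id enables SSE-KMS. The trailing `else = false` is unchanged in meaning, so the rule still evaluates to false for a queue with neither attribute.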
@@ -5,8 +5,8 @@ import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.aws_ssoadmin_permission_set[name] - session_duration := resource.session_duration - + session_duration := resource.session_duration + more_than_one_hour(session_duration) result := { @@ -22,21 +22,21 @@ CxPolicy[result] { } more_than_one_hour(session_duration) { - time := get_hours_value(session_duration) + get_minutes_value(session_duration) + get_seconds_value(session_duration) - time > 3600 + time_period := (get_hours_value(session_duration) + get_minutes_value(session_duration)) + get_seconds_value(session_duration) + time_period > 3600 } get_hours_value(session_duration) := duration { hours_value := trim_suffix(regex.find_all_string_submatch_n(`\d{1,2}H`, session_duration, 1)[0][0], "H") - duration := 3600 * to_number(hours_value) + duration := 3600 * to_number(hours_value) } else := 0 get_minutes_value(session_duration) := duration { minutes_value := trim_suffix(regex.find_all_string_submatch_n(`\d{1,2}M`, session_duration, 1)[0][0], "M") - duration := 60 * to_number(minutes_value) + duration := 60 * to_number(minutes_value) } else := 0 get_seconds_value(session_duration) := duration { seconds_value := trim_suffix(regex.find_all_string_submatch_n(`\d{1,2}S`, session_duration, 1)[0][0], "S") - duration := to_number(seconds_value) + duration := to_number(seconds_value) } else := 0 diff --git a/assets/queries/terraform/aws/sso_policy_with_full_priveleges/query.rego b/assets/queries/terraform/aws/sso_policy_with_full_priveleges/query.rego index 0e7b7e1bd5e..4ceb903c926 100644 --- a/assets/queries/terraform/aws/sso_policy_with_full_priveleges/query.rego +++ b/assets/queries/terraform/aws/sso_policy_with_full_priveleges/query.rego 
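Review bot: `more_than_one_hour` and the three `get_*_value` helpers in the second hunk carry no comment stating what input they expect, and the rename to `time_period` plus the added parentheses make the sum read as an opaque expression. A header comment above `more_than_one_hour` such as `# session_duration is an ISO-8601 duration string (e.g. "PT1H30M"); each get_*_value helper returns one component in seconds, or 0 when that component is absent` would explain the `\d{1,2}H` / `\d{1,2}M` / `\d{1,2}S` patterns and the `else := 0` fall-backs. Worth stating there too that the patterns are unanchored and accept at most two digits, so a component written any other way silently contributes 0 rather than failing the rule. The `CxPolicy` rule of the first hunk continues outside the hunk.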
@@ -7,7 +7,7 @@ CxPolicy[result] { resource := input.document[i].resource.aws_ssoadmin_permission_set_inline_policy[name] policy := common_lib.json_unmarshal(resource.inline_policy) - st := common_lib.get_statement(policy) + st := common_lib.get_statement(policy) statement := st[_] common_lib.is_allow_effect(statement) diff --git a/assets/queries/terraform/aws/stack_retention_disabled/query.rego b/assets/queries/terraform/aws/stack_retention_disabled/query.rego index 88d0cb8a78c..d49fac8bfe3 100644 --- a/assets/queries/terraform/aws/stack_retention_disabled/query.rego +++ b/assets/queries/terraform/aws/stack_retention_disabled/query.rego @@ -38,7 +38,7 @@ CxPolicy[result] { "keyActualValue": sprintf("aws_cloudformation_stack_set_instance[%s].retain_stack is false", [name]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/stack_without_template/query.rego b/assets/queries/terraform/aws/stack_without_template/query.rego index 637038d550f..5ae460c2f73 100644 --- a/assets/queries/terraform/aws/stack_without_template/query.rego +++ b/assets/queries/terraform/aws/stack_without_template/query.rego @@ -7,7 +7,7 @@ CxPolicy[result] { resource := input.document[i].resource.aws_cloudformation_stack[name] not common_lib.valid_key(resource, "template_body") - not common_lib.valid_key(resource, "template_url") + not common_lib.valid_key(resource, "template_url") result := { "documentId": input.document[i].id, diff --git a/assets/queries/terraform/aws/unknown_port_exposed_to_internet/query.rego b/assets/queries/terraform/aws/unknown_port_exposed_to_internet/query.rego index 0b55d86f91a..93553de911b 100644 --- a/assets/queries/terraform/aws/unknown_port_exposed_to_internet/query.rego +++ b/assets/queries/terraform/aws/unknown_port_exposed_to_internet/query.rego 
@@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as commonLib +import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.aws_security_group[name] @@ -29,11 +29,9 @@ getIngressList(ingress) = list { } else = list { is_object(ingress) list := [ingress] -} else = null { - true -} +} else = null -unknownPort(from_port,to_port) { +unknownPort(from_port, to_port) { port := numbers.range(from_port, to_port)[i] not commonLib.valid_key(commonLib.tcpPortsMap, port) } diff --git a/assets/queries/terraform/aws/unscanned_ecr_image/query.rego b/assets/queries/terraform/aws/unscanned_ecr_image/query.rego index 122309f164e..61f291d6088 100644 --- a/assets/queries/terraform/aws/unscanned_ecr_image/query.rego +++ b/assets/queries/terraform/aws/unscanned_ecr_image/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.aws_ecr_repository[name] @@ -20,7 +20,7 @@ CxPolicy[result] { "enabled": imageScan.scan_on_push, "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego index 5c613a9f944..4f91563e794 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego 
@@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM user user := input.document[i].resource.aws_iam_user[targetUser] - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "glue:UpdateDevEndpoint") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "glue:UpdateDevEndpoint") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_user", - "resourceName": tf_lib.get_resource_name(user, targetUser), + "resourceName": tf_lib.get_resource_name(user, targetUser), "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetUser]), + "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetUser]), "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetUser]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego index 19397dd7c05..94cf67a53b0 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego 
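Review bot: The hunk deletes the only explanatory comment in the rule (`# get a AWS IAM user`) without replacing it, leaving `CxPolicy` with no statement of what it flags; the same deletion is made in every other `user_with_privilege_escalation_by_actions_*` hunk that follows in this range. Since the intent is already spelled out in `keyExpectedValue`, a one-line comment above `user := ...` would suffice, e.g. `# flag IAM users attached to a policy that allows 'glue:UpdateDevEndpoint' on Resource '*' (privilege-escalation path)`, with the action name adjusted per query. As a point of style, the `keyExpectedValue` messages are inconsistent across these otherwise identical rules ("shouldn't" here, "should not" in the AddUserToGroup and PutGroupPolicy queries); since the commit touches every one of these lines anyway, aligning the wording would be cheap.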
@@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM user user := input.document[i].resource.aws_iam_user[targetUser] - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AddUserToGroup") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AddUserToGroup") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_user", - "resourceName": tf_lib.get_resource_name(user, targetUser), + "resourceName": tf_lib.get_resource_name(user, targetUser), "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("user %s should not be associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetUser]), + "keyExpectedValue": sprintf("user %s should not be associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetUser]), "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetUser]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego index 503714ed388..e65c9a4f862 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego 
@@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM user user := input.document[i].resource.aws_iam_user[targetUser] - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AttachGroupPolicy") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AttachGroupPolicy") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_user", - "resourceName": tf_lib.get_resource_name(user, targetUser), + "resourceName": tf_lib.get_resource_name(user, targetUser), "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetUser]), + "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetUser]), "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetUser]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego index 8f36a5e30ea..020710c4885 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego 
@@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM user user := input.document[i].resource.aws_iam_user[targetUser] - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AttachRolePolicy") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AttachRolePolicy") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_user", - "resourceName": tf_lib.get_resource_name(user, targetUser), + "resourceName": tf_lib.get_resource_name(user, targetUser), "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetUser]), + "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetUser]), "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetUser]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego index b2eb5ad6963..24092464522 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego 
@@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM user user := input.document[i].resource.aws_iam_user[targetUser] - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AttachUserPolicy") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AttachUserPolicy") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_user", - "resourceName": tf_lib.get_resource_name(user, targetUser), + "resourceName": tf_lib.get_resource_name(user, targetUser), "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetUser]), + "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetUser]), "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetUser]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego index 8d4e07fef03..f0dc018deeb 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego 
@@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM user user := input.document[i].resource.aws_iam_user[targetUser] - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:CreateAccessKey") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:CreateAccessKey") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_user", - "resourceName": tf_lib.get_resource_name(user, targetUser), + "resourceName": tf_lib.get_resource_name(user, targetUser), "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetUser]), + "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetUser]), "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetUser]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego index ef385ec3130..3117c102982 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego 
@@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM user user := input.document[i].resource.aws_iam_user[targetUser] - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:CreateLoginProfile") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:CreateLoginProfile") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_user", - "resourceName": tf_lib.get_resource_name(user, targetUser), + "resourceName": tf_lib.get_resource_name(user, targetUser), "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetUser]), + "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetUser]), "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetUser]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego index 996f9b77cc6..e313cae77c6 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego 
@@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM user user := input.document[i].resource.aws_iam_user[targetUser] - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:CreatePolicyVersion") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:CreatePolicyVersion") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_user", - "resourceName": tf_lib.get_resource_name(user, targetUser), + "resourceName": tf_lib.get_resource_name(user, targetUser), "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetUser]), + "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetUser]), "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetUser]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego index 14d3a30ef4c..c94fd771e5d 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego 
@@ -4,22 +4,20 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM user user := input.document[i].resource.aws_iam_user[targetUser] - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "cloudformation:CreateStack") - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "cloudformation:CreateStack") + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_user", - "resourceName": tf_lib.get_resource_name(user, targetUser), + "resourceName": tf_lib.get_resource_name(user, targetUser), "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetUser]), + "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetUser]), "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetUser]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego index d27213e4a9e..42ce12bedf6 100644 
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego @@ -4,22 +4,20 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM user user := input.document[i].resource.aws_iam_user[targetUser] - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "ec2:RunInstances") - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "ec2:RunInstances") + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_user", - "resourceName": tf_lib.get_resource_name(user, targetUser), + "resourceName": tf_lib.get_resource_name(user, targetUser), "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetUser]), + "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetUser]), "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetUser]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego index 32b4ae44d71..477d77a3909 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego 
@@ -4,22 +4,20 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM user user := input.document[i].resource.aws_iam_user[targetUser] - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "glue:CreateDevEndpoint") - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "glue:CreateDevEndpoint") + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_user", - "resourceName": tf_lib.get_resource_name(user, targetUser), + "resourceName": tf_lib.get_resource_name(user, targetUser), "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetUser]), + "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetUser]), "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetUser]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego index bf2572aba9e..1fd3a5388b6 100644 
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego 
@@ -4,23 +4,21 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM user user := input.document[i].resource.aws_iam_user[targetUser] - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "lambda:CreateFunction") - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole") - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "lambda:InvokeFunction") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "lambda:CreateFunction") + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole") + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "lambda:InvokeFunction") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_user", - "resourceName": tf_lib.get_resource_name(user, targetUser), + "resourceName": tf_lib.get_resource_name(user, targetUser), "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetUser]), + "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetUser]), "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetUser]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego index 267b6137084..9ef1a11cab1 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego @@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM user user := input.document[i].resource.aws_iam_user[targetUser] - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PutGroupPolicy") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PutGroupPolicy") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_user", - "resourceName": tf_lib.get_resource_name(user, targetUser), + "resourceName": tf_lib.get_resource_name(user, targetUser), "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("user %s should not be associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetUser]), + "keyExpectedValue": sprintf("user %s should not be associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetUser]), "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetUser]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego index 1f1659ef27e..9c82a9051e0 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego @@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM user user := input.document[i].resource.aws_iam_user[targetUser] - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PutRolePolicy") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PutRolePolicy") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_user", - "resourceName": tf_lib.get_resource_name(user, targetUser), + "resourceName": tf_lib.get_resource_name(user, targetUser), "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("user %s should not be associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetUser]), + "keyExpectedValue": sprintf("user %s should not be associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetUser]), "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetUser]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego index e2fc865b949..b7f207b79ed 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego @@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM user user := input.document[i].resource.aws_iam_user[targetUser] - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PutUserPolicy") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PutUserPolicy") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_user", - "resourceName": tf_lib.get_resource_name(user, targetUser), + "resourceName": tf_lib.get_resource_name(user, targetUser), "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("user %s should not be associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetUser]), + "keyExpectedValue": sprintf("user %s should not be associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetUser]), "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetUser]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego index ba05e7c5f79..f5a5c80a7ec 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego @@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM user user := input.document[i].resource.aws_iam_user[targetUser] - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:SetDefaultPolicyVersion") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:SetDefaultPolicyVersion") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_user", - "resourceName": tf_lib.get_resource_name(user, targetUser), + "resourceName": tf_lib.get_resource_name(user, targetUser), "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetUser]), + "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetUser]), "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetUser]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego index 53d9d9c5eca..5de5c6f2689 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego 
@@ -4,22 +4,20 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM user user := input.document[i].resource.aws_iam_user[targetUser] - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:UpdateAssumeRolePolicy") - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "sts:AssumeRole") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:UpdateAssumeRolePolicy") + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "sts:AssumeRole") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_user", - "resourceName": tf_lib.get_resource_name(user, targetUser), + "resourceName": tf_lib.get_resource_name(user, targetUser), "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetUser]), + "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetUser]), "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetUser]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego index 8ba44dc6a01..4fb8df997e8 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego 
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego @@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM user user := input.document[i].resource.aws_iam_user[targetUser] - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:UpdateLoginProfile") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:UpdateLoginProfile") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_user", - "resourceName": tf_lib.get_resource_name(user, targetUser), + "resourceName": tf_lib.get_resource_name(user, targetUser), "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetUser]), + "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetUser]), "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetUser]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego index 59fa2e86ca8..1c858c596d9 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego 
@@ -4,21 +4,19 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - # get a AWS IAM user user := input.document[i].resource.aws_iam_user[targetUser] - common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "lambda:UpdateFunctionCode") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "lambda:UpdateFunctionCode") result := { "documentId": input.document[i].id, "resourceType": "aws_iam_user", - "resourceName": tf_lib.get_resource_name(user, targetUser), + "resourceName": tf_lib.get_resource_name(user, targetUser), "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetUser]), + "keyExpectedValue": sprintf("user %s shouldn't be associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetUser]), "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetUser]), - "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } diff --git a/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/query.rego b/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/query.rego index 9978749eba1..465260efa25 100644 --- a/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/query.rego +++ b/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/query.rego @@ -19,7 +19,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_subnet", name, "map_public_ip_on_launch"], []), "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } 
@@ -42,7 +42,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["module", name, keyToCheck], []), "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/aws_bom/dynamo/query.rego b/assets/queries/terraform/aws_bom/dynamo/query.rego index b2f5f4666b0..a8f5d30d300 100644 --- a/assets/queries/terraform/aws_bom/dynamo/query.rego +++ b/assets/queries/terraform/aws_bom/dynamo/query.rego @@ -30,14 +30,15 @@ CxPolicy[result] { } } -get_accessibility(resource, name) = info{ - values := [x | - vpc_endpoint_policy := input.document[_].resource.aws_vpc_endpoint_policy[_] - policy := common_lib.json_unmarshal(vpc_endpoint_policy.policy) - x := policy_accessibility(policy, resource.name)] - info := get_info(values) +get_accessibility(resource, name) = info { + values := [x | + vpc_endpoint_policy := input.document[_].resource.aws_vpc_endpoint_policy[_] + policy := common_lib.json_unmarshal(vpc_endpoint_policy.policy) + x := policy_accessibility(policy, resource.name) + ] + info := get_info(values) } else = info { - info := {"accessibility":"private", "policy": ""} + info := {"accessibility": "private", "policy": ""} } policy_accessibility(policy, table_name) = info { 
@@ -49,21 +50,21 @@ policy_accessibility(policy, table_name) = info { check_actions(statement.Action) resources_arn := get_resource_arn(statement.Resource) - has_all_or_dynamob_arn(resources_arn, table_name) + has_all_or_dynamob_arn(resources_arn, table_name) - info := {"accessibility":"public", "policy": policy} -} else = info { + info := {"accessibility": "public", "policy": policy} +} else = info { common_lib.get_statement(policy) - info := {"accessibility":"private", "policy": policy} + info := {"accessibility": "private", "policy": policy} } else = info { - info := {"accessibility":"hasPolicy", "policy": policy} + info := {"accessibility": "hasPolicy", "policy": policy} } -has_all_or_dynamob_arn(arn, table_name){ +has_all_or_dynamob_arn(arn, table_name) { arn == "*" } else { startswith(arn, "arn:aws:dynamodb:") - suffix := concat( "", [":table/", table_name]) + suffix := concat("", [":table/", table_name]) endswith(arn, suffix) } @@ -74,11 +75,11 @@ get_resource_arn(resources) = val { val := resources } -get_encryption(resource) = encryption{ +get_encryption(resource) = encryption { sse := resource.server_side_encryption sse.enabled == true encryption := "encrypted" -} else = encryption{ +} else = encryption { encryption := "unencrypted" } @@ -146,7 +147,7 @@ dynamo_actions := { "dynamodb:RestoreTableFromBackup", "dynamodb:DeleteBackup", "dynamodb:PartiQLDelete", - "dynamodb:*" + "dynamodb:*", } check_actions(actions) { @@ -155,12 +156,9 @@ check_actions(actions) { common_lib.equalsOrInArray(actions, "*") } -get_info(info_arr)= info{ - val := [ x | info_arr[x].accessibility == "public" ] +get_info(info_arr) = info { + val := [x | info_arr[x].accessibility == "public"] info := info_arr[val[0]] -} else = info{ +} else = info { info := info_arr[0] } - - - diff --git a/assets/queries/terraform/aws_bom/efs/query.rego b/assets/queries/terraform/aws_bom/efs/query.rego index 680ef21da76..aeee4137056 100644 --- a/assets/queries/terraform/aws_bom/efs/query.rego 
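Review bot: `has_all_or_dynamob_arn` only accepts the `arn:aws:dynamodb:` prefix, so a table ARN in another partition (`arn:aws-us-gov:` or `arn:aws-cn:`) never matches and a statement granting `*`-style actions on it is classified as not public — a silent false negative in the BOM accessibility field. A partition-agnostic prefix check, e.g. replacing the `startswith` line with `regex.match("^arn:aws[a-z-]*:dynamodb:", arn)` while keeping the `:table/` suffix check, would cover those partitions; the `dynamob` typo in the function name could be fixed in the same pass since this commit already touches that line. The start of `policy_accessibility` is outside this hunk, so whether `Effect`/`Principal` are checked before `check_actions` cannot be seen here.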
+++ b/assets/queries/terraform/aws_bom/efs/query.rego @@ -11,7 +11,7 @@ CxPolicy[result] { bom_output = { "resource_type": "aws_efs_file_system", "resource_name": tf_lib.get_resource_name(efs_file_system, name), - "resource_accessibility": info.accessibility, + "resource_accessibility": info.accessibility, "resource_encryption": common_lib.get_encryption_if_exists(efs_file_system), "resource_vendor": "AWS", "resource_category": "Storage", diff --git a/assets/queries/terraform/aws_bom/elasticache/query.rego b/assets/queries/terraform/aws_bom/elasticache/query.rego index 80917b6699b..6fc6136f97c 100644 --- a/assets/queries/terraform/aws_bom/elasticache/query.rego +++ b/assets/queries/terraform/aws_bom/elasticache/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { elasticache := input.document[i].resource.aws_elasticache_cluster[name] @@ -36,9 +37,9 @@ get_engine_type(aws_elasticache_cluster) = engine_type { } unrestricted_cidr(ingress) { - ingress.cidr_blocks[_] == "0.0.0.0/0" + "0.0.0.0/0" in ingress.cidr_blocks } else { - ingress.ipv6_cidr_blocks[_] == "::/0" + "::/0" in ingress.ipv6_cidr_blocks } unrestricted(sg) { @@ -69,14 +70,16 @@ options := {"security_group_names", "security_group_ids"} get_accessibility(elasticache) = accessibility { count({ - x | securityGroupInfo := elasticache[options[_]][x]; + x | + securityGroupInfo := elasticache[options[_]][x] is_unrestricted(securityGroupInfo) }) > 0 accessibility := "at least one security group associated with the elasticache is unrestricted" } else = accessibility { count({ - x | securityGroupInfo := elasticache[options[_]][x]; + x | + securityGroupInfo := elasticache[options[_]][x] not is_unrestricted(securityGroupInfo) }) == count(elasticache[options[_]]) 
diff --git a/assets/queries/terraform/aws_bom/kinesis/query.rego b/assets/queries/terraform/aws_bom/kinesis/query.rego index d8b5566c0e2..d4acf070aad 100644 --- a/assets/queries/terraform/aws_bom/kinesis/query.rego +++ b/assets/queries/terraform/aws_bom/kinesis/query.rego @@ -28,8 +28,6 @@ CxPolicy[result] { } } - - get_encryption(resource) = encryption { common_lib.valid_key(resource, "kms_key_id") encryption := "encrypted" diff --git a/assets/queries/terraform/aws_bom/msk/query.rego b/assets/queries/terraform/aws_bom/msk/query.rego index adae4efc827..2035a20eddc 100644 --- a/assets/queries/terraform/aws_bom/msk/query.rego +++ b/assets/queries/terraform/aws_bom/msk/query.rego @@ -8,7 +8,6 @@ CxPolicy[result] { bom_output = { "resource_type": "aws_msk_cluster", - "resource_name": tf_lib.get_specific_resource_name(aws_msk_cluster_resource, "aws_msk_cluster", name), "resource_name": aws_msk_cluster_resource.cluster_name, "resource_accessibility": get_accessibility(aws_msk_cluster_resource), "resource_encryption": common_lib.get_encryption_if_exists(aws_msk_cluster_resource), diff --git a/assets/queries/terraform/aws_bom/rds/query.rego b/assets/queries/terraform/aws_bom/rds/query.rego index add02d68719..3a0ffe433e9 100644 --- a/assets/queries/terraform/aws_bom/rds/query.rego +++ b/assets/queries/terraform/aws_bom/rds/query.rego 
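Review bot: Removing the `tf_lib.get_specific_resource_name(...)` entry in favour of the raw `cluster_name` attribute resolves the duplicate `resource_name` key in the msk section, but it diverges from the efs section above, which reports `resource_name` through `tf_lib.get_resource_name(...)`; when `cluster_name` is a variable reference or interpolation, the BOM row will presumably carry that expression verbatim rather than a resolved name. If the helper was not dropped deliberately, keeping `"resource_name": tf_lib.get_specific_resource_name(aws_msk_cluster_resource, "aws_msk_cluster", name),` and deleting the `cluster_name` line instead keeps the two sections consistent. The enclosing `bom_output` object continues outside the hunk.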
@@ -57,43 +57,43 @@ CxPolicy[result] { } } -get_accessibility(resource) = info{ +get_accessibility(resource) = info { resource.publicly_accessible == true info := "public" -} else = info{ +} else = info { info := "private" } -get_db_instance_encryption(resource)=encryption{ +get_db_instance_encryption(resource) = encryption { resource.storage_encrypted == true encryption := "encrypted" -} else = encryption{ +} else = encryption { encryption := "unencrypted" } -get_rds_cluster_encryption(resource)=encryption{ +get_rds_cluster_encryption(resource) = encryption { resource.storage_encrypted == true encryption := "encrypted" -} else = encryption{ +} else = encryption { resource.engine_mode == "serverless" not common_lib.valid_key(resource, "storage_encrypted") encryption := "encrypted" -} else = encryption{ +} else = encryption { encryption := "unencrypted" } -get_rds_cluster_instance_encryption(resource)=encryption{ - cluster_name := split(resource.cluster_identifier, ".")[1] +get_rds_cluster_instance_encryption(resource) = encryption { + cluster_name := split(resource.cluster_identifier, ".")[1] cluster_resource := input.document[_].resource.aws_rds_cluster[cluster_name] encryption := get_rds_cluster_encryption(resource) } -get_rds_cluster_instance_engine(resource) = engine{ - cluster_name := split(resource.engine, ".")[1] +get_rds_cluster_instance_engine(resource) = engine { + cluster_name := split(resource.engine, ".")[1] cluster_resource := input.document[_].resource.aws_rds_cluster[cluster_name] engine := cluster_resource.engine -} else = engine{ - cluster_name := split(resource.engine, ".")[1] +} else = engine { + cluster_name := split(resource.engine, ".")[1] cluster_resource := input.document[_].resource.aws_rds_cluster[cluster_name] not common_lib.valid_key(cluster_resource, "engine") engine := "unknown" 
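Review bot: In `get_rds_cluster_instance_encryption`, `cluster_resource` is resolved from `aws_rds_cluster[cluster_name]` but never used — the last line passes the instance, `encryption := get_rds_cluster_encryption(resource)`, so the result is derived from the instance's own `storage_encrypted`/`engine_mode` fields rather than the cluster's, and if the instance carries neither field every cluster instance lands in the `"unencrypted"` branch. The intended call is presumably `encryption := get_rds_cluster_encryption(cluster_resource)`. The sibling `get_rds_cluster_instance_engine` does read `cluster_resource.engine`, which supports reading the instance variant as a slip rather than a choice.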
@@ -104,7 +104,7 @@ get_engine(resource) = engine { } else = engine { not common_lib.valid_key(resource, "snapshot_identifier") replicate_source_db := resource.replicate_source_db - source_db_name := split(replicate_source_db, ".")[1] + source_db_name := split(replicate_source_db, ".")[1] source_db := input.document[_].resource.aws_db_instance[source_db_name] engine := source_db.engine } else = engine { diff --git a/assets/queries/terraform/aws_bom/s3_bucket/query.rego b/assets/queries/terraform/aws_bom/s3_bucket/query.rego index cebd2722ffe..da7cb9d2e26 100644 --- a/assets/queries/terraform/aws_bom/s3_bucket/query.rego +++ b/assets/queries/terraform/aws_bom/s3_bucket/query.rego @@ -34,19 +34,19 @@ CxPolicy[result] { get_bucket_acl(bucket_resource, s3BucketName) = acl { # version before TF AWS 4.0 acl := bucket_resource.acl -} else = acl { +} else = acl { # version after TF AWS 4.0 bucketAcl := input.document[_].resource.aws_s3_bucket_acl[_] split(bucketAcl.bucket, ".")[1] == s3BucketName acl := bucketAcl.acl -} else = acl { +} else = acl { # version after TF AWS 4.0 bucketAcl := input.document[_].resource.aws_s3_bucket_acl[_] split(bucketAcl.bucket, ".")[1] == s3BucketName not common_lib.valid_key(bucketAcl, "acl") not common_lib.valid_key(bucketAcl, "access_control_policy") acl := "unknown" -} else = acl { +} else = acl { # version after TF AWS 4.0 bucketAcl := input.document[_].resource.aws_s3_bucket_acl[_] split(bucketAcl.bucket, ".")[1] == s3BucketName @@ -61,7 +61,7 @@ get_bucket_acl(bucket_resource, s3BucketName) = acl { is_public_access_blocked(s3BucketPublicAccessBlock) { s3BucketPublicAccessBlock.block_public_acls == true - s3BucketPublicAccessBlock.block_public_policy == true + s3BucketPublicAccessBlock.block_public_policy == true } get_accessibility(bucket, bucketName) = accessibility { 
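Review bot: `is_public_access_blocked` in the s3_bucket section declares the block complete after checking only `block_public_acls` and `block_public_policy`; the `aws_s3_bucket_public_access_block` resource also has `ignore_public_acls` and `restrict_public_buckets`, and with only the first two set a pre-existing public ACL is still honoured and a bucket policy that already grants public access still applies, so `get_accessibility` can report `private` for a reachable bucket. Consider requiring all four by adding `s3BucketPublicAccessBlock.ignore_public_acls == true` and `s3BucketPublicAccessBlock.restrict_public_buckets == true` under the existing two lines, or add a comment stating why two are treated as sufficient. The caller `get_accessibility` begins after this hunk.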
@@ -73,28 +73,30 @@ get_accessibility(bucket, bucketName) = accessibility { accessibility = {"accessibility": "private", "policy": acc.policy} } else = accessibility { # cases when there is a unrestriced policy - acc := tf_lib.get_accessibility(bucket, bucketName, "aws_s3_bucket_policy", "bucket") - # last cases: acl definition - acl:= get_bucket_acl(bucket, bucketName) + acc := tf_lib.get_accessibility(bucket, bucketName, "aws_s3_bucket_policy", "bucket") + + # last cases: acl definition + acl := get_bucket_acl(bucket, bucketName) acl == "private" - accessibility = {"accessibility": "private", "policy": acc.policy} + accessibility = {"accessibility": "private", "policy": acc.policy} } else = accessibility { # cases when there is a unrestriced policy - acc := tf_lib.get_accessibility(bucket, bucketName, "aws_s3_bucket_policy", "bucket") - acc.accessibility == "hasPolicy" - accessibility = {"accessibility": acc.accessibility, "policy": acc.policy} + acc := tf_lib.get_accessibility(bucket, bucketName, "aws_s3_bucket_policy", "bucket") + acc.accessibility == "hasPolicy" + accessibility = {"accessibility": acc.accessibility, "policy": acc.policy} } else = accessibility { # cases when there is a unrestriced policy - acc := tf_lib.get_accessibility(bucket, bucketName, "aws_s3_bucket_policy", "bucket") - # last cases: acl definition - acl:= get_bucket_acl(bucket, bucketName) + acc := tf_lib.get_accessibility(bucket, bucketName, "aws_s3_bucket_policy", "bucket") + + # last cases: acl definition + acl := get_bucket_acl(bucket, bucketName) acl != "private" - accessibility = {"accessibility": "public", "policy": acc.policy} + accessibility = {"accessibility": "public", "policy": acc.policy} } else = accessibility { # cases when there is a unrestriced policy - acc := tf_lib.get_accessibility(bucket, bucketName, "aws_s3_bucket_policy", "bucket") - acc.accessibility != "hasPolicy" - accessibility = {"accessibility": acc.accessibility, "policy": acc.policy} + acc := 
tf_lib.get_accessibility(bucket, bucketName, "aws_s3_bucket_policy", "bucket") + acc.accessibility != "hasPolicy" + accessibility = {"accessibility": acc.accessibility, "policy": acc.policy} } get_encryption_if_exists(bucket_resource, s3BucketName) = encryption { diff --git a/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/query.rego b/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/query.rego index 8deeea2733f..609d4bb2520 100644 --- a/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/query.rego +++ b/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/query.rego @@ -22,6 +22,4 @@ adAdminExists(server_name, resource_group, n) { } else { ad_admin := input.document[i].resource.azurerm_sql_active_directory_administrator[name] ad_admin.server_name == sprintf("${azurerm_sql_server.%s.name}", [n]) -} else = false { - true -} +} else = false diff --git a/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/query.rego b/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/query.rego index 08388c64dbc..6b854ce5fba 100644 --- a/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/query.rego +++ b/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.azurerm_container_registry[name] 
@@ -13,13 +13,13 @@ CxPolicy[result] { "resourceType": "azurerm_container_registry", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("azurerm_container_registry[%s].admin_enabled", [name]), - "searchLine": common_lib.build_search_line(["resource","azurerm_container_registry", name, "admin_enabled"], []), + "searchLine": common_lib.build_search_line(["resource", "azurerm_container_registry", name, "admin_enabled"], []), "issueType": "IncorrectValue", "keyExpectedValue": "'admin_enabled' equal 'false'", "keyActualValue": "'admin_enabled' equal 'true'", "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/query.rego b/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/query.rego index 691ae8604a4..5cb88e1d4da 100644 --- a/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/query.rego +++ b/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/query.rego @@ -21,9 +21,8 @@ CxPolicy[result] { } } - -is_not_ephemeral(cluster){ - not common_lib.valid_key(cluster.default_node_pool, "os_disk_type") +is_not_ephemeral(cluster) { + not common_lib.valid_key(cluster.default_node_pool, "os_disk_type") } else { disk_type := cluster.default_node_pool.os_disk_type disk_type != "Ephemeral" diff --git a/assets/queries/terraform/azure/aks_network_policy_misconfigured/query.rego b/assets/queries/terraform/azure/aks_network_policy_misconfigured/query.rego index 281dade1e69..bc5479fbc30 100644 --- a/assets/queries/terraform/azure/aks_network_policy_misconfigured/query.rego +++ b/assets/queries/terraform/azure/aks_network_policy_misconfigured/query.rego 
@@ -15,13 +15,13 @@ CxPolicy[result] { "resourceType": "azurerm_kubernetes_cluster", "resourceName": tf_lib.get_resource_name(cluster, name), "searchKey": sprintf("azurerm_kubernetes_cluster[%s].network_profile.network_policy", [name]), - "searchLine": common_lib.build_search_line(["resource","azurerm_kubernetes_cluster", name, "network_profile", "network_policy"], []), + "searchLine": common_lib.build_search_line(["resource", "azurerm_kubernetes_cluster", name, "network_profile", "network_policy"], []), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'azurerm_kubernetes_cluster[%s].network_profile.network_policy' should be either 'azure' or 'calico'", [name]), "keyActualValue": sprintf("'azurerm_kubernetes_cluster[%s].network_profile.network_policy' is %s", [name, policy]), "remediation": json.marshal({ "before": sprintf("%s", [policy]), - "after": "azure" + "after": "azure", }), "remediationType": "replacement", } @@ -37,7 +37,7 @@ CxPolicy[result] { "resourceType": "azurerm_kubernetes_cluster", "resourceName": tf_lib.get_resource_name(cluster, name), "searchKey": sprintf("azurerm_kubernetes_cluster[%s].network_profile", [name]), - "searchLine": common_lib.build_search_line(["resource","azurerm_kubernetes_cluster", name, "network_profile"], []), + "searchLine": common_lib.build_search_line(["resource", "azurerm_kubernetes_cluster", name, "network_profile"], []), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("'azurerm_kubernetes_cluster[%s].network_profile.network_policy' should be set to either 'azure' or 'calico'", [name]), "keyActualValue": sprintf("'azurerm_kubernetes_cluster[%s].network_profile.network_policy' is undefined", [name]), 
@@ -55,7 +55,7 @@ CxPolicy[result] {
 "resourceType": "azurerm_kubernetes_cluster",
 "resourceName": tf_lib.get_resource_name(cluster, name),
 "searchKey": sprintf("azurerm_kubernetes_cluster[%s]", [name]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_kubernetes_cluster", name], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_kubernetes_cluster", name], []),
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'azurerm_kubernetes_cluster[%s].network_profile' should be set", [name]),
 "keyActualValue": sprintf("'azurerm_kubernetes_cluster[%s].network_profile' is undefined", [name]),
diff --git a/assets/queries/terraform/azure/aks_private_cluster_disabled/query.rego b/assets/queries/terraform/azure/aks_private_cluster_disabled/query.rego
index 7bc9c6c6b62..f99acd9f74d 100644
--- a/assets/queries/terraform/azure/aks_private_cluster_disabled/query.rego
+++ b/assets/queries/terraform/azure/aks_private_cluster_disabled/query.rego
@@ -38,7 +38,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "azurerm_kubernetes_cluster", name, "private_cluster_enabled"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/aks_rbac_disabled/query.rego b/assets/queries/terraform/azure/aks_rbac_disabled/query.rego
index d1e1845c0cf..32a74fc75c4 100644
--- a/assets/queries/terraform/azure/aks_rbac_disabled/query.rego
+++ b/assets/queries/terraform/azure/aks_rbac_disabled/query.rego
@@ -16,13 +16,13 @@ CxPolicy[result] { "resourceType": "azurerm_kubernetes_cluster", "resourceName": tf_lib.get_resource_name(cluster, name), "searchKey": sprintf("azurerm_kubernetes_cluster[%s].role_based_access_control.enabled", [name]), - "searchLine": common_lib.build_search_line(["resource","azurerm_kubernetes_cluster", name ,"role_based_access_control", "enabled"], []), + "searchLine": common_lib.build_search_line(["resource", "azurerm_kubernetes_cluster", name, "role_based_access_control", "enabled"], []), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'azurerm_kubernetes_cluster[%s].role_based_access_control.enabled' should be set to true", [name]), "keyActualValue": sprintf("'azurerm_kubernetes_cluster[%s].role_based_access_control.enabled' is not set to true", [name]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } @@ -31,7 +31,7 @@ CxPolicy[result] { CxPolicy[result] { cluster := input.document[i].resource.azurerm_kubernetes_cluster[name] - # after azurerm 3.0 + # after azurerm 3.0 cluster.role_based_access_control_enabled != true result := { 
@@ -39,15 +39,14 @@ CxPolicy[result] { "resourceType": "azurerm_kubernetes_cluster", "resourceName": tf_lib.get_resource_name(cluster, name), "searchKey": sprintf("azurerm_kubernetes_cluster[%s].role_based_access_control_enabled", [name]), - "searchLine": common_lib.build_search_line(["resource","azurerm_kubernetes_cluster", name ,"role_based_access_control_enabled"], []), + "searchLine": common_lib.build_search_line(["resource", "azurerm_kubernetes_cluster", name, "role_based_access_control_enabled"], []), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'azurerm_kubernetes_cluster[%s].role_based_access_control_enabled' should be set to true", [name]), "keyActualValue": sprintf("'azurerm_kubernetes_cluster[%s].role_based_access_control_enabled' is not set to true", [name]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } } - diff --git a/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/query.rego b/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/query.rego index 582e116642f..f972de2ab8b 100644 --- a/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/query.rego +++ b/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/query.rego @@ -22,7 +22,6 @@ CxPolicy[result] { } CxPolicy[result] { - # before azurerm 3.0 cluster := input.document[i].resource.azurerm_kubernetes_cluster[name].addon_profile.azure_policy @@ -39,14 +38,13 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "azurerm_kubernetes_cluster", name, "addon_profile", "azure_policy", "enabled"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } } CxPolicy[result] { - # after azurerm 3.0 cluster := input.document[i].resource.azurerm_kubernetes_cluster[name] 
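Review bot: The `# before azurerm 3.0` and `# after azurerm 3.0` comments dropped in this hunk and in the preceding `@@ -22,7 +22,6 @@` hunk were the only explanation of why this file carries two near-identical rules, one over `addon_profile.azure_policy` and one over `azure_policy_enabled`; the same commit keeps the equivalent `# after azurerm 3.0` comment in aks_rbac_disabled/query.rego, so removing them here looks accidental rather than part of the reformat. Restoring them as `# before azurerm 3.0 (addon_profile.azure_policy)` above the first rule and `# after azurerm 3.0 (azure_policy_enabled)` above the second keeps the provider-version split documented for whoever retires the pre-3.0 rule later. Both CxPolicy rules start or end outside the hunk.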
@@ -63,7 +61,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "azurerm_kubernetes_cluster", name, "azure_policy_enabled"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/azure/app_service_authentication_disabled/query.rego b/assets/queries/terraform/azure/app_service_authentication_disabled/query.rego index 03d7f51a1e1..495eff8d646 100644 --- a/assets/queries/terraform/azure/app_service_authentication_disabled/query.rego +++ b/assets/queries/terraform/azure/app_service_authentication_disabled/query.rego @@ -14,7 +14,7 @@ CxPolicy[result] { "resourceType": "azurerm_app_service", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("azurerm_app_service[%s]", [name]), - "searchLine": common_lib.build_search_line(["resource","azurerm_app_service", name], []), + "searchLine": common_lib.build_search_line(["resource", "azurerm_app_service", name], []), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("'azurerm_app_service[%s].auth_settings' should be defined", [name]), "keyActualValue": sprintf("'azurerm_app_service[%s].auth_settings' is undefined", [name]), 
@@ -34,13 +34,13 @@ CxPolicy[result] { "resourceType": "azurerm_app_service", "resourceName": tf_lib.get_resource_name(resource, name), "searchKey": sprintf("azurerm_app_service[%s].auth_settings.enabled", [name]), - "searchLine": common_lib.build_search_line(["resource","azurerm_app_service", name, "auth_settings", "enabled"], []), + "searchLine": common_lib.build_search_line(["resource", "azurerm_app_service", name, "auth_settings", "enabled"], []), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'azurerm_app_service[%s].auth_settings.enabled' should be true", [name]), "keyActualValue": sprintf("'azurerm_app_service[%s].auth_settings.enabled' is false", [name]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/azure/app_service_http2_disabled/query.rego b/assets/queries/terraform/azure/app_service_http2_disabled/query.rego index 07e39fefa97..8ca01f6263e 100644 --- a/assets/queries/terraform/azure/app_service_http2_disabled/query.rego +++ b/assets/queries/terraform/azure/app_service_http2_disabled/query.rego @@ -57,7 +57,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "azurerm_app_service", name, "site_config", "http2_enabled"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/azure/app_service_managed_identity_disabled/query.rego b/assets/queries/terraform/azure/app_service_managed_identity_disabled/query.rego index 93b52a99b10..c188601a05e 100644 --- a/assets/queries/terraform/azure/app_service_managed_identity_disabled/query.rego +++ b/assets/queries/terraform/azure/app_service_managed_identity_disabled/query.rego @@ -19,4 +19,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "azurerm_app_service", name], []), } } - 
diff --git a/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/query.rego b/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/query.rego index 9c312229f34..9775de18b1e 100644 --- a/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/query.rego +++ b/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/query.rego @@ -20,7 +20,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "azurerm_app_service", name, "site_config", "min_tls_version"], []), "remediation": json.marshal({ "before": sprintf("%.1f", [app.site_config.min_tls_version]), - "after": "1.3" + "after": "1.3", }), "remediationType": "replacement", } @@ -43,7 +43,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "azurerm_app_service", name, "site_config", "min_tls_version"], []), "remediation": json.marshal({ "before": sprintf("%s", [app.site_config.min_tls_version]), - "after": "1.3" + "after": "1.3", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/azure/app_service_without_latest_php_version/query.rego b/assets/queries/terraform/azure/app_service_without_latest_php_version/query.rego index 07ec3a9c321..7bfcf6671ed 100644 --- a/assets/queries/terraform/azure/app_service_without_latest_php_version/query.rego +++ b/assets/queries/terraform/azure/app_service_without_latest_php_version/query.rego @@ -7,8 +7,8 @@ import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.azurerm_app_service[name] php_version := resource.site_config.php_version - to_number(php_version) != 8.1 - + to_number(php_version) != 8.1 + result := { "documentId": input.document[i].id, "resourceType": "azurerm_app_service", 
@@ -24,9 +24,9 @@ CxPolicy[result] { # After 3.0, for windows CxPolicy[result] { resource := input.document[i].resource.azurerm_windows_web_app[name] - php_version := resource.site_config.application_stack.php_version + php_version := resource.site_config.application_stack.php_version php_version != "v8.1" - + result := { "documentId": input.document[i].id, "resourceType": "azurerm_windows_web_app", @@ -42,9 +42,9 @@ CxPolicy[result] { # After 3.0, for linux CxPolicy[result] { resource := input.document[i].resource.azurerm_linux_web_app[name] - php_version := resource.site_config.application_stack.php_version + php_version := resource.site_config.application_stack.php_version to_number(php_version) != 8.1 - + result := { "documentId": input.document[i].id, "resourceType": "azurerm_linux_web_app", diff --git a/assets/queries/terraform/azure/app_service_without_latest_python_version/query.rego b/assets/queries/terraform/azure/app_service_without_latest_python_version/query.rego index fe96b985684..51e32a1c05d 100644 --- a/assets/queries/terraform/azure/app_service_without_latest_python_version/query.rego +++ b/assets/queries/terraform/azure/app_service_without_latest_python_version/query.rego @@ -7,8 +7,8 @@ import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.azurerm_app_service[name] python_version := resource.site_config.python_version - to_number(python_version) != 3.10 - + to_number(python_version) != 3.10 + result := { "documentId": input.document[i].id, "resourceType": "azurerm_app_service", @@ -24,9 +24,9 @@ CxPolicy[result] { # After 3.0, for windows CxPolicy[result] { resource := input.document[i].resource.azurerm_windows_web_app[name] - python_version := resource.site_config.application_stack.python_version + python_version := resource.site_config.application_stack.python_version python_version != "v3.10" - + result := { "documentId": input.document[i].id, "resourceType": "azurerm_windows_web_app", 
@@ -42,9 +42,9 @@ CxPolicy[result] { # After 3.0, for linux CxPolicy[result] { resource := input.document[i].resource.azurerm_linux_web_app[name] - python_version := resource.site_config.application_stack.python_version + python_version := resource.site_config.application_stack.python_version to_number(python_version) != 3.10 - + result := { "documentId": input.document[i].id, "resourceType": "azurerm_linux_web_app", diff --git a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/query.rego b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/query.rego index d99d07bb214..289756da90f 100644 --- a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/query.rego +++ b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/query.rego @@ -5,9 +5,9 @@ import data.generic.terraform as tf_lib CxPolicy[result] { doc := input.document[i] - resource := doc.resource.azurerm_app_service[name] + resource := doc.resource.azurerm_app_service[name] - not common_lib.valid_key(resource, "client_cert_enabled") + not common_lib.valid_key(resource, "client_cert_enabled") result := { "documentId": doc.id, @@ -17,7 +17,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("'azurerm_app_service[%s].client_cert_enabled' should be defined", [name]), "keyActualValue": sprintf("'azurerm_app_service[%s].client_cert_enabeld' is undefined", [name]), - "searchLine": common_lib.build_search_line(["resource","azurerm_app_service" ,name], []), + "searchLine": common_lib.build_search_line(["resource", "azurerm_app_service", name], []), "remediation": "client_cert_enabled = true", "remediationType": "addition", } @@ -25,7 +25,7 @@ CxPolicy[result] { CxPolicy[result] { doc := input.document[i] - resource := doc.resource.azurerm_app_service[name] + resource := doc.resource.azurerm_app_service[name] resource.client_cert_enabled == false 
@@ -37,10 +37,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'azurerm_app_service[%s].client_cert_enabled' is true", [name]), "keyActualValue": sprintf("'azurerm_app_service[%s].client_cert_enabled' is false", [name]), - "searchLine": common_lib.build_search_line(["resource","azurerm_app_service" ,name, "client_cert_enabeld"], []), + "searchLine": common_lib.build_search_line(["resource", "azurerm_app_service", name, "client_cert_enabeld"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/query.rego b/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/query.rego index c6983fdcdce..0a14fd8b498 100644 --- a/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/query.rego +++ b/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/query.rego @@ -38,7 +38,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "azurerm_search_service", name, "public_network_access_enabled"], []), "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/query.rego b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/query.rego index 678a196bb42..8d8f6184588 100644 --- a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/query.rego +++ b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/query.rego 
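Review bot: The reformatted `searchLine` on the new side of this hunk still ends its path with `"client_cert_enabeld"`, while the rule body matches on `resource.client_cert_enabled == false` (see the `@@ -25,7 +25,7 @@` hunk of this file); a path segment that does not exist in the resource presumably cannot be resolved to a line, so the finding's location will be wrong. Since the line was already being touched, `"searchLine": common_lib.build_search_line(["resource", "azurerm_app_service", name, "client_cert_enabled"], []),` corrects it. The `keyActualValue` message in the earlier `@@ -17,7 +17,7 @@` hunk carries the same misspelling on a context line. The CxPolicy rule starts outside the hunk.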
@@ -1,13 +1,13 @@ package Cx -import future.keywords.if import data.generic.terraform as tf_lib +import future.keywords.if CxPolicy[result] { vm := input.document[i].resource.azurerm_virtual_machine[name] - object.get(vm, "os_profile_linux_config", false) + object.get(vm, "os_profile_linux_config", false) vm.os_profile_linux_config.disable_password_authentication == false - resource_type := "azurerm_virtual_machine" + resource_type := "azurerm_virtual_machine" result := { "documentId": input.document[i].id, "resourceType": resource_type, @@ -22,7 +22,7 @@ CxPolicy[result] { CxPolicy[result] { vm := input.document[i].resource.azurerm_linux_virtual_machine[name] vm.disable_password_authentication == false - resource_type := "azurerm_linux_virtual_machine" + resource_type := "azurerm_linux_virtual_machine" result := { "documentId": input.document[i].id, "resourceType": resource_type, diff --git a/assets/queries/terraform/azure/dashboard_is_enabled/query.rego b/assets/queries/terraform/azure/dashboard_is_enabled/query.rego index ec8a9cbcbfa..988740ef9f6 100644 --- a/assets/queries/terraform/azure/dashboard_is_enabled/query.rego +++ b/assets/queries/terraform/azure/dashboard_is_enabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { cluster := input.document[i].resource.azurerm_kubernetes_cluster[name] 
@@ -18,10 +18,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'azurerm_kubernetes_cluster[%s].addon_profile.kube_dashboard.enabled' should be set to false or undefined", [name]), "keyActualValue": sprintf("'azurerm_kubernetes_cluster[%s].addon_profile.kube_dashboard.enabled' is true", [name]), - "searchLine": common_lib.build_search_line(["resource","azurerm_kubernetes_cluster" ,name, "addon_profile", "kube_dashboard", "enabled"], []), + "searchLine": common_lib.build_search_line(["resource", "azurerm_kubernetes_cluster", name, "addon_profile", "kube_dashboard", "enabled"], []), "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/notquery.rego b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/notquery.rego index 60dba683ff9..d67c58c5bf4 100644 --- a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/notquery.rego +++ b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/notquery.rego 
@@ -1,18 +1,18 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib import future.keywords.every import future.keywords.in CxPolicy[result] { - resource := input.document[i].resource.azurerm_storage_account[var0] + resource := input.document[i].resource.azurerm_storage_account[var0] resource_name := tf_lib.get_resource_name(resource, var0) networkRules := input.document[i].resource.azurerm_storage_account_network_rules[var1] - networkRules.storage_account_id == sprintf("${azurerm_storage_account.%s.id}", [var0]) - lower(networkRules.default_action) == "allow" + networkRules.storage_account_id == sprintf("${azurerm_storage_account.%s.id}", [var0]) + lower(networkRules.default_action) == "allow" - result := { + result := { "documentId": input.document[i].id, "resourceType": "azurerm_storage_account", "resourceName": resource_name, @@ -30,13 +30,13 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.azurerm_storage_account[var0] + resource := input.document[i].resource.azurerm_storage_account[var0] resource_name := tf_lib.get_resource_name(resource, var0) - not has_net_rules_obj(resource_name, input.document[i]) - net_rules := object.get(resource, "network_rules", {}) - lower(net_rules.default_action) == "allow" + not has_net_rules_obj(resource_name, input.document[i]) + net_rules := object.get(resource, "network_rules", {}) + lower(net_rules.default_action) == "allow" - result := { + result := { "documentId": input.document[i].id, "resourceType": "azurerm_storage_account", "resourceName": resource_name, 
@@ -54,12 +54,12 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.azurerm_storage_account[var0] - resource_name := tf_lib.get_resource_name(resource, var0) - has_key(resource, "public_network_access_enabled") - resource.public_network_access_enabled + resource := input.document[i].resource.azurerm_storage_account[var0] + resource_name := tf_lib.get_resource_name(resource, var0) + "public_network_access_enabled" in object.keys(resource) + resource.public_network_access_enabled - result := { + result := { "documentId": input.document[i].id, "resourceType": "azurerm_storage_account", "resourceName": resource_name, @@ -77,11 +77,11 @@ CxPolicy[result] { } CxPolicy[result] { - resource := input.document[i].resource.azurerm_storage_account[var0] - resource_name := tf_lib.get_resource_name(resource, var0) - not has_key(resource, "public_network_access_enabled") + resource := input.document[i].resource.azurerm_storage_account[var0] + resource_name := tf_lib.get_resource_name(resource, var0) + not "public_network_access_enabled" in object.keys(resource) - result := { + result := { "documentId": input.document[i].id, "resourceType": "azurerm_storage_account", "resourceName": resource_name, @@ -95,13 +95,9 @@ CxPolicy[result] { } } -has_key(x, k) { - _ = x[k] -} - -has_net_rules_obj(res_name, all_resources) = true { - has_key(all_resources, "azurerm_storage_account_network_rules") +has_net_rules_obj(res_name, all_resources) { + "azurerm_storage_account_network_rules" in object.keys(all_resources) every rule in all_resources.resource.azurerm_storage_account_network_rules { - rule.storage_account_id != sprintf("${azurerm_storage_account.%s.id}", [res_name]) - } + rule.storage_account_id != sprintf("${azurerm_storage_account.%s.id}", [res_name]) + } } else = false 
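Review bot: `"public_network_access_enabled" in object.keys(resource)` on the new side of this hunk is redundant: the next line, `resource.public_network_access_enabled`, is undefined when the key is absent and false when the value is false, so the rule body already fails in both cases without the membership test. Dropping that line leaves behaviour unchanged and avoids the pattern Regal's redundant-existence-check rule is meant to catch (set to ignore in the config this commit adds). The complementary `not "public_network_access_enabled" in object.keys(resource)` in the `@@ -77,11 +77,11 @@` hunk is not redundant and should stay. Both CxPolicy rules end outside their hunks.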
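Review bot: The key lookup in the new `has_net_rules_obj` body inspects the wrong object: `"azurerm_storage_account_network_rules" in object.keys(all_resources)` tests the document the callers pass in (`input.document[i]`), while the `every` on the next line iterates `all_resources.resource.azurerm_storage_account_network_rules`, and the first rule in this file reads the same resources under `.resource`. Unless the document also carries that key at its top level, the test fails, the `else = false` branch fires, and the callers' `not has_net_rules_obj(...)` guard never excludes anything, so the inline-rules check runs regardless of whether a separate network-rules resource exists. The old `has_key(all_resources, ...)` had the same mismatch, so this is a ported defect rather than a regression; `"azurerm_storage_account_network_rules" in object.keys(all_resources.resource)` would make the two lines agree. Note also that the first rule compares `storage_account_id` against the Terraform label `var0`, whereas the second passes `resource_name` from `tf_lib.get_resource_name` into the same `sprintf` pattern; if those two values can differ, the comparison inside `has_net_rules_obj` will not match the way the first rule does.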
diff --git a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/query.rego b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/query.rego index 9d95feed8d1..56a6ce8dc72 100644 --- a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/query.rego +++ b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/query.rego @@ -1,7 +1,8 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { resource := input.document[i].resource.azurerm_storage_account[var0] @@ -28,7 +29,7 @@ CxPolicy[result] { } prepare_issue(res1, res2, resource_id, rules_type, rules_key) = issue { - res1 == "not defined" + res1 == "not defined" res2 == "not defined" issue := { "kav": "azurerm_storage_account.public_network_access_enabled is not set (default is 'true')", @@ -40,8 +41,8 @@ prepare_issue(res1, res2, resource_id, rules_type, rules_key) = issue { "remediationType": "addition", } } else = issue { - res1 == "enabled" - issue := { + res1 == "enabled" + issue := { "kav": "azurerm_storage_account.public_network_access_enabled set to 'true'", "kev": "azurerm_storage_account.public_network_access_enabled should be set to 'false'", "searchLine": common_lib.build_search_line(["resource", "azurerm_storage_account", resource_id, "public_network_access_enabled"], []), @@ -54,9 +55,9 @@ prepare_issue(res1, res2, resource_id, rules_type, rules_key) = issue { "remediationType": "replacement", } } else = issue { - res2 == "allow" - rules_type == "inline" - issue := { + res2 == "allow" + rules_type == "inline" + issue := { "kav": "azurerm_storage_account.network_rules.default_action is set to 'Allow'", "kev": "azurerm_storage_account.network_rules.default_action should be set to 'Deny'", "issueType": "IncorrectValue", 
@@ -64,14 +65,14 @@ prepare_issue(res1, res2, resource_id, rules_type, rules_key) = issue { "before": "Allow", "after": "Deny", }), - "searchLine": common_lib.build_search_line(["resource", "azurerm_storage_account", resource_id, "network_rules", "default_action"], []), - "searchKey": sprintf("azurerm_storage_account[%s].network_rules.default_action", [resource_id]), - "remediationType": "replacement", + "searchLine": common_lib.build_search_line(["resource", "azurerm_storage_account", resource_id, "network_rules", "default_action"], []), + "searchKey": sprintf("azurerm_storage_account[%s].network_rules.default_action", [resource_id]), + "remediationType": "replacement", } } else = issue { - res2 == "allow" - rules_type == "object" - issue := { + res2 == "allow" + rules_type == "object" + issue := { "kav": "azurerm_storage_account_network_rules.default_action is set to 'Allow'", "kev": "azurerm_storage_account_network_rules.default_action should be set to 'Deny'", "issueType": "IncorrectValue", 
@@ -79,36 +80,36 @@ prepare_issue(res1, res2, resource_id, rules_type, rules_key) = issue { "before": "Allow", "after": "Deny", }), - "searchLine": common_lib.build_search_line(["resource", "azurerm_storage_account_network_rules", rules_key, "default_action"], []), - "searchKey": sprintf("azurerm_storage_account_network_rules[%s].default_action", [rules_key]), - "remediationType": "replacement", + "searchLine": common_lib.build_search_line(["resource", "azurerm_storage_account_network_rules", rules_key, "default_action"], []), + "searchKey": sprintf("azurerm_storage_account_network_rules[%s].default_action", [rules_key]), + "remediationType": "replacement", } } get_network_rules(storage_account, storage_account_name) = rules { networkRules := input.document[i].resource.azurerm_storage_account_network_rules[var1] - networkRules.storage_account_id == sprintf("${azurerm_storage_account.%s.id}", [storage_account_name]) - rules := { - "rules": object.union(networkRules, {"name": var1}), - "type": "object", - "key": var1 - } + networkRules.storage_account_id == sprintf("${azurerm_storage_account.%s.id}", [storage_account_name]) + rules := { + "rules": object.union(networkRules, {"name": var1}), + "type": "object", + "key": var1, + } } else = rules { rules := { - "rules": storage_account.network_rules, - "type": "inline", - "key": null - } + "rules": storage_account.network_rules, + "type": "inline", + "key": null, + } } else = rules { rules := { - "rules": null, - "type": null, - "key": null + "rules": null, + "type": null, + "key": null, } } publicNetworkAccessEnabled(sa) = reason { - not has_key(sa, "public_network_access_enabled") + not "public_network_access_enabled" in object.keys(sa) reason := "not defined" } else = reason { sa.public_network_access_enabled == true @@ -122,7 +123,3 @@ aclsDefaultActionAllow(network_rules) = reason { lower(network_rules.default_action) == "allow" reason := "allow" } - -has_key(x, k) { - _ = x[k] -} 
diff --git a/assets/queries/terraform/azure/email_alerts_disabled/query.rego b/assets/queries/terraform/azure/email_alerts_disabled/query.rego index 1d639f0fdb4..f632358cd7f 100644 --- a/assets/queries/terraform/azure/email_alerts_disabled/query.rego +++ b/assets/queries/terraform/azure/email_alerts_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.azurerm_security_center_contact[name] @@ -19,7 +19,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "azurerm_security_center_contact", name, "alert_notifications"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/query.rego b/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/query.rego index bd7260c3a01..b1ea011df69 100644 --- a/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/query.rego +++ b/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/query.rego @@ -16,7 +16,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("azurerm_managed_disk[%s].encryption_settings should be defined and not null", [name]), "keyActualValue": sprintf("azurerm_managed_disk[%s].encryption_settings is undefined or null", [name]), - "searchLine": common_lib.build_search_line(["resource","azurerm_managed_disk" ,name], []), + "searchLine": common_lib.build_search_line(["resource", "azurerm_managed_disk", name], []), "remediation": "encryption_settings = {\n\t\t enabled= true\n\t}\n", "remediationType": "addition", } 
@@ -35,10 +35,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("azurerm_managed_disk[%s].encryption_settings.enabled should be true ", [name]), "keyActualValue": sprintf("azurerm_managed_disk[%s].encryption_settings.enabled is false", [name]), - "searchLine": common_lib.build_search_line(["resource","azurerm_managed_disk" ,name ,"encryption_settings", "enabled"], []), + "searchLine": common_lib.build_search_line(["resource", "azurerm_managed_disk", name, "encryption_settings", "enabled"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego b/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego index e25da9bfbb8..50faf901a67 100644 --- a/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego +++ b/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego @@ -38,7 +38,7 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name, "auth_settings", "enabled"], []), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego index ca2dc5858e6..f2f3859f7ce 100644 --- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego +++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/query.rego 
@@ -38,7 +38,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name, "client_cert_mode"], []),
 "remediation": json.marshal({
 "before": sprintf("%s", [function.client_cert_mode]),
- "after": "Required"
+ "after": "Required",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego
index 14988ab3938..18ffa37e062 100644
--- a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego
+++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego
@@ -38,7 +38,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name, "site_config", "ftps_state"], []),
 "remediation": json.marshal({
 "before": "AllAllowed",
- "after": "FtpsOnly"
+ "after": "FtpsOnly",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/query.rego b/assets/queries/terraform/azure/function_app_http2_disabled/query.rego
index dc6babd4894..cd29c8c67ce 100644
--- a/assets/queries/terraform/azure/function_app_http2_disabled/query.rego
+++ b/assets/queries/terraform/azure/function_app_http2_disabled/query.rego
@@ -57,7 +57,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name, "site_config", "http2_enabled"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego
index 6b9ac94eda2..5579f1df96d 100644
--- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego
+++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/query.rego
@@ -19,7 +19,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name, "site_config", "min_tls_version"], []),
 "remediation": json.marshal({
 "before": sprintf("%.1f", [to_number(app.site_config.min_tls_version)]),
- "after": "1.2"
+ "after": "1.2",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/geo_redundancy_is_disabled/query.rego b/assets/queries/terraform/azure/geo_redundancy_is_disabled/query.rego
index 06ffdb3b1d4..88538a6a157 100644
--- a/assets/queries/terraform/azure/geo_redundancy_is_disabled/query.rego
+++ b/assets/queries/terraform/azure/geo_redundancy_is_disabled/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'azurerm_postgresql_server.%s.geo_redundant_backup_enabled' should be set", [var0]),
 "keyActualValue": sprintf("'azurerm_postgresql_server.%s.geo_redundant_backup_enabled' is undefined", [var0]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_postgresql_server" ,var0], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_postgresql_server", var0], []),
 "remediation": "geo_redundant_backup_enabled = true",
 "remediationType": "addition",
 }
@@ -33,10 +33,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'azurerm_postgresql_server.%s.geo_redundant_backup_enabled' should be true", [var0]),
 "keyActualValue": sprintf("'azurerm_postgresql_server.%s.geo_redundant_backup_enabled' is false", [var0]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_postgresql_server" ,var0, "geo_redundant_backup_enabled"], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_postgresql_server", var0, "geo_redundant_backup_enabled"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/log_retention_is_not_set/query.rego b/assets/queries/terraform/azure/log_retention_is_not_set/query.rego
index bb0dfb325dc..21bb13073bf 100644
--- a/assets/queries/terraform/azure/log_retention_is_not_set/query.rego
+++ b/assets/queries/terraform/azure/log_retention_is_not_set/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.azurerm_postgresql_configuration[var0]
@@ -23,10 +23,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'azurerm_postgresql_configuration.%s.value' should be 'ON'", [var0]),
 "keyActualValue": sprintf("'azurerm_postgresql_configuration.%s.value' is 'OFF'", [var0]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_postgresql_configuration" ,var0, "value"], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_postgresql_configuration", var0, "value"], []),
 "remediation": json.marshal({
 "before": sprintf("%s", [resource.value]),
- "after": "ON"
+ "after": "ON",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/mariadb_public_network_access_enabled/query.rego b/assets/queries/terraform/azure/mariadb_public_network_access_enabled/query.rego
index 463ae09139d..d43283c7c6e 100644
--- a/assets/queries/terraform/azure/mariadb_public_network_access_enabled/query.rego
+++ b/assets/queries/terraform/azure/mariadb_public_network_access_enabled/query.rego
@@ -16,7 +16,7 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'azurerm_mariadb_server[%s].public_network_access_enabled' should be defined and not null", [name]),
 "keyActualValue": sprintf("'azurerm_mariadb_server[%s].public_network_access_enabled' is undefined or null", [name]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_mariadb_server" ,name], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_mariadb_server", name], []),
 "remediation": "public_network_access_enabled = true",
 "remediationType": "addition",
 }
@@ -38,7 +38,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "azurerm_mariadb_server", name, "public_network_access_enabled"], []),
 "remediation": json.marshal({
 "before": "true",
- "after": "false"
+ "after": "false",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/query.rego b/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/query.rego
index b84f92de476..5bc5a1fb46c 100644
--- a/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/query.rego
+++ b/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/query.rego
@@ -38,7 +38,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "azurerm_mariadb_server", name, "geo_redundant_backup_enabled"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
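Review bot: The `remediation` context line in the first mariadb_public_network_access_enabled hunk reads `"public_network_access_enabled = true"`, which for a finding named after public access being enabled would steer the user into the exposure it reports; the second hunk of the same file remediates the explicit case from `true` to `false`, and the mysql_server_public_access_enabled hunk in this diff uses `= false` for the same MissingAttribute shape. The reformat pass carries the value through unchanged, so it presumably should become `"remediation": "public_network_access_enabled = false",`. The enclosing CxPolicy rule starts outside the hunk, so whether the rule head already assumes a true default cannot be seen here.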
diff --git a/assets/queries/terraform/azure/mssql_server_auditing_disabled/query.rego b/assets/queries/terraform/azure/mssql_server_auditing_disabled/query.rego
index 29078294bc9..a605d67ce99 100644
--- a/assets/queries/terraform/azure/mssql_server_auditing_disabled/query.rego
+++ b/assets/queries/terraform/azure/mssql_server_auditing_disabled/query.rego
@@ -4,9 +4,9 @@ import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource
-
- server:= resource.azurerm_mssql_server[name]
-
+
+ server := resource.azurerm_mssql_server[name]
+
 not resource.azurerm_mssql_server_extended_auditing_policy[name]
 result := {
diff --git a/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/query.rego b/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/query.rego
index f234b86507b..092f69fda00 100644
--- a/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/query.rego
+++ b/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/query.rego
@@ -40,7 +40,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "azurerm_mssql_server", name, "public_network_access_enabled"], []),
 "remediation": json.marshal({
 "before": "true",
- "after": "false"
+ "after": "false",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/mysql_server_public_access_enabled/query.rego b/assets/queries/terraform/azure/mysql_server_public_access_enabled/query.rego
index a027a7b0462..0c40fd8167c 100644
--- a/assets/queries/terraform/azure/mysql_server_public_access_enabled/query.rego
+++ b/assets/queries/terraform/azure/mysql_server_public_access_enabled/query.rego
@@ -17,7 +17,7 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'azurerm_mysql_server[%s].public_network_access_enabled' should be defined", [name]),
 "keyActualValue": sprintf("'azurerm_mysql_server[%s].public_network_access_enabled' is undefined", [name]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_mysql_server" ,name], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_mysql_server", name], []),
 "remediation": "public_network_access_enabled = false",
 "remediationType": "addition",
 }
@@ -37,10 +37,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'azurerm_mysql_server[%s].public_network_access_enabled' should be set to false", [name]),
 "keyActualValue": sprintf("'azurerm_mysql_server[%s].public_network_access_enabled' is set to true", [name]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_mysql_server" ,name, "public_network_access_enabled"], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_mysql_server", name, "public_network_access_enabled"], []),
 "remediation": json.marshal({
 "before": "true",
- "after": "false"
+ "after": "false",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/mysql_ssl_connection_disabled/query.rego b/assets/queries/terraform/azure/mysql_ssl_connection_disabled/query.rego
index 6e04b13235f..133d372cc65 100644
--- a/assets/queries/terraform/azure/mysql_ssl_connection_disabled/query.rego
+++ b/assets/queries/terraform/azure/mysql_ssl_connection_disabled/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.azurerm_mysql_server[name]
@@ -18,7 +18,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "ssl_enforcement_enabled", name], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/network_watcher_flow_disabled/query.rego b/assets/queries/terraform/azure/network_watcher_flow_disabled/query.rego
index b2eeee66d4c..8b060da2f77 100644
--- a/assets/queries/terraform/azure/network_watcher_flow_disabled/query.rego
+++ b/assets/queries/terraform/azure/network_watcher_flow_disabled/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 network := input.document[i].resource.azurerm_network_watcher_flow_log[name]
@@ -18,7 +18,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "azurerm_network_watcher_flow_log", name, "enabled"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/query.rego b/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/query.rego
index af7372ad168..64cc68a7253 100644
--- a/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/query.rego
+++ b/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.azurerm_postgresql_configuration[var0]
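Review bot: The `searchLine` context line in the mysql_ssl_connection_disabled `@@ -18` hunk builds the path `["resource", "ssl_enforcement_enabled", name]`, which puts the attribute name in the slot every other query in this diff uses for the resource type and drops the attribute segment entirely, so the reported location presumably resolves to nothing in the scanned file. The comma reformat leaves that path untouched; the form consistent with the rule head in the file's first hunk (`azurerm_mysql_server[name]`) and with its siblings would be `"searchLine": common_lib.build_search_line(["resource", "azurerm_mysql_server", name, "ssl_enforcement_enabled"], []),`. The enclosing CxPolicy rule starts outside the hunk.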
@@ -23,10 +23,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'azurerm_postgresql_configuration.%s.value' should be 'ON'", [var0]),
 "keyActualValue": sprintf("'azurerm_postgresql_configuration.%s.value' is 'OFF'", [var0]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_postgresql_configuration" ,var0, "value"], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_postgresql_configuration", var0, "value"], []),
 "remediation": json.marshal({
 "before": sprintf("%s", [resource.value]),
- "after": "ON"
+ "after": "ON",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/postgresql_log_connections_not_set/query.rego b/assets/queries/terraform/azure/postgresql_log_connections_not_set/query.rego
index 95c5d97040f..d8c6356ab8b 100644
--- a/assets/queries/terraform/azure/postgresql_log_connections_not_set/query.rego
+++ b/assets/queries/terraform/azure/postgresql_log_connections_not_set/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.azurerm_postgresql_configuration[var0]
@@ -23,10 +23,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'azurerm_postgresql_configuration.%s.value' should be 'ON'", [var0]),
 "keyActualValue": sprintf("'azurerm_postgresql_configuration.%s.value' is 'OFF'", [var0]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_postgresql_configuration" ,var0, "value"], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_postgresql_configuration", var0, "value"], []),
 "remediation": json.marshal({
 "before": sprintf("%s", [resource.value]),
- "after": "ON"
+ "after": "ON",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/query.rego b/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/query.rego
index 188eec37202..a005215a00d 100644
--- a/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/query.rego
+++ b/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.azurerm_postgresql_configuration[var0]
@@ -23,10 +23,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'azurerm_postgresql_configuration.%s.value' should be 'ON'", [var0]),
 "keyActualValue": sprintf("'azurerm_postgresql_configuration.%s.value' is 'OFF'", [var0]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_postgresql_configuration",var0, "extended_auditing_policy"], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_postgresql_configuration", var0, "extended_auditing_policy"], []),
 "remediation": json.marshal({
 "before": sprintf("%s", [resource.value]),
- "after": "ON"
+ "after": "ON",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/postgresql_log_duration_not_set/query.rego b/assets/queries/terraform/azure/postgresql_log_duration_not_set/query.rego
index a71ed4a4f25..e3bf93e47cc 100644
--- a/assets/queries/terraform/azure/postgresql_log_duration_not_set/query.rego
+++ b/assets/queries/terraform/azure/postgresql_log_duration_not_set/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.azurerm_postgresql_configuration[x]
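Review bot: The reformatted `searchLine` in the postgresql_log_disconnections_not_set `@@ -23` hunk still ends its path with `"extended_auditing_policy"`, an attribute that belongs to the SQL audit queries, while the keyExpectedValue/keyActualValue lines just above and the `resource.value` remediation all refer to `.value`, and every sibling postgresql_log_* hunk in this diff ends the same path with `"value"`. That reads as a copy-paste leftover rather than an intended path, and this spacing pass is the natural place to correct it: `"searchLine": common_lib.build_search_line(["resource", "azurerm_postgresql_configuration", var0, "value"], []),`. The enclosing CxPolicy rule starts outside the hunk.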
@@ -23,10 +23,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'azurerm_postgresql_configuration.%s.value' should be 'ON'", [x]),
 "keyActualValue": sprintf("'azurerm_postgresql_configuration.%s.value' is 'OFF'", [x]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_postgresql_configuration" ,x, "value"], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_postgresql_configuration", x, "value"], []),
 "remediation": json.marshal({
 "before": sprintf("%s", [resource.value]),
- "after": "ON"
+ "after": "ON",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/query.rego b/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/query.rego
index 0e95a665b72..8bbf44202fe 100644
--- a/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/query.rego
+++ b/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/query.rego
@@ -38,7 +38,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "azurerm_postgresql_server", name, "infrastructure_encryption_enabled"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/query.rego b/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/query.rego
index 997e9a6bc4b..bb4b7f700ef 100644
--- a/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/query.rego
+++ b/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/query.rego
@@ -38,7 +38,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "azurerm_postgresql_server", name, "threat_detection_policy", "enabled"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/query.rego b/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/query.rego
index ba8ca0e63bb..970a1a8874c 100644
--- a/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/query.rego
+++ b/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.azurerm_postgresql_configuration[var0]
@@ -23,10 +23,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'azurerm_postgresql_configuration.%s.value' should be 'ON'", [var0]),
 "keyActualValue": sprintf("'azurerm_postgresql_configuration.%s.value' is 'OFF'", [var0]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_postgresql_configuration" ,var0, "value"], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_postgresql_configuration", var0, "value"], []),
 "remediation": json.marshal({
 "before": sprintf("%s", [resource.value]),
- "after": "ON"
+ "after": "ON",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/public_storage_account/query.rego b/assets/queries/terraform/azure/public_storage_account/query.rego
index 73134a8514f..8ca65457921 100644
--- a/assets/queries/terraform/azure/public_storage_account/query.rego
+++ b/assets/queries/terraform/azure/public_storage_account/query.rego
@@ -84,7 +84,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "azurerm_storage_account", name, "allow_blob_public_access"], []),
 "remediation": json.marshal({
 "before": "true",
- "after": "false"
+ "after": "false",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/query.rego b/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/query.rego
index 3cbcdab062f..90808ebe677 100644
--- a/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/query.rego
+++ b/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/query.rego
@@ -6,7 +6,7 @@ CxPolicy[result] {
 resource := input.document[i].resource.azurerm_network_security_rule[var0]
 upper(resource.access) == "ALLOW"
 upper(resource.direction) == "INBOUND"
-
+
 isRelevantProtocol(resource.protocol)
 isRelevantPort(resource.destination_port_range)
 isRelevantAddressPrefix(resource.source_address_prefix)
@@ -29,7 +29,7 @@ isRelevantProtocol(protocol) = allow {
 }
 isRelevantPort(port) = allow {
- regex.match("(^|\\s|,)3389(-|,|$|\\s)", port)
+ regex.match(`(^|\s|,)3389(-|,|$|\s)`, port)
 allow = true
 }
diff --git a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/query.rego b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/query.rego
index 1f36411402c..8602f553b8b 100644
--- a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/query.rego
+++ b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 cache := input.document[i].resource.azurerm_redis_cache[name]
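Review bot: The raw-string rewrite of the 3389 pattern in isRelevantPort (rdp_is_exposed_to_the_internet, `@@ -29` hunk) is character-for-character the same expression as the escaped form it replaces, so behaviour is unchanged, but it is worth recording that the pattern only recognises an explicit `3389` token: a `destination_port_range` of `*` or a span such as `3000-4000` also exposes RDP and is not matched, so such rules go unreported unless something outside this hunk handles them. Whether that is a deliberate scope or a gap, a one-line comment above the match would save the next reader the same analysis, e.g. `# matches an explicit 3389 entry only; "*" and enclosing ranges are not detected`. The whole of isRelevantPort is inside the hunk; the CxPolicy rule in the `@@ -6` hunk continues outside it.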
@@ -15,10 +15,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'azurerm_redis_cache[%s].enable_non_ssl_port' should be set to false or undefined (false as default)", [name]),
 "keyActualValue": sprintf("'azurerm_redis_cache[%s].enable_non_ssl_port' is true", [name]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_redis_cache" ,name, "enable_non_ssl_port"], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_redis_cache", name, "enable_non_ssl_port"], []),
 "remediation": json.marshal({
 "before": "true",
- "after": "false"
+ "after": "false",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/query.rego b/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/query.rego
index f4624d0cd04..0c5f67dad62 100644
--- a/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/query.rego
+++ b/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.azurerm_security_center_subscription_pricing[name]
@@ -17,10 +17,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'azurerm_security_center_subscription_pricing.%s.tier' is 'Standard'", [name]),
 "keyActualValue": sprintf("'azurerm_security_center_subscription_pricing.%s.tier' is 'Free'", [name]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_security_center_subscription_pricing",name, "tier"], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_security_center_subscription_pricing", name, "tier"], []),
 "remediation": json.marshal({
- "before": sprintf("%s",[resource.tier]),
- "after": "Standard"
+ "before": sprintf("%s", [resource.tier]),
+ "after": "Standard",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/query.rego b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/query.rego
index 0dfa4d864c0..1eaf2476ce0 100644
--- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/query.rego
+++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as commonLib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.azurerm_network_security_rule[name]
@@ -13,7 +13,7 @@ CxPolicy[result] {
 upper(resource.access) == "ALLOW"
 upper(resource.direction) == "INBOUND"
-
+
 endswith(resource.source_address_prefix, "/0")
 tf_lib.containsPort(resource, portNumber)
 isTCPorUDP(protocol)
diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/query.rego b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/query.rego
index 63a0ddc9453..b3ab9eab12b 100644
--- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/query.rego
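Review bot: The `endswith(resource.source_address_prefix, "/0")` context line in the sensitive_port_is_exposed_to_entire_network `@@ -13` hunk uses a `/0` suffix as the only any-source test, so an NSG rule whose `source_address_prefix` is `*` or the `Internet` service tag, both of which Azure accepts as an unrestricted source, is not reported unless a rule outside this hunk covers it. The whitespace cleanup leaves that condition as is; either the condition should be widened to those spellings or the limitation should be documented on the line, e.g. `# only a CIDR /0 prefix counts as "entire network"; "*" and service tags are not matched`. The CxPolicy rule begins and ends outside the hunk, so a later conjunct handling those values cannot be ruled out from here.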
+++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as commonLib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.azurerm_network_security_rule[name]
@@ -13,7 +13,7 @@ CxPolicy[result] {
 upper(resource.access) == "ALLOW"
 upper(resource.direction) == "INBOUND"
-
+
 isSmallPublicNetwork(resource)
 tf_lib.containsPort(resource, portNumber)
 isTCPorUDP(protocol)
diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/query.rego b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/query.rego
index 55b250df70d..428561e4b91 100644
--- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/query.rego
+++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as commonLib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.azurerm_network_security_rule[name]
@@ -13,7 +13,7 @@ CxPolicy[result] {
 upper(resource.access) == "ALLOW"
 upper(resource.direction) == "INBOUND"
-
+
 commonLib.isPrivateIP(resource.source_address_prefix)
 tf_lib.containsPort(resource, portNumber)
 isTCPorUDP(protocol)
diff --git a/assets/queries/terraform/azure/small_activity_log_retention_period/query.rego b/assets/queries/terraform/azure/small_activity_log_retention_period/query.rego
index c95dababab3..fa428f589f5 100644
--- a/assets/queries/terraform/azure/small_activity_log_retention_period/query.rego
+++ b/assets/queries/terraform/azure/small_activity_log_retention_period/query.rego
@@ -17,7 +17,7 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'azurerm_monitor_log_profile[%s].retention_policy.days' should be defined and not null", [name]),
 "keyActualValue": sprintf("'azurerm_monitor_log_profile[%s].retention_policy.days' is undefined or null", [name]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_monitor_log_profile",name, "retention_policy"], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_monitor_log_profile", name, "retention_policy"], []),
 "remediation": "days = 365",
 "remediationType": "addition",
 }
@@ -36,10 +36,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'azurerm_monitor_log_profile[%s].retention_policy.enabled' should be set to true", [name]),
 "keyActualValue": sprintf("'azurerm_monitor_log_profile[%s].retention_policy.enabled' is set to false", [name]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_monitor_log_profile",name, "retention_policy","enabled"], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_monitor_log_profile", name, "retention_policy", "enabled"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
@@ -60,10 +60,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'azurerm_monitor_log_profile[%s].retention_policy.days' should be greater than or equal to 365 days or 0 (indefinitely)", [name]),
 "keyActualValue": sprintf("'azurerm_monitor_log_profile[%s].retention_policy.days' is less than 365 days or different than 0 (indefinitely)", [name]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_monitor_log_profile",name, "retention_policy","days"], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_monitor_log_profile", name, "retention_policy", "days"], []),
 "remediation": json.marshal({
 "before": sprintf("%d", [retentionPolicy.days]),
- "after": "365"
+ "after": "365",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/small_flow_logs_retention_period/query.rego b/assets/queries/terraform/azure/small_flow_logs_retention_period/query.rego
index 466cd66bf17..1bf7a72fa24 100644
--- a/assets/queries/terraform/azure/small_flow_logs_retention_period/query.rego
+++ b/assets/queries/terraform/azure/small_flow_logs_retention_period/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.azurerm_network_watcher_flow_log[name]
@@ -20,7 +20,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "azurerm_network_watcher_flow_log", name, "retention_policy", "days"], []),
 "remediation": json.marshal({
 "before": sprintf("%d", [resource.retention_policy.days]),
- "after": "90"
+ "after": "90",
 }),
 "remediationType": "replacement",
 }
@@ -63,7 +63,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "azurerm_network_watcher_flow_log", name, "retention_policy", "enabled"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/small_msql_server_audit_retention/query.rego b/assets/queries/terraform/azure/small_msql_server_audit_retention/query.rego
index 1d7e1744056..74e34f415b3 100644
--- a/assets/queries/terraform/azure/small_msql_server_audit_retention/query.rego
+++ b/assets/queries/terraform/azure/small_msql_server_audit_retention/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource_type := ["azurerm_sql_database", "azurerm_sql_server"]
@@ -17,7 +17,7 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": "extended_auditing_policy.retention_in_days should be defined and bigger than 90",
 "keyActualValue": "extended_auditing_policy.retention_in_days is not defined",
- "searchLine": common_lib.build_search_line(["resource",resource_type[t] ,name, "extended_auditing_policy"], []),
+ "searchLine": common_lib.build_search_line(["resource", resource_type[t], name, "extended_auditing_policy"], []),
 "remediation": "retention_in_days = 200",
 "remediationType": "addition",
 }
@@ -38,10 +38,10 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'%s.extended_auditing_policy.retention_in_days' should be bigger than 90", [name]),
 "keyActualValue": sprintf("'extended_auditing_policy.retention_in_days' is %d", [var]),
- "searchLine": common_lib.build_search_line(["resource",resource_type[t] ,name, "extended_auditing_policy", "retention_in_days"], []),
+ "searchLine": common_lib.build_search_line(["resource", resource_type[t], name, "extended_auditing_policy", "retention_in_days"], []),
 "remediation": json.marshal({
 "before": sprintf("%d", [var]),
- "after": "200"
+ "after": "200",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/small_mssql_audit_retention_period/query.rego b/assets/queries/terraform/azure/small_mssql_audit_retention_period/query.rego
index 459dfa76220..91c9e85da9c 100644
--- a/assets/queries/terraform/azure/small_mssql_audit_retention_period/query.rego
+++ b/assets/queries/terraform/azure/small_mssql_audit_retention_period/query.rego
@@ -1,13 +1,13 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource_type := ["azurerm_mssql_database", "azurerm_mssql_server"]
 resource := input.document[i].resource[resource_type[t]][name]
- not common_lib.valid_key(resource.extended_auditing_policy,"retention_in_days")
+ not common_lib.valid_key(resource.extended_auditing_policy, "retention_in_days")
 result := {
 "documentId": input.document[i].id,
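Review bot: In the small_msql_server_audit_retention `@@ -38` hunk the `issueType` context line says `"MissingAttribute"` although the same result reports the attribute's actual number via `%d` and remediates with a `"replacement"`, which is the IncorrectValue shape; the parallel `@@ -38` hunk of small_mssql_audit_retention_period in this diff labels that case `"IncorrectValue"`. Consumers that branch on issueType would classify this finding differently from its sibling for the same misconfiguration, so the line presumably should read `"issueType": "IncorrectValue",`. The enclosing CxPolicy rule starts outside the hunk.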
@@ -17,7 +17,7 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'%s.extended_auditing_policy.retention_in_days' should be bigger than 90", [name]),
 "keyActualValue": "'extended_auditing_policy.retention_in_days' is not defined",
- "searchLine": common_lib.build_search_line(["resource",resource_type[t] ,name, "extended_auditing_policy"], []),
+ "searchLine": common_lib.build_search_line(["resource", resource_type[t], name, "extended_auditing_policy"], []),
 "remediation": "retention_in_days = 200",
 "remediationType": "addition",
 }
@@ -38,10 +38,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'%s.extended_auditing_policy.retention_in_days' should be bigger than 90", [name]),
 "keyActualValue": sprintf("'extended_auditing_policy.retention_in_days' is %d", [var]),
- "searchLine": common_lib.build_search_line(["resource",resource_type[t] ,name, "extended_auditing_policy", "retention_in_days"], []),
+ "searchLine": common_lib.build_search_line(["resource", resource_type[t], name, "extended_auditing_policy", "retention_in_days"], []),
 "remediation": json.marshal({
 "before": sprintf("%d", [var]),
- "after": "200"
+ "after": "200",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/query.rego b/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/query.rego
index 2566ca8b293..5ccd78b362d 100644
--- a/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/query.rego
+++ b/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/query.rego
@@ -17,10 +17,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'azurerm_postgresql_configuration[%s].value' is greater than 3 and less than 8", [name]),
 "keyActualValue": sprintf("'azurerm_postgresql_configuration[%s].value' is %s", [name, config.value]),
- "searchLine": commonLib.build_search_line(["resource","azurerm_postgresql_configuration" ,name, "value"], []),
+ "searchLine": commonLib.build_search_line(["resource", "azurerm_postgresql_configuration", name, "value"], []),
 "remediation": json.marshal({
 "before": sprintf("%d", [config.value]),
- "after": "7"
+ "after": "7",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/sql_database_audit_disabled/query.rego b/assets/queries/terraform/azure/sql_database_audit_disabled/query.rego
index 576b901c3ba..1e68fb22281 100644
--- a/assets/queries/terraform/azure/sql_database_audit_disabled/query.rego
+++ b/assets/queries/terraform/azure/sql_database_audit_disabled/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.azurerm_sql_database[name]
@@ -16,7 +16,7 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'threat_detection_policy' should exist",
 "keyActualValue": "'threat_detection_policy' is missing",
- "searchLine": common_lib.build_search_line(["resource", "azurerm_sql_database" ,name, "threat_detection_policy"], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_sql_database", name, "threat_detection_policy"], []),
 "remediation": "threat_detection_policy {\n\t\tstate = \"Enabled\"\n\t}\n",
 "remediationType": "addition",
 }
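Review bot: `"before": sprintf("%d", [config.value])` in the small_postgresql_db_server_log_retention_period hunk formats the same value that `keyActualValue`, two lines above it, formats with `%s`; if `config.value` is a string, as that `%s` suggests, the `%d` verb produces a malformed `before` field in the remediation payload instead of the current value. Using `"before": sprintf("%s", [config.value]),` keeps the remediation consistent with the message whatever the value's type. The rule head that binds `config` is outside the hunk, so the type cannot be confirmed from here.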
@@ -35,10 +35,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'threat_detection_policy.state' equal 'Enabled'",
 "keyActualValue": "'threat_detection_policy.state' equal 'Disabled'",
- "searchLine": common_lib.build_search_line(["resource", "azurerm_sql_database" ,name, "threat_detection_policy", "state"], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_sql_database", name, "threat_detection_policy", "state"], []),
 "remediation": json.marshal({
 "before": "Disabled",
- "after": "Enabled"
+ "after": "Enabled",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/sql_server_alert_email_disabled/query.rego b/assets/queries/terraform/azure/sql_server_alert_email_disabled/query.rego
index 91c4a76441e..0ebfdc6f839 100644
--- a/assets/queries/terraform/azure/sql_server_alert_email_disabled/query.rego
+++ b/assets/queries/terraform/azure/sql_server_alert_email_disabled/query.rego
@@ -40,7 +40,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "azurerm_mssql_server_security_alert_policy", name, "email_account_admins"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/query.rego b/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/query.rego
index 8885b513b60..bc217a806fd 100644
--- a/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/query.rego
+++ b/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/query.rego
@@ -29,7 +29,7 @@ isRelevantProtocol(protocol) = allow {
 }
 isRelevantPort(port) = allow {
- regex.match("(^|\\s|,)22(-|,|$|\\s)", port)
+ regex.match(`(^|\s|,)22(-|,|$|\s)`, port)
 allow = true
 }
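Review bot: `isRelevantPort` only recognises `22` when it is a standalone token or the start of a range, so a port value expressed as a range that spans 22 (for example `20-30`) or as the `*` wildcard is not treated as SSH and the query stays silent for such a rule; the switch to a raw string pattern leaves that detection gap exactly as it was. Parsing the comma-separated tokens and checking whether each single port or `low-high` range covers 22 closes it and also handles `*`; a sketch follows, and it keeps the `allow = true` output so the caller is unchanged. `isRelevantPort` is fully inside the hunk, but the caller that supplies `port` is not, so whether `port` can arrive as a number rather than a string should be checked before relying on `split`.

```rego
isRelevantPort(port) = allow {
	token := trim_space(split(port, ",")[_])
	port_covers_22(token)
	allow = true
}

port_covers_22(token) {
	token == "*"
}

port_covers_22(token) {
	token == "22"
}

port_covers_22(token) {
	[low, high] := split(token, "-")
	to_number(low) <= 22
	to_number(high) >= 22
}
```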
diff --git a/assets/queries/terraform/azure/ssl_enforce_is_disabled/query.rego b/assets/queries/terraform/azure/ssl_enforce_is_disabled/query.rego
index a818f475d6a..2f54304e951 100644
--- a/assets/queries/terraform/azure/ssl_enforce_is_disabled/query.rego
+++ b/assets/queries/terraform/azure/ssl_enforce_is_disabled/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.azurerm_postgresql_server[var0]
@@ -36,7 +36,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "azurerm_postgresql_server", var0, "ssl_enforcement_enabled"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/storage_account_not_forcing_https/query.rego b/assets/queries/terraform/azure/storage_account_not_forcing_https/query.rego
index 3b0e1e8b835..12394c66b5a 100644
--- a/assets/queries/terraform/azure/storage_account_not_forcing_https/query.rego
+++ b/assets/queries/terraform/azure/storage_account_not_forcing_https/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'azurerm_storage_account.%s.enable_https_traffic_only' equals 'true'", [var0]),
 "keyActualValue": sprintf("'azurerm_storage_account.%s.enable_https_traffic_only' does not exist", [var0]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_storage_account" ,var0, "enable_https_traffic_only" ], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_storage_account", var0, "enable_https_traffic_only"], []),
 "remediation": "enable_https_traffic_only = true",
 "remediationType": "addition",
 }
@@ -33,10 +33,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'azurerm_storage_account.%s.enable_https_traffic_only' equals 'true'", [var0]),
 "keyActualValue": sprintf("'azurerm_storage_account.%s.enable_https_traffic_only' equals 'false'", [var0]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_storage_account" ,var0, "enable_https_traffic_only" ], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_storage_account", var0, "enable_https_traffic_only"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/query.rego b/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/query.rego
index 0943aeb5a64..a2a18b3ae39 100644
--- a/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/query.rego
+++ b/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/query.rego
@@ -18,7 +18,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "azurerm_storage_account", name, "min_tls_version"], []),
 "remediation": json.marshal({
 "before": sprintf("%s", [storage.min_tls_version]),
- "after": "TLS1_2"
+ "after": "TLS1_2",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/storage_container_is_publicly_accessible/query.rego b/assets/queries/terraform/azure/storage_container_is_publicly_accessible/query.rego
index 3f46a58fd64..8dd51431f40 100644
--- a/assets/queries/terraform/azure/storage_container_is_publicly_accessible/query.rego
+++ b/assets/queries/terraform/azure/storage_container_is_publicly_accessible/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.azurerm_storage_container[name]
@@ -16,10 +16,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'container_access_type' should equal to 'private'",
 "keyActualValue": "'container_access_type' is not equal to 'private'",
- "searchLine": common_lib.build_search_line(["resource","azurerm_storage_container" ,name, "container_access_type"], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_storage_container", name, "container_access_type"], []),
 "remediation": json.marshal({
 "before": sprintf("%s", [resource.container_access_type]),
- "after": "private"
+ "after": "private",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/query.rego b/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/query.rego
index bc8ac585073..a9a8cac7ca9 100644
--- a/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/query.rego
+++ b/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/query.rego
@@ -36,7 +36,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "azurerm_virtual_network", name, "ddos_protection_plan", "enable"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/query.rego b/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/query.rego
index 42846ca2746..aeceb8e1f51 100644
--- a/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/query.rego
+++ b/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'azurerm_application_gateway[%s]' should be set", [name]),
 "keyActualValue": sprintf("'azurerm_application_gateway[%s]' is undefined", [name]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_application_gateway", name], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_application_gateway", name], []),
 }
 }
@@ -32,10 +32,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'azurerm_application_gateway[%s].waf_configuration.enabled' is true", [name]),
 "keyActualValue": sprintf("'azurerm_application_gateway[%s].waf_configuration.enabled' is false", [name]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_application_gateway", name, "waf_configuration", "enabled"], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_application_gateway", name, "waf_configuration", "enabled"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/query.rego b/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/query.rego
index 574fd43637a..5b575032ede 100644
--- a/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/query.rego
+++ b/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/query.rego
@@ -16,7 +16,7 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'azurerm_app_service[%s].https_only' should be set", [name]),
 "keyActualValue": sprintf("'azurerm_app_service[%s].https_only' is undefined", [name]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_app_service" ,name], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_app_service", name], []),
 "remediation": "https_only = true",
 "remediationType": "addition",
 }
@@ -35,10 +35,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'azurerm_app_service[%s].https_only' should be set to true", [name]),
 "keyActualValue": sprintf("'azurerm_app_service[%s].https_only' is not set to true", [name]),
- "searchLine": common_lib.build_search_line(["resource","azurerm_app_service" ,name, "https_only"], []),
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_app_service", name, "https_only"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/databricks/databricks_permissions/query.rego b/assets/queries/terraform/databricks/databricks_permissions/query.rego
index d0093b0b91d..1b013d1d30e 100644
--- a/assets/queries/terraform/databricks/databricks_permissions/query.rego
+++ b/assets/queries/terraform/databricks/databricks_permissions/query.rego
@@ -25,7 +25,6 @@ is_associated_to_job(databricks_job_name, doc) {
 not contains(databricks_permissions_used.job_id, sprintf("databricks_job.%s", [databricks_job_name]))
 }
-
 CxPolicy[result] {
 databricks_cluster := input.document[i].resource.databricks_cluster[name]
@@ -51,7 +50,8 @@ is_associated_to_cluster(databricks_cluster_name, doc) {
 CxPolicy[result] {
 databricks_permissions := input.document[i].resource.databricks_permissions[name]
- databricks_permissions.access_control.permission_level == "IS_OWNER"; not databricks_permissions.access_control.service_principal_name
+ databricks_permissions.access_control.permission_level == "IS_OWNER"
+ not databricks_permissions.access_control.service_principal_name
 result := {
 "documentId": input.document[i].id,
@@ -68,7 +68,8 @@ CxPolicy[result] {
 databricks_permissions := input.document[i].resource.databricks_permissions[name]
 some j
- databricks_permissions.access_control[j].permission_level == "IS_OWNER"; not databricks_permissions.access_control[j].service_principal_name
+ databricks_permissions.access_control[j].permission_level == "IS_OWNER"
+ not databricks_permissions.access_control[j].service_principal_name
 result := {
 "documentId": input.document[i].id,
diff --git a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/query.rego b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/query.rego
index feb0cb4d5f9..77c4cb35602 100644
--- a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/query.rego
+++ b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.google_dns_managed_zone[name]
@@ -16,7 +16,7 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'dnssec_config.state' should equal to 'on'",
 "keyActualValue": "'dnssec_config.state' is not equal to 'on'",
- "searchLine": common_lib.build_search_line(["resource","google_dns_managed_zone", name, "dnssec_config", "state"],[])
+ "searchLine": common_lib.build_search_line(["resource", "google_dns_managed_zone", name, "dnssec_config", "state"], []),
 }
 }
diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/query.rego b/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/query.rego
index 67ce2905f89..6b763b72a43 100644
--- a/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/query.rego
+++ b/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/query.rego
@@ -5,7 +5,7 @@ import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.google_storage_bucket[name]
- not common_lib.valid_key(resource,"logging")
+ not common_lib.valid_key(resource, "logging")
 result := {
 "documentId": input.document[i].id,
diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/query.rego b/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/query.rego
index 2fb83cf2071..5ab4acd765d 100644
--- a/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/query.rego
+++ b/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/query.rego
@@ -16,7 +16,7 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'versioning' should be defined and not null",
 "keyActualValue": "'versioning' it undefined or null",
- "searchLine": common_lib.build_search_line(["resource", "google_storage_bucket", name],[]),
+ "searchLine": common_lib.build_search_line(["resource", "google_storage_bucket", name], []),
 "remediation": "versioning {\n\t\tenabled = true\n\t}\n",
 "remediationType": "addition",
 }
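Review bot: `"keyActualValue": "'versioning' it undefined or null"` in the cloud_storage_bucket_versioning_disabled hunk carries a typo in a user-facing result string that ends up in every report for this finding; it should read `"keyActualValue": "'versioning' is undefined or null",`. The rest of the hunk is whitespace only. The rule head is outside the hunk.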
@@ -35,10 +35,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'versioning.enabled' should be true",
 "keyActualValue": "'versioning.enabled' is false",
- "searchLine": common_lib.build_search_line(["resource", "google_storage_bucket", name],["versioning", "enabled"]),
+ "searchLine": common_lib.build_search_line(["resource", "google_storage_bucket", name], ["versioning", "enabled"]),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/gcp/disk_encryption_disabled/query.rego b/assets/queries/terraform/gcp/disk_encryption_disabled/query.rego
index 5d2809eab80..79cb729d1e4 100644
--- a/assets/queries/terraform/gcp/disk_encryption_disabled/query.rego
+++ b/assets/queries/terraform/gcp/disk_encryption_disabled/query.rego
@@ -49,5 +49,3 @@ CxPolicy[result] {
 "keyActualValue": sprintf("'google_compute_disk[%s].disk_encryption_key.%s' is not empty or null", [name, key]),
 }
 }
-
-
diff --git a/assets/queries/terraform/gcp/dnssec_using_rsasha1/query.rego b/assets/queries/terraform/gcp/dnssec_using_rsasha1/query.rego
index 0d41aeb5839..cd3f940bf65 100644
--- a/assets/queries/terraform/gcp/dnssec_using_rsasha1/query.rego
+++ b/assets/queries/terraform/gcp/dnssec_using_rsasha1/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 dnssec_config := input.document[i].resource.google_dns_managed_zone[name].dnssec_config
@@ -14,10 +14,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": "dnssec_config.default_key_specs.algorithm shouldn't be 'rsasha1'",
 "keyActualValue": "dnssec_config.default_key_specs.algorithm is 'rsasha1'",
- "searchLine": common_lib.build_search_line(["resource", "google_dns_managed_zone", name],["dnssec_config", "default_key_specs", "algorithm"]),
+ "searchLine": common_lib.build_search_line(["resource", "google_dns_managed_zone", name], ["dnssec_config", "default_key_specs", "algorithm"]),
 "remediation": json.marshal({
 "before": "rsasha1",
- "after": "rsasha256"
+ "after": "rsasha256",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/query.rego b/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/query.rego
index d2202b37331..749ab47f9f9 100644
--- a/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/query.rego
+++ b/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.google_container_cluster[primary]
@@ -15,10 +15,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Attribute 'enable_legacy_abac' should be set to false",
 "keyActualValue": "Attribute 'enable_legacy_abac' is true",
- "searchLine": common_lib.build_search_line(["resource", "google_container_cluster", primary],["enable_legacy_abac"]),
+ "searchLine": common_lib.build_search_line(["resource", "google_container_cluster", primary], ["enable_legacy_abac"]),
 "remediation": json.marshal({
 "before": "true",
- "after": "false"
+ "after": "false",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/gcp/gke_using_default_service_account/query.rego b/assets/queries/terraform/gcp/gke_using_default_service_account/query.rego
index 9210c9a44e0..8631fbf3594 100644
--- a/assets/queries/terraform/gcp/gke_using_default_service_account/query.rego
+++ b/assets/queries/terraform/gcp/gke_using_default_service_account/query.rego
@@ -5,7 +5,7 @@ import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.google_container_cluster[name]
-
+
 not common_lib.valid_key(resource.node_config, "service_account")
 result := {
@@ -22,7 +22,7 @@ CxPolicy[result] {
 CxPolicy[result] {
 resource := input.document[i].resource.google_container_cluster[name]
-
+
 contains(resource.node_config.service_account, "default")
 result := {
diff --git a/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/query.rego b/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/query.rego
index 3a6401fee61..f653c0200a9 100644
--- a/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/query.rego
+++ b/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/query.rego
@@ -4,14 +4,13 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
-
 computeNetwork := input.document[i].resource.google_compute_network[name]
-
+
 firewall := input.document[_].resource.google_compute_firewall[_]
-
+
 tf_lib.matches(firewall.network, name)
 contains(firewall.name, "default")
-
+
 result := {
 "documentId": input.document[i].id,
 "resourceType": "google_compute_network",
diff --git a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/query.rego b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/query.rego
index 15c4bf7b863..f90f1f61726 100644
--- a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/query.rego
+++ b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/query.rego
@@ -4,15 +4,14 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
-
 computeNetwork := input.document[i].resource.google_compute_network[name]
-
+
 firewall := input.document[_].resource.google_compute_firewall[_]
 tf_lib.matches(firewall.network, name)
 common_lib.is_ingress(firewall)
 all_ports(firewall.allow)
-
+
 result := {
 "documentId": input.document[i].id,
 "resourceType": "google_compute_network",
diff --git a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/query.rego b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/query.rego
index a33395f9d82..3b1c8ebdf2d 100644
--- a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/query.rego
+++ b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/query.rego
@@ -4,15 +4,14 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
-
 computeNetwork := input.document[i].resource.google_compute_network[name]
-
+
 firewall := input.document[_].resource.google_compute_firewall[_]
 tf_lib.matches(firewall.network, name)
 common_lib.is_ingress(firewall)
 is_port_range(firewall.allow)
-
+
 result := {
 "documentId": input.document[i].id,
 "resourceType": "google_compute_network",
@@ -27,10 +26,10 @@ CxPolicy[result] {
 is_port_range(allow) {
 is_array(allow)
- regex.match("[0-9]+-[0-9]+", allow[_].ports[_])
+ regex.match(`[0-9]+-[0-9]+`, allow[_].ports[_])
 allow[_].ports[_] != "0-65535"
 } else {
 is_object(allow)
- regex.match("[0-9]+-[0-9]+", allow.ports[_])
+ regex.match(`[0-9]+-[0-9]+`, allow.ports[_])
 allow.ports[_] != "0-65535"
 }
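Review bot: In `is_port_range` the two `allow[_].ports[_]` references (and likewise the two `allow.ports[_]` in the `else` branch) are independent iterations, so the rule holds when one port matches the range pattern and a different port is anything other than `0-65535`; an `allow` block listing `0-65535` together with a single port such as `22` is reported as a port range although no narrower range exists, while the intended per-element check never runs. Binding the port once and testing both conditions on that binding gives the intended semantics; the rewrite is below and keeps the raw-string pattern this hunk introduces. Both branches of the function are fully inside the hunk.

```rego
is_port_range(allow) {
	is_array(allow)
	port := allow[_].ports[_]
	regex.match(`[0-9]+-[0-9]+`, port)
	port != "0-65535"
} else {
	is_object(allow)
	port := allow.ports[_]
	regex.match(`[0-9]+-[0-9]+`, port)
	port != "0-65535"
}
```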
diff --git a/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/query.rego b/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/query.rego
index e9a28db3be4..1a17f105d46 100644
--- a/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/query.rego
+++ b/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/query.rego
@@ -15,10 +15,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("google_compute_ssl_policy[%s].min_tls_version should be TLS_1_2", [name]),
 "keyActualValue": sprintf("google_compute_ssl_policy[%s].min_tls_version is not TLS_1_2", [name]),
- "searchLine": common_lib.build_search_line(["resource", "google_compute_ssl_policy", name],["min_tls_version"]),
+ "searchLine": common_lib.build_search_line(["resource", "google_compute_ssl_policy", name], ["min_tls_version"]),
 "remediation": json.marshal({
- "before": sprintf("%s",[sslPolicy.min_tls_version]),
- "after": "TLS_1_2"
+ "before": sprintf("%s", [sslPolicy.min_tls_version]),
+ "after": "TLS_1_2",
 }),
 "remediationType": "replacement",
 }
@@ -36,7 +36,7 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("google_compute_ssl_policy[%s].min_tls_version should be TLS_1_2", [name]),
 "keyActualValue": sprintf("google_compute_ssl_policy[%s].min_tls_version is undefined", [name]),
- "searchLine": common_lib.build_search_line(["resource", "google_compute_ssl_policy", name],[]),
+ "searchLine": common_lib.build_search_line(["resource", "google_compute_ssl_policy", name], []),
 "remediation": "min_tls_version = \"TLS_1_2\"",
 "remediationType": "addition",
 }
diff --git a/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/query.rego b/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/query.rego
index a68d1d27448..a44a2931451 100644
--- a/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/query.rego
+++ b/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/query.rego
@@ -36,7 +36,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "google_compute_subnetwork", name, "private_ip_google_access"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/query.rego b/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/query.rego
index 0474ead0b9a..0a83703079a 100644
--- a/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/query.rego
+++ b/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/query.rego
@@ -15,10 +15,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("google_container_node_pool[%s].management.auto_repair should be true", [name]),
 "keyActualValue": sprintf("google_container_node_pool[%s].management.auto_repair is false", [name]),
- "searchLine": common_lib.build_search_line(["resource", "google_container_node_pool", name],["management", "auto_repair"]),
+ "searchLine": common_lib.build_search_line(["resource", "google_container_node_pool", name], ["management", "auto_repair"]),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/query.rego b/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/query.rego
index 8e3982ef1a4..88c557a6751 100644
--- a/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/query.rego
+++ b/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/query.rego
@@ -15,10 +15,10 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("google_project[%s].auto_create_network should be set to false", [name]),
 "keyActualValue": sprintf("google_project[%s].auto_create_network is true", [name]),
- "searchLine": common_lib.build_search_line(["resource", "google_project", name],["auto_create_network"]),
+ "searchLine": common_lib.build_search_line(["resource", "google_project", name], ["auto_create_network"]),
 "remediation": json.marshal({
 "before": "true",
- "after": "false"
+ "after": "false",
 }),
 "remediationType": "replacement",
 }
@@ -36,7 +36,7 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("google_project[%s].auto_create_network should be set to false", [name]),
 "keyActualValue": sprintf("google_project[%s].auto_create_network is undefined", [name]),
- "searchLine": common_lib.build_search_line(["resource", "google_project", name],[]),
+ "searchLine": common_lib.build_search_line(["resource", "google_project", name], []),
 "remediation": "auto_create_network = false",
 "remediationType": "addition",
 }
diff --git a/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/query.rego b/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/query.rego
index de9d1334875..1bf4b01018e 100644
--- a/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/query.rego
+++ b/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/query.rego
@@ -66,6 +66,6 @@ CxPolicy[result] {
 }
 }
-inArray(array, elem) {
- startswith(array[_], elem)
+inArray(array_obj, elem) {
+ startswith(array_obj[_], elem)
 }
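Review bot: The helper keeps the name `inArray` in this google_project_iam_binding hunk while the identical two-line body becomes `arrayContains` in google_project_iam_member_service_account_has_admin_role and stays `containsArray` in google_project_iam_member_service_account_has_token_creator_or_account_user_role (both in the following hunks); since the commit already touches all three, settling on one name, for example `arrayContains(array_obj, elem) {`, keeps the sibling queries consistent for anyone reading or grepping across them. The `array` → `array_obj` rename itself is fine and presumably avoids shadowing the `array.*` builtin namespace.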
diff --git a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/query.rego b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/query.rego
index b25adf200ab..4719527b4cd 100644
--- a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/query.rego
+++ b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/query.rego
@@ -20,7 +20,7 @@ CxPolicy[result] {
 CxPolicy[result] {
 projectIam := input.document[i].resource.google_project_iam_member[name]
- inArray(projectIam.members, "serviceAccount:")
+ arrayContains(projectIam.members, "serviceAccount:")
 contains(projectIam.role, "roles/iam.serviceAccountAdmin")
 result := {
@@ -34,6 +34,6 @@ CxPolicy[result] {
 }
 }
-inArray(array, elem) {
- startswith(array[_], elem)
+arrayContains(array_obj, elem) {
+ startswith(array_obj[_], elem)
 }
diff --git a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/query.rego b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/query.rego
index b8ce25bc75c..8d86e4ff762 100644
--- a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/query.rego
+++ b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/query.rego
@@ -66,8 +66,6 @@ CxPolicy[result] {
 }
 }
-containsArray(array, elem) {
- startswith(array[_], elem)
-} else = false {
- true
-}
+containsArray(array_obj, elem) {
+ startswith(array_obj[_], elem)
+} else = false
diff --git a/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/query.rego b/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/query.rego
index 82b88d4b356..9d6a6208a66 100644
--- a/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/query.rego
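Review bot: `arrayContains(projectIam.members, "serviceAccount:")` in the `@@ -20` hunk reads a `members` list on a `google_project_iam_member` resource, but in the google provider that resource carries a single `member` string (`members` belongs to `google_project_iam_binding`), so this second rule can only match templates Terraform itself would reject and a service-account admin grant written the normal way is presumably covered only by the first rule, which is outside this hunk. If this rule is meant as a second path, `startswith(projectIam.member, "serviceAccount:")` is the check that matches the schema; if not, the rule and the `arrayContains` helper in the `@@ -34` hunk can go. The rename performed here does not change which templates the rule fires on.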
+++ b/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/query.rego
@@ -18,7 +18,7 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "google_storage_bucket", name, "uniform_bucket_level_access"], []),
 "remediation": json.marshal({
 "before": "false",
- "after": "true"
+ "after": "true",
 }),
 "remediationType": "replacement",
 }
diff --git a/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/query.rego b/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/query.rego
index e7413a7ac4a..1ed1323cc85 100644
--- a/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/query.rego
+++ b/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/query.rego
@@ -18,8 +18,8 @@ CxPolicy[result] {
 "keyActualValue": "'google_kms_crypto_key.rotation_period' exceeds 7776000",
 "searchLine": common_lib.build_search_line(["resource", "google_kms_crypto_key", name, "rotation_period"], []),
 "remediation": json.marshal({
- "before": sprintf("%s", [rotationPeriod]) ,
- "after": "100000"
+ "before": sprintf("%s", [rotationPeriod]),
+ "after": "100000",
 }),
 "remediationType": "replacement",
 }
@@ -28,7 +28,7 @@ CxPolicy[result] {
 CxPolicy[result] {
 cryptoKey := input.document[i].resource.google_kms_crypto_key[name]
- not common_lib.valid_key(cryptoKey,"rotation_period")
+ not common_lib.valid_key(cryptoKey, "rotation_period")
 result := {
 "documentId": input.document[i].id,
diff --git a/assets/queries/terraform/gcp/iam_audit_not_properly_configured/query.rego b/assets/queries/terraform/gcp/iam_audit_not_properly_configured/query.rego
index 09c542a27c9..7fbedbf88f5 100644
--- a/assets/queries/terraform/gcp/iam_audit_not_properly_configured/query.rego
+++ b/assets/queries/terraform/gcp/iam_audit_not_properly_configured/query.rego
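Review bot: The remediation `"after": "100000"` in the high_google_kms_crypto_key_rotation_period `@@ -18` hunk emits a bare number, whereas the google provider's `rotation_period` is a duration string with an `s` suffix (the `7776000` threshold quoted in `keyActualValue` corresponds to `7776000s`), so a user who applies the suggested replacement would presumably hit a validation error at plan time. `"after": "100000s",` matches the expected format. The rule head that binds `rotationPeriod` is outside the hunk, so also check that the `before` value is emitted with its suffix intact.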
@@ -1,6 +1,7 @@ package Cx import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { resource := input.document[i].resource.google_project_iam_audit_config[name] @@ -41,7 +42,7 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i].resource.google_project_iam_audit_config[name] - audit_log_config = resource.audit_log_config[_] + some audit_log_config in resource.audit_log_config exempted_members = audit_log_config.exempted_members count(exempted_members) != 0 diff --git a/assets/queries/terraform/gcp/ip_forwarding_enabled/query.rego b/assets/queries/terraform/gcp/ip_forwarding_enabled/query.rego index 0e615560caa..6fab53a05d7 100644 --- a/assets/queries/terraform/gcp/ip_forwarding_enabled/query.rego +++ b/assets/queries/terraform/gcp/ip_forwarding_enabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { dt := input.document[i].resource.google_compute_instance[appserver] @@ -15,10 +15,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Attribute 'can_ip_forward' should be set to false or Attribute 'can_ip_forward' should be undefined", "keyActualValue": "Attribute 'can_ip_forward' is true", - "searchLine": common_lib.build_search_line(["resource", "google_compute_instance", appserver],["can_ip_forward"]), + "searchLine": common_lib.build_search_line(["resource", "google_compute_instance", appserver], ["can_ip_forward"]), "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/query.rego b/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/query.rego index 4d27afe5f6b..cac4347ddf5 100644 --- a/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/query.rego 
+++ b/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/query.rego @@ -2,14 +2,15 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { resource := input.document[i].resource.google_project_iam_policy[name] - policyName := split(resource.policy_data,".")[2] + policyName := split(resource.policy_data, ".")[2] policy := input.document[_].data.google_iam_policy[policyName] - count({x | binding = policy.binding[x]; binding.role == "roles/cloudkms.admin"; has_cryptokey_roles_in_use(policy, binding.members)}) != 0 + count({x | binding = policy.binding[x]; binding.role == "roles/cloudkms.admin"; has_cryptokey_roles_in_use(policy, binding.members)}) != 0 result := { "documentId": input.document[i].id, @@ -23,10 +24,9 @@ CxPolicy[result] { } } - has_cryptokey_roles_in_use(policy, targetMembers) { roles := {"roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter"} binding := policy.binding[_] - binding.role == roles[_] - binding.members[_] == targetMembers[_] + binding.role in roles + binding.members[_] == targetMembers[_] } diff --git a/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/query.rego b/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/query.rego index 11d4e112df9..cc7aaa80bc6 100644 --- a/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/query.rego +++ b/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { kmsPolicy := input.document[i].resource.google_kms_crypto_key_iam_policy[name] 
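Review bot: `binding.members[_] == targetMembers[_]` in `has_cryptokey_roles_in_use` keeps the double-wildcard equality form that the same hunk replaces with `in` on the line above it, so the function is left half-converted. Writing it as `some member in binding.members` followed by `member in targetMembers` reads as the intersection test it is and matches the `binding.role in roles` line just added; the iteration is unchanged. The comprehension in the rule above that calls this helper is only reindented here and starts before the hunk.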
@@ -29,9 +30,8 @@ publicly_accessible(policyName) { check_member(policy.binding, options[_]) } - check_member(attribute, search) { - attribute.members[_] == search + search in attribute.members } else { attribute.member == search } diff --git a/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/query.rego b/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/query.rego index 16ab815e3c7..8b07a4297ba 100644 --- a/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/query.rego +++ b/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.google_container_cluster[primary] diff --git a/assets/queries/terraform/gcp/network_policy_disabled/query.rego b/assets/queries/terraform/gcp/network_policy_disabled/query.rego index 318c110753f..41b57f180d2 100644 --- a/assets/queries/terraform/gcp/network_policy_disabled/query.rego +++ b/assets/queries/terraform/gcp/network_policy_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.google_container_cluster[primary] @@ -16,7 +16,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "Attribute 'network_policy' should be defined and Attribute 'addons_config' should be defined", "keyActualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined", - "searchLine": common_lib.build_search_line(["resource", "google_container_cluster", primary],[]), + "searchLine": common_lib.build_search_line(["resource", "google_container_cluster", primary], []), } } 
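Review bot: `check_member(attribute, search)` has no comment on why it falls through to `attribute.member == search`; with the new `search in attribute.members` form the else branch is reached both when `attribute.members` is absent and when it exists but does not contain `search`, which is easy to misread as a pure "field missing" fallback. A one-line comment would save the next reader a trip to the callers, e.g. `# bindings carry a members list, single-member resources a member field; the else covers the latter`. Which resource kinds carry which field is inferred from the attribute names, not from this file, so confirm it against the callers in `publicly_accessible`, which starts outside this hunk.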
@@ -34,7 +34,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "Attribute 'addons_config.network_policy_config' should be defined", "keyActualValue": "Attribute 'addons_config.network_policy_config' is undefined", - "searchLine": common_lib.build_search_line(["resource", "google_container_cluster", primary],["addons_config"]), + "searchLine": common_lib.build_search_line(["resource", "google_container_cluster", primary], ["addons_config"]), } } @@ -50,10 +50,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Attribute 'network_policy.enabled' should be true", "keyActualValue": "Attribute 'network_policy.enabled' is false", - "searchLine": common_lib.build_search_line(["resource", "google_container_cluster", primary],["network_policy", "enabled"]), + "searchLine": common_lib.build_search_line(["resource", "google_container_cluster", primary], ["network_policy", "enabled"]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } @@ -72,10 +72,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Attribute 'addons_config.network_policy_config.disabled' should be set to false", "keyActualValue": "Attribute 'addons_config.network_policy_config.disabled' is true", - "searchLine": common_lib.build_search_line(["resource", "google_container_cluster", primary],["addons_config", "network_policy_config","disabled"]), + "searchLine": common_lib.build_search_line(["resource", "google_container_cluster", primary], ["addons_config", "network_policy_config", "disabled"]), "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/gcp/node_auto_upgrade_disabled/query.rego b/assets/queries/terraform/gcp/node_auto_upgrade_disabled/query.rego index f3e6a0f4fe6..26a635fa15b 100644 
--- a/assets/queries/terraform/gcp/node_auto_upgrade_disabled/query.rego +++ b/assets/queries/terraform/gcp/node_auto_upgrade_disabled/query.rego @@ -14,7 +14,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "google_container_node_pool.management should be defined and not null", "keyActualValue": "google_container_node_pool.management is undefined or null", - "searchLine": common_lib.build_search_line(["resource", "google_container_node_pool", name],[]), + "searchLine": common_lib.build_search_line(["resource", "google_container_node_pool", name], []), "remediation": "management {\n\t\tauto_upgrade = true\n\t}\n", "remediationType": "addition", } @@ -31,7 +31,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "management.auto_upgrade should be defined and not null", "keyActualValue": "management.auto_upgrade is undefined or null", - "searchLine": common_lib.build_search_line(["resource", "google_container_node_pool", name],["management"]), + "searchLine": common_lib.build_search_line(["resource", "google_container_node_pool", name], ["management"]), "remediation": "auto_upgrade = true", "remediationType": "addition", } @@ -48,10 +48,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "management.auto_upgrade should be true", "keyActualValue": "management.auto_upgrade is false", - "searchLine": common_lib.build_search_line(["resource", "google_container_node_pool", name],["management", "auto_upgrade"]), + "searchLine": common_lib.build_search_line(["resource", "google_container_node_pool", name], ["management", "auto_upgrade"]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/gcp/os_login_disabled/query.rego b/assets/queries/terraform/gcp/os_login_disabled/query.rego index 19cbbb53807..e4d48f38c96 100644 --- a/assets/queries/terraform/gcp/os_login_disabled/query.rego 
+++ b/assets/queries/terraform/gcp/os_login_disabled/query.rego @@ -15,10 +15,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("google_compute_project_metadata[%s].metadata['enable-oslogin'] should be true", [name]), "keyActualValue": sprintf("google_compute_project_metadata[%s].metadata['enable-oslogin'] is false", [name]), - "searchLine": common_lib.build_search_line(["resource", "google_compute_project_metadata", name],["metadata", "enable-oslogin"]), + "searchLine": common_lib.build_search_line(["resource", "google_compute_project_metadata", name], ["metadata", "enable-oslogin"]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } @@ -36,7 +36,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("google_compute_project_metadata[%s].metadata['enable-oslogin'] should be true", [name]), "keyActualValue": sprintf("google_compute_project_metadata[%s].metadata['enable-oslogin'] is undefined", [name]), - "searchLine": common_lib.build_search_line(["resource", "google_compute_project_metadata", name],["metadata"]), + "searchLine": common_lib.build_search_line(["resource", "google_compute_project_metadata", name], ["metadata"]), "remediation": "enable-oslogin = true", "remediationType": "addition", } diff --git a/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/query.rego b/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/query.rego index 28e9796abf9..a527b186b55 100644 --- a/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/query.rego +++ b/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { compute := input.document[i].resource.google_compute_instance[name] 
@@ -17,10 +17,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("google_compute_instance[%s].metadata.enable-oslogin should be true or undefined", [name]), "keyActualValue": sprintf("google_compute_instance[%s].metadata.enable-oslogin is false", [name]), - "searchLine": common_lib.build_search_line(["resource", "google_compute_instance", name],["metadata", "enable-oslogin"]), + "searchLine": common_lib.build_search_line(["resource", "google_compute_instance", name], ["metadata", "enable-oslogin"]), "remediation": json.marshal({ "before": sprintf("%s", [oslogin]), - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/gcp/outdated_gke_version/query.rego b/assets/queries/terraform/gcp/outdated_gke_version/query.rego index cad6e634729..d87fd582a8c 100644 --- a/assets/queries/terraform/gcp/outdated_gke_version/query.rego +++ b/assets/queries/terraform/gcp/outdated_gke_version/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.google_container_cluster[primary] 
@@ -13,12 +13,12 @@ CxPolicy[result] { "resourceName": tf_lib.get_resource_name(resource, primary), "searchKey": sprintf("google_container_cluster[%s]", [primary]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("GKE should not be using outated versions on min_master_version or node_version %s",[common_lib.get_version("gke")]), + "keyExpectedValue": sprintf("GKE should not be using outated versions on min_master_version or node_version %s", [common_lib.get_version("gke")]), "keyActualValue": "GKE is using outated versions on min_master_version or node_version", } } -using_unrecommended_version(resource){ +using_unrecommended_version(resource) { lower(resource.min_master_version) != "latest" latest_version := common_lib.get_version("gke") not startswith(resource.min_master_version, latest_version) @@ -27,4 +27,3 @@ using_unrecommended_version(resource){ latest_version := common_lib.get_version("gke") not startswith(resource.node_version, latest_version) } - diff --git a/assets/queries/terraform/gcp/pod_security_policy_disabled/query.rego b/assets/queries/terraform/gcp/pod_security_policy_disabled/query.rego index cfa16ffafa5..7107ebcbc7f 100644 --- a/assets/queries/terraform/gcp/pod_security_policy_disabled/query.rego +++ b/assets/queries/terraform/gcp/pod_security_policy_disabled/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.google_container_cluster[primary] 
@@ -15,7 +15,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "Attribute 'pod_security_policy_config' should be defined", "keyActualValue": "Attribute 'pod_security_policy_config' is undefined", - "searchLine": common_lib.build_search_line(["resource", "google_container_cluster", primary],[]), + "searchLine": common_lib.build_search_line(["resource", "google_container_cluster", primary], []), "remediation": "pod_security_policy_config {\n\t\tenabled = true\n\t}\n", "remediationType": "addition", } @@ -34,10 +34,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Attribute 'enabled' of 'pod_security_policy_config' should be true", "keyActualValue": "Attribute 'enabled' of 'pod_security_policy_config' is false", - "searchLine": common_lib.build_search_line(["resource", "google_container_cluster", primary],["pod_security_policy_config", "enabled"]), + "searchLine": common_lib.build_search_line(["resource", "google_container_cluster", primary], ["pod_security_policy_config", "enabled"]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/query.rego b/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/query.rego index 096091cdfc1..0a345bc3e06 100644 --- a/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/query.rego +++ b/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/query.rego @@ -22,7 +22,7 @@ CxPolicy[result] { CxPolicy[result] { compute := input.document[i].resource.google_compute_instance[name] - not common_lib.valid_key(compute,"metadata") + not common_lib.valid_key(compute, "metadata") result := { "documentId": input.document[i].id, 
@@ -37,7 +37,7 @@ CxPolicy[result] { CxPolicy[result] { compute := input.document[i].resource.google_compute_instance[name] - not common_lib.valid_key(compute.metadata,"block-project-ssh-keys") + not common_lib.valid_key(compute.metadata, "block-project-ssh-keys") result := { "documentId": input.document[i].id, diff --git a/assets/queries/terraform/gcp/rdp_access_is_not_restricted/query.rego b/assets/queries/terraform/gcp/rdp_access_is_not_restricted/query.rego index 694b75880f6..5e4e9024454 100644 --- a/assets/queries/terraform/gcp/rdp_access_is_not_restricted/query.rego +++ b/assets/queries/terraform/gcp/rdp_access_is_not_restricted/query.rego @@ -45,8 +45,8 @@ isRDPport(allow) { contains(allow.ports[j], "-") == false to_number(allow.ports[j]) == 3389 } else { - not allow.ports - isTCPorUDP(allow.protocol) + not allow.ports + isTCPorUDP(allow.protocol) } isInBounds(low, high) { diff --git a/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/query.rego b/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/query.rego index bbbda110ab5..753032c72d1 100644 --- a/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/query.rego +++ b/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/query.rego @@ -15,4 +15,4 @@ CxPolicy[result] { "keyExpectedValue": "google_container_cluster.enable_shielded_nodes should be set to true", "keyActualValue": "google_container_cluster.enable_shielded_nodes is set to false", } -} \ No newline at end of file +} diff --git a/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/query.rego b/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/query.rego index 94546e058a0..18441f70119 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/query.rego +++ b/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/query.rego 
@@ -14,7 +14,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "settings.backup_configuration should be defined and not null", "keyActualValue": "settings.backup_configuration is undefined or null", - "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name],["settings"]), + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], ["settings"]), } } @@ -29,7 +29,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "settings.backup_configuration.enabled should be defined and not null", "keyActualValue": "settings.backup_configuration.enabled is undefined or null", - "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name],["settings", "backup_configuration"]), + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], ["settings", "backup_configuration"]), "remediation": "enabled = true", "remediationType": "addition", } @@ -46,10 +46,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "settings.backup_configuration.enabled should be true", "keyActualValue": "settings.backup_configuration.enabled is false", - "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name],["settings", "backup_configuration", "enabled"]), + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], ["settings", "backup_configuration", "enabled"]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/query.rego b/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/query.rego index cb4c00f21f2..6f4d8bb03cb 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/query.rego 
+++ b/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/query.rego @@ -28,7 +28,7 @@ CxPolicy[result] { resource := input.document[i].resource.google_sql_database_instance[name] ip_configuration := resource.settings.ip_configuration - not common_lib.valid_key(ip_configuration,"authorized_networks") + not common_lib.valid_key(ip_configuration, "authorized_networks") ip_configuration.ipv4_enabled @@ -47,10 +47,10 @@ CxPolicy[result] { resource := input.document[i].resource.google_sql_database_instance[name] ip_configuration := resource.settings.ip_configuration - not common_lib.valid_key(ip_configuration,"authorized_networks") + not common_lib.valid_key(ip_configuration, "authorized_networks") not ip_configuration.ipv4_enabled - not common_lib.valid_key(ip_configuration,"private_network") + not common_lib.valid_key(ip_configuration, "private_network") result := { "documentId": input.document[i].id, @@ -67,7 +67,7 @@ CxPolicy[result] { resource := input.document[i].resource.google_sql_database_instance[name] settings := resource.settings - not common_lib.valid_key(settings,"ip_configuration") + not common_lib.valid_key(settings, "ip_configuration") result := { "documentId": input.document[i].id, @@ -81,10 +81,9 @@ CxPolicy[result] { } getAuthorizedNetworks(networks) = list { - is_array(networks) - list := networks + is_array(networks) + list := networks } else = list { - is_object(networks) - list := [networks] + is_object(networks) + list := [networks] } else = null - diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego index ca8961c9785..aa7e3592843 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego 
@@ -16,7 +16,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "'settings.ip_configuration' should be defined and not null", "keyActualValue": "'settings.ip_configuration' is undefined or null", - "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name],["settings"]), + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], ["settings"]), "remediation": "ip_configuration {\n\t\trequire_ssl = true\n\t}\n", "remediationType": "addition", } @@ -36,7 +36,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": "'settings.ip_configuration.require_ssl' should be defined and not null", "keyActualValue": "'settings.ip_configuration.require_ssl' is undefined or null", - "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name],["settings", "ip_configuration"]), + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], ["settings", "ip_configuration"]), "remediation": "require_ssl = true", "remediationType": "addition", } @@ -55,10 +55,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "'settings.ip_configuration.require_ssl' should be true", "keyActualValue": "'settings.ip_configuration.require_ssl' is false", - "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name],["settings", "ip_configuration", "require_ssl"]), + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], ["settings", "ip_configuration", "require_ssl"]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/gcp/ssh_access_is_not_restricted/query.rego b/assets/queries/terraform/gcp/ssh_access_is_not_restricted/query.rego index c22d4680528..6c186d14cc9 100644 
--- a/assets/queries/terraform/gcp/ssh_access_is_not_restricted/query.rego +++ b/assets/queries/terraform/gcp/ssh_access_is_not_restricted/query.rego @@ -39,19 +39,19 @@ isSSHport(allow) = ports { low_bound := to_number(port_bounds[0]) high_bound := to_number(port_bounds[1]) isInBounds(low_bound, high_bound) - ports := allow.ports[j] + ports := allow.ports[j] } isSSHport(allow) = ports { contains(allow.ports[j], "-") == false to_number(allow.ports[j]) == 22 - ports := allow.ports[j] + ports := allow.ports[j] } isSSHport(allow) = ports { not allow.ports - isTCPorAll(allow.protocol) - ports := "0-65535" + isTCPorAll(allow.protocol) + ports := "0-65535" } isTCPorAll(protocol) { diff --git a/assets/queries/terraform/gcp/user_with_iam_role/query.rego b/assets/queries/terraform/gcp/user_with_iam_role/query.rego index 6dc7f4d7c02..69db722cec2 100644 --- a/assets/queries/terraform/gcp/user_with_iam_role/query.rego +++ b/assets/queries/terraform/gcp/user_with_iam_role/query.rego @@ -38,6 +38,6 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("%s[%s].role should not be set", [resources[idx], name]), "keyActualValue": sprintf("%s[%s].role is set", [resources[idx], name]), - "searchLine": common_lib.build_search_line(["resource", resources[idx], name, "role"], []) + "searchLine": common_lib.build_search_line(["resource", resources[idx], name, "role"], []), } } diff --git a/assets/queries/terraform/gcp/using_default_service_account/query.rego b/assets/queries/terraform/gcp/using_default_service_account/query.rego index 52d28f893a4..9b918ec66a6 100644 --- a/assets/queries/terraform/gcp/using_default_service_account/query.rego +++ b/assets/queries/terraform/gcp/using_default_service_account/query.rego 
@@ -52,7 +52,7 @@ CxPolicy[result] { resource := input.document[i].resource.google_compute_instance[name] count(resource.service_account.email) > 0 not contains(resource.service_account.email, "@") - not emailInVar(resource.service_account.email) + not emailInVar(resource.service_account.email) result := { "documentId": input.document[i].id, @@ -81,6 +81,6 @@ CxPolicy[result] { } emailInVar(email) { - startswith(email,"${google_service_account.") - endswith(email,".email}") + startswith(email, "${google_service_account.") + endswith(email, ".email}") } diff --git a/assets/queries/terraform/gcp_bom/pst/query.rego b/assets/queries/terraform/gcp_bom/pst/query.rego index 5106f252103..b9e0a560754 100644 --- a/assets/queries/terraform/gcp_bom/pst/query.rego +++ b/assets/queries/terraform/gcp_bom/pst/query.rego 
@@ -33,25 +33,25 @@ check_encrytion(resource) = enc_status { enc_status := "unencrypted" } -get_accessibility(topic_name) = accessibility_status{ - iam_binding := input.document[i].resource.google_pubsub_topic_iam_binding[_] +get_accessibility(topic_name) = accessibility_status { + iam_binding := input.document[i].resource.google_pubsub_topic_iam_binding[_] topicRefArray := split(iam_binding.topic, ".") topicRefArray[1] == topic_name iam_binding.role == "roles/pubsub.publisher" checkMembers(iam_binding) - accessibility_status :="public" + accessibility_status := "public" } else = accessibility_status { - iam_binding := input.document[i].resource.google_pubsub_topic_iam_member[_] + iam_binding := input.document[i].resource.google_pubsub_topic_iam_member[_] topicRefArray := split(iam_binding.topic, ".") topicRefArray[1] == topic_name iam_binding.role == "roles/pubsub.publisher" checkMembers(iam_binding) accessibility_status := "public" -} else = accessibility_status{ +} else = accessibility_status { accessibility_status := "unknown" -} +} -consideredPublicPolicyMembers := {"allUsers","allAuthenticatedUsers"} +consideredPublicPolicyMembers := {"allUsers", "allAuthenticatedUsers"} checkMembers(resource) { common_lib.valid_key(resource, "members") diff --git a/assets/queries/terraform/gcp_bom/redis/query.rego b/assets/queries/terraform/gcp_bom/redis/query.rego index c59b6bc8a73..68fd45b8d7e 100644 --- a/assets/queries/terraform/gcp_bom/redis/query.rego +++ b/assets/queries/terraform/gcp_bom/redis/query.rego @@ -34,7 +34,7 @@ check_accessability(redis_instance) = acc_status { acc_status := "unknown" } -has_public_firewall(authorized_network){ +has_public_firewall(authorized_network) { firewall := input.document[_].resource.google_compute_firewall[_] common_lib.is_ingress(firewall) diff --git a/assets/queries/terraform/gcp_bom/sb/query.rego b/assets/queries/terraform/gcp_bom/sb/query.rego index 718954252e7..4b6994aadec 100644 
--- a/assets/queries/terraform/gcp_bom/sb/query.rego +++ b/assets/queries/terraform/gcp_bom/sb/query.rego @@ -2,6 +2,7 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib +import future.keywords.in CxPolicy[result] { s_bucket := input.document[i].resource.google_storage_bucket[name] @@ -33,27 +34,27 @@ check_encrytion(resource) = enc_status { enc_status := "unencrypted" } -consideredPublicPolicyMembers := {"allUsers","allAuthenticatedUsers"} +consideredPublicPolicyMembers := {"allUsers", "allAuthenticatedUsers"} -get_accessibility(bucket_name) = accessibility_status{ - access_control := input.document[i].resource.google_storage_bucket_access_control[_] +get_accessibility(bucket_name) = accessibility_status { + access_control := input.document[i].resource.google_storage_bucket_access_control[_] bucketRefArray := split(access_control.bucket, ".") bucketRefArray[1] == bucket_name - access_control.entity == consideredPublicPolicyMembers[_] - accessibility_status :="public" -} else = accessibility_status{ - iam_binding := input.document[i].resource.google_storage_bucket_iam_binding[_] + access_control.entity in consideredPublicPolicyMembers + accessibility_status := "public" +} else = accessibility_status { + iam_binding := input.document[i].resource.google_storage_bucket_iam_binding[_] bucketRefArray := split(iam_binding.bucket, ".") bucketRefArray[1] == bucket_name - checkMembers(iam_binding) - accessibility_status :="public" + checkMembers(iam_binding) + accessibility_status := "public" } else = accessibility_status { - iam_member := input.document[i].resource.google_storage_bucket_iam_member[_] + iam_member := input.document[i].resource.google_storage_bucket_iam_member[_] bucketRefArray := split(iam_member.bucket, ".") bucketRefArray[1] == bucket_name checkMembers(iam_member) accessibility_status := "public" -} else = accessibility_status{ +} else = accessibility_status { accessibility_status := "unknown" } 
diff --git a/assets/queries/terraform/general/variable_without_description/query.rego b/assets/queries/terraform/general/variable_without_description/query.rego index dc93f25f1d0..ddc5b189f4b 100644 --- a/assets/queries/terraform/general/variable_without_description/query.rego +++ b/assets/queries/terraform/general/variable_without_description/query.rego @@ -8,7 +8,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "resourceType": "n/a", + "resourceType": "n/a", "resourceName": "n/a", "searchKey": sprintf("variable.{{%s}}", [variableName]), "issueType": "MissingAttribute", @@ -23,7 +23,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "resourceType": "n/a", + "resourceType": "n/a", "resourceName": "n/a", "searchKey": sprintf("variable.{{%s}}.description", [variableName]), "issueType": "IncorrectValue", diff --git a/assets/queries/terraform/kubernetes/container_host_pid_is_true/query.rego b/assets/queries/terraform/kubernetes/container_host_pid_is_true/query.rego index 14dbbfcdf12..d162df44ceb 100644 --- a/assets/queries/terraform/kubernetes/container_host_pid_is_true/query.rego +++ b/assets/queries/terraform/kubernetes/container_host_pid_is_true/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource[resourceType] @@ -18,10 +18,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Attribute 'host_pid' should be undefined or false", "keyActualValue": "Attribute 'host_pid' is true", - "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path],["host_pid"]), + "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path], ["host_pid"]), "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } 
diff --git a/assets/queries/terraform/kubernetes/container_is_privileged/query.rego b/assets/queries/terraform/kubernetes/container_is_privileged/query.rego index 43bd449a877..c36e81668be 100644 --- a/assets/queries/terraform/kubernetes/container_is_privileged/query.rego +++ b/assets/queries/terraform/kubernetes/container_is_privileged/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib types := {"init_container", "container"} @@ -18,14 +18,14 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resourceType, "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s[%s].%s.%s.name={{%s}}.security_context.privileged", [resourceType, name, specInfo.path, types[x],containers[y].name]), + "searchKey": sprintf("%s[%s].%s.%s.name={{%s}}.security_context.privileged", [resourceType, name, specInfo.path, types[x], containers[y].name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("%s[%s].%s.%s[%d].security_context.privileged should be set to false", [resourceType, name, specInfo.path, types[x], y]), "keyActualValue": sprintf("%s[%s].%s.%s[%d].security_context.privileged is set to true", [resourceType, name, specInfo.path, types[x], y]), - "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path],[types[x], y, "security_context","privileged"]), + "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path], [types[x], y, "security_context", "privileged"]), "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } 
@@ -48,10 +48,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("%s[%s].%s.%s.security_context.privileged should not be set to true", [resourceType, name, specInfo.path, types[x]]), "keyActualValue": sprintf("%s[%s].%s.%s.security_context.privileged is set to true", [resourceType, name, specInfo.path, types[x]]), - "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path],[types[x], "security_context","privileged"]), + "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path], [types[x], "security_context", "privileged"]), "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/query.rego b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/query.rego index 415d495a998..37c4ebaf10f 100644 --- a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/query.rego +++ b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib types := {"init_container", "container"} diff --git a/assets/queries/terraform/kubernetes/container_runs_unmasked/query.rego b/assets/queries/terraform/kubernetes/container_runs_unmasked/query.rego index 4f0f5fcdd3f..6f0a57867a4 100644 --- a/assets/queries/terraform/kubernetes/container_runs_unmasked/query.rego +++ b/assets/queries/terraform/kubernetes/container_runs_unmasked/query.rego 
@@ -1,12 +1,13 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 CxPolicy[result] {
 resource := input.document[i].resource.kubernetes_pod_security_policy[name]
 allowed_proc_mount_types := resource.spec.allowed_proc_mount_types
- allowed_proc_mount_types[_] == "Unmasked"
+ "Unmasked" in allowed_proc_mount_types
 result := {
 "documentId": input.document[i].id,
diff --git a/assets/queries/terraform/kubernetes/container_with_added_capabilities/query.rego b/assets/queries/terraform/kubernetes/container_with_added_capabilities/query.rego
index 6a389e96420..c8640de5d58 100644
--- a/assets/queries/terraform/kubernetes/container_with_added_capabilities/query.rego
+++ b/assets/queries/terraform/kubernetes/container_with_added_capabilities/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 types := {"init_container", "container"}
diff --git a/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/query.rego b/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/query.rego
index 924b704443d..413542d392b 100644
--- a/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/query.rego
+++ b/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/query.rego
@@ -1,6 +1,7 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 types := {"init_container", "container"}
@@ -11,7 +12,7 @@ CxPolicy[result] {
 containers := specInfo.spec[types[x]]
 is_array(containers) == true
- containers[y].security_context.capabilities.add[_] = "SYS_ADMIN"
+ "SYS_ADMIN" in containers[y].security_context.capabilities.add
 result := {
 "documentId": input.document[i].id,
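Review bot: The new membership test `"SYS_ADMIN" in containers[y].security_context.capabilities.add` is an exact, case-sensitive match, so a capability spelled `CAP_SYS_ADMIN` or `sys_admin` would pass this query unflagged, whereas the sibling `net_raw_capabilities_not_being_dropped` query normalises with `upper()` before comparing. If the runtime tolerates those spellings (I cannot confirm that from this diff), the same normalisation would close the gap: `some cap in containers[y].security_context.capabilities.add` followed by `trim_prefix(upper(cap), "CAP_") == "SYS_ADMIN"`. Note also that `y` is first bound inside the reference on the right of `in` and is later used in the result's `%d`; that works, but a preceding `some y` would make the iteration explicit. The enclosing CxPolicy rule starts before and ends after this hunk.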
@@ -31,7 +32,7 @@ CxPolicy[result] { containers := specInfo.spec[types[x]] is_object(containers) == true - containers.security_context.capabilities.add[_] = "SYS_ADMIN" + "SYS_ADMIN" in containers.security_context.capabilities.add result := { "documentId": input.document[i].id, diff --git a/assets/queries/terraform/kubernetes/cpu_limits_not_set/query.rego b/assets/queries/terraform/kubernetes/cpu_limits_not_set/query.rego index 1cc3b5e6cbe..995d677463c 100644 --- a/assets/queries/terraform/kubernetes/cpu_limits_not_set/query.rego +++ b/assets/queries/terraform/kubernetes/cpu_limits_not_set/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib types := {"init_container", "container"} diff --git a/assets/queries/terraform/kubernetes/cpu_requests_not_set/query.rego b/assets/queries/terraform/kubernetes/cpu_requests_not_set/query.rego index 90f4372333b..a17e98182b6 100644 --- a/assets/queries/terraform/kubernetes/cpu_requests_not_set/query.rego +++ b/assets/queries/terraform/kubernetes/cpu_requests_not_set/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib types := {"init_container", "container"} diff --git a/assets/queries/terraform/kubernetes/default_service_account_in_use/query.rego b/assets/queries/terraform/kubernetes/default_service_account_in_use/query.rego index 949d725a5bf..d4abb61a8ec 100644 --- a/assets/queries/terraform/kubernetes/default_service_account_in_use/query.rego +++ b/assets/queries/terraform/kubernetes/default_service_account_in_use/query.rego 
@@ -18,9 +18,9 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("kubernetes_service_account[%s].automount_service_account_token should be set", [name]), "keyActualValue": sprintf("kubernetes_service_account[%s].automount_service_account_token is undefined", [name]), - "searchLine": common_lib.build_search_line(["resource", "kubernetes_service_account", name],[]), + "searchLine": common_lib.build_search_line(["resource", "kubernetes_service_account", name], []), "remediation": "automount_service_account_token = false", - "remediationType": "addition" + "remediationType": "addition", } } @@ -39,10 +39,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("kubernetes_service_account[%s].automount_service_account_token should be set to false", [name]), "keyActualValue": sprintf("kubernetes_service_account[%s].automount_service_account_token is not set to false", [name]), - "searchLine": common_lib.build_search_line(["resource", "kubernetes_service_account", name],["automount_service_account_token"]), + "searchLine": common_lib.build_search_line(["resource", "kubernetes_service_account", name], ["automount_service_account_token"]), "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/query.rego b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/query.rego index 78ced265c6e..bc58869232c 100644 --- a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/query.rego +++ b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/query.rego @@ -185,6 +185,4 @@ CxPolicy[result] { match_labels(templateLabels, selectorLabels) { some Key templateLabels[Key] == selectorLabels[Key] -} else = false { - true -} +} else = false 
diff --git a/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/query.rego b/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/query.rego
index 4347b7ec368..cc72c41f8ab 100644
--- a/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/query.rego
+++ b/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/query.rego
@@ -37,10 +37,8 @@ hasPodDisruptionBudget(lValue, lKey) {
 some key
 key == lKey
 labels[key] == lValue
-} else = false {
- true
-}
+} else = false
 hasReference(label) {
- regex.match("kubernetes_pod_disruption_budget.[a-zA-Z-_0-9]+", label)
+ regex.match(`kubernetes_pod_disruption_budget.[a-zA-Z-_0-9]+`, label)
 }
diff --git a/assets/queries/terraform/kubernetes/image_without_digest/query.rego b/assets/queries/terraform/kubernetes/image_without_digest/query.rego
index 4d654f074ad..bf2dc3f7baf 100644
--- a/assets/queries/terraform/kubernetes/image_without_digest/query.rego
+++ b/assets/queries/terraform/kubernetes/image_without_digest/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 types := {"init_container", "container"}
diff --git a/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/query.rego b/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/query.rego
index 825f25bfba3..12b2f4ea774 100644
--- a/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/query.rego
+++ b/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/query.rego
@@ -5,8 +5,8 @@ import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.kubernetes_ingress[name]
- metadata := resource.metadata
- annotations := metadata.annotations
+ metadata := resource.metadata
+ annotations := metadata.annotations
 common_lib.valid_key(annotations, "kubernetes.io/ingress.class")
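Review bot: The pattern moved into a raw string in `hasReference`, `kubernetes_pod_disruption_budget.[a-zA-Z-_0-9]+`, still contains an unescaped `.` that matches any character, and it is unanchored, so a label such as `kubernetes_pod_disruption_budgetX` or any longer string that merely contains that prefix is accepted as a reference. Raw strings no longer need double escaping, so this is the natural moment to write the literal dot: `regex.match(`kubernetes_pod_disruption_budget\.[a-zA-Z-_0-9]+`, label)`. Anchoring with `^` would tighten it further, but only if labels can never carry an interpolation prefix such as `${`, which this hunk does not show.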
@@ -19,32 +19,38 @@ CxPolicy[result] {
 "resourceType": "kubernetes_ingress",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("kubernetes_ingress[%s].spec.rule.http.path.backend", [name]),
- "issueType": "IncorrectValue",
+ "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("kubernetes_ingress[%s] should not be exposing the workload", [name]),
 "keyActualValue": sprintf("kubernetes_ingress[%s] is exposing the workload", [name]),
 }
 }
 ingressControllerExposesWorload(service_name, service_port) {
- services := input.document[i].resource.kubernetes_service[name]
+ services := input.document[i].resource.kubernetes_service[name]
 services.spec.port.target_port == service_port
 name == service_name
 }
-contentRule(spec) { #rule[r] and path
+contentRule(spec) { # rule[r] and path
 is_array(spec.rule)
- backend := spec.rule[r].http.path.backend
+ backend := spec.rule[r].http.path.backend
 ingressControllerExposesWorload(backend.service_name, backend.service_port)
-} else { #rule and path
- backend := spec.rule.http.path.backend
+} # rule and path
+
+else {
+ backend := spec.rule.http.path.backend
 ingressControllerExposesWorload(backend.service_name, backend.service_port)
-} else { #rule[r] and path[p]
+} # rule[r] and path[p]
+
+else {
 is_array(spec.rule)
- is_array(spec.rule[r].http.path)
- backend := spec.rule[r].http.path[p].backend
+ is_array(spec.rule[r].http.path)
+ backend := spec.rule[r].http.path[p].backend
 ingressControllerExposesWorload(backend.service_name, backend.service_port)
-} else { #rule and path[p]
+} # rule and path[p]
+
+else {
 is_array(spec.rule.http.path)
 backend := spec.rule.http.path[p].backend
 ingressControllerExposesWorload(backend.service_name, backend.service_port)
diff --git a/assets/queries/terraform/kubernetes/invalid_image/query.rego b/assets/queries/terraform/kubernetes/invalid_image/query.rego
index e4f1b1d7266..2dc19808a41 100644
--- a/assets/queries/terraform/kubernetes/invalid_image/query.rego
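Review bot: `ingressControllerExposesWorload` compares the ingress backend's `service_port` against `services.spec.port.target_port`, but an Ingress backend addresses the Service's exposed port (`spec.port.port`), which the Service in turn maps to `target_port`; a Service whose `port` and `target_port` differ would presumably never be matched here, so `services.spec.port.port == service_port` (or accepting either) looks like the intended comparison unless the target-port semantics are deliberate. The helper also walks `input.document[i]` with a fresh `i`, so the ingress and the Service may come from different documents, which is fine if that is intended but worth a comment. While this function is being reformatted, the misspelt name `ingressControllerExposesWorload` could be corrected to `ingressControllerExposesWorkload` at its definition and the four call sites in `contentRule`. The last `else` body of `contentRule` closes outside the hunk.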
+++ b/assets/queries/terraform/kubernetes/invalid_image/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib types := {"init_container", "container"} diff --git a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/query.rego b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/query.rego index 19f76eee321..81f9efb830c 100644 --- a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/query.rego +++ b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/query.rego @@ -4,12 +4,11 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - - types := {"kubernetes_pod": "spec.container", "kubernetes_deployment": "spec.template.spec.container"} - resource_prefix := types[x] + types := {"kubernetes_pod": "spec.container", "kubernetes_deployment": "spec.template.spec.container"} + resource_prefix := types[x] resource := input.document[i].resource[x][name] - path := checkPath(resource) + path := checkPath(resource) not common_lib.valid_key(path, "liveness_probe") @@ -24,8 +23,8 @@ CxPolicy[result] { } } -checkPath(resource) = path{ +checkPath(resource) = path { path := resource.spec.template.spec.container -}else = path{ +} else = path { path := resource.spec.container } diff --git a/assets/queries/terraform/kubernetes/memory_limits_not_defined/query.rego b/assets/queries/terraform/kubernetes/memory_limits_not_defined/query.rego index 1ffdf1a8f9d..b3269cfbb0b 100644 --- a/assets/queries/terraform/kubernetes/memory_limits_not_defined/query.rego +++ b/assets/queries/terraform/kubernetes/memory_limits_not_defined/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib types := {"init_container", "container"} 
diff --git a/assets/queries/terraform/kubernetes/memory_requests_not_defined/query.rego b/assets/queries/terraform/kubernetes/memory_requests_not_defined/query.rego index a9989e7aba4..c10ee36e220 100644 --- a/assets/queries/terraform/kubernetes/memory_requests_not_defined/query.rego +++ b/assets/queries/terraform/kubernetes/memory_requests_not_defined/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib types := {"init_container", "container"} diff --git a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego index 74ba07b792e..22675161468 100644 --- a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego +++ b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego @@ -7,7 +7,7 @@ CxPolicy[result] { labels := resource[name].metadata.labels - regex.match("^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", labels[key]) == false + regex.match(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`, labels[key]) == false result := { "documentId": input.document[i].id, diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/query.rego b/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/query.rego index 8a6c85fce2d..9bc669c9ebf 100644 --- a/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/query.rego +++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/query.rego 
@@ -17,6 +17,6 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": "spec.required_drop_capabilities 'is ALL or NET_RAW'",
 "keyActualValue": "spec.required_drop_capabilities 'is not ALL or NET_RAW'",
- "searchLine": commonLib.build_search_line(["resource", "kubernetes_pod_security_policy" ,name, "spec"],["required_drop_capabilities"]),
+ "searchLine": commonLib.build_search_line(["resource", "kubernetes_pod_security_policy", name, "spec"], ["required_drop_capabilities"]),
 }
 }
diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/query.rego b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/query.rego
index 2a0e61fce87..107eb92bd20 100644
--- a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/query.rego
+++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 types := {"init_container", "container"}
@@ -176,6 +176,6 @@ CxPolicy[result] {
 }
 }
-drop(array, elem) {
- upper(array[_]) == elem[_]
+drop(array_obj, elem) {
+ upper(array_obj[_]) == elem[_]
 }
diff --git a/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/query.rego b/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/query.rego
index 7cdfcc92d06..d4cb6aaa7f1 100644
--- a/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/query.rego
+++ b/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/query.rego
@@ -34,10 +34,8 @@ findTargettedPod(lValue, lKey) {
 some key
 key == lKey
 labels[key] == lValue
-} else = false {
- true
-}
+} else = false
 hasReference(label) {
- regex.match("kubernetes_[_a-zA-Z]+.[a-zA-Z-_0-9]+", label)
+ regex.match(`kubernetes_[_a-zA-Z]+.[a-zA-Z-_0-9]+`, label)
 }
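Review bot: `hasReference` keeps an unescaped `.` in `kubernetes_[_a-zA-Z]+.[a-zA-Z-_0-9]+`, so any character is accepted between the resource type and the name, and the pattern is unanchored; a plain label value such as `kubernetes_foo-bar` would therefore count as a resource reference and suppress the finding. With the raw string now in place the literal dot costs nothing: `regex.match(`kubernetes_[_a-zA-Z]+\.[a-zA-Z-_0-9]+`, label)`. Whether to anchor with `^` depends on whether labels can be wrapped in `${...}` interpolation, which this hunk does not show.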
diff --git a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/query.rego b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/query.rego index e2d40121434..8a1d43286be 100644 --- a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/query.rego +++ b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib types := {"init_container", "container"} diff --git a/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/query.rego b/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/query.rego index 85bbedc952d..8719c23d9c0 100644 --- a/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/query.rego +++ b/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/query.rego @@ -137,5 +137,5 @@ CxPolicy[result] { } isWildCardValue(val) { - regex.match(".*\\*.*", val) + regex.match(`.*\*.*`, val) } diff --git a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/query.rego b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/query.rego index 2fa02bedee4..cbd615ada48 100644 --- a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/query.rego +++ b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.kubernetes_pod[name] diff --git a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/query.rego b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/query.rego index da0b6b308c7..7008e8d12d6 100644 
--- a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/query.rego
+++ b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 types := {"init_container", "container"}
@@ -18,14 +18,14 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resourceType,
 "resourceName": tf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("%s[%s].%s.%s.name={{%s}}.security_context.allow_privilege_escalation", [resourceType, name, specInfo.path, types[x],containers[y].name]),
+ "searchKey": sprintf("%s[%s].%s.%s.name={{%s}}.security_context.allow_privilege_escalation", [resourceType, name, specInfo.path, types[x], containers[y].name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("%s[%s].%s.%s[%d].security_context.allow_privilege_escalation should not be set to true", [resourceType, name, specInfo.path, types[x], y]),
 "keyActualValue": sprintf("%s[%s].%s.%s[%d].security_context.allow_privilege_escalation is set to true", [resourceType, name, specInfo.path, types[x], y]),
- "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path],[types[x], "security_context","allow_privilege_escalation"]),
+ "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path], [types[x], "security_context", "allow_privilege_escalation"]),
 "remediation": json.marshal({
 "before": "true",
- "after": "false"
+ "after": "false",
 }),
 "remediationType": "replacement",
 }
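Review bot: In this array-container branch the `searchLine` is built from `[types[x], "security_context", "allow_privilege_escalation"]` without the container index `y`, while the same result's `keyExpectedValue`/`keyActualValue` report `%s[%d]` with `y`, and the sibling `container_is_privileged` query's array branch does include it (`[types[x], y, "security_context", "privileged"]`). As written the reported line presumably cannot single out which container in the list is at fault, and it diverges from the `searchKey` that names `containers[y].name`; change it to `common_lib.build_search_line([resourceType, name, specInfo.path], [types[x], y, "security_context", "allow_privilege_escalation"])`. The enclosing rule starts outside the hunk.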
@@ -48,10 +48,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("%s[%s].%s.%s.security_context.allow_privilege_escalation should not be set to true", [resourceType, name, specInfo.path, types[x]]), "keyActualValue": sprintf("%s[%s].%s.%s.security_context.allow_privilege_escalation is set to true", [resourceType, name, specInfo.path, types[x]]), - "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path],[types[x], "security_context","allow_privilege_escalation"]), + "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path], [types[x], "security_context", "allow_privilege_escalation"]), "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/query.rego b/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/query.rego index 6069a2ea153..b6139a9650f 100644 --- a/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/query.rego +++ b/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/query.rego @@ -16,7 +16,7 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("kubernetes_pod_security_policy[%s].spec.allow_privilege_escalation should be set", [name]), "keyActualValue": sprintf("kubernetes_pod_security_policy[%s].spec.allow_privilege_escalation is undefined", [name]), - "searchLine": common_lib.build_search_line(["resource", "kubernetes_pod_security_policy",name, "spec"],[]), + "searchLine": common_lib.build_search_line(["resource", "kubernetes_pod_security_policy", name, "spec"], []), "remediation": "allow_privilege_escalation = false", "remediationType": "addition", } 
@@ -35,10 +35,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("kubernetes_pod_security_policy[%s].spec.allow_privilege_escalation should be set to false", [name]), "keyActualValue": sprintf("kubernetes_pod_security_policy[%s].spec.allow_privilege_escalation is set to true", [name]), - "searchLine": common_lib.build_search_line(["resource", "kubernetes_pod_security_policy",name, "spec"],["allow_privilege_escalation"]), + "searchLine": common_lib.build_search_line(["resource", "kubernetes_pod_security_policy", name, "spec"], ["allow_privilege_escalation"]), "remediation": json.marshal({ - "before": sprintf("%s",[resource.spec.allow_privilege_escalation]), - "after": "false" + "before": sprintf("%s", [resource.spec.allow_privilege_escalation]), + "after": "false", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/query.rego b/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/query.rego index b1e176613eb..7fbbece1d9a 100644 --- a/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/query.rego +++ b/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.kubernetes_pod_security_policy[name] 
@@ -16,10 +16,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": "Attribute 'host_ipc' should be undefined or false", "keyActualValue": "Attribute 'host_ipc' is true", - "searchLine": common_lib.build_search_line(["resource", "kubernetes_pod_security_policy",name, "spec"],["host_ipc"]), + "searchLine": common_lib.build_search_line(["resource", "kubernetes_pod_security_policy", name, "spec"], ["host_ipc"]), "remediation": json.marshal({ "before": "true", - "after": "false" + "after": "false", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/kubernetes/psp_set_to_privileged/query.rego b/assets/queries/terraform/kubernetes/psp_set_to_privileged/query.rego index e1c1d230a85..a50bcda0b6a 100644 --- a/assets/queries/terraform/kubernetes/psp_set_to_privileged/query.rego +++ b/assets/queries/terraform/kubernetes/psp_set_to_privileged/query.rego @@ -1,7 +1,7 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.kubernetes_pod_security_policy[name] @@ -16,10 +16,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("kubernetes_pod_security_policy[%s].spec.privileged should be set to false", [name]), "keyActualValue": sprintf("kubernetes_pod_security_policy[%s].spec.privileged is not set to false", [name]), - "searchLine": common_lib.build_search_line(["resource", "kubernetes_pod_security_policy",name, "spec"],["privileged"]), + "searchLine": common_lib.build_search_line(["resource", "kubernetes_pod_security_policy", name, "spec"], ["privileged"]), "remediation": json.marshal({ "before": sprintf("%s", [resource.spec.privileged]), - "after": "false" + "after": "false", }), "remediationType": "replacement", } 
diff --git a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/query.rego b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/query.rego
index 705b6bd0882..29166a50434 100644
--- a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/query.rego
+++ b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/query.rego
@@ -1,6 +1,7 @@
 package Cx
 import data.generic.terraform as tf_lib
+import future.keywords.in
 readVerbs := ["get", "watch", "list"]
@@ -23,12 +24,12 @@ CxPolicy[result] {
 allowsSecrets(rules) {
 is_array(rules)
 some r
- rules[r].resources[_] == "secrets"
+ "secrets" in rules[r].resources
 rules[r].verbs[_] == readVerbs[_]
 }
 allowsSecrets(rule) {
 is_object(rule)
- rule.resources[_] == "secrets"
+ "secrets" in rule.resources
 rule.verbs[_] == readVerbs[_]
 }
diff --git a/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/query.rego b/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/query.rego
index c707af42b7c..6b7ae66977b 100644
--- a/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/query.rego
+++ b/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/query.rego
@@ -1,7 +1,8 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+import future.keywords.in
 types := {"init_container", "container"}
@@ -54,6 +55,5 @@ CxPolicy[result] {
 resource_equal(type) {
 resources := {"kubernetes_cron_job", "kubernetes_job"}
-
- type == resources[_]
+ type in resources
 }
diff --git a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/query.rego b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/query.rego
index af1178a5c55..d68a550ee38 100644
--- a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/query.rego
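Review bot: `allowsSecrets` only fires when a rule names `secrets` literally and one of `readVerbs := ["get", "watch", "list"]`, so a role granting `resources = ["*"]` or `verbs = ["*"]`, which can read secrets just as well, is never reported, whereas the sibling `service_account_allows_access_secrets` query treats `"*"` as a tainted verb. If wildcard grants are meant to be caught, widen both checks: `readVerbs := ["get", "watch", "list", "*"]` at the top of the file, and `some res in rules[r].resources` followed by `res in {"secrets", "*"}` in place of `"secrets" in rules[r].resources` (likewise in the object variant). The remaining `rules[r].verbs[_] == readVerbs[_]` line is also a candidate for the `in` form this commit introduces.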
+++ b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/query.rego
@@ -1,7 +1,7 @@
 package Cx
-import data.generic.terraform as tf_lib
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 types := {"init_container", "container"}
@@ -24,7 +24,7 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("%s[%s].%s.%s[%d].security_context should be set", [resourceType, name, specInfo.path, types[x], containersType]),
 "keyActualValue": sprintf("k%s[%s].%s.%s[%d].security_context is undefined", [resourceType, name, specInfo.path, types[x], containersType]),
- "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path],[types[x]]),
+ "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path], [types[x]]),
 }
 }
@@ -35,8 +35,8 @@ CxPolicy[result] {
 containers := specInfo.spec[types[x]]
 is_array(containers) == true
- common_lib.valid_key(containers[j], "security_context")
- not common_lib.valid_key(containers[j].security_context, "read_only_root_filesystem")
+ common_lib.valid_key(containers[j], "security_context")
+ not common_lib.valid_key(containers[j].security_context, "read_only_root_filesystem")
 result := {
 "documentId": input.document[i].id,
@@ -45,7 +45,7 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("%s[%s].%s.%s[%d].security_context.read_only_root_filesystem should be set", [resourceType, name, specInfo.path, types[x], j]),
 "keyActualValue": sprintf("%s[%s].%s.%s[%d].security_context.read_only_root_filesystem is undefined", [resourceType, name, specInfo.path, types[x], j]),
- "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path],[types[x], "security_context"]),
+ "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path], [types[x], "security_context"]),
 "remediation": "read_only_root_filesystem = true",
 "remediationType": "addition",
 }
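Review bot: The `keyActualValue` format string in the `@@ -24,7` hunk starts with a stray `k`, `"k%s[%s].%s.%s[%d].security_context is undefined"`, so the reported path comes out as e.g. `kkubernetes_pod[...]`; drop the letter so it reads `"%s[%s].%s.%s[%d].security_context is undefined"`, matching the `keyExpectedValue` line above it. That result's rule starts before the hunk, so I cannot see what `containersType` is bound to, but it is formatted with `%d` and so should be an index rather than a type name — worth confirming.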
@@ -70,10 +70,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("%s[%s].%s.%s[%d].security_context.read_only_root_filesystem should be set to true", [resourceType, name, specInfo.path, types[x], y]), "keyActualValue": sprintf("%s[%s].%s.%s[%d].security_context.read_only_root_filesystem is not set to true", [resourceType, name, specInfo.path, types[x], y]), - "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path],[types[x], "security_context", "read_only_root_filesystem"]), + "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path], [types[x], "security_context", "read_only_root_filesystem"]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } @@ -96,7 +96,7 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("%s[%s].%s.%s.security_context should be set", [resourceType, name, specInfo.path, types[x]]), "keyActualValue": sprintf("%s[%s].%s.%s.security_context is undefined", [resourceType, name, specInfo.path, types[x]]), - "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path],[types[x]]), + "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path], [types[x]]), } } @@ -117,7 +117,7 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("%s[%s].%s.%s.security_context.read_only_root_filesystem should be set", [resourceType, name, specInfo.path, types[x]]), "keyActualValue": sprintf("%s[%s].%s.%s.security_context.read_only_root_filesystem is undefined", [resourceType, name, specInfo.path, types[x]]), - "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path],[types[x], "security_context"]), + "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path], [types[x], "security_context"]), "remediation": "read_only_root_filesystem = true", "remediationType": "addition", } 
@@ -140,10 +140,10 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("%s[%s].%s.%s.security_context.read_only_root_filesystem should be set to true", [resourceType, name, specInfo.path, types[x]]), "keyActualValue": sprintf("%s[%s].%s.%s.security_context.read_only_root_filesystem is not set to true", [resourceType, name, specInfo.path, types[x]]), - "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path],[types[x], "security_context" ,"read_only_root_filesystem"]), + "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path], [types[x], "security_context", "read_only_root_filesystem"]), "remediation": json.marshal({ "before": "false", - "after": "true" + "after": "true", }), "remediationType": "replacement", } diff --git a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/query.rego b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/query.rego index c05ac78230a..a4449dfa007 100644 --- a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/query.rego +++ b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/query.rego @@ -3,7 +3,7 @@ package Cx import data.generic.common as common_lib import data.generic.terraform as tf_lib -#pod +# pod CxPolicy[result] { resource := input.document[i].resource.kubernetes_pod[name] @@ -126,7 +126,7 @@ CxPolicy[result] { } } -#general +# general resources := {"kubernetes_cron_job", "kubernetes_pod"} CxPolicy[result] { diff --git a/assets/queries/terraform/kubernetes/secrets_as_environment_variables/query.rego b/assets/queries/terraform/kubernetes/secrets_as_environment_variables/query.rego index 6c4526a6688..bcb30a78e7b 100644 --- a/assets/queries/terraform/kubernetes/secrets_as_environment_variables/query.rego +++ b/assets/queries/terraform/kubernetes/secrets_as_environment_variables/query.rego 
@@ -1,7 +1,7 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
types := {"init_container", "container"}
diff --git a/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/query.rego b/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/query.rego
index d2b04507713..4365dda981a 100644
--- a/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/query.rego
+++ b/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/query.rego
@@ -2,14 +2,15 @@ package Cx
import data.generic.common as commonLib
import data.generic.terraform as tf_lib
+import future.keywords.in
CxPolicy[result] {
resources_types := ["kubernetes_role", "kubernetes_cluster_role"]
resource := input.document[i].resource[resources_types[type]]
- ruleTaint := ["get", "watch", "list", "*"]
- kind := resources_types[type]
- getName := resource[name]
- bindingExists(name, kind)
+ ruleTaint := ["get", "watch", "list", "*"]
+ kind := resources_types[type]
+ getName := resource[name]
+ bindingExists(name, kind)
contentRule(resource[name].rule, ruleTaint)
@@ -18,7 +19,7 @@ CxPolicy[result] {
"resourceType": resources_types[type],
"resourceName": tf_lib.get_resource_name(resource, name),
"searchKey": sprintf("%s[%s].rule", [resources_types[type], name]),
- "issueType": "IncorrectValue",
+ "issueType": "IncorrectValue",
"keyExpectedValue": sprintf("%s[%s].rule.verbs should not contain the following verbs: %s", [resources_types[type], name, ruleTaint]),
"keyActualValue": sprintf("%s[%s].rule.verbs contain one of the following verbs: %s", [resources_types[type], name, ruleTaint]),
}
@@ -27,22 +28,22 @@ CxPolicy[result] {
bindingExists(name, kind) {
kind == "kubernetes_role"
- resource = input.document[roleBinding].resource.kubernetes_role_binding[kcr_name]
+ resource = input.document[roleBinding].resource.kubernetes_role_binding[kcr_name]
resource.subject[s].kind == "ServiceAccount"
resource.role_ref.kind == "Role"
resource.role_ref.name == name
} else {
kind == "kubernetes_cluster_role"
- resource = input.document[roleBinding].resource.kubernetes_cluster_role_binding[kcr_name]
+ resource = input.document[roleBinding].resource.kubernetes_cluster_role_binding[kcr_name]
resource.subject[s].kind == "ServiceAccount"
resource.role_ref.kind == "ClusterRole"
resource.role_ref.name == name
}
contentRule(rule, ruleTaint) {
- resources := rule.resources
- resources[_] == "secrets"
+ resources := rule.resources
+ "secrets" in resources
verbs := rule.verbs
commonLib.compareArrays(ruleTaint, verbs)
@@ -50,10 +51,9 @@ contentRule(rule, ruleTaint) {
is_array(rule)
- resources := rule[r].resources
- resources[_] == "secrets"
+ resources := rule[r].resources
+ "secrets" in resources
verbs := rule[r].verbs
commonLib.compareArrays(ruleTaint, verbs)
}
-
diff --git a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/query.rego b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/query.rego
index 37e5dd92d79..6faa9e82e8b 100644
--- a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/query.rego
+++ b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/query.rego
@@ -7,7 +7,7 @@ CxPolicy[result] {
resource := input.document[i].resource.kubernetes_pod[name]
spec := resource.spec
- not common_lib.valid_key(spec, "service_account_name")
+ not common_lib.valid_key(spec, "service_account_name")
result := {
"documentId": input.document[i].id,
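Review bot: The new `"secrets" in resources` test in both `contentRule` bodies still fires only when the rule names `secrets` literally, so a Role or ClusterRole bound to a ServiceAccount with `resources = ["*"]` grants the same get/watch/list access to secrets and passes this query unflagged. Unless a sibling query covers wildcard resources (none is visible from here), accept either spelling with `some r in resources` followed by `r in {"secrets", "*"}` in place of the single membership line, in both bodies. Separately, the re-indented `resource = input.document[roleBinding]...` lines in `bindingExists` keep unification where `resource` is a fresh local; `resource := ...` states that intent and cannot silently bind to a package-level `resource` if one is added later.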
@@ -24,7 +24,7 @@ CxPolicy[result] {
resource := input.document[i].resource.kubernetes_pod[name]
service_account_name := resource.spec.service_account_name
- service_account_name == ""
+ service_account_name == ""
result := {
"documentId": input.document[i].id,
diff --git a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/query.rego b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/query.rego
index a37de39a998..4e9540fe851 100644
--- a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/query.rego
+++ b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/query.rego
@@ -16,7 +16,7 @@ CxPolicy[result] {
"issueType": "MissingAttribute",
"keyExpectedValue": sprintf("kubernetes_pod[%s].spec.automount_service_account_token should be set", [name]),
"keyActualValue": sprintf("kubernetes_pod[%s].spec.automount_service_account_token is undefined", [name]),
- "searchLine": common_lib.build_search_line(["resource", "kubernetes_pod", name, "spec"],[]),
+ "searchLine": common_lib.build_search_line(["resource", "kubernetes_pod", name, "spec"], []),
"remediation": "automount_service_account_token = false",
"remediationType": "addition",
}
@@ -35,10 +35,10 @@ CxPolicy[result] {
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("kubernetes_pod[%s].spec.automount_service_account_token should be set to false", [name]),
"keyActualValue": sprintf("kubernetes_pod[%s].spec.automount_service_account_token is set to true", [name]),
- "searchLine": common_lib.build_search_line(["resource", "kubernetes_pod", name, "spec"],["automount_service_account_token"]),
+ "searchLine": common_lib.build_search_line(["resource", "kubernetes_pod", name, "spec"], ["automount_service_account_token"]),
"remediation": json.marshal({
"before": "true",
- "after": "false"
+ "after": "false",
}),
"remediationType": "replacement",
}
@@ -61,7 +61,7 @@ CxPolicy[result] {
"issueType": "MissingAttribute",
"keyExpectedValue": sprintf("%s[%s].spec.template.spec.automount_service_account_token should be set", [listKinds[x], name]),
"keyActualValue": sprintf("%s[%s].spec.template.spec.automount_service_account_token is undefined", [listKinds[x], name]),
- "searchLine": common_lib.build_search_line(["resource", listKinds[x], name, "spec", "template", "spec"],[]),
+ "searchLine": common_lib.build_search_line(["resource", listKinds[x], name, "spec", "template", "spec"], []),
"remediation": "automount_service_account_token = false",
"remediationType": "addition",
}
@@ -80,10 +80,10 @@ CxPolicy[result] {
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("%s[%s].spec.template.spec.automount_service_account_token should be set to false", [listKinds[x], name]),
"keyActualValue": sprintf("%s[%s].spec.template.spec.automount_service_account_token is set to true", [listKinds[x], name]),
- "searchLine": common_lib.build_search_line(["resource", listKinds[x], name, "spec", "template", "spec"],["automount_service_account_token"]),
+ "searchLine": common_lib.build_search_line(["resource", listKinds[x], name, "spec", "template", "spec"], ["automount_service_account_token"]),
"remediation": json.marshal({
"before": "true",
- "after": "false"
+ "after": "false",
}),
"remediationType": "replacement",
}
@@ -102,7 +102,7 @@ CxPolicy[result] {
"issueType": "MissingAttribute",
"keyExpectedValue": sprintf("kubernetes_cron_job[%s].spec.job_template.spec.template.spec.automount_service_account_token should be set", [name]),
"keyActualValue": sprintf("kubernetes_cron_job[%s].spec.job_template.spec.template.spec.automount_service_account_token is undefined", [name]),
- "searchLine": common_lib.build_search_line(["resource", "kubernetes_cron_job", name, "spec", "template", "spec", "template", "spec"],[]),
+ "searchLine": common_lib.build_search_line(["resource", "kubernetes_cron_job", name, "spec", "template", "spec", "template", "spec"], []),
"remediation": "automount_service_account_token = false",
"remediationType": "addition",
}
@@ -121,10 +121,10 @@ CxPolicy[result] {
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("kubernetes_cron_job[%s].spec.job_template.spec.template.spec.automount_service_account_token should be set to false", [name]),
"keyActualValue": sprintf("kubernetes_cron_job[%s].spec.job_template.spec.template.spec.automount_service_account_token is set to true", [name]),
- "searchLine": common_lib.build_search_line(["resource", "kubernetes_cron_job", name, "spec", "template", "spec", "template", "spec"],["automount_service_account_token"]),
+ "searchLine": common_lib.build_search_line(["resource", "kubernetes_cron_job", name, "spec", "template", "spec", "template", "spec"], ["automount_service_account_token"]),
"remediation": json.marshal({
"before": "true",
- "after": "false"
+ "after": "false",
}),
"remediationType": "replacement",
}
diff --git a/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/query.rego b/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/query.rego
index ac61dbbd157..dac7a491c11 100644
--- a/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/query.rego
+++ b/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/query.rego
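Review bot: The re-spaced `searchLine` in both `kubernetes_cron_job` hunks (`MissingAttribute` at -102 and `IncorrectValue` at -121) walks `spec.template.spec.template.spec`, while the `keyExpectedValue`/`keyActualValue` strings two lines above describe `spec.job_template.spec.template.spec`. If the rule body, which starts outside these hunks, reads the attribute through `job_template` as the messages say, the search line cannot resolve to the flagged attribute and the `replacement`/`addition` remediation is anchored at the wrong line. The path list should be `["resource", "kubernetes_cron_job", name, "spec", "job_template", "spec", "template", "spec"]` in both hunks; a fixture with `automount_service_account_token = true` inside `job_template` would confirm which form the scanner resolves.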
@@ -1,7 +1,7 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
resource := input.document[i].resource[resourceType]
@@ -18,10 +18,10 @@ CxPolicy[result] {
"issueType": "IncorrectValue",
"keyExpectedValue": "Attribute 'host_ipc' should be undefined or false",
"keyActualValue": "Attribute 'host_ipc' is true",
- "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path],["host_ipc"]),
+ "searchLine": common_lib.build_search_line([resourceType, name, specInfo.path], ["host_ipc"]),
"remediation": json.marshal({
"before": "true",
- "after": "false"
+ "after": "false",
}),
"remediationType": "replacement",
}
diff --git a/assets/queries/terraform/kubernetes/shared_host_network_namespace/query.rego b/assets/queries/terraform/kubernetes/shared_host_network_namespace/query.rego
index 927576acaaa..97e584ac710 100644
--- a/assets/queries/terraform/kubernetes/shared_host_network_namespace/query.rego
+++ b/assets/queries/terraform/kubernetes/shared_host_network_namespace/query.rego
@@ -1,7 +1,7 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
resource := input.document[i].resource[resourceType]
@@ -18,10 +18,10 @@ CxPolicy[result] {
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("%s[%s].%s.host_network should be undefined or set to false", [resourceType, name, specInfo.path]),
"keyActualValue": sprintf("%s[%s].%s.host_network is set to true", [resourceType, name, specInfo.path]),
- "searchLine": common_lib.build_search_line(["resource", resourceType, name, specInfo.path],["host_network"]),
+ "searchLine": common_lib.build_search_line(["resource", resourceType, name, specInfo.path], ["host_network"]),
"remediation": json.marshal({
"before": "true",
- "after": "false"
+ "after": "false",
}),
"remediationType": "replacement",
}
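Review bot: The `shared_host_ipc_namespace` hunk at -18 builds its search line from `[resourceType, name, specInfo.path]`, while the `shared_host_network_namespace` hunk at -18 in the same change uses `["resource", resourceType, name, specInfo.path]`; both feed the same `specInfo.path` shape into `common_lib.build_search_line`, so at most one of the two prefixes can yield a path that resolves in the scanned document. I cannot see `build_search_line` or the spec helper from here, but every other Terraform query in this diff that builds a search line (`kubernetes_pod`, `kubernetes_cron_job`, `tencentcloud_mysql_instance`) starts the list with `"resource"`, which suggests the `host_ipc` line (and the `read_only_root_filesystem` hunks earlier in this diff) is the one missing it. If a fixture confirms that, the fix is `"searchLine": common_lib.build_search_line(["resource", resourceType, name, specInfo.path], ["host_ipc"]),`.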
diff --git a/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/query.rego b/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/query.rego
index 246019e8852..fd07cda50ce 100644
--- a/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/query.rego
+++ b/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/query.rego
@@ -37,10 +37,8 @@ hasPodDisruptionBudget(lValue, lKey) {
some key
key == lKey
labels[key] == lValue
-} else = false {
- true
-}
+} else = false
hasReference(label) {
- regex.match("kubernetes_pod_disruption_budget.[a-zA-Z-_0-9]+", label)
+ regex.match(`kubernetes_pod_disruption_budget.[a-zA-Z-_0-9]+`, label)
}
diff --git a/assets/queries/terraform/kubernetes/statefulset_without_service_name/query.rego b/assets/queries/terraform/kubernetes/statefulset_without_service_name/query.rego
index 3b1d6afa5c7..66bdd7f87fd 100644
--- a/assets/queries/terraform/kubernetes/statefulset_without_service_name/query.rego
+++ b/assets/queries/terraform/kubernetes/statefulset_without_service_name/query.rego
@@ -5,11 +5,13 @@ import data.generic.terraform as tf_lib
CxPolicy[result] {
stateful := input.document[i].resource.kubernetes_stateful_set[name]
- count({x | resource := input.document[_].resource.kubernetes_service[x];
- resource.spec.cluster_ip == "None";
- stateful.metadata.namespace == resource.metadata.namespace;
- stateful.spec.service_name == resource.metadata.name;
- match_labels(stateful.spec.template.metadata.labels, resource.spec.selector) == true}) == 0
+ count({x |
+ resource := input.document[_].resource.kubernetes_service[x]
+ resource.spec.cluster_ip == "None"
+ stateful.metadata.namespace == resource.metadata.namespace
+ stateful.spec.service_name == resource.metadata.name
+ match_labels(stateful.spec.template.metadata.labels, resource.spec.selector) == true
+ }) == 0
result := {
"documentId": input.document[i].id,
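Review bot: Switching `hasReference` to a raw string leaves the `.` after `kubernetes_pod_disruption_budget` unescaped, so it matches any character rather than the `.` that separates a Terraform resource type from its name, and `regex.match` is unanchored, so the pattern also fires on a longer label value that merely contains that prefix. Now that backslashes no longer need doubling, the minimal tightening is `` regex.match(`kubernetes_pod_disruption_budget\.[a-zA-Z-_0-9]+`, label) ``; anchoring with `^...$` would be stricter still, but is only safe if the label holds the bare reference, which this hunk does not show. `hasPodDisruptionBudget` starts outside the hunk.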
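Review bot: The reflowed comprehension still calls `match_labels(stateful.spec.template.metadata.labels, resource.spec.selector)`, placing the StatefulSet's template labels in the `serviceLabels` position and the Service selector in the `statefulsetLabels` position; since `match_labels` (next hunk) requires every key of its first argument to appear with the same value in the second, this demands that every pod-template label be present in the selector. Kubernetes selection works the other way round — every selector key must be present in the pod labels — so a StatefulSet whose template carries any label beyond the selector keys (a `version` label, say) finds no matching headless Service here and is reported as missing one. Unless an exact label match is intended, swap the arguments: `match_labels(resource.spec.selector, stateful.spec.template.metadata.labels) == true`. The enclosing `CxPolicy` rule continues past the end of the hunk.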
@@ -23,5 +25,5 @@ CxPolicy[result] {
}
match_labels(serviceLabels, statefulsetLabels) {
- count({x | label := serviceLabels[x]; label == statefulsetLabels[x]}) == count(serviceLabels)
+ count({x | label := serviceLabels[x]; label == statefulsetLabels[x]}) == count(serviceLabels)
}
diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/query.rego b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/query.rego
index adebc5501e8..83e04bff24c 100644
--- a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/query.rego
+++ b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/query.rego
@@ -1,10 +1,9 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
-
instance := input.document[i].resource.nifcloud_instance[name]
instance.network_interface[_].network_id == "net-COMMON_PRIVATE"
@@ -20,7 +19,6 @@ CxPolicy[result] {
}
CxPolicy[result] {
-
instance := input.document[i].resource.nifcloud_instance[name]
instance.network_interface.network_id == "net-COMMON_PRIVATE"
diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/query.rego b/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/query.rego
index ce60a3b0a7c..646c77d6f8c 100644
--- a/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/query.rego
+++ b/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/query.rego
@@ -1,10 +1,9 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
-
securityGroupRule := input.document[i].resource.nifcloud_security_group_rule[name]
cidr := split(securityGroupRule.cidr_ip, "/")
to_number(cidr[1]) < 1
diff --git a/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/query.rego b/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/query.rego
index 0b1226e3359..2faa60ef8d1 100644
--- a/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/query.rego
+++ b/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/query.rego
@@ -1,12 +1,11 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
-
instance := input.document[i].resource.nifcloud_instance[name]
- not common_lib.valid_key(instance, "security_group")
+ not common_lib.valid_key(instance, "security_group")
result := {
"documentId": input.document[i].id,
diff --git a/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/query.rego b/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/query.rego
index 7f490285abe..8341d350929 100644
--- a/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/query.rego
+++ b/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/query.rego
@@ -1,12 +1,11 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
-
securityGroup := input.document[i].resource.nifcloud_security_group[name]
- not common_lib.valid_key(securityGroup, "description")
+ not common_lib.valid_key(securityGroup, "description")
result := {
"documentId": input.document[i].id,
diff --git a/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/query.rego b/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/query.rego
index b7d1b87175a..494febbcfde 100644
--- a/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/query.rego
+++ b/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/query.rego
@@ -1,12 +1,11 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
-
securityGroupRule := input.document[i].resource.nifcloud_security_group_rule[name]
- not common_lib.valid_key(securityGroupRule, "description")
+ not common_lib.valid_key(securityGroupRule, "description")
result := {
"documentId": input.document[i].id,
diff --git a/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/query.rego b/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/query.rego
index 965203d8c44..d76d96359f2 100644
--- a/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/query.rego
+++ b/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/query.rego
@@ -1,12 +1,11 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
-
dbInstance := input.document[i].resource.nifcloud_db_instance[name]
- not common_lib.valid_key(dbInstance, "backup_retention_period")
+ not common_lib.valid_key(dbInstance, "backup_retention_period")
result := {
"documentId": input.document[i].id,
@@ -20,7 +19,6 @@ CxPolicy[result] {
}
CxPolicy[result] {
-
dbInstance := input.document[i].resource.nifcloud_db_instance[name]
dbInstance.backup_retention_period < 7
diff --git a/assets/queries/terraform/nifcloud/db_has_public_access/query.rego b/assets/queries/terraform/nifcloud/db_has_public_access/query.rego
index 7c36874fee8..c2c7196acdd 100644
--- a/assets/queries/terraform/nifcloud/db_has_public_access/query.rego
+++ b/assets/queries/terraform/nifcloud/db_has_public_access/query.rego
@@ -1,11 +1,11 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
dbInstance := input.document[i].resource.nifcloud_db_instance[name]
- dbInstance.publicly_accessible == true
+ dbInstance.publicly_accessible == true
result := {
"documentId": input.document[i].id,
"resourceType": "nifcloud_db_instance",
@@ -18,9 +18,8 @@ CxPolicy[result] {
}
CxPolicy[result] {
-
dbInstance := input.document[i].resource.nifcloud_db_instance[name]
- not common_lib.valid_key(dbInstance, "publicly_accessible")
+ not common_lib.valid_key(dbInstance, "publicly_accessible")
result := {
"documentId": input.document[i].id,
@@ -31,4 +30,4 @@ CxPolicy[result] {
"keyExpectedValue": sprintf("'nifcloud_db_instance[%s]' should have publicly accessible defined as the default value is set to true. You should limit all access to the minimum that is required for your application to function.", [name]),
"keyActualValue": sprintf("'nifcloud_db_instance[%s]' doesn't define publicly accessible.", [name]),
}
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/nifcloud/db_instance_has_common_private/query.rego b/assets/queries/terraform/nifcloud/db_instance_has_common_private/query.rego
index ef517aa58da..ce8019a5e87 100644
--- a/assets/queries/terraform/nifcloud/db_instance_has_common_private/query.rego
+++ b/assets/queries/terraform/nifcloud/db_instance_has_common_private/query.rego
@@ -1,10 +1,9 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
-
dbInstance := input.document[i].resource.nifcloud_db_instance[name]
dbInstance.network_id == "net-COMMON_PRIVATE"
diff --git a/assets/queries/terraform/nifcloud/db_security_group_description_undefined/query.rego b/assets/queries/terraform/nifcloud/db_security_group_description_undefined/query.rego
index eb5e8b887df..7cd36e6d187 100644
--- a/assets/queries/terraform/nifcloud/db_security_group_description_undefined/query.rego
+++ b/assets/queries/terraform/nifcloud/db_security_group_description_undefined/query.rego
@@ -1,10 +1,9 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
-
dbSecurityGroup := input.document[i].resource.nifcloud_db_security_group[name]
not common_lib.valid_key(dbSecurityGroup, "description")
diff --git a/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/query.rego b/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/query.rego
index ce28d2a9546..5a56b9f92f9 100644
--- a/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/query.rego
+++ b/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/query.rego
@@ -1,10 +1,9 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
-
dbSecurityGroupRule := input.document[i].resource.nifcloud_db_security_group[name]
cidr := split(getRules(dbSecurityGroupRule.rule)[_].cidr_ip, "/")
to_number(cidr[1]) < 1
@@ -20,9 +19,9 @@ CxPolicy[result] {
}
}
-getRules (rule) = output {
- not is_array(rule)
+getRules(rule) = output {
+ not is_array(rule)
output := [rule]
} else = output {
output := rule
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/nifcloud/dns_has_verified_record/query.rego b/assets/queries/terraform/nifcloud/dns_has_verified_record/query.rego
index 08dfd6e7ccc..5a8b9c9ef38 100644
--- a/assets/queries/terraform/nifcloud/dns_has_verified_record/query.rego
+++ b/assets/queries/terraform/nifcloud/dns_has_verified_record/query.rego
@@ -1,10 +1,9 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
-
dnsRecord := input.document[i].resource.nifcloud_dns_record[name]
contains(dnsRecord.record, "nifty-dns-verify=")
diff --git a/assets/queries/terraform/nifcloud/elb_has_common_private/query.rego b/assets/queries/terraform/nifcloud/elb_has_common_private/query.rego
index e4dcd6aee11..1e3b7948c61 100644
--- a/assets/queries/terraform/nifcloud/elb_has_common_private/query.rego
+++ b/assets/queries/terraform/nifcloud/elb_has_common_private/query.rego
@@ -1,10 +1,9 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
-
elb := input.document[i].resource.nifcloud_elb[name]
elb.network_interface[_].network_id == "net-COMMON_PRIVATE"
@@ -20,7 +19,6 @@ CxPolicy[result] {
}
CxPolicy[result] {
-
elb := input.document[i].resource.nifcloud_elb[name]
elb.network_interface.network_id == "net-COMMON_PRIVATE"
diff --git a/assets/queries/terraform/nifcloud/elb_listener_use_http/query.rego b/assets/queries/terraform/nifcloud/elb_listener_use_http/query.rego
index f62aec73e0e..d4ecde81f8a 100644
--- a/assets/queries/terraform/nifcloud/elb_listener_use_http/query.rego
+++ b/assets/queries/terraform/nifcloud/elb_listener_use_http/query.rego
@@ -1,10 +1,9 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
-
elb_listener := input.document[i].resource.nifcloud_elb_listener[name]
elbRef := getElbNetworkInterface(input.document[i].resource, elb_listener.elb_id)
@@ -25,14 +24,14 @@ CxPolicy[result] {
}
}
-getElbNetworkInterface (resource, interfaceRef) = output {
+getElbNetworkInterface(resource, interfaceRef) = output {
interfaceName := split(interfaceRef, ".")[1]
output := resource.nifcloud_elb[interfaceName]
}
-getNetworkInterfaces (networkInterface) = output {
- not is_array(networkInterface)
+getNetworkInterfaces(networkInterface) = output {
+ not is_array(networkInterface)
output := [networkInterface]
} else = output {
output := networkInterface
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/nifcloud/elb_use_http/query.rego b/assets/queries/terraform/nifcloud/elb_use_http/query.rego
index 3fdbf23e575..080709febec 100644
--- a/assets/queries/terraform/nifcloud/elb_use_http/query.rego
+++ b/assets/queries/terraform/nifcloud/elb_use_http/query.rego
@@ -1,10 +1,9 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
-
elb := input.document[i].resource.nifcloud_elb[name]
elbNetworkInterface := elb.network_interface[_]
@@ -25,7 +24,6 @@ CxPolicy[result] {
}
CxPolicy[result] {
-
elb := input.document[i].resource.nifcloud_elb[name]
elbNetworkInterface := elb.network_interface
diff --git a/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/query.rego b/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/query.rego
index 00045c9c3ba..f950bfa2800 100644
--- a/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/query.rego
+++ b/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/query.rego
@@ -1,10 +1,9 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
-
lb_listener := input.document[i].resource.nifcloud_load_balancer_listener[name]
lb_listener.load_balancer_port == 80
diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_http/query.rego b/assets/queries/terraform/nifcloud/load_balancer_use_http/query.rego
index 0f66222c54c..47e285b44c5 100644
--- a/assets/queries/terraform/nifcloud/load_balancer_use_http/query.rego
+++ b/assets/queries/terraform/nifcloud/load_balancer_use_http/query.rego
@@ -1,10 +1,9 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
-
lb := input.document[i].resource.nifcloud_load_balancer[name]
lb.load_balancer_port == 80
diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/query.rego b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/query.rego
index f8d5efe46ae..f5be37ef5cf 100644
--- a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/query.rego
+++ b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/query.rego
@@ -1,20 +1,20 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+import future.keywords.in
outdatedSSLPolicies := {
"1",
"2",
"3",
"5",
- "8"
+ "8",
}
CxPolicy[result] {
-
lb := input.document[i].resource.nifcloud_load_balancer[name]
- not common_lib.valid_key(lb, "ssl_policy_id")
+ not common_lib.valid_key(lb, "ssl_policy_id")
result := {
"documentId": input.document[i].id,
@@ -28,9 +28,8 @@ CxPolicy[result] {
}
CxPolicy[result] {
-
lb := input.document[i].resource.nifcloud_load_balancer[name]
- lb.ssl_policy_id == outdatedSSLPolicies[_]
+ lb.ssl_policy_id in outdatedSSLPolicies
result := {
"documentId": input.document[i].id,
diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/query.rego b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/query.rego
index eb14db07744..5e5ce008f65 100644
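Review bot: `lb.ssl_policy_id in outdatedSSLPolicies` tests membership against a set of string literals (`"1"`, `"2"`, …), so it fires only when the HCL value is a quoted string; a configuration written as `ssl_policy_id = 1` would, if the scanner keeps HCL numbers numeric (which I expect but cannot confirm from this hunk), be parsed as the number `1` and silently pass, exactly as the old `== outdatedSSLPolicies[_]` did. If unquoted IDs are a realistic input, normalise before the test: `sprintf("%v", [lb.ssl_policy_id]) in outdatedSSLPolicies`. The second `CxPolicy` body continues past the end of the hunk.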
--- a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/query.rego
+++ b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/query.rego
@@ -1,18 +1,18 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+import future.keywords.in
outdatedSSLPolicies := {
"Standard Ciphers A ver1",
"Standard Ciphers B ver1",
"Standard Ciphers C ver1",
"Ats Ciphers A ver1",
- "Ats Ciphers D ver1"
+ "Ats Ciphers D ver1",
}
CxPolicy[result] {
-
lb := input.document[i].resource.nifcloud_load_balancer[name]
not common_lib.valid_key(lb, "ssl_policy_name")
@@ -28,9 +28,8 @@ CxPolicy[result] {
}
CxPolicy[result] {
-
lb := input.document[i].resource.nifcloud_load_balancer[name]
- lb.ssl_policy_name == outdatedSSLPolicies[_]
+ lb.ssl_policy_name in outdatedSSLPolicies
result := {
"documentId": input.document[i].id,
diff --git a/assets/queries/terraform/nifcloud/nas_instance_has_common_private/query.rego b/assets/queries/terraform/nifcloud/nas_instance_has_common_private/query.rego
index 1ec0b873410..c996cca46f7 100644
--- a/assets/queries/terraform/nifcloud/nas_instance_has_common_private/query.rego
+++ b/assets/queries/terraform/nifcloud/nas_instance_has_common_private/query.rego
@@ -1,10 +1,9 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
-
nasInstance := input.document[i].resource.nifcloud_nas_instance[name]
nasInstance.network_id == "net-COMMON_PRIVATE"
diff --git a/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/query.rego b/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/query.rego
index b9613edcd91..b89fce86b8c 100644
--- a/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/query.rego
+++ b/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/query.rego
@@ -1,10 +1,9 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
-
nasSecurityGroup := input.document[i].resource.nifcloud_nas_security_group[name]
not common_lib.valid_key(nasSecurityGroup, "description")
diff --git a/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/query.rego b/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/query.rego
index 365c45041f0..e030aecedd4 100644
--- a/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/query.rego
+++ b/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/query.rego
@@ -1,10 +1,9 @@
package Cx
-import data.generic.terraform as tf_lib
import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
CxPolicy[result] {
-
nasSecurityGroupRule := input.document[i].resource.nifcloud_nas_security_group[name]
cidr := split(getRules(nasSecurityGroupRule.rule)[_].cidr_ip, "/")
to_number(cidr[1]) < 1
@@ -20,9 +19,9 @@ CxPolicy[result] {
}
}
-getRules (rule) = output {
- not is_array(rule)
+getRules(rule) = output {
+ not is_array(rule)
output := [rule]
} else = output {
output := rule
-}
\ No newline at end of file
+}
diff --git a/assets/queries/terraform/nifcloud/router_has_common_private/query.rego b/assets/queries/terraform/nifcloud/router_has_common_private/query.rego
index 1d1165bcc5f..6e91670febe 100644
--- a/assets/queries/terraform/nifcloud/router_has_common_private/query.rego
+++ b/assets/queries/terraform/nifcloud/router_has_common_private/query.rego
@@ -1,10 +1,9 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { - router := input.document[i].resource.nifcloud_router[name] router.network_interface[_].network_id == "net-COMMON_PRIVATE" @@ -20,7 +19,6 @@ CxPolicy[result] { } CxPolicy[result] { - router := input.document[i].resource.nifcloud_router[name] router.network_interface.network_id == "net-COMMON_PRIVATE" diff --git a/assets/queries/terraform/nifcloud/router_security_group_undefined/query.rego b/assets/queries/terraform/nifcloud/router_security_group_undefined/query.rego index 17468f768bf..ddc0e231235 100644 --- a/assets/queries/terraform/nifcloud/router_security_group_undefined/query.rego +++ b/assets/queries/terraform/nifcloud/router_security_group_undefined/query.rego @@ -1,10 +1,9 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { - router := input.document[i].resource.nifcloud_router[name] not common_lib.valid_key(router, "security_group") diff --git a/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/query.rego b/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/query.rego index bbba29a4222..1fecb03f5fd 100644 --- a/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/query.rego +++ b/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/query.rego @@ -1,10 +1,9 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { - vpnGateway := input.document[i].resource.nifcloud_vpn_gateway[name] not common_lib.valid_key(vpnGateway, "security_group") 
diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/query.rego b/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/query.rego index 0f49b3fd3a0..fd3df0e9727 100644 --- a/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/query.rego +++ b/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/query.rego @@ -5,7 +5,7 @@ import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.tencentcloud_mysql_instance[name] - resource.internet_service == 1 + resource.internet_service == 1 result := { "documentId": input.document[i].id, @@ -15,6 +15,6 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("[%s] has 'internet_service' set to 0 or undefined", [name]), "keyActualValue": sprintf("[%s] has 'internet_service' set to 1", [name]), - "searchLine":common_lib.build_search_line(["resource", "tencentcloud_mysql_instance", name, "internet_service"], []), + "searchLine": common_lib.build_search_line(["resource", "tencentcloud_mysql_instance", name, "internet_service"], []), } } diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/query.rego b/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/query.rego index 1a63d48d4f4..e418b6f4e24 100644 --- a/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/query.rego +++ b/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/query.rego @@ -5,7 +5,7 @@ import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.tencentcloud_mysql_instance[name] - resource.intranet_port == 3306 + resource.intranet_port == 3306 result := { "documentId": input.document[i].id, 
@@ -15,22 +15,22 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("[%s] has 'intranet_port' set to non 3306", [name]), "keyActualValue": sprintf("[%s] has 'intranet_port' set to 3306", [name]), - "searchLine":common_lib.build_search_line(["resource", "tencentcloud_mysql_instance", name, "intranet_port"], []), + "searchLine": common_lib.build_search_line(["resource", "tencentcloud_mysql_instance", name, "intranet_port"], []), } } CxPolicy[result] { resource := input.document[i].resource.tencentcloud_mysql_instance[name] - not common_lib.valid_key(resource, "intranet_port") + not common_lib.valid_key(resource, "intranet_port") result := { "documentId": input.document[i].id, "resourceType": "tencentcloud_mysql_instance", "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("tencentcloud_mysql_instance[%s]",[name]), + "searchKey": sprintf("tencentcloud_mysql_instance[%s]", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("[%s] 'intranet_port' should be set and the value should not be 3306",[name]), - "keyActualValue": sprintf("[%s] does not set 'intranet_port'",[name]), - "searchLine":common_lib.build_search_line(["resource", "tencentcloud_mysql_instance", name], []), + "keyExpectedValue": sprintf("[%s] 'intranet_port' should be set and the value should not be 3306", [name]), + "keyActualValue": sprintf("[%s] does not set 'intranet_port'", [name]), + "searchLine": common_lib.build_search_line(["resource", "tencentcloud_mysql_instance", name], []), } } diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/query.rego b/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/query.rego index f865aa77370..7fd6e33600f 100644 --- a/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/query.rego +++ b/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/query.rego 
@@ -5,7 +5,7 @@ import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.tencentcloud_mysql_instance[name] - not any_backup_policy_matches_instance(name) + not any_backup_policy_matches_instance(name) result := { "documentId": input.document[i].id, @@ -15,12 +15,12 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("tencentcloud_mysql_instance[%s] should have 'tencentcloud_mysql_backup_policy'", [name]), "keyActualValue": sprintf("tencentcloud_mysql_instance[%s] does not have 'tencentcloud_mysql_backup_policy'", [name]), - "searchLine":common_lib.build_search_line(["resource", "tencentcloud_mysql_instance", name], []), + "searchLine": common_lib.build_search_line(["resource", "tencentcloud_mysql_instance", name], []), } } any_backup_policy_matches_instance(resource_name) { - backup_policy := input.document[_].resource.tencentcloud_mysql_backup_policy[_] - split_name := split(backup_policy.mysql_id, ".")[1] - split_name == resource_name + backup_policy := input.document[_].resource.tencentcloud_mysql_backup_policy[_] + split_name := split(backup_policy.mysql_id, ".")[1] + split_name == resource_name } diff --git a/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/query.rego b/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/query.rego index 50ca039d6f2..ff4ddbf3df5 100644 --- a/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/query.rego +++ b/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/query.rego @@ -5,8 +5,8 @@ import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.tencentcloud_clb_instance[name] - not common_lib.valid_key(resource, "log_set_id") - not common_lib.valid_key(resource, "log_topic_id") + not common_lib.valid_key(resource, "log_set_id") + not common_lib.valid_key(resource, "log_topic_id") result := { "documentId": input.document[i].id, 
@@ -16,6 +16,6 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("tencentcloud_clb_instance[%s] should set 'log_set_id' and 'log_topic_id'", [name]), "keyActualValue": sprintf("tencentcloud_clb_instance[%s] not set 'log_set_id' and 'log_topic_id'", [name]), - "searchLine":common_lib.build_search_line(["resource", "tencentcloud_clb_instance", name], []), + "searchLine": common_lib.build_search_line(["resource", "tencentcloud_clb_instance", name], []), } } diff --git a/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/query.rego b/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/query.rego index fbe6b036466..80d19117070 100644 --- a/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/query.rego +++ b/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/query.rego @@ -7,8 +7,8 @@ insecure_protocols := {"TCP", "UDP", "HTTP"} CxPolicy[result] { resource := input.document[i].resource.tencentcloud_clb_listener[name] - protocolCheck := resource.protocol - insecure_protocols[protocolCheck] + protocolCheck := resource.protocol + insecure_protocols[protocolCheck] result := { "documentId": input.document[i].id, @@ -18,6 +18,6 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("tencentcloud_clb_listener[%s].protocol[%s] should not be an insecure protocol", [name, protocolCheck]), "keyActualValue": sprintf("tencentcloud_clb_listener[%s].protocol[%s] is an insecure protocol", [name, protocolCheck]), - "searchLine":common_lib.build_search_line(["resource", "tencentcloud_clb_listener", name, "protocol"], []), + "searchLine": common_lib.build_search_line(["resource", "tencentcloud_clb_listener", name, "protocol"], []), } } 
diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/query.rego b/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/query.rego index 1de80f0fbdb..ad4b6b9afe0 100644 --- a/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/query.rego +++ b/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/query.rego @@ -4,17 +4,17 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_instance[name] - resource.disable_monitor_service == true + resource := input.document[i].resource.tencentcloud_instance[name] + resource.disable_monitor_service == true - result := { - "documentId": input.document[i].id, - "resourceType": "tencentcloud_instance", - "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("tencentcloud_instance[%s].disable_monitor_service", [name]), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("[%s] 'disable_monitor_service' should be set to false", [name]), - "keyActualValue": sprintf("[%s] 'disable_monitor_service' is true", [name]), - "searchLine":common_lib.build_search_line(["resource", "tencentcloud_instance", name, "disable_monitor_service"], []), - } + result := { + "documentId": input.document[i].id, + "resourceType": "tencentcloud_instance", + "resourceName": tf_lib.get_resource_name(resource, name), + "searchKey": sprintf("tencentcloud_instance[%s].disable_monitor_service", [name]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("[%s] 'disable_monitor_service' should be set to false", [name]), + "keyActualValue": sprintf("[%s] 'disable_monitor_service' is true", [name]), + "searchLine": common_lib.build_search_line(["resource", "tencentcloud_instance", name, "disable_monitor_service"], []), + } } 
diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/query.rego b/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/query.rego index 58c19e7494f..83f770eb619 100644 --- a/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/query.rego +++ b/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/query.rego @@ -4,17 +4,17 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_instance[name] - resource.allocate_public_ip == true + resource := input.document[i].resource.tencentcloud_instance[name] + resource.allocate_public_ip == true - result := { - "documentId": input.document[i].id, - "resourceType": "tencentcloud_instance", - "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("tencentcloud_instance[%s].allocate_public_ip", [name]), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("[%s] 'allocate_public_ip' should be set to false", [name]), - "keyActualValue": sprintf("[%s] 'allocate_public_ip' is true", [name]), - "searchLine":common_lib.build_search_line(["resource", "tencentcloud_instance", name, "allocate_public_ip"], []), - } + result := { + "documentId": input.document[i].id, + "resourceType": "tencentcloud_instance", + "resourceName": tf_lib.get_resource_name(resource, name), + "searchKey": sprintf("tencentcloud_instance[%s].allocate_public_ip", [name]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("[%s] 'allocate_public_ip' should be set to false", [name]), + "keyActualValue": sprintf("[%s] 'allocate_public_ip' is true", [name]), + "searchLine": common_lib.build_search_line(["resource", "tencentcloud_instance", name, "allocate_public_ip"], []), + } } 
diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/query.rego b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/query.rego index 5d7286c391a..681b28b3d44 100644 --- a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/query.rego +++ b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/query.rego 
@@ -4,23 +4,23 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - doc := input.document[i] - resource := doc.resource.tencentcloud_instance[name] + doc := input.document[i] + resource := doc.resource.tencentcloud_instance[name] - sgs := {"orderly_security_groups", "security_groups"} + sgs := {"orderly_security_groups", "security_groups"} - sgInfo := resource[sgs[s]][_] + sgInfo := resource[sgs[s]][_] - contains(lower(sgInfo), "default") + contains(lower(sgInfo), "default") - result := { - "documentId": doc.id, - "resourceType": "tencentcloud_instance", - "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("tencentcloud_instance[%s].%s", [name, sgs[s]]), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("tencentcloud_instance[%s].%s should not contain 'default'", [name, s]), - "keyActualValue": sprintf("tencentcloud_instance[%s].%s contains 'default'", [name, s]), - "searchLine": common_lib.build_search_line(["resource", "tencentcloud_instance", name, sgs[s]], []), - } + result := { + "documentId": doc.id, + "resourceType": "tencentcloud_instance", + "resourceName": tf_lib.get_resource_name(resource, name), + "searchKey": sprintf("tencentcloud_instance[%s].%s", [name, sgs[s]]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("tencentcloud_instance[%s].%s should not contain 'default'", [name, s]), + "keyActualValue": sprintf("tencentcloud_instance[%s].%s contains 'default'", [name, s]), + "searchLine": common_lib.build_search_line(["resource", "tencentcloud_instance", name, sgs[s]], []), + } } diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/query.rego b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/query.rego index ad9f095ecfb..3d1a855cfe0 100644 --- a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/query.rego 
+++ b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/query.rego @@ -4,22 +4,22 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - doc := input.document[i] - resource := doc.resource.tencentcloud_instance[name] - vpc_id := resource.vpc_id + doc := input.document[i] + resource := doc.resource.tencentcloud_instance[name] + vpc_id := resource.vpc_id - contains(lower(vpc_id), "default") + contains(lower(vpc_id), "default") - result := { - "documentId": doc.id, - "resourceType": "tencentcloud_instance", - "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("tencentcloud_instance[%s].vpc_id", [name]), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("tencentcloud_instance[%s].vpc_id should not contain 'default'", [name]), - "keyActualValue": sprintf("tencentcloud_instance[%s].vpc_id contains 'default'", [name]), - "searchLine": common_lib.build_search_line(["resource", "tencentcloud_instance", name, "vpc_id"], []), - } + result := { + "documentId": doc.id, + "resourceType": "tencentcloud_instance", + "resourceName": tf_lib.get_resource_name(resource, name), + "searchKey": sprintf("tencentcloud_instance[%s].vpc_id", [name]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("tencentcloud_instance[%s].vpc_id should not contain 'default'", [name]), + "keyActualValue": sprintf("tencentcloud_instance[%s].vpc_id contains 'default'", [name]), + "searchLine": common_lib.build_search_line(["resource", "tencentcloud_instance", name, "vpc_id"], []), + } } CxPolicy[result] { 
@@ -27,16 +27,16 @@ CxPolicy[result] { resource := doc.resource.tencentcloud_instance[name] subnet_id := resource.subnet_id - contains(lower(subnet_id), "default") + contains(lower(subnet_id), "default") result := { "documentId": doc.id, - "resourceType": "tencentcloud_instance", - "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("tencentcloud_instance[%s].subnet_id", [name]), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("tencentcloud_instance[%s].subnet_id should not be associated with a default Subnet", [name]), - "keyActualValue": sprintf("tencentcloud_instance[%s].subnet_id is associated with a default Subnet", [name]), - "searchLine": common_lib.build_search_line(["resource", "tencentcloud_instance", name, "subnet_id"], []), + "resourceType": "tencentcloud_instance", + "resourceName": tf_lib.get_resource_name(resource, name), + "searchKey": sprintf("tencentcloud_instance[%s].subnet_id", [name]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("tencentcloud_instance[%s].subnet_id should not be associated with a default Subnet", [name]), + "keyActualValue": sprintf("tencentcloud_instance[%s].subnet_id is associated with a default Subnet", [name]), + "searchLine": common_lib.build_search_line(["resource", "tencentcloud_instance", name, "subnet_id"], []), } } diff --git a/assets/queries/terraform/tencentcloud/disk_encryption_disabled/query.rego b/assets/queries/terraform/tencentcloud/disk_encryption_disabled/query.rego index 31ee40836c3..2b297bbd0bc 100644 --- a/assets/queries/terraform/tencentcloud/disk_encryption_disabled/query.rego +++ b/assets/queries/terraform/tencentcloud/disk_encryption_disabled/query.rego @@ -4,9 +4,8 @@ import data.generic.common as common_lib import data.generic.terraform as tf_lib CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_cbs_storage[name] - resource.encrypt == false + resource.encrypt == false result := { "documentId": input.document[i].id, 
@@ -16,24 +15,22 @@ CxPolicy[result] { "issueType": "IncorrectValue", "keyExpectedValue": sprintf("[%s] has encryption set to true", [name]), "keyActualValue": sprintf("[%s] has encryption set to false", [name]), - "searchLine":common_lib.build_search_line(["resource", "tencentcloud_cbs_storage", name, "encrypt"], []), + "searchLine": common_lib.build_search_line(["resource", "tencentcloud_cbs_storage", name, "encrypt"], []), } } CxPolicy[result] { - resource := input.document[i].resource.tencentcloud_cbs_storage[name] - not common_lib.valid_key(resource, "encrypt") + not common_lib.valid_key(resource, "encrypt") result := { "documentId": input.document[i].id, "resourceType": "tencentcloud_cbs_storage", "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("tencentcloud_cbs_storage[%s]",[name]), + "searchKey": sprintf("tencentcloud_cbs_storage[%s]", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("[%s] has encryption enabled",[name]), - "keyActualValue": sprintf("[%s] does not have encryption enabled",[name]), - "searchLine":common_lib.build_search_line(["resource", "tencentcloud_cbs_storage", name], []), + "keyExpectedValue": sprintf("[%s] has encryption enabled", [name]), + "keyActualValue": sprintf("[%s] does not have encryption enabled", [name]), + "searchLine": common_lib.build_search_line(["resource", "tencentcloud_cbs_storage", name], []), } } - diff --git a/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/query.rego b/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/query.rego index 4f54dde5423..0e74e5a19c7 100644 --- a/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/query.rego +++ b/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/query.rego 
@@ -6,17 +6,17 @@ import data.generic.terraform as tf_lib # ingress ipv4 CxPolicy[result] { resource := input.document[i].resource.tencentcloud_security_group_rule_set[name] - ingressCheck := resource.ingress + ingressCheck := resource.ingress common_lib.valid_key(ingressCheck, "action") common_lib.valid_key(ingressCheck, "cidr_block") common_lib.valid_key(ingressCheck, "protocol") - common_lib.valid_key(ingressCheck, "port") + common_lib.valid_key(ingressCheck, "port") ingressCheck.action == "ACCEPT" - ingressCheck.cidr_block == "0.0.0.0/0" - ingressCheck.protocol == "ALL" - ingressCheck.port == "ALL" + ingressCheck.cidr_block == "0.0.0.0/0" + ingressCheck.protocol == "ALL" + ingressCheck.port == "ALL" result := { "documentId": input.document[i].id, @@ -32,17 +32,17 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i].resource.tencentcloud_security_group_rule_set[name] - ingressCheck := resource.ingress[index] + ingressCheck := resource.ingress[index] common_lib.valid_key(ingressCheck, "action") common_lib.valid_key(ingressCheck, "cidr_block") common_lib.valid_key(ingressCheck, "protocol") - common_lib.valid_key(ingressCheck, "port") + common_lib.valid_key(ingressCheck, "port") ingressCheck.action == "ACCEPT" - ingressCheck.cidr_block == "0.0.0.0/0" - ingressCheck.protocol == "ALL" - ingressCheck.port == "ALL" + ingressCheck.cidr_block == "0.0.0.0/0" + ingressCheck.protocol == "ALL" + ingressCheck.port == "ALL" result := { "documentId": input.document[i].id, 
@@ -58,15 +58,15 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i].resource.tencentcloud_security_group_rule_set[name] - ingressCheck := resource.ingress + ingressCheck := resource.ingress common_lib.valid_key(ingressCheck, "action") - common_lib.valid_key(ingressCheck, "cidr_block") - not common_lib.valid_key(ingressCheck, "protocol") - not common_lib.valid_key(ingressCheck, "port") + common_lib.valid_key(ingressCheck, "cidr_block") + not common_lib.valid_key(ingressCheck, "protocol") + not common_lib.valid_key(ingressCheck, "port") - ingressCheck.cidr_block == "0.0.0.0/0" - ingressCheck.action == "ACCEPT" + ingressCheck.cidr_block == "0.0.0.0/0" + ingressCheck.action == "ACCEPT" result := { "documentId": input.document[i].id, 
@@ -82,32 +82,32 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i].resource.tencentcloud_security_group_rule_set[name] - ingressCheck := resource.ingress[index] + ingressCheck := resource.ingress[index] common_lib.valid_key(ingressCheck, "action") - common_lib.valid_key(ingressCheck, "cidr_block") - not common_lib.valid_key(ingressCheck, "protocol") - not common_lib.valid_key(ingressCheck, "port") + common_lib.valid_key(ingressCheck, "cidr_block") + not common_lib.valid_key(ingressCheck, "protocol") + not common_lib.valid_key(ingressCheck, "port") - ingressCheck.cidr_block == "0.0.0.0/0" - ingressCheck.action == "ACCEPT" + ingressCheck.cidr_block == "0.0.0.0/0" + ingressCheck.action == "ACCEPT" result := { "documentId": input.document[i].id, - "resourceType": "tencentcloud_security_group_rule_set", - "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("tencentcloud_security_group_rule_set[%s].ingress", [name]), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("tencentcloud_security_group_rule_set[%s] ingress should not set accept all traffic", [name]), - "keyActualValue": sprintf("tencentcloud_security_group_rule_set[%s] ingress accept all traffic", [name]), - "searchLine": common_lib.build_search_line(["resource", "tencentcloud_security_group_rule_set", name, "ingress", index], []), + "resourceType": "tencentcloud_security_group_rule_set", + "resourceName": tf_lib.get_resource_name(resource, name), + "searchKey": sprintf("tencentcloud_security_group_rule_set[%s].ingress", [name]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("tencentcloud_security_group_rule_set[%s] ingress should not set accept all traffic", [name]), + "keyActualValue": sprintf("tencentcloud_security_group_rule_set[%s] ingress accept all traffic", [name]), + "searchLine": common_lib.build_search_line(["resource", "tencentcloud_security_group_rule_set", name, "ingress", index], []), } } # ingress ipv6 
CxPolicy[result] { resource := input.document[i].resource.tencentcloud_security_group_rule_set[name] - ingressCheck := resource.ingress + ingressCheck := resource.ingress common_lib.valid_key(ingressCheck, "action") common_lib.valid_key(ingressCheck, "ipv6_cidr_block") @@ -115,9 +115,9 @@ CxPolicy[result] { common_lib.valid_key(ingressCheck, "port") ingressCheck.action == "ACCEPT" - ingressCheck.ipv6_cidr_block == "::/0" - ingressCheck.protocol == "ALL" - ingressCheck.port == "ALL" + ingressCheck.ipv6_cidr_block == "::/0" + ingressCheck.protocol == "ALL" + ingressCheck.port == "ALL" result := { "documentId": input.document[i].id, @@ -133,7 +133,7 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i].resource.tencentcloud_security_group_rule_set[name] - ingressCheck := resource.ingress[index] + ingressCheck := resource.ingress[index] common_lib.valid_key(ingressCheck, "action") common_lib.valid_key(ingressCheck, "ipv6_cidr_block") @@ -141,9 +141,9 @@ CxPolicy[result] { common_lib.valid_key(ingressCheck, "port") ingressCheck.action == "ACCEPT" - ingressCheck.ipv6_cidr_block == "::/0" - ingressCheck.protocol == "ALL" - ingressCheck.port == "ALL" + ingressCheck.ipv6_cidr_block == "::/0" + ingressCheck.protocol == "ALL" + ingressCheck.port == "ALL" result := { "documentId": input.document[i].id, 
@@ -159,15 +159,15 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i].resource.tencentcloud_security_group_rule_set[name] - ingressCheck := resource.ingress + ingressCheck := resource.ingress common_lib.valid_key(ingressCheck, "action") - common_lib.valid_key(ingressCheck, "ipv6_cidr_block") - not common_lib.valid_key(ingressCheck, "protocol") - not common_lib.valid_key(ingressCheck, "port") + common_lib.valid_key(ingressCheck, "ipv6_cidr_block") + not common_lib.valid_key(ingressCheck, "protocol") + not common_lib.valid_key(ingressCheck, "port") ingressCheck.action == "ACCEPT" - ingressCheck.ipv6_cidr_block == "::/0" + ingressCheck.ipv6_cidr_block == "::/0" result := { "documentId": input.document[i].id, @@ -183,17 +183,17 @@ CxPolicy[result] { CxPolicy[result] { resource := input.document[i].resource.tencentcloud_security_group_rule_set[name] - ingressCheck := resource.ingress[index] + ingressCheck := resource.ingress[index] common_lib.valid_key(ingressCheck, "action") - common_lib.valid_key(ingressCheck, "ipv6_cidr_block") - not common_lib.valid_key(ingressCheck, "protocol") - not common_lib.valid_key(ingressCheck, "port") + common_lib.valid_key(ingressCheck, "ipv6_cidr_block") + not common_lib.valid_key(ingressCheck, "protocol") + not common_lib.valid_key(ingressCheck, "port") ingressCheck.action == "ACCEPT" - ingressCheck.ipv6_cidr_block == "::/0" + ingressCheck.ipv6_cidr_block == "::/0" - result := { + result := { "documentId": input.document[i].id, "resourceType": "tencentcloud_security_group_rule_set", "resourceName": tf_lib.get_resource_name(resource, name), diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego index c8cb4adf142..5d0420d06fe 100644 --- a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego 
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/query.rego @@ -5,7 +5,7 @@ import data.generic.terraform as tf_lib CxPolicy[result] { resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name] - not any_kubernetes_encryption_protection(name) + not any_kubernetes_encryption_protection(name) result := { "documentId": input.document[i].id, @@ -15,12 +15,12 @@ CxPolicy[result] { "issueType": "MissingAttribute", "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s] should have 'tencentcloud_kubernetes_encryption_protection' enabled", [name]), "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s] does not have 'tencentcloud_kubernetes_encryption_protection' enabled or is undefined", [name]), - "searchLine":common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name], []), + "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name], []), } } any_kubernetes_encryption_protection(resource_name) { - encryption := input.document[_].resource.tencentcloud_kubernetes_encryption_protection[_] - split_name := split(encryption.cluster_id, ".")[1] - split_name == resource_name + encryption := input.document[_].resource.tencentcloud_kubernetes_encryption_protection[_] + split_name := split(encryption.cluster_id, ".")[1] + split_name == resource_name } diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego index 5b7c03e5096..d50ac695c24 100644 --- a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego +++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/query.rego 
@@ -1,15 +1,15 @@ package Cx -import data.generic.terraform as tf_lib import data.generic.common as common_lib +import data.generic.terraform as tf_lib # master_config CxPolicy[result] { resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name] masterConfig := resource.master_config - common_lib.valid_key(masterConfig, "public_ip_assigned") - common_lib.valid_key(masterConfig, "internet_max_bandwidth_out") + common_lib.valid_key(masterConfig, "public_ip_assigned") + common_lib.valid_key(masterConfig, "internet_max_bandwidth_out") masterConfig.public_ip_assigned == true masterConfig.internet_max_bandwidth_out > 0 @@ -30,8 +30,8 @@ CxPolicy[result] { resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name] masterConfig := resource.master_config[index] - common_lib.valid_key(masterConfig, "public_ip_assigned") - common_lib.valid_key(masterConfig, "internet_max_bandwidth_out") + common_lib.valid_key(masterConfig, "public_ip_assigned") + common_lib.valid_key(masterConfig, "internet_max_bandwidth_out") masterConfig.public_ip_assigned == true masterConfig.internet_max_bandwidth_out > 0 @@ -52,10 +52,10 @@ CxPolicy[result] { resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name] masterConfig := resource.master_config - not common_lib.valid_key(masterConfig, "public_ip_assigned") - common_lib.valid_key(masterConfig, "internet_max_bandwidth_out") + not common_lib.valid_key(masterConfig, "public_ip_assigned") + common_lib.valid_key(masterConfig, "internet_max_bandwidth_out") - masterConfig.internet_max_bandwidth_out > 0 + masterConfig.internet_max_bandwidth_out > 0 result := { "documentId": input.document[i].id, 
@@ -74,20 +74,20 @@ CxPolicy[result] { masterConfig := resource.master_config[index] not common_lib.valid_key(masterConfig, "public_ip_assigned") - common_lib.valid_key(masterConfig, "internet_max_bandwidth_out") + common_lib.valid_key(masterConfig, "internet_max_bandwidth_out") masterConfig.internet_max_bandwidth_out > 0 result := { - "documentId": input.document[i].id, - "resourceType": "tencentcloud_kubernetes_cluster", - "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out", [name]), - "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "master_config", index, "internet_max_bandwidth_out"], []), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out should equal '0' or null", [name]), - "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out is not equal '0'", [name]), - } + "documentId": input.document[i].id, + "resourceType": "tencentcloud_kubernetes_cluster", + "resourceName": tf_lib.get_resource_name(resource, name), + "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out", [name]), + "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "master_config", index, "internet_max_bandwidth_out"], []), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out should equal '0' or null", [name]), + "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].master_config.internet_max_bandwidth_out is not equal '0'", [name]), + } } # worker_config 
@@ -95,8 +95,8 @@ CxPolicy[result] {
 resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
 workerConfig := resource.worker_config
- common_lib.valid_key(workerConfig, "public_ip_assigned")
- common_lib.valid_key(workerConfig, "internet_max_bandwidth_out")
+ common_lib.valid_key(workerConfig, "public_ip_assigned")
+ common_lib.valid_key(workerConfig, "internet_max_bandwidth_out")
 workerConfig.public_ip_assigned == true
 workerConfig.internet_max_bandwidth_out > 0
@@ -117,8 +117,8 @@ CxPolicy[result] {
 resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
 workerConfig := resource.worker_config[index]
- common_lib.valid_key(workerConfig, "public_ip_assigned")
- common_lib.valid_key(workerConfig, "internet_max_bandwidth_out")
+ common_lib.valid_key(workerConfig, "public_ip_assigned")
+ common_lib.valid_key(workerConfig, "internet_max_bandwidth_out")
 workerConfig.public_ip_assigned == true
 workerConfig.internet_max_bandwidth_out > 0
@@ -139,10 +139,10 @@ CxPolicy[result] {
 resource := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
 workerConfig := resource.worker_config
- not common_lib.valid_key(workerConfig, "public_ip_assigned")
- common_lib.valid_key(workerConfig, "internet_max_bandwidth_out")
+ not common_lib.valid_key(workerConfig, "public_ip_assigned")
+ common_lib.valid_key(workerConfig, "internet_max_bandwidth_out")
- workerConfig.internet_max_bandwidth_out > 0
+ workerConfig.internet_max_bandwidth_out > 0
 result := {
 "documentId": input.document[i].id,
@@ -161,18 +161,18 @@ CxPolicy[result] {
 workerConfig := resource.worker_config[index]
 not common_lib.valid_key(workerConfig, "public_ip_assigned")
- common_lib.valid_key(workerConfig, "internet_max_bandwidth_out")
+ common_lib.valid_key(workerConfig, "internet_max_bandwidth_out")
 workerConfig.internet_max_bandwidth_out > 0
 result := {
- "documentId": input.document[i].id,
- "resourceType": "tencentcloud_kubernetes_cluster",
- "resourceName": tf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out", [name]),
- "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "worker_config", index, "internet_max_bandwidth_out"], []),
- "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out should be equal to '0' or null", [name]),
- "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out is defined and not equal to '0'", [name]),
- }
+ "documentId": input.document[i].id,
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "worker_config", index, "internet_max_bandwidth_out"], []),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out should be equal to '0' or null", [name]),
+ "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].worker_config.internet_max_bandwidth_out is defined and not equal to '0'", [name]),
+ }
 }
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego
index cf6ecb08826..a8c1f219548 100644
--- a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'log_agent' should be defined and not null",
 "keyActualValue": "'log_agent' is undefined or null",
- "searchLine":common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name], []),
+ "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name], []),
 }
 }
@@ -23,8 +23,8 @@ CxPolicy[result] {
 cluster := input.document[i].resource.tencentcloud_kubernetes_cluster[name]
 common_lib.valid_key(cluster, "log_agent")
- log_agent := cluster.log_agent
- log_agent.enabled == false
+ log_agent := cluster.log_agent
+ log_agent.enabled == false
 result := {
 "documentId": input.document[i].id,
@@ -33,7 +33,7 @@ CxPolicy[result] {
 "searchKey": sprintf("tencentcloud_kubernetes_cluster[%s].log_agent.enabled", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("tencentcloud_kubernetes_cluster[%s].log_agent.enabled should be set to 'true'", [name]),
- "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].log_agent.enabled is not set to 'true'", [name]),
- "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "log_agent", "enabled"], []),
+ "keyActualValue": sprintf("tencentcloud_kubernetes_cluster[%s].log_agent.enabled is not set to 'true'", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "tencentcloud_kubernetes_cluster", name, "log_agent", "enabled"], []),
 }
 }
diff --git a/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/query.rego b/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/query.rego
index 077336dc69d..508f2d7d773 100644
--- a/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/query.rego
+++ b/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/query.rego
@@ -5,7 +5,7 @@ import data.generic.terraform as tf_lib
 CxPolicy[result] {
 resource := input.document[i].resource.tencentcloud_vpc_flow_log_config[name]
- resource.enable == false
+ resource.enable == false
 result := {
 "documentId": input.document[i].id,
@@ -15,6 +15,6 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("[%s] should have enable set to true", [name]),
 "keyActualValue": sprintf("[%s] has enable set to false", [name]),
- "searchLine":common_lib.build_search_line(["resource", "tencentcloud_vpc_flow_log_config", name, "enable"], []),
+ "searchLine": common_lib.build_search_line(["resource", "tencentcloud_vpc_flow_log_config", name, "enable"], []),
 }
 }
diff --git a/assets/template/query/query.rego b/assets/template/query/query.rego
index 20099c9288a..f7707194953 100644
--- a/assets/template/query/query.rego
+++ b/assets/template/query/query.rego
@@ -1,14 +1,14 @@
 package Cx
-CxPolicy [ result ] {
- resource := input.document[i].resource
- resource == ""
+CxPolicy[result] {
+ resource := input.document[i].resource
+ resource == ""
 result := {
- "documentId": input.document[i].id,
- "searchKey": sprintf("%s", [resource]),
- "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute"
- "keyExpectedValue": "",
- "keyActualValue": resource
- }
-}
\ No newline at end of file
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("%s", [resource]),
+ "issueType": "IncorrectValue", # "MissingAttribute" / "RedundantAttribute"
+ "keyExpectedValue": "",
+ "keyActualValue": resource,
+ }
+}
diff --git a/e2e/fixtures/samples/libraries/terraform.rego b/e2e/fixtures/samples/libraries/terraform.rego
index 8ad285d993b..b56f44ee885 100644
--- a/e2e/fixtures/samples/libraries/terraform.rego
+++ b/e2e/fixtures/samples/libraries/terraform.rego
@@ -2,7 +2,7 @@ package generic.terraform
 ***** &? INVALID-ENTRY &? *****
-check_cidr(rule) {
+check_cidr(rule) {
 rule.cidr_blocks[_] == "0.0.0.0/0"
 } else {
 rule.cidr_block == "0.0.0.0/0"
@@ -30,7 +30,7 @@ containsPort(rule, port) {
 rule.from_port == 0
 rule.to_port == 0
 } else {
- regex.match(sprintf("(^|\\s|,)%d(-|,|$|\\s)", [port]), rule.destination_port_range)
+ regex.match(sprintf(`(^|\s|,)%d(-|,|$|\s)`, [port]), rule.destination_port_range)
 } else {
 ports := split(rule.destination_port_range, ",")
 sublist := split(ports[var], "-")
diff --git a/test/fixtures/type-test01/template01/query.rego b/test/fixtures/type-test01/template01/query.rego
index 2cc70640e8b..76df1519ef1 100644
--- a/test/fixtures/type-test01/template01/query.rego
+++ b/test/fixtures/type-test01/template01/query.rego
@@ -7,7 +7,7 @@ CxPolicy [ result ] {
 result := {
 "documentId": input.document[i].id,
 "searchKey": sprintf("%s", [resource]),
- "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute"
+ "issueType": "IncorrectValue", # "MissingAttribute" / "RedundantAttribute"
 "keyExpectedValue": "",
 "keyActualValue": resource
 }
diff --git a/test/fixtures/type-test01/template02/query.rego b/test/fixtures/type-test01/template02/query.rego
index 2cc70640e8b..76df1519ef1 100644
--- a/test/fixtures/type-test01/template02/query.rego
+++ b/test/fixtures/type-test01/template02/query.rego
@@ -7,7 +7,7 @@ CxPolicy [ result ] {
 result := {
 "documentId": input.document[i].id,
 "searchKey": sprintf("%s", [resource]),
- "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute"
+ "issueType": "IncorrectValue", # "MissingAttribute" / "RedundantAttribute"
 "keyExpectedValue": "",
 "keyActualValue": resource
 }
diff --git a/test/fixtures/type-test01/template03/query.rego b/test/fixtures/type-test01/template03/query.rego
index 2cc70640e8b..76df1519ef1 100644
--- a/test/fixtures/type-test01/template03/query.rego
+++ b/test/fixtures/type-test01/template03/query.rego
@@ -7,7 +7,7 @@ CxPolicy [ result ] {
 result := {
 "documentId": input.document[i].id,
 "searchKey": sprintf("%s", [resource]),
- "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute"
+ "issueType": "IncorrectValue", # "MissingAttribute" / "RedundantAttribute"
 "keyExpectedValue": "",
 "keyActualValue": resource
 }
diff --git a/test/fixtures/type-test02/template01/query.rego b/test/fixtures/type-test02/template01/query.rego
index 2cc70640e8b..76df1519ef1 100644
--- a/test/fixtures/type-test02/template01/query.rego
+++ b/test/fixtures/type-test02/template01/query.rego
@@ -7,7 +7,7 @@ CxPolicy [ result ] {
 result := {
 "documentId": input.document[i].id,
 "searchKey": sprintf("%s", [resource]),
- "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute"
+ "issueType": "IncorrectValue", # "MissingAttribute" / "RedundantAttribute"
 "keyExpectedValue": "",
 "keyActualValue": resource
 }
diff --git a/test/fixtures/type-test02/template02/query.rego b/test/fixtures/type-test02/template02/query.rego
index 2cc70640e8b..76df1519ef1 100644
--- a/test/fixtures/type-test02/template02/query.rego
+++ b/test/fixtures/type-test02/template02/query.rego
@@ -7,7 +7,7 @@ CxPolicy [ result ] {
 result := {
 "documentId": input.document[i].id,
 "searchKey": sprintf("%s", [resource]),
- "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute"
+ "issueType": "IncorrectValue", # "MissingAttribute" / "RedundantAttribute"
 "keyExpectedValue": "",
 "keyActualValue": resource
 }