From 8e30cdb63a8e528ca12e569fb42d915bc77fe313 Mon Sep 17 00:00:00 2001 
From: pereiramarco011 Date: Thu, 7 Mar 2024 16:12:24 +0000 Subject: [PATCH] add cloudProvider to request queries --- .../missing_app_armor_config/metadata.json | 19 ++++++++++--------- .../psp_set_to_privileged/metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../container_host_pid_is_true/metadata.json | 19 ++++++++++--------- .../container_is_privileged/metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../container_runs_unmasked/metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../cpu_limits_not_set/metadata.json | 19 ++++++++++--------- .../cpu_requests_not_set/metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../hpa_targets_invalid_object/metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../image_without_digest/metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../kubernetes/invalid_image/metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../memory_limits_not_defined/metadata.json | 19 ++++++++++--------- .../memory_requests_not_defined/metadata.json | 19 ++++++++++--------- .../metadata_label_is_invalid/metadata.json | 19 ++++++++++--------- .../missing_app_armor_config/metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 
++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../psp_allows_sharing_host_ipc/metadata.json | 19 ++++++++++--------- .../psp_set_to_privileged/metadata.json | 19 ++++++++++--------- .../psp_with_added_capabilities/metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../root_containers_admitted/metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../service_type_is_nodeport/metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../shared_host_ipc_namespace/metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../shared_service_account/metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../tiller_is_deployed/metadata.json | 19 ++++++++++--------- .../using_default_namespace/metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- .../metadata.json | 19 ++++++++++--------- 67 files changed, 670 insertions(+), 603 deletions(-) diff --git a/assets/queries/pulumi/kubernetes/missing_app_armor_config/metadata.json b/assets/queries/pulumi/kubernetes/missing_app_armor_config/metadata.json index 0bfe4d89cd1..177026fb49d 100644 --- a/assets/queries/pulumi/kubernetes/missing_app_armor_config/metadata.json +++ b/assets/queries/pulumi/kubernetes/missing_app_armor_config/metadata.json 
@@ -1,11 +1,12 @@
 {
- "id": "95588189-1abd-4df1-9588-b0a5034f9e87",
- "queryName": "Missing App Armor Config",
- "severity": "LOW",
- "category": "Access Control",
- "descriptionText": "Containers should be configured with AppArmor for any application to reduce its potential attack",
- "descriptionUrl": "https://www.pulumi.com/registry/packages/kubernetes/api-docs/core/v1/pod/#objectmeta",
- "platform": "Pulumi",
- "descriptionID": "15676623",
- "cwe": ""
+ "id": "95588189-1abd-4df1-9588-b0a5034f9e87",
+ "queryName": "Missing App Armor Config",
+ "severity": "LOW",
+ "category": "Access Control",
+ "descriptionText": "Containers should be configured with AppArmor for any application to reduce its potential attack",
+ "descriptionUrl": "https://www.pulumi.com/registry/packages/kubernetes/api-docs/core/v1/pod/#objectmeta",
+ "platform": "Pulumi",
+ "descriptionID": "15676623",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/pulumi/kubernetes/psp_set_to_privileged/metadata.json b/assets/queries/pulumi/kubernetes/psp_set_to_privileged/metadata.json
index 6025117eb53..155cb986ff5 100644
--- a/assets/queries/pulumi/kubernetes/psp_set_to_privileged/metadata.json
+++ b/assets/queries/pulumi/kubernetes/psp_set_to_privileged/metadata.json
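Review bot: Every existing line of the object is removed and re-added with identical visible text, while the only semantic change is the new `"cloudProvider": "common"` entry; this looks like a whitespace, indentation or line-ending rewrite (not recoverable from this view) and it turns a one-line addition into a full-file replacement in every hunk of this patch (psp_set_to_privileged, github_organization_webhook_with_ssl_disabled, cluster_admin_role_binding_with_super_user_permissions and the rest). Keeping the unchanged lines as context so that only `"cwe": "",` and `"cloudProvider": "common"` appear as changed lines would keep the diff reviewable and leave `git blame` intact for the other fields. The new side also still ends with `\ No newline at end of file`; since the files are being rewritten anyway, emitting a final newline would follow the usual convention for version-controlled JSON.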
@@ -1,11 +1,12 @@
 {
- "id": "ee305555-6b1d-4055-94cf-e22131143c34",
- "queryName": "PSP Set To Privileged",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "Do not allow pod to request execution as privileged.",
- "descriptionUrl": "https://www.pulumi.com/registry/packages/kubernetes/api-docs/policy/v1beta1/podsecuritypolicy/#privileged_yaml",
- "platform": "Pulumi",
- "descriptionID": "7a6c8b70",
- "cwe": ""
+ "id": "ee305555-6b1d-4055-94cf-e22131143c34",
+ "queryName": "PSP Set To Privileged",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "Do not allow pod to request execution as privileged.",
+ "descriptionUrl": "https://www.pulumi.com/registry/packages/kubernetes/api-docs/policy/v1beta1/podsecuritypolicy/#privileged_yaml",
+ "platform": "Pulumi",
+ "descriptionID": "7a6c8b70",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/metadata.json b/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/metadata.json
index 116bef9c819..2e781587bab 100644
--- a/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/metadata.json
+++ b/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "ce7c874e-1b88-450b-a5e4-cb76ada3c8a9",
- "queryName": "Github Organization Webhook With SSL Disabled",
- "severity": "MEDIUM",
- "category": "Encryption",
- "descriptionText": "Check if insecure SSL is being used in the GitHub organization webhooks",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/github/latest/docs/resources/organization_webhook",
- "platform": "Terraform",
- "descriptionID": "5def6580",
- "cwe": ""
+ "id": "ce7c874e-1b88-450b-a5e4-cb76ada3c8a9",
+ "queryName": "Github Organization Webhook With SSL Disabled",
+ "severity": "MEDIUM",
+ "category": "Encryption",
+ "descriptionText": "Check if insecure SSL is being used in the GitHub organization webhooks",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/github/latest/docs/resources/organization_webhook",
+ "platform": "Terraform",
+ "descriptionID": "5def6580",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/github/github_repository_set_to_public/metadata.json b/assets/queries/terraform/github/github_repository_set_to_public/metadata.json
index 077addc095b..6be7a8e1f08 100644
--- a/assets/queries/terraform/github/github_repository_set_to_public/metadata.json
+++ b/assets/queries/terraform/github/github_repository_set_to_public/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "15d8a7fd-465a-4d15-a868-add86552f17b",
- "queryName": "GitHub Repository Set To Public",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')",
- "descriptionUrl": "https://www.terraform.io/docs/providers/github/r/repository.html",
- "platform": "Terraform",
- "descriptionID": "4df8b842",
- "cwe": ""
+ "id": "15d8a7fd-465a-4d15-a868-add86552f17b",
+ "queryName": "GitHub Repository Set To Public",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')",
+ "descriptionUrl": "https://www.terraform.io/docs/providers/github/r/repository.html",
+ "platform": "Terraform",
+ "descriptionID": "4df8b842",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/metadata.json b/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/metadata.json
index 5190e6ebdc5..8cfdcffdba2 100644
--- a/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/metadata.json
+++ b/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "17172bc2-56fb-4f17-916f-a014147706cd",
- "queryName": "Cluster Admin Rolebinding With Superuser Permissions",
- "severity": "LOW",
- "category": "Access Control",
- "descriptionText": "Ensure that the cluster-admin role is only used where required (RBAC)",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding#name",
- "platform": "Terraform",
- "descriptionID": "3cfeabe4",
- "cwe": ""
+ "id": "17172bc2-56fb-4f17-916f-a014147706cd",
+ "queryName": "Cluster Admin Rolebinding With Superuser Permissions",
+ "severity": "LOW",
+ "category": "Access Control",
+ "descriptionText": "Ensure that the cluster-admin role is only used where required (RBAC)",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding#name",
+ "platform": "Terraform",
+ "descriptionID": "3cfeabe4",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/metadata.json b/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/metadata.json
index 3ea2fbb9e25..d4fc8f717b8 100644
--- a/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/metadata.json
+++ b/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "a9174d31-d526-4ad9-ace4-ce7ddbf52e03",
- "queryName": "Cluster Allows Unsafe Sysctls",
- "severity": "HIGH",
- "category": "Insecure Configurations",
- "descriptionText": "A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_unsafe_sysctls",
- "platform": "Terraform",
- "descriptionID": "21547beb",
- "cwe": ""
+ "id": "a9174d31-d526-4ad9-ace4-ce7ddbf52e03",
+ "queryName": "Cluster Allows Unsafe Sysctls",
+ "severity": "HIGH",
+ "category": "Insecure Configurations",
+ "descriptionText": "A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_unsafe_sysctls",
+ "platform": "Terraform",
+ "descriptionID": "21547beb",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/container_host_pid_is_true/metadata.json b/assets/queries/terraform/kubernetes/container_host_pid_is_true/metadata.json
index 60c19102772..9ce08630f35 100644
--- a/assets/queries/terraform/kubernetes/container_host_pid_is_true/metadata.json
+++ b/assets/queries/terraform/kubernetes/container_host_pid_is_true/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "587d5d82-70cf-449b-9817-f60f9bccb88c",
- "queryName": "Container Host Pid Is True",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "Minimize the admission of containers wishing to share the host process ID namespace",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_pid",
- "platform": "Terraform",
- "descriptionID": "74aa164e",
- "cwe": ""
+ "id": "587d5d82-70cf-449b-9817-f60f9bccb88c",
+ "queryName": "Container Host Pid Is True",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "Minimize the admission of containers wishing to share the host process ID namespace",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_pid",
+ "platform": "Terraform",
+ "descriptionID": "74aa164e",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/container_is_privileged/metadata.json b/assets/queries/terraform/kubernetes/container_is_privileged/metadata.json
index 02394f07af0..73503d02187 100644
--- a/assets/queries/terraform/kubernetes/container_is_privileged/metadata.json
+++ b/assets/queries/terraform/kubernetes/container_is_privileged/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "87065ef8-de9b-40d8-9753-f4a4303e27a4",
- "queryName": "Container Is Privileged",
- "severity": "HIGH",
- "category": "Insecure Configurations",
- "descriptionText": "Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#privileged",
- "platform": "Terraform",
- "descriptionID": "e2be4ab9",
- "cwe": ""
+ "id": "87065ef8-de9b-40d8-9753-f4a4303e27a4",
+ "queryName": "Container Is Privileged",
+ "severity": "HIGH",
+ "category": "Insecure Configurations",
+ "descriptionText": "Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#privileged",
+ "platform": "Terraform",
+ "descriptionID": "e2be4ab9",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/metadata.json b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/metadata.json
index ac23c0266ff..4cc9c6482c5 100644
--- a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/metadata.json
+++ b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "60af03ff-a421-45c8-b214-6741035476fa",
- "queryName": "Container Resources Limits Undefined",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "Kubernetes container should have resource limitations defined such as CPU and memory",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod",
- "platform": "Terraform",
- "descriptionID": "36651cdf",
- "cwe": ""
+ "id": "60af03ff-a421-45c8-b214-6741035476fa",
+ "queryName": "Container Resources Limits Undefined",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "Kubernetes container should have resource limitations defined such as CPU and memory",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod",
+ "platform": "Terraform",
+ "descriptionID": "36651cdf",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/container_runs_unmasked/metadata.json b/assets/queries/terraform/kubernetes/container_runs_unmasked/metadata.json
index 32d09e32170..d842978b8d7 100644
--- a/assets/queries/terraform/kubernetes/container_runs_unmasked/metadata.json
+++ b/assets/queries/terraform/kubernetes/container_runs_unmasked/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "0ad60203-c050-4115-83b6-b94bde92541d",
- "queryName": "Container Runs Unmasked",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_proc_mount_types",
- "platform": "Terraform",
- "descriptionID": "bbb3aa40",
- "cwe": ""
+ "id": "0ad60203-c050-4115-83b6-b94bde92541d",
+ "queryName": "Container Runs Unmasked",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "Check if a container has full access (unmasked) to the host\u00e2\u20ac\u2122s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_proc_mount_types",
+ "platform": "Terraform",
+ "descriptionID": "bbb3aa40",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/container_with_added_capabilities/metadata.json b/assets/queries/terraform/kubernetes/container_with_added_capabilities/metadata.json
index f432defb204..6d0784d59fd 100644
--- a/assets/queries/terraform/kubernetes/container_with_added_capabilities/metadata.json
+++ b/assets/queries/terraform/kubernetes/container_with_added_capabilities/metadata.json
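Review bot: The new `descriptionText` line corrupts the apostrophe in `host’s`: the removed line has U+2019, the added line has `\u00e2\u20ac\u2122`, which is the UTF-8 byte sequence of that character re-read as Windows-1252 (`â€™`) and then escaped, so the text will render as `hostâ€™s` wherever this metadata is displayed. This points to the tool that rewrote these files having read them with a non-UTF-8 codec; the other hunks in this patch are pure ASCII, so this file is the only one where the problem is visible, but any other non-ASCII metadata in the 67 files would be affected the same way. The added line should keep the original character or drop to a plain ASCII apostrophe: `+ "descriptionText": "Check if a container has full access (unmasked) to the host's /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.",`.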
@@ -1,11 +1,12 @@
 {
- "id": "fe771ff7-ba15-4f8f-ad7a-8aa232b49a28",
- "queryName": "Containers With Added Capabilities",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "Containers should not have extra capabilities allowed",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#capabilities-1",
- "platform": "Terraform",
- "descriptionID": "4422c052",
- "cwe": ""
+ "id": "fe771ff7-ba15-4f8f-ad7a-8aa232b49a28",
+ "queryName": "Containers With Added Capabilities",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "Containers should not have extra capabilities allowed",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#capabilities-1",
+ "platform": "Terraform",
+ "descriptionID": "4422c052",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/metadata.json b/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/metadata.json
index 8093e33ea66..2ad0a3e6378 100644
--- a/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/metadata.json
+++ b/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "3f55386d-75cd-4e9a-ac47-167b26c04724",
- "queryName": "Containers With Sys Admin Capabilities",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "Containers should not have CAP_SYS_ADMIN Linux capability",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#capabilities-1",
- "platform": "Terraform",
- "descriptionID": "03622ad2",
- "cwe": ""
+ "id": "3f55386d-75cd-4e9a-ac47-167b26c04724",
+ "queryName": "Containers With Sys Admin Capabilities",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "Containers should not have CAP_SYS_ADMIN Linux capability",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#capabilities-1",
+ "platform": "Terraform",
+ "descriptionID": "03622ad2",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/cpu_limits_not_set/metadata.json b/assets/queries/terraform/kubernetes/cpu_limits_not_set/metadata.json
index 35f72ac7b26..1f4c8fdfee6 100644
--- a/assets/queries/terraform/kubernetes/cpu_limits_not_set/metadata.json
+++ b/assets/queries/terraform/kubernetes/cpu_limits_not_set/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "5f4735ce-b9ba-4d95-a089-a37a767b716f",
- "queryName": "CPU Limits Not Set",
- "severity": "MEDIUM",
- "category": "Resource Management",
- "descriptionText": "CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#limits",
- "platform": "Terraform",
- "descriptionID": "9dd8e356",
- "cwe": ""
+ "id": "5f4735ce-b9ba-4d95-a089-a37a767b716f",
+ "queryName": "CPU Limits Not Set",
+ "severity": "MEDIUM",
+ "category": "Resource Management",
+ "descriptionText": "CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#limits",
+ "platform": "Terraform",
+ "descriptionID": "9dd8e356",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/cpu_requests_not_set/metadata.json b/assets/queries/terraform/kubernetes/cpu_requests_not_set/metadata.json
index 58307f196d6..dc5f88bedb4 100644
--- a/assets/queries/terraform/kubernetes/cpu_requests_not_set/metadata.json
+++ b/assets/queries/terraform/kubernetes/cpu_requests_not_set/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "577ac19c-6a77-46d7-9f14-e049cdd15ec2",
- "queryName": "CPU Requests Not Set",
- "severity": "MEDIUM",
- "category": "Resource Management",
- "descriptionText": "CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#requests",
- "platform": "Terraform",
- "descriptionID": "957f09a7",
- "cwe": ""
+ "id": "577ac19c-6a77-46d7-9f14-e049cdd15ec2",
+ "queryName": "CPU Requests Not Set",
+ "severity": "MEDIUM",
+ "category": "Resource Management",
+ "descriptionText": "CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#requests",
+ "platform": "Terraform",
+ "descriptionID": "957f09a7",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/metadata.json b/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/metadata.json
index 4dbf6ce692c..693c7fd4a4a 100644
--- a/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/metadata.json
+++ b/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "58876b44-a690-4e9f-9214-7735fa0dd15d",
- "queryName": "CronJob Deadline Not Configured",
- "severity": "LOW",
- "category": "Resource Management",
- "descriptionText": "Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cron_job#starting_deadline_seconds",
- "platform": "Terraform",
- "descriptionID": "030edc62",
- "cwe": ""
+ "id": "58876b44-a690-4e9f-9214-7735fa0dd15d",
+ "queryName": "CronJob Deadline Not Configured",
+ "severity": "LOW",
+ "category": "Resource Management",
+ "descriptionText": "Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cron_job#starting_deadline_seconds",
+ "platform": "Terraform",
+ "descriptionID": "030edc62",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/default_service_account_in_use/metadata.json b/assets/queries/terraform/kubernetes/default_service_account_in_use/metadata.json
index 4e79b43a424..2bc14adc292 100644
--- a/assets/queries/terraform/kubernetes/default_service_account_in_use/metadata.json
+++ b/assets/queries/terraform/kubernetes/default_service_account_in_use/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "737a0dd9-0aaa-4145-8118-f01778262b8a",
- "queryName": "Default Service Account In Use",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "Default service accounts should not be actively used",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account#automount_service_account_token",
- "platform": "Terraform",
- "descriptionID": "b0822187",
- "cwe": ""
+ "id": "737a0dd9-0aaa-4145-8118-f01778262b8a",
+ "queryName": "Default Service Account In Use",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "Default service accounts should not be actively used",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account#automount_service_account_token",
+ "platform": "Terraform",
+ "descriptionID": "b0822187",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/metadata.json b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/metadata.json
index db3c3c63691..5f0ac082b57 100644
--- a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/metadata.json
+++ b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3",
- "queryName": "Deployment Has No PodAntiAffinity",
- "severity": "LOW",
- "category": "Resource Management",
- "descriptionText": "Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment#affinity",
- "platform": "Terraform",
- "descriptionID": "4a5ad90d",
- "cwe": ""
+ "id": "461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3",
+ "queryName": "Deployment Has No PodAntiAffinity",
+ "severity": "LOW",
+ "category": "Resource Management",
+ "descriptionText": "Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment#affinity",
+ "platform": "Terraform",
+ "descriptionID": "4a5ad90d",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/metadata.json b/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/metadata.json
index 5c1333c4137..d1ce7306f15 100644
--- a/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/metadata.json
+++ b/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "a05331ee-1653-45cb-91e6-13637a76e4f0",
- "queryName": "Deployment Without PodDisruptionBudget",
- "severity": "LOW",
- "category": "Availability",
- "descriptionText": "Deployments should be assigned with a PodDisruptionBudget to ensure high availability",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment#selector",
- "platform": "Terraform",
- "descriptionID": "add58c0c",
- "cwe": ""
+ "id": "a05331ee-1653-45cb-91e6-13637a76e4f0",
+ "queryName": "Deployment Without PodDisruptionBudget",
+ "severity": "LOW",
+ "category": "Availability",
+ "descriptionText": "Deployments should be assigned with a PodDisruptionBudget to ensure high availability",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment#selector",
+ "platform": "Terraform",
+ "descriptionID": "add58c0c",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/metadata.json b/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/metadata.json
index 33d4bb4f17b..b3a9349450d 100644
--- a/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/metadata.json
+++ b/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "4e203a65-c8d8-49a2-b749-b124d43c9dc1",
- "queryName": "Docker Daemon Socket is Exposed to Containers",
- "severity": "LOW",
- "category": "Access Control",
- "descriptionText": "Sees if Docker Daemon Socket is not exposed to Containers",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_path",
- "platform": "Terraform",
- "descriptionID": "836d927e",
- "cwe": ""
+ "id": "4e203a65-c8d8-49a2-b749-b124d43c9dc1",
+ "queryName": "Docker Daemon Socket is Exposed to Containers",
+ "severity": "LOW",
+ "category": "Access Control",
+ "descriptionText": "Sees if Docker Daemon Socket is not exposed to Containers",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_path",
+ "platform": "Terraform",
+ "descriptionID": "836d927e",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/metadata.json b/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/metadata.json
index 51da5c45d4a..8a1d482fd08 100644
--- a/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/metadata.json
+++ b/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "17e52ca3-ddd0-4610-9d56-ce107442e110",
- "queryName": "HPA Targets Invalid Object",
- "severity": "LOW",
- "category": "Availability",
- "descriptionText": "The Horizontal Pod Autoscaler must target a valid object",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/horizontal_pod_autoscaler#metric",
- "platform": "Terraform",
- "descriptionID": "f4d95aa4",
- "cwe": ""
+ "id": "17e52ca3-ddd0-4610-9d56-ce107442e110",
+ "queryName": "HPA Targets Invalid Object",
+ "severity": "LOW",
+ "category": "Availability",
+ "descriptionText": "The Horizontal Pod Autoscaler must target a valid object",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/horizontal_pod_autoscaler#metric",
+ "platform": "Terraform",
+ "descriptionID": "f4d95aa4",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/metadata.json b/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/metadata.json
index 886b1bb4d8e..920dacc631a 100644
--- a/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/metadata.json
+++ b/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "aa737abf-6b1d-4aba-95aa-5c160bd7f96e",
- "queryName": "Image Pull Policy Of The Container Is Not Set To Always",
- "severity": "LOW",
- "category": "Insecure Configurations",
- "descriptionText": "Image Pull Policy of the container must be defined and set to Always",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image_pull_policy",
- "platform": "Terraform",
- "descriptionID": "d2abf21b",
- "cwe": ""
+ "id": "aa737abf-6b1d-4aba-95aa-5c160bd7f96e",
+ "queryName": "Image Pull Policy Of The Container Is Not Set To Always",
+ "severity": "LOW",
+ "category": "Insecure Configurations",
+ "descriptionText": "Image Pull Policy of the container must be defined and set to Always",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image_pull_policy",
+ "platform": "Terraform",
+ "descriptionID": "d2abf21b",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/image_without_digest/metadata.json b/assets/queries/terraform/kubernetes/image_without_digest/metadata.json
index e2f19b906e9..522dcc5f34e 100644
--- a/assets/queries/terraform/kubernetes/image_without_digest/metadata.json
+++ b/assets/queries/terraform/kubernetes/image_without_digest/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "228c4c19-feeb-4c18-848c-800ac70fdfb7",
- "queryName": "Image Without Digest",
- "severity": "LOW",
- "category": "Insecure Configurations",
- "descriptionText": "Images should be specified together with their digests to ensure integrity",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image",
- "platform": "Terraform",
- "descriptionID": "fec9b353",
- "cwe": ""
+ "id": "228c4c19-feeb-4c18-848c-800ac70fdfb7",
+ "queryName": "Image Without Digest",
+ "severity": "LOW",
+ "category": "Insecure Configurations",
+ "descriptionText": "Images should be specified together with their digests to ensure integrity",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image",
+ "platform": "Terraform",
+ "descriptionID": "fec9b353",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/metadata.json b/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/metadata.json
index df49f85af39..8527c1080b3 100644
--- a/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/metadata.json
+++ b/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "26b047a9-0329-48fd-8fb7-05bbe5ba80ee",
- "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce",
- "severity": "MEDIUM",
- "category": "Build Process",
- "descriptionText": "Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#volume_claim_template",
- "platform": "Terraform",
- "descriptionID": "02756212",
- "cwe": ""
+ "id": "26b047a9-0329-48fd-8fb7-05bbe5ba80ee",
+ "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce",
+ "severity": "MEDIUM",
+ "category": "Build Process",
+ "descriptionText": "Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#volume_claim_template",
+ "platform": "Terraform",
+ "descriptionID": "02756212",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/metadata.json b/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/metadata.json
index 97f531dc75c..0aefb1e932c 100644
--- a/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/metadata.json
+++ b/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "e2c83c1f-84d7-4467-966c-ed41fd015bb9",
- "queryName": "Ingress Controller Exposes Workload",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress#http",
- "platform": "Terraform",
- "descriptionID": "88c1dfb2",
- "cwe": ""
+ "id": "e2c83c1f-84d7-4467-966c-ed41fd015bb9",
+ "queryName": "Ingress Controller Exposes Workload",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress#http",
+ "platform": "Terraform",
+ "descriptionID": "88c1dfb2",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/invalid_image/metadata.json b/assets/queries/terraform/kubernetes/invalid_image/metadata.json
index d011ccd812c..5cd836fb81d 100644
--- a/assets/queries/terraform/kubernetes/invalid_image/metadata.json
+++ b/assets/queries/terraform/kubernetes/invalid_image/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "e76cca7c-c3f9-4fc9-884c-b2831168ebd8",
- "queryName": "Invalid Image",
- "severity": "LOW",
- "category": "Supply-Chain",
- "descriptionText": "Image must be defined and not be empty or equal to latest.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image",
- "platform": "Terraform",
- "descriptionID": "56713716",
- "cwe": ""
+ "id": "e76cca7c-c3f9-4fc9-884c-b2831168ebd8",
+ "queryName": "Invalid Image",
+ "severity": "LOW",
+ "category": "Supply-Chain",
+ "descriptionText": "Image must be defined and not be empty or equal to latest.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image",
+ "platform": "Terraform",
+ "descriptionID": "56713716",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/metadata.json b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/metadata.json
index e43f9dea6c8..9571835c060 100644
--- a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/metadata.json
+++ b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "5b6d53dd-3ba3-4269-b4d7-f82e880e43c3",
- "queryName": "Liveness Probe Is Not Defined",
- "severity": "LOW",
- "category": "Availability",
- "descriptionText": "In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#liveness_probe",
- "platform": "Terraform",
- "descriptionID": "e5105a57",
- "cwe": ""
+ "id": "5b6d53dd-3ba3-4269-b4d7-f82e880e43c3",
+ "queryName": "Liveness Probe Is Not Defined",
+ "severity": "LOW",
+ "category": "Availability",
+ "descriptionText": "In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#liveness_probe",
+ "platform": "Terraform",
+ "descriptionID": "e5105a57",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/memory_limits_not_defined/metadata.json b/assets/queries/terraform/kubernetes/memory_limits_not_defined/metadata.json
index 629b38f83bd..9e64e8ca99b 100644
--- a/assets/queries/terraform/kubernetes/memory_limits_not_defined/metadata.json
+++ b/assets/queries/terraform/kubernetes/memory_limits_not_defined/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "fd097ed0-7fe6-4f58-8b71-fef9f0820a21",
- "queryName": "Memory Limits Not Defined",
- "severity": "MEDIUM",
- "category": "Resource Management",
- "descriptionText": "Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#limits",
- "platform": "Terraform",
- "descriptionID": "c957affa",
- "cwe": ""
+ "id": "fd097ed0-7fe6-4f58-8b71-fef9f0820a21",
+ "queryName": "Memory Limits Not Defined",
+ "severity": "MEDIUM",
+ "category": "Resource Management",
+ "descriptionText": "Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#limits",
+ "platform": "Terraform",
+ "descriptionID": "c957affa",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/memory_requests_not_defined/metadata.json b/assets/queries/terraform/kubernetes/memory_requests_not_defined/metadata.json
index 81c56f79eb4..8c688678de7 100644
--- a/assets/queries/terraform/kubernetes/memory_requests_not_defined/metadata.json
+++ b/assets/queries/terraform/kubernetes/memory_requests_not_defined/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "21719347-d02b-497d-bda4-04a03c8e5b61",
- "queryName": "Memory Requests Not Defined",
- "severity": "MEDIUM",
- "category": "Resource Management",
- "descriptionText": "Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#requests",
- "platform": "Terraform",
- "descriptionID": "a77e5da7",
- "cwe": ""
+ "id": "21719347-d02b-497d-bda4-04a03c8e5b61",
+ "queryName": "Memory Requests Not Defined",
+ "severity": "MEDIUM",
+ "category": "Resource Management",
+ "descriptionText": "Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#requests",
+ "platform": "Terraform",
+ "descriptionID": "a77e5da7",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/metadata.json b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/metadata.json
index 039c91d0526..dc7adc90461 100644
--- a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/metadata.json
+++ b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e",
- "queryName": "Metadata Label Is Invalid",
- "severity": "LOW",
- "category": "Best Practices",
- "descriptionText": "Check if any label in the metadata is invalid.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#labels",
- "platform": "Terraform",
- "descriptionID": "5448851e",
- "cwe": ""
+ "id": "bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e",
+ "queryName": "Metadata Label Is Invalid",
+ "severity": "LOW",
+ "category": "Best Practices",
+ "descriptionText": "Check if any label in the metadata is invalid.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#labels",
+ "platform": "Terraform",
+ "descriptionID": "5448851e",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/missing_app_armor_config/metadata.json b/assets/queries/terraform/kubernetes/missing_app_armor_config/metadata.json
index 7d3fc2c2ad2..afa49c7e331 100644
--- a/assets/queries/terraform/kubernetes/missing_app_armor_config/metadata.json
+++ b/assets/queries/terraform/kubernetes/missing_app_armor_config/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "bd6bd46c-57db-4887-956d-d372f21291b6",
- "queryName": "Missing App Armor Config",
- "severity": "LOW",
- "category": "Access Control",
- "descriptionText": "Containers should be configured with AppArmor for any application to reduce its potential attack",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#annotations",
- "platform": "Terraform",
- "descriptionID": "ba36908b",
- "cwe": ""
+ "id": "bd6bd46c-57db-4887-956d-d372f21291b6",
+ "queryName": "Missing App Armor Config",
+ "severity": "LOW",
+ "category": "Access Control",
+ "descriptionText": "Containers should be configured with AppArmor for any application to reduce its potential attack",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#annotations",
+ "platform": "Terraform",
+ "descriptionID": "ba36908b",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/metadata.json b/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/metadata.json
index edd7503f98f..6addec8e644 100644
--- a/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/metadata.json
+++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/metadata.json
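Review bot: The re-added `"descriptionText": "Containers should be configured with AppArmor for any application to reduce its potential attack"` is a truncated sentence on the new side; since the commit rewrites this line anyway it should be completed, e.g. `"descriptionText": "Containers should be configured with an AppArmor profile to reduce their potential attack surface"`. The rest of this hunk is the same whole-file re-indentation for a one-key `"cloudProvider": "common"` addition as the other metadata.json files, which makes the intended change hard to see in review.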
@@ -1,11 +1,12 @@
 {
- "id": "9aa32890-ac1a-45ee-81ca-5164e2098556",
- "queryName": "NET_RAW Capabilities Disabled for PSP",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "Containers need to have NET_RAW or All as drop capabilities",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#required_drop_capabilities",
- "platform": "Terraform",
- "descriptionID": "631e9c61",
- "cwe": ""
+ "id": "9aa32890-ac1a-45ee-81ca-5164e2098556",
+ "queryName": "NET_RAW Capabilities Disabled for PSP",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "Containers need to have NET_RAW or All as drop capabilities",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#required_drop_capabilities",
+ "platform": "Terraform",
+ "descriptionID": "631e9c61",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/metadata.json b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/metadata.json
index 4a991139bce..76eafe4ef19 100644
--- a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/metadata.json
+++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "e5587d53-a673-4a6b-b3f2-ba07ec274def",
- "queryName": "NET_RAW Capabilities Not Being Dropped",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "Containers should drop 'ALL' or at least 'NET_RAW' capabilities",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#drop",
- "platform": "Terraform",
- "descriptionID": "548d4eac",
- "cwe": ""
+ "id": "e5587d53-a673-4a6b-b3f2-ba07ec274def",
+ "queryName": "NET_RAW Capabilities Not Being Dropped",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "Containers should drop 'ALL' or at least 'NET_RAW' capabilities",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#drop",
+ "platform": "Terraform",
+ "descriptionID": "548d4eac",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/metadata.json b/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/metadata.json
index 124741bb186..4867dd0d05b 100644
--- a/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/metadata.json
+++ b/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "b80b14c6-aaa2-4876-b651-8a48b6c32fbf",
- "queryName": "Network Policy Is Not Targeting Any Pod",
- "severity": "MEDIUM",
- "category": "Networking and Firewall",
- "descriptionText": "Check if any network policy is not targeting any pod.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#match_labels",
- "platform": "Terraform",
- "descriptionID": "1598c368",
- "cwe": ""
+ "id": "b80b14c6-aaa2-4876-b651-8a48b6c32fbf",
+ "queryName": "Network Policy Is Not Targeting Any Pod",
+ "severity": "MEDIUM",
+ "category": "Networking and Firewall",
+ "descriptionText": "Check if any network policy is not targeting any pod.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#match_labels",
+ "platform": "Terraform",
+ "descriptionID": "1598c368",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/metadata.json b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/metadata.json
index 5696dc3a01b..f89a2aafef4 100644
--- a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/metadata.json
+++ b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "21cef75f-289f-470e-8038-c7cee0664164",
- "queryName": "No Drop Capabilities for Containers",
- "severity": "LOW",
- "category": "Best Practices",
- "descriptionText": "Sees if Kubernetes Drop Capabilities exists to ensure containers security context",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#drop",
- "platform": "Terraform",
- "descriptionID": "f547f3d7",
- "cwe": ""
+ "id": "21cef75f-289f-470e-8038-c7cee0664164",
+ "queryName": "No Drop Capabilities for Containers",
+ "severity": "LOW",
+ "category": "Best Practices",
+ "descriptionText": "Sees if Kubernetes Drop Capabilities exists to ensure containers security context",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#drop",
+ "platform": "Terraform",
+ "descriptionID": "f547f3d7",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/metadata.json b/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/metadata.json
index d8f6a65eb4e..751a64bb43d 100644
--- a/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/metadata.json
+++ b/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "86a947ea-f577-4efb-a8b0-5fc00257d521",
- "queryName": "Non Kube System Pod With Host Mount",
- "severity": "MEDIUM",
- "category": "Access Control",
- "descriptionText": "A non kube-system workload should not have hostPath mounted",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod",
- "platform": "Terraform",
- "descriptionID": "5b17fdb1",
- "cwe": ""
+ "id": "86a947ea-f577-4efb-a8b0-5fc00257d521",
+ "queryName": "Non Kube System Pod With Host Mount",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "A non kube-system workload should not have hostPath mounted",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod",
+ "platform": "Terraform",
+ "descriptionID": "5b17fdb1",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/not_limited_capabilities_for_pod_security_policy/metadata.json b/assets/queries/terraform/kubernetes/not_limited_capabilities_for_pod_security_policy/metadata.json
index e7f63903f5f..e5d9cda8200 100644
--- a/assets/queries/terraform/kubernetes/not_limited_capabilities_for_pod_security_policy/metadata.json
+++ b/assets/queries/terraform/kubernetes/not_limited_capabilities_for_pod_security_policy/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "2acb555f-f4ad-4b1b-b984-84e6588f4b05",
- "queryName": "Not Limited Capabilities For Pod Security Policy",
- "severity": "HIGH",
- "category": "Insecure Configurations",
- "descriptionText": "Limit capabilities for a Pod Security Policy",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#required_drop_capabilities",
- "platform": "Terraform",
- "descriptionID": "c42b1890",
- "cwe": ""
+ "id": "2acb555f-f4ad-4b1b-b984-84e6588f4b05",
+ "queryName": "Not Limited Capabilities For Pod Security Policy",
+ "severity": "HIGH",
+ "category": "Insecure Configurations",
+ "descriptionText": "Limit capabilities for a Pod Security Policy",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#required_drop_capabilities",
+ "platform": "Terraform",
+ "descriptionID": "c42b1890",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/metadata.json b/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/metadata.json
index 4acf0c31a4c..07cf2cc9661 100644
--- a/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/metadata.json
+++ b/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba",
- "queryName": "Permissive Access to Create Pods",
- "severity": "MEDIUM",
- "category": "Access Control",
- "descriptionText": "The permission to create pods in a cluster should be restricted because it allows privilege escalation.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role#rule",
- "platform": "Terraform",
- "descriptionID": "cca5f42d",
- "cwe": ""
+ "id": "522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba",
+ "queryName": "Permissive Access to Create Pods",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "The permission to create pods in a cluster should be restricted because it allows privilege escalation.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role#rule",
+ "platform": "Terraform",
+ "descriptionID": "cca5f42d",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/metadata.json b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/metadata.json
index 6c010e208eb..dc3bd8b92dc 100644
--- a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/metadata.json
+++ b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "ad69e38a-d92e-4357-a8da-f2f29d545883",
- "queryName": "Pod or Container Without Security Context",
- "severity": "LOW",
- "category": "Insecure Configurations",
- "descriptionText": "A security context defines privilege and access control settings for a Pod or Container",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#security_context",
- "platform": "Terraform",
- "descriptionID": "a465ab52",
- "cwe": ""
+ "id": "ad69e38a-d92e-4357-a8da-f2f29d545883",
+ "queryName": "Pod or Container Without Security Context",
+ "severity": "LOW",
+ "category": "Insecure Configurations",
+ "descriptionText": "A security context defines privilege and access control settings for a Pod or Container",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#security_context",
+ "platform": "Terraform",
+ "descriptionID": "a465ab52",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/metadata.json b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/metadata.json
index b9f95b8eeb4..b300c779369 100644
--- a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/metadata.json
+++ b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "c878abb4-cca5-4724-92b9-289be68bd47c",
- "queryName": "Privilege Escalation Allowed",
- "severity": "HIGH",
- "category": "Insecure Configurations",
- "descriptionText": "Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#allow_privilege_escalation",
- "platform": "Terraform",
- "descriptionID": "e693ddd6",
- "cwe": ""
+ "id": "c878abb4-cca5-4724-92b9-289be68bd47c",
+ "queryName": "Privilege Escalation Allowed",
+ "severity": "HIGH",
+ "category": "Insecure Configurations",
+ "descriptionText": "Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#allow_privilege_escalation",
+ "platform": "Terraform",
+ "descriptionID": "e693ddd6",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/metadata.json b/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/metadata.json
index 4d457cd02b5..13358aa5e8b 100644
--- a/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/metadata.json
+++ b/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "4950837c-0ce5-4e42-9bee-a25eae73740b",
- "queryName": "PSP Allows Containers To Share The Host Network Namespace",
- "severity": "HIGH",
- "category": "Insecure Configurations",
- "descriptionText": "Check if Pod Security Policies allow containers to share the host network namespace.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#host_network",
- "platform": "Terraform",
- "descriptionID": "531152cf",
- "cwe": ""
+ "id": "4950837c-0ce5-4e42-9bee-a25eae73740b",
+ "queryName": "PSP Allows Containers To Share The Host Network Namespace",
+ "severity": "HIGH",
+ "category": "Insecure Configurations",
+ "descriptionText": "Check if Pod Security Policies allow containers to share the host network namespace.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#host_network",
+ "platform": "Terraform",
+ "descriptionID": "531152cf",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/metadata.json b/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/metadata.json
index 00579915ef7..fafbd2578dc 100644
--- a/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/metadata.json
+++ b/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "2bff9906-4e9b-4f71-9346-8ebedfdf43ef",
- "queryName": "PSP Allows Privilege Escalation",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "PodSecurityPolicy should not allow privilege escalation",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allow_privilege_escalation",
- "platform": "Terraform",
- "descriptionID": "1cdd3f21",
- "cwe": ""
+ "id": "2bff9906-4e9b-4f71-9346-8ebedfdf43ef",
+ "queryName": "PSP Allows Privilege Escalation",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "PodSecurityPolicy should not allow privilege escalation",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allow_privilege_escalation",
+ "platform": "Terraform",
+ "descriptionID": "1cdd3f21",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/metadata.json b/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/metadata.json
index 3bf14e54e87..b0c5f4639df 100644
--- a/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/metadata.json
+++ b/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "51bed0ac-a8ae-407a-895e-90c6cb0610ce",
- "queryName": "PSP Allows Sharing Host IPC",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "Pod Security Policy allows containers to share the host IPC namespace",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#host_ipc",
- "platform": "Terraform",
- "descriptionID": "45566e38",
- "cwe": ""
+ "id": "51bed0ac-a8ae-407a-895e-90c6cb0610ce",
+ "queryName": "PSP Allows Sharing Host IPC",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "Pod Security Policy allows containers to share the host IPC namespace",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#host_ipc",
+ "platform": "Terraform",
+ "descriptionID": "45566e38",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/psp_set_to_privileged/metadata.json b/assets/queries/terraform/kubernetes/psp_set_to_privileged/metadata.json
index 2e325761caa..e2bd80f4b9e 100644
--- a/assets/queries/terraform/kubernetes/psp_set_to_privileged/metadata.json
+++ b/assets/queries/terraform/kubernetes/psp_set_to_privileged/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9",
- "queryName": "PSP Set To Privileged",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "Do not allow pod to request execution as privileged.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#privileged",
- "platform": "Terraform",
- "descriptionID": "5ca96212",
- "cwe": ""
+ "id": "a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9",
+ "queryName": "PSP Set To Privileged",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "Do not allow pod to request execution as privileged.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#privileged",
+ "platform": "Terraform",
+ "descriptionID": "5ca96212",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/psp_with_added_capabilities/metadata.json b/assets/queries/terraform/kubernetes/psp_with_added_capabilities/metadata.json
index 19fa029a8b8..6be1be86258 100644
--- a/assets/queries/terraform/kubernetes/psp_with_added_capabilities/metadata.json
+++ b/assets/queries/terraform/kubernetes/psp_with_added_capabilities/metadata.json
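Review bot: The re-added `"descriptionUrl"` for this PSP query points at `.../resources/pod#privileged`, whereas the sibling PSP queries in this patch (host_network, allow_privilege_escalation, host_ipc, allowed_capabilities) all reference `.../resources/pod_security_policy#...`; if this query inspects the `kubernetes_pod_security_policy` resource as its name and directory suggest, the line should be `"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#privileged"`. Since the commit already rewrites every line of this file, correcting the reference here costs nothing extra; if the query really targets pods, the queryName and descriptionText should say so instead.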
@@ -1,11 +1,12 @@
 {
- "id": "48388bd2-7201-4dcc-b56d-e8a9efa58fad",
- "queryName": "PSP With Added Capabilities",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "PodSecurityPolicy should not have added capabilities",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_capabilities",
- "platform": "Terraform",
- "descriptionID": "f3ad2d09",
- "cwe": ""
+ "id": "48388bd2-7201-4dcc-b56d-e8a9efa58fad",
+ "queryName": "PSP With Added Capabilities",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "PodSecurityPolicy should not have added capabilities",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_capabilities",
+ "platform": "Terraform",
+ "descriptionID": "f3ad2d09",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/metadata.json b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/metadata.json
index 1dde2d17912..85b13593622 100644
--- a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/metadata.json
+++ b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "826abb30-3cd5-4e0b-a93b-67729b4f7e63",
- "queryName": "RBAC Roles with Read Secrets Permissions",
- "severity": "MEDIUM",
- "category": "Access Control",
- "descriptionText": "Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role#rule",
- "platform": "Terraform",
- "descriptionID": "a4fb7558",
- "cwe": ""
+ "id": "826abb30-3cd5-4e0b-a93b-67729b4f7e63",
+ "queryName": "RBAC Roles with Read Secrets Permissions",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role#rule",
+ "platform": "Terraform",
+ "descriptionID": "a4fb7558",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/metadata.json b/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/metadata.json
index 553a1b8abda..47b01f801d4 100644
--- a/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/metadata.json
+++ b/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "8657197e-3f87-4694-892b-8144701d83c1",
- "queryName": "Readiness Probe Is Not Configured",
- "severity": "MEDIUM",
- "category": "Availability",
- "descriptionText": "Check if Readiness Probe is not configured.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#readiness_probe",
- "platform": "Terraform",
- "descriptionID": "a333fe96",
- "cwe": ""
+ "id": "8657197e-3f87-4694-892b-8144701d83c1",
+ "queryName": "Readiness Probe Is Not Configured",
+ "severity": "MEDIUM",
+ "category": "Availability",
+ "descriptionText": "Check if Readiness Probe is not configured.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#readiness_probe",
+ "platform": "Terraform",
+ "descriptionID": "a333fe96",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/metadata.json b/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/metadata.json
index 3bf73e0d2d9..1ff5e2a329a 100644
--- a/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/metadata.json
+++ b/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "3360c01e-c8c0-4812-96a2-a6329b9b7f9f",
- "queryName": "Role Binding To Default Service Account",
- "severity": "HIGH",
- "category": "Insecure Defaults",
- "descriptionText": "No role nor cluster role should bind to a default service account",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding#subject",
- "platform": "Terraform",
- "descriptionID": "a90a96ca",
- "cwe": ""
+ "id": "3360c01e-c8c0-4812-96a2-a6329b9b7f9f",
+ "queryName": "Role Binding To Default Service Account",
+ "severity": "HIGH",
+ "category": "Insecure Defaults",
+ "descriptionText": "No role nor cluster role should bind to a default service account",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding#subject",
+ "platform": "Terraform",
+ "descriptionID": "a90a96ca",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/metadata.json b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/metadata.json
index c0a46e7b7de..19b3c373b82 100644
--- a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/metadata.json
+++ b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "d532566b-8d9d-4f3b-80bd-361fe802f9c2",
- "queryName": "Root Container Not Mounted As Read-only",
- "severity": "LOW",
- "category": "Build Process",
- "descriptionText": "Check if the root container filesystem is not being mounted as read-only.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#read_only_root_filesystem",
- "platform": "Terraform",
- "descriptionID": "b7afed50",
- "cwe": ""
+ "id": "d532566b-8d9d-4f3b-80bd-361fe802f9c2",
+ "queryName": "Root Container Not Mounted As Read-only",
+ "severity": "LOW",
+ "category": "Build Process",
+ "descriptionText": "Check if the root container filesystem is not being mounted as read-only.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#read_only_root_filesystem",
+ "platform": "Terraform",
+ "descriptionID": "b7afed50",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/root_containers_admitted/metadata.json b/assets/queries/terraform/kubernetes/root_containers_admitted/metadata.json
index 01c8e9d8799..281739b529b 100644
--- a/assets/queries/terraform/kubernetes/root_containers_admitted/metadata.json
+++ b/assets/queries/terraform/kubernetes/root_containers_admitted/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "4c415497-7410-4559-90e8-f2c8ac64ee38",
- "queryName": "Root Containers Admitted",
- "severity": "MEDIUM",
- "category": "Best Practices",
- "descriptionText": "Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#run_as_user",
- "platform": "Terraform",
- "descriptionID": "aa6d70b9",
- "cwe": ""
+ "id": "4c415497-7410-4559-90e8-f2c8ac64ee38",
+ "queryName": "Root Containers Admitted",
+ "severity": "MEDIUM",
+ "category": "Best Practices",
+ "descriptionText": "Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#run_as_user",
+ "platform": "Terraform",
+ "descriptionID": "aa6d70b9",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/metadata.json b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/metadata.json
index 7011821c31c..d78fe27fe1e 100644
--- a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/metadata.json
+++ b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "455f2e0c-686d-4fcb-8b5f-3f953f12c43c",
- "queryName": "Seccomp Profile Is Not Configured",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#annotations",
- "platform": "Terraform",
- "descriptionID": "ad5436a1",
- "cwe": ""
+ "id": "455f2e0c-686d-4fcb-8b5f-3f953f12c43c",
+ "queryName": "Seccomp Profile Is Not Configured",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#annotations",
+ "platform": "Terraform",
+ "descriptionID": "ad5436a1",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/secrets_as_environment_variables/metadata.json b/assets/queries/terraform/kubernetes/secrets_as_environment_variables/metadata.json
index e967ab5798b..f4f06e77232 100644
--- a/assets/queries/terraform/kubernetes/secrets_as_environment_variables/metadata.json
+++ b/assets/queries/terraform/kubernetes/secrets_as_environment_variables/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8",
- "queryName": "Secrets As Environment Variables",
- "severity": "LOW",
- "category": "Secret Management",
- "descriptionText": "Container should not use secrets as environment variables",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#secret_key_ref",
- "platform": "Terraform",
- "descriptionID": "f5c43d1e",
- "cwe": ""
+ "id": "6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8",
+ "queryName": "Secrets As Environment Variables",
+ "severity": "LOW",
+ "category": "Secret Management",
+ "descriptionText": "Container should not use secrets as environment variables",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#secret_key_ref",
+ "platform": "Terraform",
+ "descriptionID": "f5c43d1e",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/metadata.json b/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/metadata.json
index 5ff98a58938..c9289ecbbc2 100644
--- a/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/metadata.json
+++ b/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "07fc3413-e572-42f7-9877-5c8fc6fccfb5",
- "queryName": "Service Account Allows Access Secrets",
- "severity": "MEDIUM",
- "category": "Secret Management",
- "descriptionText": "Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding#subject",
- "platform": "Terraform",
- "descriptionID": "93294320",
- "cwe": ""
+ "id": "07fc3413-e572-42f7-9877-5c8fc6fccfb5",
+ "queryName": "Service Account Allows Access Secrets",
+ "severity": "MEDIUM",
+ "category": "Secret Management",
+ "descriptionText": "Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding#subject",
+ "platform": "Terraform",
+ "descriptionID": "93294320",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/metadata.json b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/metadata.json
index 1852195d01b..330b8c7f081 100644
--- a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/metadata.json
+++ b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "24b132df-5cc7-4823-8029-f898e1c50b72",
- "queryName": "Service Account Name Undefined Or Empty",
- "severity": "MEDIUM",
- "category": "Insecure Defaults",
- "descriptionText": "A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#service_account_name",
- "platform": "Terraform",
- "descriptionID": "ce3648b0",
- "cwe": ""
+ "id": "24b132df-5cc7-4823-8029-f898e1c50b72",
+ "queryName": "Service Account Name Undefined Or Empty",
+ "severity": "MEDIUM",
+ "category": "Insecure Defaults",
+ "descriptionText": "A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#service_account_name",
+ "platform": "Terraform",
+ "descriptionID": "ce3648b0",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/metadata.json b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/metadata.json
index 94c3e21fa1e..ef48be2cbdd 100644
--- a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/metadata.json
+++ b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "a9a13d4f-f17a-491b-b074-f54bffffcb4a",
- "queryName": "Service Account Token Automount Not Disabled",
- "severity": "MEDIUM",
- "category": "Insecure Defaults",
- "descriptionText": "Service Account Tokens are automatically mounted even if not necessary",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#automount_service_account_token",
- "platform": "Terraform",
- "descriptionID": "9674e7f6",
- "cwe": ""
+ "id": "a9a13d4f-f17a-491b-b074-f54bffffcb4a",
+ "queryName": "Service Account Token Automount Not Disabled",
+ "severity": "MEDIUM",
+ "category": "Insecure Defaults",
+ "descriptionText": "Service Account Tokens are automatically mounted even if not necessary",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#automount_service_account_token",
+ "platform": "Terraform",
+ "descriptionID": "9674e7f6",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/service_type_is_nodeport/metadata.json b/assets/queries/terraform/kubernetes/service_type_is_nodeport/metadata.json
index 830afb99c8d..7f601446b17 100644
--- a/assets/queries/terraform/kubernetes/service_type_is_nodeport/metadata.json
+++ b/assets/queries/terraform/kubernetes/service_type_is_nodeport/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "5c281bf8-d9bb-47f2-b909-3f6bb11874ad",
- "queryName": "Service Type is NodePort",
- "severity": "LOW",
- "category": "Networking and Firewall",
- "descriptionText": "Service type should not be NodePort",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service#type",
- "platform": "Terraform",
- "descriptionID": "50e2c36f",
- "cwe": ""
+ "id": "5c281bf8-d9bb-47f2-b909-3f6bb11874ad",
+ "queryName": "Service Type is NodePort",
+ "severity": "LOW",
+ "category": "Networking and Firewall",
+ "descriptionText": "Service type should not be NodePort",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service#type",
+ "platform": "Terraform",
+ "descriptionID": "50e2c36f",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/service_with_external_load_balancer/metadata.json b/assets/queries/terraform/kubernetes/service_with_external_load_balancer/metadata.json
index 903c7d17d15..f14e6edbba8 100644
--- a/assets/queries/terraform/kubernetes/service_with_external_load_balancer/metadata.json
+++ b/assets/queries/terraform/kubernetes/service_with_external_load_balancer/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "2a52567c-abb8-4651-a038-52fa27c77aed",
- "queryName": "Service With External Load Balancer",
- "severity": "MEDIUM",
- "category": "Networking and Firewall",
- "descriptionText": "Service has an external load balancer, which may cause accessibility from other networks and the Internet",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service",
- "platform": "Terraform",
- "descriptionID": "18a78d03",
- "cwe": ""
+ "id": "2a52567c-abb8-4651-a038-52fa27c77aed",
+ "queryName": "Service With External Load Balancer",
+ "severity": "MEDIUM",
+ "category": "Networking and Firewall",
+ "descriptionText": "Service has an external load balancer, which may cause accessibility from other networks and the Internet",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service",
+ "platform": "Terraform",
+ "descriptionID": "18a78d03",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/metadata.json b/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/metadata.json
index abda941ecc0..e096cb8305a 100644
--- a/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/metadata.json
+++ b/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "e94d3121-c2d1-4e34-a295-139bfeb73ea3",
- "queryName": "Shared Host IPC Namespace",
- "severity": "MEDIUM",
- "category": "Resource Management",
- "descriptionText": "Container should not share the host IPC namespace",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_ipc",
- "platform": "Terraform",
- "descriptionID": "e76243f6",
- "cwe": ""
+ "id": "e94d3121-c2d1-4e34-a295-139bfeb73ea3",
+ "queryName": "Shared Host IPC Namespace",
+ "severity": "MEDIUM",
+ "category": "Resource Management",
+ "descriptionText": "Container should not share the host IPC namespace",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_ipc",
+ "platform": "Terraform",
+ "descriptionID": "e76243f6",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/shared_host_network_namespace/metadata.json b/assets/queries/terraform/kubernetes/shared_host_network_namespace/metadata.json
index 3a58226d456..17b7b0415c4 100644
--- a/assets/queries/terraform/kubernetes/shared_host_network_namespace/metadata.json
+++ b/assets/queries/terraform/kubernetes/shared_host_network_namespace/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "ac1564a3-c324-4747-9fa1-9dfc234dace0",
- "queryName": "Shared Host Network Namespace",
- "severity": "MEDIUM",
- "category": "Resource Management",
- "descriptionText": "Container should not share the host network namespace",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_network",
- "platform": "Terraform",
- "descriptionID": "bf155ca7",
- "cwe": ""
+ "id": "ac1564a3-c324-4747-9fa1-9dfc234dace0",
+ "queryName": "Shared Host Network Namespace",
+ "severity": "MEDIUM",
+ "category": "Resource Management",
+ "descriptionText": "Container should not share the host network namespace",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_network",
+ "platform": "Terraform",
+ "descriptionID": "bf155ca7",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/shared_service_account/metadata.json b/assets/queries/terraform/kubernetes/shared_service_account/metadata.json
index 8418038fba3..937c9c2a631 100644
--- a/assets/queries/terraform/kubernetes/shared_service_account/metadata.json
+++ b/assets/queries/terraform/kubernetes/shared_service_account/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "f74b9c43-161a-4799-bc95-0b0ec81801b9",
- "queryName": "Shared Service Account",
- "severity": "MEDIUM",
- "category": "Secret Management",
- "descriptionText": "A Service Account token is shared between workloads",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#service_account_name",
- "platform": "Terraform",
- "descriptionID": "a13adbaa",
- "cwe": ""
+ "id": "f74b9c43-161a-4799-bc95-0b0ec81801b9",
+ "queryName": "Shared Service Account",
+ "severity": "MEDIUM",
+ "category": "Secret Management",
+ "descriptionText": "A Service Account token is shared between workloads",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#service_account_name",
+ "platform": "Terraform",
+ "descriptionID": "a13adbaa",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/statefulset_requests_storage/metadata.json b/assets/queries/terraform/kubernetes/statefulset_requests_storage/metadata.json
index a077d9aa540..9f6a1292b40 100644
--- a/assets/queries/terraform/kubernetes/statefulset_requests_storage/metadata.json
+++ b/assets/queries/terraform/kubernetes/statefulset_requests_storage/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "fcc2612a-1dfe-46e4-8ce6-0320959f0040",
- "queryName": "StatefulSet Requests Storage",
- "severity": "LOW",
- "category": "Build Process",
- "descriptionText": "A StatefulSet requests volume storage.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#volume_claim_template",
- "platform": "Terraform",
- "descriptionID": "3a82ccdb",
- "cwe": ""
+ "id": "fcc2612a-1dfe-46e4-8ce6-0320959f0040",
+ "queryName": "StatefulSet Requests Storage",
+ "severity": "LOW",
+ "category": "Build Process",
+ "descriptionText": "A StatefulSet requests volume storage.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#volume_claim_template",
+ "platform": "Terraform",
+ "descriptionID": "3a82ccdb",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/metadata.json b/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/metadata.json
index d77fa2f6c5e..3559012866d 100644
--- a/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/metadata.json
+++ b/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "7249e3b0-9231-4af3-bc5f-5daf4988ecbf",
- "queryName": "StatefulSet Without PodDisruptionBudget",
- "severity": "LOW",
- "category": "Availability",
- "descriptionText": "StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#selector",
- "platform": "Terraform",
- "descriptionID": "efa415db",
- "cwe": ""
+ "id": "7249e3b0-9231-4af3-bc5f-5daf4988ecbf",
+ "queryName": "StatefulSet Without PodDisruptionBudget",
+ "severity": "LOW",
+ "category": "Availability",
+ "descriptionText": "StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#selector",
+ "platform": "Terraform",
+ "descriptionID": "efa415db",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/statefulset_without_service_name/metadata.json b/assets/queries/terraform/kubernetes/statefulset_without_service_name/metadata.json
index 0fb339eba89..29f2b4c5f5b 100644
--- a/assets/queries/terraform/kubernetes/statefulset_without_service_name/metadata.json
+++ b/assets/queries/terraform/kubernetes/statefulset_without_service_name/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "420e6360-47bb-46f6-9072-b20ed22c842d",
- "queryName": "StatefulSet Without Service Name",
- "severity": "LOW",
- "category": "Availability",
- "descriptionText": "StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#selector",
- "platform": "Terraform",
- "descriptionID": "a0d17b18",
- "cwe": ""
+ "id": "420e6360-47bb-46f6-9072-b20ed22c842d",
+ "queryName": "StatefulSet Without Service Name",
+ "severity": "LOW",
+ "category": "Availability",
+ "descriptionText": "StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#selector",
+ "platform": "Terraform",
+ "descriptionID": "a0d17b18",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/tiller_is_deployed/metadata.json b/assets/queries/terraform/kubernetes/tiller_is_deployed/metadata.json
index 5c9fe316553..bd329297fd0 100644
--- a/assets/queries/terraform/kubernetes/tiller_is_deployed/metadata.json
+++ b/assets/queries/terraform/kubernetes/tiller_is_deployed/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "ca2fba76-c1a7-4afd-be67-5249f861cb0e",
- "queryName": "Tiller (Helm v2) Is Deployed",
- "severity": "HIGH",
- "category": "Insecure Configurations",
- "descriptionText": "Check if Tiller is deployed.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image",
- "platform": "Terraform",
- "descriptionID": "bf1b3f30",
- "cwe": ""
+ "id": "ca2fba76-c1a7-4afd-be67-5249f861cb0e",
+ "queryName": "Tiller (Helm v2) Is Deployed",
+ "severity": "HIGH",
+ "category": "Insecure Configurations",
+ "descriptionText": "Check if Tiller is deployed.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image",
+ "platform": "Terraform",
+ "descriptionID": "bf1b3f30",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/using_default_namespace/metadata.json b/assets/queries/terraform/kubernetes/using_default_namespace/metadata.json
index b8889939ebf..95081142ebc 100644
--- a/assets/queries/terraform/kubernetes/using_default_namespace/metadata.json
+++ b/assets/queries/terraform/kubernetes/using_default_namespace/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "abcb818b-5af7-4d72-aba9-6dd84956b451",
- "queryName": "Using Default Namespace",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "The default namespace should not be used",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#namespace",
- "platform": "Terraform",
- "descriptionID": "4d26d672",
- "cwe": ""
+ "id": "abcb818b-5af7-4d72-aba9-6dd84956b451",
+ "queryName": "Using Default Namespace",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "The default namespace should not be used",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#namespace",
+ "platform": "Terraform",
+ "descriptionID": "4d26d672",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/metadata.json b/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/metadata.json
index b5aa95eb401..621d05943c3 100644
--- a/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/metadata.json
+++ b/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "a62a99d1-8196-432f-8f80-3c100b05d62a",
- "queryName": "Volume Mount With OS Directory Write Permissions",
- "severity": "MEDIUM",
- "category": "Resource Management",
- "descriptionText": "Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#volume_mount",
- "platform": "Terraform",
- "descriptionID": "48833ef2",
- "cwe": ""
+ "id": "a62a99d1-8196-432f-8f80-3c100b05d62a",
+ "queryName": "Volume Mount With OS Directory Write Permissions",
+ "severity": "MEDIUM",
+ "category": "Resource Management",
+ "descriptionText": "Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#volume_mount",
+ "platform": "Terraform",
+ "descriptionID": "48833ef2",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/metadata.json b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/metadata.json
index df28b5f722d..f6c94893da4 100644
--- a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/metadata.json
+++ b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "4e74cf4f-ff65-4c1a-885c-67ab608206ce",
- "queryName": "Workload Host Port Not Specified",
- "severity": "LOW",
- "category": "Networking and Firewall",
- "descriptionText": "Verifies if Kubernetes workload's host port is specified",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_port",
- "platform": "Terraform",
- "descriptionID": "b7ddd063",
- "cwe": ""
+ "id": "4e74cf4f-ff65-4c1a-885c-67ab608206ce",
+ "queryName": "Workload Host Port Not Specified",
+ "severity": "LOW",
+ "category": "Networking and Firewall",
+ "descriptionText": "Verifies if Kubernetes workload's host port is specified",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_port",
+ "platform": "Terraform",
+ "descriptionID": "b7ddd063",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/metadata.json b/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/metadata.json
index 312067f2d6f..dbbd7a0302a 100644
--- a/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/metadata.json
+++ b/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/metadata.json
@@ -1,11 +1,12 @@
 {
- "id": "a737be28-37d8-4bff-aa6d-1be8aa0a0015",
- "queryName": "Workload Mounting With Sensitive OS Directory",
- "severity": "MEDIUM",
- "category": "Insecure Configurations",
- "descriptionText": "Workload is mounting a volume with sensitive OS Directory",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_path",
- "platform": "Terraform",
- "descriptionID": "2047253f",
- "cwe": ""
+ "id": "a737be28-37d8-4bff-aa6d-1be8aa0a0015",
+ "queryName": "Workload Mounting With Sensitive OS Directory",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "Workload is mounting a volume with sensitive OS Directory",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_path",
+ "platform": "Terraform",
+ "descriptionID": "2047253f",
+ "cwe": "",
+ "cloudProvider": "common"
 }
\ No newline at end of file