Update docs automated change (Checkmarx#2604)
Co-authored-by: ruigomescx <[email protected]>
kicsbot and ruigomescx authored Mar 30, 2021
1 parent ebf2b2e commit e5e9c55
Showing 4 changed files with 14 additions and 2 deletions.
8 changes: 7 additions & 1 deletion docs/queries/all-queries.md
@@ -210,8 +210,9 @@ This page contains all queries.
|Containers With Added Capabilities<br/><sup><sub>fe771ff7-ba15-4f8f-ad7a-8aa232b49a28</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Access Control|Kubernetes Pod should not have extra capabilities allowed|<a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#capabilities-1">Documentation</a><br/>|
|ElastiCache Nodes Are Not Created Across Multi AZ<br/><sup><sub>6db03a91-f933-4f13-ab38-a8b87a7de54d</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Availability|Check if ElastiCache nodes are not being created across multi AZ|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster">Documentation</a><br/>|
|Liveness Probe Is Not Defined<br/><sup><sub>5b6d53dd-3ba3-4269-b4d7-f82e880e43c3</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Availability|Liveness Probe must be defined|<a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#liveness_probe">Documentation</a><br/>|
|Stack Retention Is Disabled<br/><sup><sub>6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance#stack_set_name">Documentation</a><br/>|
|RDS Without Backup<br/><sup><sub>1dc73fb4-5b51-430c-8c5f-25dcf9090b02</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Backup|RDS configured without backup|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance">Documentation</a><br/>|
|Stack Retention Disabled<br/><sup><sub>6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance#stack_set_name">Documentation</a><br/>|
|Cognito UserPool Without MFA<br/><sup><sub>ec28bf61-a474-4dbe-b414-6dd3a067d6f0</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool">Documentation</a><br/>|
|Incorrect Volume Claim Access Mode ReadWriteOnce<br/><sup><sub>26b047a9-0329-48fd-8fb7-05bbe5ba80ee</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|<a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#volume_claim_template">Documentation</a><br/>|
|Insecure SSL Is Enabled For GitHub Organization Webhook<br/><sup><sub>ce7c874e-1b88-450b-a5e4-cb76ada3c8a9</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|<a href="https://registry.terraform.io/providers/hashicorp/github/latest/docs/resources/organization_webhook">Documentation</a><br/>|
|ElasticSearch Encryption With KMS Disabled<br/><sup><sub>7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain">Documentation</a><br/>|
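Review bot: the renamed Terraform row "Stack Retention Disabled" (6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97) correctly keeps the UUID of the old "Stack Retention Is Disabled" entry, but the description it carries still reads "it's associated resources" (should be "its"), and its documentation anchor is `cloudformation_stack_set_instance#stack_set_name` while the text tells the user to enable `retain_stack`; pointing the link at the `retain_stack` argument, if the provider docs expose an anchor for it, would match the check. Since this page is generated, the correction belongs in the query's source metadata rather than in the markdown.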
@@ -324,9 +325,12 @@ This page contains all queries.
|CPU Limits Not Set<br/><sup><sub>5f4735ce-b9ba-4d95-a089-a37a767b716f</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|<a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#limits">Documentation</a><br/>|
|CPU Requests Not Set<br/><sup><sub>577ac19c-6a77-46d7-9f14-e049cdd15ec2</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|<a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#requests">Documentation</a><br/>|
|Incorrect Password Policy Expiration<br/><sup><sub>ce60d060-efb8-4bfd-9cf7-ff8945d00d90</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Secret Management|No password exeration policy|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy">Documentation</a><br/>|
|Shared Service Account<br/><sup><sub>f74b9c43-161a-4799-bc95-0b0ec81801b9</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Secret Management|A Service Account token is shared between workloads|<a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#service_account_name">Documentation</a><br/>|
|Service Account Allows Access Secrets<br/><sup><sub>07fc3413-e572-42f7-9877-5c8fc6fccfb5</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|<a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding#subject">Documentation</a><br/>|
|IAM Role Allows Public Assume<br/><sup><sub>bcdcbdc6-a350-4855-ae7c-d1e6436f7c97</sub></sup>|Terraform|<span style="color:#CC0">Low</span>|Access Control|IAM role allows All services or principals to assume it|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role">Documentation</a><br/>|
|IAM Role Allows All Principals To Assume<br/><sup><sub>12b7e704-37f0-4d1e-911a-44bf60c48c21</sub></sup>|Terraform|<span style="color:#CC0">Low</span>|Access Control|IAM role allows all services or principals to assume it|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role">Documentation</a><br/>|
|Cluster Admin Rolebinding With Superuser Permissions<br/><sup><sub>17172bc2-56fb-4f17-916f-a014147706cd</sub></sup>|Terraform|<span style="color:#CC0">Low</span>|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|<a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding#name">Documentation</a><br/>|
|Permissive Access to Create Pods<br/><sup><sub>522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba</sub></sup>|Terraform|<span style="color:#CC0">Low</span>|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|<a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role#rule">Documentation</a><br/>|
|Docker Daemon Socket is Exposed to Containers<br/><sup><sub>4e203a65-c8d8-49a2-b749-b124d43c9dc1</sub></sup>|Terraform|<span style="color:#CC0">Low</span>|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|<a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_path">Documentation</a><br/>|
|Lambda Permission Misconfigured<br/><sup><sub>75ec6890-83af-4bf1-9f16-e83726df0bd0</sub></sup>|Terraform|<span style="color:#CC0">Low</span>|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission">Documentation</a><br/>|
|StatefulSet Requests Storage<br/><sup><sub>fcc2612a-1dfe-46e4-8ce6-0320959f0040</sub></sup>|Terraform|<span style="color:#CC0">Low</span>|Build Process|A StatefulSet requests volume storage.|<a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#volume_claim_template">Documentation</a><br/>|
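Review bot: the two Low/Access Control rows "IAM Role Allows Public Assume" (bcdcbdc6-a350-4855-ae7c-d1e6436f7c97) and "IAM Role Allows All Principals To Assume" (12b7e704-37f0-4d1e-911a-44bf60c48c21) carry descriptions that differ only in the capitalisation of "All", so a reader cannot tell what distinguishes them; if they are distinct checks the descriptions should say how, and if not, one should be retired. Two typos in the surrounding context rows are worth a drive-by fix in the source metadata: "No password exeration policy" (the Ansible twin of this query at line 3f2cf811 says "expiration") and "when binded" (should be "when bound"). The "Docker Daemon Socket is Exposed to Containers" row describes the passing state ("Sees if ... is not exposed") rather than the finding, which is inconsistent with the other rows.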
@@ -461,6 +465,7 @@ This page contains all queries.
|Firewall Rule Allows Too Many Hosts To Access Redis Cache<br/><sup><sub>69f72007-502e-457b-bd2d-5012e31ac049</sub></sup>|Ansible|<span style="color:#C60">Medium</span>|Access Control|Check if any firewall rule allows too many hosts to access Redis Cache.|<a href="https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html">Documentation</a><br/>|
|AKS RBAC Disabled<br/><sup><sub>149fa56c-4404-4f90-9e25-d34b676d5b39</sub></sup>|Ansible|<span style="color:#C60">Medium</span>|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|<a href="https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_aks_module.html">Documentation</a><br/>|
|RDS Without Backup<br/><sup><sub>e69890e6-fce5-461d-98ad-cb98318dfc96</sub></sup>|Ansible|<span style="color:#C60">Medium</span>|Backup|RDS configured without backup|<a href="https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-backup_retention_period">Documentation</a><br/>|
|Stack Retention Disabled<br/><sup><sub>17d5ba1d-7667-4729-b1a6-b11fde3db7f7</sub></sup>|Ansible|<span style="color:#C60">Medium</span>|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|<a href="https://docs.ansible.com/ansible/latest/collections/community/aws/cloudformation_stack_set_module.html#parameter-purge_stacks">Documentation</a><br/>|
|Key Vault Soft Delete Is Disabled<br/><sup><sub>881696a8-68c5-4073-85bc-7c38a3deb854</sub></sup>|Ansible|<span style="color:#C60">Medium</span>|Backup|Make sure Soft Delete is enabled for Key Vault|<a href="https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_keyvault_module.html#parameter-enable_soft_delete">Documentation</a><br/>|
|Incorrect Password Policy Expiration<br/><sup><sub>3f2cf811-88fa-4eda-be45-7a191a18aba9</sub></sup>|Ansible|<span style="color:#C60">Medium</span>|Best Practices|No password expiration policy|<a href="https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html">Documentation</a><br/>|
|IAM Password Without Lowercase Letter<br/><sup><sub>8e3063f4-b511-45c3-b030-f3b0c9131951</sub></sup>|Ansible|<span style="color:#C60">Medium</span>|Best Practices|Check if IAM account password has at least one lowercase letter|<a href="https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html">Documentation</a><br/>|
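Review bot: the new Ansible row "Stack Retention Disabled" (17d5ba1d-7667-4729-b1a6-b11fde3db7f7) reuses the Terraform wording "retain_stack is enabled", but its own documentation link anchors on `#parameter-purge_stacks`, so the parameter a playbook author will look for is `purge_stacks`, not `retain_stack`; the description should name the Ansible parameter and the condition the query expects for it (and "it's" should be "its"). Because these pages are generated, the wording should be fixed once in the query metadata so all three docs pick it up.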
@@ -706,6 +711,7 @@ This page contains all queries.
|EBS Volume Not Attached To Instances<br/><sup><sub>1819ac03-542b-4026-976b-f37addd59f3b</sub></sup>|CloudFormation|<span style="color:#C60">Medium</span>|Availability|EBS Volumes that are unattached to instances may contain sensitive data|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volumeattachment.html">Documentation</a><br/>|
|ECS Service Without Running Tasks<br/><sup><sub>79d745f0-d5f3-46db-9504-bef73e9fd528</sub></sup>|CloudFormation|<span style="color:#C60">Medium</span>|Availability|ECS Service should have at least 1 task running|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#cfn-ecs-service-deploymentconfiguration">Documentation</a><br/>|
|CMK Is Unusable<br/><sup><sub>2844c749-bd78-4cd1-90e8-b179df827602</sub></sup>|CloudFormation|<span style="color:#C60">Medium</span>|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html">Documentation</a><br/>|
|Stack Retention Disabled<br/><sup><sub>fe974ae9-858e-4991-bbd5-e040a834679f</sub></sup>|CloudFormation|<span style="color:#C60">Medium</span>|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-stackset-autodeployment.html#cfn-cloudformation-stackset-autodeployment-retainstacksonaccountremoval">Documentation</a><br/>|
|RDS Multi-AZ Deployment Disabled<br/><sup><sub>2b1d4935-9acf-48a7-8466-10d18bf51a69</sub></sup>|CloudFormation|<span style="color:#C60">Medium</span>|Backup|AWS RDS Instance should have a multi-az deployment|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html">Documentation</a><br/>|
|RDS Backup Retention Period Insufficient<br/><sup><sub>e649a218-d099-4550-86a4-1231e1fcb60d</sub></sup>|CloudFormation|<span style="color:#C60">Medium</span>|Backup|AWS RDS backup retention policy should be at least 7 days|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html">Documentation</a><br/>|
|Access Key Is Not Rotated Within 90 Days<br/><sup><sub>800fa019-49dd-421b-9042-7331fdd83fa2</sub></sup>|CloudFormation|<span style="color:#C60">Medium</span>|Best Practices|Check if there is a rule that enforces access keys to be rotated within 90 days.|<a href="https://docs.amazonaws.cn/en_us/config/latest/developerguide/access-keys-rotated.html">Documentation</a><br/>|
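Review bot: the same mismatch appears in the CloudFormation row "Stack Retention Disabled" (fe974ae9-858e-4991-bbd5-e040a834679f): the description says `retain_stack`, a Terraform argument name, while the linked property is `RetainStacksOnAccountRemoval` under the StackSet AutoDeployment block; a template author will search for the latter, so the description should use the CloudFormation property name. "it's" should also be "its".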
1 change: 1 addition & 0 deletions docs/queries/ansible-queries.md
@@ -118,6 +118,7 @@ This page contains all queries from Ansible.
|Firewall Rule Allows Too Many Hosts To Access Redis Cache<br/><sup><sub>69f72007-502e-457b-bd2d-5012e31ac049</sub></sup>|<span style="color:#C60">Medium</span>|Access Control|Check if any firewall rule allows too many hosts to access Redis Cache.|<a href="https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html">Documentation</a><br/>|
|AKS RBAC Disabled<br/><sup><sub>149fa56c-4404-4f90-9e25-d34b676d5b39</sub></sup>|<span style="color:#C60">Medium</span>|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|<a href="https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_aks_module.html">Documentation</a><br/>|
|RDS Without Backup<br/><sup><sub>e69890e6-fce5-461d-98ad-cb98318dfc96</sub></sup>|<span style="color:#C60">Medium</span>|Backup|RDS configured without backup|<a href="https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-backup_retention_period">Documentation</a><br/>|
|Stack Retention Disabled<br/><sup><sub>17d5ba1d-7667-4729-b1a6-b11fde3db7f7</sub></sup>|<span style="color:#C60">Medium</span>|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|<a href="https://docs.ansible.com/ansible/latest/collections/community/aws/cloudformation_stack_set_module.html#parameter-purge_stacks">Documentation</a><br/>|
|Key Vault Soft Delete Is Disabled<br/><sup><sub>881696a8-68c5-4073-85bc-7c38a3deb854</sub></sup>|<span style="color:#C60">Medium</span>|Backup|Make sure Soft Delete is enabled for Key Vault|<a href="https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_keyvault_module.html#parameter-enable_soft_delete">Documentation</a><br/>|
|Incorrect Password Policy Expiration<br/><sup><sub>3f2cf811-88fa-4eda-be45-7a191a18aba9</sub></sup>|<span style="color:#C60">Medium</span>|Best Practices|No password expiration policy|<a href="https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html">Documentation</a><br/>|
|IAM Password Without Lowercase Letter<br/><sup><sub>8e3063f4-b511-45c3-b030-f3b0c9131951</sub></sup>|<span style="color:#C60">Medium</span>|Best Practices|Check if IAM account password has at least one lowercase letter|<a href="https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html">Documentation</a><br/>|
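Review bot: this row is the same generated entry that all-queries.md receives in this commit, so the description/anchor mismatch (text says `retain_stack`, link anchors on `#parameter-purge_stacks`) and the "it's" typo must be corrected in the query's metadata source rather than edited here, or the next automated docs run will reintroduce them.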
1 change: 1 addition & 0 deletions docs/queries/cloudformation-queries.md
@@ -93,6 +93,7 @@ This page contains all queries from CloudFormation.
|EBS Volume Not Attached To Instances<br/><sup><sub>1819ac03-542b-4026-976b-f37addd59f3b</sub></sup>|<span style="color:#C60">Medium</span>|Availability|EBS Volumes that are unattached to instances may contain sensitive data|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volumeattachment.html">Documentation</a><br/>|
|ECS Service Without Running Tasks<br/><sup><sub>79d745f0-d5f3-46db-9504-bef73e9fd528</sub></sup>|<span style="color:#C60">Medium</span>|Availability|ECS Service should have at least 1 task running|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#cfn-ecs-service-deploymentconfiguration">Documentation</a><br/>|
|CMK Is Unusable<br/><sup><sub>2844c749-bd78-4cd1-90e8-b179df827602</sub></sup>|<span style="color:#C60">Medium</span>|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html">Documentation</a><br/>|
|Stack Retention Disabled<br/><sup><sub>fe974ae9-858e-4991-bbd5-e040a834679f</sub></sup>|<span style="color:#C60">Medium</span>|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-stackset-autodeployment.html#cfn-cloudformation-stackset-autodeployment-retainstacksonaccountremoval">Documentation</a><br/>|
|RDS Multi-AZ Deployment Disabled<br/><sup><sub>2b1d4935-9acf-48a7-8466-10d18bf51a69</sub></sup>|<span style="color:#C60">Medium</span>|Backup|AWS RDS Instance should have a multi-az deployment|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html">Documentation</a><br/>|
|RDS Backup Retention Period Insufficient<br/><sup><sub>e649a218-d099-4550-86a4-1231e1fcb60d</sub></sup>|<span style="color:#C60">Medium</span>|Backup|AWS RDS backup retention policy should be at least 7 days|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html">Documentation</a><br/>|
|Access Key Is Not Rotated Within 90 Days<br/><sup><sub>800fa019-49dd-421b-9042-7331fdd83fa2</sub></sup>|<span style="color:#C60">Medium</span>|Best Practices|Check if there is a rule that enforces access keys to be rotated within 90 days.|<a href="https://docs.amazonaws.cn/en_us/config/latest/developerguide/access-keys-rotated.html">Documentation</a><br/>|
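Review bot: as with the all-queries.md copy, the CloudFormation row "Stack Retention Disabled" (fe974ae9-858e-4991-bbd5-e040a834679f) describes a Terraform argument (`retain_stack`) while linking to the `RetainStacksOnAccountRemoval` property; since this file is generated, the description should be changed in the query metadata so it names the CloudFormation property, and "it's" becomes "its".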