diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/query.rego b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/query.rego
index 15a8888beaf..fa3a59a8d22 100644
--- a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/query.rego
+++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/query.rego
@@ -1,25 +1,108 @@ package Cx import future.keywords.if +import data.generic.common as common_lib CxPolicy[result] { vm := input.document[i].playbooks[k].azure_rm_virtualmachine - is_linux_vm(vm) - not vm.ssh_password_enabled == false - not vm.linux_config.disable_password_authentication == false + is_linux_vm(vm) + res := get_results(vm, ["playbooks", k, "azure_rm_virtualmachine"]) result := { "documentId": input.document[i].id, "resourceType": "azure_rm_virtualmachine", "resourceName": vm.name, - "searchKey": sprintf("azure_rm_virtualmachine[%s].ssh_public_keys", [vm.name]), + "searchKey": res.searchKey, + "issueType": res.issueType, + "keyExpectedValue": res.keyExpectedValue, + "keyActualValue": res.keyActualValue, + "searchLine": res.searchLine, + } +} + +CxPolicy[result] { + vm := input.document[i].playbooks[k].tasks[y].azure_rm_virtualmachine + is_linux_vm(vm) + res := get_results(vm, ["playbooks", k, "tasks", y, "azure_rm_virtualmachine"]) + result := { + "documentId": input.document[i].id, + "resourceType": "azure_rm_virtualmachine", + "resourceName": vm.name, + "searchKey": res.searchKey, + "issueType": res.issueType, + "keyExpectedValue": res.keyExpectedValue, + "keyActualValue": res.keyActualValue, + "searchLine": res.searchLine, + } +} + +get_results(vm, path) = res { # both "ssh_password_enabled" and "linux_config" undefined + not common_lib.valid_key(vm, "ssh_password_enabled") + not common_lib.valid_key(vm, "linux_config") + res := { + "searchKey": sprintf("azure_rm_virtualmachine.%s", [vm.name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'azure_rm_virtualmachine[%s]' should be using SSH keys for authentication", [vm.name]), - "keyActualValue": sprintf("'azure_rm_virtualmachine[%s]' is using username and password for authentication", [vm.name]), + "keyExpectedValue": sprintf("'azure_rm_virtualmachine[%s]' should set 'ssh_password_enabled' to false and 'linux_config.disable_password_authentication' to true", [vm.name]), + 
"keyActualValue": sprintf("'azure_rm_virtualmachine[%s].ssh_password_enabled' and 'linux_config' are both undefined", [vm.name]), + "searchLine": common_lib.build_search_line(path, []), + } +} else = res { # "ssh_password_enabled" undefined with "linux_config" missing "disable_password_authentication" field + not common_lib.valid_key(vm, "ssh_password_enabled") + common_lib.valid_key(vm, "linux_config") + not common_lib.valid_key(vm.linux_config, "disable_password_authentication") + res := { + "searchKey": sprintf("azure_rm_virtualmachine.%s.linux_config", [vm.name]), + "issueType": "MissingAttribute", + "keyExpectedValue": sprintf("'azure_rm_virtualmachine[%s]' should set 'ssh_password_enabled' to false and 'linux_config.disable_password_authentication' to true", [vm.name]), + "keyActualValue": sprintf("'azure_rm_virtualmachine[%s].ssh_password_enabled' and 'linux_config.disable_password_authentication' are both undefined", [vm.name]), + "searchLine": common_lib.build_search_line(path, ["linux_config"]), + } +} else = res { # "ssh_password_enabled" undefined with "linux_config.disable_password_authentication" set to false + not common_lib.valid_key(vm, "ssh_password_enabled") + common_lib.valid_key(vm, "linux_config") + vm.linux_config.disable_password_authentication == false + res := { + "searchKey": sprintf("azure_rm_virtualmachine.%s.linux_config.disable_password_authentication", [vm.name]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("'azure_rm_virtualmachine[%s]' should set 'ssh_password_enabled' to false and 'linux_config.disable_password_authentication' to true", [vm.name]), + "keyActualValue": sprintf("'azure_rm_virtualmachine[%s].ssh_password_enabled' is undefined and 'linux_config.disable_password_authentication' is set to false", [vm.name]), + "searchLine": common_lib.build_search_line(path, ["linux_config", "disable_password_authentication"]), + } +} else = res { # "ssh_password_enabled" set to true, "linux_config" undefined + 
vm.ssh_password_enabled == true + not common_lib.valid_key(vm, "linux_config") + res := { + "searchKey": sprintf("azure_rm_virtualmachine.%s.ssh_password_enabled", [vm.name]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("'azure_rm_virtualmachine[%s]' should set 'ssh_password_enabled' to false and 'linux_config.disable_password_authentication' to true", [vm.name]), + "keyActualValue": sprintf("'azure_rm_virtualmachine[%s].ssh_password_enabled' is set to true and 'linux_config' is undefined", [vm.name]), + "searchLine": common_lib.build_search_line(path, ["ssh_password_enabled"]), + } +} else = res { # "ssh_password_enabled" set to true with "linux_config" missing "disable_password_authentication" field + vm.ssh_password_enabled == true + common_lib.valid_key(vm, "linux_config") + not common_lib.valid_key(vm.linux_config, "disable_password_authentication") + res := { + "searchKey": sprintf("azure_rm_virtualmachine.%s.ssh_password_enabled", [vm.name]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("'azure_rm_virtualmachine[%s]' should set 'ssh_password_enabled' to false and 'linux_config.disable_password_authentication' to true", [vm.name]), + "keyActualValue": sprintf("'azure_rm_virtualmachine[%s].ssh_password_enabled' is true and 'linux_config.disable_password_authentication' is undefined", [vm.name]), + "searchLine": common_lib.build_search_line(path, ["ssh_password_enabled"]), + } +} else = res { # "ssh_password_enabled" set to true with "linux_config.disable_password_authentication" set to false + vm.ssh_password_enabled == true + common_lib.valid_key(vm, "linux_config") + vm.linux_config.disable_password_authentication == false + res := { + "searchKey": sprintf("azure_rm_virtualmachine.%s.ssh_password_enabled", [vm.name]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("'azure_rm_virtualmachine[%s]' should set 'ssh_password_enabled' to false and 'linux_config.disable_password_authentication' to true", 
[vm.name]), + "keyActualValue": sprintf("'azure_rm_virtualmachine[%s].ssh_password_enabled' is set to true and 'linux_config.disable_password_authentication' to false", [vm.name]), + "searchLine": common_lib.build_search_line(path, ["ssh_password_enabled"]), } } is_linux_vm(vm) { - lower(vm.os_type) == "linux" + lower(vm.os_type) == "linux" } else { - not vm.os_type -} + not common_lib.valid_key(vm, "os_type") +} \ No newline at end of file diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/negative.yaml b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/negative1.yaml similarity index 73% rename from assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/negative.yaml rename to assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/negative1.yaml index cc8d2e0a874..cc02009e26e 100644 --- a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/negative.yaml +++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/negative1.yaml @@ -1,12 +1,12 @@ --- -- name: Create a VM with a custom image +- name: ssh_password_enabled false, no linux_config azure_rm_virtualmachine: resource_group: myResourceGroup - name: testvm001 + name: negative1 vm_size: Standard_DS1_v2 ssh_password_enabled: false ssh_public_keys: - path: ~/.ssh/id_rsa.pub key_data: somegeneratedkeydata image: customimage001 - os_type: Linux + os_type: Linux \ No newline at end of file diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/negative2.yaml b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/negative2.yaml new file mode 100644 index 00000000000..388203bc8a0 --- /dev/null +++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/negative2.yaml 
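Review bot: `get_results` only matches `ssh_password_enabled == true` and `disable_password_authentication == false` as literal booleans, so a playbook that writes these Ansible `bool` options in string form (`ssh_password_enabled: "true"` or `yes`, which the YAML parser may well keep as a string) satisfies none of the six branches and the rule goes silent, whereas the removed `not vm.ssh_password_enabled == false` still fired on such values. A closing `else` branch that reports any defined `ssh_password_enabled` other than `false` (with a matching positive fixture) would close that gap, and the same applies to `disable_password_authentication`. The branch ordering also encodes a precedence decision worth stating above the function, e.g. `# ssh_password_enabled: false alone is treated as disabling password auth, whatever linux_config says (see negative2_2)`. The two `CxPolicy` rules and `is_linux_vm` are complete within the hunk.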
@@ -0,0 +1,43 @@ +--- +- hosts: localhost + tasks: + - name: ssh_password_enabled false and disable_password_authentication true + azure_rm_virtualmachine: + resource_group: myResourceGroup + name: negative2_1 + vm_size: Standard_DS1_v2 + admin_username: adminUser + os_type: Linux + ssh_password_enabled: false + linux_config: + disable_password_authentication: true + + - name: both ssh_password_enabled false and disable_password_authentication false - ssh_password_enabled will still prevent basic authentication + azure_rm_virtualmachine: + resource_group: myResourceGroup + name: negative2_2 + vm_size: Standard_DS1_v2 + admin_username: adminUser + os_type: Linux + ssh_password_enabled: false + linux_config: + disable_password_authentication: false + + - name: no ssh_password_enabled, linux_config.disable_password_authentication explicitly true + azure_rm_virtualmachine: + resource_group: myResourceGroup + name: negative2_3 + vm_size: Standard_DS1_v2 + admin_username: adminUser + os_type: Linux + linux_config: + disable_password_authentication: true + + - name: Windows VM is not checked + azure_rm_virtualmachine: + resource_group: myResourceGroup + name: negative2_4 + vm_size: Standard_DS1_v2 + admin_username: adminUser + admin_password: Password123! + os_type: Windows \ No newline at end of file diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive.yaml b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive1.yaml similarity index 64% rename from assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive.yaml rename to assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive1.yaml index 1ed67e16cb0..db10993bd39 100644 --- a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive.yaml +++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive1.yaml 
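Review bot: The `negative2_2` case asserts that `ssh_password_enabled: false` keeps the VM safe even when `linux_config.disable_password_authentication: false` is set explicitly, which depends on which of the two options the `azure_rm_virtualmachine` module applies last; if `linux_config` takes precedence, this fixture pins a false negative into the query. The task name states the assumption ("ssh_password_enabled will still prevent basic authentication") but nothing in the change shows where it was verified, so it should be confirmed against the module source or documentation before the fixture is merged. A short comment above the task recording that check, e.g. `# module precedence verified: ssh_password_enabled overrides linux_config (azure.azcollection version checked)`, would keep the next maintainer from having to repeat it.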
@@ -1,10 +1,10 @@ --- -- name: Create a VM with a custom image +- name: neither ssh_password_enabled nor linux_config defined azure_rm_virtualmachine: resource_group: myResourceGroup - name: testvm001 + name: positive1 vm_size: Standard_DS1_v2 admin_username: adminUser admin_password: password01 image: customimage001 - os_type: Linux + os_type: Linux \ No newline at end of file diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive2.yaml b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive2.yaml new file mode 100644 index 00000000000..052733e884e --- /dev/null +++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive2.yaml 
@@ -0,0 +1,56 @@ +--- # support for multiple azure_rm_virtualmachines (tasks set) +- hosts: localhost + tasks: + - name: no ssh_password_enabled, linux_config defined but disable_password_authentication undefined + azure_rm_virtualmachine: + resource_group: myResourceGroup + name: positive2_1 + vm_size: Standard_DS1_v2 + admin_username: adminUser + admin_password: Password123! + os_type: Linux + linux_config: {} + + - name: no ssh_password_enabled, disable_password_authentication set to false + azure_rm_virtualmachine: + resource_group: myResourceGroup + name: positive2_2 + vm_size: Standard_DS1_v2 + admin_username: adminUser + admin_password: Password123! + os_type: Linux + linux_config: + disable_password_authentication: false + + - name: ssh_password_enabled true, no linux_config + azure_rm_virtualmachine: + resource_group: myResourceGroup + name: positive2_3 + vm_size: Standard_DS1_v2 + admin_username: adminUser + admin_password: Password123! + os_type: Linux + ssh_password_enabled: true + + - name: ssh_password_enabled true, linux_config defined but disable_password_authentication undefined + azure_rm_virtualmachine: + resource_group: myResourceGroup + name: positive2_4 + vm_size: Standard_DS1_v2 + admin_username: adminUser + admin_password: Password123! + os_type: Linux + ssh_password_enabled: true + linux_config: {} + + - name: ssh_password_enabled set to true and disable_password_authentication set to false + azure_rm_virtualmachine: + resource_group: myResourceGroup + name: positive2_5 + vm_size: Standard_DS1_v2 + admin_username: adminUser + admin_password: Password123! + os_type: Linux + ssh_password_enabled: true + linux_config: + disable_password_authentication: false \ No newline at end of file 
diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json index 7f2e13b5a90..fde36c31c87 100644 --- a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json @@ -2,7 +2,37 @@ { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 1, - "fileName": "positive.yaml" + "line": 3, + "fileName": "positive1.yaml" + }, + { + "queryName": "Azure Instance Using Basic Authentication", + "severity": "MEDIUM", + "line": 12, + "fileName": "positive2.yaml" + }, + { + "queryName": "Azure Instance Using Basic Authentication", + "severity": "MEDIUM", + "line": 23, + "fileName": "positive2.yaml" + }, + { + "queryName": "Azure Instance Using Basic Authentication", + "severity": "MEDIUM", + "line": 33, + "fileName": "positive2.yaml" + }, + { + "queryName": "Azure Instance Using Basic Authentication", + "severity": "MEDIUM", + "line": 43, + "fileName": "positive2.yaml" + }, + { + "queryName": "Azure Instance Using Basic Authentication", + "severity": "MEDIUM", + "line": 54, + "fileName": "positive2.yaml" } ] \ No newline at end of file diff --git a/assets/queries/cicd/github/run_block_injection/query.rego b/assets/queries/cicd/github/run_block_injection/query.rego index ae9a223c10e..d51d9d2800e 100644 --- a/assets/queries/cicd/github/run_block_injection/query.rego +++ b/assets/queries/cicd/github/run_block_injection/query.rego 
@@ -22,7 +22,7 @@ CxPolicy[result] {
 
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("run={{%s}}", [run]),
+ "searchKey": sprintf("jobs.%s.steps.run", [j]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
 "keyActualValue": "Run block contains dangerous input controlled by user.",
@@ -45,7 +45,7 @@ CxPolicy[result] {
 
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("run={{%s}}", [run]),
+ "searchKey": sprintf("jobs.%s.steps.run", [j]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
 "keyActualValue": "Run block contains dangerous input controlled by user.",
@@ -69,7 +69,7 @@ CxPolicy[result] {
 
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("run={{%s}}", [run]),
+ "searchKey": sprintf("jobs.%s.steps.run", [j]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
 "keyActualValue": "Run block contains dangerous input controlled by user.",
@@ -92,7 +92,7 @@ CxPolicy[result] {
 
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("run={{%s}}", [run]),
+ "searchKey": sprintf("jobs.%s.steps.run", [j]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
 "keyActualValue": "Run block contains dangerous input controlled by user.",
@@ -116,7 +116,7 @@ CxPolicy[result] {
 
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("run={{%s}}", [run]),
+ "searchKey": sprintf("jobs.%s.steps.run", [j]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
 "keyActualValue": "Run block contains dangerous input controlled by user.",
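Review bot: The new `searchKey` `jobs.%s.steps.run` names only the job, so when one job has several `run:` steps every finding in that job carries the same key and the reported location presumably resolves to the first `run` under `steps` rather than the offending one; the step iteration and whatever variable indexes it sit above this hunk, outside the view. If the step index or its `name` is in scope there, include it in the key (for example a `steps.name={{%s}}.run` or indexed form) and add a `searchLine` so the reported line does not depend on key resolution at all. The identical edit is repeated in all seven hunks of this file, so a one-line helper that builds the key would keep them from drifting. The enclosing `CxPolicy` rules start before and end after each hunk.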
@@ -143,7 +143,7 @@ CxPolicy[result] {
 
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("run={{%s}}", [run]),
+ "searchKey": sprintf("jobs.%s.steps.run", [j]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
 "keyActualValue": "Run block contains dangerous input controlled by user.",
@@ -166,7 +166,7 @@ CxPolicy[result] {
 
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("run={{%s}}", [run]),
+ "searchKey": sprintf("jobs.%s.steps.run", [j]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
 "keyActualValue": "Run block contains dangerous input controlled by user.",
@@ -175,12 +175,9 @@ CxPolicy[result] { } } - - containsPatterns(str, patterns) = matched { matched := {pattern | pattern := patterns[_] regex.match(pattern, str) } } -
diff --git a/assets/queries/cicd/github/script_block_injection/query.rego b/assets/queries/cicd/github/script_block_injection/query.rego
index e93b11a0814..2a8efde6cb7 100644
--- a/assets/queries/cicd/github/script_block_injection/query.rego
+++ b/assets/queries/cicd/github/script_block_injection/query.rego
@@ -27,7 +27,7 @@ CxPolicy[result] {
 
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("script={{%s}}", [script]),
+ "searchKey": sprintf("jobs.%s.steps.script", [j]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Script block does not contain dangerous input controlled by user.",
 "keyActualValue": "Script block contains dangerous input controlled by user.",
@@ -55,7 +55,7 @@ CxPolicy[result] {
 
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("script={{%s}}", [script]),
+ "searchKey": sprintf("jobs.%s.steps.script", [j]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Script block does not contain dangerous input controlled by user.",
 "keyActualValue": "Script block contains dangerous input controlled by user.",
@@ -84,7 +84,7 @@ CxPolicy[result] {
 
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("script={{%s}}", [script]),
+ "searchKey": sprintf("jobs.%s.steps.script", [j]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Script block does not contain dangerous input controlled by user.",
 "keyActualValue": "Script block contains dangerous input controlled by user.",
@@ -112,7 +112,7 @@ CxPolicy[result] {
 
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("script={{%s}}", [script]),
+ "searchKey": sprintf("jobs.%s.steps.script", [j]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Script block does not contain dangerous input controlled by user.",
 "keyActualValue": "Script block contains dangerous input controlled by user.",
@@ -141,7 +141,7 @@ CxPolicy[result] {
 
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("script={{%s}}", [script]),
+ "searchKey": sprintf("jobs.%s.steps.script", [j]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Script block does not contain dangerous input controlled by user.",
 "keyActualValue": "Script block contains dangerous input controlled by user.",
@@ -173,7 +173,7 @@ CxPolicy[result] {
 
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("script={{%s}}", [script]),
+ "searchKey": sprintf("jobs.%s.steps.script", [j]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Script block does not contain dangerous input controlled by user.",
 "keyActualValue": "Script block contains dangerous input controlled by user.",
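Review bot: `jobs.%s.steps.script` does not follow the document path of a `script` block, which in the workflows this rule presumably targets sits under a step's `with:` map (the `actions/github-script` pattern), so the key is unlikely to resolve to the flagged line; `jobs.%s.steps.with.script`, with the step index or name if the iteration above the hunk exposes one, would match the real structure. As in the `run` rule, the key no longer distinguishes several steps within one job, and since the same edit is copied across seven hunks a shared key-building helper would keep them consistent. The enclosing `CxPolicy` rules start above and end below each hunk.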
@@ -201,7 +201,7 @@ CxPolicy[result] {
 
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("script={{%s}}", [script]),
+ "searchKey": sprintf("jobs.%s.steps.script", [j]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Script block does not contain dangerous input controlled by user.",
 "keyActualValue": "Script block contains dangerous input controlled by user.",
diff --git a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/query.rego b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/query.rego
index 07af1435bc6..c4be19ae28d 100644
--- a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/query.rego
+++ b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/query.rego
@@ -16,7 +16,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.kind,
 "resourceName": cp_lib.getResourceName(resource),
- "searchKey": sprintf("%s.metadata.name={{%s}}.spec.forProvider", [cp_lib.getPath(path), resource.metadata.name]),
+ "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider", [cp_lib.getPath(path), resource.metadata.name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "storageEncrypted should be defined and set to true",
 "keyActualValue": "storageEncrypted is not defined",
diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego
index 458553ce571..0fa4186a10e 100644
--- a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego
+++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego
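Review bot: Dropping the `.` between `%s` and `metadata.name` makes this `searchKey` depend on `cp_lib.getPath(path)` returning either an empty string or a prefix that already ends in a dot, and any sibling crossplane rule still using the old `%s.metadata.name` form will now disagree with this one in exactly one of those cases. A comment on the line would spare the next reader a trip into `cp_lib`, e.g. `# cp_lib.getPath yields "" or "<path>." so no separator is added here`, and a positive fixture with a resource that is not at the top level of the document would pin the concatenation. The `CxPolicy` body begins above the hunk.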
@@ -27,25 +27,25 @@ existsInternetGateway(dbSubnetGroupName) { [_, IGresource] := walk(IGdocs) startswith(IGresource.apiVersion, "network.aws.crossplane.io") IGresource.kind == "InternetGateway" - + IGforProvider := IGresource.spec.forProvider - + common_lib.valid_key(IGforProvider, "vpcId") vpcId == IGforProvider.vpcId -} +} CxPolicy[result] { docs := input.document[i] [path, resource] := walk(docs) startswith(resource.apiVersion, "database.aws.crossplane.io") resource.kind == "RDSInstance" - + forProvider := resource.spec.forProvider not common_lib.valid_key(forProvider, "publiclyAccessible") - + dbSubnetGroupName := forProvider.dbSubnetGroupName - + existsInternetGateway(dbSubnetGroupName) == true result := { @@ -64,7 +64,7 @@ CxPolicy[result] { [path, resource] := walk(docs) startswith(resource.apiVersion, "database.aws.crossplane.io") resource.kind == "RDSInstance" - + forProvider := resource.spec.forProvider forProvider.publiclyAccessible == true diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/negative1.yaml b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/negative1.yaml index 2cf4f3c8a51..0c66ac28368 100644 --- a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/negative1.yaml +++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/negative1.yaml @@ -2,7 +2,7 @@ apiVersion: database.aws.crossplane.io/v1beta1 kind: RDSInstance metadata: name: sample-cluster3 -spec: +spec: forProvider: publiclyAccessible: false diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive1.yaml b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive1.yaml index d08764de5da..cdec8f5e1c5 100644 --- a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive1.yaml +++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive1.yaml 
@@ -2,7 +2,7 @@ apiVersion: database.aws.crossplane.io/v1beta1 kind: RDSInstance metadata: name: sample-cluster3 -spec: +spec: forProvider: publiclyAccessible: true
diff --git a/assets/queries/grpc/enum_name_not_camel_case/query.rego b/assets/queries/grpc/enum_name_not_camel_case/query.rego
index 11d72d88a0d..b3fbb96f265 100644
--- a/assets/queries/grpc/enum_name_not_camel_case/query.rego
+++ b/assets/queries/grpc/enum_name_not_camel_case/query.rego
@@ -12,7 +12,7 @@ CxPolicy[result] {
 
 result := {
 "documentId": doc.id,
- "searchKey": sprintf("enum[%s]", [name]),
+ "searchKey": sprintf("enum.%s", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Enum Name should follow CamelCase (Initial Letter is Capital)",
 "keyActualValue": "Enum Name doesn't follow CamelCase",
diff --git a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego
index 8f5d43ca429..dc19d4dbf53 100644
--- a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego
+++ b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties.publiclyAccessible", [name]),
+ "searchKey": sprintf("resources.%s.properties.publiclyAccessible", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Attribute 'publiclyAccessible' is should be set to 'false'",
 "keyActualValue": "Attribute 'publiclyAccessible' is defined to 'true'",
@@ -32,7 +32,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Attribute 'publiclyAccessible' should be defined",
 "keyActualValue": "Attribute 'publiclyAccessible' is not defined",
diff --git a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/query.rego b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/query.rego
index 95fe06edad4..02ba36e83ea 100644
--- a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/query.rego
+++ b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Attribute 'accessLogSettings' should be defined",
 "keyActualValue": "Attribute 'accessLogSettings' is not defined",
diff --git a/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/query.rego b/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/query.rego
index cc07e37e6c2..d6da2e78f45 100644
--- a/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/query.rego
+++ b/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/query.rego
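Review bot: After this change the `api_gateway_access_logging_disabled` finding is located solely through the dotted `searchKey` `resources.%s.properties`, while the `docdb_logging_disabled` rule touched in this same diff also emits `"searchLine": common_lib.build_search_line(["resources", name, "properties"], [])`; adding that line here, and in the sibling pulumi rules converted to the dotted form, would make the reported line independent of key resolution and would still work for a logical resource name that happens to contain a dot, which the dotted key cannot express unambiguously. The `CxPolicy` body begins above the hunk.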
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Attribute 'clientCertificateId' should be defined",
 "keyActualValue": "Attribute 'clientCertificateId' is not defined",
diff --git a/assets/queries/pulumi/aws/docdb_logging_disabled/query.rego b/assets/queries/pulumi/aws/docdb_logging_disabled/query.rego
index 9096089b002..35074319224 100644
--- a/assets/queries/pulumi/aws/docdb_logging_disabled/query.rego
+++ b/assets/queries/pulumi/aws/docdb_logging_disabled/query.rego
@@ -16,7 +16,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": name,
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "searchLine": common_lib.build_search_line(["resources", name, "properties"],[]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should be defined",
@@ -40,7 +40,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": name,
- "searchKey": sprintf("resources[%s].properties.enabledCloudwatchLogsExports", [name]),
+ "searchKey": sprintf("resources.%s.properties.enabledCloudwatchLogsExports", [name]),
 "searchLine": common_lib.build_search_line(["resources", name, "properties", "enabledCloudwatchLogsExports"],[]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("aws:docdb:Cluster.enabledCloudwatchLogsExports should have all following values: %s", [validTypeConcat]),
diff --git a/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/query.rego b/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/query.rego
index e712aa443c9..93f9f089777 100644
--- a/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/query.rego
+++ b/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Attribute 'serverSideEncryption' should be defined",
 "keyActualValue": "Attribute 'serverSideEncryption' is not defined",
@@ -32,7 +32,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties.serverSideEncryption.enabled", [name]),
+ "searchKey": sprintf("resources.%s.properties.serverSideEncryption.enabled", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Attribute 'enabled' in 'serverSideEncryption' should be set to true",
 "keyActualValue": "Attribute 'enabled' in 'serverSideEncryption' is set to false",
diff --git a/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/query.rego b/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/query.rego
index 2526ac7fbb0..f54b6c4dcb6 100644
--- a/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/query.rego
+++ b/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Attribute 'pointInTimeRecovery' should be defined",
 "keyActualValue": "Attribute 'pointInTimeRecovery' is not defined",
@@ -32,7 +32,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties.pointInTimeRecovery.enabled", [name]), + "searchKey": sprintf("resources.%s.properties.pointInTimeRecovery.enabled", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "Attribute 'enabled' in 'pointInTimeRecovery' should be set to true", "keyActualValue": "Attribute 'enabled' in 'pointInTimeRecovery' is set to false", diff --git a/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/query.rego b/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/query.rego index cb90a4bcc3c..e33ce2e93bd 100644 --- a/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/query.rego +++ b/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/query.rego @@ -13,7 +13,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties", [name]), + "searchKey": sprintf("resources.%s.properties", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "Attribute 'monitoring' should be defined and set to true", "keyActualValue": "Attribute 'monitoring' is not defined", @@ -32,7 +32,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties.monitoring", [name]), + "searchKey": sprintf("resources.%s.properties.monitoring", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "Attribute 'monitoring' should be set to true", "keyActualValue": "Attribute 'monitoring' is set to false", diff --git a/assets/queries/pulumi/aws/ec2_not_ebs_optimized/query.rego b/assets/queries/pulumi/aws/ec2_not_ebs_optimized/query.rego index 2860ab7071d..a4eae6600bf 100644 
--- a/assets/queries/pulumi/aws/ec2_not_ebs_optimized/query.rego +++ b/assets/queries/pulumi/aws/ec2_not_ebs_optimized/query.rego @@ -16,7 +16,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": name, - "searchKey": sprintf("resources[%s].properties", [name]), + "searchKey": sprintf("resources.%s.properties", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "Attribute 'ebsOptimized' should be defined and set to true", "keyActualValue": "Attribute 'ebsOptimized' is not defined", @@ -36,7 +36,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties.ebsOptimized", [name]), + "searchKey": sprintf("resources.%s.properties.ebsOptimized", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "Attribute 'ebsOptimized' should be set to true", "keyActualValue": "Attribute 'ebsOptimized' is set to false", diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego index 89f03888651..d0c116b488b 100644 --- a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego +++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego @@ -13,7 +13,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties", [name]), + "searchKey": sprintf("resources.%s.properties", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "Attribute 'settings' should be defined and have a ClusterSetting named 'containerInsights' which value is 'enabled'", "keyActualValue": "Attribute 'settings' is not defined", 
@@ -31,7 +31,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties.settings", [name]), + "searchKey": sprintf("resources.%s.properties.settings", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "Attribute 'settings' should have a ClusterSetting named 'containerInsights' which value is 'enabled'", "keyActualValue": "Attribute 'settings' doesn't have a ClusterSetting named 'containerInsights' which value is 'enabled'", diff --git a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/query.rego b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/query.rego index ce97c6c8ce7..15e31c78123 100644 --- a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/query.rego +++ b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/query.rego @@ -16,7 +16,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties", [name]), + "searchKey": sprintf("resources.%s.properties", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "Attribute 'azMode' should be defined and set to 'cross-az' in multi nodes cluster", "keyActualValue": "Attribute 'azMode' is not defined", @@ -36,7 +36,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties.azMode", [name]), + "searchKey": sprintf("resources.%s.properties.azMode", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "Attribute 'azMode' should be set to 'cross-az' in multi nodes cluster", "keyActualValue": sprintf("Attribute 'azMode' is set to %s", [resource.properties.azMode]), 
diff --git a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/query.rego b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/query.rego index 26f53b94a32..58454b4b214 100644 --- a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/query.rego +++ b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/query.rego @@ -15,7 +15,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties", [name]), + "searchKey": sprintf("resources.%s.properties", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "Attribute 'snapshotRetentionLimit' should be defined and set to higher than 0", "keyActualValue": "Attribute 'snapshotRetentionLimit' is not defined", @@ -35,7 +35,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties.snapshotRetentionLimit", [name]), + "searchKey": sprintf("resources.%s.properties.snapshotRetentionLimit", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "Attribute 'snapshotRetentionLimit' should be set to higher than 0", "keyActualValue": "Attribute 'snapshotRetentionLimit' is set to 0", diff --git a/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/query.rego b/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/query.rego index f60652d3bb4..7b813f469e7 100644 --- a/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/query.rego +++ b/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/query.rego 
@@ -13,7 +13,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties.domainEndpointOptions.enforceHTTPS", [name]), + "searchKey": sprintf("resources.%s.properties.domainEndpointOptions.enforceHTTPS", [name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("resources[%s].properties.domainEndpointOptions.enforceHTTPS should be set to 'true'", [name]), "keyActualValue": sprintf("resources[%s].properties.domainEndpointOptions.enforceHTTPS is set to 'false'", [name]), diff --git a/assets/queries/pulumi/aws/iam_password_without_minimum_length/query.rego b/assets/queries/pulumi/aws/iam_password_without_minimum_length/query.rego index 65272e2e745..8463553fc68 100644 --- a/assets/queries/pulumi/aws/iam_password_without_minimum_length/query.rego +++ b/assets/queries/pulumi/aws/iam_password_without_minimum_length/query.rego @@ -14,7 +14,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties", [name]), + "searchKey": sprintf("resources.%s.properties", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "Attribute 'minimumPasswordLength' should be defined and set to 14 or higher", "keyActualValue": "Attribute 'minimumPasswordLength' is not defined", @@ -33,7 +33,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties.minimumPasswordLength", [name]), + "searchKey": sprintf("resources.%s.properties.minimumPasswordLength", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "Attribute 'minimumPasswordLength' should be set to 14 or higher", "keyActualValue": "Attribute 'minimumPasswordLength' is set to less than 14", 
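Review bot: The new `searchKey` uses the dot form `resources.%s.properties.domainEndpointOptions.enforceHTTPS` while `keyExpectedValue` and `keyActualValue` on the next two lines still render the same path in bracket form `resources[%s].properties...`, so a single finding now shows two notations for one location. If the intent of this commit is to normalise path rendering, the message strings should follow, e.g. `"keyExpectedValue": sprintf("resources.%s.properties.domainEndpointOptions.enforceHTTPS should be set to 'true'", [name])` and the matching `keyActualValue`. The same mixed notation is left in the api_gateway_deployment hunks, the IMDSv1 `kev`/`kav` strings and resource_not_using_tags, where the messages additionally keep the `{{%s}}` template braces around the resource name. The enclosing rule bodies start and end outside these hunks.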
diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/query.rego b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/query.rego index 4f3cd288559..e43dc584fe0 100644 --- a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/query.rego +++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/query.rego @@ -11,7 +11,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": name, - "searchKey": sprintf("resources[%s].properties.publiclyAccessible", [name]), + "searchKey": sprintf("resources.%s.properties.publiclyAccessible", [name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'resources.%s.properties.publiclyAccessible' should be set to 'false'", [name]), "keyActualValue": sprintf("'resources.%s.properties.publiclyAccessible' is set to 'true'", [name]), diff --git a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/query.rego b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/query.rego index 3331de0988d..d42a33d53a9 100644 --- a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/query.rego +++ b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/query.rego @@ -13,7 +13,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties.enableNonSslPort", [name]), + "searchKey": sprintf("resources.%s.properties.enableNonSslPort", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "Redis Cache should have attribute 'enableNonSslPort' set to false", "keyActualValue": "Redis Cache has attribute 'enableNonSslPort' set to true", diff --git a/assets/queries/pulumi/azure/storage_account_not_forcing_https/query.rego b/assets/queries/pulumi/azure/storage_account_not_forcing_https/query.rego index 4215b857ab4..9a8d1981802 100644 
--- a/assets/queries/pulumi/azure/storage_account_not_forcing_https/query.rego +++ b/assets/queries/pulumi/azure/storage_account_not_forcing_https/query.rego @@ -13,7 +13,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties.enableHttpsTrafficOnly", [name]), + "searchKey": sprintf("resources.%s.properties.enableHttpsTrafficOnly", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "Storage Account should have attribute 'enableHttpsTrafficOnly' set to true", "keyActualValue": "Storage Account has attribute 'enableHttpsTrafficOnly' set to false", diff --git a/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/query.rego b/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/query.rego index e7772f1c6a3..cb496b09faa 100644 --- a/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/query.rego +++ b/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/query.rego @@ -13,7 +13,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties", [name]), + "searchKey": sprintf("resources.%s.properties", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "Storage Bucket should have attribute 'logging' defined", "keyActualValue": "Storage Bucket attribute 'logging' is not defined", diff --git a/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/query.rego b/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/query.rego index a77a6d06da7..5d3b201eaf3 100644 --- a/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/query.rego +++ b/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/query.rego 
@@ -13,7 +13,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties", [name]), + "searchKey": sprintf("resources.%s.properties", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "SSLPolicy should have 'minTlsVersion' defined and set to 'TLS_1_2'", "keyActualValue": "SSLPolicy 'minTlsVersion' attribute is not defined", @@ -31,7 +31,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties.minTlsVersion", [name]), + "searchKey": sprintf("resources.%s.properties.minTlsVersion", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "SSLPolicy should have 'minTlsVersion' set to 'TLS_1_2'", "keyActualValue": sprintf("SSLPolicy 'minTlsVersion' attribute is set to %s", [resource.properties.minTlsVersion]), diff --git a/assets/queries/pulumi/kubernetes/missing_app_armor_config/query.rego b/assets/queries/pulumi/kubernetes/missing_app_armor_config/query.rego index 73657cecee7..88feb4f2a73 100644 --- a/assets/queries/pulumi/kubernetes/missing_app_armor_config/query.rego +++ b/assets/queries/pulumi/kubernetes/missing_app_armor_config/query.rego @@ -16,7 +16,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties.metadata.annotations", [name]), + "searchKey": sprintf("resources.%s.properties.metadata.annotations", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "Pod should have annotation 'container.apparmor.security.beta.kubernetes.io' defined", "keyActualValue": "Pod does not have annotation 'container.apparmor.security.beta.kubernetes.io' defined", 
@@ -41,7 +41,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties.metadata", [name]), + "searchKey": sprintf("resources.%s.properties.metadata", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "Pod should have annotation 'container.apparmor.security.beta.kubernetes.io' defined", "keyActualValue": "Pod does not have annotations defined in metadata", diff --git a/assets/queries/pulumi/kubernetes/psp_set_to_privileged/query.rego b/assets/queries/pulumi/kubernetes/psp_set_to_privileged/query.rego index ce707ababbd..6b390cc52b1 100644 --- a/assets/queries/pulumi/kubernetes/psp_set_to_privileged/query.rego +++ b/assets/queries/pulumi/kubernetes/psp_set_to_privileged/query.rego @@ -14,7 +14,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.type, "resourceName": plm_lib.getResourceName(resource, name), - "searchKey": sprintf("resources[%s].properties.spec.privileged", [name]), + "searchKey": sprintf("resources.%s.properties.spec.privileged", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "PSP should have 'privileged' set to false or not defined", "keyActualValue": "PSP has 'privileged' set to true", diff --git a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/query.rego b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/query.rego index a7aefe3f136..a575385551d 100644 --- a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/query.rego +++ b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/query.rego 
@@ -35,7 +35,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": sfw_lib.resourceTypeMapping("function", document.provider.name), "resourceName": fname, - "searchKey": sprintf("functions[%s].%s", [k,fname]), + "searchKey": sprintf("functions.%s.%s", [k,fname]), "issueType": "MissingAttribute", "keyExpectedValue": "'role' should be defined inside the function", "keyActualValue": "'role' is not defined", diff --git a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/query.rego b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/query.rego index 6a6d567c7cc..dff79a0e62d 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/query.rego +++ b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/query.rego @@ -58,7 +58,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": "alicloud_db_instance", "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("alicloud_db_instance[%s]]", [name]), + "searchKey": sprintf("alicloud_db_instance[%s]", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "'log_disconnections' parameter should be defined and value should be 'ON' in parametes array", "keyActualValue": "'log_disconnections' parameter is not defined in parametes array", diff --git a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/query.rego b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/query.rego index 760bc704a9c..735587c3ce1 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/query.rego +++ b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/query.rego 
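Review bot: The surviving context lines of the alicloud rds_instance_log_disconnections_disabled hunk spell `parametes` in both `keyExpectedValue` and `keyActualValue`, while the sibling rds_instance_log_duration_disabled hunk in this same commit spells it `parameters`; since the result object is already being touched here, `"keyExpectedValue": "'log_disconnections' parameter should be defined and value should be 'ON' in parameters array"` and the matching actual-value string would fix the user-facing text. The `searchKey` fix itself (dropping the stray `]`) looks correct. The enclosing `CxPolicy` rule starts and ends outside the hunk.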
@@ -58,7 +58,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": "alicloud_db_instance", "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("alicloud_db_instance[%s]]", [name]), + "searchKey": sprintf("alicloud_db_instance[%s]", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "'log_duration' parameter should be defined and value should be 'ON' in parameters array", "keyActualValue": "'log_duration' parameter is not defined in parameters array", diff --git a/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/query.rego b/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/query.rego index b54aaae9da8..30fe527349d 100644 --- a/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/query.rego +++ b/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/query.rego @@ -13,7 +13,7 @@ CxPolicy[result] { "documentId": document.id, "resourceType": "aws_api_gateway_deployment", "resourceName": tf_lib.get_resource_name(deployment, name), - "searchKey": sprintf("aws_api_gateway_deployment[%s]", [name]), + "searchKey": sprintf("aws_api_gateway_deployment.%s", [name]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("aws_api_gateway_deployment[%s] has a 'aws_api_gateway_stage' resource associated", [name]), "keyActualValue": sprintf("aws_api_gateway_deployment[%s] doesn't have a 'aws_api_gateway_stage' resource associated", [name]), 
@@ -32,7 +32,7 @@ CxPolicy[result] { "documentId": document.id, "resourceType": "aws_api_gateway_deployment", "resourceName": tf_lib.get_resource_name(deployment, name), - "searchKey": sprintf("aws_api_gateway_deployment[%s]", [name]), + "searchKey": sprintf("aws_api_gateway_deployment.%s", [name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("aws_api_gateway_deployment[%s] has a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set", [name]), "keyActualValue": sprintf("aws_api_gateway_deployment[%s] doesn't have a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set", [name]), @@ -53,7 +53,7 @@ CxPolicy[result] { "documentId": document.id, "resourceType": "aws_api_gateway_deployment", "resourceName": tf_lib.get_resource_name(deployment, name), - "searchKey": sprintf("aws_api_gateway_deployment[%s]", [name]), + "searchKey": sprintf("aws_api_gateway_deployment.%s.", [name]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("aws_api_gateway_deployment[%s].stage_description should be set", [name]), "keyActualValue": sprintf("aws_api_gateway_deployment[%s].stage_description is undefined", [name]), diff --git a/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/query.rego b/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/query.rego index 83d181e40de..7f4f3ca656e 100644 --- a/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/query.rego +++ b/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/query.rego 
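Review bot: The third hunk of api_gateway_deployment_without_access_log_setting produces a `searchKey` with a trailing dot, `sprintf("aws_api_gateway_deployment.%s.", [name])`, unlike the first two hunks of this file and the usage_plan query, which produce `aws_api_gateway_deployment.%s`; a key ending in `.` is unlikely to resolve to the resource node, so that finding would probably lose its line reference. This reads as a typo and should be `"searchKey": sprintf("aws_api_gateway_deployment.%s", [name])`; if the attribute was meant to be named, it would be `aws_api_gateway_deployment.%s.stage_description`, but for a MissingAttribute issue the parent key is what the other hunks use. The enclosing rule bodies start and end outside these hunks.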
@@ -13,7 +13,7 @@ CxPolicy[result] { "documentId": document.id, "resourceType": "aws_api_gateway_deployment", "resourceName": tf_lib.get_resource_name(deployment, name), - "searchKey": sprintf("aws_api_gateway_deployment[%s]", [name]), + "searchKey": sprintf("aws_api_gateway_deployment.%s", [name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("aws_api_gateway_deployment[%s] has a 'aws_api_gateway_usage_plan' resource associated. ", [name]), "keyActualValue": sprintf("aws_api_gateway_deployment[%s] doesn't have a 'aws_api_gateway_usage_plan' resource associated.", [name]), diff --git a/assets/queries/terraform/aws/ec2_not_ebs_optimized/query.rego b/assets/queries/terraform/aws/ec2_not_ebs_optimized/query.rego index e8269ddf7dd..fbb263f2da0 100644 --- a/assets/queries/terraform/aws/ec2_not_ebs_optimized/query.rego +++ b/assets/queries/terraform/aws/ec2_not_ebs_optimized/query.rego @@ -14,7 +14,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": "aws_instance", "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("aws_instance[{{%s}}].ebs_optimized", [name]), + "searchKey": sprintf("aws_instance.%s.ebs_optimized", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "'ebs_optimized' should be set to true", "keyActualValue": "'ebs_optimized' is set to false", @@ -40,7 +40,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": "n/a", "resourceName": "n/a", - "searchKey": sprintf("module[%s].ebs_optimized", [name]), + "searchKey": sprintf("module.%s.ebs_optimized", [name]), "issueType": "IncorrectValue", "keyExpectedValue": "'ebs_optimized' should be set to true", "keyActualValue": "'ebs_optimized' is set to false", 
@@ -64,7 +64,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": "aws_instance", "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("aws_instance[{{%s}}]", [name]), + "searchKey": sprintf("aws_instance.%s", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "'ebs_optimized' should be set to true", "keyActualValue": "'ebs_optimized' is undefined or null", @@ -87,7 +87,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": "n/a", "resourceName": "n/a", - "searchKey": sprintf("module[%s]", [name]), + "searchKey": sprintf("module.%s", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "'ebs_optimized' should be set to true", "keyActualValue": "'ebs_optimized' is undefined or null", diff --git a/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/query.rego b/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/query.rego index db52f092a62..c0aa8737574 100644 --- a/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/query.rego +++ b/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/query.rego @@ -59,7 +59,7 @@ http_tokens_undefined_or_not_required(resource, name, type, path) = res { res := { "kev": sprintf("'%s[%s].metadata_options' should be defined with 'http_tokens' field set to 'required'", [type, name]), "kav": sprintf("'%s[%s].metadata_options' is not defined", [type, name]), - "sk": sprintf("%s[%s]",[type, name]), + "sk": sprintf("%s.%s",[type, name]), "sl": common_lib.build_search_line(path, [name]), "it": "MissingAttribute", } 
@@ -70,7 +70,7 @@ http_tokens_undefined_or_not_required(resource, name, type, path) = res { res := { "kev": sprintf("'%s[%s].metadata_options.http_tokens' should be defined to 'required'", [type, name]), "kav": sprintf("'%s[%s].metadata_options.http_tokens' is not defined", [type, name]), - "sk": sprintf("%s[%s].metadata_options", [type, name]), + "sk": sprintf("%s.%s.metadata_options", [type, name]), "sl": common_lib.build_search_line(path, [name, "metadata_options"]), "it": "MissingAttribute", } @@ -81,7 +81,7 @@ http_tokens_undefined_or_not_required(resource, name, type, path) = res { res := { "kev": sprintf("'%s[%s].metadata_options.http_tokens' should be defined to 'required'", [type, name]), "kav": sprintf("'%s[%s].metadata_options.http_tokens' is not defined to 'required'", [type, name]), - "sk": sprintf("%s[%s].metadata_options.http_tokens", [type, name]), + "sk": sprintf("%s.%s.metadata_options.http_tokens", [type, name]), "sl": common_lib.build_search_line(path, [name, "metadata_options", "http_tokens"]), "it": "IncorrectValue", } diff --git a/assets/queries/terraform/aws/instance_with_no_vpc/query.rego b/assets/queries/terraform/aws/instance_with_no_vpc/query.rego index 31ce90dbe59..7d70b808de0 100644 --- a/assets/queries/terraform/aws/instance_with_no_vpc/query.rego +++ b/assets/queries/terraform/aws/instance_with_no_vpc/query.rego @@ -12,7 +12,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": "aws_instance", "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("aws_instance[%s]", [name]), + "searchKey": sprintf("aws_instance.%s", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "Attribute 'vpc_security_group_ids' should be defined and not null", "keyActualValue": "Attribute 'vpc_security_group_ids' is undefined or null", 
@@ -31,7 +31,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": "n/a", "resourceName": "n/a", - "searchKey": sprintf("module[%s]", [name]), + "searchKey": sprintf("module.%s", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "Attribute 'vpc_security_group_ids' should be defined and not null", "keyActualValue": "Attribute 'vpc_security_group_ids' is undefined or null", diff --git a/assets/queries/terraform/aws/resource_not_using_tags/query.rego b/assets/queries/terraform/aws/resource_not_using_tags/query.rego index 7d496c6bd2d..180453bba65 100644 --- a/assets/queries/terraform/aws/resource_not_using_tags/query.rego +++ b/assets/queries/terraform/aws/resource_not_using_tags/query.rego @@ -14,7 +14,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": res, "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s[{{%s}}]", [res, name]), + "searchKey": sprintf("%s.%s", [res, name]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("%s[{{%s}}].tags should be defined and not null", [res, name]), "keyActualValue": sprintf("%s[{{%s}}].tags is undefined or null", [res, name]), @@ -32,7 +32,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": res, "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s[{{%s}}].tags", [res, name]), + "searchKey": sprintf("%s.%s.tags", [res, name]), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("%s[{{%s}}].tags has additional tags defined other than 'Name'", [res, name]), "keyActualValue": sprintf("%s[{{%s}}].tags does not have additional tags defined other than 'Name'", [res, name]), diff --git a/assets/queries/terraform/azure/app_service_authentication_disabled/query.rego b/assets/queries/terraform/azure/app_service_authentication_disabled/query.rego index ceaf145ddf0..547cec098dd 100644 --- a/assets/queries/terraform/azure/app_service_authentication_disabled/query.rego 
+++ b/assets/queries/terraform/azure/app_service_authentication_disabled/query.rego @@ -54,7 +54,7 @@ prepare_issues(resource, type, name) = res { # auth_settings not defined for azu common_lib.valid_key(resource, "auth_settings") resource.auth_settings.enabled == false res := { - "sk": sprintf("'%s[%s].auth_settings.enabled'", [type, name]), + "sk": sprintf("%s[%s].auth_settings.enabled", [type, name]), "sl": common_lib.build_search_line(["resource", type, name, "auth_settings", "enabled"], []), "it": "IncorrectValue", "kev": sprintf("'%s[%s].auth_settings.enabled' should be defined to 'true'", [type, name]), diff --git a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/query.rego b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/query.rego index 56b51d4a353..a0d0ec6d46e 100644 --- a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/query.rego +++ b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/query.rego @@ -12,7 +12,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": types[t], "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s[%s].os_profile_linux_config.disable_password_authentication", [types[t], name]), + "searchKey": sprintf("%s.%s.os_profile_linux_config.disable_password_authentication", [types[t], name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'%s[%s].os_profile_linux_config.disable_password_authentication' should be set to 'true'", [types[t], name]), "keyActualValue": sprintf("'%s[%s].os_profile_linux_config.disable_password_authentication' is set to 'false'", [types[t], name]), 
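Review bot: The new `"sk"` value only drops the surrounding single quotes and keeps the bracket notation `%s[%s].auth_settings.enabled`, whereas the other terraform hunks in this commit (azure_instance_using_basic_authentication directly below, ec2_not_ebs_optimized, instance_with_no_vpc, resource_not_using_tags, IMDSv1) convert their search keys to the dot form `%s.%s...`. The bracket form is also kept in function_app_authentication_disabled, the alicloud rds hunks and the storage-account `prepare_issue` hunk, so after this commit terraform findings carry two path notations. Either those should be converted too, or a comment on this line such as `# TODO: confirm whether the search-key resolver expects '%s[%s]' or '%s.%s' here and align with the other terraform queries` should record the decision. `prepare_issues` starts and ends outside the hunk.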
@@ -29,7 +29,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": types[t],
 "resourceName": tf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("%s[%s].disable_password_authentication", [types[t], name]),
+ "searchKey": sprintf("%s.%s.disable_password_authentication", [types[t], name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'%s[%s].disable_password_authentication' should be set to 'true'", [types[t], name]),
 "keyActualValue": sprintf("'%s[%s].disable_password_authentication' is set to 'false'", [types[t], name]),
diff --git a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/query.rego b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/query.rego
index 9d95feed8d1..530ed9e4c26 100644
--- a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/query.rego
+++ b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/query.rego
@@ -6,7 +6,7 @@ import data.generic.common as common_lib
 CxPolicy[result] {
 resource := input.document[i].resource.azurerm_storage_account[var0]
 resource_name := tf_lib.get_resource_name(resource, var0)
- networkRules := get_network_rules(resource, var0)
+ networkRules := get_network_rules(resource, var0, i)
 res1 := publicNetworkAccessEnabled(resource)
 res2 := aclsDefaultActionAllow(networkRules.rules)
@@ -33,8 +33,8 @@ prepare_issue(res1, res2, resource_id, rules_type, rules_key) = issue { issue := { "kav": "azurerm_storage_account.public_network_access_enabled is not set (default is 'true')", "kev": "azurerm_storage_account.public_network_access_enabled should be set to 'false'", - "searchLine": common_lib.build_search_line(["resource", "azurerm_storage_account", resource_id, "public_network_access_enabled"], []), - "searchKey": sprintf("azurerm_storage_account[%s].public_network_access_enabled", [resource_id]), + "searchLine": common_lib.build_search_line(["resource", "azurerm_storage_account", resource_id], []), + "searchKey": sprintf("azurerm_storage_account[%s]", [resource_id]), "issueType": "MissingAttribute", "remediation": "public_network_access_enabled = false", "remediationType": "addition", @@ -85,8 +85,8 @@ prepare_issue(res1, res2, resource_id, rules_type, rules_key) = issue { } } -get_network_rules(storage_account, storage_account_name) = rules { - networkRules := input.document[i].resource.azurerm_storage_account_network_rules[var1] +get_network_rules(storage_account, storage_account_name, doc_index) = rules { + networkRules := input.document[doc_index].resource.azurerm_storage_account_network_rules[var1] networkRules.storage_account_id == sprintf("${azurerm_storage_account.%s.id}", [storage_account_name]) rules := { "rules": object.union(networkRules, {"name": var1}), @@ -107,11 +107,11 @@ get_network_rules(storage_account, storage_account_name) = rules { } } -publicNetworkAccessEnabled(sa) = reason { - not has_key(sa, "public_network_access_enabled") +publicNetworkAccessEnabled(resource) = reason { + not common_lib.valid_key(resource, "public_network_access_enabled") reason := "not defined" } else = reason { - sa.public_network_access_enabled == true + resource.public_network_access_enabled == true reason := "enabled" } 
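Review bot: Passing `doc_index` into `get_network_rules` removes the unbound `i` that let the helper pull `azurerm_storage_account_network_rules` from any document, but it also restricts the lookup to the same document as the storage account. If a document corresponds to one `.tf` file, a rules resource declared in a sibling file is no longer associated with its account, so the `default_action` check either runs without it or the rule body becomes undefined and the account is not reported at all — worth confirming the document model and adding a test with the rules resource in a separate file. The `storage_account` parameter is kept in the signature but is not referenced in the visible lines; if the rest of the body does not use it either, drop it. `get_network_rules` continues past the end of the hunk.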
@@ -122,7 +122,3 @@ aclsDefaultActionAllow(network_rules) = reason { lower(network_rules.default_action) == "allow" reason := "allow" } - -has_key(x, k) { - _ = x[k] -} diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego b/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego index a14944237e3..076f3419a2e 100644 --- a/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego +++ b/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego @@ -54,7 +54,7 @@ prepare_issues(resource, type, name) = res { # auth_settings not defined for azu common_lib.valid_key(resource, "auth_settings") resource.auth_settings.enabled == false res := { - "sk": sprintf("'%s[%s].auth_settings.enabled'", [type, name]), + "sk": sprintf("%s[%s].auth_settings.enabled", [type, name]), "sl": common_lib.build_search_line(["resource", type, name, "auth_settings", "enabled"], []), "it": "IncorrectValue", "kev": sprintf("'%s[%s].auth_settings.enabled' should be defined to 'true'", [type, name]), diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego index 2110525522e..0729db43ab7 100644 --- a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego +++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego @@ -8,7 +8,7 @@ types := {"azurerm_function_app", "azurerm_linux_function_app", "azurerm_windows CxPolicy[result] { # for legacy "azurerm_function_app" -- ftps_state defaults to "AllAllowed" function := input.document[i].resource.azurerm_function_app[name] - results := get_path(function,name) + results := get_path(function, name) result := { "documentId": input.document[i].id, 
@@ -24,10 +24,10 @@ CxPolicy[result] { # for legacy "azurerm_function_app" -- ftps_state defaults to } } -get_path(function,name) = results { +get_path(function, name) = results { not common_lib.valid_key(function, "site_config") results := { - "searchKey": sprintf("azurerm_function_app[%s]'", [name]), + "searchKey": sprintf("azurerm_function_app.%s'", [name]), "searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name], []), "remediation": null, "remediationType": null, diff --git a/assets/queries/terraform/azure/sql_database_without_data_encryption/test/negative.tf b/assets/queries/terraform/azure/sql_database_without_data_encryption/test/negative.tf index d1c7e5c1d16..c9321efbd1b 100644 --- a/assets/queries/terraform/azure/sql_database_without_data_encryption/test/negative.tf +++ b/assets/queries/terraform/azure/sql_database_without_data_encryption/test/negative.tf @@ -1,6 +1,6 @@ -resource "azurerm_mssql_database" "example" { - name = "example-db" - server_id = azurerm_mssql_server.example.id +resource "azurerm_mssql_database" "negative_1" { + name = "negative_1-db" + server_id = azurerm_mssql_server.negative_1.id collation = "SQL_Latin1_General_CP1_CI_AS" license_type = "LicenseIncluded" max_size_gb = 4 @@ -12,9 +12,9 @@ resource "azurerm_mssql_database" "example" { # missing "transparent_data_encryption_enabled" - defaults to true } -resource "azurerm_mssql_database" "example" { - name = "example-db" - server_id = azurerm_mssql_server.example.id +resource "azurerm_mssql_database" "negative_2" { + name = "negative_2-db" + server_id = azurerm_mssql_server.negative_2.id collation = "SQL_Latin1_General_CP1_CI_AS" license_type = "LicenseIncluded" max_size_gb = 4 diff --git a/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive.tf b/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive.tf index a007f1a4d14..c7aea5b0c5a 100644 
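Review bot: The rewritten `searchKey` in `get_path` keeps the stray trailing apostrophe from the old line, so `sprintf("azurerm_function_app.%s'", [name])` produces e.g. `azurerm_function_app.myapp'`, which matches neither the `searchLine` path built on the next line nor the `type.name` form the other Terraform queries in this commit adopt. Drop the quote: `"searchKey": sprintf("azurerm_function_app.%s", [name]),`. The fixture updates further down indicate the similarity ID tracks the search key, so fixing this in a later commit would churn IDs a second time. `get_path` continues outside the hunk.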
--- a/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive.tf
+++ b/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive.tf
@@ -1,6 +1,6 @@
-resource "azurerm_mssql_database" "example" {
- name = "example-db"
- server_id = azurerm_mssql_server.example.id
+resource "azurerm_mssql_database" "positive" {
+ name = "positive-db"
+ server_id = azurerm_mssql_server.positive.id
 collation = "SQL_Latin1_General_CP1_CI_AS"
 license_type = "LicenseIncluded"
 max_size_gb = 4
diff --git a/assets/queries/terraform/azure/vm_with_extension_operations_enabled/query.rego b/assets/queries/terraform/azure/vm_with_extension_operations_enabled/query.rego
index 169863b8f30..6a9ba54b6dc 100644
--- a/assets/queries/terraform/azure/vm_with_extension_operations_enabled/query.rego
+++ b/assets/queries/terraform/azure/vm_with_extension_operations_enabled/query.rego
@@ -26,7 +26,7 @@ get_results(resource, type, name) = results {
 contains(type, "scale_set")
 not common_lib.valid_key(resource, "extension_operations_enabled")
 results := [{
- "searchKey": sprintf("%s[%s]", [type, name]),
+ "searchKey": sprintf("%s.%s", [type, name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'%s[%s].extension_operations_enabled' should be defined and set to 'false'", [type, name]),
 "keyActualValue": sprintf("'%s[%s].extension_operations_enabled' is undefined or null", [type, name]),
@@ -36,7 +36,7 @@ get_results(resource, type, name) = results {
 contains(type, "scale_set")
 resource.extension_operations_enabled != false
 results := [{
- "searchKey": sprintf("%s[%s].extension_operations_enabled", [type, name]),
+ "searchKey": sprintf("%s.%s.extension_operations_enabled", [type, name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'%s[%s].extension_operations_enabled' should be defined and set to 'false'", [type, name]),
 "keyActualValue": sprintf("'%s[%s].extension_operations_enabled' is set to '%s'", [type, name, resource.extension_operations_enabled]),
@@ -46,7 +46,7 @@ get_results(resource, type, name) = results {
 not contains(type, "scale_set")
 not common_lib.valid_key(resource, "allow_extension_operations")
 results := [{
- "searchKey": sprintf("%s[%s]", [type, name]),
+ "searchKey": sprintf("%s.%s", [type, name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'%s[%s].allow_extension_operations' should be defined and set to 'false'", [type, name]),
 "keyActualValue": sprintf("'%s[%s].allow_extension_operations' is undefined or null", [type, name]),
@@ -55,7 +55,7 @@ get_results(resource, type, name) = results {
 } else = results {
 resource.allow_extension_operations != false
 results := [{
- "searchKey": sprintf("%s[%s].allow_extension_operations", [type, name]),
+ "searchKey": sprintf("%s.%s.allow_extension_operations", [type, name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'%s[%s].allow_extension_operations' should be defined and set to 'false'", [type, name]),
 "keyActualValue": sprintf("'%s[%s].allow_extension_operations' is set to '%s'", [type, name, resource.allow_extension_operations]),
diff --git a/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/query.rego b/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/query.rego
index a7018ea285d..a4cff851ea4 100644
--- a/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/query.rego
+++ b/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/query.rego
@@ -42,7 +42,7 @@ get_results(resource, type, name) = results {
 is_array(resource.admin_ssh_key)
 resource.admin_ssh_key == []
 results := [{
- "searchKey": sprintf("%s[%s].admin_ssh_key", [type, name]),
+ "searchKey": sprintf("resource.%s.%s.admin_ssh_key", [type, name]),
 "keyActualValue": sprintf("'%s[%s].admin_ssh_key' is undefined or null", [type, name]),
 "searchLine": common_lib.build_search_line(["resource", type, name, "admin_ssh_key"], [])
 }]
diff --git a/assets/queries/terraform/azure/vm_without_encryption_at_host/query.rego b/assets/queries/terraform/azure/vm_without_encryption_at_host/query.rego
index 13880e101e4..da7f7b41fdd 100644
--- a/assets/queries/terraform/azure/vm_without_encryption_at_host/query.rego
+++ b/assets/queries/terraform/azure/vm_without_encryption_at_host/query.rego
@@ -25,7 +25,7 @@ CxPolicy[result] {
 get_results(resource, type, name) = results {
 not common_lib.valid_key(resource, "encryption_at_host_enabled")
 results := {
- "searchKey": sprintf("%s[%s]", [type, name]),
+ "searchKey": sprintf("%s.%s", [type, name]),
 "issueType": "MissingAttribute",
 "keyActualValue": sprintf("'%s[%s].encryption_at_host_enabled' is undefined or null", [type, name]),
 "searchLine": common_lib.build_search_line(["resource", type, name], [])
@@ -33,7 +33,7 @@ get_results(resource, type, name) = results {
 } else = results {
 resource.encryption_at_host_enabled != true
 results := {
- "searchKey": sprintf("%s[%s].encryption_at_host_enabled", [type, name]),
+ "searchKey": sprintf("%s.%s.encryption_at_host_enabled", [type, name]),
 "issueType": "IncorrectValue",
 "keyActualValue": sprintf("'%s[%s].encryption_at_host_enabled' is set to '%s'", [type, name, resource.encryption_at_host_enabled]),
 "searchLine": common_lib.build_search_line(["resource", type, name, "encryption_at_host_enabled"], [])
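Review bot: `vm_without_admin_ssh_public_key_set` is the only query in this commit whose new `searchKey` carries a `resource.` prefix (`resource.%s.%s.admin_ssh_key`); the `vm_without_encryption_at_host` hunks on this same line and every other Terraform query touched here use bare `%s.%s...`. Unless the prefix is deliberate, use `"searchKey": sprintf("%s.%s.admin_ssh_key", [type, name]),` so result matching and similarity IDs stay uniform across queries. Note also that `keyActualValue` on the following line still uses `'%s[%s].admin_ssh_key'`, so key and message now disagree on notation. `get_results` begins and ends outside the hunk.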
diff --git a/assets/queries/terraform/azure/vm_without_managed_disk/query.rego b/assets/queries/terraform/azure/vm_without_managed_disk/query.rego
index 60363e33be2..c3e5eeaea20 100644
--- a/assets/queries/terraform/azure/vm_without_managed_disk/query.rego
+++ b/assets/queries/terraform/azure/vm_without_managed_disk/query.rego
@@ -26,7 +26,7 @@ get_results(resource, name, type) = results {
 type == "azurerm_virtual_machine"
 not common_lib.valid_key(resource, "storage_os_disk")
 results := {
- "searchKey": sprintf("azurerm_virtual_machine[%s]", [name]),
+ "searchKey": sprintf("azurerm_virtual_machine.%s", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'azurerm_virtual_machine[%s].storage_os_disk' should be defined and not null", [name]),
 "keyActualValue": sprintf("'azurerm_virtual_machine[%s].storage_os_disk' is undefined or null", [name]),
@@ -36,7 +36,7 @@ get_results(resource, name, type) = results {
 type == "azurerm_virtual_machine"
 common_lib.valid_key(resource.storage_os_disk, "vhd_uri")
 results := {
- "searchKey": sprintf("azurerm_virtual_machine[%s].storage_os_disk.vhd_uri", [name]),
+ "searchKey": sprintf("azurerm_virtual_machine.%s.storage_os_disk.vhd_uri", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'azurerm_virtual_machine[%s].storage_os_disk.vhd_uri' should not be set", [name]),
 "keyActualValue": sprintf("'azurerm_virtual_machine[%s].storage_os_disk.vhd_uri' is set", [name]),
@@ -47,7 +47,7 @@ get_results(resource, name, type) = results {
 not common_lib.valid_key(resource.storage_os_disk, "managed_disk_id")
 not common_lib.valid_key(resource.storage_os_disk, "managed_disk_type")
 results := {
- "searchKey": sprintf("azurerm_virtual_machine[%s].storage_os_disk", [name]),
+ "searchKey": sprintf("azurerm_virtual_machine.%s.storage_os_disk", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'azurerm_virtual_machine[%s].storage_os_disk' should define a 'managed_disk_id' or 'managed_disk_type'", [name]),
 "keyActualValue": sprintf("'azurerm_virtual_machine[%s].storage_os_disk' does not define or sets to null 'managed_disk_id' and 'managed_disk_type'", [name]),
@@ -57,7 +57,7 @@ get_results(resource, name, type) = results {
 type == ["azurerm_linux_virtual_machine", "azurerm_windows_virtual_machine"][_]
 not common_lib.valid_key(resource, "os_managed_disk_id")
 results := {
- "searchKey": sprintf("%s[%s]", [type, name]),
+ "searchKey": sprintf("%s.%s", [type, name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'%s[%s].os_managed_disk_id' should be defined and not null", [type, name]),
 "keyActualValue": sprintf("'%s[%s].os_managed_disk_id' is undefined or null", [type, name]),
@@ -67,7 +67,7 @@ get_results(resource, name, type) = results {
 type == "azurerm_virtual_machine_scale_set"
 common_lib.valid_key(resource.storage_profile_os_disk, "vhd_containers")
 results := {
- "searchKey": sprintf("%s[%s].storage_profile_os_disk.vhd_containers", [type, name]),
+ "searchKey": sprintf("%s.%s.storage_profile_os_disk.vhd_containers", [type, name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'%s[%s].storage_profile_os_disk.vhd_containers' should not be set", [type, name]),
 "keyActualValue": sprintf("'%s[%s].storage_profile_os_disk.vhd_containers' is set", [type, name]),
@@ -77,7 +77,7 @@ get_results(resource, name, type) = results {
 type == "azurerm_virtual_machine_scale_set"
 not common_lib.valid_key(resource.storage_profile_os_disk, "managed_disk_type")
 results := {
- "searchKey": sprintf("%s[%s].storage_profile_os_disk", [type, name]),
+ "searchKey": sprintf("%s.%s.storage_profile_os_disk", [type, name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'%s[%s].storage_profile_os_disk.managed_disk_type' should be defined and not null", [type, name]),
 "keyActualValue": sprintf("'%s[%s].storage_profile_os_disk.managed_disk_type' is undefined or null", [type, name]),
diff --git a/e2e/fixtures/E2E_CLI_033_RESULT.json b/e2e/fixtures/E2E_CLI_033_RESULT.json
index 54e004bf7d5..6a5d1f4d84e 100644
--- a/e2e/fixtures/E2E_CLI_033_RESULT.json
+++ b/e2e/fixtures/E2E_CLI_033_RESULT.json
@@ -173,12 +173,12 @@
 "files": [
 {
 "file_name": "/path/e2e/fixtures/samples/terraform-single.tf",
- "similarity_id": "406b71d9fd0edb656a4735df30dde77c5f8a6c4ec3caa3442f986a92832c653b",
+ "similarity_id": "77363db6350f38d12d51eae554b988852f3f7da1f7a05c030d51002492561cbd",
 "line": 1,
 "resource_type": "aws_redshift_cluster",
 "resource_name": "default1",
 "issue_type": "MissingAttribute",
- "search_key": "aws_redshift_cluster[{{default1}}]",
+ "search_key": "aws_redshift_cluster.default1",
 "search_line": -1,
 "search_value": "",
 "expected_value": "aws_redshift_cluster[{{default1}}].tags should be defined and not null",
diff --git a/e2e/fixtures/E2E_CLI_086_RESULT.json b/e2e/fixtures/E2E_CLI_086_RESULT.json
index 2cc097c63b1..dcadc2460d5 100644
--- a/e2e/fixtures/E2E_CLI_086_RESULT.json
+++ b/e2e/fixtures/E2E_CLI_086_RESULT.json
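Review bot: The E2E_CLI_033 fixture shows the operational cost of the key reformatting: the `similarity_id` of an otherwise identical finding changes from `406b71d9…` to `77363db6…`, which indicates the search key feeds the hash. Any `--exclude-results` list or accepted-risk baseline that users keyed on the old IDs stops matching after upgrade — the e2e test case later in this diff has to be updated for exactly that reason. Resurfacing findings is the safe direction, but this deserves an explicit release-note entry as a breaking change to result identity, and the queries still on bracket form should migrate in the same release so baselines break once rather than query by query. `expected_value` still reads `aws_redshift_cluster[{{default1}}].tags…` while `search_key` is now `aws_redshift_cluster.default1`.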
@@ -357,29 +357,29 @@
 "files": [
 {
 "file_name": "/path/e2e/fixtures/samples/terraform.tf",
- "similarity_id": "406b71d9fd0edb656a4735df30dde77c5f8a6c4ec3caa3442f986a92832c653b",
- "line": 10,
+ "similarity_id": "4167d43dbe790b65e4feb88157852beb3bf6d65c8c3ff68921bb99db2d574655",
+ "line": 1,
 "resource_type": "aws_redshift_cluster",
- "resource_name": "default1",
+ "resource_name": "default",
 "issue_type": "MissingAttribute",
- "search_key": "aws_redshift_cluster[{{default1}}]",
+ "search_key": "aws_redshift_cluster.default",
 "search_line": -1,
 "search_value": "",
- "expected_value": "aws_redshift_cluster[{{default1}}].tags should be defined and not null",
- "actual_value": "aws_redshift_cluster[{{default1}}].tags is undefined or null"
+ "expected_value": "aws_redshift_cluster[{{default}}].tags should be defined and not null",
+ "actual_value": "aws_redshift_cluster[{{default}}].tags is undefined or null"
 },
 {
 "file_name": "/path/e2e/fixtures/samples/terraform.tf",
- "similarity_id": "b44463ffd0f5c1eadc04ce6649982da68658349ad880daef470250661d3d1512",
- "line": 1,
+ "similarity_id": "77363db6350f38d12d51eae554b988852f3f7da1f7a05c030d51002492561cbd",
+ "line": 10,
 "resource_type": "aws_redshift_cluster",
- "resource_name": "default",
+ "resource_name": "default1",
 "issue_type": "MissingAttribute",
- "search_key": "aws_redshift_cluster[{{default}}]",
+ "search_key": "aws_redshift_cluster.default1",
 "search_line": -1,
 "search_value": "",
- "expected_value": "aws_redshift_cluster[{{default}}].tags should be defined and not null",
- "actual_value": "aws_redshift_cluster[{{default}}].tags is undefined or null"
+ "expected_value": "aws_redshift_cluster[{{default1}}].tags should be defined and not null",
+ "actual_value": "aws_redshift_cluster[{{default1}}].tags is undefined or null"
 }
 ]
 }
diff --git a/e2e/fixtures/E2E_CLI_087_RESULT.json b/e2e/fixtures/E2E_CLI_087_RESULT.json
index 8856e9f53c3..3b3e5f72299 100644
--- a/e2e/fixtures/E2E_CLI_087_RESULT.json
+++ b/e2e/fixtures/E2E_CLI_087_RESULT.json 
@@ -356,30 +356,30 @@
 "description_id": "09db2d52",
 "files": [
 {
- "file_name": "\\path\\e2e\\fixtures\\samples\\terraform.tf",
- "similarity_id": "406b71d9fd0edb656a4735df30dde77c5f8a6c4ec3caa3442f986a92832c653b",
- "line": 10,
+ "file_name": "/path/e2e/fixtures/samples/terraform.tf",
+ "similarity_id": "4167d43dbe790b65e4feb88157852beb3bf6d65c8c3ff68921bb99db2d574655",
+ "line": 1,
 "resource_type": "aws_redshift_cluster",
- "resource_name": "default1",
+ "resource_name": "default",
 "issue_type": "MissingAttribute",
- "search_key": "aws_redshift_cluster[{{default1}}]",
+ "search_key": "aws_redshift_cluster.default",
 "search_line": -1,
 "search_value": "",
- "expected_value": "aws_redshift_cluster[{{default1}}].tags should be defined and not null",
- "actual_value": "aws_redshift_cluster[{{default1}}].tags is undefined or null"
+ "expected_value": "aws_redshift_cluster[{{default}}].tags should be defined and not null",
+ "actual_value": "aws_redshift_cluster[{{default}}].tags is undefined or null"
 },
 {
- "file_name": "\\path\\e2e\\fixtures\\samples\\terraform.tf",
- "similarity_id": "b44463ffd0f5c1eadc04ce6649982da68658349ad880daef470250661d3d1512",
- "line": 1,
+ "file_name": "/path/e2e/fixtures/samples/terraform.tf",
+ "similarity_id": "77363db6350f38d12d51eae554b988852f3f7da1f7a05c030d51002492561cbd",
+ "line": 10,
 "resource_type": "aws_redshift_cluster",
- "resource_name": "default",
+ "resource_name": "default1",
 "issue_type": "MissingAttribute",
- "search_key": "aws_redshift_cluster[{{default}}]",
+ "search_key": "aws_redshift_cluster.default1",
 "search_line": -1,
 "search_value": "",
- "expected_value": "aws_redshift_cluster[{{default}}].tags should be defined and not null",
- "actual_value": "aws_redshift_cluster[{{default}}].tags is undefined or null"
+ "expected_value": "aws_redshift_cluster[{{default1}}].tags should be defined and not null",
+ "actual_value": "aws_redshift_cluster[{{default1}}].tags is undefined or null"
 }
 ]
 }
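Review bot: Besides the search_key/similarity_id refresh, this hunk rewrites both `file_name` values from the Windows form `\\path\\e2e\\fixtures\\samples\\terraform.tf` to `/path/e2e/fixtures/samples/terraform.tf`, which has nothing to do with the key format change. If E2E_CLI_087 was the fixture that exercises Windows path rendering in results, it now asserts POSIX paths and that coverage is lost, or the case starts failing on a Windows runner. Confirm the normalization is intended and say so in the commit message; otherwise keep the original separators and change only the key-related fields.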
diff --git a/e2e/fixtures/E2E_CLI_088_RESULT.json b/e2e/fixtures/E2E_CLI_088_RESULT.json
index 6afd542c7f2..c280bcb2f81 100644
--- a/e2e/fixtures/E2E_CLI_088_RESULT.json
+++ b/e2e/fixtures/E2E_CLI_088_RESULT.json
@@ -357,12 +357,12 @@
 "files": [
 {
 "file_name": "/path/e2e/fixtures/samples/terraform.tf",
- "similarity_id": "406b71d9fd0edb656a4735df30dde77c5f8a6c4ec3caa3442f986a92832c653b",
+ "similarity_id": "77363db6350f38d12d51eae554b988852f3f7da1f7a05c030d51002492561cbd",
 "line": 10,
 "resource_type": "aws_redshift_cluster",
 "resource_name": "default1",
 "issue_type": "MissingAttribute",
- "search_key": "aws_redshift_cluster[{{default1}}]",
+ "search_key": "aws_redshift_cluster.default1",
 "search_line": -1,
 "search_value": "",
 "expected_value": "aws_redshift_cluster[{{default1}}].tags should be defined and not null",
@@ -370,12 +370,12 @@
 },
 {
 "file_name": "/path/e2e/fixtures/samples/terraform.tf",
- "similarity_id": "b44463ffd0f5c1eadc04ce6649982da68658349ad880daef470250661d3d1512",
+ "similarity_id": "4167d43dbe790b65e4feb88157852beb3bf6d65c8c3ff68921bb99db2d574655",
 "line": 1,
 "resource_type": "aws_redshift_cluster",
 "resource_name": "default",
 "issue_type": "MissingAttribute",
- "search_key": "aws_redshift_cluster[{{default}}]",
+ "search_key": "aws_redshift_cluster.default",
 "search_line": -1,
 "search_value": "",
 "expected_value": "aws_redshift_cluster[{{default}}].tags should be defined and not null",
diff --git a/e2e/testcases/e2e-cli-037_scan_exclude-results_include-queries.go b/e2e/testcases/e2e-cli-037_scan_exclude-results_include-queries.go
index 6e4327af9dc..a9c4f502c97 100644
--- a/e2e/testcases/e2e-cli-037_scan_exclude-results_include-queries.go
+++ b/e2e/testcases/e2e-cli-037_scan_exclude-results_include-queries.go
@@ -9,7 +9,7 @@ func init() { //nolint
 Args: []cmdArgs{
 []string{"scan", "--include-queries", "e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10",
- "--exclude-results", "406b71d9fd0edb656a4735df30dde77c5f8a6c4ec3caa3442f986a92832c653b",
+ "--exclude-results", "77363db6350f38d12d51eae554b988852f3f7da1f7a05c030d51002492561cbd",
 "-p", "/path/e2e/fixtures/samples/terraform-single.tf"},
 []string{"scan", "--include-queries", "e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10",