-
Notifications
You must be signed in to change notification settings - Fork 316
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #6775 from Checkmarx/feature/kicsbot-update-querie…
…s-docs docs(queries): update queries catalog
- Loading branch information
Showing
17 changed files
with
2,657 additions
and
2,562 deletions.
There are no files selected for viewing
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,16 @@ | ||
| ## Crossplane Queries List | ||
| This page contains all queries from Crossplane. | ||
|
|
||
| ### GCP | ||
| Bellow are listed queries related with Crossplane GCP: | ||
|
|
||
|
|
||
|
|
||
| | Query |Severity|Category|Description|Help| | ||
| |------------------------------|--------|--------|-----------|----| | ||
| |Cloud Storage Bucket Logging Not Enabled<br/><sup><sub>6c2d627c-de0f-45fb-b33d-dad9bffbb421</sub></sup>|<span style="color:#C00">High</span>|Observability|Cloud storage bucket should have logging enabled (<a href="../crossplane-queries/gcp/6c2d627c-de0f-45fb-b33d-dad9bffbb421" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-gcp/storage.gcp.crossplane.io/Bucket/[email protected]#spec-logging">Documentation</a><br/>| | ||
| |Google Container Node Pool Auto Repair Disabled<br/><sup><sub>b4f65d13-a609-4dc1-af7c-63d2e08bffe9</sub></sup>|<span style="color:#C60">Medium</span>|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (<a href="../crossplane-queries/gcp/b4f65d13-a609-4dc1-af7c-63d2e08bffe9" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-gcp/container.gcp.crossplane.io/NodePool/[email protected]#spec-forProvider-management-autoRepair">Documentation</a><br/>| | ||
|
|
||
| ### AZURE | ||
| Bellow are listed queries related with Crossplane AZURE: | ||
|
|
||
|
|
@@ -18,26 +28,16 @@ Bellow are listed queries related with Crossplane AWS: | |
|
|
||
| | Query |Severity|Category|Description|Help| | ||
| |------------------------------|--------|--------|-----------|----| | ||
| |EFS Without KMS<br/><sup><sub>bdecd6db-2600-47dd-a10c-72c97cf17ae9</sub></sup>|<span style="color:#C00">High</span>|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (<a href="../crossplane-queries/aws/bdecd6db-2600-47dd-a10c-72c97cf17ae9" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/efs.aws.crossplane.io/FileSystem/[email protected]#spec-forProvider-kmsKeyID">Documentation</a><br/>| | ||
| |DB Instance Storage Not Encrypted<br/><sup><sub>e50eb68a-a4af-4048-8bbe-8ec324421469</sub></sup>|<span style="color:#C00">High</span>|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (<a href="../crossplane-queries/aws/e50eb68a-a4af-4048-8bbe-8ec324421469" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/[email protected]#spec-forProvider-storageEncrypted">Documentation</a><br/>| | ||
| |ELB Using Weak Ciphers<br/><sup><sub>a507daa5-0795-4380-960b-dd7bb7c56661</sub></sup>|<span style="color:#C00">High</span>|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. (<a href="../crossplane-queries/aws/a507daa5-0795-4380-960b-dd7bb7c56661" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/elbv2.aws.crossplane.io/Listener/[email protected]#spec-forProvider-sslPolicy">Documentation</a><br/>| | ||
| |EFS Without KMS<br/><sup><sub>bdecd6db-2600-47dd-a10c-72c97cf17ae9</sub></sup>|<span style="color:#C00">High</span>|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (<a href="../crossplane-queries/aws/bdecd6db-2600-47dd-a10c-72c97cf17ae9" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/efs.aws.crossplane.io/FileSystem/[email protected]#spec-forProvider-kmsKeyID">Documentation</a><br/>| | ||
| |EFS Not Encrypted<br/><sup><sub>72840c35-3876-48be-900d-f21b2f0c2ea1</sub></sup>|<span style="color:#C00">High</span>|Encryption|Elastic File System (EFS) must be encrypted (<a href="../crossplane-queries/aws/72840c35-3876-48be-900d-f21b2f0c2ea1" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/efs.aws.crossplane.io/FileSystem/[email protected]#spec-forProvider-encrypted">Documentation</a><br/>| | ||
| |RDS DB Instance Publicly Accessible<br/><sup><sub>d9dc6429-5140-498a-8f55-a10daac5f000</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (<a href="../crossplane-queries/aws/d9dc6429-5140-498a-8f55-a10daac5f000" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/[email protected]">Documentation</a><br/>| | ||
| |DB Security Group Has Public Interface<br/><sup><sub>dd667399-8d9d-4a8d-bbb4-e49ab53b2f52</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|The CIDR IP should not be a public interface (<a href="../crossplane-queries/aws/dd667399-8d9d-4a8d-bbb4-e49ab53b2f52" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/ec2.aws.crossplane.io/SecurityGroup/[email protected]#spec-forProvider-ingress-ipRanges-cidrIp">Documentation</a><br/>| | ||
| |DB Instance Storage Not Encrypted<br/><sup><sub>e50eb68a-a4af-4048-8bbe-8ec324421469</sub></sup>|<span style="color:#C00">High</span>|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (<a href="../crossplane-queries/aws/e50eb68a-a4af-4048-8bbe-8ec324421469" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/[email protected]#spec-forProvider-storageEncrypted">Documentation</a><br/>| | ||
| |CloudFront Without Minimum Protocol TLS 1.2<br/><sup><sub>255b0fcc-9f82-41fe-9229-01b163e3376b</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (<a href="../crossplane-queries/aws/255b0fcc-9f82-41fe-9229-01b163e3376b" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/[email protected]#spec-forProvider-distributionConfig-viewerCertificate-minimumProtocolVersion">Documentation</a><br/>| | ||
| |SQS With SSE Disabled<br/><sup><sub>9296f1cc-7a40-45de-bd41-f31745488a0e</sub></sup>|<span style="color:#C60">Medium</span>|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (<a href="../crossplane-queries/aws/9296f1cc-7a40-45de-bd41-f31745488a0e" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/sqs.aws.crossplane.io/Queue/[email protected]#spec-forProvider-kmsMasterKeyId">Documentation</a><br/>| | ||
| |DB Security Group Has Public Interface<br/><sup><sub>dd667399-8d9d-4a8d-bbb4-e49ab53b2f52</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|The CIDR IP should not be a public interface (<a href="../crossplane-queries/aws/dd667399-8d9d-4a8d-bbb4-e49ab53b2f52" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/ec2.aws.crossplane.io/SecurityGroup/[email protected]#spec-forProvider-ingress-ipRanges-cidrIp">Documentation</a><br/>| | ||
| |RDS DB Instance Publicly Accessible<br/><sup><sub>d9dc6429-5140-498a-8f55-a10daac5f000</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (<a href="../crossplane-queries/aws/d9dc6429-5140-498a-8f55-a10daac5f000" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/[email protected]">Documentation</a><br/>| | ||
| |Neptune Database Cluster Encryption Disabled<br/><sup><sub>83bf5aca-138a-498e-b9cd-ad5bc5e117b4</sub></sup>|<span style="color:#C60">Medium</span>|Encryption|Neptune database cluster storage should have encryption enabled (<a href="../crossplane-queries/aws/83bf5aca-138a-498e-b9cd-ad5bc5e117b4" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/neptune.aws.crossplane.io/DBCluster/[email protected]#spec-forProvider-storageEncrypted">Documentation</a><br/>| | ||
| |CloudFront Logging Disabled<br/><sup><sub>7b590235-1ff4-421b-b9ff-5227134be9bb</sub></sup>|<span style="color:#C60">Medium</span>|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (<a href="../crossplane-queries/aws/7b590235-1ff4-421b-b9ff-5227134be9bb" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-logging">Documentation</a><br/>| | ||
| |SQS With SSE Disabled<br/><sup><sub>9296f1cc-7a40-45de-bd41-f31745488a0e</sub></sup>|<span style="color:#C60">Medium</span>|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (<a href="../crossplane-queries/aws/9296f1cc-7a40-45de-bd41-f31745488a0e" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/sqs.aws.crossplane.io/Queue/v1beta1@v0.29.0#spec-forProvider-kmsMasterKeyId">Documentation</a><br/>| | ||
| |CloudWatch Without Retention Period Specified<br/><sup><sub>934613fe-b12c-4e5a-95f5-c1dcdffac1ff</sub></sup>|<span style="color:#C60">Medium</span>|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (<a href="../crossplane-queries/aws/934613fe-b12c-4e5a-95f5-c1dcdffac1ff" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/cloudwatchlogs.aws.crossplane.io/LogGroup/[email protected]#spec-forProvider-retentionInDays">Documentation</a><br/>| | ||
| |CloudFront Logging Disabled<br/><sup><sub>7b590235-1ff4-421b-b9ff-5227134be9bb</sub></sup>|<span style="color:#C60">Medium</span>|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (<a href="../crossplane-queries/aws/7b590235-1ff4-421b-b9ff-5227134be9bb" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/[email protected]#spec-forProvider-distributionConfig-logging">Documentation</a><br/>| | ||
| |CloudFront Without WAF<br/><sup><sub>6d19ce0f-b3d8-4128-ac3d-1064e0f00494</sub></sup>|<span style="color:#CC0">Low</span>|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (<a href="../crossplane-queries/aws/6d19ce0f-b3d8-4128-ac3d-1064e0f00494" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/[email protected]#spec-forProvider-distributionConfig-webACLID">Documentation</a><br/>| | ||
| |DocDB Logging Is Disabled<br/><sup><sub>e6cd49ba-77ed-417f-9bca-4f5303554308</sub></sup>|<span style="color:#CC0">Low</span>|Observability|DocDB logging should be enabled (<a href="../crossplane-queries/aws/e6cd49ba-77ed-417f-9bca-4f5303554308" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/docdb.aws.crossplane.io/DBCluster/[email protected]#status-atProvider-enabledCloudwatchLogsExports">Documentation</a><br/>| | ||
|
|
||
| ### GCP | ||
| Bellow are listed queries related with Crossplane GCP: | ||
|
|
||
|
|
||
|
|
||
| | Query |Severity|Category|Description|Help| | ||
| |------------------------------|--------|--------|-----------|----| | ||
| |Cloud Storage Bucket Logging Not Enabled<br/><sup><sub>6c2d627c-de0f-45fb-b33d-dad9bffbb421</sub></sup>|<span style="color:#C00">High</span>|Observability|Cloud storage bucket should have logging enabled (<a href="../crossplane-queries/gcp/6c2d627c-de0f-45fb-b33d-dad9bffbb421" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-gcp/storage.gcp.crossplane.io/Bucket/[email protected]#spec-logging">Documentation</a><br/>| | ||
| |Google Container Node Pool Auto Repair Disabled<br/><sup><sub>b4f65d13-a609-4dc1-af7c-63d2e08bffe9</sub></sup>|<span style="color:#C60">Medium</span>|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (<a href="../crossplane-queries/gcp/b4f65d13-a609-4dc1-af7c-63d2e08bffe9" target="_blank">read more</a>)|<a href="https://doc.crds.dev/github.com/crossplane/provider-gcp/container.gcp.crossplane.io/NodePool/[email protected]#spec-forProvider-management-autoRepair">Documentation</a><br/>| | ||
Oops, something went wrong.