
fix(query): resolve false positive on API Gateway access logging #7996

Open
cx-prathmesh-borle wants to merge 1 commit into Checkmarx:master from cx-prathmesh-borle:hotfix/7466-api-gateway-access-logging-fp

Conversation


cx-prathmesh-borle commented Mar 12, 2026

Closes #7466

Reason for Proposed Changes

  • The KICS query 80d45af4-4920-4236-a56e-b7ef419d1941 (API Gateway V2 Stage Access Logging Settings Not Defined) produces false positives on CloudFormation templates because 3 Rego rules access MethodSettings as a flat object (properties.MethodSettings.LoggingLevel) instead of iterating it as an array;
  • The AWS CloudFormation documentation defines MethodSettings as a List of MethodSetting, meaning it is always an array of objects (e.g., MethodSettings[0].LoggingLevel), not a single object;
  • This caused two problems:
    • False positives: Templates with correctly configured logging were flagged because the object-access pattern (MethodSettings.LoggingLevel) silently failed to match array elements;
    • Incorrect searchKey/searchLine: When results were generated, the searchKey paths did not include the array index (e.g., MethodSettings.LoggingLevel instead of MethodSettings[0].LoggingLevel), making it difficult to identify which method setting was affected;

Proposed Changes

  • Updated 3 Rego rules in query.rego to iterate over MethodSettings as an array using properties.MethodSettings[j] instead of accessing properties.MethodSettings directly:
    • Rule: LoggingLevel missing - checks not common_lib.valid_key(methodSetting, "LoggingLevel") per array element;
    • Rule: LoggingLevel empty - checks properties.MethodSettings[j].LoggingLevel == "" per array element;
    • Rule: LoggingLevel OFF - checks properties.MethodSettings[j].LoggingLevel == "OFF" per array element;
  • Updated searchKey, keyExpectedValue, keyActualValue, and searchLine in all 3 rules to include the array index [j] for precise result identification;
  • Updated 6 test files to use the correct array format per the CloudFormation spec:
    • positive6.json, positive10.json, positive12.json: Wrapped MethodSettings in array brackets;
    • positive14.yaml, positive16.yaml: Changed from MethodSettings.LoggingLevel to MethodSettings: - LoggingLevel (YAML list syntax);
    • negative3.json, negative4.yaml: Corrected to array format to ensure negative tests validate the updated logic;
  • Updated positive_expected_result.json to reflect corrected line numbers and removed stale entries from positive11.yaml that no longer apply;

I submit this contribution under the Apache-2.0 license.
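As an added illustration of the object-versus-array access pattern described in this PR (this is not code from the PR or from the KICS repository): the "LoggingLevel missing" rule in its old form and its corrected form, with a constructed template that the old form wrongly flags. The resource type `AWS::ApiGateway::Stage`, the `cf_lib.get_resource_name` helper and the exact wording of the result fields are assumptions; `common_lib.valid_key` and `common_lib.build_search_line` are the generic KICS helpers the description refers to.

```rego
package Cx

import data.generic.common as common_lib
import data.generic.cloudformation as cf_lib

# Constructed input (YAML) with logging correctly configured:
#   Resources:
#     ProdStage:
#       Type: AWS::ApiGateway::Stage
#       Properties:
#         MethodSettings:
#           - HttpMethod: "*"
#             ResourcePath: "/*"
#             LoggingLevel: INFO

# BEFORE (the pattern the PR removes): MethodSettings treated as one object.
# MethodSettings is a list, so the key lookup inside valid_key is undefined on
# the array, valid_key yields false, `not` turns that into true, and the
# correctly logged stage above is flagged: the false positive from the issue.
#
# CxPolicy[result] {
# 	resource := input.document[i].Resources[name]
# 	resource.Type == "AWS::ApiGateway::Stage"
# 	not common_lib.valid_key(resource.Properties.MethodSettings, "LoggingLevel")
# 	result := {"searchKey": sprintf("Resources.%s.Properties.MethodSettings", [name]), ...}
# }

# AFTER: iterate the list with index j and carry j into every reported path, so
# each element is checked on its own and the result names the element. For the
# template above valid_key is true for element 0, so no result is produced.
CxPolicy[result] {
	document := input.document
	resource := document[i].Resources[name]
	resource.Type == "AWS::ApiGateway::Stage" # resource type assumed for this example
	methodSetting := resource.Properties.MethodSettings[j]
	not common_lib.valid_key(methodSetting, "LoggingLevel")

	result := {
		"documentId": document[i].id,
		"resourceType": resource.Type,
		"resourceName": cf_lib.get_resource_name(resource, name), # helper assumed
		"searchKey": sprintf("Resources.%s.Properties.MethodSettings[%d]", [name, j]),
		"issueType": "MissingAttribute",
		"keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel should be defined", [name, j]),
		"keyActualValue": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel is undefined", [name, j]),
		"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MethodSettings", j], []),
	}
}
```

The same `[j]` iteration applies to the `== ""` and `== "OFF"` rules; a template whose element 0 has `LoggingLevel: INFO` and element 1 omits it yields exactly one result, at `MethodSettings[1]`.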

cx-prathmesh-borle requested a review from a team as a code owner March 12, 2026 19:08
github-actions bot added labels: community (Community contribution), query (New query feature), cloudformation (CloudFormation query), aws (PR related with AWS Cloud) Mar 12, 2026
cx-prathmesh-borle force-pushed the hotfix/7466-api-gateway-access-logging-fp branch from dbdd7e2 to c952c1d March 19, 2026 06:41
cx-prathmesh-borle force-pushed the hotfix/7466-api-gateway-access-logging-fp branch from c952c1d to 72af7d5 March 25, 2026 11:06

Development

Successfully merging this pull request may close these issues.

bug(cloudformation): false positive on API Gateway V2 Stage Access Logging Settings Not Defined