From 8af1efd80c341d7785841836bbac31be278754bf Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 24 Mar 2026 17:33:43 +0000 Subject: [PATCH 1/2] Fixs for a lot of cli warnings when scanning 'assets' folder --- .../query.rego | 101 ++++++++++++++++-- .../test/{negative.yaml => negative1.yaml} | 6 +- .../test/negative2.yaml | 43 ++++++++ .../test/{positive.yaml => positive1.yaml} | 6 +- .../test/positive2.yaml | 56 ++++++++++ .../test/positive_expected_result.json | 32 +++++- .../github/run_block_injection/query.rego | 17 ++- .../github/script_block_injection/query.rego | 14 +-- .../query.rego | 2 +- .../query.rego | 81 +++++++------- .../test/negative1.yaml | 2 +- .../test/positive1.yaml | 2 +- .../query.rego | 4 +- .../query.rego | 2 +- .../query.rego | 2 +- .../aws/docdb_logging_disabled/query.rego | 4 +- .../dynamodb_table_not_encrypted/query.rego | 4 +- .../query.rego | 4 +- .../query.rego | 4 +- .../aws/ec2_not_ebs_optimized/query.rego | 4 +- .../query.rego | 4 +- .../query.rego | 4 +- .../query.rego | 4 +- .../query.rego | 2 +- .../query.rego | 4 +- .../query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 4 +- .../missing_app_armor_config/query.rego | 4 +- .../psp_set_to_privileged/query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 6 +- .../test/negative.tf | 12 +-- .../test/positive.tf | 6 +- .../query.rego | 2 +- 41 files changed, 334 insertions(+), 128 deletions(-) rename assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/{negative.yaml => negative1.yaml} (73%) create mode 100644 assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/negative2.yaml rename assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/{positive.yaml => positive1.yaml} (64%) create mode 100644 assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive2.yaml 
diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/query.rego b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/query.rego
index 15a8888beaf..fa3a59a8d22 100644
--- a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/query.rego
+++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/query.rego
@@ -1,25 +1,108 @@ package Cx import future.keywords.if +import data.generic.common as common_lib CxPolicy[result] { vm := input.document[i].playbooks[k].azure_rm_virtualmachine - is_linux_vm(vm) - not vm.ssh_password_enabled == false - not vm.linux_config.disable_password_authentication == false + is_linux_vm(vm) + res := get_results(vm, ["playbooks", k, "azure_rm_virtualmachine"]) result := { "documentId": input.document[i].id, "resourceType": "azure_rm_virtualmachine", "resourceName": vm.name, - "searchKey": sprintf("azure_rm_virtualmachine[%s].ssh_public_keys", [vm.name]), + "searchKey": res.searchKey, + "issueType": res.issueType, + "keyExpectedValue": res.keyExpectedValue, + "keyActualValue": res.keyActualValue, + "searchLine": res.searchLine, + } +} + +CxPolicy[result] { + vm := input.document[i].playbooks[k].tasks[y].azure_rm_virtualmachine + is_linux_vm(vm) + res := get_results(vm, ["playbooks", k, "tasks", y, "azure_rm_virtualmachine"]) + result := { + "documentId": input.document[i].id, + "resourceType": "azure_rm_virtualmachine", + "resourceName": vm.name, + "searchKey": res.searchKey, + "issueType": res.issueType, + "keyExpectedValue": res.keyExpectedValue, + "keyActualValue": res.keyActualValue, + "searchLine": res.searchLine, + } +} + +get_results(vm, path) = res { # both "ssh_password_enabled" and "linux_config" undefined + not common_lib.valid_key(vm, "ssh_password_enabled") + not common_lib.valid_key(vm, "linux_config") + res := { + "searchKey": sprintf("azure_rm_virtualmachine.%s", [vm.name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'azure_rm_virtualmachine[%s]' should be using SSH keys for authentication", [vm.name]), - "keyActualValue": sprintf("'azure_rm_virtualmachine[%s]' is using username and password for authentication", [vm.name]), + "keyExpectedValue": sprintf("'azure_rm_virtualmachine[%s]' should set 'ssh_password_enabled' to false and 'linux_config.disable_password_authentication' to true", [vm.name]), + 
"keyActualValue": sprintf("'azure_rm_virtualmachine[%s].ssh_password_enabled' and 'linux_config' are both undefined", [vm.name]), + "searchLine": common_lib.build_search_line(path, []), + } +} else = res { # "ssh_password_enabled" undefined with "linux_config" missing "disable_password_authentication" field + not common_lib.valid_key(vm, "ssh_password_enabled") + common_lib.valid_key(vm, "linux_config") + not common_lib.valid_key(vm.linux_config, "disable_password_authentication") + res := { + "searchKey": sprintf("azure_rm_virtualmachine.%s.linux_config", [vm.name]), + "issueType": "MissingAttribute", + "keyExpectedValue": sprintf("'azure_rm_virtualmachine[%s]' should set 'ssh_password_enabled' to false and 'linux_config.disable_password_authentication' to true", [vm.name]), + "keyActualValue": sprintf("'azure_rm_virtualmachine[%s].ssh_password_enabled' and 'linux_config.disable_password_authentication' are both undefined", [vm.name]), + "searchLine": common_lib.build_search_line(path, ["linux_config"]), + } +} else = res { # "ssh_password_enabled" undefined with "linux_config.disable_password_authentication" set to false + not common_lib.valid_key(vm, "ssh_password_enabled") + common_lib.valid_key(vm, "linux_config") + vm.linux_config.disable_password_authentication == false + res := { + "searchKey": sprintf("azure_rm_virtualmachine.%s.linux_config.disable_password_authentication", [vm.name]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("'azure_rm_virtualmachine[%s]' should set 'ssh_password_enabled' to false and 'linux_config.disable_password_authentication' to true", [vm.name]), + "keyActualValue": sprintf("'azure_rm_virtualmachine[%s].ssh_password_enabled' is undefined and 'linux_config.disable_password_authentication' is set to false", [vm.name]), + "searchLine": common_lib.build_search_line(path, ["linux_config", "disable_password_authentication"]), + } +} else = res { # "ssh_password_enabled" set to true, "linux_config" undefined + 
vm.ssh_password_enabled == true + not common_lib.valid_key(vm, "linux_config") + res := { + "searchKey": sprintf("azure_rm_virtualmachine.%s.ssh_password_enabled", [vm.name]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("'azure_rm_virtualmachine[%s]' should set 'ssh_password_enabled' to false and 'linux_config.disable_password_authentication' to true", [vm.name]), + "keyActualValue": sprintf("'azure_rm_virtualmachine[%s].ssh_password_enabled' is set to true and 'linux_config' is undefined", [vm.name]), + "searchLine": common_lib.build_search_line(path, ["ssh_password_enabled"]), + } +} else = res { # "ssh_password_enabled" set to true with "linux_config" missing "disable_password_authentication" field + vm.ssh_password_enabled == true + common_lib.valid_key(vm, "linux_config") + not common_lib.valid_key(vm.linux_config, "disable_password_authentication") + res := { + "searchKey": sprintf("azure_rm_virtualmachine.%s.ssh_password_enabled", [vm.name]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("'azure_rm_virtualmachine[%s]' should set 'ssh_password_enabled' to false and 'linux_config.disable_password_authentication' to true", [vm.name]), + "keyActualValue": sprintf("'azure_rm_virtualmachine[%s].ssh_password_enabled' is true and 'linux_config.disable_password_authentication' is undefined", [vm.name]), + "searchLine": common_lib.build_search_line(path, ["ssh_password_enabled"]), + } +} else = res { # "ssh_password_enabled" set to true with "linux_config.disable_password_authentication" set to false + vm.ssh_password_enabled == true + common_lib.valid_key(vm, "linux_config") + vm.linux_config.disable_password_authentication == false + res := { + "searchKey": sprintf("azure_rm_virtualmachine.%s.ssh_password_enabled", [vm.name]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("'azure_rm_virtualmachine[%s]' should set 'ssh_password_enabled' to false and 'linux_config.disable_password_authentication' to true", 
[vm.name]), + "keyActualValue": sprintf("'azure_rm_virtualmachine[%s].ssh_password_enabled' is set to true and 'linux_config.disable_password_authentication' to false", [vm.name]), + "searchLine": common_lib.build_search_line(path, ["ssh_password_enabled"]), } } is_linux_vm(vm) { - lower(vm.os_type) == "linux" + lower(vm.os_type) == "linux" } else { - not vm.os_type -} + not common_lib.valid_key(vm, "os_type") +} \ No newline at end of file diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/negative.yaml b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/negative1.yaml similarity index 73% rename from assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/negative.yaml rename to assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/negative1.yaml index cc8d2e0a874..cc02009e26e 100644 --- a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/negative.yaml +++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/negative1.yaml @@ -1,12 +1,12 @@ --- -- name: Create a VM with a custom image +- name: ssh_password_enabled false, no linux_config azure_rm_virtualmachine: resource_group: myResourceGroup - name: testvm001 + name: negative1 vm_size: Standard_DS1_v2 ssh_password_enabled: false ssh_public_keys: - path: ~/.ssh/id_rsa.pub key_data: somegeneratedkeydata image: customimage001 - os_type: Linux + os_type: Linux \ No newline at end of file diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/negative2.yaml b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/negative2.yaml new file mode 100644 index 00000000000..388203bc8a0 --- /dev/null +++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/negative2.yaml 
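Review bot: The two conflict cases in `get_results` are resolved in opposite directions: `ssh_password_enabled: false` with `disable_password_authentication: false` is not flagged (negative2_2 states that the first setting wins), while `ssh_password_enabled: true` with `disable_password_authentication: true` falls through every `else` branch and is also not flagged, as if the second setting wins. Unless the module requires both to be true before password login is allowed, one of these is a false negative; confirm which attribute the module honours and either add a branch for the true/true case or drop negative2_2. Both `CxPolicy` rules also look up only the literal key `azure_rm_virtualmachine` under `playbooks[k]` and `playbooks[k].tasks[y]`, so a playbook using the FQCN `azure.azcollection.azure_rm_virtualmachine`, or tasks nested under `block`, `pre_tasks`, `post_tasks` or `handlers`, is silently skipped unless the parser normalizes those forms — until that is handled, say so next to the rules: `# NOTE: only top-level tasks using the short module name are walked; FQCN and block-nested tasks are not covered`.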
@@ -0,0 +1,43 @@
+---
+- hosts: localhost
+ tasks:
+ - name: ssh_password_enabled false and disable_password_authentication true
+ azure_rm_virtualmachine:
+ resource_group: myResourceGroup
+ name: negative2_1
+ vm_size: Standard_DS1_v2
+ admin_username: adminUser
+ os_type: Linux
+ ssh_password_enabled: false
+ linux_config:
+ disable_password_authentication: true
+
+ - name: both ssh_password_enabled false and disable_password_authentication false - ssh_password_enabled will still prevent basic authentication
+ azure_rm_virtualmachine:
+ resource_group: myResourceGroup
+ name: negative2_2
+ vm_size: Standard_DS1_v2
+ admin_username: adminUser
+ os_type: Linux
+ ssh_password_enabled: false
+ linux_config:
+ disable_password_authentication: false
+
+ - name: no ssh_password_enabled, linux_config.disable_password_authentication explicitly true
+ azure_rm_virtualmachine:
+ resource_group: myResourceGroup
+ name: negative2_3
+ vm_size: Standard_DS1_v2
+ admin_username: adminUser
+ os_type: Linux
+ linux_config:
+ disable_password_authentication: true
+
+ - name: Windows VM is not checked
+ azure_rm_virtualmachine:
+ resource_group: myResourceGroup
+ name: negative2_4
+ vm_size: Standard_DS1_v2
+ admin_username: adminUser
+ admin_password: Password123!
+ os_type: Windows
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive.yaml b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive1.yaml
similarity index 64%
rename from assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive.yaml
rename to assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive1.yaml
index 1ed67e16cb0..db10993bd39 100644
--- a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive.yaml
+++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive1.yaml
@@ -1,10 +1,10 @@
 ---
-- name: Create a VM with a custom image
+- name: neither ssh_password_enabled nor linux_config defined
 azure_rm_virtualmachine:
 resource_group: myResourceGroup
- name: testvm001
+ name: positive1
 vm_size: Standard_DS1_v2
 admin_username: adminUser
 admin_password: password01
 image: customimage001
- os_type: Linux
+ os_type: Linux
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive2.yaml b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive2.yaml
new file mode 100644
index 00000000000..052733e884e
--- /dev/null
+++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive2.yaml
@@ -0,0 +1,56 @@
+--- # support for multiple azure_rm_virtualmachines (tasks set)
+- hosts: localhost
+ tasks:
+ - name: no ssh_password_enabled, linux_config defined but disable_password_authentication undefined
+ azure_rm_virtualmachine:
+ resource_group: myResourceGroup
+ name: positive2_1
+ vm_size: Standard_DS1_v2
+ admin_username: adminUser
+ admin_password: Password123!
+ os_type: Linux
+ linux_config: {}
+
+ - name: no ssh_password_enabled, disable_password_authentication set to false
+ azure_rm_virtualmachine:
+ resource_group: myResourceGroup
+ name: positive2_2
+ vm_size: Standard_DS1_v2
+ admin_username: adminUser
+ admin_password: Password123!
+ os_type: Linux
+ linux_config:
+ disable_password_authentication: false
+
+ - name: ssh_password_enabled true, no linux_config
+ azure_rm_virtualmachine:
+ resource_group: myResourceGroup
+ name: positive2_3
+ vm_size: Standard_DS1_v2
+ admin_username: adminUser
+ admin_password: Password123!
+ os_type: Linux
+ ssh_password_enabled: true
+
+ - name: ssh_password_enabled true, linux_config defined but disable_password_authentication undefined
+ azure_rm_virtualmachine:
+ resource_group: myResourceGroup
+ name: positive2_4
+ vm_size: Standard_DS1_v2
+ admin_username: adminUser
+ admin_password: Password123!
+ os_type: Linux
+ ssh_password_enabled: true
+ linux_config: {}
+
+ - name: ssh_password_enabled set to true and disable_password_authentication set to false
+ azure_rm_virtualmachine:
+ resource_group: myResourceGroup
+ name: positive2_5
+ vm_size: Standard_DS1_v2
+ admin_username: adminUser
+ admin_password: Password123!
+ os_type: Linux
+ ssh_password_enabled: true
+ linux_config:
+ disable_password_authentication: false
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json
index 7f2e13b5a90..5ec292f019e 100644
--- a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json
@@ -3,6 +3,36 @@
 "queryName": "Azure Instance Using Basic Authentication",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive.yaml"
+ "fileName": "positive1.yaml"
+ },
+ {
+ "queryName": "Azure Instance Using Basic Authentication",
+ "severity": "MEDIUM",
+ "line": 12,
+ "fileName": "positive2.yaml"
+ },
+ {
+ "queryName": "Azure Instance Using Basic Authentication",
+ "severity": "MEDIUM",
+ "line": 23,
+ "fileName": "positive2.yaml"
+ },
+ {
+ "queryName": "Azure Instance Using Basic Authentication",
+ "severity": "MEDIUM",
+ "line": 33,
+ "fileName": "positive2.yaml"
+ },
+ {
+ "queryName": "Azure Instance Using Basic Authentication",
+ "severity": "MEDIUM",
+ "line": 43,
+ "fileName": "positive2.yaml"
+ },
+ {
+ "queryName": "Azure Instance Using Basic Authentication",
+ "severity": "MEDIUM",
+ "line": 54,
+ "fileName": "positive2.yaml"
 }
 ]
\ No newline at end of file
diff --git a/assets/queries/cicd/github/run_block_injection/query.rego b/assets/queries/cicd/github/run_block_injection/query.rego
index ae9a223c10e..d51d9d2800e 100644
--- a/assets/queries/cicd/github/run_block_injection/query.rego
+++ b/assets/queries/cicd/github/run_block_injection/query.rego
@@ -22,7 +22,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": sprintf("run={{%s}}", [run]), + "searchKey": sprintf("jobs.%s.steps.run", [j]), "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", @@ -45,7 +45,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": sprintf("run={{%s}}", [run]), + "searchKey": sprintf("jobs.%s.steps.run", [j]), "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", @@ -69,7 +69,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": sprintf("run={{%s}}", [run]), + "searchKey": sprintf("jobs.%s.steps.run", [j]), "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", @@ -92,7 +92,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": sprintf("run={{%s}}", [run]), + "searchKey": sprintf("jobs.%s.steps.run", [j]), "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", @@ -116,7 +116,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": sprintf("run={{%s}}", [run]), + "searchKey": sprintf("jobs.%s.steps.run", [j]), "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", 
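Review bot: The new `searchKey` `jobs.%s.steps.run` drops the step position, so in a job with several `run:` steps every finding from these rules maps to the same key and the report cannot tell which step carried the user-controlled expression; the old `run={{%s}}` form at least embedded the offending text. If the rule body (outside this hunk) binds the step index, include it, e.g. `"searchKey": sprintf("jobs.%s.steps.%d.run", [j, s])`. The same seven-line `result` literal is now repeated in every rule with only the matched pattern differing; folding it into one helper would keep the key format from drifting again.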
@@ -143,7 +143,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": sprintf("run={{%s}}", [run]), + "searchKey": sprintf("jobs.%s.steps.run", [j]), "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", @@ -166,7 +166,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": sprintf("run={{%s}}", [run]), + "searchKey": sprintf("jobs.%s.steps.run", [j]), "issueType": "IncorrectValue", "keyExpectedValue": "Run block does not contain dangerous input controlled by user.", "keyActualValue": "Run block contains dangerous input controlled by user.", @@ -175,12 +175,9 @@ CxPolicy[result] { } } - - containsPatterns(str, patterns) = matched { matched := {pattern | pattern := patterns[_] regex.match(pattern, str) } } - diff --git a/assets/queries/cicd/github/script_block_injection/query.rego b/assets/queries/cicd/github/script_block_injection/query.rego index e93b11a0814..2a8efde6cb7 100644 --- a/assets/queries/cicd/github/script_block_injection/query.rego +++ b/assets/queries/cicd/github/script_block_injection/query.rego @@ -27,7 +27,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": sprintf("script={{%s}}", [script]), + "searchKey": sprintf("jobs.%s.steps.script", [j]), "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", 
@@ -55,7 +55,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": sprintf("script={{%s}}", [script]), + "searchKey": sprintf("jobs.%s.steps.script", [j]), "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", @@ -84,7 +84,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": sprintf("script={{%s}}", [script]), + "searchKey": sprintf("jobs.%s.steps.script", [j]), "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", @@ -112,7 +112,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": sprintf("script={{%s}}", [script]), + "searchKey": sprintf("jobs.%s.steps.script", [j]), "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", @@ -141,7 +141,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": sprintf("script={{%s}}", [script]), + "searchKey": sprintf("jobs.%s.steps.script", [j]), "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", @@ -173,7 +173,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": sprintf("script={{%s}}", [script]), + "searchKey": sprintf("jobs.%s.steps.script", [j]), "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", 
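Review bot: For `actions/github-script` the script text lives under the step's `with:` map, so `jobs.%s.steps.script` names a path that does not exist in the workflow YAML. If `script` is bound from `steps[_].with.script` in the rule body (outside this hunk), the key should be `sprintf("jobs.%s.steps.with.script", [j])`, ideally with the step index as well so several script steps in one job do not collapse onto one key. A key that neither locates the step nor shows the injected expression makes triage of an injection finding noticeably harder than the `script={{%s}}` form it replaces.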
@@ -201,7 +201,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": sprintf("script={{%s}}", [script]), + "searchKey": sprintf("jobs.%s.steps.script", [j]), "issueType": "IncorrectValue", "keyExpectedValue": "Script block does not contain dangerous input controlled by user.", "keyActualValue": "Script block contains dangerous input controlled by user.", diff --git a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/query.rego b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/query.rego index 07af1435bc6..c4be19ae28d 100644 --- a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/query.rego +++ b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/query.rego @@ -16,7 +16,7 @@ CxPolicy[result] { "documentId": input.document[i].id, "resourceType": resource.kind, "resourceName": cp_lib.getResourceName(resource), - "searchKey": sprintf("%s.metadata.name={{%s}}.spec.forProvider", [cp_lib.getPath(path), resource.metadata.name]), + "searchKey": sprintf("%smetadata.name={{%s}}.spec.forProvider", [cp_lib.getPath(path), resource.metadata.name]), "issueType": "MissingAttribute", "keyExpectedValue": "storageEncrypted should be defined and set to true", "keyActualValue": "storageEncrypted is not defined", diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego index 458553ce571..493317786fc 100644 --- a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego +++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/query.rego 
@@ -3,78 +3,75 @@ package Cx import data.generic.common as common_lib import data.generic.crossplane as cp_lib -getForProvider(apiVersion, kind, name, docs) = forProvider { - doc := docs[_] - [_, resource] := walk(doc) - startswith(resource.apiVersion, apiVersion) - resource.kind == kind - resource.metadata.name == name +getForProvider(apiVersion, kind, name, docs, file) = forProvider { + doc := docs[_] + [_, resource] := walk(doc) + startswith(resource.apiVersion, apiVersion) + resource.kind == kind + resource.metadata.name == name + resource.file == file forProvider := resource.spec.forProvider } -existsInternetGateway(dbSubnetGroupName) { - DBSGforProvider := getForProvider("database.aws.crossplane.io", "DBSubnetGroup", dbSubnetGroupName, input.document) +existsInternetGateway(dbSubnetGroupName, file) { + DBSGforProvider := getForProvider("database.aws.crossplane.io", "DBSubnetGroup", dbSubnetGroupName, input.document, file) subnetIds := DBSGforProvider.subnetIds - count(subnetIds) > 0 subnetId := subnetIds[s] - EC2SforProvider := getForProvider("ec2.aws.crossplane.io", "Subnet", subnetId, input.document) - + EC2SforProvider := getForProvider("ec2.aws.crossplane.io", "Subnet", subnetId, input.document, file) + common_lib.valid_key(EC2SforProvider, "vpcId") vpcId := EC2SforProvider.vpcId IGdocs := input.document[_] [_, IGresource] := walk(IGdocs) - startswith(IGresource.apiVersion, "network.aws.crossplane.io") + startswith(IGresource.apiVersion, "network.aws.crossplane.io") IGresource.kind == "InternetGateway" - + IGresource.file == file IGforProvider := IGresource.spec.forProvider - common_lib.valid_key(IGforProvider, "vpcId") - vpcId == IGforProvider.vpcId -} + vpcId == IGforProvider.vpcId +} CxPolicy[result] { docs := input.document[i] - [path, resource] := walk(docs) - startswith(resource.apiVersion, "database.aws.crossplane.io") + [path, resource] := walk(docs) + startswith(resource.apiVersion, "database.aws.crossplane.io") + resource.kind == "RDSInstance" - 
forProvider := resource.spec.forProvider - not common_lib.valid_key(forProvider, "publiclyAccessible") - + dbSubnetGroupName := forProvider.dbSubnetGroupName - - existsInternetGateway(dbSubnetGroupName) == true + existsInternetGateway(dbSubnetGroupName, resource.file) == true result := { - "documentId": input.document[i].id, - "resourceType": resource.kind, - "resourceName": cp_lib.getResourceName(resource), - "searchKey": sprintf("metadata.name={{%s}}.spec.forProvider.dbSubnetGroupName", [resource.metadata.name]), - "issueType": "MissingAttribute", - "keyActualValue": "dbSubnetGroupName' subnets are part of a VPC that has an Internet gateway attached to it", - "keyExpectedValue": "dbSubnetGroupName' subnets not being part of a VPC that has an Internet gateway attached to it", - } + "documentId": input.document[i].id, + "resourceType": resource.kind, + "resourceName": cp_lib.getResourceName(resource), + "searchKey": sprintf("metadata.name={{%s}}.spec.forProvider.dbSubnetGroupName", [resource.metadata.name]), + "issueType": "MissingAttribute", + "keyActualValue": "dbSubnetGroupName' subnets are part of a VPC that has an Internet gateway attached to it", + "keyExpectedValue": "dbSubnetGroupName' subnets not being part of a VPC that has an Internet gateway attached to it", + } } CxPolicy[result] { docs := input.document[i] - [path, resource] := walk(docs) - startswith(resource.apiVersion, "database.aws.crossplane.io") + [path, resource] := walk(docs) + startswith(resource.apiVersion, "database.aws.crossplane.io") resource.kind == "RDSInstance" - + forProvider := resource.spec.forProvider forProvider.publiclyAccessible == true result := { - "documentId": input.document[i].id, - "resourceType": resource.kind, - "resourceName": cp_lib.getResourceName(resource), - "searchKey": sprintf("metadata.name={{%s}}.spec.forProvider.publiclyAccessible", [resource.metadata.name]), - "issueType": "MissingAttribute", - "keyExpectedValue": "publiclyAccessible should be set to false", - 
"keyActualValue": "publiclyAccessible is set to true", - } + "documentId": input.document[i].id, + "resourceType": resource.kind, + "resourceName": cp_lib.getResourceName(resource), + "searchKey": sprintf("metadata.name={{%s}}.spec.forProvider.publiclyAccessible", [resource.metadata.name]), + "issueType": "IncorrectValue", + "keyExpectedValue": "publiclyAccessible should be set to false", + "keyActualValue": "publiclyAccessible is set to true", + } } \ No newline at end of file diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/negative1.yaml b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/negative1.yaml index 2cf4f3c8a51..0c66ac28368 100644 --- a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/negative1.yaml +++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/negative1.yaml @@ -2,7 +2,7 @@ apiVersion: database.aws.crossplane.io/v1beta1 kind: RDSInstance metadata: name: sample-cluster3 -spec: +spec: forProvider: publiclyAccessible: false diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive1.yaml b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive1.yaml index d08764de5da..cdec8f5e1c5 100644 --- a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive1.yaml +++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive1.yaml @@ -2,7 +2,7 @@ apiVersion: database.aws.crossplane.io/v1beta1 kind: RDSInstance metadata: name: sample-cluster3 -spec: +spec: forProvider: publiclyAccessible: true diff --git a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego index 8f5d43ca429..dc19d4dbf53 100644 --- a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego 
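Review bot: Scoping `getForProvider` and the InternetGateway lookup to `resource.file` turns any DBSubnetGroup, Subnet or InternetGateway declared in a different manifest into a non-match, so an RDSInstance whose subnet group lives in another file of the same repository is no longer reported; if the intent is only to avoid name collisions between unrelated samples, that trade-off deserves a comment on `existsInternetGateway`, e.g. `# resources are resolved within the same file only; cross-file references are not followed`. `resource.file` is read off the node returned by `walk`, which presumably carries `file` only at the document root; for a resource nested deeper in a document the comparison is undefined and the rule silently never fires, so comparing against the enclosing `input.document[i].file` looks safer. The `searchKey` in both rules also ignores the `path` bound by `walk`, unlike the sibling `db_instance_storage_not_encrypted` change in this patch that prefixes it with `cp_lib.getPath(path)`; using the same prefix here keeps the key valid for nested resources.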
+++ b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties.publiclyAccessible", [name]),
+ "searchKey": sprintf("resources.%s.properties.publiclyAccessible", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Attribute 'publiclyAccessible' is should be set to 'false'",
 "keyActualValue": "Attribute 'publiclyAccessible' is defined to 'true'",
@@ -32,7 +32,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Attribute 'publiclyAccessible' should be defined",
 "keyActualValue": "Attribute 'publiclyAccessible' is not defined",
diff --git a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/query.rego b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/query.rego
index 95fe06edad4..02ba36e83ea 100644
--- a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/query.rego
+++ b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Attribute 'accessLogSettings' should be defined",
 "keyActualValue": "Attribute 'accessLogSettings' is not defined",
diff --git a/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/query.rego b/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/query.rego
index cc07e37e6c2..d6da2e78f45 100644
--- a/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/query.rego
+++ b/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Attribute 'clientCertificateId' should be defined",
 "keyActualValue": "Attribute 'clientCertificateId' is not defined",
diff --git a/assets/queries/pulumi/aws/docdb_logging_disabled/query.rego b/assets/queries/pulumi/aws/docdb_logging_disabled/query.rego
index 9096089b002..35074319224 100644
--- a/assets/queries/pulumi/aws/docdb_logging_disabled/query.rego
+++ b/assets/queries/pulumi/aws/docdb_logging_disabled/query.rego
@@ -16,7 +16,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": name,
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "searchLine": common_lib.build_search_line(["resources", name, "properties"],[]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should be defined",
@@ -40,7 +40,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": name,
- "searchKey": sprintf("resources[%s].properties.enabledCloudwatchLogsExports", [name]),
+ "searchKey": sprintf("resources.%s.properties.enabledCloudwatchLogsExports", [name]),
 "searchLine": common_lib.build_search_line(["resources", name, "properties", "enabledCloudwatchLogsExports"],[]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("aws:docdb:Cluster.enabledCloudwatchLogsExports should have all following values: %s", [validTypeConcat]),
diff --git a/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/query.rego b/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/query.rego
index e712aa443c9..93f9f089777 100644
--- a/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/query.rego
+++ b/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Attribute 'serverSideEncryption' should be defined",
 "keyActualValue": "Attribute 'serverSideEncryption' is not defined",
@@ -32,7 +32,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties.serverSideEncryption.enabled", [name]),
+ "searchKey": sprintf("resources.%s.properties.serverSideEncryption.enabled", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Attribute 'enabled' in 'serverSideEncryption' should be set to true",
 "keyActualValue": "Attribute 'enabled' in 'serverSideEncryption' is set to false",
diff --git a/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/query.rego b/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/query.rego
index 2526ac7fbb0..f54b6c4dcb6 100644
--- a/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/query.rego
+++ b/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Attribute 'pointInTimeRecovery' should be defined",
 "keyActualValue": "Attribute 'pointInTimeRecovery' is not defined",
@@ -32,7 +32,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties.pointInTimeRecovery.enabled", [name]),
+ "searchKey": sprintf("resources.%s.properties.pointInTimeRecovery.enabled", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Attribute 'enabled' in 'pointInTimeRecovery' should be set to true",
 "keyActualValue": "Attribute 'enabled' in 'pointInTimeRecovery' is set to false",
diff --git a/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/query.rego b/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/query.rego
index cb90a4bcc3c..e33ce2e93bd 100644
--- a/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/query.rego
+++ b/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Attribute 'monitoring' should be defined and set to true",
 "keyActualValue": "Attribute 'monitoring' is not defined",
@@ -32,7 +32,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties.monitoring", [name]),
+ "searchKey": sprintf("resources.%s.properties.monitoring", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Attribute 'monitoring' should be set to true",
 "keyActualValue": "Attribute 'monitoring' is set to false",
diff --git a/assets/queries/pulumi/aws/ec2_not_ebs_optimized/query.rego b/assets/queries/pulumi/aws/ec2_not_ebs_optimized/query.rego
index 2860ab7071d..a4eae6600bf 100644
--- a/assets/queries/pulumi/aws/ec2_not_ebs_optimized/query.rego
+++ b/assets/queries/pulumi/aws/ec2_not_ebs_optimized/query.rego
@@ -16,7 +16,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": name,
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Attribute 'ebsOptimized' should be defined and set to true",
 "keyActualValue": "Attribute 'ebsOptimized' is not defined",
@@ -36,7 +36,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties.ebsOptimized", [name]),
+ "searchKey": sprintf("resources.%s.properties.ebsOptimized", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Attribute 'ebsOptimized' should be set to true",
 "keyActualValue": "Attribute 'ebsOptimized' is set to false",
diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego
index 89f03888651..d0c116b488b 100644
--- a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego
+++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Attribute 'settings' should be defined and have a ClusterSetting named 'containerInsights' which value is 'enabled'",
 "keyActualValue": "Attribute 'settings' is not defined",
@@ -31,7 +31,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties.settings", [name]),
+ "searchKey": sprintf("resources.%s.properties.settings", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Attribute 'settings' should have a ClusterSetting named 'containerInsights' which value is 'enabled'",
 "keyActualValue": "Attribute 'settings' doesn't have a ClusterSetting named 'containerInsights' which value is 'enabled'",
diff --git a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/query.rego b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/query.rego
index ce97c6c8ce7..15e31c78123 100644
--- a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/query.rego
+++ b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/query.rego
@@ -16,7 +16,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Attribute 'azMode' should be defined and set to 'cross-az' in multi nodes cluster",
 "keyActualValue": "Attribute 'azMode' is not defined",
@@ -36,7 +36,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties.azMode", [name]),
+ "searchKey": sprintf("resources.%s.properties.azMode", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Attribute 'azMode' should be set to 'cross-az' in multi nodes cluster",
 "keyActualValue": sprintf("Attribute 'azMode' is set to %s", [resource.properties.azMode]),
diff --git a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/query.rego b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/query.rego
index 26f53b94a32..58454b4b214 100644
--- a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/query.rego
+++ b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Attribute 'snapshotRetentionLimit' should be defined and set to higher than 0",
 "keyActualValue": "Attribute 'snapshotRetentionLimit' is not defined",
@@ -35,7 +35,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties.snapshotRetentionLimit", [name]),
+ "searchKey": sprintf("resources.%s.properties.snapshotRetentionLimit", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Attribute 'snapshotRetentionLimit' should be set to higher than 0",
 "keyActualValue": "Attribute 'snapshotRetentionLimit' is set to 0",
diff --git a/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/query.rego b/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/query.rego
index f60652d3bb4..7b813f469e7 100644
--- a/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/query.rego
+++ b/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties.domainEndpointOptions.enforceHTTPS", [name]),
+ "searchKey": sprintf("resources.%s.properties.domainEndpointOptions.enforceHTTPS", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("resources[%s].properties.domainEndpointOptions.enforceHTTPS should be set to 'true'", [name]),
 "keyActualValue": sprintf("resources[%s].properties.domainEndpointOptions.enforceHTTPS is set to 'false'", [name]),
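Review bot: In the elasticsearch_with_https_disabled hunk the `searchKey` now uses the dotted `resources.%s.properties...` path, but the two message lines kept right below it still print the bracketed `resources[%s].properties.domainEndpointOptions.enforceHTTPS` form, so the user sees one path in the finding text and another in the location. The rds_db_instance_publicly_accessible hunk in this same patch already uses the dotted form in both places; matching it here would be `"keyExpectedValue": sprintf("resources.%s.properties.domainEndpointOptions.enforceHTTPS should be set to 'true'", [name]),` and `"keyActualValue": sprintf("resources.%s.properties.domainEndpointOptions.enforceHTTPS is set to 'false'", [name]),`. The `CxPolicy` rule starts before and ends after the hunk.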
diff --git a/assets/queries/pulumi/aws/iam_password_without_minimum_length/query.rego b/assets/queries/pulumi/aws/iam_password_without_minimum_length/query.rego
index 65272e2e745..8463553fc68 100644
--- a/assets/queries/pulumi/aws/iam_password_without_minimum_length/query.rego
+++ b/assets/queries/pulumi/aws/iam_password_without_minimum_length/query.rego
@@ -14,7 +14,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Attribute 'minimumPasswordLength' should be defined and set to 14 or higher",
 "keyActualValue": "Attribute 'minimumPasswordLength' is not defined",
@@ -33,7 +33,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties.minimumPasswordLength", [name]),
+ "searchKey": sprintf("resources.%s.properties.minimumPasswordLength", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Attribute 'minimumPasswordLength' should be set to 14 or higher",
 "keyActualValue": "Attribute 'minimumPasswordLength' is set to less than 14",
diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/query.rego b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/query.rego
index 4f3cd288559..e43dc584fe0 100644
--- a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/query.rego
+++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/query.rego
@@ -11,7 +11,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": name,
- "searchKey": sprintf("resources[%s].properties.publiclyAccessible", [name]),
+ "searchKey": sprintf("resources.%s.properties.publiclyAccessible", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'resources.%s.properties.publiclyAccessible' should be set to 'false'", [name]),
 "keyActualValue": sprintf("'resources.%s.properties.publiclyAccessible' is set to 'true'", [name]),
diff --git a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/query.rego b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/query.rego
index 3331de0988d..d42a33d53a9 100644
--- a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/query.rego
+++ b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties.enableNonSslPort", [name]),
+ "searchKey": sprintf("resources.%s.properties.enableNonSslPort", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Redis Cache should have attribute 'enableNonSslPort' set to false",
 "keyActualValue": "Redis Cache has attribute 'enableNonSslPort' set to true",
diff --git a/assets/queries/pulumi/azure/storage_account_not_forcing_https/query.rego b/assets/queries/pulumi/azure/storage_account_not_forcing_https/query.rego
index 4215b857ab4..9a8d1981802 100644
--- a/assets/queries/pulumi/azure/storage_account_not_forcing_https/query.rego
+++ b/assets/queries/pulumi/azure/storage_account_not_forcing_https/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties.enableHttpsTrafficOnly", [name]),
+ "searchKey": sprintf("resources.%s.properties.enableHttpsTrafficOnly", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Storage Account should have attribute 'enableHttpsTrafficOnly' set to true",
 "keyActualValue": "Storage Account has attribute 'enableHttpsTrafficOnly' set to false",
diff --git a/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/query.rego b/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/query.rego
index e7772f1c6a3..cb496b09faa 100644
--- a/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/query.rego
+++ b/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Storage Bucket should have attribute 'logging' defined",
 "keyActualValue": "Storage Bucket attribute 'logging' is not defined",
diff --git a/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/query.rego b/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/query.rego
index a77a6d06da7..5d3b201eaf3 100644
--- a/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/query.rego
+++ b/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties", [name]),
+ "searchKey": sprintf("resources.%s.properties", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "SSLPolicy should have 'minTlsVersion' defined and set to 'TLS_1_2'",
 "keyActualValue": "SSLPolicy 'minTlsVersion' attribute is not defined",
@@ -31,7 +31,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties.minTlsVersion", [name]),
+ "searchKey": sprintf("resources.%s.properties.minTlsVersion", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "SSLPolicy should have 'minTlsVersion' set to 'TLS_1_2'",
 "keyActualValue": sprintf("SSLPolicy 'minTlsVersion' attribute is set to %s", [resource.properties.minTlsVersion]),
diff --git a/assets/queries/pulumi/kubernetes/missing_app_armor_config/query.rego b/assets/queries/pulumi/kubernetes/missing_app_armor_config/query.rego
index 73657cecee7..88feb4f2a73 100644
--- a/assets/queries/pulumi/kubernetes/missing_app_armor_config/query.rego
+++ b/assets/queries/pulumi/kubernetes/missing_app_armor_config/query.rego
@@ -16,7 +16,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties.metadata.annotations", [name]),
+ "searchKey": sprintf("resources.%s.properties.metadata.annotations", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Pod should have annotation 'container.apparmor.security.beta.kubernetes.io' defined",
 "keyActualValue": "Pod does not have annotation 'container.apparmor.security.beta.kubernetes.io' defined",
@@ -41,7 +41,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties.metadata", [name]),
+ "searchKey": sprintf("resources.%s.properties.metadata", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Pod should have annotation 'container.apparmor.security.beta.kubernetes.io' defined",
 "keyActualValue": "Pod does not have annotations defined in metadata",
diff --git a/assets/queries/pulumi/kubernetes/psp_set_to_privileged/query.rego b/assets/queries/pulumi/kubernetes/psp_set_to_privileged/query.rego
index ce707ababbd..6b390cc52b1 100644
--- a/assets/queries/pulumi/kubernetes/psp_set_to_privileged/query.rego
+++ b/assets/queries/pulumi/kubernetes/psp_set_to_privileged/query.rego
@@ -14,7 +14,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": resource.type,
 "resourceName": plm_lib.getResourceName(resource, name),
- "searchKey": sprintf("resources[%s].properties.spec.privileged", [name]),
+ "searchKey": sprintf("resources.%s.properties.spec.privileged", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "PSP should have 'privileged' set to false or not defined",
 "keyActualValue": "PSP has 'privileged' set to true",
diff --git a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/query.rego b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/query.rego
index a7aefe3f136..a575385551d 100644
--- a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/query.rego
+++ b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/query.rego
@@ -35,7 +35,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": sfw_lib.resourceTypeMapping("function", document.provider.name),
 "resourceName": fname,
- "searchKey": sprintf("functions[%s].%s", [k,fname]),
+ "searchKey": sprintf("functions.%s.%s", [k,fname]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'role' should be defined inside the function",
 "keyActualValue": "'role' is not defined",
diff --git a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/query.rego b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/query.rego
index 6a6d567c7cc..dff79a0e62d 100644
--- a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/query.rego
+++ b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/query.rego
@@ -58,7 +58,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "resourceType": "alicloud_db_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("alicloud_db_instance[%s]]", [name]),
+ "searchKey": sprintf("alicloud_db_instance[%s]", [name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "'log_disconnections' parameter should be defined and value should be 'ON' in parametes array",
 "keyActualValue": "'log_disconnections' parameter is not defined in parametes array",
diff --git a/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/query.rego b/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/query.rego
index 83d181e40de..7f4f3ca656e 100644
--- a/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/query.rego
+++ b/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/query.rego
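Review bot: The alicloud rds_instance_log_disconnections_disabled hunk removes the doubled `]` from the searchKey but leaves the misspelling `parametes` in both user-facing strings directly below it, and those strings are what the report shows for a database whose disconnection logging is off. Suggested wording: `"keyExpectedValue": "'log_disconnections' parameter should be defined and value should be 'ON' in parameters array",` and `"keyActualValue": "'log_disconnections' parameter is not defined in parameters array",`. The enclosing `CxPolicy` rule starts before the hunk and ends after it.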
@@ -13,7 +13,7 @@ CxPolicy[result] {
 "documentId": document.id,
 "resourceType": "aws_api_gateway_deployment",
 "resourceName": tf_lib.get_resource_name(deployment, name),
- "searchKey": sprintf("aws_api_gateway_deployment[%s]", [name]),
+ "searchKey": sprintf("aws_api_gateway_deployment.%s", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("aws_api_gateway_deployment[%s] has a 'aws_api_gateway_usage_plan' resource associated. ", [name]),
 "keyActualValue": sprintf("aws_api_gateway_deployment[%s] doesn't have a 'aws_api_gateway_usage_plan' resource associated.", [name]),
diff --git a/assets/queries/terraform/azure/app_service_authentication_disabled/query.rego b/assets/queries/terraform/azure/app_service_authentication_disabled/query.rego
index ceaf145ddf0..547cec098dd 100644
--- a/assets/queries/terraform/azure/app_service_authentication_disabled/query.rego
+++ b/assets/queries/terraform/azure/app_service_authentication_disabled/query.rego
@@ -54,7 +54,7 @@ prepare_issues(resource, type, name) = res { # auth_settings not defined for azu
 common_lib.valid_key(resource, "auth_settings")
 resource.auth_settings.enabled == false
 res := {
- "sk": sprintf("'%s[%s].auth_settings.enabled'", [type, name]),
+ "sk": sprintf("%s[%s].auth_settings.enabled", [type, name]),
 "sl": common_lib.build_search_line(["resource", type, name, "auth_settings", "enabled"], []),
 "it": "IncorrectValue",
 "kev": sprintf("'%s[%s].auth_settings.enabled' should be defined to 'true'", [type, name]),
diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego b/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego
index a14944237e3..076f3419a2e 100644
--- a/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego
+++ b/assets/queries/terraform/azure/function_app_authentication_disabled/query.rego
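Review bot: The api_gateway_deployment_without_api_gateway_usage_plan_associated hunk switches a Terraform searchKey to the dotted `aws_api_gateway_deployment.%s` form, while every other Terraform searchKey in this patch keeps the bracketed `type[name]` form (`alicloud_db_instance[%s]` in the preceding hunk, `%s[%s].auth_settings.enabled` in the hunk that follows), and the two message lines below it still print `aws_api_gateway_deployment[%s]`. I cannot tell from the diff which form the CLI resolves to a line, but a searchKey that does not match the rest of the Terraform queries risks the finding being reported without a location, so this one should be aligned with the others: `"searchKey": sprintf("aws_api_gateway_deployment[%s]", [name]),`, or, if the dotted form is the intended new convention, the other Terraform hunks and the two messages here should change with it. The `CxPolicy` rule starts before the hunk and ends after it.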
@@ -54,7 +54,7 @@ prepare_issues(resource, type, name) = res { # auth_settings not defined for azu common_lib.valid_key(resource, "auth_settings") resource.auth_settings.enabled == false res := { - "sk": sprintf("'%s[%s].auth_settings.enabled'", [type, name]), + "sk": sprintf("%s[%s].auth_settings.enabled", [type, name]), "sl": common_lib.build_search_line(["resource", type, name, "auth_settings", "enabled"], []), "it": "IncorrectValue", "kev": sprintf("'%s[%s].auth_settings.enabled' should be defined to 'true'", [type, name]), diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego index 2110525522e..0729db43ab7 100644 --- a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego +++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/query.rego @@ -8,7 +8,7 @@ types := {"azurerm_function_app", "azurerm_linux_function_app", "azurerm_windows CxPolicy[result] { # for legacy "azurerm_function_app" -- ftps_state defaults to "AllAllowed" function := input.document[i].resource.azurerm_function_app[name] - results := get_path(function,name) + results := get_path(function, name) result := { "documentId": input.document[i].id, @@ -24,10 +24,10 @@ CxPolicy[result] { # for legacy "azurerm_function_app" -- ftps_state defaults to } } -get_path(function,name) = results { +get_path(function, name) = results { not common_lib.valid_key(function, "site_config") results := { - "searchKey": sprintf("azurerm_function_app[%s]'", [name]), + "searchKey": sprintf("azurerm_function_app.%s'", [name]), "searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name], []), "remediation": null, "remediationType": null, 
diff --git a/assets/queries/terraform/azure/sql_database_without_data_encryption/test/negative.tf b/assets/queries/terraform/azure/sql_database_without_data_encryption/test/negative.tf index d1c7e5c1d16..c9321efbd1b 100644 --- a/assets/queries/terraform/azure/sql_database_without_data_encryption/test/negative.tf +++ b/assets/queries/terraform/azure/sql_database_without_data_encryption/test/negative.tf @@ -1,6 +1,6 @@ -resource "azurerm_mssql_database" "example" { - name = "example-db" - server_id = azurerm_mssql_server.example.id +resource "azurerm_mssql_database" "negative_1" { + name = "negative_1-db" + server_id = azurerm_mssql_server.negative_1.id collation = "SQL_Latin1_General_CP1_CI_AS" license_type = "LicenseIncluded" max_size_gb = 4 @@ -12,9 +12,9 @@ resource "azurerm_mssql_database" "example" { # missing "transparent_data_encryption_enabled" - defaults to true } -resource "azurerm_mssql_database" "example" { - name = "example-db" - server_id = azurerm_mssql_server.example.id +resource "azurerm_mssql_database" "negative_2" { + name = "negative_2-db" + server_id = azurerm_mssql_server.negative_2.id collation = "SQL_Latin1_General_CP1_CI_AS" license_type = "LicenseIncluded" max_size_gb = 4 diff --git a/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive.tf b/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive.tf index a007f1a4d14..c7aea5b0c5a 100644 --- a/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive.tf +++ b/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive.tf @@ -1,6 +1,6 @@ -resource "azurerm_mssql_database" "example" { - name = "example-db" - server_id = azurerm_mssql_server.example.id +resource "azurerm_mssql_database" "positive" { + name = "positive-db" + server_id = azurerm_mssql_server.positive.id collation = "SQL_Latin1_General_CP1_CI_AS" license_type = "LicenseIncluded" max_size_gb = 4 
diff --git a/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/query.rego b/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/query.rego index a7018ea285d..a4cff851ea4 100644 --- a/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/query.rego +++ b/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/query.rego @@ -42,7 +42,7 @@ get_results(resource, type, name) = results { is_array(resource.admin_ssh_key) resource.admin_ssh_key == [] results := [{ - "searchKey": sprintf("%s[%s].admin_ssh_key", [type, name]), + "searchKey": sprintf("resource.%s.%s.admin_ssh_key", [type, name]), "keyActualValue": sprintf("'%s[%s].admin_ssh_key' is undefined or null", [type, name]), "searchLine": common_lib.build_search_line(["resource", type, name, "admin_ssh_key"], []) }] From 7c7114c5592efaab8d482e416e5f24f27e4fabcf Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 24 Mar 2026 18:05:59 +0000 Subject: [PATCH 2/2] Mini fix for expected results line in 'azure_instance_using_basic_authentication' --- .../test/positive_expected_result.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json index 5ec292f019e..fde36c31c87 100644 --- a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json @@ -2,7 +2,7 @@ { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 1, + "line": 3, "fileName": "positive1.yaml" }, {
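Review bot: The vm_without_admin_ssh_public_key_set hunk introduces a third searchKey shape, `resource.%s.%s.admin_ssh_key`, alongside the `type[name]` and `type.name` forms used by the other Terraform hunks in this patch, and the `keyActualValue` line directly below still describes the location as `'%s[%s].admin_ssh_key'`. If the CLI warning being fixed is about searchKey resolution, three different shapes in one change cannot all be correct; the one the other Terraform queries resolve against should be used here, e.g. `"searchKey": sprintf("%s[%s].admin_ssh_key", [type, name]),`, with the `keyActualValue` text kept in step with whichever form is chosen. This is only inferable from the hunk, since the `get_results` function it sits in starts before the hunk and ends after it.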