Commit

update integrations version (#5459)
* ci(deps): bump checkmarx/kics-action from 1.4 to 1.5 (#5207)

Bumps [checkmarx/kics-action](https://github.com/checkmarx/kics-action) from 1.4 to 1.5.
- [Release notes](https://github.com/checkmarx/kics-action/releases)
- [Commits](https://github.com/checkmarx/kics-action/compare/v1.4...v1.5)

---
updated-dependencies:
- dependency-name: checkmarx/kics-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.43.39 to 1.43.41 (#5200)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.43.39 to 1.43.41.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.43.39...v1.43.41)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.43.41 to 1.43.42 (#5218)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.43.41 to 1.43.42.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.43.41...v1.43.42)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/tidwall/gjson from 1.14.0 to 1.14.1 (#5217)

Bumps [github.com/tidwall/gjson](https://github.com/tidwall/gjson) from 1.14.0 to 1.14.1.
- [Release notes](https://github.com/tidwall/gjson/releases)
- [Commits](https://github.com/tidwall/gjson/compare/v1.14.0...v1.14.1)

---
updated-dependencies:
- dependency-name: github.com/tidwall/gjson
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* bug: Remove viewer from list of improper privileges (#5211)

* added possibility of sec group being a var (#5208)

* fix(query): extended scope of MissingAttribute rule in seccomp k8s rule (#5201)

* fix(query): fixed searchKey and resource kind in pod_or_container_without_resource_quota k8s rule (#5199)

* fix(query): fixed searchKey and resource kind in pod_or_container_without_resource_quota k8s rule

* capitalization

* fix(query): fixed searchKey and resource kind in pod_or_container_without_limit_range k8s rule (#5198)

* fix(query): added support for aws_iam_policy_document.Principals to policy_without_principal tf rule (#5196)

* update/fix(query): SNS Topic is Publicly Accessible (#5210)

* delete duplicated queries #5191

* remove redundant check for SSEType #5189

* add support for topic ref in SNS::Subscription cf

* add support to yaml files in query

* fix query (#5215)

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* build(deps): bump github.com/emicklei/proto from 1.9.2 to 1.10.0 (#5216)

Bumps [github.com/emicklei/proto](https://github.com/emicklei/proto) from 1.9.2 to 1.10.0.
- [Release notes](https://github.com/emicklei/proto/releases)
- [Changelog](https://github.com/emicklei/proto/blob/master/CHANGES.md)
- [Commits](https://github.com/emicklei/proto/compare/v1.9.2...v1.10.0)

---
updated-dependencies:
- dependency-name: github.com/emicklei/proto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.43.42 to 1.43.43 (#5224)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.43.42 to 1.43.43.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.43.42...v1.43.43)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs(implementations): fix changed directory for kics assets queries (#5213)

* updated missing technologies supported in docs (#5223)

* build(deps): bump github.com/aws/aws-sdk-go from 1.43.43 to 1.43.44 (#5230)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.43.43 to 1.43.44.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.43.43...v1.43.44)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* update(docs): updated missing technologies supported logs in docs (#5226)

* updated platform images

* changed dockercompose image size

* docs(kicsbot): update images digest (#5219)

Co-authored-by: rogeriopeixotocx <rogeriopeixotocx@users.noreply.github.com>

* fix(query): Api Gateway Without Content Encoding on Terraform platform (#5227)

* fix query name

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* fix result

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* update query (#5233)

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* build(deps): bump github.com/hashicorp/hcl/v2 from 2.11.1 to 2.12.0 (#5238)

Bumps [github.com/hashicorp/hcl/v2](https://github.com/hashicorp/hcl) from 2.11.1 to 2.12.0.
- [Release notes](https://github.com/hashicorp/hcl/releases)
- [Changelog](https://github.com/hashicorp/hcl/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/hcl/compare/v2.11.1...v2.12.0)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/hcl/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci(deps): bump github/codeql-action from 1 to 2 (#5243)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1 to 2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v1...v2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.43.44 to 1.44.0 (#5244)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.43.44 to 1.44.0.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.43.44...v1.44.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* refactor(analyzer): analyzer usage when types flag is passed (#5222)

* refactored analyzer + update docs

* corrected supportedRegexes

* improving log message

* Discard files pointed in -e in the analyzer

* requested changes

* Fix(e2e): Results json compare (index out of range) (#5209)

* fix(script): queries validator files filtering

* fix(e2e): added validation for query name & results in json file

* docs(kicsbot): update github-action image digest (#5228)

Co-authored-by: nunoocx <nunoocx@users.noreply.github.com>

* remove -q flag (#5225)

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* fix(query): ALB Listening on HTTP for AWS CloudFormation (#5212)

* fix incorrect line in result exposure

* Fix E2E

* update search line

* change search line

* Feat(Query): OSS Bucket Allows Delete From All Principals for Alicloud Terraform (#5232)

* Query alicloud terraform bucket allows delete

* Changed as requested

* Changed the search range to a bigger delete scope

* updated terralib and query to save code

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.0 to 1.44.1 (#5256)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.0 to 1.44.1.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.0...v1.44.1)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/tdewolff/minify/v2 from 2.11.1 to 2.11.2 (#5257)

Bumps [github.com/tdewolff/minify/v2](https://github.com/tdewolff/minify) from 2.11.1 to 2.11.2.
- [Release notes](https://github.com/tdewolff/minify/releases)
- [Commits](https://github.com/tdewolff/minify/compare/v2.11.1...v2.11.2)

---
updated-dependencies:
- dependency-name: github.com/tdewolff/minify/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(query): updated ecr_repositories_not_encrypted TF rule to match KMS type (#5195)

* Feat(query): Oss Bucket Allows List Action From All Principals for Alicloud Terraform (#5247)

* query oss bucket allow list action from all principals

* corrected keyvalues

* changed resource names

* Feat(Query): Oss Bucket Allows All Actions for Alicloud Terraform (#5235)

* query oss bucket allows all actions

* renamed query and added func to terralib

* changed aws queries to terralib func

* saving code

* Query Oss Bucket Allows Put Action For All Principals (#5250)

* + DB Instance Publicly Accessible (#5251)

* Feat(e2e): Allow E2E Tests to run locally (dev) and dockerized (CI) (#5214)

* fix(script): queries validator files filtering

* fix(e2e): added validation for query name & results in json file

* feat(tests): added option to run e2e tests from binary (faster) and docker.

* fix(e2e): fix lint issues & code security

* fix(e2e): lint issues

* model.NewIgnore.Reset() at the YAML parser top (#5255)

* feat(query): Added NAS File System Not Encrypted for Terraform Alicloud (#5249)

* + NAS File System Not Encrypted

* add searchLine

* feat(query): Added Using Kubernetes Native Secret Management for Kubernetes (#5237)

* + Using Kubernetes Native Secret Management

* update query description

* change severity & remove SecretStore verification

* remove SecretStore in git hub checks

* fix(queries): Fixed aws unique identifiers from common queries (#5236)

* separated ids

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* added positive41 sample

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* feat(query): Added NAS File System Without KMS for Alicloud (#5248)

* + NAS File System Without KMS

* update policies to check for encrypt_type

* change key values and issue type

* Feat(Query): OSS Bucket Has Static Website for Alicloud Terraform (#5252)

* Query OSS Bucket Has Static Website

* Updated metadata descriptions

* changed keyvalues as suggested

* feat(query): Added VPC Flow Logs Disabled for Terraform Alicloud (#5253)

* + VPC Flow Logs Disabled

* change description and remove check resource_id

* change description

* change key values

* feat(query): ROS Stack Retention Disabled for Terraform Alicloud (#5258)

* stage

* + ROS Stack Retention Disabled

* feat(query): Added ROS Stack Notifications Disabled for Terraform Alicloud (#5260)

* + ROS Stack Notifications Disabled

* change issueType

* feat(query): Added High KMS Key Rotation Period in Alicloud Terraform (#5263)

* + stage changes

* + High KMS Key Rotation Period

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.1 to 1.44.2 (#5269)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.1 to 1.44.2.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.1...v1.44.2)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/moby/buildkit from 0.10.1 to 0.10.2 (#5270)

Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.10.1 to 0.10.2.
- [Release notes](https://github.com/moby/buildkit/releases)
- [Commits](https://github.com/moby/buildkit/compare/v0.10.1...v0.10.2)

---
updated-dependencies:
- dependency-name: github.com/moby/buildkit
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* + ALB Listening on HTTP (#5272)

* Feat(Query): CS Kubernetes Node Pool Auto Repair Disabled for Alicloud Terraform (#5273)

* Query CS Kubernetes Node Pool Auto Repair Disabled for Alicloud Terraform

* changed as suggested, updated description text for auto repair queries

* Feat(Query): Log Retention Is Not Greater Than 90 Days for Alicloud Terraform (#5254)

* Query Log Retention Is Not Greater Than 90 Days

* changed as suggested

* changed keyvalues in policies

* Query ROS Stack Without Template

* Delete metadata.json

* Delete query.rego

* Delete negative1.tf

* Delete positive1.tf

* Delete positive_expected_result.json

* feat(query): Added No ROS Stack Policy for Terraform Alicloud (#5259)

* + No ROS Stack Policy

* add searchLine

* change key expected value

* Feat(Query): ROS Stack Without Template for Alicloud Terraform (#5262)

* Query Log Retention Is Not Greater Than 90 Days

* changed as suggested

* changed keyvalues in policies

* Query ROS Stack Without Template

* Query ROS Stack Without Template

* deleted extra query from other branch

* changed as suggested

* changed as requested

* update OSS Bucket Logging Disabled (#5275)

* fix(query): adjust severity of iam_access_analyzer_undefined rule to LOW (#5197)

* fix(query): adjust severity of iam_access_analyzer_undefined rule to LOW

* fix(query): move iam_access_analyzer_undefined rule to iam_access_analyzer_not_enabled

* Apply metadata changes to CF rule too

* move iam_access_analyzer_undefined CF rule to iam_access_analyzer_not_enabled

* fixed E2E tests

* update(query): Apt Get Install Pin Version Not Defined (#5176)

* update apt_get_install_lists_were_not_deleted

* add positive sample

* fix bug and add negative sample

* add negative sample to pin version not defined

* add support for ;

* fix(query): fixed searchKey rbac_roles_with_read_secrets_permissions k8s rule (#5265)

* feat(query): Add Launch Template Is Not Encrypted for Terraform Alicloud (#5274)

* + Launch Template Is Not Encrypted

* change descriptions

* change key values

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.2 to 1.44.3 (#5277)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.2 to 1.44.3.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.2...v1.44.3)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/open-policy-agent/opa from 0.39.0 to 0.40.0 (#5278)

Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.39.0 to 0.40.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v0.39.0...v0.40.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Updated query descriptions (#5279)

* feat(query): Added SLB Policy With Insecure TLS Version In Use for Terraform Alicloud (#5271)

* + SLB Policy With Insecure TLS Version In Use

* correct typo

* correct typo

* change key expected value

* Feat(Query): CMK Is Unusable for Alicloud Terraform (#5280)

* Query CMK Is Unusable for Alicloud Terraform

* changed as suggested

* Typo fix

Signed-off-by: Thomas Spear <tspear@conquestcyber.com>

* Use option from the docs

Signed-off-by: Thomas Spear <tspear@conquestcyber.com>

* feature(report): Code Climate report (#5261)

* code quality report

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* renamed to code climate

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* added tests

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* fix e2e test

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* integration docs

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* added comments

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* fix comment

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* fix results.md

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* fix docs integration examples

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* Feat(e2e): adding E2E Tests to validate codeclimate reports

Co-authored-by: Lucas Mendes <lucas.mendes@checkmarx.com>

* update(query): Unpinned Package Version in Apk Add (#5181)

* fix issue

* add support for -t

* docs(kicsbot): update images digest (#5234)

Co-authored-by: rogeriopeixotocx <rogeriopeixotocx@users.noreply.github.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.3 to 1.44.4 (#5281)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.3 to 1.44.4.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.3...v1.44.4)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(filesystem): GetExcludedPaths (#5288)

* Update README.md

* Update README.md

* fixed GetExcludePaths

* correcting log msg

* docs: preparing for release 1.5.7 (#5289)

* docs: preparing for release 1.5.7

* updated version

Co-authored-by: rafaela-soares <rafaela-soares@users.noreply.github.com>
Co-authored-by: rafaela-soares <rafaela.soares@checkmarx.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.4 to 1.44.5 (#5297)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.4 to 1.44.5.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.4...v1.44.5)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.5 to 1.44.6 (#5299)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.5 to 1.44.6.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.5...v1.44.6)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs(kicsbot): update images digest (#5300)

* update Network ACL With Unrestricted Access To RDP (#5296)

* update(query): Update category and severities according to issue 5220 (#5292)

* Queries severity and category change

* update SNS Topic is Publicly Accessible ansible

* update SNS Topic is Publicly Accessible for cF

* update SNS Topic is Publicly Accessible ansible

* update description

* change any principal check

* update CloudTrail Log Files Not Encrypted With CMK

* update yaml sample

* change yaml sample

* update line

* fix issues

* fixing e2e errors

* Add community tag to new issues by default

This change is possible as core team members mostly create PRs instead
of opening issues.

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.6 to 1.44.7 (#5306)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.6 to 1.44.7.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.6...v1.44.7)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs(kicsbot): update images digest (#5302)

Co-authored-by: rogeriopeixotocx <rogeriopeixotocx@users.noreply.github.com>

* feat(query): add new k8s rule to detect port-forwarding into containers (RBAC) (#5266)

* feat(query): add new k8s rule to detect account impersonation (RBAC) (#5267)

* feat(query): add new k8s rule to detect bind or escalate permissions (RBAC) (#5268)

* feat(query): add new k8s rule to detect exec permissions (RBAC) (#5286)

* update installation options and notes (#5293)

* update installation options and notes

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* fix links

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* another broken link

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* add deprecated Homebrew instructions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

* update Missing Flag From Dnf Install (#5310)

* removed results report formats list from docs (#5308)

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* ci(deps): bump docker/build-push-action from 2.10.0 to 3.0.0 (#5316)

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.10.0 to 3.0.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v2.10.0...v3.0.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci(deps): bump docker/login-action from 1.14.1 to 2.0.0 (#5317)

Bumps [docker/login-action](https://github.com/docker/login-action) from 1.14.1 to 2.0.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v1.14.1...v2.0.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.7 to 1.44.8 (#5318)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.7 to 1.44.8.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.7...v1.44.8)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* update(query): StatefulSet Without Service Name for Kubernetes (#5303)

* update check for matching labels

* update label checking method & queries description

* update keyExpectedValue

* update description

* update(query): Remote Desktop Port Open To Internet and HTTP Port Open To Internet (#5307)

* docs(kicsbot): update images digest (#5302)

Co-authored-by: rogeriopeixotocx <rogeriopeixotocx@users.noreply.github.com>

* update open port aws queries name

* add fileName

Co-authored-by: rogeriopeixotocx <rogeriopeixotocx@users.noreply.github.com>

* delete check for incorrect default (#5314)

* doc: fix syntax (#5309)

broken markdown syntax without line before list

* ci(deps): bump docker/setup-qemu-action from 1 to 2 (#5315)

Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 1 to 2.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](https://github.com/docker/setup-qemu-action/compare/v1...v2)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.8 to 1.44.9 (#5323)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.8 to 1.44.9.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.8...v1.44.9)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/moby/buildkit from 0.10.2 to 0.10.3 (#5324)

Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.10.2 to 0.10.3.
- [Release notes](https://github.com/moby/buildkit/releases)
- [Commits](https://github.com/moby/buildkit/compare/v0.10.2...v0.10.3)

---
updated-dependencies:
- dependency-name: github.com/moby/buildkit
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(query): adjusted severity rating and added searchLine in rbac_wildcard_in_rule k8s rule (#5264)

* fix(query): adjusted severity rating and added searchLine in rbac_wildcard_in_rule k8s rule

* updated severity to HIGH

* update(query): Audit Policy Not Cover Key Security Concerns for Kubernetes (#5326)

* add audit policy check

* empty commit

* update(queries): Add check for traffic direction in port queries in some providers (#5313)

* add check for inbound direction

* add check for inbound direction

* update alicloud queries to check for ingress

* change function Name

* empty commit

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.9 to 1.44.10 (#5329)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.9 to 1.44.10.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.9...v1.44.10)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.10 to 1.44.11 (#5330)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.10 to 1.44.11.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.10...v1.44.11)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/johnfercher/maroto from 0.36.1 to 0.37.0 (#5331)

Bumps [github.com/johnfercher/maroto](https://github.com/johnfercher/maroto) from 0.36.1 to 0.37.0.
- [Release notes](https://github.com/johnfercher/maroto/releases)
- [Commits](https://github.com/johnfercher/maroto/compare/v0.36.1...v0.37.0)

---
updated-dependencies:
- dependency-name: github.com/johnfercher/maroto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci(deps): bump golang from 1.18.1-alpine to 1.18.2-alpine (#5332)

Bumps golang from 1.18.1-alpine to 1.18.2-alpine.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs(kicsbot): update images digest (#5311)

* fix(password and secrets): improve performance (#5334)

* fix(cpu): fixed number of cpus available info (#5321)

* fix get cpu

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* change variable name

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* removed magic number

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* change function name

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* ...

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* check error

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* requested changes

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* fix(samples): k8s queries (#5322)

* docs: preparing for release 1.5.8 (#5336)

Signed-off-by: João Reigota <joao.reigota@checkmarx.com>

* ci(deps): bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (#5339)

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3.1.0 to 3.2.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v3.1.0...v3.2.0)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump mvdan.cc/sh/v3 from 3.4.3 to 3.5.0 (#5341)

Bumps [mvdan.cc/sh/v3](https://github.com/mvdan/sh) from 3.4.3 to 3.5.0.
- [Release notes](https://github.com/mvdan/sh/releases)
- [Changelog](https://github.com/mvdan/sh/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mvdan/sh/compare/v3.4.3...v3.5.0)

---
updated-dependencies:
- dependency-name: mvdan.cc/sh/v3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs(kicsbot): update images digest (#5342)

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.11 to 1.44.12 (#5340)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.11 to 1.44.12.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.11...v1.44.12)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.12 to 1.44.13 (#5345)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.12 to 1.44.13.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.12...v1.44.13)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs(kicsbot): update images digest (#5346)

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.13 to 1.44.14 (#5350)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.13 to 1.44.14.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.13...v1.44.14)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs(kicsbot): update images digest (#5351)

* build(go): bump golang version to 1.18 (#5348)

Signed-off-by: João Reigota <joao.reigota@checkmarx.com>
Co-authored-by: rafaela-soares <rafaela.soares@checkmarx.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.14 to 1.44.15 (#5353)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.14 to 1.44.15.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.14...v1.44.15)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs(kicsbot): update images digest (#5354)

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.15 to 1.44.16 (#5366)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.15 to 1.44.16.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.15...v1.44.16)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs(kicsbot): update images digest (#5367)

* build(deps): bump github.com/hashicorp/go-getter from 1.5.11 to 1.6.0 (#5372)

Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.5.11 to 1.6.0.
- [Release notes](https://github.com/hashicorp/go-getter/releases)
- [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml)
- [Commits](https://github.com/hashicorp/go-getter/compare/v1.5.11...v1.6.0)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.16 to 1.44.17 (#5373)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.16 to 1.44.17.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.16...v1.44.17)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump helm.sh/helm/v3 from 3.8.2 to 3.9.0 (#5374)

Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.8.2 to 3.9.0.
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](https://github.com/helm/helm/compare/v3.8.2...v3.9.0)

---
updated-dependencies:
- dependency-name: helm.sh/helm/v3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs(kicsbot): update images digest (#5375)

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.17 to 1.44.18 (#5377)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.17 to 1.44.18.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.17...v1.44.18)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/hashicorp/go-getter from 1.6.0 to 1.6.1 (#5378)

Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.6.0 to 1.6.1.
- [Release notes](https://github.com/hashicorp/go-getter/releases)
- [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml)
- [Commits](https://github.com/hashicorp/go-getter/compare/v1.6.0...v1.6.1)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs(kicsbot): update images digest (#5379)

* add support to .crt file (#5360)

* fix(query): Changed severity of Memcached Disabled query (#5349)

* changed severity

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* fix positive results

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* fix function (#5343)

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* fix(vulnerability builder): fixed and improved DefaultVulnerabilityBuilder (#5347)

* improved vulnerability_builder.go

* fix SAST error

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.18 to 1.44.19 (#5385)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: rafaela-soares <rafaela.soares@checkmarx.com>

* docs(kicsbot): update images digest (#5382)

* feat(query): added Default KMS Key Usage query for CloudFormation (#5363)

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* feat(query): CNI Plugin Does Not Support Network Policies for Kubernetes (#5370)

* + CNI Plugin Does Not Support Network Policies

* change description

* update

* feat(query): Ensure Administrative Boundaries Between Resources for Kubernetes (#5368)

* + Ensure Administrative Boundaries Between Res

* change category

* change category

* update

* update(kics): reduced the number of code files (#5325)

* fix(cpu): fix number cpus macos (#5371)

* fixed cpu number on macos

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* ...

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* ci(deps): bump goreleaser/goreleaser-action from 2.9.1 to 3.0.0 (#5390)

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.1 to 3.0.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](https://github.com/goreleaser/goreleaser-action/compare/v2.9.1...v3.0.0)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump mvdan.cc/sh/v3 from 3.5.0 to 3.5.1 (#5391)

Bumps [mvdan.cc/sh/v3](https://github.com/mvdan/sh) from 3.5.0 to 3.5.1.
- [Release notes](https://github.com/mvdan/sh/releases)
- [Changelog](https://github.com/mvdan/sh/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mvdan/sh/compare/v3.5.0...v3.5.1)

---
updated-dependencies:
- dependency-name: mvdan.cc/sh/v3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/tdewolff/minify/v2 from 2.11.2 to 2.11.5 (#5392)

Bumps [github.com/tdewolff/minify/v2](https://github.com/tdewolff/minify) from 2.11.2 to 2.11.5.
- [Release notes](https://github.com/tdewolff/minify/releases)
- [Commits](https://github.com/tdewolff/minify/compare/v2.11.2...v2.11.5)

---
updated-dependencies:
- dependency-name: github.com/tdewolff/minify/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.19 to 1.44.20 (#5393)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.19 to 1.44.20.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.19...v1.44.20)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci(deps): bump alpine from 3.15.4 to 3.16.0 (#5394)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: rafaela-soares <rafaela.soares@checkmarx.com>

* fix(ci): fixed access to CIFlag (#5395)

* feat(result): added resourceType and resourceName to Kubernetes queries result (#5355)

* added resourceType and resourceName to k8s queries

* omit ResourceType and ResourceName when empty

* unknown to n/a

* feat(result): added resourceType and resourceName to Azure Resource Management queries result (#5356)

* added resourceType and resourceName to ARM queries

* correcting

* fix(query): fix/cmk rotation disabled on terraform asymmetric key creation (#5344)

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* Update assets/queries/terraform/aws/cmk_rotation_disabled/query.rego

Co-authored-by: Rafaela Soares <rafaela.soares@checkmarx.com>

* Update assets/queries/terraform/aws/cmk_rotation_disabled/query.rego

Co-authored-by: Rafaela Soares <rafaela.soares@checkmarx.com>

* Update assets/queries/terraform/aws/cmk_rotation_disabled/query.rego

Co-authored-by: Rafaela Soares <rafaela.soares@checkmarx.com>

* Update assets/queries/terraform/aws/cmk_rotation_disabled/query.rego

Co-authored-by: Rafaela Soares <rafaela.soares@checkmarx.com>

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* Update assets/queries/terraform/aws/cmk_rotation_disabled/query.rego

Co-authored-by: Rafaela Soares <rafaela.soares@checkmarx.com>

Co-authored-by: Rafaela Soares <rafaela.soares@checkmarx.com>

* update(query): Ensure Administrative Boundaries (#5388)

* docs(kicsbot): update github-action image digest (#5359)

Co-authored-by: nunoocx <nunoocx@users.noreply.github.com>

* feat(result): added resourceType and resourceName to Google Deployment Management queries result (#5357)

* added resourceType and resourceName to GDM queries

* omit ResourceType and ResourceName when empty

* feat(result): added resourceType and resourceName to Ansible queries result (#5362)

* added resourceType and resourceName to ANS AWS

* added resourceType and resourceName to ANS AZURE

* added resourceType and resourceName to ANS GCP

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.20 to 1.44.21 (#5397)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.20 to 1.44.21.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.20...v1.44.21)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(resolver): added openapi file resolver for json and yaml parsers (#5396)

Signed-off-by: João Reigota <joao.Reigota@checkmarx.com>

* docs(kicsbot): update images digest (#5386)

* update(resolver): implemented limit in resolver to 50 files (#5398)

Signed-off-by: João Reigota <joao.Reigota@checkmarx.com>

* fix(resolver): fixed issue with searchLine (#5399)

Signed-off-by: João Reigota <joao.Reigota@checkmarx.com>

* fix(helm): fixed helm filepath bug introduced by resolver (#5400)

Signed-off-by: João Reigota <joao.Reigota@checkmarx.com>

* docs: preparing for release 1.5.9 (#5401)

Co-authored-by: joaoReigota1 <joaoreigota1@users.noreply.github.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.21 to 1.44.22 (#5404)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.21 to 1.44.22.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.21...v1.44.22)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/hashicorp/terraform-json (#5405)

Bumps [github.com/hashicorp/terraform-json](https://github.com/hashicorp/terraform-json) from 0.13.0 to 0.14.0.
- [Release notes](https://github.com/hashicorp/terraform-json/releases)
- [Commits](https://github.com/hashicorp/terraform-json/compare/v0.13.0...v0.14.0)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/terraform-json
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs(kicsbot): update images digest (#5406)

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.22 to 1.44.23 (#5409)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.22 to 1.44.23.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.22...v1.44.23)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/spf13/viper from 1.11.0 to 1.12.0 (#5410)

Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.11.0 to 1.12.0.
- [Release notes](https://github.com/spf13/viper/releases)
- [Commits](https://github.com/spf13/viper/compare/v1.11.0...v1.12.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/viper
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs(kicsbot): update images digest (#5411)

* docs(kicsbot): update images digest (#5416)

Co-authored-by: rogeriopeixotocx <rogeriopeixotocx@users.noreply.github.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.23 to 1.44.24 (#5414)

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps): bump gopkg.in/yaml.v3 from 3.0.0 to 3.0.1 (#5413)

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps): bump github.com/tdewolff/minify/v2 from 2.11.5 to 2.11.7 (#5420)

Bumps [github.com/tdewolff/minify/v2](https://github.com/tdewolff/minify) from 2.11.5 to 2.11.7.
- [Release notes](https://github.com/tdewolff/minify/releases)
- [Commits](https://github.com/tdewolff/minify/compare/v2.11.5...v2.11.7)

---
updated-dependencies:
- dependency-name: github.com/tdewolff/minify/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs(kicsbot): update images digest (#5421)

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.24 to 1.44.25 (#5425)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.24 to 1.44.25.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.24...v1.44.25)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs(kicsbot): update images digest (#5426)

* Update metadata.json (#5424)

* ci(deps): bump golang from 1.18.2-alpine to 1.18.3-alpine (#5430)

Bumps golang from 1.18.2-alpine to 1.18.3-alpine.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.25 to 1.44.26 (#5431)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.25 to 1.44.26.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.25...v1.44.26)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs(kicsbot): update images digest (#5428)

* feat(query): added "App Service Without Latest PHP Version" query for Terraform Azure (#5358)

* query Php Version Not Latest When Running Web App for azure terraform

* changed latest php version (was not mentioned in tf docs)

* updated samples

* changed severity, category, and query name

* correcting tflint errors

Co-authored-by: rafaela-soares <rafaela.soares@checkmarx.com>

* build(deps): bump github.com/open-policy-agent/opa from 0.40.0 to 0.41.0 (#5436)

Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.40.0 to 0.41.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v0.40.0...v0.41.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.26 to 1.44.27 (#5437)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.26 to 1.44.27.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.26...v1.44.27)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/tdewolff/minify/v2 from 2.11.7 to 2.11.8 (#5439)

Bumps [github.com/tdewolff/minify/v2](https://github.com/tdewolff/minify) from 2.11.7 to 2.11.8.
- [Release notes](https://github.com/tdewolff/minify/releases)
- [Commits](https://github.com/tdewolff/minify/compare/v2.11.7...v2.11.8)

---
updated-dependencies:
- dependency-name: github.com/tdewolff/minify/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* added -t flag on docker run command (#5434)

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* added 256 color to Dockerfile (#5427)

* update(report): improved report message (#5418)

* improved report message

* standardize

* correcting tests

* correcting e2e

* Fix(e2e): updating junit schema regex

Co-authored-by: Lucas Mendes <lucas.mendes@checkmarx.com>

* fix(analyzer): fixed Dockerfile analyzer approach (#5407)

* fixed Dockerfile analyzer approach

* correcting TestParser_SupportedExtensions

* fix Code scanning results

* improving

* update(queries): updated S3 Bucket queries for Terraform (#4872)

* updated TF S3 Bucket queries

* refactored bucket queries for pre 1.4.0

* removed unnecessary line

* added before/after version 1.4.0 comments

* added before/after version 1.4.0 comments

* 1.4.0 to 4.0

* adjusted key expected values as requested

Co-authored-by: André Felicidade <andre.felicidade@checkmarx.com>

* update(bom): updated AWS BOM S3 Bucket (#4873)

* updated TF AWS BOM S3 Bucket

* correcting positive5.tf

* added more cases to get_bucket_acl, deleted deprecated function

* added missing resource check and version comments

* corrected comments saying 1.4.0 to 4.0

Co-authored-by: André Felicidade <andre.felicidade@checkmarx.com>

* fix(inspector): fix timeout secrets inspector (#5419)

* fix timeout

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* Feat(e2e): adding e2e tests for timeout flag

* Fix(e2e): updating config validation in e2e tests

* Fix(e2e): moving testing configs to configs folder

Co-authored-by: Lucas Mendes <lucas.mendes@checkmarx.com>

* feat(filesystem): double star support to exclude folders (#5408)

* double star support

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* added test to double star

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* fix test

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* docs(kicsbot): update images digest (#5432)

* docs(kicsbot): update github-action image digest (#5440)

Co-authored-by: nunoocx <nunoocx@users.noreply.github.com>

* fixed queries (#5441)

* fix(query): s3 bucket policy accepts http requests (#5415)

* fix support iam policy document in terraform http deny check

* fix support iam policy document in terraform http deny check

* fix support iam policy document in terraform http deny check

* fix support iam policy document in terraform http deny check

* fix support iam policy document in terraform http deny check

* fix support iam policy document in terraform http deny check

* fix support iam policy document in terraform http deny check

* fix support iam policy document in terraform http deny check

* fix support iam policy document in terraform http deny check

* Update positive3.tf

* Update negative3.tf

* Update negative2.tf

* Update negative4.tf

* Update query.rego

* Update query.rego

* feat(query): added "Role Definition Allows Custom Role Creation" query for Ansible (#5417)

* added Role Definition Allows Custom Role Creation

* correcting wrong indentation

* fixed function check_schemes of openapi lib (#5433)

* support child modules in the tfplan payload (#5422)

* docs(kicsbot): update images digest (#5442)

* build(deps): bump github.com/stretchr/testify from 1.7.1 to 1.7.2 (#5443)

Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.7.1 to 1.7.2.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.7.1...v1.7.2)

---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.27 to 1.44.28 (#5445)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.27 to 1.44.28.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.27...v1.44.28)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/tdewolff/minify/v2 from 2.11.8 to 2.11.9 (#5444)

Bumps [github.com/tdewolff/minify/v2](https://github.com/tdewolff/minify) from 2.11.8 to 2.11.9.
- [Release notes](https://github.com/tdewolff/minify/releases)
- [Commits](https://github.com/tdewolff/minify/compare/v2.11.8...v2.11.9)

---
updated-dependencies:
- dependency-name: github.com/tdewolff/minify/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/aws/aws-sdk-go from 1.44.28 to 1.44.29 (#5448)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.28 to 1.44.29.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.28...v1.44.29)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs(kicsbot): update images digest (#5450)

* fix(queries): align descriptionText to similar queries across different platforms (#5446)

* fix(queries): align descriptionText to similar queries across different platforms

* align more descriptionText queries

* resolve comments

* added mutex (#5429)

Signed-off-by: joaorufi <joao.rufino@checkmarx.com>

* feat(result): added resourceType and resourceName to CloudFormation quer…
1 parent 4634dde commit 9317311
Showing 1,110 changed files with 11,968 additions and 3,514 deletions.
528 changes: 518 additions & 10 deletions .github/scripts/server-mock/package-lock.json


4 changes: 3 additions & 1 deletion Dockerfile
@@ -1,4 +1,4 @@
FROM golang:1.18.2-alpine as build_env
FROM golang:1.18.3-alpine as build_env

# Copy the source from the current directory to the Working Directory inside the container
WORKDIR /app
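Review bot: the builder image is still selected by a mutable tag (`golang:1.18.3-alpine`) rather than a digest, so the same Dockerfile can resolve to different image contents on different days; since the sibling commit in this batch already updates image digests, consider pinning the builder the same way, `FROM golang:1.18.3-alpine@sha256:<digest>` (digest placeholder), so the bump is reproducible and auditable.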
Expand Down Expand Up @@ -35,6 +35,8 @@ HEALTHCHECK CMD wget -q --method=HEAD localhost/system-status.txt
# kics-scan ignore-line
FROM alpine:3.16.0

ENV TERM xterm-256color

# Install Terraform and Terraform plugins
RUN wget https://releases.hashicorp.com/terraform/1.1.3/terraform_1.1.3_linux_amd64.zip \
&& unzip terraform_1.1.3_linux_amd64.zip && rm terraform_1.1.3_linux_amd64.zip \
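Review bot: the `RUN wget https://releases.hashicorp.com/terraform/1.1.3/terraform_1.1.3_linux_amd64.zip` step in the context lines unzips the archive without verifying it; while the runtime stage is being rebuilt on `alpine:3.16.0`, this is a good moment to also fetch HashiCorp's published SHA256SUMS for that release and run `sha256sum -c` on the zip before `unzip`, so a tampered or truncated download fails the build instead of ending up in the image.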
Expand Down
104 changes: 104 additions & 0 deletions assets/libraries/cloudformation.rego
Expand Up @@ -115,3 +115,107 @@ get_resource_accessibility(nameRef, type, key) = info {
} else = info {
info := {"accessibility": "unknown", "policy": ""}
}

resourceFieldName = {
"AWS::Config::ConfigRule": "ConfigRuleName",
"AWS::ElasticLoadBalancing::LoadBalancer": "LoadBalancerName",
"AWS::ElasticLoadBalancingV2::LoadBalancer": "Name",
"Alexa::ASK::Skill": "",
"AWS::AmazonMQ::Broker": "BrokerName",
"AWS::Amplify::App": "Name",
"AWS::ApiGateway::Stage": "StageName",
"AWS::ApiGatewayV2::Stage": "StageName",
"AWS::ApiGateway::Deployment": "StageName",
"AWS::ApiGateway::RestApi": "Name",
"AWS::ApiGateway::Method": "OperationName",
"AWS::ApiGateway::Authorizer": "Name",
"AWS::ApiGatewayV2::Authorizer": "Name",
"AWS::ApiGatewayV2::Api": "Name",
"AWS::ApiGateway::DomainName": "DomainName",
"AWS::AutoScaling::AutoScalingGroup": "AutoScalingGroupName",
"AWS::RDS::DBInstance": "DBName",
"AWS::Batch::JobDefinition": "JobDefinitionName",
"AWS::CloudFront::Distribution": "",
"AWS::EC2::Instance": "",
"AWS::CloudTrail::Trail": "TrailName",
"AWS::Route53::HostedZone": "Name",
"AWS::KMS::Key": "",
"AWS::DocDB::DBCluster": "",
"AWS::Neptune::DBCluster": "",
"AWS::RDS::DBCluster": "DatabaseName",
"AWS::RDS::GlobalCluster": "",
"AWS::Redshift::Cluster": "DBName",
"AWS::CodeBuild::Project": "Name",
"AWS::Cognito::UserPool": "UserPoolName",
"AWS::Config::ConfigurationAggregator": "ConfigurationAggregatorName",
"AWS::IAM::Role": "RoleName",
"AWS::EC2::SecurityGroup": "GroupName",
"AWS::RDS::DBSecurityGroup": "",
"AWS::DirectoryService::MicrosoftAD": "Name",
"AWS::DirectoryService::SimpleAD": "Name",
"AWS::DMS::Endpoint": "",
"AWS::DynamoDB::Table": "TableName",
"AWS::EC2::Volume": "",
"AWS::EC2::NetworkAclEntry": "",
"AWS::EC2::Subnet": "",
"AWS::ECR::Repository": "RepositoryName",
"AWS::ECS::Service": "ServiceName",
"AWS::ECS::TaskDefinition": "",
"AWS::EFS::FileSystem": "",
"AWS::EKS::Nodegroup": "NodegroupName",
"AWS::Elasticsearch::Domain": "DomainName",
"AWS::ElastiCache::CacheCluster": "ClusterName",
"AWS::ElastiCache::ReplicationGroup": "",
"AWS::EMR::Cluster": "Name",
"AWS::EMR::SecurityConfiguration": "Name",
"AWS::EC2::SecurityGroupIngress": "GroupName",
"AWS::ECS::Cluster": "ClusterName",
"AWS::GameLift::Fleet": "Name",
"AWS::CodeStar::GitHubRepository": "RepositoryName",
"AWS::GuardDuty::Detector": "",
"AWS::Lambda::Function": "FunctionName",
"AWS::IAM::Group": "GroupName",
"AWS::IAM::ManagedPolicy": "ManagedPolicyName",
"AWS::IAM::User": "UserName",
"AWS::IAM::Policy": "PolicyName",
"AWS::IAM::AccessKey": "",
"AWS::IoT::Policy": "PolicyName",
"AWS::Kinesis::Stream": "Name",
"AWS::Lambda::Permission": "",
"AWS::MSK::Cluster": "ClusterName",
"AWS::EC2::Route": "",
"AWS::S3::Bucket": "BucketName",
"AWS::S3::BucketPolicy": "",
"AWS::SageMaker::NotebookInstance": "NotebookInstanceName",
"AWS::SageMaker::EndpointConfig": "EndpointConfigName",
"AWS::SDB::Domain": "",
"AWS::SecretsManager::Secret": "Name",
"AWS::EC2::SecurityGroupEgress": "",
"AWS::GlobalAccelerator::Accelerator": "Name",
"AWS::EC2::EIP": "",
"AWS::SNS::TopicPolicy": "",
"AWS::SNS::Topic": "TopicName",
"AWS::SQS::QueuePolicy": "",
"AWS::SQS::Queue": "QueueName",
"AWS::CloudFormation::Stack": "",
"AWS::CloudFormation::StackSet": "StackSetName",
"AWS::AutoScaling::LaunchConfiguration": "LaunchConfigurationName",
"AWS::EC2::VPC": "",
"AWS::EC2::VPCGatewayAttachment": "",
"AWS::EC2::FlowLog": "",
"AWS::NetworkFirewall::Firewall": "FirewallName",
"AWS::WAF::WebACL": "Name",
"AWS::CertificateManager::Certificate": "",
"AWS::Serverless::HttpApi": "",
"AWS::Serverless::Api": "",
"AWS::Serverless::Function": "FunctionName",
}

get_resource_name(resource, resourceDefinitionName) = name {
field := resourceFieldName[resource.Type]
name := resource.Properties[field]
} else = name {
name := common_lib.get_tag_name_if_exists(resource)
} else = name {
name := resourceDefinitionName
}
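Review bot: three of the new `resourceFieldName` entries map to the database name instead of the resource identifier, so the reported `resourceName` will be the DB name rather than the thing the template actually names: `"AWS::RDS::DBInstance": "DBName"` (the instance is identified by `DBInstanceIdentifier`), `"AWS::RDS::DBCluster": "DatabaseName"` (`DBClusterIdentifier`) and `"AWS::Redshift::Cluster": "DBName"` (`ClusterIdentifier`). Separately, `name := resource.Properties[field]` in `get_resource_name` returns whatever the property holds, which in real templates is frequently an intrinsic such as `{"Ref": ...}` or `Fn::Sub` rather than a string; guarding that branch with `is_string(name)` would let it fall through to the tag and definition-name branches instead of emitting an object as the name.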
5 changes: 4 additions & 1 deletion assets/libraries/common.rego
Expand Up @@ -346,7 +346,9 @@ get_tag_name_if_exists(resource) = name {
tag.Key == "Name"
name := tag.Value
} else = name {
name := "unknown"
tag := resource.Properties.Tags[key]
key == "Name"
name := tag
}

get_encryption_if_exists(resource) = encryption {
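Review bot: replacing `name := "unknown"` with a second lookup turns `get_tag_name_if_exists` from always-defined into undefined when no Name tag exists, so any caller that does not chain it with `else` (the new `get_resource_name` functions do) is now undefined too; please check the remaining call sites. The new branch can also be written `name := resource.Properties.Tags.Name`, which reads more clearly than iterating `Tags[key]` and testing `key == "Name"` and has the same undefined-when-absent behaviour for the map-style `Tags` it is meant to cover.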
Expand Down Expand Up @@ -776,3 +778,4 @@ get_bom_output(bom_output, policy) = output {
is_aws_ebs_optimized_by_default(instanceType) {
inArray(data.common_lib.aws_ebs_optimized_by_default, instanceType)
}

16 changes: 6 additions & 10 deletions assets/libraries/openapi.rego
Expand Up @@ -231,24 +231,20 @@ api_key_exposed(doc, version, s) {
doc.securityDefinitions[s].type == "apiKey"
}

check_schemes(doc, opSchemes, version) = opScheme {
check_scheme(doc, schemeKey, scope, version) {
version == "3.0"
operationSecurityScheme := opSchemes[opScheme]
secScheme := doc.components.securitySchemes[scheme]
secScheme := doc.components.securitySchemes[schemeKey]
secScheme.type == "oauth2"

opScope := operationSecurityScheme[_]
arr := [x | _ := secScheme.flows[flowKey].scopes[scopeName]; scopeName == opScope; x := opScope]
arr := [x | _ := secScheme.flows[flowKey].scopes[scopeName]; scopeName == scope; x := scope]

count(arr) == 0
} else = opScheme {
} else {
version == "2.0"
operationSecurityScheme := opSchemes[opScheme]
secScheme := doc.securityDefinitions[scheme]
secScheme := doc.securityDefinitions[schemeKey]
secScheme.type == "oauth2"

opScope := operationSecurityScheme[_]
arr := [x | _ := secScheme.scopes[scopeName]; scopeName == opScope; x := opScope]
arr := [x | _ := secScheme.scopes[scopeName]; scopeName == scope; x := scope]

count(arr) == 0
}
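Review bot: `check_schemes(doc, opSchemes, version) = opScheme` becomes the boolean `check_scheme(doc, schemeKey, scope, version)`, so the iteration over `opSchemes[opScheme]` and `operationSecurityScheme[_]` now has to happen in the callers, which are not in this hunk; because the arity changed from 3 to 4, any query still calling the old name or shape will fail at compile time, so the query test suite should be run against every query that used it. Both branches also compare `version` by exact string (`"3.0"`, `"2.0"`), which only works if the caller has already normalised the document's `openapi`/`swagger` field to those two values.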
Expand Down
39 changes: 39 additions & 0 deletions assets/libraries/terraform.rego
Expand Up @@ -591,6 +591,12 @@ has_relation(related_resource_id, related_resource_type, current_resource, curre
regex.match(sprintf("\\${%v\\.%v\\.", [related_resource_type, related_resource_id]), value)
}

has_target_resource(bucketName, resourceName) {
resource := input.document[i].resource[resourceName][_]

split(resource.bucket, ".")[1] == bucketName
}

#Checks if an action is allowed for all principals
allows_action_from_all_principals(json_policy, action) {
policy := common_lib.json_unmarshal(json_policy)
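Review bot: `split(resource.bucket, ".")[1] == bucketName` in `has_target_resource` compares the second dot-separated segment of whatever `bucket` holds, which is the resource name only when `bucket` is a reference such as `aws_s3_bucket.<name>.id`. A literal bucket name containing dots (a constructed example: `logs.example.com`) would compare its middle segment and can produce a false match, and a literal name without dots has no index 1, so the rule is silently undefined. Consider checking that segment 0 is `aws_s3_bucket` (or `${aws_s3_bucket` for the interpolated form) before comparing, or reusing `has_relation` above, which already matches references with a regex.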
Expand All @@ -600,3 +606,36 @@ allows_action_from_all_principals(json_policy, action) {
anyPrincipal(statement)
common_lib.containsOrInArrayContains(statement.Action, action)
}

resourceFieldName = {
"google_bigquery_dataset": "friendly_name",
"alicloud_actiontrail_trail": "trail_name",
"alicloud_ros_stack": "stack_name",
"alicloud_oss_bucket": "bucket",
"aws_s3_bucket": "bucket",
"aws_msk_cluster": "cluster_name",
"aws_mq_broker": "broker_name",
"aws_elasticache_cluster": "cluster_id",
}

get_resource_name(resource, resourceDefinitionName) = name {
possibleNames := {"name", "display_name"}
targetName := possibleNames[_]
name := resource[targetName]
} else = name {
name := resource.metadata.name
} else = name {
prefix := resource.name_prefix
name := sprintf("%s<unknown-sufix>", [prefix])
} else = name {
name := common_lib.get_tag_name_if_exists(resource)
} else = name {
name := resourceDefinitionName
}

get_specific_resource_name(resource, resourceType, resourceDefinitionName) = name {
field := resourceFieldName[resourceType]
name := resource[field]
} else = name {
name := get_resource_name(resource, resourceDefinitionName)
}
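Review bot: the first branch of `get_resource_name` can yield two values for one input, which Rego reports as an evaluation conflict (functions must not produce multiple outputs for the same inputs): `targetName := possibleNames[_]` iterates both `"name"` and `"display_name"`, so a resource that sets both attributes to different values makes the whole function error out instead of picking one. Split it into two ordered branches, `name := resource.name` followed by `} else = name { name := resource.display_name`, which also makes the precedence explicit. Minor: `"%s<unknown-sufix>"` should read `<unknown-suffix>`, and this `resourceFieldName` shares its name with the one added to `cloudformation.rego` in this commit, which is fine across packages but worth a comment so nobody merges the two maps later.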
Expand Up @@ -3,7 +3,7 @@
"queryName": "EBS Volume Encryption Disabled",
"severity": "MEDIUM",
"category": "Encryption",
"descriptionText": "EBS Encryption should be enabled",
"descriptionText": "EBS volumes should be encrypted",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_vol_module.html#parameter-encrypted",
"platform": "Ansible",
"descriptionID": "06f72385",
Expand Down
2 changes: 1 addition & 1 deletion assets/queries/ansible/aws/efs_without_kms/metadata.json
Expand Up @@ -3,7 +3,7 @@
"queryName": "EFS Without KMS",
"severity": "HIGH",
"category": "Encryption",
"descriptionText": "Elastic File System (EFS) must have KMS Key ID",
"descriptionText": "Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-kms_key_id",
"platform": "Ansible",
"descriptionID": "a01870d5",
Expand Down
Expand Up @@ -3,7 +3,7 @@
"queryName": "IAM Password Without Lowercase Letter",
"severity": "MEDIUM",
"category": "Best Practices",
"descriptionText": "Check if IAM account password has at least one lowercase letter",
"descriptionText": "IAM Password should have at least one lowercase letter",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html",
"platform": "Ansible",
"descriptionID": "e229f4bd",
Expand Down
Expand Up @@ -3,7 +3,7 @@
"queryName": "IAM Password Without Minimum Length",
"severity": "MEDIUM",
"category": "Best Practices",
"descriptionText": "Check if IAM account password has the required minimum length",
"descriptionText": "IAM password should have the required minimum length",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html",
"platform": "Ansible",
"descriptionID": "b1066765",
Expand Down
Expand Up @@ -3,7 +3,7 @@
"queryName": "IAM Password Without Uppercase Letter",
"severity": "MEDIUM",
"category": "Best Practices",
"descriptionText": "Check if IAM account password has at least one uppercase letter",
"descriptionText": "IAM password should have at least one uppercase letter",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html",
"platform": "Ansible",
"descriptionID": "ab3484ee",
Expand Down
Expand Up @@ -3,7 +3,7 @@
"queryName": "IAM Policies With Full Privileges",
"severity": "HIGH",
"category": "Access Control",
"descriptionText": "IAM policies that allow full administrative privileges (for all resources)",
"descriptionText": "IAM policies shouldn't allow full administrative privileges (for all resources)",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html",
"platform": "Ansible",
"descriptionID": "3827a620",
Expand Down
Expand Up @@ -3,7 +3,7 @@
"queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services",
"severity": "LOW",
"category": "Access Control",
"descriptionText": "IAM role allows All services or principals to assume it",
"descriptionText": "IAM Policy should not grant 'AssumeRole' permission across all services.",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html",
"platform": "Ansible",
"descriptionID": "860cc010",
Expand Down
Expand Up @@ -3,7 +3,7 @@
"queryName": "IAM Policy Grants Full Permissions",
"severity": "HIGH",
"category": "Access Control",
"descriptionText": "IAM policies allow all ('*') in a statement action",
"descriptionText": "Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html",
"platform": "Ansible",
"descriptionID": "97b2a82d",
Expand Down
Expand Up @@ -3,7 +3,7 @@
"queryName": "Instance With No VPC",
"severity": "MEDIUM",
"category": "Insecure Configurations",
"descriptionText": "Instance should be configured in VPC (Virtual Private Cloud)",
"descriptionText": "EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html",
"platform": "Ansible",
"descriptionID": "27754eca",
Expand Down
Expand Up @@ -3,7 +3,7 @@
"queryName": "RDS With Backup Disabled",
"severity": "MEDIUM",
"category": "Backup",
"descriptionText": "RDS configured without backup",
"descriptionText": "Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-backup_retention_period",
"platform": "Ansible",
"descriptionID": "51f94eee",
Expand Down
Expand Up @@ -3,7 +3,7 @@
"queryName": "S3 Bucket ACL Allows Read to All Users",
"severity": "HIGH",
"category": "Access Control",
"descriptionText": "It's not recommended to allow read access for all user groups.",
"descriptionText": "S3 Buckets should not be readable to all users",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission",
"platform": "Ansible",
"descriptionID": "446af0d8",
Expand Down
Expand Up @@ -3,7 +3,7 @@
"queryName": "S3 Bucket ACL Allows Read to Any Authenticated User",
"severity": "HIGH",
"category": "Access Control",
"descriptionText": "Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion",
"descriptionText": "S3 Buckets should not be readable to any authenticated user",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission",
"platform": "Ansible",
"descriptionID": "e9e4ca47",
Expand Down
Expand Up @@ -3,7 +3,7 @@
"queryName": "S3 Bucket Allows Delete Action From All Principals",
"severity": "HIGH",
"category": "Access Control",
"descriptionText": "S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.",
"descriptionText": "S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html",
"platform": "Ansible",
"descriptionID": "7c11444e",
Expand Down
Expand Up @@ -3,7 +3,7 @@
"queryName": "S3 Bucket Allows Get Action From All Principals",
"severity": "HIGH",
"category": "Access Control",
"descriptionText": "S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.",
"descriptionText": "S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html",
"platform": "Ansible",
"descriptionID": "de0687eb",
Expand Down
Expand Up @@ -3,7 +3,7 @@
"queryName": "S3 Bucket Allows List Action From All Principals",
"severity": "HIGH",
"category": "Access Control",
"descriptionText": "S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.",
"descriptionText": "S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html",
"platform": "Ansible",
"descriptionID": "8232deb2",
Expand Down
Expand Up @@ -3,7 +3,7 @@
"queryName": "S3 Bucket Allows Put Action From All Principals",
"severity": "HIGH",
"category": "Access Control",
"descriptionText": "S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.",
"descriptionText": "S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html",
"platform": "Ansible",
"descriptionID": "772b17ca",
Expand Down
Expand Up @@ -3,7 +3,7 @@
"queryName": "Security Group With Unrestricted Access To SSH",
"severity": "HIGH",
"category": "Networking and Firewall",
"descriptionText": "SSH' (TCP:22) should not be public in AWS Security Group",
"descriptionText": "'SSH' (TCP:22) should not be public in AWS Security Group",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html",
"platform": "Ansible",
"descriptionID": "ea2f2c57",
Expand Down
Expand Up @@ -3,7 +3,7 @@
"queryName": "SQS Policy With Public Access",
"severity": "MEDIUM",
"category": "Access Control",
"descriptionText": "SQS policy with public access",
"descriptionText": "Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html",
"platform": "Ansible",
"descriptionID": "dd40b568",
Expand Down
Expand Up @@ -3,7 +3,7 @@
"queryName": "SQS with SSE disabled",
"severity": "MEDIUM",
"category": "Encryption",
"descriptionText": " SQS Queue should be protected with CMK encryption",
"descriptionText": "Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html#ansible-collections-community-aws-sqs-queue-module",
"platform": "Ansible",
"descriptionID": "7825cf30",
Expand Down

0 comments on commit 9317311
