add id field for matching policies siac/terrascan (#824)
gaurav-gogia committed Jun 1, 2021
1 parent 9ff6f2f commit 0d8bc97
Showing 43 changed files with 98 additions and 55 deletions.
Expand Up @@ -8,5 +8,6 @@
"description": "Repository is Not Private.",
"reference_id": "accurics.gcp.IAM.145",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_GCP_0231"
}
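Review bot: The added `"id": "AC_GCP_0231"` is introduced with nothing visible that checks the value is unique across the 43 policy files or follows a single format, and since the commit title says the field is used for matching policies, a duplicated or mistyped id would silently make two policies match as one. The ids on this page do not track `reference_id` ordering (this file gets AC_GCP_0231 while the next hunk, accurics.gcp.IAM.106, gets AC_GCP_0230), so a reader cannot derive one from the other. I would add a test that loads every policy metadata file and asserts that all `id` values are distinct and match a pattern such as `^AC_GCP_[0-9]{4}$` (constructed from the values on this page), and document in the policy-authoring notes how a new id is allocated. The same applies to every other hunk in this commit that adds the field.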
Expand Up @@ -8,5 +8,6 @@
"description": "BigQuery datasets may be anonymously or publicly accessible.",
"reference_id": "accurics.gcp.IAM.106",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_GCP_0230"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) .",
"reference_id": "accurics.gcp.EKM.131",
"category": "Data Protection",
"version": 1
"version": 1,
"id": "AC_GCP_0229"
}
Expand Up @@ -8,5 +8,6 @@
"description": "VM disks attached to a compute instance should be encrypted with Customer Supplied Encryption Keys (CSEK) .",
"reference_id": "accurics.gcp.EKM.132",
"category": "Data Protection",
"version": 1
"version": 1,
"id": "AC_GCP_0036"
}
Expand Up @@ -4,9 +4,10 @@
"policy_type": "gcp",
"resource_type": "google_compute_instance",
"template_args": null,
"severity": "MEDIUM",
"severity": "HIGH",
"description": "Instances may have been configured to use the default service account with full access to all Cloud APIs",
"reference_id": "accurics.gcp.IAM.124",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_GCP_0040"
}
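Review bot: Reading the paired `"severity"` lines as old then new, this hunk re-rates accurics.gcp.IAM.124 from `"MEDIUM"` to `"HIGH"`, which the commit title "add id field for matching policies" does not mention; the same silent re-rating appears in the hunks for accurics.gcp.NS.126, IAM.104, OPS.101, OPS.144, NS.107, LOG.010, IAM.136, IAM.150, IAM.137 and IAM.138. Several of those appear to be downgrades from HIGH to LOW (Cloud Audit Logging coverage, DNSSEC, automatic node upgrade), which changes what a consumer filtering findings by a severity threshold will see, with no stated rationale. In each of these hunks `"version": 1` is left unchanged; if that field is meant to track policy-metadata revisions it presumably should be bumped alongside a severity change — confirm against how the loader uses it. I would split the re-ratings into their own commit with the reasoning per policy, or at minimum record them in this commit's description.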
Expand Up @@ -11,5 +11,6 @@
"description": "Ensure that no instance in the project overrides the project setting for enabling OSLogin",
"reference_id": "accurics.gcp.IAM.128",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_GCP_0038"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Instances may have been configured to use the default service account with full access to all Cloud APIs",
"reference_id": "accurics.gcp.NS.125",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_GCP_0041"
}
Expand Up @@ -7,9 +7,10 @@
"metaKey": "block-project-ssh-keys",
"name": "projectWideSshKeysUsed"
},
"severity": "MEDIUM",
"severity": "HIGH",
"description": "Ensure 'Block Project-wide SSH keys' is enabled for VM instances.",
"reference_id": "accurics.gcp.NS.126",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_GCP_0039"
}
Expand Up @@ -11,5 +11,6 @@
"description": "Ensure 'Enable connecting to serial ports' is not enabled for VM instances.",
"reference_id": "accurics.gcp.NS.129",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_GCP_0037"
}
Expand Up @@ -12,5 +12,6 @@
"description": "Ensure IP forwarding is not enabled on Instances.",
"reference_id": "accurics.gcp.NS.130",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_GCP_0232"
}
Expand Up @@ -7,6 +7,7 @@
"severity": "MEDIUM",
"description": "Ensure Compute instances are launched with Shielded VM enabled.",
"reference_id": "accurics.gcp.NS.133",
"category": "Infrastructure Security ",
"version": 1
"category": "Infrastructure Security",
"version": 1,
"id": "AC_GCP_0035"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites.",
"reference_id": "accurics.gcp.EKM.134",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_GCP_0034"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network.",
"reference_id": "accurics.gcp.LOG.118",
"category": "Logging and Monitoring",
"version": 1
"version": 1,
"id": "AC_GCP_0033"
}
Expand Up @@ -4,9 +4,10 @@
"policy_type": "gcp",
"resource_type": "google_container_cluster",
"template_args": null,
"severity": "HIGH",
"severity": "MEDIUM",
"description": "Ensure Kubernetes Cluster is created with Client Certificate disabled.",
"reference_id": "accurics.gcp.IAM.104",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_GCP_0024"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure GKE basic auth is disabled.",
"reference_id": "accurics.gcp.IAM.110",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_GCP_0021"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure Legacy Authorization is set to disabled on Kubernetes Engine Clusters.",
"reference_id": "accurics.gcp.IAM.142",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_GCP_0028"
}
Expand Up @@ -11,5 +11,6 @@
"description": "Ensure Stackdriver Logging is enabled on Kubernetes Engine Clusters.",
"reference_id": "accurics.gcp.LOG.100",
"category": "Logging and Monitoring",
"version": 1
"version": 1,
"id": "AC_GCP_0030"
}
Expand Up @@ -11,5 +11,6 @@
"description": "Ensure Stackdriver Monitoring is enabled on Kubernetes Engine Clusters.",
"reference_id": "accurics.gcp.MON.143",
"category": "Logging and Monitoring",
"version": 1
"version": 1,
"id": "AC_GCP_0029"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure GKE Control Plane is not public.",
"reference_id": "accurics.gcp.NS.109",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_GCP_0023"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure Master Authentication is set to enabled on Kubernetes Engine Clusters.",
"reference_id": "accurics.gcp.NS.112",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_GCP_0027"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure Kubernetes Clusters are configured with Labels.",
"reference_id": "accurics.gcp.OPS.113",
"category": "Compliance Validation",
"version": 1
"version": 1,
"id": "AC_GCP_0019"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure Kubernetes Cluster is created with Alias IP ranges enabled",
"reference_id": "accurics.gcp.OPS.115",
"category": "Compliance Validation",
"version": 1
"version": 1,
"id": "AC_GCP_0025"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters.",
"reference_id": "accurics.gcp.OPS.116",
"category": "Compliance Validation",
"version": 1
"version": 1,
"id": "AC_GCP_0022"
}
Expand Up @@ -7,9 +7,10 @@
"name": "autoNodeUpgradeEnabled",
"property": "auto_upgrade"
},
"severity": "HIGH",
"severity": "LOW",
"description": "Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters.",
"reference_id": "accurics.gcp.OPS.101",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_GCP_0017"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image.",
"reference_id": "accurics.gcp.OPS.114",
"category": "Compliance Validation",
"version": 1
"version": 1,
"id": "AC_GCP_0016"
}
Expand Up @@ -7,9 +7,10 @@
"name": "autoNodeRepairEnabled",
"property": "auto_repair"
},
"severity": "MEDIUM",
"severity": "LOW",
"description": "Ensure 'Automatic node repair' is enabled for Kubernetes Clusters.",
"reference_id": "accurics.gcp.OPS.144",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_GCP_0015"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC.",
"reference_id": "accurics.gcp.EKM.108",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_GCP_0013"
}
Expand Up @@ -4,9 +4,10 @@
"policy_type": "gcp",
"resource_type": "google_dns_managed_zone",
"template_args": null,
"severity": "HIGH",
"severity": "LOW",
"description": "Ensure that DNSSEC is enabled for Cloud DNS.",
"reference_id": "accurics.gcp.NS.107",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_GCP_0014"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure Encryption keys are rotated within a period of 365 days.",
"reference_id": "accurics.gcp.EKM.007",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_GCP_0012"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure Encryption keys are rotated within a period of 90 days.",
"reference_id": "accurics.gcp.EKM.139",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_GCP_0011"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure that the default network does not exist in a project.",
"reference_id": "accurics.gcp.NS.119",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_GCP_0010"
}
Expand Up @@ -4,9 +4,10 @@
"policy_type": "gcp",
"resource_type": "google_project_iam_audit_config",
"template_args": null,
"severity": "HIGH",
"severity": "LOW",
"description": "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project.",
"reference_id": "accurics.gcp.LOG.010",
"category": "Logging and Monitoring",
"version": 1
"version": 1,
"id": "AC_GCP_0009"
}
Expand Up @@ -4,9 +4,10 @@
"policy_type": "gcp",
"resource_type": "google_project_iam_binding",
"template_args": null,
"severity": "MEDIUM",
"severity": "HIGH",
"description": "Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level.",
"reference_id": "accurics.gcp.IAM.136",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_GCP_0007"
}
Expand Up @@ -4,9 +4,10 @@
"policy_type": "gcp",
"resource_type": "google_project_iam_binding",
"template_args": null,
"severity": "HIGH",
"severity": "MEDIUM",
"description": "Ensure that corporate login credentials are used instead of Gmail accounts.",
"reference_id": "accurics.gcp.IAM.150",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_GCP_0008"
}
Expand Up @@ -4,9 +4,10 @@
"policy_type": "gcp",
"resource_type": "google_project_iam_member",
"template_args": null,
"severity": "MEDIUM",
"severity": "HIGH",
"description": "Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level.",
"reference_id": "accurics.gcp.IAM.137",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_GCP_0006"
}
Expand Up @@ -4,9 +4,10 @@
"policy_type": "gcp",
"resource_type": "google_project_iam_member",
"template_args": null,
"severity": "MEDIUM",
"severity": "HIGH",
"description": "Ensure that Service Account has no Admin privileges.",
"reference_id": "accurics.gcp.IAM.138",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_GCP_0005"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure all Cloud SQL database instance have backup configuration enabled.",
"reference_id": "accurics.gcp.BDR.105",
"category": "Resilience",
"version": 1
"version": 1,
"id": "AC_GCP_0001"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure that Cloud SQL database instance requires all incoming connections to use SSL",
"reference_id": "accurics.gcp.EKM.141",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_GCP_0003"
}
