From fc875fb877524fd24d5e6dc153c93f89b08741ba Mon Sep 17 00:00:00 2001 From: Alexis-Maurer Fortin Date: Mon, 5 Aug 2024 12:04:26 -0400 Subject: [PATCH 1/5] recommended rules --- .../boostsecurityio/mitre-cwe/rules.yaml | 29 ++++++++++++++++++- .../boostsecurityio/sca-cve/rules.yaml | 2 ++ .../boostsecurityio/stored-secrets/rules.yaml | 2 ++ scanners/boostsecurityio/gosec/rules.yaml | 18 ++++++++++++ scanners/boostsecurityio/modelscan/rules.yaml | 1 + scanners/boostsecurityio/scanner/rules.yaml | 8 +++++ .../boostsecurityio/trivy-image/rules.yaml | 2 ++ .../boostsecurityio/cicd/rules.yaml | 24 +++++++++++++++ .../boostsecurityio/oss-license/rules.yaml | 1 + .../boostsecurityio/sbom-sca/rules.yaml | 1 + 10 files changed, 87 insertions(+), 1 deletion(-) diff --git a/rules-realm/boostsecurityio/mitre-cwe/rules.yaml b/rules-realm/boostsecurityio/mitre-cwe/rules.yaml index 823f76b2..61854fd1 100644 --- a/rules-realm/boostsecurityio/mitre-cwe/rules.yaml +++ b/rules-realm/boostsecurityio/mitre-cwe/rules.yaml @@ -1199,6 +1199,7 @@ rules: name: CWE-116 pretty_name: 'CWE-116: Improper Encoding or Escaping of Output' ref: https://cwe.mitre.org/data/definitions/116.html + recommended: true CWE-1164: categories: - ALL @@ -3541,6 +3542,7 @@ rules: name: CWE-20 pretty_name: 'CWE-20: Improper Input Validation' ref: https://cwe.mitre.org/data/definitions/20.html + recommended: true CWE-200: categories: - ALL @@ -3750,6 +3752,7 @@ rules: pretty_name: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' ref: https://cwe.mitre.org/data/definitions/22.html + recommended: true CWE-220: categories: - ALL @@ -4433,6 +4436,7 @@ rules: name: CWE-287 pretty_name: 'CWE-287: Improper Authentication' ref: https://cwe.mitre.org/data/definitions/287.html + recommended: true CWE-288: categories: - ALL 
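Review bot: The `recommended` key written into every rule entry from the first `CWE-116` hunk onward is not declared anywhere in the patch — none of the ten files in the diffstat is a schema, loader or validator — so if the rule loader rejects unknown keys these files will fail to load, and if it ignores them the flag is a no-op; please confirm the consumer recognises the key before this merges. Only `true` is ever written, so absence silently means "not recommended"; a one-line comment at the top of each rules file, e.g. `# recommended: true — rule is enabled in the default rule set; omit the key (never write false) for opt-in rules`, would make that contract explicit for the next editor.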
@@ -4519,6 +4523,7 @@ rules: name: CWE-295 pretty_name: 'CWE-295: Improper Certificate Validation' ref: https://cwe.mitre.org/data/definitions/295.html + recommended: true CWE-296: categories: - ALL @@ -4709,6 +4714,7 @@ rules: name: CWE-311 pretty_name: 'CWE-311: Missing Encryption of Sensitive Data' ref: https://cwe.mitre.org/data/definitions/311.html + recommended: true CWE-312: categories: - ALL @@ -4788,6 +4794,7 @@ rules: name: CWE-319 pretty_name: 'CWE-319: Cleartext Transmission of Sensitive Information' ref: https://cwe.mitre.org/data/definitions/319.html + recommended: true CWE-32: categories: - ALL @@ -4864,6 +4871,7 @@ rules: name: CWE-326 pretty_name: 'CWE-326: Inadequate Encryption Strength' ref: https://cwe.mitre.org/data/definitions/326.html + recommended: true CWE-327: categories: - ALL @@ -4876,6 +4884,7 @@ rules: name: CWE-327 pretty_name: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' ref: https://cwe.mitre.org/data/definitions/327.html + recommended: true CWE-328: categories: - ALL @@ -4892,6 +4901,7 @@ rules: name: CWE-328 pretty_name: 'CWE-328: Use of Weak Hash' ref: https://cwe.mitre.org/data/definitions/328.html + recommended: true CWE-329: categories: - ALL @@ -5189,6 +5199,7 @@ rules: name: CWE-352 pretty_name: 'CWE-352: Cross-Site Request Forgery (CSRF)' ref: https://cwe.mitre.org/data/definitions/352.html + recommended: true CWE-353: categories: - ALL @@ -6519,6 +6530,7 @@ rules: name: CWE-489 pretty_name: 'CWE-489: Active Debug Code' ref: https://cwe.mitre.org/data/definitions/489.html + recommended: true CWE-49: categories: - ALL @@ -6686,6 +6698,7 @@ rules: name: CWE-502 pretty_name: 'CWE-502: Deserialization of Untrusted Data' ref: https://cwe.mitre.org/data/definitions/502.html + recommended: true CWE-506: categories: - ALL 
@@ -6842,6 +6855,7 @@ rules: name: CWE-522 pretty_name: 'CWE-522: Insufficiently Protected Credentials' ref: https://cwe.mitre.org/data/definitions/522.html + recommended: true CWE-523: categories: - ALL @@ -7776,6 +7790,7 @@ rules: name: CWE-611 pretty_name: 'CWE-611: Improper Restriction of XML External Entity Reference' ref: https://cwe.mitre.org/data/definitions/611.html + recommended: true CWE-612: categories: - ALL @@ -8791,6 +8806,7 @@ rules: pretty_name: 'CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (''Injection'')' ref: https://cwe.mitre.org/data/definitions/74.html + recommended: true CWE-749: categories: - ALL @@ -9131,6 +9147,7 @@ rules: pretty_name: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' ref: https://cwe.mitre.org/data/definitions/78.html + recommended: true CWE-780: categories: - ALL @@ -9253,6 +9270,7 @@ rules: pretty_name: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' ref: https://cwe.mitre.org/data/definitions/79.html + recommended: true CWE-790: categories: - ALL @@ -9358,6 +9376,7 @@ rules: name: CWE-798 pretty_name: 'CWE-798: Use of Hard-coded Credentials' ref: https://cwe.mitre.org/data/definitions/798.html + recommended: true CWE-799: categories: - ALL @@ -9807,6 +9826,7 @@ rules: pretty_name: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' ref: https://cwe.mitre.org/data/definitions/89.html + recommended: true CWE-9: categories: - ALL @@ -9833,6 +9853,7 @@ rules: pretty_name: 'CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (''LDAP Injection'')' ref: https://cwe.mitre.org/data/definitions/90.html + recommended: true CWE-908: categories: - ALL 
@@ -9970,6 +9991,7 @@ rules: name: CWE-918 pretty_name: 'CWE-918: Server-Side Request Forgery (SSRF)' ref: https://cwe.mitre.org/data/definitions/918.html + recommended: true CWE-919: categories: - ALL @@ -9982,6 +10004,7 @@ rules: pretty_name: CWE-919 - Weaknesses in Mobile Applications description: The code introduces a vulnerability in the mobile application. ref: https://cwe.mitre.org/data/definitions/919.html + recommended: true CWE-920: categories: - ALL @@ -10107,6 +10130,7 @@ rules: name: CWE-94 pretty_name: 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' ref: https://cwe.mitre.org/data/definitions/94.html + recommended: true CWE-940: categories: - ALL @@ -10153,6 +10177,7 @@ rules: pretty_name: 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic' ref: https://cwe.mitre.org/data/definitions/943.html + recommended: true CWE-95: categories: - ALL @@ -10168,6 +10193,7 @@ rules: pretty_name: 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' ref: https://cwe.mitre.org/data/definitions/95.html + recommended: true CWE-96: categories: - ALL @@ -10183,6 +10209,7 @@ rules: pretty_name: 'CWE-96: Improper Neutralization of Directives in Statically Saved Code (''Static Code Injection'')' ref: https://cwe.mitre.org/data/definitions/96.html + recommended: true CWE-97: categories: - ALL @@ -10227,4 +10254,4 @@ default: name: CWE-UNKNOWN pretty_name: CWE-UNKNOWN - Original rule did not map to a known CWE rule description: The original rule could not be map to a CWE rule - ref: https://cwe.mitre.org/data/index.html \ No newline at end of file + ref: https://cwe.mitre.org/data/index.html diff --git a/rules-realm/boostsecurityio/sca-cve/rules.yaml b/rules-realm/boostsecurityio/sca-cve/rules.yaml index 3583092f..a65a9653 100644 --- a/rules-realm/boostsecurityio/sca-cve/rules.yaml +++ b/rules-realm/boostsecurityio/sca-cve/rules.yaml 
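Review bot: Marking `CWE-919` recommended in the second hunk on this line promotes a mapping target that this file itself presents as a grouping rather than a weakness — `pretty_name: CWE-919 - Weaknesses in Mobile Applications` with the description `The code introduces a vulnerability in the mobile application` — so every scanner rule that falls back to this catch-all will now surface in the default set no matter what it actually detects. Either leave it opt-in or tighten the description so a finding mapped here is actionable. Leaving the `CWE-UNKNOWN` default entry at the end of the file without the flag is the right call and is consistent with that reasoning.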
@@ -44,6 +44,7 @@ rules: group: top10-vulnerable-components pretty_name: Dependency with a High Risk Vulnerability ref: https://nvd.nist.gov/vuln-metrics/cvss + recommended: true cve-critical: categories: - ALL @@ -56,3 +57,4 @@ rules: group: top10-vulnerable-components pretty_name: Dependency with a Critical Vulnerability ref: https://nvd.nist.gov/vuln-metrics/cvss + recommended: true diff --git a/rules-realm/boostsecurityio/stored-secrets/rules.yaml b/rules-realm/boostsecurityio/stored-secrets/rules.yaml index e4826f49..e999fd34 100644 --- a/rules-realm/boostsecurityio/stored-secrets/rules.yaml +++ b/rules-realm/boostsecurityio/stored-secrets/rules.yaml @@ -16,3 +16,5 @@ rules: - cwe-798 - cwe-522 - owasp-top-10 + recommended: true + diff --git a/scanners/boostsecurityio/gosec/rules.yaml b/scanners/boostsecurityio/gosec/rules.yaml index 8729a3d4..1cb3406e 100644 --- a/scanners/boostsecurityio/gosec/rules.yaml +++ b/scanners/boostsecurityio/gosec/rules.yaml @@ -13,6 +13,7 @@ rules: description: The software does not properly neutralize special elements within the pathname. ref: https://cwe.mitre.org/data/definitions/22.html + recommended: true G304: categories: - ALL @@ -27,6 +28,7 @@ rules: description: The software does not properly neutralize special elements within the pathname. ref: https://cwe.mitre.org/data/definitions/22.html + recommended: true G305: categories: - ALL @@ -41,6 +43,7 @@ rules: description: The software does not properly neutralize special elements within the pathname. ref: https://cwe.mitre.org/data/definitions/22.html + recommended: true G204: categories: - ALL @@ -55,6 +58,7 @@ rules: description: The software does not eutralize or incorrectly neutralizes special elements that could modify the intended OS command. ref: https://cwe.mitre.org/data/definitions/78.html + recommended: true G203: categories: - ALL 
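Review bot: The `G204` description promoted to the recommended set in the last hunk on this line (`@@ -55,6 +58,7`, the rule named as trailing context of the hunk before it) contains a typo, `does not eutralize or incorrectly neutralizes`, which a default-on rule puts in front of every user; the line should read `description: The software does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command.` The `G302`/`G304`/`G305` hunks above reuse one path-traversal description verbatim, which is fine, but it makes this the only gosec rule on the line whose text differs from its CWE wording.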
@@ -69,6 +73,7 @@ rules: description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output. ref: https://cwe.mitre.org/data/definitions/79.html + recommended: true G107: categories: - ALL @@ -83,6 +88,7 @@ rules: description: The software does not properly delimit the intended arguments, options, or switches within that command string. ref: https://cwe.mitre.org/data/definitions/918.html + recommended: true G201: categories: - ALL @@ -97,6 +103,7 @@ rules: description: The software does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command. ref: https://cwe.mitre.org/data/definitions/89.html + recommended: true G202: categories: - ALL @@ -111,6 +118,7 @@ rules: description: The software does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command. ref: https://cwe.mitre.org/data/definitions/89.html + recommended: true G601: categories: - ALL @@ -186,6 +194,7 @@ rules: description: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. ref: https://cwe.mitre.org/data/definitions/489.html + recommended: true G103: categories: - ALL @@ -246,6 +255,7 @@ rules: pretty_name: 'G402: Look for bad TLS connection settings' description: The software does not validate, or incorrectly validates, a certificate. ref: https://cwe.mitre.org/data/definitions/295.html + recommended: true G403: categories: - ALL @@ -258,6 +268,7 @@ rules: description: The code contains a weakness related to the design and implementation of data confidentiality and integrity. ref: https://cwe.mitre.org/data/definitions/310.html + recommended: true G106: categories: - ALL 
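Review bot: The rule promoted in the second hunk on this line (`G107`, named as trailing context of the preceding hunk) has a description about delimiting `arguments, options, or switches within that command string` while its `ref` points at CWE-918, which this same patch labels `Server-Side Request Forgery (SSRF)` in the mitre-cwe realm — one of the two is wrong, and the recommended flag now puts that mismatch in the default view. If G107 is still gosec's tainted-URL-in-HTTP-request check the ref is the correct half, and the description should say so, e.g. `description: The software issues an HTTP request to a URL derived from untrusted input, allowing requests to unintended hosts.` Please reconcile before it ships as recommended.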
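Review bot: The fifth hunk on this line (`@@ -186,6 +194,7`) recommends a rule whose description is the CWE-200 wording, `exposes sensitive information to an actor that is not explicitly authorized`, while its `ref` is CWE-489, which the mitre-cwe realm in this patch names `Active Debug Code`. The rule key sits above the hunk so I cannot tell which gosec check this is, but the description and ref describe different weaknesses and should be aligned before the rule is enabled by default.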
@@ -271,6 +282,7 @@ rules: description: The software performs a key exchange with an actor without verifying the identity of that actor. ref: https://cwe.mitre.org/data/definitions/322.html + recommended: true G401: categories: - ALL @@ -309,6 +321,7 @@ rules: description: The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. ref: https://cwe.mitre.org/data/definitions/327.html + recommended: true G503: categories: - ALL @@ -322,6 +335,7 @@ rules: description: The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. ref: https://cwe.mitre.org/data/definitions/327.html + recommended: true G504: categories: - ALL @@ -335,6 +349,7 @@ rules: description: The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. ref: https://cwe.mitre.org/data/definitions/327.html + recommended: true G505: categories: - ALL @@ -360,6 +375,7 @@ rules: description: The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. ref: https://cwe.mitre.org/data/definitions/338.html + recommended: true G303: categories: - ALL @@ -430,6 +446,7 @@ rules: description: The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software. ref: https://cwe.mitre.org/data/definitions/703.html + recommended: true G101: categories: - ALL @@ -448,3 +465,4 @@ rules: or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. ref: https://cwe.mitre.org/data/definitions/798.html + recommended: true diff --git a/scanners/boostsecurityio/modelscan/rules.yaml b/scanners/boostsecurityio/modelscan/rules.yaml index 6754a20f..789fa9f5 100644 
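Review bot: The sixth hunk on this line (`@@ -430,6 +446,7`) recommends the rule whose description is `does not properly anticipate or handle exceptional conditions` with a CWE-703 ref; its key is outside the hunk, but if this is `G104` (unchecked error returns) it is by a wide margin gosec's highest-volume finding and mostly not a security defect, so a default-on set will lead with noise. Consider keeping it opt-in, or add a comment on the entry stating why it belongs in the recommended set alongside the crypto and PRNG rules above it, which are unambiguous.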
--- a/scanners/boostsecurityio/modelscan/rules.yaml +++ b/scanners/boostsecurityio/modelscan/rules.yaml @@ -12,3 +12,4 @@ rules: group: top10-vulnerable-components pretty_name: Serialized AI model with malicious behavior ref: https://github.com/protectai/modelscan?tab=readme-ov-file#what-models-and-frameworks-are-supported + recommended: true diff --git a/scanners/boostsecurityio/scanner/rules.yaml b/scanners/boostsecurityio/scanner/rules.yaml index 5c56b286..3b6d6be4 100644 --- a/scanners/boostsecurityio/scanner/rules.yaml +++ b/scanners/boostsecurityio/scanner/rules.yaml @@ -29,6 +29,7 @@ rules: name: cert-insecure-signing-algorithm pretty_name: Cert Insecure Signing Algorithm ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insecure-signing-algorithm.html' + recommended: true cert-insufficient-key-length: categories: - ALL @@ -40,6 +41,7 @@ rules: name: cert-insufficient-key-length pretty_name: Cert Insufficient Key Length ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insufficient-key-length.html' + recommended: true cicd-binary-artifacts-stored-in-scm: categories: - ALL @@ -55,6 +57,7 @@ rules: name: cicd-binary-artifacts-stored-in-scm pretty_name: CI/CD - Binary artifacts stored in SCM ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-binary-artifacts-stored-in-scm.html' + recommended: true cicd-circleci-unversioned-orb: categories: - ALL @@ -67,6 +70,7 @@ rules: name: cicd-circleci-unversioned-orb pretty_name: CI/CD - CircleCI Unversionned Orb ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-unversioned-orb.html' + recommended: true cicd-circleci-shell-injection: categories: - ALL @@ -79,6 +83,7 @@ rules: name: cicd-circleci-shell-injection pretty_name: CI/CD - CircleCI Shell Injection ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-shell-injection.html' + recommended: true cicd-gha-unsecure-commands: categories: - ALL 
@@ -92,6 +97,7 @@ rules: name: cicd-gha-unsecure-commands pretty_name: CI/CD - GitHub Action Unsecure Commands ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-unsecure-commands.html' + recommended: true cicd-unpinned-dependencies: categories: - ALL @@ -107,6 +113,7 @@ rules: name: cicd-unpinned-dependencies pretty_name: CI/CD - Using unpinned dependencies ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-unpinned-dependencies.html' + recommended: true cicd-gha-workflow-dispatch-inputs: categories: - ALL @@ -119,3 +126,4 @@ rules: name: cicd-gha-workflow-dispatch-inputs pretty_name: CI/CD - GitHub Action uses inputs ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-workflow-dispatch-inputs.html' + recommended: true diff --git a/scanners/boostsecurityio/trivy-image/rules.yaml b/scanners/boostsecurityio/trivy-image/rules.yaml index 3583092f..a65a9653 100644 --- a/scanners/boostsecurityio/trivy-image/rules.yaml +++ b/scanners/boostsecurityio/trivy-image/rules.yaml @@ -44,6 +44,7 @@ rules: group: top10-vulnerable-components pretty_name: Dependency with a High Risk Vulnerability ref: https://nvd.nist.gov/vuln-metrics/cvss + recommended: true cve-critical: categories: - ALL @@ -56,3 +57,4 @@ rules: group: top10-vulnerable-components pretty_name: Dependency with a Critical Vulnerability ref: https://nvd.nist.gov/vuln-metrics/cvss + recommended: true diff --git a/server-side-scanners/boostsecurityio/cicd/rules.yaml b/server-side-scanners/boostsecurityio/cicd/rules.yaml index f161af5b..9100b0b9 100644 --- a/server-side-scanners/boostsecurityio/cicd/rules.yaml +++ b/server-side-scanners/boostsecurityio/cicd/rules.yaml @@ -11,6 +11,7 @@ rules: name: cicd-azure-devops-missing-authz-for-project pretty_name: CI/CD - Azure DevOps Project Limit Pipelines Authorization Scope ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-azure-devops-missing-authz-for-project.html' + recommended: true cicd-azure-devops-variables-settable-at-queue-time: categories: - ALL 
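Review bot: The trivy-image hunks on this line apply to a file whose before/after blob ids (`index 3583092f..a65a9653`) are identical to those of `sca-cve/rules.yaml` earlier in the patch, i.e. the two files are byte-for-byte copies that had to be edited twice. That is easy to let drift — the next person to add a rule or tweak a group will likely touch only one; if both scanners are meant to share the same CVE rule set, consider noting that at the top of each file (`# keep in sync with rules-realm/boostsecurityio/sca-cve/rules.yaml`) or generating one from the other.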
@@ -23,6 +24,7 @@ rules: name: cicd-azure-devops-variables-settable-at-queue-time pretty_name: CI/CD - Limit Azure Pipelines Variables ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-azure-devops-variables-settable-at-queue-time.html' + recommended: true cicd-azure-devops-using-user-managed-agent-pools: categories: - ALL @@ -35,6 +37,7 @@ rules: name: cicd-azure-devops-using-user-managed-agent-pools pretty_name: CI/CD - Azure Pipeline Self-Hosted Agent Pools ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-azure-devops-using-user-managed-agent-pools.html' + recommended: true cicd-branch-protection-absent: categories: - ALL @@ -49,6 +52,7 @@ rules: name: cicd-branch-protection-absent pretty_name: CI/CD - Missing Repository Branch Protection ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-branch-protection.html' + recommended: true cicd-branch-protection-allows-deletion: categories: - ALL @@ -64,6 +68,7 @@ rules: name: cicd-branch-protection-allows-deletion pretty_name: CI/CD - Branch Protection - Allows deletions of branch ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-branch-protection.html' + recommended: true cicd-branch-protection-allows-force-pushes: categories: - ALL @@ -78,6 +83,7 @@ rules: name: cicd-branch-protection-allows-force-pushes pretty_name: CI/CD - Branch Protection - Allows force pushes ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-branch-protection.html' + recommended: true cicd-branch-protection-allows-non-linear-history: categories: - ALL @@ -116,6 +122,7 @@ rules: name: cicd-branch-protection-no-code-owners-review-required pretty_name: CI/CD - Branch Protection - No review required from Code Owners ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-branch-protection.html' + recommended: true cicd-branch-protection-no-commit-signature-required: categories: - ALL 
@@ -130,6 +137,7 @@ rules: name: cicd-branch-protection-no-commit-signature-required pretty_name: CI/CD - Branch Protection - No signed commits required ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-branch-protection.html' + recommended: true cicd-branch-protection-not-enforced-for-admins: categories: - ALL @@ -145,6 +153,7 @@ rules: name: cicd-branch-protection-not-enforced-for-admins pretty_name: CI/CD - Branch Protection - Not enforced for admin roles ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-branch-protection.html' + recommended: true cicd-branch-protection-stale-reviews-remain-valid: categories: - ALL @@ -159,6 +168,7 @@ rules: name: cicd-branch-protection-stale-reviews-remain-valid pretty_name: CI/CD - Branch Protection - Stale review approvals remain valid ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-branch-protection.html' + recommended: true cicd-branch-protection-zero-approval-required: categories: - ALL @@ -173,6 +183,7 @@ rules: name: cicd-branch-protection-zero-approval-required pretty_name: CI/CD - Branch Protection - No (zero) approving review required ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-branch-protection.html' + recommended: true cicd-branch-protection-zero-status-check-required: categories: - ALL @@ -187,6 +198,7 @@ rules: name: cicd-branch-protection-zero-status-check-required pretty_name: CI/CD - Branch Protection - No (zero) status check required ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-branch-protection.html' + recommended: true cicd-branch-protection-allows-self-reviewed-code: categories: - ALL @@ -202,6 +214,7 @@ rules: pretty_name: CI/CD - Branch Protection - Allows reviewer to self-review their own changes ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-branch-protection.html' + recommended: true cicd-gha-can-create-and-approve-pull-requests: categories: - ALL 
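Review bot: Recommending `cicd-branch-protection-no-commit-signature-required` in the first hunk on this line will raise a finding on every protected branch that does not require signed commits, a policy most organisations have not adopted, whereas the admin-enforcement, stale-review, approval-count, status-check and self-review rules in the following hunks are near-universal baselines. `cicd-branch-protection-allows-non-linear-history` on the previous line was left out, which suggests the bar for the set is "broadly applicable"; by that bar the signed-commit rule looks like it should stay opt-in, or carry a comment explaining why it is in.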
@@ -216,6 +229,7 @@ rules: name: cicd-gha-can-create-and-approve-pull-requests pretty_name: CI/CD - GitHub Actions can approve pull requests ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-can-create-and-approve-pull-requests.html' + recommended: true cicd-gha-org-secret-publicly-visible: categories: - ALL @@ -229,6 +243,7 @@ rules: name: cicd-gha-org-secret-publicly-visible pretty_name: CI/CD - GitHub Organization Secret visible from public repositories ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-org-secret-publicly-visible.html' + recommended: true cicd-gha-org-allows-all-actions: categories: - ALL @@ -242,6 +257,7 @@ rules: name: cicd-gha-org-allows-all-actions pretty_name: CI/CD - All GitHub Actions are allowed to run ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-org-allows-all-actions.html' + recommended: true cicd-gha-read-write-token-permissions: categories: - ALL @@ -255,6 +271,7 @@ rules: name: cicd-gha-read-write-token-permissions pretty_name: CI/CD - GitHub Actions have Read / Write permissions ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-read-write-token-permission.html' + recommended: true cicd-sca-scanning-absent: categories: - ALL @@ -269,6 +286,7 @@ rules: name: cicd-sca-scanning-absent pretty_name: CI/CD - Missing Software Composition Analysis (SCA) Scanning ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-sca-scanning-absent.html' + recommended: true cicd-scm-2fa-enforcement-absent: categories: - ALL @@ -283,6 +301,7 @@ rules: name: cicd-scm-2fa-enforcement-absent pretty_name: CI/CD - Missing SCM 2FA Enforcement ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-scm-2fa-enforcement-absent.html' + recommended: true cicd-scm-inactive-members: categories: - ALL @@ -335,6 +354,7 @@ rules: name: cicd-scm-gh-org-high-default-member-permissions pretty_name: CI/CD - Privileged Default Member Permissions ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-scm-gh-org-high-default-member-permissions.html' + recommended: true cicd-scm-gh-org-insecure-webhook: categories: - ALL 
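Review bot: `cicd-gha-read-write-token-permissions` (fourth hunk on this line) keeps a `ref` ending in `cicd-gha-read-write-token-permission.html` — singular, unlike its `name` and unlike every other ref on this line, which match their rule name exactly. Now that the rule is recommended this is one of the first links users will follow; verify the doc page exists under that slug or change the line to `ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-read-write-token-permissions.html'`.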
@@ -349,6 +369,7 @@ rules: name: cicd-scm-gh-org-insecure-webhook pretty_name: CI/CD - Insecure GitHub Webhooks ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-scm-gh-org-insecure-webhook.html' + recommended: true cicd-scm-gh-org-number-of-owners: categories: - ALL @@ -401,6 +422,7 @@ rules: name: cicd-scm-gh-audit-log-oauth-app-restriction-disabled pretty_name: CI/CD - Audit Log - OAuth App Restriction Disabled ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-scm-gh-audit-log-oauth-app-restriction-disabled.html' + recommended: true cicd-scm-gh-audit-log-branch-protection-overriden: categories: - ALL @@ -416,6 +438,7 @@ rules: name: cicd-scm-gh-audit-log-branch-protection-overriden pretty_name: CI/CD - Audit Log - Branch Protection Overridden by Admin ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-scm-gh-audit-log-branch-protection-overriden.html' + recommended: true cicd-scm-gl-on-push-secret-detection: categories: - ALL @@ -430,6 +453,7 @@ rules: name: cicd-scm-gl-on-push-secret-detection pretty_name: CI/CD - GitLab On Push Secret File Detection Missing ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-scm-gl-on-push-secret-detection.html' + recommended: true cicd-scm-private-forks: categories: - ALL diff --git a/server-side-scanners/boostsecurityio/oss-license/rules.yaml b/server-side-scanners/boostsecurityio/oss-license/rules.yaml index 3b32c5cf..20c9f4d6 100644 --- a/server-side-scanners/boostsecurityio/oss-license/rules.yaml +++ b/server-side-scanners/boostsecurityio/oss-license/rules.yaml @@ -9,3 +9,4 @@ rules: group: license-violations pretty_name: Package with Unauthorized License ref: https://docs.boostsecurity.io/rules/index.html + recommended: true diff --git a/server-side-scanners/boostsecurityio/sbom-sca/rules.yaml b/server-side-scanners/boostsecurityio/sbom-sca/rules.yaml index 629f9ed2..269e8603 100644 --- a/server-side-scanners/boostsecurityio/sbom-sca/rules.yaml +++ b/server-side-scanners/boostsecurityio/sbom-sca/rules.yaml 
@@ -15,3 +15,4 @@ rules: group: top10-vulnerable-components pretty_name: Dependency with known malicious behaviour ref: https://github.com/ossf/malicious-packages/tree/main/osv/malicious + recommended: true From 167933b5e40df6cdef73fbf24e9b168e56ab485e Mon Sep 17 00:00:00 2001 From: Alexis-Maurer Fortin Date: Mon, 5 Aug 2024 13:16:50 -0400 Subject: [PATCH 2/5] checkov --- scanners/boostsecurityio/checkov/rules.yaml | 1030 ++++++++++++++++++- 1 file changed, 1029 insertions(+), 1 deletion(-) diff --git a/scanners/boostsecurityio/checkov/rules.yaml b/scanners/boostsecurityio/checkov/rules.yaml index 2a1b1c14..aa07e7ff 100644 --- a/scanners/boostsecurityio/checkov/rules.yaml +++ b/scanners/boostsecurityio/checkov/rules.yaml @@ -20,6 +20,7 @@ rules: group: cloud-unencrypted-resources name: CKV2_ANSIBLE_1 pretty_name: Ensure that HTTPS url is used with uri + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_ANSIBLE_2: categories: @@ -31,6 +32,7 @@ rules: group: cloud-unencrypted-resources name: CKV2_ANSIBLE_2 pretty_name: Ensure that HTTPS url is used with get_url + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_ANSIBLE_3: categories: @@ -42,6 +44,7 @@ rules: group: cloud-weak-configuration name: CKV2_ANSIBLE_3 pretty_name: Ensure block is handling task errors properly + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_ANSIBLE_4: categories: @@ -54,6 +57,7 @@ rules: name: CKV2_ANSIBLE_4 pretty_name: Ensure that packages with untrusted or missing GPG signatures are not used by dnf + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_ANSIBLE_5: categories: @@ -65,6 +69,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV2_ANSIBLE_5 pretty_name: Ensure that SSL validation isn't disabled with dnf + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_ANSIBLE_6: categories: 
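Review bot: In the checkov hunks on this line `recommended: true` is inserted before `ref:`, whereas every file in PATCH 1 appends it after `ref:`; if `checkov/rules.yaml` is generated with keys sorted alphabetically that is fine, otherwise pick one placement so a later generator run or sort does not produce spurious diffs across the realm. Separately, `CKV2_ANSIBLE_3` (`Ensure block is handling task errors properly`) is a playbook-robustness check rather than a security control and reads as noise in a default-on security set next to the GPG-signature and SSL-validation checks around it.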
@@ -76,6 +81,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV2_ANSIBLE_6 pretty_name: Ensure that certificate validation isn't disabled with dnf + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_1: categories: @@ -87,6 +93,7 @@ rules: group: cloud-weak-configuration name: CKV2_AWS_1 pretty_name: Ensure that all NACL are attached to subnets + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_10: categories: @@ -97,6 +104,7 @@ rules: group: cloud-weak-configuration name: CKV2_AWS_10 pretty_name: Ensure CloudTrail trails are integrated with CloudWatch Logs + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_11: categories: @@ -117,6 +125,7 @@ rules: group: cloud-weak-configuration name: CKV2_AWS_12 pretty_name: Ensure the default security group of every VPC restricts all traffic + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_14: categories: @@ -128,6 +137,7 @@ rules: group: cloud-insecure-iam name: CKV2_AWS_14 pretty_name: Ensure that IAM groups includes at least one IAM user + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_15: categories: @@ -139,6 +149,7 @@ rules: name: CKV2_AWS_15 pretty_name: Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_16: categories: @@ -173,6 +184,7 @@ rules: name: CKV2_AWS_19 pretty_name: Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_2: categories: 
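Review bot: Several AWS rules promoted on this line are resource-hygiene or availability checks rather than security controls — `CKV2_AWS_1` (NACLs attached to subnets), `CKV2_AWS_14` (IAM groups contain at least one user), `CKV2_AWS_15` (ASG uses ELB health checks), `CKV2_AWS_19` (EIPs attached to instances) — and in a default-on set they will dominate the finding count without pointing at an exploitable misconfiguration. Meanwhile `CKV2_AWS_11`, visible as context between the `AWS_10` and `AWS_12` hunks, is left out; if it is the VPC flow-logging check it is a stronger detection-readiness control than the NACL/EIP hygiene ones and arguably belongs with `CKV2_AWS_10`. A written criterion for the set ("exploitable, or needed for detection") would let this list be reviewed against something.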
@@ -184,6 +196,7 @@ rules: group: cloud-unencrypted-resources name: CKV2_AWS_2 pretty_name: Ensure that only encrypted EBS volumes are attached to EC2 instances + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_20: categories: @@ -195,6 +208,7 @@ rules: group: cloud-weak-configuration name: CKV2_AWS_20 pretty_name: Ensure that ALB redirects HTTP requests into HTTPS ones + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_21: categories: @@ -206,6 +220,7 @@ rules: group: cloud-insecure-iam name: CKV2_AWS_21 pretty_name: Ensure that all IAM users are members of at least one IAM group. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_22: categories: @@ -226,6 +241,7 @@ rules: group: cloud-weak-configuration name: CKV2_AWS_23 pretty_name: Route53 A Record has Attached Resource + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_27: categories: @@ -292,6 +308,7 @@ rules: group: cloud-weak-configuration name: CKV2_AWS_32 pretty_name: Ensure CloudFront distribution has a response headers policy attached + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_33: categories: @@ -334,6 +351,7 @@ rules: name: CKV2_AWS_36 pretty_name: Ensure terraform is not sending SSM secrets to untrusted domains over HTTP + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_37: categories: @@ -345,6 +363,7 @@ rules: group: supply-chain-scm-weak-configuration name: CKV2_AWS_37 pretty_name: Ensure Codecommit associates an approval rule + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_38: categories: @@ -378,6 +397,7 @@ rules: group: cloud-weak-configuration name: CKV2_AWS_4 pretty_name: Ensure API Gateway stage have logging level defined as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_40: categories: 
@@ -389,6 +409,7 @@ rules: group: cloud-insecure-iam name: CKV2_AWS_40 pretty_name: Ensure AWS IAM policy does not allow full IAM privileges + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_41: categories: @@ -400,6 +421,7 @@ rules: group: cloud-insecure-iam name: CKV2_AWS_41 pretty_name: Ensure an IAM role is attached to EC2 instance + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_42: categories: @@ -411,6 +433,7 @@ rules: group: cloud-unencrypted-resources name: CKV2_AWS_42 pretty_name: Ensure AWS CloudFront distribution uses custom SSL certificate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_43: categories: @@ -422,6 +445,7 @@ rules: group: cloud-resources-public-access name: CKV2_AWS_43 pretty_name: Ensure S3 Bucket does not allow access to all Authenticated users + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_44: categories: @@ -434,6 +458,7 @@ rules: name: CKV2_AWS_44 pretty_name: Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_45: categories: @@ -445,6 +470,7 @@ rules: group: cloud-weak-configuration name: CKV2_AWS_45 pretty_name: Ensure AWS Config recorder is enabled to record all supported resources + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_46: categories: @@ -457,6 +483,7 @@ rules: name: CKV2_AWS_46 pretty_name: Ensure AWS Cloudfront Distribution with S3 have Origin Access set to enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_47: categories: @@ -469,6 +496,7 @@ rules: name: CKV2_AWS_47 pretty_name: Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_48: categories: 
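Review bot: `CKV2_AWS_41` (`Ensure an IAM role is attached to EC2 instance`, second hunk on this line) is not a least-privilege control: an instance that needs no AWS API access is safer with no role at all, and a recommended-set finding nudges teams to attach roles everywhere, widening the blast radius of an instance compromise. If the intent is "use roles instead of static keys", that is already covered by the hard-coded-credential rules recommended in PATCH 1. `CKV2_AWS_47` (last hunk, WAF AMR for the Log4j vulnerability) is a single-CVE, point-in-time rule and an odd fit for a durable default set; consider leaving both opt-in.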
@@ -480,6 +508,7 @@ rules: group: cloud-weak-configuration name: CKV2_AWS_48 pretty_name: Ensure AWS Config must record all possible resources + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_49: categories: @@ -491,6 +520,7 @@ rules: group: cloud-unencrypted-resources name: CKV2_AWS_49 pretty_name: Ensure AWS Database Migration Service endpoints have SSL configured + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_5: categories: @@ -502,6 +532,7 @@ rules: group: cloud-weak-configuration name: CKV2_AWS_5 pretty_name: Ensure that Security Groups are attached to another resource + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_50: categories: @@ -548,6 +579,7 @@ rules: group: cloud-weak-configuration name: CKV2_AWS_53 pretty_name: Ensure AWS API gateway request is validated + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_54: categories: @@ -560,6 +592,7 @@ rules: name: CKV2_AWS_54 pretty_name: Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_55: categories: @@ -571,6 +604,7 @@ rules: group: cloud-weak-configuration name: CKV2_AWS_55 pretty_name: Ensure AWS EMR cluster is configured with security configuration + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_56: categories: @@ -582,6 +616,7 @@ rules: group: cloud-insecure-iam name: CKV2_AWS_56 pretty_name: Ensure AWS Managed IAMFullAccess IAM policy is not used. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_57: categories: @@ -604,6 +639,7 @@ rules: group: cloud-weak-configuration name: CKV2_AWS_58 pretty_name: Ensure AWS Neptune cluster deletion protection is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_59: categories: 
@@ -626,6 +662,7 @@ rules: group: cloud-resources-public-access name: CKV2_AWS_6 pretty_name: Ensure that S3 bucket has a Public Access block + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_60: categories: @@ -637,6 +674,7 @@ rules: group: cloud-weak-configuration name: CKV2_AWS_60 pretty_name: Ensure RDS instance with copy tags to snapshots is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_61: categories: @@ -681,6 +719,7 @@ rules: group: cloud-weak-configuration name: CKV2_AWS_64 pretty_name: Ensure KMS key Policy is defined + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_65: categories: @@ -692,6 +731,7 @@ rules: group: cloud-resources-public-access name: CKV2_AWS_65 pretty_name: Ensure access control lists for S3 buckets are disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_66: categories: @@ -703,6 +743,7 @@ rules: group: cloud-resources-public-access name: CKV2_AWS_66 pretty_name: Ensure MWAA environment is not publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_67: categories: @@ -727,6 +768,7 @@ rules: name: CKV2_AWS_7 pretty_name: Ensure that Amazon EMR clusters' security groups are not open to the world + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_8: categories: @@ -738,6 +780,7 @@ rules: group: cloud-weak-configuration name: CKV2_AWS_8 pretty_name: Ensure that RDS clusters has backup plan of AWS Backup + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AWS_9: categories: @@ -771,6 +814,7 @@ rules: name: CKV2_AZURE_10 pretty_name: Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_11: categories: 
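Review bot: `recommended: true` is set here on CKV2_AWS_60 (copy tags to snapshots) and CKV2_AWS_8 (RDS backup plan), which are operational-hygiene policies rather than security controls, and the same applies further down to CKV_ALI_11 (OSS transfer acceleration), CKV_ALI_30 (RDS minor-version auto upgrade) and CKV_ALI_31 (nodepool auto repair). If the flag feeds a default-on ruleset, these will surface findings that are not security defects next to the public-access, IAM and encryption checks that make up the rest of the change. Nothing in the diff states what qualifies a policy as recommended; a short comment at the top of the file, such as `# recommended: policy is enabled in the default ruleset; reserved for checks whose failure is a security or data-exposure risk`, would make the selection reviewable and would argue for leaving the flag off the policies above.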
@@ -802,6 +846,7 @@ rules: group: cloud-weak-configuration name: CKV2_AZURE_13 pretty_name: Ensure that sql servers enables data security policy + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_14: categories: @@ -813,6 +858,7 @@ rules: group: cloud-unencrypted-resources name: CKV2_AZURE_14 pretty_name: Ensure that Unattached disks are encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_15: categories: @@ -861,6 +907,7 @@ rules: group: cloud-weak-configuration name: CKV2_AZURE_19 pretty_name: Ensure that Azure Synapse workspaces have no IP firewall rules attached + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_2: categories: @@ -873,6 +920,7 @@ rules: name: CKV2_AZURE_2 pretty_name: Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_20: categories: @@ -913,6 +961,7 @@ rules: group: cloud-weak-configuration name: CKV2_AZURE_23 pretty_name: Ensure Azure spring cloud is configured with Virtual network (Vnet) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_24: categories: @@ -925,6 +974,7 @@ rules: name: CKV2_AZURE_24 pretty_name: Ensure Azure automation account does NOT have overly permissive network access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_25: categories: @@ -936,6 +986,7 @@ rules: group: cloud-unencrypted-resources name: CKV2_AZURE_25 pretty_name: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_26: categories: 
@@ -948,6 +999,7 @@ rules: name: CKV2_AZURE_26 pretty_name: Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_27: categories: @@ -959,6 +1011,7 @@ rules: group: cloud-insecure-iam name: CKV2_AZURE_27 pretty_name: Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_28: categories: @@ -970,6 +1023,7 @@ rules: group: cloud-insecure-iam name: CKV2_AZURE_28 pretty_name: Ensure Container Instance is configured with managed identity + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_29: categories: @@ -981,6 +1035,7 @@ rules: group: cloud-weak-configuration name: CKV2_AZURE_29 pretty_name: Ensure AKS cluster has Azure CNI networking enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_3: categories: @@ -993,6 +1048,7 @@ rules: name: CKV2_AZURE_3 pretty_name: Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_30: categories: @@ -1004,6 +1060,7 @@ rules: group: cloud-unencrypted-resources name: CKV2_AZURE_30 pretty_name: Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_31: categories: @@ -1015,6 +1072,7 @@ rules: group: cloud-weak-configuration name: CKV2_AZURE_31 pretty_name: Ensure VNET subnet is configured with a Network Security Group (NSG) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_32: categories: 
@@ -1026,6 +1084,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AZURE_32
 pretty_name: Ensure private endpoint is configured to key vault
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_33:
 categories:
@@ -1037,6 +1096,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AZURE_33
 pretty_name: Ensure storage account is configured with private endpoint
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_34:
 categories:
@@ -1048,6 +1108,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AZURE_34
 pretty_name: Ensure Azure SQL server firewall is not overly permissive
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_35:
 categories:
@@ -1059,6 +1120,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AZURE_35
 pretty_name: Ensure Azure recovery services vault is configured with managed identity
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_36:
 categories:
@@ -1070,6 +1132,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AZURE_36
 pretty_name: Ensure Azure automation account is configured with managed identity
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_37:
 categories:
@@ -1081,6 +1144,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AZURE_37
 pretty_name: Ensure Azure MariaDB server is using latest TLS (1.2)
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_38:
 categories:
@@ -1092,6 +1156,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AZURE_38
 pretty_name: Ensure soft-delete is enabled on Azure storage account
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_39:
 categories:
@@ -1104,6 +1169,7 @@ rules: name: CKV2_AZURE_39 pretty_name: Ensure Azure VM is not configured with public IP and serial console access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_4: categories: @@ -1115,6 +1181,7 @@ rules: group: cloud-weak-configuration name: CKV2_AZURE_4 pretty_name: Ensure Azure SQL server ADS VA Send scan reports to is configured + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_40: categories: @@ -1126,6 +1193,7 @@ rules: group: cloud-insecure-iam name: CKV2_AZURE_40 pretty_name: Ensure storage account is not configured with Shared Key authorization + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_41: categories: @@ -1137,6 +1205,7 @@ rules: group: cloud-weak-secrets-management name: CKV2_AZURE_41 pretty_name: Ensure storage account is configured with SAS expiration policy + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_42: categories: @@ -1148,6 +1217,7 @@ rules: group: cloud-resources-public-access name: CKV2_AZURE_42 pretty_name: Ensure Azure PostgreSQL server is configured with private endpoint + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_43: categories: @@ -1159,6 +1229,7 @@ rules: group: cloud-resources-public-access name: CKV2_AZURE_43 pretty_name: Ensure Azure MariaDB server is configured with private endpoint + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_44: categories: @@ -1170,6 +1241,7 @@ rules: group: cloud-resources-public-access name: CKV2_AZURE_44 pretty_name: Ensure Azure MySQL server is configured with private endpoint + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_45: categories: 
@@ -1181,6 +1253,7 @@ rules: group: cloud-resources-public-access name: CKV2_AZURE_45 pretty_name: Ensure Microsoft SQL server is configured with private endpoint + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_46: categories: @@ -1192,6 +1265,7 @@ rules: group: cloud-weak-configuration name: CKV2_AZURE_46 pretty_name: Ensure that Azure Synapse Workspace vulnerability assessment is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_47: categories: @@ -1203,6 +1277,7 @@ rules: group: cloud-resources-public-access name: CKV2_AZURE_47 pretty_name: Ensure storage account is configured without blob anonymous access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_48: categories: @@ -1225,6 +1300,7 @@ rules: name: CKV2_AZURE_5 pretty_name: Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_6: categories: @@ -1237,6 +1313,7 @@ rules: name: CKV2_AZURE_6 pretty_name: Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_7: categories: @@ -1248,6 +1325,7 @@ rules: group: cloud-weak-configuration name: CKV2_AZURE_7 pretty_name: Ensure that Azure Active Directory Admin is configured + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_8: categories: @@ -1260,6 +1338,7 @@ rules: name: CKV2_AZURE_8 pretty_name: Ensure the storage container storing the activity logs is not publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_9: categories: 
@@ -1271,6 +1350,7 @@ rules: group: cloud-weak-configuration name: CKV2_AZURE_9 pretty_name: Ensure Virtual Machines are utilizing Managed Disks + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_1: categories: @@ -1295,6 +1375,7 @@ rules: pretty_name: Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_11: categories: @@ -1308,6 +1389,7 @@ rules: pretty_name: Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_12: categories: @@ -1320,6 +1402,7 @@ rules: name: CKV2_DOCKER_12 pretty_name: Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_13: categories: @@ -1332,6 +1415,7 @@ rules: name: CKV2_DOCKER_13 pretty_name: Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_14: categories: @@ -1344,6 +1428,7 @@ rules: name: CKV2_DOCKER_14 pretty_name: Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_15: categories: 
@@ -1356,6 +1441,7 @@ rules: name: CKV2_DOCKER_15 pretty_name: Ensure that the yum and dnf package managers are not configured to disable SSL certificate validation via the 'sslverify' configuration option + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_16: categories: @@ -1368,6 +1454,7 @@ rules: name: CKV2_DOCKER_16 pretty_name: Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_17: categories: @@ -1379,6 +1466,7 @@ rules: group: cloud-weak-secrets-management name: CKV2_DOCKER_17 pretty_name: Ensure that 'chpasswd' is not used to set or remove passwords + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_2: categories: @@ -1390,6 +1478,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV2_DOCKER_2 pretty_name: Ensure that certificate validation isn't disabled with curl + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_3: categories: @@ -1401,6 +1490,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV2_DOCKER_3 pretty_name: Ensure that certificate validation isn't disabled with wget + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_4: categories: @@ -1413,6 +1503,7 @@ rules: name: CKV2_DOCKER_4 pretty_name: Ensure that certificate validation isn't disabled with the pip '--trusted-host' option + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_5: categories: @@ -1425,6 +1516,7 @@ rules: name: CKV2_DOCKER_5 pretty_name: Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_6: categories: 
@@ -1437,6 +1529,7 @@ rules: name: CKV2_DOCKER_6 pretty_name: Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_7: categories: @@ -1449,6 +1542,7 @@ rules: name: CKV2_DOCKER_7 pretty_name: Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_8: categories: @@ -1461,6 +1555,7 @@ rules: name: CKV2_DOCKER_8 pretty_name: Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_9: categories: @@ -1473,6 +1568,7 @@ rules: name: CKV2_DOCKER_9 pretty_name: Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_1: categories: @@ -1485,6 +1581,7 @@ rules: name: CKV2_GCP_1 pretty_name: 'Ensure GKE clusters are not running using the Compute Engine default service account ' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_10: categories: @@ -1507,6 +1604,7 @@ rules: group: cloud-weak-configuration name: CKV2_GCP_11 pretty_name: Ensure GCP GCR Container Vulnerability Scanning is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_12: categories: @@ -1519,6 +1617,7 @@ rules: name: CKV2_GCP_12 pretty_name: Ensure GCP compute firewall ingress does not allow unrestricted access to all ports + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_13: categories: 
@@ -1586,6 +1685,7 @@ rules: name: CKV2_GCP_18 pretty_name: Ensure GCP network defines a firewall and does not use the default firewall + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_19: categories: @@ -1609,6 +1709,7 @@ rules: group: cloud-weak-configuration name: CKV2_GCP_2 pretty_name: Ensure legacy networks do not exist for a project + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_20: categories: @@ -1620,6 +1721,7 @@ rules: group: cloud-weak-configuration name: CKV2_GCP_20 pretty_name: Ensure MySQL DB instance has point-in-time recovery backup configured + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_21: categories: @@ -1712,6 +1814,7 @@ rules: group: cloud-resources-public-access name: CKV2_GCP_28 pretty_name: Ensure Vertex AI workbench instances are private + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_29: categories: @@ -1723,6 +1826,7 @@ rules: group: cloud-weak-configuration name: CKV2_GCP_29 pretty_name: Ensure logging is enabled for Dialogflow agents + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_3: categories: @@ -1735,6 +1839,7 @@ rules: name: CKV2_GCP_3 pretty_name: Ensure that there are only GCP-managed service account keys for each service account + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_30: categories: @@ -1746,6 +1851,7 @@ rules: group: cloud-weak-configuration name: CKV2_GCP_30 pretty_name: Ensure logging is enabled for Dialogflow CX agents + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_31: categories: @@ -1757,6 +1863,7 @@ rules: group: cloud-weak-configuration name: CKV2_GCP_31 pretty_name: Ensure logging is enabled for Dialogflow CX webhooks + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_32: categories: 
@@ -1768,6 +1875,7 @@ rules: group: cloud-resources-public-access name: CKV2_GCP_32 pretty_name: Ensure TPU v2 is private + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_33: categories: @@ -1779,6 +1887,7 @@ rules: group: cloud-resources-public-access name: CKV2_GCP_33 pretty_name: Ensure Vertex AI endpoint is private + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_34: categories: @@ -1790,6 +1899,7 @@ rules: group: cloud-resources-public-access name: CKV2_GCP_34 pretty_name: Ensure Vertex AI index endpoint is private + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_35: categories: @@ -1813,6 +1923,7 @@ rules: group: cloud-resources-public-access name: CKV2_GCP_36 pretty_name: Ensure Vertex AI runtime is private + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_4: categories: @@ -1836,6 +1947,7 @@ rules: name: CKV2_GCP_5 pretty_name: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_6: categories: @@ -1848,6 +1960,7 @@ rules: name: CKV2_GCP_6 pretty_name: Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_7: categories: @@ -1860,6 +1973,7 @@ rules: name: CKV2_GCP_7 pretty_name: Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_8: categories: @@ -1871,6 +1985,7 @@ rules: group: cloud-resources-public-access name: CKV2_GCP_8 pretty_name: Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_9: categories: 
@@ -1883,6 +1998,7 @@ rules: name: CKV2_GCP_9 pretty_name: Ensure that Container Registry repositories are not anonymously or publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GHA_1: categories: @@ -1894,6 +2010,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV2_GHA_1 pretty_name: Ensure top-level permissions are not set to write-all + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GIT_1: categories: @@ -1905,6 +2022,7 @@ rules: group: supply-chain-scm-weak-configuration name: CKV2_GIT_1 pretty_name: Ensure each Repository has branch protection associated + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_IBM_1: categories: @@ -1916,6 +2034,7 @@ rules: group: cloud-resources-public-access name: CKV2_IBM_1 pretty_name: Ensure load balancer for VPC is private (disable public access) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_IBM_2: categories: @@ -1927,6 +2046,7 @@ rules: group: cloud-weak-configuration name: CKV2_IBM_2 pretty_name: Ensure VPC classic access is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_IBM_3: categories: @@ -1938,6 +2058,7 @@ rules: group: cloud-weak-secrets-management name: CKV2_IBM_3 pretty_name: Ensure API key creation is restricted in account settings + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_IBM_4: categories: @@ -1950,6 +2071,7 @@ rules: name: CKV2_IBM_4 pretty_name: Ensure Multi-Factor Authentication (MFA) is enabled at the account level + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_IBM_5: categories: @@ -1961,6 +2083,7 @@ rules: group: cloud-insecure-iam name: CKV2_IBM_5 pretty_name: Ensure Service ID creation is restricted in account settings + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_IBM_6: categories: 
@@ -1972,6 +2095,7 @@ rules: group: cloud-weak-configuration name: CKV2_IBM_6 pretty_name: Ensure Databases network access is restricted to a specific IP range + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_IBM_7: categories: @@ -1984,6 +2108,7 @@ rules: name: CKV2_IBM_7 pretty_name: Ensure Kubernetes clusters are accessible by using private endpoint and NOT public endpoint + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_K8S_1: categories: @@ -1996,6 +2121,7 @@ rules: name: CKV2_K8S_1 pretty_name: RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_K8S_2: categories: @@ -2008,6 +2134,7 @@ rules: name: CKV2_K8S_2 pretty_name: Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_K8S_3: categories: @@ -2020,6 +2147,7 @@ rules: name: CKV2_K8S_3 pretty_name: No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_K8S_4: categories: @@ -2033,6 +2161,7 @@ rules: pretty_name: ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_K8S_5: categories: @@ -2044,6 +2173,7 @@ rules: group: cloud-insecure-iam name: CKV2_K8S_5 pretty_name: No ServiceAccount/Node should be able to read all secrets + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_K8S_6: categories: 
@@ -2066,6 +2196,7 @@ rules: group: cloud-insecure-iam name: CKV2_OCI_1 pretty_name: Ensure administrator users are not associated with API keys + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_OCI_2: categories: @@ -2077,6 +2208,7 @@ rules: group: cloud-weak-configuration name: CKV2_OCI_2 pretty_name: Ensure NSG does not allow all traffic on RDP port (3389) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_OCI_3: categories: @@ -2088,6 +2220,7 @@ rules: group: cloud-weak-configuration name: CKV2_OCI_3 pretty_name: Ensure Kubernetes engine cluster is configured with NSG(s) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_OCI_4: categories: @@ -2099,6 +2232,7 @@ rules: group: cloud-weak-configuration name: CKV2_OCI_4 pretty_name: Ensure File Storage File System access is restricted to root users + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_OCI_5: categories: @@ -2111,6 +2245,7 @@ rules: name: CKV2_OCI_5 pretty_name: Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_OCI_6: categories: @@ -2133,6 +2268,7 @@ rules: group: cloud-resources-public-access name: CKV_ALI_1 pretty_name: Alibaba Cloud OSS bucket accessible to public + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_10: categories: @@ -2142,6 +2278,7 @@ rules: group: cloud-weak-configuration name: CKV_ALI_10 pretty_name: Ensure OSS bucket has versioning enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_11: categories: @@ -2151,6 +2288,7 @@ rules: group: cloud-weak-configuration name: CKV_ALI_11 pretty_name: Ensure OSS bucket has transfer Acceleration enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_12: categories: 
@@ -2162,6 +2300,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_ALI_12
 pretty_name: Ensure the OSS bucket has access logging enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_ALI_13:
 categories:
@@ -2220,6 +2359,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_ALI_18
 pretty_name: Ensure RAM password policy prevents password reuse
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_ALI_19:
 categories:
@@ -2240,6 +2380,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_ALI_2
 pretty_name: Ensure no security groups allow ingress from 0.0.0.0:0 to port 22
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_ALI_20:
 categories:
@@ -2251,6 +2392,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_ALI_20
 pretty_name: Ensure RDS instance uses SSL
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_ALI_21:
 categories:
@@ -2262,6 +2404,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_ALI_21
 pretty_name: Ensure API Gateway API Protocol HTTPS
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_ALI_22:
 categories:
@@ -2273,6 +2416,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_ALI_22
 pretty_name: Ensure Transparent Data Encryption is Enabled on instance
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_ALI_23:
 categories:
@@ -2282,6 +2426,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_ALI_23
 pretty_name: Ensure Ram Account Password Policy Max Login Attempts not > 5
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_ALI_24:
 categories:
@@ -2293,6 +2438,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_ALI_24
 pretty_name: Ensure RAM enforces MFA
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_ALI_25:
 categories:
@@ -2314,6 +2460,7 @@ rules: name: CKV_ALI_26 pretty_name: Ensure Kubernetes installs plugin Terway or Flannel to support standard policies + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_27: categories: @@ -2325,6 +2472,7 @@ rules: group: cloud-weak-secrets-management name: CKV_ALI_27 pretty_name: Ensure KMS Key Rotation is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_28: categories: @@ -2336,6 +2484,7 @@ rules: group: cloud-weak-secrets-management name: CKV_ALI_28 pretty_name: Ensure KMS Keys are enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_29: categories: @@ -2345,6 +2494,7 @@ rules: group: cloud-weak-configuration name: CKV_ALI_29 pretty_name: Alibaba ALB ACL does not restrict Access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_3: categories: @@ -2354,6 +2504,7 @@ rules: group: cloud-weak-configuration name: CKV_ALI_3 pretty_name: Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_30: categories: @@ -2363,6 +2514,7 @@ rules: group: cloud-weak-configuration name: CKV_ALI_30 pretty_name: Ensure RDS instance auto upgrades for minor versions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_31: categories: @@ -2372,6 +2524,7 @@ rules: group: cloud-weak-configuration name: CKV_ALI_31 pretty_name: Ensure K8s nodepools are set to auto repair + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_32: categories: @@ -2381,6 +2534,7 @@ rules: group: cloud-unencrypted-resources name: CKV_ALI_32 pretty_name: Ensure launch template data disks are encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_33: categories: 
@@ -2390,6 +2544,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_ALI_33
 pretty_name: Alibaba Cloud Cypher Policy are secure
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_ALI_35:
 categories:
@@ -2435,6 +2590,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_ALI_4
 pretty_name: Ensure Action Trail Logging for all regions
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_ALI_41:
 categories:
@@ -2444,6 +2600,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_ALI_41
 pretty_name: Ensure MongoDB is deployed inside a VPC
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_ALI_42:
 categories:
@@ -2453,6 +2610,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_ALI_42
 pretty_name: Ensure Mongodb instance uses SSL
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_ALI_43:
 categories:
@@ -2462,6 +2620,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_ALI_43
 pretty_name: Ensure MongoDB instance is not public
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_ALI_44:
 categories:
@@ -2471,6 +2630,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_ALI_44
 pretty_name: Ensure MongoDB has Transparent Data Encryption Enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_ALI_5:
 categories:
@@ -2480,6 +2640,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_ALI_5
 pretty_name: Ensure Action Trail Logging for all events
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_ALI_6:
 categories:
@@ -2498,6 +2659,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_ALI_7
 pretty_name: Ensure disk is encrypted
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_ALI_8:
 categories:
@@ -2516,6 +2678,7 @@ rules: group: cloud-resources-public-access name: CKV_ALI_9 pretty_name: Ensure database instance is not public + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ANSIBLE_1: categories:
@@ -2527,6 +2690,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV_ANSIBLE_1 pretty_name: Ensure that certificate validation isn't disabled with uri + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ANSIBLE_2: categories:
@@ -2538,6 +2702,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV_ANSIBLE_2 pretty_name: Ensure that certificate validation isn't disabled with get_url + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ANSIBLE_3: categories:
@@ -2549,6 +2714,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV_ANSIBLE_3 pretty_name: Ensure that certificate validation isn't disabled with yum + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ANSIBLE_4: categories:
@@ -2560,6 +2726,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV_ANSIBLE_4 pretty_name: Ensure that SSL validation isn't disabled with yum + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ANSIBLE_5: categories:
@@ -2572,6 +2739,7 @@ rules: name: CKV_ANSIBLE_5 pretty_name: Ensure that packages with untrusted or missing signatures are not used + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ANSIBLE_6: categories:
@@ -2585,6 +2753,7 @@ rules: pretty_name: Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ARGO_1: categories:
@@ -2596,6 +2765,7 @@ rules: group: cloud-weak-configuration name: CKV_ARGO_1 pretty_name: Ensure Workflow pods are not using the default ServiceAccount + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ARGO_2: categories:
@@ -2607,6 +2777,7 @@ rules: group: cloud-weak-configuration name: CKV_ARGO_2 pretty_name: Ensure Workflow pods are running as non-root user + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_1: categories:
@@ -2619,6 +2790,7 @@ rules: name: CKV_AWS_1 pretty_name: Ensure IAM policies that allow full "*-*" administrative privileges are not created + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_10: categories:
@@ -2642,6 +2814,7 @@ rules: name: CKV_AWS_100 pretty_name: Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_101: categories:
@@ -2663,6 +2836,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_102 pretty_name: Ensure Neptune Cluster instance is not publicly available + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_103: categories:
@@ -2674,6 +2848,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_103 pretty_name: Ensure that load balancer is using at least TLS 1.2 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_104: categories:
@@ -2696,6 +2871,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_105 pretty_name: Ensure Redshift uses SSL + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_106: categories:
@@ -2707,6 +2883,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_106 pretty_name: Ensure EBS default encryption is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_107: categories:
@@ -2718,6 +2895,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_107 pretty_name: Ensure IAM policies does not allow credentials exposure + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_108: categories:
@@ -2728,6 +2906,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_108 pretty_name: Ensure IAM policies does not allow data exfiltration + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_109: categories:
@@ -2740,6 +2919,7 @@ rules: name: CKV_AWS_109 pretty_name: Ensure IAM policies does not allow permissions management / resource exposure without constraints + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_11: categories:
@@ -2761,6 +2941,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_110 pretty_name: Ensure IAM policies does not allow privilege escalation + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_111: categories:
@@ -2772,6 +2953,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_111 pretty_name: Ensure IAM policies does not allow write access without constraints + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_112: categories:
@@ -2783,6 +2965,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_112 pretty_name: Ensure Session Manager data is encrypted in transit + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_113: categories:
@@ -2794,6 +2977,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_113 pretty_name: Ensure Session Manager logs are enabled and encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_114: categories:
@@ -2805,6 +2989,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_114 pretty_name: Ensure that EMR clusters with Kerberos have Kerberos Realm set + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_115: categories:
@@ -2887,6 +3072,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_121 pretty_name: Ensure AWS Config is enabled in all regions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_122: categories:
@@ -2899,6 +3085,7 @@ rules: name: CKV_AWS_122 pretty_name: Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_123: categories:
@@ -2910,6 +3097,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_123 pretty_name: Ensure that VPC Endpoint Service is configured for Manual Acceptance + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_124: categories:
@@ -2942,6 +3130,7 @@ rules: name: CKV_AWS_127 pretty_name: Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_128: categories:
@@ -2954,6 +3143,7 @@ rules: name: CKV_AWS_128 pretty_name: Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_129: categories:
@@ -2977,6 +3167,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_13 pretty_name: Ensure IAM password policy prevents password reuse + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_130: categories:
@@ -2988,6 +3179,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_130 pretty_name: Ensure VPC subnets do not assign public IP by default + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_131: categories:
@@ -2999,6 +3191,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_131 pretty_name: Ensure that ALB drops HTTP headers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_133: categories:
@@ -3010,6 +3203,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_133 pretty_name: Ensure that RDS instances has backup policy + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_134: categories:
@@ -3022,6 +3216,7 @@ rules: name: CKV_AWS_134 pretty_name: Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_135: categories:
@@ -3052,6 +3247,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_137 pretty_name: Ensure that Elasticsearch is configured inside a VPC + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_138: categories:
@@ -3073,6 +3269,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_139 pretty_name: Ensure that RDS clusters have deletion protection enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_14: categories:
@@ -3094,6 +3291,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_140 pretty_name: Ensure that RDS global clusters are encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_141: categories:
@@ -3105,6 +3303,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_141 pretty_name: Ensured that redshift cluster allowing version upgrade by default + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_142: categories:
@@ -3154,6 +3353,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_146 pretty_name: Ensure that RDS database cluster snapshot is encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_147: categories:
@@ -3165,6 +3365,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_147 pretty_name: Ensure that CodeBuild projects are encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_148: categories:
@@ -3175,6 +3376,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_148 pretty_name: Ensure no default VPC is planned to be provisioned + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_149: categories:
@@ -3205,6 +3407,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_150 pretty_name: Ensure that Load Balancer has deletion protection enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_152: categories:
@@ -3237,6 +3440,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_154 pretty_name: Ensure Redshift is not deployed outside of a VPC + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_155: categories:
@@ -3248,6 +3452,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_155 pretty_name: Ensure that Workspace user volumes are encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_156: categories:
@@ -3259,6 +3464,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_156 pretty_name: Ensure that Workspace root volumes are encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_157: categories:
@@ -3289,6 +3495,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_159 pretty_name: Ensure that Athena Workgroup is encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_16: categories:
@@ -3300,6 +3507,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_16 pretty_name: Ensure all data stored in the RDS is securely encrypted at rest + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_160: categories:
@@ -3342,6 +3550,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_163 pretty_name: Ensure ECR image scanning on push is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_164: categories:
@@ -3353,6 +3562,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_164 pretty_name: Ensure Transfer Server is not exposed publicly. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_165: categories:
@@ -3365,6 +3575,7 @@ rules: name: CKV_AWS_165 pretty_name: Ensure Dynamodb point in time recovery (backup) is enabled for global tables + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_166: categories:
@@ -3386,6 +3597,7 @@ rules: name: CKV_AWS_167 pretty_name: Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_168: categories:
@@ -3398,6 +3610,7 @@ rules: name: CKV_AWS_168 pretty_name: Ensure SQS queue policy is not public by only allowing specific services or principals to access it + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_169: categories:
@@ -3410,6 +3623,7 @@ rules: name: CKV_AWS_169 pretty_name: Ensure SNS topic policy is not public by only allowing specific services or principals to access it + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_17: categories:
@@ -3421,6 +3635,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_17 pretty_name: Ensure all data stored in RDS is not publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_170: categories:
@@ -3432,6 +3647,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_170 pretty_name: Ensure QLDB ledger permissions mode is set to STANDARD + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_171: categories:
@@ -3454,6 +3670,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_172 pretty_name: Ensure QLDB ledger has deletion protection enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_173: categories:
@@ -3475,6 +3692,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_174 pretty_name: Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_175: categories:
@@ -3645,6 +3863,7 @@ rules: name: CKV_AWS_19 pretty_name: Ensure all data stored in the S3 bucket is securely encrypted at rest + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_190: categories:
@@ -3675,6 +3894,7 @@ rules: name: CKV_AWS_192 pretty_name: Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_193: categories:
@@ -3686,6 +3906,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_193 pretty_name: Ensure AppSync has Logging enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_194: categories:
@@ -3697,6 +3918,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_194 pretty_name: Ensure AppSync has Field-Level logs enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_195: categories:
@@ -3708,6 +3930,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_195 pretty_name: Ensure Glue component has a security configuration associated + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_196: categories:
@@ -3719,6 +3942,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_196 pretty_name: Ensure no aws_elasticache_security_group resources exist + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_197: categories:
@@ -3730,6 +3954,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_197 pretty_name: Ensure MQ Broker Audit logging is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_198: categories:
@@ -3741,6 +3966,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_198 pretty_name: Ensure no aws_db_security_group resources exist + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_199: categories:
@@ -3762,6 +3988,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_2 pretty_name: Ensure ALB protocol is HTTPS + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_20: categories:
@@ -3773,6 +4000,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_20 pretty_name: S3 Bucket has an ACL defined which allows public READ access. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_200: categories:
@@ -3802,6 +4030,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_202 pretty_name: Ensure MemoryDB data is encrypted in transit + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_203: categories:
@@ -3832,6 +4061,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_205 pretty_name: Ensure to Limit AMI launch Permissions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_206: categories:
@@ -3843,6 +4073,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_206 pretty_name: Ensure API Gateway Domain uses a modern security Policy + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_207: categories:
@@ -3854,6 +4085,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_207 pretty_name: Ensure MQ Broker minor version updates are enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_208: categories:
@@ -3865,6 +4097,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_208 pretty_name: Ensure MQBroker version is current + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_209: categories:
@@ -3895,6 +4128,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_210 pretty_name: Batch job does not define a privileged container + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_211: categories:
@@ -3906,6 +4140,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_211 pretty_name: Ensure RDS uses a modern CaCert + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_212: categories:
@@ -3927,6 +4162,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_213 pretty_name: Ensure ELB Policy uses only secure protocols + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_214: categories:
@@ -3938,6 +4174,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_214 pretty_name: Ensure Appsync API Cache is encrypted at rest + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_215: categories:
@@ -3949,6 +4186,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_215 pretty_name: Ensure Appsync API Cache is encrypted in transit + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_216: categories:
@@ -3969,6 +4207,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_217 pretty_name: Ensure Create before destroy for API deployments + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_218: categories:
@@ -3980,6 +4219,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_218 pretty_name: Ensure that Cloudsearch is using latest TLS + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_219: categories:
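Review bot: CKV_AWS_217 (`Ensure Create before destroy for API deployments`) is given `recommended: true` in this group of hunks although it is a lifecycle/availability check with no security impact, which dilutes a recommended set that otherwise carries public-access, IAM and encryption controls. The same applies to CKV_AWS_225 (`Ensure API Gateway method setting caching is enabled`) in the next group, CKV_AWS_23, CKV_AWS_233 and CKV_AWS_237 (rule descriptions, create-before-destroy) in the group after that, and CKV_AWS_261 (`Ensure HTTP HTTPS Target group defines Healthcheck`) further down. The commit does not state the criterion used to select recommended rules, so a reviewer cannot tell whether these are deliberate; a one-line statement of the criterion in the commit description, or a comment on the `recommended` key where it is first introduced in the file, would settle that. If the criterion is security impact, I would drop `recommended: true` from those six entries rather than add it.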
@@ -4009,6 +4249,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_220 pretty_name: Ensure that Cloudsearch is using https + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_221: categories:
@@ -4030,6 +4271,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_222 pretty_name: Ensure DMS instance gets all minor upgrade automatically + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_223: categories:
@@ -4041,6 +4283,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_223 pretty_name: Ensure ECS Cluster enables logging of ECS Exec + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_224: categories:
@@ -4061,6 +4304,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_225 pretty_name: Ensure API Gateway method setting caching is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_226: categories:
@@ -4072,6 +4316,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_226 pretty_name: Ensure DB instance gets all minor upgrades automatically + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_227: categories:
@@ -4083,6 +4328,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_227 pretty_name: Ensure KMS key is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_228: categories:
@@ -4094,6 +4340,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_228 pretty_name: Verify Elasticsearch domain is using an up to date TLS policy + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_229: categories:
@@ -4105,6 +4352,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_229 pretty_name: Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_23: categories:
@@ -4116,6 +4364,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_23 pretty_name: Ensure every security groups rule has a description + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_230: categories:
@@ -4127,6 +4376,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_230 pretty_name: Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_231: categories:
@@ -4138,6 +4388,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_231 pretty_name: Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_232: categories:
@@ -4149,6 +4400,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_232 pretty_name: Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_233: categories:
@@ -4160,6 +4412,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_233 pretty_name: Ensure Create before destroy for ACM certificates + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_234: categories:
@@ -4170,6 +4423,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_234 pretty_name: Verify logging preference for ACM certificates + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_235: categories:
@@ -4181,6 +4435,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_235 pretty_name: Ensure that copied AMIs are encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_236: categories:
@@ -4201,6 +4456,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_237 pretty_name: Ensure Create before destroy for API GATEWAY + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_238: categories:
@@ -4232,6 +4488,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_24 pretty_name: Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_240: categories:
@@ -4243,6 +4500,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_240 pretty_name: Ensure Kinesis Firehose delivery stream is encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_241: categories:
@@ -4264,6 +4522,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_242 pretty_name: Ensure MWAA environment has scheduler logs enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_243: categories:
@@ -4275,6 +4534,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_243 pretty_name: Ensure MWAA environment has worker logs enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_244: categories:
@@ -4286,6 +4546,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_244 pretty_name: Ensure MWAA environment has webserver logs enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_245: categories:
@@ -4304,6 +4565,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_246 pretty_name: Ensure RDS Cluster activity streams are encrypted using KMS CMKs + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_247: categories:
@@ -4313,6 +4575,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_247 pretty_name: Ensure all data stored in the Elasticsearch is encrypted with a CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_248: categories:
@@ -4324,6 +4587,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_248 pretty_name: Ensure that Elasticsearch is not using the default Security Group + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_249: categories:
@@ -4335,6 +4599,7 @@ rules: name: CKV_AWS_249 pretty_name: Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_25: categories:
@@ -4346,6 +4611,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_25 pretty_name: Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_250: categories:
@@ -4358,6 +4624,7 @@ rules: name: CKV_AWS_250 pretty_name: Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_251: categories:
@@ -4369,6 +4636,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_251 pretty_name: Ensure CloudTrail logging is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_252: categories:
@@ -4378,6 +4646,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_252 pretty_name: Ensure CloudTrail defines an SNS Topic + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_253: categories:
@@ -4389,6 +4658,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_253 pretty_name: Ensure DLM cross region events are encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_254: categories:
@@ -4399,6 +4669,7 @@ rules: name: CKV_AWS_254 pretty_name: Ensure DLM cross region events are encrypted with Customer Managed Key + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_255: categories:
@@ -4410,6 +4681,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_255 pretty_name: Ensure DLM cross region schedules are encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_256: categories:
@@ -4420,6 +4692,7 @@ rules: name: CKV_AWS_256 pretty_name: Ensure DLM cross region schedules are encrypted using a Customer Managed Key + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_257: categories:
@@ -4430,6 +4703,7 @@ rules: group: supply-chain-scm-weak-configuration name: CKV_AWS_257 pretty_name: Ensure codecommit branch changes have at least 2 approvals + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_258: categories:
@@ -4441,6 +4715,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_258 pretty_name: Ensure that Lambda function URLs AuthType is not None + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_259: categories:
@@ -4453,6 +4728,7 @@ rules: name: CKV_AWS_259 pretty_name: Ensure CloudFront response header policy enforces Strict Transport Security + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_26: categories:
@@ -4464,6 +4740,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_26 pretty_name: Ensure all data stored in the SNS topic is encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_260: categories:
@@ -4475,6 +4752,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_260 pretty_name: Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_261: categories:
@@ -4485,6 +4763,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_261 pretty_name: Ensure HTTP HTTPS Target group defines Healthcheck + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_262: categories:
@@ -4494,6 +4773,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_262 pretty_name: Ensure Kendra index Server side encryption uses CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_263: categories:
@@ -4503,6 +4783,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_263 pretty_name: Ensure App Flow flow uses CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_264: categories:
@@ -4512,6 +4793,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_264 pretty_name: Ensure App Flow connector profile uses CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_265: categories:
@@ -4521,6 +4803,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_265 pretty_name: Ensure Keyspaces Table uses CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_266: categories:
@@ -4530,6 +4813,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_266 pretty_name: Ensure App Flow connector profile uses CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_267: categories:
@@ -4540,6 +4824,7 @@ rules: name: CKV_AWS_267 pretty_name: Ensure that Comprehend Entity Recognizer's model is encrypted by KMS using a customer managed Key (CMK) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_268: categories:
@@ -4550,6 +4835,7 @@ rules: name: CKV_AWS_268 pretty_name: Ensure that Comprehend Entity Recognizer's volume is encrypted by KMS using a customer managed Key (CMK) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_269: categories:
@@ -4560,6 +4846,7 @@ rules: name: CKV_AWS_269 pretty_name: Ensure Connect Instance Kinesis Video Stream Storage Config uses CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_27: categories:
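Review bot: CKV_AWS_264 and CKV_AWS_266 carry the identical `pretty_name: Ensure App Flow connector profile uses CMK` and both receive `recommended: true` in this group of hunks, so any listing of recommended rules will show two entries that users cannot tell apart. The duplicate predates this commit, but promoting both to recommended is what makes it user-visible, so it is worth checking the Checkov policy index linked in the `ref` field to confirm whether CKV_AWS_266 actually covers a different resource and fixing its `pretty_name` in the same change. I would also note that the CMK checks CKV_AWS_263 through CKV_AWS_266 sit in `group: cloud-weak-configuration` while the neighbouring CMK checks CKV_AWS_262 and CKV_AWS_271 are in `cloud-unencrypted-resources`; if recommended rules are reported per group, that inconsistency will surface at the same time.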
@@ -4571,6 +4858,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_27 pretty_name: Ensure all data stored in the SQS queue is encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_270: categories:
@@ -4580,6 +4868,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_270 pretty_name: Ensure Connect Instance S3 Storage Config uses CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_271: categories:
@@ -4589,6 +4878,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_271 pretty_name: Ensure DynamoDB table replica KMS encryption uses CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_272: categories:
@@ -4600,6 +4890,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_272 pretty_name: Ensure AWS Lambda function is configured to validate code-signing + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_273: categories:
@@ -4610,6 +4901,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_273 pretty_name: Ensure access is controlled through SSO and not AWS IAM defined users + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_274: categories:
@@ -4621,6 +4913,7 @@ rules: name: CKV_AWS_274 pretty_name: Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_275: categories:
@@ -4631,6 +4924,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_275 pretty_name: Disallow policies from using the AWS AdministratorAccess policy + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_276: categories:
@@ -4640,6 +4934,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_276 pretty_name: Ensure Data Trace is not enabled in API Gateway Method Settings + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_277: categories:
@@ -4651,6 +4946,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_277 pretty_name: Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_278: categories: @@ -4663,6 +4959,7 @@ rules: name: CKV_AWS_278 pretty_name: Ensure MemoryDB snapshot is encrypted by KMS using a customer managed Key (CMK) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_279: categories: @@ -4674,6 +4971,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_279 pretty_name: Ensure Neptune snapshot is securely encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_28: categories: @@ -4685,6 +4983,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_28 pretty_name: Ensure Dynamodb point in time recovery (backup) is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_280: categories: @@ -4697,6 +4996,7 @@ rules: name: CKV_AWS_280 pretty_name: Ensure Neptune snapshot is encrypted by KMS using a customer managed Key (CMK) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_281: categories: @@ -4709,6 +5009,7 @@ rules: name: CKV_AWS_281 pretty_name: Ensure RedShift snapshot copy is encrypted by KMS using a customer managed Key (CMK) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_282: categories: @@ -4721,6 +5022,7 @@ rules: name: CKV_AWS_282 pretty_name: Ensure that Redshift Serverless namespace is encrypted by KMS using a customer managed key (CMK) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_283: categories: @@ -4733,6 +5035,7 @@ rules: name: CKV_AWS_283 pretty_name: Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_284: categories: 
@@ -4744,6 +5047,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_284 pretty_name: Ensure State Machine has X-Ray tracing enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_285: categories: @@ -4755,6 +5059,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_285 pretty_name: Ensure State Machine has execution history logging enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_286: categories: @@ -4766,6 +5071,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_286 pretty_name: Ensure IAM policies does not allow privilege escalation + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_287: categories: @@ -4777,6 +5083,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_287 pretty_name: Ensure IAM policies does not allow credentials exposure + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_288: categories: @@ -4788,6 +5095,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_288 pretty_name: Ensure IAM policies does not allow data exfiltration + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_289: categories: @@ -4800,6 +5108,7 @@ rules: name: CKV_AWS_289 pretty_name: Ensure IAM policies does not allow permissions management / resource exposure without constraints + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_29: categories: @@ -4812,6 +5121,7 @@ rules: name: CKV_AWS_29 pretty_name: Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_290: categories: @@ -4823,6 +5133,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_290 pretty_name: Ensure IAM policies does not allow write access without constraints + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_291: categories: 
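Review bot: The hunks for CKV_AWS_284 and CKV_AWS_285 put observability settings (X-Ray tracing, execution history logging) on the same `recommended: true` footing as the IAM checks that follow on this line (CKV_AWS_286 privilege escalation, CKV_AWS_287 credentials exposure, CKV_AWS_288 data exfiltration). Because `recommended` is a bare boolean, a downstream policy cannot distinguish a hygiene check from a high-impact one, and the flag is set on nearly every rule in this diff (CKV_AWS_313 copy tags to snapshots, CKV_AWS_315 launch templates, CKV_AWS_320 default database name, among others), which dilutes what "recommended" signals. Some selection does appear to have been made, since CKV_AWS_327, CKV_AWS_337 and CKV_AWS_354 are named as keys but receive no hunk, so stating the criterion in a comment at the top of the file (e.g. `# recommended: true marks the curated default policy; see <criteria doc placeholder>`) would let future maintainers apply it consistently.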
@@ -4834,6 +5145,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_AWS_291
 pretty_name: Ensure MSK nodes are private
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_292:
 categories:
@@ -4845,6 +5157,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_292
 pretty_name: Ensure DocDB Global Cluster is encrypted at rest (default is unencrypted)
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_293:
 categories:
@@ -4856,6 +5169,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_293
 pretty_name: Ensure that AWS database instances have deletion protection enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_294:
 categories:
@@ -4867,6 +5181,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_294
 pretty_name: Ensure Cloud Trail Event Data Store uses CMK
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_295:
 categories:
@@ -4878,6 +5193,7 @@ rules:
 group: stored-secrets
 name: CKV_AWS_295
 pretty_name: Ensure DataSync Location Object Storage doesn't expose secrets
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_296:
 categories:
@@ -4889,6 +5205,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_296
 pretty_name: Ensure DMS endpoint uses Customer Managed Key (CMK)
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_297:
 categories:
@@ -4900,6 +5217,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_297
 pretty_name: Ensure EventBridge Scheduler Schedule uses Customer Managed Key (CMK)
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_298:
 categories:
@@ -4911,6 +5229,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_298
 pretty_name: Ensure DMS S3 uses Customer Managed Key (CMK)
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_299:
 categories:
@@ -4922,6 +5241,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_299 pretty_name: Ensure DMS S3 defines in-transit encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_3: categories: @@ -4933,6 +5253,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_3 pretty_name: Ensure all data stored in the EBS is securely encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_30: categories: @@ -4945,6 +5266,7 @@ rules: name: CKV_AWS_30 pretty_name: Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_300: categories: @@ -4957,6 +5279,7 @@ rules: name: CKV_AWS_300 pretty_name: Ensure S3 lifecycle configuration sets period for aborting failed uploads + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_301: categories: @@ -4968,6 +5291,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_301 pretty_name: Ensure that AWS Lambda function is not publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_302: categories: @@ -4979,6 +5303,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_302 pretty_name: Ensure DB Snapshots are not Public + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_303: categories: @@ -4990,6 +5315,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_303 pretty_name: Ensure SSM documents are not Public + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_304: categories: @@ -5001,6 +5327,7 @@ rules: group: cloud-weak-secrets-management name: CKV_AWS_304 pretty_name: Ensure Secrets Manager secrets should be rotated within 90 days + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_305: categories: 
@@ -5012,6 +5339,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_305 pretty_name: Ensure Cloudfront distribution has a default root object configured + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_306: categories: @@ -5024,6 +5352,7 @@ rules: name: CKV_AWS_306 pretty_name: Ensure SageMaker notebook instances should be launched into a custom VPC + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_307: categories: @@ -5036,6 +5365,7 @@ rules: name: CKV_AWS_307 pretty_name: Ensure SageMaker Users should not have root access to SageMaker notebook instances + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_308: categories: @@ -5047,6 +5377,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_308 pretty_name: Ensure API Gateway method setting caching is set to encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_309: categories: @@ -5058,6 +5389,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_309 pretty_name: Ensure API GatewayV2 routes specify an authorization type + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_31: categories: @@ -5070,6 +5402,7 @@ rules: name: CKV_AWS_31 pretty_name: Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_310: categories: @@ -5081,6 +5414,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_310 pretty_name: Ensure CloudFront distributions should have origin failover configured + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_311: categories: 
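Review bot: CKV_AWS_308 (`Ensure API Gateway method setting caching is set to encrypted`) is filed under `group: cloud-resources-public-access` even though the check, as named, is about cache encryption; now that it is `recommended: true` it will be surfaced under a public-exposure heading, which misleads whoever triages the recommended set. Presumably the right home is `cloud-unencrypted-resources`, matching CKV_AWS_311 on the next line, but the group predates this commit, so verify against the Checkov policy before moving it.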
@@ -5092,6 +5426,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_311 pretty_name: Ensure that CodeBuild S3 logs are encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_312: categories: @@ -5104,6 +5439,7 @@ rules: name: CKV_AWS_312 pretty_name: Ensure Elastic Beanstalk environments have enhanced health reporting enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_313: categories: @@ -5115,6 +5451,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_313 pretty_name: Ensure RDS cluster configured to copy tags to snapshots + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_314: categories: @@ -5126,6 +5463,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_314 pretty_name: Ensure CodeBuild project environments have a logging configuration + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_315: categories: @@ -5137,6 +5475,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_315 pretty_name: Ensure EC2 Auto Scaling groups use EC2 launch templates + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_316: categories: @@ -5149,6 +5488,7 @@ rules: name: CKV_AWS_316 pretty_name: Ensure CodeBuild project environments do not have privileged mode enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_317: categories: @@ -5160,6 +5500,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_317 pretty_name: Ensure Elasticsearch Domain Audit Logging is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_318: categories: @@ -5172,6 +5513,7 @@ rules: name: CKV_AWS_318 pretty_name: Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_319: categories: 
@@ -5183,6 +5525,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_319 pretty_name: Ensure that CloudWatch alarm actions are enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_32: categories: @@ -5194,6 +5537,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_32 pretty_name: Ensure ECR policy is not set to public + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_320: categories: @@ -5205,6 +5549,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_320 pretty_name: Ensure Redshift clusters do not use the default database name + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_321: categories: @@ -5216,6 +5561,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_321 pretty_name: Ensure Redshift clusters use enhanced VPC routing + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_322: categories: @@ -5228,6 +5574,7 @@ rules: name: CKV_AWS_322 pretty_name: Ensure ElastiCache for Redis cache clusters have auto minor version upgrades enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_323: categories: @@ -5239,6 +5586,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_323 pretty_name: Ensure ElastiCache clusters do not use the default subnet group + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_324: categories: @@ -5250,6 +5598,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_324 pretty_name: Ensure that RDS Cluster log capture is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_325: categories: @@ -5261,6 +5610,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_325 pretty_name: Ensure that RDS Cluster audit logging is enabled for MySQL engine + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_326: categories: 
@@ -5272,6 +5622,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_326 pretty_name: Ensure that RDS Aurora Clusters have backtracking enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_327: categories: @@ -5295,6 +5646,7 @@ rules: name: CKV_AWS_328 pretty_name: Ensure that ALB is configured with defensive or strictest desync mitigation mode + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_329: categories: @@ -5306,6 +5658,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_329 pretty_name: EFS access points should enforce a root directory + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_33: categories: @@ -5317,6 +5670,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_33 pretty_name: Ensure KMS key policy does not contain wildcard (*) principal + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_330: categories: @@ -5328,6 +5682,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_330 pretty_name: EFS access points should enforce a user identity + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_331: categories: @@ -5340,6 +5695,7 @@ rules: name: CKV_AWS_331 pretty_name: Ensure Transit Gateways do not automatically accept VPC attachment requests + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_332: categories: @@ -5351,6 +5707,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_332 pretty_name: Ensure ECS Fargate services run on the latest Fargate platform version + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_333: categories: @@ -5363,6 +5720,7 @@ rules: name: CKV_AWS_333 pretty_name: Ensure ECS services do not have public IP addresses assigned to them automatically + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_334: categories: 
@@ -5374,6 +5732,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_334
 pretty_name: Ensure ECS containers should run as non-privileged
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_335:
 categories:
@@ -5385,6 +5744,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_335
 pretty_name: Ensure ECS task definitions should not share the host's process namespace
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_336:
 categories:
@@ -5396,6 +5756,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_336
 pretty_name: Ensure ECS containers are limited to read-only access to root filesystems
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_337:
 categories:
@@ -5418,6 +5779,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_338
 pretty_name: Ensure CloudWatch log groups retains logs for at least 1 year
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_339:
 categories:
@@ -5429,6 +5791,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_339
 pretty_name: Ensure EKS clusters run on a supported Kubernetes version
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_34:
 categories:
@@ -5440,6 +5803,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_34
 pretty_name: Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_340:
 categories:
@@ -5451,6 +5815,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_340
 pretty_name: Ensure Elastic Beanstalk managed platform updates are enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_341:
 categories:
@@ -5463,6 +5828,7 @@ rules: name: CKV_AWS_341 pretty_name: Ensure Launch template should not have a metadata response hop limit greater than 1 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_342: categories: @@ -5474,6 +5840,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_342 pretty_name: Ensure WAF rule has any actions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_343: categories: @@ -5485,6 +5852,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_343 pretty_name: Ensure Amazon Redshift clusters should have automatic snapshots enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_344: categories: @@ -5496,6 +5864,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_344 pretty_name: Ensure that Network firewalls have deletion protection enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_345: categories: @@ -5507,6 +5876,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_345 pretty_name: Ensure that Network firewall encryption is via a CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_346: categories: @@ -5519,6 +5889,7 @@ rules: name: CKV_AWS_346 pretty_name: Ensure Network Firewall Policy defines an encryption configuration that uses a customer managed Key (CMK) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_347: categories: @@ -5530,6 +5901,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_347 pretty_name: Ensure Neptune is encrypted by KMS using a customer managed Key (CMK) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_348: categories: @@ -5541,6 +5913,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_348 pretty_name: Ensure IAM root user doesnt have Access keys + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_349: categories: 
@@ -5552,6 +5925,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_349 pretty_name: Ensure EMR Cluster security configuration encrypts local disks + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_35: categories: @@ -5561,6 +5935,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_35 pretty_name: Ensure CloudTrail logs are encrypted at rest using KMS CMKs + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_350: categories: @@ -5572,6 +5947,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_350 pretty_name: Ensure EMR Cluster security configuration encrypts EBS disks + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_351: categories: @@ -5583,6 +5959,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_351 pretty_name: Ensure EMR Cluster security configuration encrypts InTransit + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_352: categories: @@ -5594,6 +5971,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_352 pretty_name: Ensure NACL ingress does not allow all Ports + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_353: categories: @@ -5605,6 +5983,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_353 pretty_name: Ensure that RDS instances have performance insights enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_354: categories: @@ -5628,6 +6007,7 @@ rules: name: CKV_AWS_355 pretty_name: Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_356: categories: 
@@ -5640,6 +6020,7 @@ rules: name: CKV_AWS_356 pretty_name: Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_357: categories: @@ -5651,6 +6032,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_357 pretty_name: Ensure Transfer Server allows only secure protocols + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_358: categories: @@ -5663,6 +6045,7 @@ rules: name: CKV_AWS_358 pretty_name: Ensure GitHub Actions OIDC trust policies only allows actions from a specific known organization + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_359: categories: @@ -5674,6 +6057,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_359 pretty_name: Neptune DB clusters should have IAM database authentication enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_36: categories: @@ -5685,6 +6069,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_36 pretty_name: Ensure CloudTrail log file validation is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_360: categories: @@ -5696,6 +6081,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_360 pretty_name: Ensure DocumentDB has an adequate backup retention period + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_361: categories: @@ -5708,6 +6094,7 @@ rules: name: CKV_AWS_361 pretty_name: Ensure that Neptune DB cluster has automated backups enabled with adequate retention + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_362: categories: @@ -5719,6 +6106,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_362 pretty_name: Neptune DB clusters should be configured to copy tags to snapshots + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_363: categories: 
@@ -5730,6 +6118,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_363 pretty_name: Ensure Lambda Runtime is not deprecated + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_364: categories: @@ -5742,6 +6131,7 @@ rules: name: CKV_AWS_364 pretty_name: Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_365: categories: @@ -5753,6 +6143,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_365 pretty_name: Ensure SES Configuration Set enforces TLS usage + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_366: categories: @@ -5765,6 +6156,7 @@ rules: name: CKV_AWS_366 pretty_name: Ensure AWS Cognito identity pool does not allow unauthenticated guest access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_37: categories: @@ -5776,6 +6168,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_37 pretty_name: Ensure Amazon EKS control plane logging enabled for all log types + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_38: categories: @@ -5786,6 +6179,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_38 pretty_name: Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_39: categories: @@ -5796,6 +6190,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_39 pretty_name: Ensure Amazon EKS public endpoint disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_40: categories: @@ -5807,6 +6202,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_40 pretty_name: Ensure IAM policies are attached only to groups or roles + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_41: categories: 
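Review bot: CKV_AWS_38 and CKV_AWS_39 are both set to `recommended: true`, but CKV_AWS_39 (`Ensure Amazon EKS public endpoint disabled`) is strictly stronger than CKV_AWS_38 (`Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0`): a cluster that fails 39 while passing 38 is one with a deliberately CIDR-restricted public endpoint, which is an accepted pattern rather than a default-open misconfiguration. Recommending both means every such cluster carries a recommended finding it cannot clear without an architecture change; flagging only CKV_AWS_38, or documenting why 39 is the baseline, would keep the recommended set actionable. The CKV_AWS_274/CKV_AWS_275 pair earlier in the diff does not have this problem, since those target different resource types.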
@@ -5818,6 +6214,7 @@ rules:
 group: stored-secrets
 name: CKV_AWS_41
 pretty_name: Ensure no hard coded AWS access key and secret key exists in provider
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_42:
 categories:
@@ -5829,6 +6226,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_42
 pretty_name: Ensure EFS is securely encrypted
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_43:
 categories:
@@ -5840,6 +6238,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_43
 pretty_name: Ensure Kinesis Stream is securely encrypted
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_44:
 categories:
@@ -5851,6 +6250,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_44
 pretty_name: Ensure Neptune storage is securely encrypted
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_45:
 categories:
@@ -5862,6 +6262,7 @@ rules:
 group: stored-secrets
 name: CKV_AWS_45
 pretty_name: Ensure no hard-coded secrets exist in lambda environment
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_46:
 categories:
@@ -5873,6 +6274,7 @@ rules:
 group: stored-secrets
 name: CKV_AWS_46
 pretty_name: Ensure no hard-coded secrets exist in EC2 user data
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_47:
 categories:
@@ -5884,6 +6286,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_47
 pretty_name: Ensure DAX is encrypted at rest (default is unencrypted)
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_48:
 categories:
@@ -5895,6 +6298,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_48
 pretty_name: Ensure MQ Broker logging is enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_49:
 categories:
@@ -5906,6 +6310,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_49 pretty_name: Ensure no IAM policies documents allow "*" as a statement's actions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_5: categories: @@ -5918,6 +6323,7 @@ rules: name: CKV_AWS_5 pretty_name: Ensure all data stored in the Elasticsearch is securely encrypted at rest + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_50: categories: @@ -5928,6 +6334,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_50 pretty_name: X-ray tracing is enabled for Lambda + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_51: categories: @@ -5939,6 +6346,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_51 pretty_name: Ensure ECR Image Tags are immutable + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_53: categories: @@ -5950,6 +6358,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_53 pretty_name: Ensure S3 bucket has block public ACLS enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_54: categories: @@ -5961,6 +6370,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_54 pretty_name: Ensure S3 bucket has block public policy enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_55: categories: @@ -5972,6 +6382,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_55 pretty_name: Ensure S3 bucket has ignore public ACLs enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_56: categories: @@ -5983,6 +6394,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_56 pretty_name: Ensure S3 bucket has 'restrict_public_bucket' enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_57: categories: 
@@ -5994,6 +6406,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_57 pretty_name: S3 Bucket has an ACL defined which allows public WRITE access. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_58: categories: @@ -6005,6 +6418,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_58 pretty_name: Ensure EKS Cluster has Secrets Encryption Enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_59: categories: @@ -6016,6 +6430,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_59 pretty_name: Ensure there is no open access to back-end resources through API + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_6: categories: @@ -6027,6 +6442,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_6 pretty_name: Ensure all Elasticsearch has node-to-node encryption enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_60: categories: @@ -6039,6 +6455,7 @@ rules: name: CKV_AWS_60 pretty_name: Ensure IAM role allows only specific services or principals to assume it + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_61: categories: @@ -6051,6 +6468,7 @@ rules: name: CKV_AWS_61 pretty_name: Ensure AWS IAM policy does not allow assume role permission across all services + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_62: categories: @@ -6063,6 +6481,7 @@ rules: name: CKV_AWS_62 pretty_name: Ensure IAM policies that allow full "*-*" administrative privileges are not created + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_63: categories: @@ -6074,6 +6493,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_63 pretty_name: Ensure no IAM policies documents allow "*" as a statement's actions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_64: categories: 
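Review bot: The pretty_name of CKV_AWS_57, `S3 Bucket has an ACL defined which allows public WRITE access.`, is written as a finding statement with a trailing period, whereas every other rule in this diff is phrased as an `Ensure ...` requirement without terminal punctuation; CKV_AWS_72 (`Ensure SQS policy does not allow ALL (*) actions.`) on a later line has the same stray period. These strings are now part of the recommended set and are presumably listed side by side wherever that set is rendered, so rewording CKV_AWS_57 to `Ensure S3 bucket ACL does not allow public WRITE access` and dropping the period on CKV_AWS_72 would keep the list consistent; the text predates this commit, so it could equally go in a follow-up.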
@@ -6086,6 +6506,7 @@ rules: name: CKV_AWS_64 pretty_name: Ensure all data stored in the Redshift cluster is securely encrypted at rest + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_65: categories: @@ -6096,6 +6517,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_65 pretty_name: Ensure container insights are enabled on ECS cluster + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_66: categories: @@ -6107,6 +6529,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_66 pretty_name: Ensure that CloudWatch Log Group specifies retention days + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_67: categories: @@ -6118,6 +6541,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_67 pretty_name: Ensure CloudTrail is enabled in all Regions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_68: categories: @@ -6127,6 +6551,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_68 pretty_name: CloudFront Distribution should have WAF enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_69: categories: @@ -6138,6 +6563,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_69 pretty_name: Ensure MQ Broker is not publicly exposed + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_7: categories: @@ -6149,6 +6575,7 @@ rules: group: cloud-weak-secrets-management name: CKV_AWS_7 pretty_name: Ensure rotation for customer created CMKs is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_70: categories: @@ -6160,6 +6587,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_70 pretty_name: Ensure S3 bucket does not allow an action with any Principal + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_71: categories: 
@@ -6170,6 +6598,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_71
 pretty_name: Ensure Redshift Cluster logging is enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_72:
 categories:
@@ -6181,6 +6610,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_AWS_72
 pretty_name: Ensure SQS policy does not allow ALL (*) actions.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_73:
 categories:
@@ -6191,6 +6621,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_73
 pretty_name: Ensure API Gateway has X-Ray Tracing enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_74:
 categories:
@@ -6202,6 +6633,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_74
 pretty_name: Ensure DocDB is encrypted at rest (default is unencrypted)
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_75:
 categories:
@@ -6211,6 +6643,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_75
 pretty_name: Ensure Global Accelerator accelerator has flow logs enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_76:
 categories:
@@ -6222,6 +6655,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_76
 pretty_name: Ensure API Gateway has Access Logging enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_77:
 categories:
@@ -6233,6 +6667,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_77
 pretty_name: Ensure Athena Database is encrypted at rest (default is unencrypted)
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_78:
 categories:
@@ -6244,6 +6679,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_78
 pretty_name: Ensure that CodeBuild Project encryption is not disabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_79:
 categories:
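Review bot: CKV_AWS_73 (`Ensure API Gateway has X-Ray Tracing enabled`) receives `recommended: true` in the third hunk, but X-Ray tracing is a performance-telemetry setting with no confidentiality, integrity or audit impact, so putting it in the default recommended set will surface low-signal findings next to the encryption and access-logging rules on this line. I would drop the flag from CKV_AWS_73 and keep it on CKV_AWS_71/76, which at least support detection. If `recommended` is meant to track something other than security impact (for example checkov's full default policy set), a short comment at the top of the rules file stating the criterion would stop this question from recurring in review.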
@@ -6255,6 +6691,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_79 pretty_name: Ensure Instance Metadata Service Version 1 is not enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_8: categories: @@ -6267,6 +6704,7 @@ rules: name: CKV_AWS_8 pretty_name: Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_80: categories: @@ -6278,6 +6716,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_80 pretty_name: Ensure MSK Cluster logging is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_81: categories: @@ -6289,6 +6728,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_81 pretty_name: Ensure MSK Cluster encryption in rest and transit is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_82: categories: @@ -6301,6 +6741,7 @@ rules: name: CKV_AWS_82 pretty_name: Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_83: categories: @@ -6312,6 +6753,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_83 pretty_name: Ensure Elasticsearch Domain enforces HTTPS + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_84: categories: @@ -6322,6 +6764,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_84 pretty_name: Ensure Elasticsearch Domain Logging is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_85: categories: @@ -6332,6 +6775,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_85 pretty_name: Ensure DocDB Logging is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_86: categories: 
@@ -6343,6 +6787,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_86 pretty_name: Ensure Cloudfront distribution has Access Logging enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_87: categories: @@ -6354,6 +6799,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_87 pretty_name: Redshift cluster should not be publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_88: categories: @@ -6365,6 +6811,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_88 pretty_name: EC2 instance should not have public IP. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_89: categories: @@ -6376,6 +6823,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_89 pretty_name: DMS replication instance should not be publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_9: categories: @@ -6396,6 +6844,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_90 pretty_name: Ensure DocDB TLS is not disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_91: categories: @@ -6407,6 +6856,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_91 pretty_name: Ensure the ELBv2 (Application/Network) has access logging enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_92: categories: @@ -6418,6 +6868,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_92 pretty_name: Ensure the ELB has access logging enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_93: categories: @@ -6430,6 +6881,7 @@ rules: name: CKV_AWS_93 pretty_name: Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_94: categories: 
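Review bot: The hunk starting at old line 6396 resumes at CKV_AWS_90 while the preceding hunk ends at old line 6381, so the CKV_AWS_9 entry that sits between them (visible only as trailing context of the CKV_AWS_89 hunk) is the one AWS rule in this stretch left without `recommended: true`. If that is deliberate — say the check is deprecated or known to be noisy — it should be recorded in the PR description, because in a file this large a missing flag is indistinguishable from an oversight. If the intent is to recommend every rule in the run, the omission is a bug and `recommended: true` should be added to CKV_AWS_9 as well.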
@@ -6441,6 +6893,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_94 pretty_name: Ensure Glue Data Catalog Encryption is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_95: categories: @@ -6452,6 +6905,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_95 pretty_name: Ensure API Gateway V2 has Access Logging enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_96: categories: @@ -6463,6 +6917,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_96 pretty_name: Ensure all data stored in Aurora is securely encrypted at rest + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_97: categories: @@ -6475,6 +6930,7 @@ rules: name: CKV_AWS_97 pretty_name: Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_98: categories: @@ -6487,6 +6943,7 @@ rules: name: CKV_AWS_98 pretty_name: Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_99: categories: @@ -6498,6 +6955,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_99 pretty_name: Ensure Glue Security Configuration Encryption is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZUREPIPELINES_1: categories: @@ -6509,6 +6967,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV_AZUREPIPELINES_1 pretty_name: Ensure container job uses a non latest version tag + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZUREPIPELINES_2: categories: @@ -6519,6 +6978,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV_AZUREPIPELINES_2 pretty_name: Ensure container job uses a version digest + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZUREPIPELINES_3: categories: 
@@ -6530,6 +6990,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV_AZUREPIPELINES_3 pretty_name: Ensure set variable is not marked as a secret + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_1: categories: @@ -6542,6 +7003,7 @@ rules: name: CKV_AZURE_1 pretty_name: Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_10: categories: @@ -6553,6 +7015,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_10 pretty_name: Ensure that SSH access is restricted from the internet + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_100: categories: @@ -6574,6 +7037,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_101 pretty_name: Ensure that Azure Cosmos DB disables public network access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_102: categories: @@ -6584,6 +7048,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_102 pretty_name: Ensure that PostgreSQL server enables geo-redundant backups + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_103: categories: @@ -6594,6 +7059,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_103 pretty_name: Ensure that Azure Data Factory uses Git repository for source control + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_104: categories: @@ -6605,6 +7071,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_104 pretty_name: Ensure that Azure Data factory public network access is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_105: categories: 
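Review bot: CKV_AZURE_102 (`Ensure that PostgreSQL server enables geo-redundant backups`) and CKV_AZURE_103 (`Ensure that Azure Data Factory uses Git repository for source control`) are resilience and change-management checks rather than security misconfigurations, yet both get `recommended: true` alongside the public-network-access rules on this line. Recommending them by default will raise a finding for every single-region PostgreSQL server and every Data Factory that is not Git-backed, which is noise for a security-focused default set. I would remove the flag from those two hunks unless the project documents that `recommended` intentionally covers operational-excellence checks. Separately, this line's hunks jump from old line 6558 to 6574, leaving CKV_AZURE_100 unflagged; worth a sentence in the description if that is intended.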
@@ -6616,6 +7083,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AZURE_105
 pretty_name: Ensure that Data Lake Store accounts enables encryption
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_106:
 categories:
@@ -6627,6 +7095,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_AZURE_106
 pretty_name: Ensure that Azure Event Grid Domain public network access is disabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_107:
 categories:
@@ -6637,6 +7106,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_107
 pretty_name: Ensure that API management services use virtual networks
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_108:
 categories:
@@ -6646,6 +7116,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_AZURE_108
 pretty_name: Ensure that Azure IoT Hub disables public network access
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_109:
 categories:
@@ -6657,6 +7128,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_109
 pretty_name: Ensure that key vault allows firewall rules settings
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_11:
 categories:
@@ -6668,6 +7140,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_11
 pretty_name: Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_110:
 categories:
@@ -6679,6 +7152,7 @@ rules:
 group: cloud-weak-secrets-management
 name: CKV_AZURE_110
 pretty_name: Ensure that key vault enables purge protection
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_111:
 categories:
@@ -6690,6 +7164,7 @@ rules:
 group: cloud-weak-secrets-management
 name: CKV_AZURE_111
 pretty_name: Ensure that key vault enables soft delete
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_112:
 categories:
@@ -6700,6 +7175,7 @@ rules:
 group: cloud-weak-secrets-management
 name: CKV_AZURE_112
 pretty_name: Ensure that key vault key is backed by HSM
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_113:
 categories:
@@ -6711,6 +7187,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_AZURE_113
 pretty_name: Ensure that SQL server disables public network access
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_114:
 categories:
@@ -6721,6 +7198,7 @@ rules:
 group: cloud-weak-secrets-management
 name: CKV_AZURE_114
 pretty_name: Ensure that key vault secrets have "content_type" set
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_115:
 categories:
@@ -6732,6 +7210,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_115
 pretty_name: Ensure that AKS enables private clusters
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_116:
 categories:
@@ -6743,6 +7222,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_116
 pretty_name: Ensure that AKS uses Azure Policies Add-on
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_117:
 categories:
@@ -6754,6 +7234,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AZURE_117
 pretty_name: Ensure that AKS uses disk encryption set
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_118:
 categories:
@@ -6765,6 +7246,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_118
 pretty_name: Ensure that Network Interfaces disable IP forwarding
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_119:
 categories:
@@ -6776,6 +7258,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_119 pretty_name: Ensure that Network Interfaces don't use public IPs + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_12: categories: @@ -6786,6 +7269,7 @@ rules: name: CKV_AZURE_12 pretty_name: Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_120: categories: @@ -6795,6 +7279,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_120 pretty_name: Ensure that Application Gateway enables WAF + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_121: categories: @@ -6804,6 +7289,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_121 pretty_name: Ensure that Azure Front Door enables WAF + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_122: categories: @@ -6814,6 +7300,7 @@ rules: name: CKV_AZURE_122 pretty_name: Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_123: categories: @@ -6824,6 +7311,7 @@ rules: name: CKV_AZURE_123 pretty_name: Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_124: categories: @@ -6835,6 +7323,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_124 pretty_name: Ensure that Azure Cognitive Search disables public network access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_125: categories: @@ -6846,6 +7335,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_125 pretty_name: Ensures that Service Fabric use three levels of protection available + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_126: categories: 
@@ -6858,6 +7348,7 @@ rules: name: CKV_AZURE_126 pretty_name: Ensures that Active Directory is used for authentication for Service Fabric + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_127: categories: @@ -6867,6 +7358,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_127 pretty_name: Ensure that My SQL server enables Threat detection policy + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_128: categories: @@ -6876,6 +7368,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_128 pretty_name: Ensure that PostgreSQL server enables Threat detection policy + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_129: categories: @@ -6886,6 +7379,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_129 pretty_name: Ensure that MariaDB server enables geo-redundant backups + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_13: categories: @@ -6897,6 +7391,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_13 pretty_name: Ensure App Service Authentication is set on Azure App Service + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_130: categories: @@ -6908,6 +7403,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_130 pretty_name: Ensure that PostgreSQL server enables infrastructure encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_131: categories: @@ -6919,6 +7415,7 @@ rules: group: stored-secrets name: CKV_AZURE_131 pretty_name: SecureString parameter should not have hardcoded default values + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_132: categories: 
@@ -6931,6 +7428,7 @@ rules: name: CKV_AZURE_132 pretty_name: Ensure cosmosdb does not allow privileged escalation by restricting management plane changes + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_133: categories: @@ -6941,6 +7439,7 @@ rules: name: CKV_AZURE_133 pretty_name: Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_134: categories: @@ -6952,6 +7451,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_134 pretty_name: Ensure that Cognitive Services accounts disable public network access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_135: categories: @@ -6962,6 +7462,7 @@ rules: name: CKV_AZURE_135 pretty_name: Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_136: categories: @@ -6972,6 +7473,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_136 pretty_name: Ensure that PostgreSQL Flexible server enables geo-redundant backups + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_137: categories: @@ -6983,6 +7485,7 @@ rules: group: cloud-insecure-iam name: CKV_AZURE_137 pretty_name: Ensure ACR admin account is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_138: categories: @@ -6993,6 +7496,7 @@ rules: group: cloud-insecure-iam name: CKV_AZURE_138 pretty_name: Ensures that ACR disables anonymous pulling of images + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_139: categories: 
@@ -7004,6 +7508,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_AZURE_139
 pretty_name: Ensure ACR set to disable public networking
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_14:
 categories:
@@ -7015,6 +7520,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_14
 pretty_name: Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_140:
 categories:
@@ -7026,6 +7532,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_AZURE_140
 pretty_name: Ensure that Local Authentication is disabled on CosmosDB
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_141:
 categories:
@@ -7037,6 +7544,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_AZURE_141
 pretty_name: Ensure AKS local admin account is disabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_142:
 categories:
@@ -7048,6 +7556,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_AZURE_142
 pretty_name: Ensure Machine Learning Compute Cluster Local Authentication is disabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_143:
 categories:
@@ -7059,6 +7568,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_AZURE_143
 pretty_name: Ensure AKS cluster nodes do not have public IP addresses
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_144:
 categories:
@@ -7070,6 +7580,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_AZURE_144
 pretty_name: Ensure that Public Access is disabled for Machine Learning Workspace
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_145:
 categories:
@@ -7081,6 +7592,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_145 pretty_name: Ensure Function app is using the latest version of TLS encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_146: categories: @@ -7092,6 +7604,7 @@ rules: name: CKV_AZURE_146 pretty_name: Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_147: categories: @@ -7103,6 +7616,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_147 pretty_name: Ensure PostgreSQL is using the latest version of TLS encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_148: categories: @@ -7114,6 +7628,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_148 pretty_name: Ensure Redis Cache is using the latest version of TLS encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_149: categories: @@ -7125,6 +7640,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_149 pretty_name: Ensure that Virtual machine does not enable password authentication + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_15: categories: @@ -7136,6 +7652,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_15 pretty_name: Ensure web app is using the latest version of TLS encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_150: categories: @@ -7147,6 +7664,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_150 pretty_name: Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_151: categories: 
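Review bot: CKV_AZURE_150 (`Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0`) is a cost-optimisation check, not a security control, so the `recommended: true` added in its hunk will raise a finding for any compute cluster that deliberately keeps warm nodes for latency reasons. I would leave this one out of the recommended set; the minimum-TLS-version rules (CKV_AZURE_145/147/148/15) and the password-authentication rule (CKV_AZURE_149) on the same line are the ones that earn the flag.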
@@ -7158,6 +7676,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_151 pretty_name: Ensure Windows VM enables encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_152: categories: @@ -7168,6 +7687,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_152 pretty_name: Ensure Client Certificates are enforced for API management + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_153: categories: @@ -7180,6 +7700,7 @@ rules: name: CKV_AZURE_153 pretty_name: Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_154: categories: @@ -7191,6 +7712,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_154 pretty_name: Ensure the App service slot is using the latest version of TLS encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_155: categories: @@ -7202,6 +7724,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_155 pretty_name: Ensure debugging is disabled for the App service slot + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_156: categories: @@ -7214,6 +7737,7 @@ rules: name: CKV_AZURE_156 pretty_name: Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_157: categories: @@ -7224,6 +7748,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_157 pretty_name: Ensure that Synapse workspace has data_exfiltration_protection_enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_158: categories: 
@@ -7235,6 +7760,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_158 pretty_name: Ensure that databricks workspace has not public + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_159: categories: @@ -7246,6 +7772,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_159 pretty_name: Ensure function app builtin logging is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_16: categories: @@ -7258,6 +7785,7 @@ rules: name: CKV_AZURE_16 pretty_name: Ensure that Register with Azure Active Directory is enabled on App Service + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_160: categories: @@ -7269,6 +7797,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_160 pretty_name: Ensure that HTTP (port 80) access is restricted from the internet + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_161: categories: @@ -7280,6 +7809,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_161 pretty_name: Ensures Spring Cloud API Portal is enabled on for HTTPS + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_162: categories: @@ -7291,6 +7821,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_162 pretty_name: Ensures Spring Cloud API Portal Public Access Is Disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_163: categories: @@ -7302,6 +7833,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_163 pretty_name: Enable vulnerability scanning for container images. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_164: categories: @@ -7313,6 +7845,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_164 pretty_name: Ensures that ACR uses signed/trusted images + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_165: categories: 
@@ -7325,6 +7858,7 @@ rules: name: CKV_AZURE_165 pretty_name: Ensure geo-replicated container registries to match multi-region container deployments. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_166: categories: @@ -7336,6 +7870,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_166 pretty_name: Ensure container image quarantine, scan, and mark images verified + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_167: categories: @@ -7347,6 +7882,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_167 pretty_name: Ensure a retention policy is set to cleanup untagged manifests. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_168: categories: @@ -7359,6 +7895,7 @@ rules: name: CKV_AZURE_168 pretty_name: Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_169: categories: @@ -7370,6 +7907,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_169 pretty_name: Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_17: categories: @@ -7381,6 +7919,7 @@ rules: name: CKV_AZURE_17 pretty_name: Ensure the web app has 'Client Certificates (Incoming client certificates)' set + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_170: categories: @@ -7392,6 +7931,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_170 pretty_name: Ensure that AKS use the Paid Sku for its SLA + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_171: categories: @@ -7403,6 +7943,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_171 pretty_name: Ensure AKS cluster upgrade channel is chosen + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_172: categories: 
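Review bot: Four hunks on this line mark checks with no security impact as `recommended: true`: CKV_AZURE_165 (geo-replicated registries), CKV_AZURE_168 (at least 50 pods per AKS node), CKV_AZURE_169 (scale sets) and CKV_AZURE_170 (paid SKU for the AKS SLA). These are availability, capacity and billing choices — a cluster on the free tier or a 30-pod node is not less secure — and surfacing them as recommended findings dilutes the signal of the image-scanning and signed-image rules (CKV_AZURE_163/164/166) that sit right next to them. Suggest removing the flag from those four hunks, or documenting in the file header that `recommended` intentionally includes operational-excellence checks.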
@@ -7414,6 +7955,7 @@ rules:
 group: cloud-weak-secrets-management
 name: CKV_AZURE_172
 pretty_name: Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_173:
 categories:
@@ -7425,6 +7967,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_173
 pretty_name: Ensure API management uses at least TLS 1.2
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_174:
 categories:
@@ -7436,6 +7979,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_AZURE_174
 pretty_name: Ensure API management public access is disabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_175:
 categories:
@@ -7447,6 +7991,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_175
 pretty_name: Ensure Web PubSub uses a SKU with an SLA
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_176:
 categories:
@@ -7458,6 +8003,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_AZURE_176
 pretty_name: Ensure Web PubSub uses managed identities to access Azure resources
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_177:
 categories:
@@ -7469,6 +8015,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_177
 pretty_name: Ensure Windows VM enables automatic updates
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_178:
 categories:
@@ -7480,6 +8027,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_178
 pretty_name: Ensure linux VM enables SSH with keys for secure communication
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_179:
 categories:
@@ -7491,6 +8039,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_179
 pretty_name: Ensure VM agent is installed
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_18:
 categories:
@@ -7502,6 +8051,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_18 pretty_name: Ensure that 'HTTP Version' is the latest if used to run the web app + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_180: categories: @@ -7513,6 +8063,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_180 pretty_name: Ensure that data explorer uses Sku with an SLA + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_181: categories: @@ -7525,6 +8076,7 @@ rules: name: CKV_AZURE_181 pretty_name: Ensure that data explorer/Kusto uses managed identities to access Azure resources securely. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_182: categories: @@ -7536,6 +8088,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_182 pretty_name: Ensure that VNET has at least 2 connected DNS Endpoints + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_183: categories: @@ -7547,6 +8100,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_183 pretty_name: Ensure that VNET uses local DNS addresses + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_184: categories: @@ -7558,6 +8112,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_184 pretty_name: Ensure 'local_auth_enabled' is set to 'False' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_185: categories: @@ -7569,6 +8124,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_185 pretty_name: Ensure 'Public Access' is not Enabled for App configuration + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_186: categories: @@ -7580,6 +8136,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_186 pretty_name: Ensure App configuration encryption block is set. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_187: categories: 
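Review bot: CKV_AZURE_180 (data explorer SKU with an SLA), CKV_AZURE_182 (at least 2 connected DNS endpoints) and CKV_AZURE_183 (VNET uses local DNS addresses) are given `recommended: true` although they describe availability and network-design preferences rather than exploitable weaknesses. CKV_AZURE_183 in particular will presumably flag every VNET that relies on the platform-provided resolver, which is a common supported configuration, so it will be noisy as a default. I would drop the flag from those three hunks; CKV_AZURE_184 (`local_auth_enabled` false) and CKV_AZURE_185 (public access disabled) on the same line are the security-relevant ones and should keep it.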
@@ -7591,6 +8148,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_187 pretty_name: Ensure App configuration purge protection is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_188: categories: @@ -7602,6 +8160,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_188 pretty_name: Ensure App configuration Sku is standard + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_189: categories: @@ -7613,6 +8172,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_189 pretty_name: Ensure that Azure Key Vault disables public network access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_19: categories: @@ -7622,6 +8182,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_19 pretty_name: Ensure that standard pricing tier is selected + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_190: categories: @@ -7633,6 +8194,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_190 pretty_name: Ensure that Storage blobs restrict public access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_191: categories: @@ -7645,6 +8207,7 @@ rules: name: CKV_AZURE_191 pretty_name: Ensure that Managed identity provider is enabled for Azure Event Grid Topic + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_192: categories: @@ -7656,6 +8219,7 @@ rules: group: cloud-insecure-iam name: CKV_AZURE_192 pretty_name: Ensure that Azure Event Grid Topic local Authentication is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_193: categories: @@ -7667,6 +8231,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_193 pretty_name: Ensure public network access is disabled for Azure Event Grid Topic + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_194: categories: 
@@ -7679,6 +8244,7 @@ rules: name: CKV_AZURE_194 pretty_name: Ensure that Managed identity provider is enabled for Azure Event Grid Domain + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_195: categories: @@ -7690,6 +8256,7 @@ rules: group: cloud-insecure-iam name: CKV_AZURE_195 pretty_name: Ensure that Azure Event Grid Domain local Authentication is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_196: categories: @@ -7701,6 +8268,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_196 pretty_name: Ensure that SignalR uses a Paid Sku for its SLA + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_197: categories: @@ -7712,6 +8280,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_197 pretty_name: Ensure the Azure CDN disables the HTTP endpoint + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_198: categories: @@ -7723,6 +8292,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_198 pretty_name: Ensure the Azure CDN enables the HTTPS endpoint + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_199: categories: @@ -7734,6 +8304,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_199 pretty_name: Ensure that Azure Service Bus uses double encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_2: categories: @@ -7745,6 +8316,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_2 pretty_name: Ensure Azure managed disk has encryption enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_20: categories: @@ -7756,6 +8328,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_20 pretty_name: Ensure that security contact 'Phone number' is set + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_200: categories: 
@@ -7768,6 +8341,7 @@ rules: name: CKV_AZURE_200 pretty_name: Ensure the Azure CDN endpoint is using the latest version of TLS encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_201: categories: @@ -7792,6 +8366,7 @@ rules: name: CKV_AZURE_202 pretty_name: Ensure that Managed identity provider is enabled for Azure Service Bus + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_203: categories: @@ -7803,6 +8378,7 @@ rules: group: cloud-insecure-iam name: CKV_AZURE_203 pretty_name: Ensure Azure Service Bus Local Authentication is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_204: categories: @@ -7815,6 +8391,7 @@ rules: name: CKV_AZURE_204 pretty_name: Ensure 'public network access enabled' is set to 'False' for Azure Service Bus + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_205: categories: @@ -7826,6 +8403,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_205 pretty_name: Ensure Azure Service Bus is using the latest version of TLS encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_206: categories: @@ -7837,6 +8415,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_206 pretty_name: Ensure that Storage Accounts use replication + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_207: categories: @@ -7849,6 +8428,7 @@ rules: name: CKV_AZURE_207 pretty_name: Ensure Azure Cognitive Search service uses managed identities to access Azure resources + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_208: categories: @@ -7860,6 +8440,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_208 pretty_name: Ensure that Azure Cognitive Search maintains SLA for index updates + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_209: categories: 
@@ -7872,6 +8453,7 @@ rules: name: CKV_AZURE_209 pretty_name: Ensure that Azure Cognitive Search maintains SLA for search index queries + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_21: categories: @@ -7884,6 +8466,7 @@ rules: name: CKV_AZURE_21 pretty_name: Ensure that 'Send email notification for high severity alerts' is set to 'On' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_210: categories: @@ -7896,6 +8479,7 @@ rules: name: CKV_AZURE_210 pretty_name: Ensure Azure Cognitive Search service allowed IPS does not give public Access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_211: categories: @@ -7907,6 +8491,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_211 pretty_name: Ensure App Service plan suitable for production use + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_212: categories: @@ -7918,6 +8503,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_212 pretty_name: Ensure App Service has a minimum number of instances for failover + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_213: categories: @@ -7929,6 +8515,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_213 pretty_name: Ensure that App Service configures health check + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_214: categories: @@ -7940,6 +8527,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_214 pretty_name: Ensure App Service is set to be always on + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_215: categories: @@ -7951,6 +8539,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_215 pretty_name: Ensure API management backend uses https + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_216: categories: 
@@ -7962,6 +8551,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_216 pretty_name: Ensure DenyIntelMode is set to Deny for Azure Firewalls + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_217: categories: @@ -7974,6 +8564,7 @@ rules: name: CKV_AZURE_217 pretty_name: Ensure Azure Application gateways listener that allow connection requests over HTTP + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_218: categories: @@ -7986,6 +8577,7 @@ rules: name: CKV_AZURE_218 pretty_name: Ensure Application Gateway defines secure protocols for in transit communication + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_219: categories: @@ -7997,6 +8589,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_219 pretty_name: Ensure Firewall defines a firewall policy + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_22: categories: @@ -8009,6 +8602,7 @@ rules: name: CKV_AZURE_22 pretty_name: Ensure that 'Send email notification for high severity alerts' is set to 'On' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_220: categories: @@ -8020,6 +8614,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_220 pretty_name: Ensure Firewall policy has IDPS mode as deny + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_221: categories: @@ -8031,6 +8626,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_221 pretty_name: Ensure that Azure Function App public network access is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_222: categories: @@ -8042,6 +8638,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_222 pretty_name: Ensure that Azure Web App public network access is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_223: categories: 
@@ -8053,6 +8650,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_223 pretty_name: Ensure Event Hub Namespace uses at least TLS 1.2 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_224: categories: @@ -8065,6 +8663,7 @@ rules: name: CKV_AZURE_224 pretty_name: Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_225: categories: @@ -8076,6 +8675,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_225 pretty_name: Ensure the App Service Plan is zone redundant + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_226: categories: @@ -8087,6 +8687,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_226 pretty_name: Ensure ephemeral disks are used for OS disks + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_227: categories: @@ -8099,6 +8700,7 @@ rules: name: CKV_AZURE_227 pretty_name: Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_228: categories: @@ -8110,6 +8712,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_228 pretty_name: Ensure the Azure Event Hub Namespace is zone redundant + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_229: categories: @@ -8121,6 +8724,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_229 pretty_name: Ensure the Azure SQL Database Namespace is zone redundant + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_23: categories: 
@@ -8132,6 +8736,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_23 pretty_name: Ensure that 'Auditing' is set to 'On' for SQL servers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_230: categories: @@ -8143,6 +8748,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_230 pretty_name: Standard Replication should be enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_231: categories: @@ -8154,6 +8760,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_231 pretty_name: Ensure App Service Environment is zone redundant + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_232: categories: @@ -8165,6 +8772,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_232 pretty_name: Ensure that only critical system pods run on system nodes + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_233: categories: @@ -8176,6 +8784,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_233 pretty_name: Ensure Azure Container Registry (ACR) is zone redundant + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_234: categories: @@ -8187,6 +8796,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_234 pretty_name: Ensure that Azure Defender for cloud is set to On for Resource Manager + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_235: categories: @@ -8199,6 +8809,7 @@ rules: name: CKV_AZURE_235 pretty_name: Ensure that Azure container environment variables are configured with secure values only + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_237: categories: @@ -8210,6 +8821,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_237 pretty_name: Ensure dedicated data endpoints are enabled. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_24: categories: 
@@ -8221,6 +8833,7 @@ rules: name: CKV_AZURE_24 pretty_name: Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_25: categories: @@ -8230,6 +8843,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_25 pretty_name: Ensure that 'Threat Detection types' is set to 'All' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_26: categories: @@ -8241,6 +8855,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_26 pretty_name: Ensure that 'Send Alerts To' is enabled for MSSQL servers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_27: categories: @@ -8253,6 +8868,7 @@ rules: name: CKV_AZURE_27 pretty_name: Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_28: categories: @@ -8265,6 +8881,7 @@ rules: name: CKV_AZURE_28 pretty_name: Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_29: categories: @@ -8276,6 +8893,7 @@ rules: name: CKV_AZURE_29 pretty_name: Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_3: categories: @@ -8287,6 +8905,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_3 pretty_name: Ensure that 'Secure transfer required' is set to 'Enabled' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_30: categories: @@ -8298,6 +8917,7 @@ rules: name: CKV_AZURE_30 pretty_name: Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_31: categories: 
@@ -8308,6 +8928,7 @@ rules: name: CKV_AZURE_31 pretty_name: Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_32: categories: @@ -8318,6 +8939,7 @@ rules: name: CKV_AZURE_32 pretty_name: Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_33: categories: @@ -8329,6 +8951,7 @@ rules: name: CKV_AZURE_33 pretty_name: Ensure Storage logging is enabled for Queue service for read, write and delete requests + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_34: categories: @@ -8340,6 +8963,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_34 pretty_name: Ensure that 'Public access level' is set to Private for blob containers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_35: categories: @@ -8352,6 +8976,7 @@ rules: name: CKV_AZURE_35 pretty_name: Ensure default network access rule for Storage Accounts is set to deny + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_36: categories: @@ -8364,6 +8989,7 @@ rules: name: CKV_AZURE_36 pretty_name: Ensure 'Trusted Microsoft Services' is enabled for Storage Account access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_37: categories: @@ -8374,6 +9000,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_37 pretty_name: Ensure that Activity Log Retention is set 365 days or greater + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_38: categories: @@ -8384,6 +9011,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_38 pretty_name: Ensure audit profile captures all the activities + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_39: categories: 
@@ -8395,6 +9023,7 @@ rules:
group: cloud-insecure-iam
name: CKV_AZURE_39
pretty_name: Ensure that no custom subscription owner roles are created
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_4:
categories:
@@ -8406,6 +9035,7 @@ rules:
group: cloud-weak-configuration
name: CKV_AZURE_4
pretty_name: Ensure AKS logging to Azure Monitoring is Configured
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_40:
categories:
@@ -8416,6 +9046,7 @@ rules:
group: cloud-weak-configuration
name: CKV_AZURE_40
pretty_name: Ensure that the expiration date is set on all keys
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_41:
categories:
@@ -8426,6 +9057,7 @@ rules:
group: cloud-weak-configuration
name: CKV_AZURE_41
pretty_name: Ensure that the expiration date is set on all secrets
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_42:
categories:
@@ -8437,6 +9069,7 @@ rules:
group: cloud-weak-secrets-management
name: CKV_AZURE_42
pretty_name: Ensure the key vault is recoverable
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_43:
categories:
@@ -8446,6 +9079,7 @@ rules:
group: cloud-weak-configuration
name: CKV_AZURE_43
pretty_name: Ensure Storage Accounts adhere to the naming rules
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_44:
categories:
@@ -8457,6 +9091,7 @@ rules:
group: cloud-unencrypted-resources
name: CKV_AZURE_44
pretty_name: Ensure Storage Account is using the latest version of TLS encryption
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_45:
categories:
@@ -8468,6 +9103,7 @@ rules:
group: cloud-weak-configuration
name: CKV_AZURE_45
pretty_name: Ensure that no sensitive credentials are exposed in VM custom_data
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_47:
categories:
@@ -8478,6 +9114,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_47 pretty_name: Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_48: categories: @@ -8490,6 +9127,7 @@ rules: name: CKV_AZURE_48 pretty_name: Ensure 'public network access enabled' is set to 'False' for MariaDB servers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_49: categories: @@ -8502,6 +9140,7 @@ rules: name: CKV_AZURE_49 pretty_name: Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_5: categories: @@ -8513,6 +9152,7 @@ rules: group: cloud-insecure-iam name: CKV_AZURE_5 pretty_name: Ensure RBAC is enabled on AKS clusters + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_50: categories: @@ -8524,6 +9164,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_50 pretty_name: Ensure Virtual Machine Extensions are not Installed + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_52: categories: @@ -8534,6 +9175,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_52 pretty_name: Ensure MSSQL is using the latest version of TLS encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_53: categories: @@ -8546,6 +9188,7 @@ rules: name: CKV_AZURE_53 pretty_name: Ensure 'public network access enabled' is set to 'False' for mySQL servers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_54: categories: @@ -8556,6 +9199,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_54 pretty_name: Ensure MySQL is using the latest version of TLS encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_55: categories: 
@@ -8566,6 +9210,7 @@ rules:
group: cloud-weak-configuration
name: CKV_AZURE_55
pretty_name: Ensure that Azure Defender is set to On for Servers
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_56:
categories:
@@ -8577,6 +9222,7 @@ rules:
group: cloud-weak-configuration
name: CKV_AZURE_56
pretty_name: Ensure that function apps enables Authentication
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_57:
categories:
@@ -8588,6 +9234,7 @@ rules:
group: cloud-weak-configuration
name: CKV_AZURE_57
pretty_name: Ensure that CORS disallows every resource to access app services
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_58:
categories:
@@ -8598,6 +9245,7 @@ rules:
group: cloud-weak-configuration
name: CKV_AZURE_58
pretty_name: Ensure that Azure Synapse workspaces enables managed virtual networks
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_59:
categories:
@@ -8609,6 +9257,7 @@ rules:
group: cloud-resources-public-access
name: CKV_AZURE_59
pretty_name: Ensure that Storage accounts disallow public access
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_6:
categories:
@@ -8619,6 +9268,7 @@ rules:
group: cloud-weak-configuration
name: CKV_AZURE_6
pretty_name: Ensure AKS has an API Server Authorized IP Ranges enabled
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_60:
categories:
@@ -8630,6 +9280,7 @@ rules:
group: cloud-weak-configuration
name: CKV_AZURE_60
pretty_name: Ensure that storage account enables secure transfer
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_61:
categories:
@@ -8640,6 +9291,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_61 pretty_name: Ensure that Azure Defender is set to On for App Service + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_62: categories: @@ -8649,6 +9301,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_62 pretty_name: Ensure function apps are not accessible from all regions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_63: categories: @@ -8660,6 +9313,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_63 pretty_name: Ensure that App service enables HTTP logging + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_64: categories: @@ -8671,6 +9325,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_64 pretty_name: Ensure that Azure File Sync disables public network access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_65: categories: @@ -8682,6 +9337,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_65 pretty_name: Ensure that App service enables detailed error messages + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_66: categories: @@ -8692,6 +9348,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_66 pretty_name: Ensure that App service enables failed request tracing + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_67: categories: @@ -8702,6 +9359,7 @@ rules: name: CKV_AZURE_67 pretty_name: Ensure that 'HTTP Version' is the latest, if used to run the Function app + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_68: categories: @@ -8713,6 +9371,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_68 pretty_name: Ensure that PostgreSQL server disables public network access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_69: categories: 
@@ -8723,6 +9382,7 @@ rules:
group: cloud-weak-configuration
name: CKV_AZURE_69
pretty_name: Ensure that Azure Defender is set to On for Azure SQL database servers
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_7:
categories:
@@ -8733,6 +9393,7 @@ rules:
group: cloud-weak-configuration
name: CKV_AZURE_7
pretty_name: Ensure AKS cluster has Network Policy configured
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_70:
categories:
@@ -8744,6 +9405,7 @@ rules:
group: cloud-unencrypted-resources
name: CKV_AZURE_70
pretty_name: Ensure that Function apps is only accessible over HTTPS
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_71:
categories:
@@ -8755,6 +9417,7 @@ rules:
group: cloud-weak-configuration
name: CKV_AZURE_71
pretty_name: Ensure that Managed identity provider is enabled for app services
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_72:
categories:
@@ -8766,6 +9429,7 @@ rules:
group: cloud-weak-configuration
name: CKV_AZURE_72
pretty_name: Ensure that remote debugging is not enabled for app services
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_73:
categories:
@@ -8777,6 +9441,7 @@ rules:
group: cloud-unencrypted-resources
name: CKV_AZURE_73
pretty_name: Ensure that Automation account variables are encrypted
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_74:
categories:
@@ -8788,6 +9453,7 @@ rules:
group: cloud-unencrypted-resources
name: CKV_AZURE_74
pretty_name: Ensure that Azure Data Explorer uses disk encryption
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_AZURE_75:
categories:
@@ -8797,6 +9463,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_75 pretty_name: Ensure that Azure Data Explorer uses double encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_76: categories: @@ -8806,6 +9473,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_76 pretty_name: Ensure that Azure Batch account uses key vault to encrypt data + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_77: categories: @@ -8817,6 +9485,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_77 pretty_name: 'Ensure that UDP Services are restricted from the Internet ' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_78: categories: @@ -8828,6 +9497,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_78 pretty_name: Ensure FTP deployments are disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_79: categories: @@ -8838,6 +9508,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_79 pretty_name: Ensure that Azure Defender is set to On for SQL servers on machines + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_8: categories: @@ -8849,6 +9520,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_8 pretty_name: Ensure Kubernetes Dashboard is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_80: categories: @@ -8861,6 +9533,7 @@ rules: name: CKV_AZURE_80 pretty_name: Ensure that 'Net Framework' version is the latest, if used as a part of the web app + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_81: categories: @@ -8872,6 +9545,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_81 pretty_name: Ensure that 'PHP version' is the latest, if used to run the web app + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_82: categories: 
@@ -8884,6 +9558,7 @@ rules: name: CKV_AZURE_82 pretty_name: Ensure that 'Python version' is the latest, if used to run the web app + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_83: categories: @@ -8896,6 +9571,7 @@ rules: name: CKV_AZURE_83 pretty_name: Ensure that 'Java version' is the latest, if used to run the web app + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_84: categories: @@ -8906,6 +9582,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_84 pretty_name: Ensure that Azure Defender is set to On for Storage + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_85: categories: @@ -8916,6 +9593,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_85 pretty_name: Ensure that Azure Defender is set to On for Kubernetes + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_86: categories: @@ -8926,6 +9604,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_86 pretty_name: Ensure that Azure Defender is set to On for Container Registries + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_87: categories: @@ -8936,6 +9615,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_87 pretty_name: Ensure that Azure Defender is set to On for Key Vault + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_88: categories: @@ -8945,6 +9625,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_88 pretty_name: Ensure that app services use Azure Files + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_89: categories: @@ -8956,6 +9637,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_89 pretty_name: Ensure that Azure Cache for Redis disables public network access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_9: categories: 
@@ -8967,6 +9649,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_9 pretty_name: Ensure that RDP access is restricted from the internet + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_91: categories: @@ -8977,6 +9660,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_91 pretty_name: Ensure that only SSL are enabled for Cache for Redis + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_92: categories: @@ -8988,6 +9672,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_92 pretty_name: Ensure that Virtual Machines use managed disks + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_93: categories: @@ -9008,6 +9693,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_94 pretty_name: Ensure that My SQL server enables geo-redundant backups + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_95: categories: @@ -9020,6 +9706,7 @@ rules: name: CKV_AZURE_95 pretty_name: Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_96: categories: @@ -9030,6 +9717,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_96 pretty_name: Ensure that MySQL server enables infrastructure encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_97: categories: @@ -9041,6 +9729,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_97 pretty_name: Ensure that Virtual machine scale sets have encryption at host enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_98: categories: 
@@ -9052,6 +9741,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_98
 pretty_name: Ensure that Azure Container group is deployed into virtual network
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_99:
 categories:
@@ -9063,6 +9753,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_AZURE_99
 pretty_name: Ensure Cosmos DB accounts have restricted access
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_BCW_1:
 categories:
@@ -9074,6 +9765,7 @@ rules:
 group: stored-secrets
 name: CKV_BCW_1
 pretty_name: Ensure no hard coded API token exist in the provider
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_BITBUCKETPIPELINES_1:
 categories:
@@ -9084,6 +9776,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_BITBUCKETPIPELINES_1
 pretty_name: Ensure the pipeline image uses a non latest version tag
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_BITBUCKET_1:
 categories:
@@ -9103,6 +9796,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_CIRCLECIPIPELINES_1
 pretty_name: Ensure the pipeline image uses a non latest version tag
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_CIRCLECIPIPELINES_2:
 categories:
@@ -9124,6 +9818,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_CIRCLECIPIPELINES_3
 pretty_name: Ensure mutable development orbs are not used.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_CIRCLECIPIPELINES_4:
 categories:
@@ -9135,6 +9830,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_CIRCLECIPIPELINES_4
 pretty_name: Ensure unversioned volatile orbs are not used.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_CIRCLECIPIPELINES_5:
 categories:
@@ -9146,6 +9842,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_CIRCLECIPIPELINES_5
 pretty_name: Suspicious use of netcat with IP address
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_CIRCLECIPIPELINES_6:
 categories:
@@ -9157,6 +9854,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_CIRCLECIPIPELINES_6
 pretty_name: Ensure run commands are not vulnerable to shell injection
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_CIRCLECIPIPELINES_7:
 categories:
@@ -9168,6 +9866,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_CIRCLECIPIPELINES_7
 pretty_name: Suspicious use of curl in run task
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_DIO_1:
 categories:
@@ -9189,6 +9888,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_DIO_2
 pretty_name: Ensure the droplet specifies an SSH key
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_DIO_3:
 categories:
@@ -9200,6 +9900,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_DIO_3
 pretty_name: Ensure the Spaces bucket is private
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_DIO_4:
 categories:
@@ -9211,6 +9912,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_DIO_4
 pretty_name: Ensure the firewall ingress is not wide open
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_DOCKER_1:
 categories:
@@ -9222,6 +9924,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_DOCKER_1
 pretty_name: Ensure port 22 is not exposed
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_DOCKER_10:
 categories:
@@ -9233,6 +9936,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_DOCKER_10
 pretty_name: Ensure that WORKDIR values are absolute paths
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_DOCKER_11:
 categories:
@@ -9244,6 +9948,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_DOCKER_11
 pretty_name: Ensure From Alias are unique for multistage builds.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_DOCKER_2:
 categories:
@@ -9254,6 +9959,7 @@ rules:
 name: CKV_DOCKER_2
 pretty_name: Ensure that HEALTHCHECK instructions have been added to container images
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_DOCKER_3:
 categories:
@@ -9263,6 +9969,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_DOCKER_3
 pretty_name: Ensure that a user for the container has been created
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_DOCKER_4:
 categories:
@@ -9272,6 +9979,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_DOCKER_4
 pretty_name: Ensure that COPY is used instead of ADD in Dockerfiles
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_DOCKER_5:
 categories:
@@ -9283,6 +9991,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_DOCKER_5
 pretty_name: Ensure update instructions are not use alone in the Dockerfile
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_DOCKER_6:
 categories:
@@ -9292,6 +10001,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_DOCKER_6
 pretty_name: Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated)
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_DOCKER_7:
 categories:
@@ -9303,6 +10013,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_DOCKER_7
 pretty_name: Ensure the base image uses a non latest version tag
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_DOCKER_8:
 categories:
@@ -9334,6 +10045,7 @@ rules:
 name: CKV_GCP_1
 pretty_name: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_10:
 categories:
@@ -9345,6 +10057,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_10
 pretty_name: Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_100:
 categories:
@@ -9356,6 +10069,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_GCP_100
 pretty_name: Ensure that BigQuery Tables are not anonymously or publicly accessible
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_101:
 categories:
@@ -9368,6 +10082,7 @@ rules:
 name: CKV_GCP_101
 pretty_name: Ensure that Artifact Registry repositories are not anonymously or publicly accessible
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_102:
 categories:
@@ -9380,6 +10095,7 @@ rules:
 name: CKV_GCP_102
 pretty_name: Ensure that GCP Cloud Run services are not anonymously or publicly accessible
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_103:
 categories:
@@ -9391,6 +10107,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_GCP_103
 pretty_name: Ensure Dataproc Clusters do not have public IPs
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_104:
 categories:
@@ -9402,6 +10119,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_104
 pretty_name: Ensure Datafusion has stack driver logging enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_105:
 categories:
@@ -9413,6 +10131,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_105
 pretty_name: Ensure Datafusion has stack driver monitoring enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_106:
 categories:
@@ -9425,6 +10144,7 @@ rules:
 name: CKV_GCP_106
 pretty_name: Ensure Google compute firewall ingress does not allow unrestricted http port 80 access
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_107:
 categories:
@@ -9445,6 +10165,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_108
 pretty_name: Ensure hostnames are logged for GCP PostgreSQL databases
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_109:
 categories:
@@ -9457,6 +10178,7 @@ rules:
 name: CKV_GCP_109
 pretty_name: Ensure the GCP PostgreSQL database log levels are set to ERROR or lower
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_11:
 categories:
@@ -9468,6 +10190,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_GCP_11
 pretty_name: Ensure that Cloud SQL database Instances are not open to the world
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_110:
 categories:
@@ -9498,6 +10221,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_GCP_112
 pretty_name: Esnure KMS policy should not allow public access
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_113:
 categories:
@@ -9509,6 +10233,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_GCP_113
 pretty_name: Ensure IAM policy should not define public access
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_114:
 categories:
@@ -9520,6 +10245,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_GCP_114
 pretty_name: Ensure public access prevention is enforced on Cloud Storage bucket
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_115:
 categories:
@@ -9531,6 +10257,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_GCP_115
 pretty_name: Ensure basic roles are not used at organization level.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_116:
 categories:
@@ -9542,6 +10269,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_GCP_116
 pretty_name: Ensure basic roles are not used at folder level.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_117:
 categories:
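Review bot: The CKV_GCP_112 entry promoted in the fourth hunk here carries the user-facing title `pretty_name: Esnure KMS policy should not allow public access`, and "Esnure" will now show up in the default result set. Since the flag is added right under that line, this pass is the natural place to correct it to `pretty_name: Ensure KMS policy should not allow public access`. If this file is regenerated from upstream policy metadata rather than hand-edited, the fix belongs in the generator's source instead, so the next regeneration does not reintroduce it.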
@@ -9553,6 +10281,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_GCP_117
 pretty_name: Ensure basic roles are not used at project level.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_118:
 categories:
@@ -9564,6 +10293,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_GCP_118
 pretty_name: Ensure IAM workload identity pool provider is restricted
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_119:
 categories:
@@ -9575,6 +10305,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_119
 pretty_name: Ensure Spanner Database has deletion protection enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_12:
 categories:
@@ -9595,6 +10326,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_120
 pretty_name: Ensure Spanner Database has drop protection enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_121:
 categories:
@@ -9606,6 +10338,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_121
 pretty_name: Ensure BigQuery tables have deletion protection enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_122:
 categories:
@@ -9617,6 +10350,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_122
 pretty_name: Ensure Big Table Instances have deletion protection enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_123:
 categories:
@@ -9628,6 +10362,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_123
 pretty_name: GKE Don't Use NodePools in the Cluster configuration
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_124:
 categories:
@@ -9640,6 +10375,7 @@ rules:
 name: CKV_GCP_124
 pretty_name: Ensure GCP Cloud Function is not configured with overly permissive Ingress setting
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_13:
 categories:
@@ -9652,6 +10388,7 @@ rules:
 name: CKV_GCP_13
 pretty_name: Ensure client certificate authentication to Kubernetes Engine Clusters is disabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_14:
 categories:
@@ -9664,6 +10401,7 @@ rules:
 name: CKV_GCP_14
 pretty_name: Ensure all Cloud SQL database instance have backup configuration enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_15:
 categories:
@@ -9675,6 +10413,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_GCP_15
 pretty_name: Ensure that BigQuery datasets are not anonymously or publicly accessible
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_16:
 categories:
@@ -9696,6 +10435,7 @@ rules:
 name: CKV_GCP_17
 pretty_name: Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_18:
 categories:
@@ -9717,6 +10457,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_19
 pretty_name: Ensure GKE basic auth is disabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_2:
 categories:
@@ -9729,6 +10470,7 @@ rules:
 name: CKV_GCP_2
 pretty_name: Ensure Google compute firewall ingress does not allow unrestricted ssh access
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_20:
 categories:
@@ -9760,6 +10502,7 @@ rules:
 name: CKV_GCP_22
 pretty_name: Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_23:
 categories:
@@ -9807,6 +10550,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_27
 pretty_name: Ensure that the default network does not exist in a project
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_28:
 categories:
@@ -9818,6 +10562,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_GCP_28
 pretty_name: Ensure that Cloud Storage bucket is not anonymously or publicly accessible
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_29:
 categories:
@@ -9830,6 +10575,7 @@ rules:
 name: CKV_GCP_29
 pretty_name: Ensure that Cloud Storage buckets have uniform bucket-level access enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_3:
 categories:
@@ -9842,6 +10588,7 @@ rules:
 name: CKV_GCP_3
 pretty_name: Ensure Google compute firewall ingress does not allow unrestricted rdp access
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_30:
 categories:
@@ -9854,6 +10601,7 @@ rules:
 name: CKV_GCP_30
 pretty_name: Ensure that instances are not configured to use the default service account
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_31:
 categories:
@@ -9866,6 +10614,7 @@ rules:
 name: CKV_GCP_31
 pretty_name: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_32:
 categories:
@@ -9877,6 +10626,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_32
 pretty_name: Ensure 'Block Project-wide SSH keys' is enabled for VM instances
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_33:
 categories:
@@ -9888,6 +10638,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_33
 pretty_name: Ensure oslogin is enabled for a Project
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_34:
 categories:
@@ -9900,6 +10651,7 @@ rules:
 name: CKV_GCP_34
 pretty_name: Ensure that no instance in the project overrides the project setting for enabling OSLogin
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_35:
 categories:
@@ -9912,6 +10664,7 @@ rules:
 name: CKV_GCP_35
 pretty_name: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_36:
 categories:
@@ -9923,6 +10676,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_36
 pretty_name: Ensure that IP forwarding is not enabled on Instances
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_37:
 categories:
@@ -9965,6 +10719,7 @@ rules:
 name: CKV_GCP_4
 pretty_name: Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_40:
 categories:
@@ -9976,6 +10731,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_GCP_40
 pretty_name: Ensure that Compute instances do not have public IP addresses
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_41:
 categories:
@@ -9988,6 +10744,7 @@ rules:
 name: CKV_GCP_41
 pretty_name: Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_42:
 categories:
@@ -9999,6 +10756,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_GCP_42
 pretty_name: Ensure that Service Account has no Admin privileges
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_43:
 categories:
@@ -10021,6 +10779,7 @@ rules:
 name: CKV_GCP_44
 pretty_name: Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_45:
 categories:
@@ -10033,6 +10792,7 @@ rules:
 name: CKV_GCP_45
 pretty_name: Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_46:
 categories:
@@ -10044,6 +10804,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_GCP_46
 pretty_name: Ensure Default Service account is not used at a project level
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_47:
 categories:
@@ -10055,6 +10816,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_GCP_47
 pretty_name: Ensure default service account is not used at an organization level
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_48:
 categories:
@@ -10066,6 +10828,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_GCP_48
 pretty_name: Ensure Default Service account is not used at a folder level
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_49:
 categories:
@@ -10078,6 +10841,7 @@ rules:
 name: CKV_GCP_49
 pretty_name: Ensure roles do not impersonate or manage Service Accounts used at project level
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_50:
 categories:
@@ -10089,6 +10853,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_50
 pretty_name: Ensure MySQL database 'local_infile' flag is set to 'off'
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_51:
 categories:
@@ -10100,6 +10865,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_51
 pretty_name: Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on'
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_52:
 categories:
@@ -10111,6 +10877,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_52
 pretty_name: Ensure PostgreSQL database 'log_connections' flag is set to 'on'
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_53:
 categories:
@@ -10131,6 +10898,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_54
 pretty_name: Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on'
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_55:
 categories:
@@ -10173,6 +10941,7 @@ rules:
 name: CKV_GCP_58
 pretty_name: Ensure SQL database 'cross db ownership chaining' flag is set to 'off'
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_59:
 categories:
@@ -10185,6 +10954,7 @@ rules:
 name: CKV_GCP_59
 pretty_name: Ensure SQL database 'contained database authentication' flag is set to 'off'
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_6:
 categories:
@@ -10197,6 +10967,7 @@ rules:
 name: CKV_GCP_6
 pretty_name: Ensure all Cloud SQL database instance requires all incoming connections to use SSL
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_60:
 categories:
@@ -10208,6 +10979,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_GCP_60
 pretty_name: Ensure Cloud SQL database does not have public IP
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_61:
 categories:
@@ -10238,6 +11010,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_63
 pretty_name: Bucket should not log to itself
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_64:
 categories:
@@ -10247,6 +11020,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_GCP_64
 pretty_name: Ensure clusters are created with Private Nodes
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_65:
 categories:
@@ -10258,6 +11032,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_GCP_65
 pretty_name: Manage Kubernetes RBAC users with Google Groups for GKE
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_66:
 categories:
@@ -10279,6 +11054,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_67
 pretty_name: Ensure legacy Compute Engine instance metadata APIs are Disabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_68:
 categories:
@@ -10300,6 +11076,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_69
 pretty_name: Ensure the GKE Metadata Server is Enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_7:
 categories:
@@ -10312,6 +11089,7 @@ rules:
 name: CKV_GCP_7
 pretty_name: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_70:
 categories:
@@ -10323,6 +11101,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_70
 pretty_name: Ensure the GKE Release Channel is set
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_71:
 categories:
@@ -10355,6 +11134,7 @@ rules:
 name: CKV_GCP_73
 pretty_name: Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_74:
 categories:
@@ -10366,6 +11146,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_74
 pretty_name: Ensure that private_ip_google_access is enabled for Subnet
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_75:
 categories:
@@ -10378,6 +11159,7 @@ rules:
 name: CKV_GCP_75
 pretty_name: Ensure Google compute firewall ingress does not allow unrestricted FTP access
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_76:
 categories:
@@ -10389,6 +11171,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_76
 pretty_name: Ensure that Private google access is enabled for IPV6
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_77:
 categories:
@@ -10400,6 +11183,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_77
 pretty_name: Ensure Google compute firewall ingress does not allow on ftp port
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_78:
 categories:
@@ -10420,6 +11204,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_79
 pretty_name: Ensure SQL database is using latest Major version
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_8:
 categories:
@@ -10432,6 +11217,7 @@ rules:
 name: CKV_GCP_8
 pretty_name: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_80:
 categories:
@@ -10463,6 +11249,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_82
 pretty_name: Ensure KMS keys are protected from deletion
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_83:
 categories:
@@ -10504,6 +11291,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_GCP_86
 pretty_name: Ensure Cloud build workers are private
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_87:
 categories:
@@ -10515,6 +11303,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_GCP_87
 pretty_name: Ensure Data fusion instances are private
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_88:
 categories:
@@ -10527,6 +11316,7 @@ rules:
 name: CKV_GCP_88
 pretty_name: Ensure Google compute firewall ingress does not allow unrestricted mysql access
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_89:
 categories:
@@ -10538,6 +11328,7 @@ rules:
 group: cloud-weak-secrets-management
 name: CKV_GCP_89
 pretty_name: Ensure Vertex AI instances are private
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_9:
 categories:
@@ -10547,6 +11338,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_9
 pretty_name: Ensure 'Automatic node repair' is enabled for Kubernetes Clusters
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_90:
 categories:
@@ -10597,6 +11389,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_GCP_94
 pretty_name: Ensure Dataflow jobs are private
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_95:
 categories:
@@ -10608,6 +11401,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GCP_95
 pretty_name: Ensure Memorystore for Redis has AUTH enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_96:
 categories:
@@ -10626,6 +11420,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_GCP_97
 pretty_name: Ensure Memorystore for Redis uses intransit encryption
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_98:
 categories:
@@ -10637,6 +11432,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_GCP_98
 pretty_name: Ensure that Dataproc clusters are not anonymously or publicly accessible
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GCP_99:
 categories:
@@ -10648,6 +11444,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_GCP_99
 pretty_name: Ensure that Pub/Sub Topics are not anonymously or publicly accessible
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GHA_1:
 categories:
@@ -10660,6 +11457,7 @@ rules:
 name: CKV_GHA_1
 pretty_name: Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GHA_2:
 categories:
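Review bot: CKV_GCP_89 ("Ensure Vertex AI instances are private") is promoted in the first hunk here while its context line reads `group: cloud-weak-secrets-management`, which does not describe a private-networking check; the sibling "are private" rules CKV_GCP_86, CKV_GCP_87, CKV_GCP_94 and CKV_GCP_98 in the surrounding hunks all sit under `cloud-resources-public-access`. If group drives how findings are bucketed in reports, flagging the rule as recommended will now surface the misclassification in the default set. Changing the context line to `group: cloud-resources-public-access` in the same pass keeps the recommended set internally consistent.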
@@ -10671,6 +11469,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_GHA_2
 pretty_name: Ensure run commands are not vulnerable to shell injection
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GHA_3:
 categories:
@@ -10682,6 +11481,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_GHA_3
 pretty_name: Suspicious use of curl with secrets
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GHA_4:
 categories:
@@ -10693,6 +11493,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_GHA_4
 pretty_name: Suspicious use of netcat with IP address
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GHA_5:
 categories:
@@ -10735,6 +11536,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GITHUB_1
 pretty_name: Ensure GitHub organization security settings require 2FA
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GITHUB_10:
 categories:
@@ -10746,6 +11548,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: CKV_GITHUB_10
 pretty_name: Ensure branch protection rules are enforced on administrators
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GITHUB_2:
 categories:
@@ -10785,6 +11588,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: CKV_GITHUB_5
 pretty_name: Ensure GitHub branch protection rules does not allow force pushes
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GITHUB_6:
 categories:
@@ -10796,6 +11600,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_GITHUB_6
 pretty_name: Ensure GitHub organization webhooks are using HTTPS
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GITHUB_7:
 categories:
@@ -10807,6 +11612,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_GITHUB_7
 pretty_name: Ensure GitHub repository webhooks are using HTTPS
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GITHUB_8:
 categories:
@@ -10837,6 +11643,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_GITLABCI_1
 pretty_name: Suspicious use of curl with CI environment variables in script
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GITLABCI_2:
 categories:
@@ -10848,6 +11655,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GITLABCI_2
 pretty_name: Avoid creating rules that generate double pipelines
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GITLABCI_3:
 categories:
@@ -10877,6 +11685,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: CKV_GITLAB_2
 pretty_name: Ensure all Gitlab groups require two factor authentication
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GIT_1:
 categories:
@@ -10897,6 +11706,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_GIT_2
 pretty_name: Ensure GitHub repository webhooks are using HTTPS
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GIT_3:
 categories:
@@ -10908,6 +11718,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: CKV_GIT_3
 pretty_name: Ensure GitHub repository has vulnerability alerts enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GIT_4:
 categories:
@@ -10919,6 +11730,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_GIT_4
 pretty_name: Ensure GitHub Actions secrets are encrypted
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GIT_5:
 categories:
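Review bot: CKV_GIT_2 in the fifth hunk here and CKV_GITHUB_7 in the first carry the identical title "Ensure GitHub repository webhooks are using HTTPS" and the identical group, and both now receive `recommended: true`. If the scanner still emits both IDs for the same misconfiguration (CKV_GIT_* reads like an older ID family, though nothing in the hunk confirms that), the default set will report the same webhook finding twice per repository. Keep the flag on one of the two, or mark the pair as aliases where the rule realm is generated, e.g. `# CKV_GIT_2 is the legacy ID of CKV_GITHUB_7; only one is recommended` above whichever entry keeps it.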
@@ -10959,6 +11771,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: CKV_GLB_2
 pretty_name: Ensure GitLab branch protection rules does not allow force pushes
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GLB_3:
 categories:
@@ -10970,6 +11783,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: CKV_GLB_3
 pretty_name: Ensure GitLab prevent secrets is enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GLB_4:
 categories:
@@ -10991,6 +11805,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_K8S_1
 pretty_name: Do not admit containers wishing to share the host process ID namespace
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_K8S_10:
 categories:
@@ -11013,6 +11828,7 @@ rules:
 name: CKV_K8S_100
 pretty_name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_K8S_102:
 categories:
@@ -11024,6 +11840,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_K8S_102
 pretty_name: Ensure that the --etcd-cafile argument is set as appropriate
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_K8S_104:
 categories:
@@ -11035,6 +11852,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_K8S_104
 pretty_name: Ensure that encryption providers are appropriately configured
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_K8S_105:
 categories:
@@ -11047,6 +11865,7 @@ rules:
 name: CKV_K8S_105
 pretty_name: Ensure that the API Server only makes use of Strong Cryptographic Ciphers
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_K8S_106:
 categories:
@@ -11059,6 +11878,7 @@ rules: name: CKV_K8S_106 pretty_name: Ensure that the --terminated-pod-gc-threshold argument is set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_107: categories: @@ -11070,6 +11890,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_107 pretty_name: Ensure that the --profiling argument is set to false + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_108: categories: @@ -11082,6 +11903,7 @@ rules: name: CKV_K8S_108 pretty_name: Ensure that the --use-service-account-credentials argument is set to true + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_11: categories: @@ -11104,6 +11926,7 @@ rules: name: CKV_K8S_110 pretty_name: Ensure that the --service-account-private-key-file argument is set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_111: categories: @@ -11115,6 +11938,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_111 pretty_name: Ensure that the --root-ca-file argument is set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_112: categories: @@ -11127,6 +11951,7 @@ rules: name: CKV_K8S_112 pretty_name: Ensure that the RotateKubeletServerCertificate argument is set to true + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_113: categories: @@ -11138,6 +11963,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_113 pretty_name: Ensure that the --bind-address argument is set to 127.0.0.1 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_114: categories: @@ -11149,6 +11975,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_114 pretty_name: Ensure that the --profiling argument is set to false + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_115: categories: 
@@ -11160,6 +11987,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_115 pretty_name: Ensure that the --bind-address argument is set to 127.0.0.1 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_116: categories: @@ -11171,6 +11999,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_116 pretty_name: Ensure that the --cert-file and --key-file arguments are set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_117: categories: @@ -11182,6 +12011,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_117 pretty_name: Ensure that the --client-cert-auth argument is set to true + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_118: categories: @@ -11193,6 +12023,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_118 pretty_name: Ensure that the --auto-tls argument is not set to true + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_119: categories: @@ -11205,6 +12036,7 @@ rules: name: CKV_K8S_119 pretty_name: Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_12: categories: @@ -11226,6 +12058,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_121 pretty_name: Ensure that the --peer-client-cert-auth argument is set to true + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_13: categories: @@ -11247,6 +12080,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_138 pretty_name: Ensure that the --anonymous-auth argument is set to false + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_139: categories: 
@@ -11258,6 +12092,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_139 pretty_name: Ensure that the --authorization-mode argument is not set to AlwaysAllow + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_14: categories: @@ -11268,6 +12103,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV_K8S_14 pretty_name: Image Tag should be fixed - not latest or blank + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_140: categories: @@ -11279,6 +12115,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_140 pretty_name: Ensure that the --client-ca-file argument is set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_141: categories: @@ -11290,6 +12127,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_141 pretty_name: Ensure that the --read-only-port argument is set to 0 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_143: categories: @@ -11302,6 +12140,7 @@ rules: name: CKV_K8S_143 pretty_name: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_144: categories: @@ -11313,6 +12152,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_144 pretty_name: Ensure that the --protect-kernel-defaults argument is set to true + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_145: categories: @@ -11324,6 +12164,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_145 pretty_name: Ensure that the --make-iptables-util-chains argument is set to true + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_146: categories: 
@@ -11335,6 +12176,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_146 pretty_name: Ensure that the --hostname-override argument is not set + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_147: categories: @@ -11347,6 +12189,7 @@ rules: name: CKV_K8S_147 pretty_name: Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_148: categories: @@ -11359,6 +12202,7 @@ rules: name: CKV_K8S_148 pretty_name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_149: categories: @@ -11370,6 +12214,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_149 pretty_name: Ensure that the --rotate-certificates argument is not set to false + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_15: categories: @@ -11391,6 +12236,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_151 pretty_name: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_152: categories: @@ -11403,6 +12249,7 @@ rules: name: CKV_K8S_152 pretty_name: Prevent NGINX Ingress annotation snippets which contain LUA code execution. See CVE-2021-25742 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_153: categories: @@ -11414,6 +12261,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_153 pretty_name: Prevent All NGINX Ingress annotation snippets. See CVE-2021-25742 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_154: categories: 
@@ -11426,6 +12274,7 @@ rules: name: CKV_K8S_154 pretty_name: Prevent NGINX Ingress annotation snippets which contain alias statements See CVE-2021-25742 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_155: categories: @@ -11438,6 +12287,7 @@ rules: name: CKV_K8S_155 pretty_name: Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_156: categories: @@ -11449,6 +12299,7 @@ rules: group: cloud-insecure-iam name: CKV_K8S_156 pretty_name: Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_157: categories: @@ -11461,6 +12312,7 @@ rules: name: CKV_K8S_157 pretty_name: Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_158: categories: @@ -11473,6 +12325,7 @@ rules: name: CKV_K8S_158 pretty_name: Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_16: categories: @@ -11484,6 +12337,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_16 pretty_name: Do not admit privileged containers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_17: categories: @@ -11495,6 +12349,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_17 pretty_name: Do not admit containers wishing to share the host process ID namespace + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_18: categories: 
@@ -11506,6 +12361,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_18
pretty_name: Do not admit containers wishing to share the host IPC namespace
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_19:
categories:
@@ -11517,6 +12373,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_19
pretty_name: Do not admit containers wishing to share the host network namespace
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_2:
categories:
@@ -11528,6 +12385,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_2
pretty_name: Do not admit privileged containers
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_20:
categories:
@@ -11539,6 +12397,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_20
pretty_name: Containers should not run with allowPrivilegeEscalation
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_21:
categories:
@@ -11579,6 +12438,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_24
pretty_name: Do not allow containers with added capability
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_25:
categories:
@@ -11590,6 +12450,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_25
pretty_name: Minimize the admission of containers with added capability
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_26:
categories:
@@ -11601,6 +12462,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_26
pretty_name: Do not specify hostPort unless absolutely necessary
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_27:
categories:
@@ -11612,6 +12474,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_27
pretty_name: Do not expose the docker daemon socket to containers
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_28:
categories:
@@ -11623,6 +12486,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_28
pretty_name: Minimize the admission of containers with the NET_RAW capability
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_29:
categories:
@@ -11644,6 +12508,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_3
pretty_name: Do not admit containers wishing to share the host IPC namespace
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_30:
categories:
@@ -11685,6 +12550,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_33
pretty_name: Ensure the Kubernetes dashboard is not deployed
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_34:
categories:
@@ -11696,6 +12562,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_34
pretty_name: Ensure that Tiller (Helm v2) is not deployed
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_35:
categories:
@@ -11716,6 +12583,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_36
pretty_name: Minimise the admission of containers with capabilities assigned
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_37:
categories:
@@ -11727,6 +12595,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_37
pretty_name: Minimise the admission of containers with capabilities assigned
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_38:
categories:
@@ -11737,6 +12606,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_38
pretty_name: Ensure that Service Account Tokens are only mounted where necessary
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_39:
categories:
@@ -11748,6 +12618,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_39
pretty_name: Do not use the CAP_SYS_ADMIN linux capability
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_4:
categories:
@@ -11759,6 +12630,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_4 pretty_name: Do not admit containers wishing to share the host network namespace + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_40: categories: @@ -11780,6 +12652,7 @@ rules: group: cloud-insecure-iam name: CKV_K8S_41 pretty_name: Ensure that default service accounts are not actively used + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_42: categories: @@ -11791,6 +12664,7 @@ rules: group: cloud-insecure-iam name: CKV_K8S_42 pretty_name: Ensure that default service accounts are not actively used + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_43: categories: @@ -11812,6 +12686,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_44 pretty_name: Ensure that the Tiller Service (Helm v2) is deleted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_45: categories: @@ -11824,6 +12699,7 @@ rules: name: CKV_K8S_45 pretty_name: Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_49: categories: @@ -11835,6 +12711,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_49 pretty_name: Minimize wildcard use in Roles and ClusterRoles + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_5: categories: @@ -11846,6 +12723,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_5 pretty_name: Containers should not run with allowPrivilegeEscalation + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_6: categories: @@ -11857,6 +12735,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_6 pretty_name: Do not admit root containers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_68: categories: 
@@ -11868,6 +12747,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_68 pretty_name: Ensure that the --anonymous-auth argument is set to false + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_69: categories: @@ -11879,6 +12759,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_69 pretty_name: Ensure that the --basic-auth-file argument is not set + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_7: categories: @@ -11890,6 +12771,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_7 pretty_name: Do not admit containers with the NET_RAW capability + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_70: categories: @@ -11901,6 +12783,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_70 pretty_name: Ensure that the --token-auth-file argument is not set + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_71: categories: @@ -11912,6 +12795,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_71 pretty_name: Ensure that the --kubelet-https argument is set to true + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_72: categories: @@ -11924,6 +12808,7 @@ rules: name: CKV_K8S_72 pretty_name: Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_73: categories: @@ -11936,6 +12821,7 @@ rules: name: CKV_K8S_73 pretty_name: Ensure that the --kubelet-certificate-authority argument is set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_74: categories: @@ -11947,6 +12833,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_74 pretty_name: Ensure that the --authorization-mode argument is not set to AlwaysAllow + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_75: categories: 
@@ -11958,6 +12845,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_75
pretty_name: Ensure that the --authorization-mode argument includes Node
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_77:
categories:
@@ -11969,6 +12857,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_77
pretty_name: Ensure that the --authorization-mode argument includes RBAC
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_78:
categories:
@@ -11989,6 +12878,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_79
pretty_name: Ensure that the admission control plugin AlwaysAdmit is not set
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_8:
categories:
@@ -11999,6 +12889,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_8
pretty_name: Liveness Probe Should be Configured
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_80:
categories:
@@ -12071,6 +12962,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_86
pretty_name: Ensure that the --insecure-bind-address argument is not set
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_88:
categories:
@@ -12082,6 +12974,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_88
pretty_name: Ensure that the --insecure-port argument is set to 0
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_89:
categories:
@@ -12093,6 +12986,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_89
pretty_name: Ensure that the --secure-port argument is not set to 0
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_9:
categories:
@@ -12103,6 +12997,7 @@ rules:
group: cloud-weak-configuration
name: CKV_K8S_9
pretty_name: Readiness Probe Should be Configured
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_K8S_90:
categories:
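Review bot: `CKV_K8S_8` (Liveness Probe) and `CKV_K8S_9` (Readiness Probe) are availability checks rather than security hardening, yet they get `recommended: true` alongside the API-server authorization and insecure-port checks on this line; a recommended security profile that fails every workload lacking probes will generate large volumes of findings that teams cannot tie to a threat. I would leave those two without the flag, or annotate each with `# recommended for operational hygiene, not a security control` so consumers of the flag understand its scope.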
@@ -12114,6 +13009,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_90 pretty_name: Ensure that the --profiling argument is set to false + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_91: categories: @@ -12125,6 +13021,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_91 pretty_name: Ensure that the --audit-log-path argument is set + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_92: categories: @@ -12136,6 +13033,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_92 pretty_name: Ensure that the --audit-log-maxage argument is set to 30 or as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_93: categories: @@ -12148,6 +13046,7 @@ rules: name: CKV_K8S_93 pretty_name: Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_94: categories: @@ -12160,6 +13059,7 @@ rules: name: CKV_K8S_94 pretty_name: Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_95: categories: @@ -12171,6 +13071,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_95 pretty_name: Ensure that the --request-timeout argument is set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_96: categories: @@ -12182,6 +13083,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_96 pretty_name: Ensure that the --service-account-lookup argument is set to true + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_97: categories: @@ -12193,6 +13095,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_97 pretty_name: Ensure that the --service-account-key-file argument is set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_99: categories: 
@@ -12205,6 +13108,7 @@ rules: name: CKV_K8S_99 pretty_name: Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_LIN_1: categories: @@ -12216,6 +13120,7 @@ rules: group: stored-secrets name: CKV_LIN_1 pretty_name: Ensure no hard coded Linode tokens exist in provider + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_LIN_2: categories: @@ -12227,6 +13132,7 @@ rules: group: cloud-weak-configuration name: CKV_LIN_2 pretty_name: Ensure SSH key set in authorized_keys + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_LIN_3: categories: @@ -12238,6 +13144,7 @@ rules: group: cloud-weak-configuration name: CKV_LIN_3 pretty_name: Ensure email is set + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_LIN_4: categories: @@ -12249,6 +13156,7 @@ rules: group: cloud-weak-configuration name: CKV_LIN_4 pretty_name: Ensure username is set + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_LIN_5: categories: @@ -12260,6 +13168,7 @@ rules: group: cloud-weak-configuration name: CKV_LIN_5 pretty_name: Ensure Inbound Firewall Policy is not set to ACCEPT + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_LIN_6: categories: @@ -12271,6 +13180,7 @@ rules: group: cloud-weak-configuration name: CKV_LIN_6 pretty_name: Ensure Outbound Firewall Policy is not set to ACCEPT + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_1: categories: @@ -12281,6 +13191,7 @@ rules: group: cloud-weak-configuration name: CKV_NCP_1 pretty_name: Ensure HTTP HTTPS Target group defines Healthcheck + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_10: categories: 
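Review bot: `CKV_LIN_3` ("Ensure email is set") and `CKV_LIN_4` ("Ensure username is set") are provider-metadata completeness checks with no security bearing, and marking them `recommended: true` dilutes the recommended set with findings that have no risk attached. I would remove the added line from both and keep `CKV_LIN_1` (hard-coded tokens), `CKV_LIN_2` (SSH authorized_keys) and the two firewall-policy checks `CKV_LIN_5`/`CKV_LIN_6` as the recommended Linode subset.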
@@ -12292,6 +13203,7 @@ rules: group: cloud-weak-configuration name: CKV_NCP_10 pretty_name: Ensure no NACL allow inbound from 0.0.0.0:0 to port 22 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_11: categories: @@ -12303,6 +13215,7 @@ rules: group: cloud-weak-configuration name: CKV_NCP_11 pretty_name: Ensure no NACL allow inbound from 0.0.0.0:0 to port 3389 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_12: categories: @@ -12314,6 +13227,7 @@ rules: group: cloud-weak-configuration name: CKV_NCP_12 pretty_name: An inbound Network ACL rule should not allow ALL ports. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_13: categories: @@ -12325,6 +13239,7 @@ rules: group: cloud-weak-configuration name: CKV_NCP_13 pretty_name: Ensure LB Listener uses only secure protocols + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_14: categories: @@ -12335,6 +13250,7 @@ rules: group: cloud-unencrypted-resources name: CKV_NCP_14 pretty_name: Ensure NAS is securely encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_15: categories: @@ -12346,6 +13262,7 @@ rules: group: cloud-unencrypted-resources name: CKV_NCP_15 pretty_name: Ensure Load Balancer Target Group is not using HTTP + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_16: categories: @@ -12357,6 +13274,7 @@ rules: group: cloud-resources-public-access name: CKV_NCP_16 pretty_name: Ensure Load Balancer isn't exposed to the internet + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_18: categories: @@ -12369,6 +13287,7 @@ rules: name: CKV_NCP_18 pretty_name: Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_19: categories: 
@@ -12380,6 +13299,7 @@ rules: group: cloud-resources-public-access name: CKV_NCP_19 pretty_name: Ensure Naver Kubernetes Service public endpoint disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_2: categories: @@ -12391,6 +13311,7 @@ rules: group: cloud-weak-configuration name: CKV_NCP_2 pretty_name: Ensure every access control groups rule has a description + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_20: categories: @@ -12403,6 +13324,7 @@ rules: name: CKV_NCP_20 pretty_name: Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_22: categories: @@ -12414,6 +13336,7 @@ rules: group: cloud-weak-configuration name: CKV_NCP_22 pretty_name: Ensure NKS control plane logging enabled for all log types + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_23: categories: @@ -12425,6 +13348,7 @@ rules: group: cloud-resources-public-access name: CKV_NCP_23 pretty_name: Ensure Server instance should not have public IP. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_24: categories: @@ -12436,6 +13360,7 @@ rules: group: cloud-unencrypted-resources name: CKV_NCP_24 pretty_name: Ensure Load Balancer Listener Using HTTPS + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_25: categories: @@ -12448,6 +13373,7 @@ rules: name: CKV_NCP_25 pretty_name: Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_26: categories: @@ -12459,6 +13385,7 @@ rules: group: cloud-weak-configuration name: CKV_NCP_26 pretty_name: Ensure Access Control Group has Access Control Group Rule attached + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_3: categories: 
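Review bot: `CKV_NCP_20` ("Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity") is a connectivity check that requires an internet route to exist, which pulls in the opposite direction from the public-access hardening rules on this same line, and `CKV_NCP_2` ("every access control groups rule has a description") is documentation hygiene; both are now `recommended: true`. Neither fits a default security profile, so I would drop the added line from those two, or if they are intentionally kept, mark each with `# recommended for configuration hygiene, not a security finding` to make the intent explicit.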
@@ -12469,6 +13396,7 @@ rules: group: cloud-weak-configuration name: CKV_NCP_3 pretty_name: Ensure no security group rules allow outbound traffic to 0.0.0.0/0 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_4: categories: @@ -12481,6 +13409,7 @@ rules: name: CKV_NCP_4 pretty_name: Ensure no access control groups allow inbound from 0.0.0.0:0 to port 22 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_5: categories: @@ -12493,6 +13422,7 @@ rules: name: CKV_NCP_5 pretty_name: Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_6: categories: @@ -12504,6 +13434,7 @@ rules: group: cloud-unencrypted-resources name: CKV_NCP_6 pretty_name: Ensure Server instance is encrypted. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_7: categories: @@ -12514,6 +13445,7 @@ rules: group: cloud-unencrypted-resources name: CKV_NCP_7 pretty_name: Ensure Basic Block storage is encrypted. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_8: categories: @@ -12525,6 +13457,7 @@ rules: group: cloud-weak-configuration name: CKV_NCP_8 pretty_name: Ensure no NACL allow inbound from 0.0.0.0:0 to port 20 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_NCP_9: categories: @@ -12536,6 +13469,7 @@ rules: group: cloud-weak-configuration name: CKV_NCP_9 pretty_name: Ensure no NACL allow inbound from 0.0.0.0:0 to port 21 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_OCI_1: categories: @@ -12547,6 +13481,7 @@ rules: group: stored-secrets name: CKV_OCI_1 pretty_name: Ensure no hard coded OCI private key in provider + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_OCI_10: categories: 
@@ -12558,6 +13493,7 @@ rules: group: cloud-resources-public-access name: CKV_OCI_10 pretty_name: Ensure OCI Object Storage is not Public + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_OCI_11: categories: @@ -12622,6 +13558,7 @@ rules: group: cloud-weak-configuration name: CKV_OCI_16 pretty_name: Ensure VCN has an inbound security list + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_OCI_17: categories: @@ -12633,6 +13570,7 @@ rules: group: cloud-weak-configuration name: CKV_OCI_17 pretty_name: Ensure VCN inbound security lists are stateless + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_OCI_18: categories: @@ -12656,6 +13594,7 @@ rules: group: cloud-weak-configuration name: CKV_OCI_19 pretty_name: Ensure no security list allow ingress from 0.0.0.0:0 to port 22. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_OCI_2: categories: @@ -12677,6 +13616,7 @@ rules: group: cloud-weak-configuration name: CKV_OCI_20 pretty_name: Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_OCI_21: categories: @@ -12688,6 +13628,7 @@ rules: group: cloud-weak-configuration name: CKV_OCI_21 pretty_name: Ensure security group has stateless ingress security rules + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_OCI_22: categories: @@ -12700,6 +13641,7 @@ rules: name: CKV_OCI_22 pretty_name: Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_OCI_3: categories: @@ -12720,6 +13662,7 @@ rules: name: CKV_OCI_4 pretty_name: Ensure OCI Compute Instance boot volume has in-transit data encryption enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_OCI_5: categories: 
@@ -12732,6 +13675,7 @@ rules: name: CKV_OCI_5 pretty_name: Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_OCI_6: categories: @@ -12743,6 +13687,7 @@ rules: group: cloud-weak-configuration name: CKV_OCI_6 pretty_name: Ensure OCI Compute Instance has monitoring enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_OCI_7: categories: @@ -12782,6 +13727,7 @@ rules: name: CKV_OPENAPI_1 pretty_name: Ensure that securityDefinitions is defined and not empty - version 2.0 files + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_OPENAPI_10: categories: @@ -12794,6 +13740,7 @@ rules: name: CKV_OPENAPI_10 pretty_name: Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_OPENAPI_11: categories: @@ -12806,6 +13753,7 @@ rules: name: CKV_OPENAPI_11 pretty_name: Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_OPENAPI_12: categories: @@ -12818,6 +13766,7 @@ rules: name: CKV_OPENAPI_12 pretty_name: Ensure no security definition is using implicit flow on OAuth2, which is deprecated - version 2.0 files + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_OPENAPI_13: categories: @@ -12829,6 +13778,7 @@ rules: group: cloud-weak-configuration name: CKV_OPENAPI_13 pretty_name: Ensure security definitions do not use basic auth - version 2.0 files + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_OPENAPI_14: categories: 
@@ -12841,6 +13791,7 @@ rules:
 name: CKV_OPENAPI_14
 pretty_name: Ensure that operation objects do not use 'implicit' flow, which is deprecated - version 2.0 files
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENAPI_15:
 categories:
@@ -12853,6 +13804,7 @@ rules:
 name: CKV_OPENAPI_15
 pretty_name: Ensure that operation objects do not use basic auth - version 2.0 files
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENAPI_16:
 categories:
@@ -12865,6 +13817,7 @@ rules:
 name: CKV_OPENAPI_16
 pretty_name: Ensure that operation objects have 'produces' field defined for GET operations - version 2.0 files
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENAPI_17:
 categories:
@@ -12877,6 +13830,7 @@ rules:
 name: CKV_OPENAPI_17
 pretty_name: Ensure that operation objects have 'consumes' field defined for PUT, POST and PATCH operations - version 2.0 files
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENAPI_18:
 categories:
@@ -12889,6 +13843,7 @@ rules:
 name: CKV_OPENAPI_18
 pretty_name: Ensure that global schemes use 'https' protocol instead of 'http'- version 2.0 files
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENAPI_19:
 categories:
@@ -12901,6 +13856,7 @@ rules:
 name: CKV_OPENAPI_19
 pretty_name: Ensure that global security scope is defined in securityDefinitions - version 2.0 files
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENAPI_2:
 categories:
@@ -12913,6 +13869,7 @@ rules:
 name: CKV_OPENAPI_2
 pretty_name: Ensure that if the security scheme is not of type 'oauth2', the array value must be empty - version 2.0 files
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENAPI_20:
 categories:
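Review bot: `+ recommended: true` under CKV_OPENAPI_16 and CKV_OPENAPI_17 switches on checks that only require `produces`/`consumes` to be declared on operations — a spec-completeness rule with no direct security impact — in the same default set as CKV_OPENAPI_18's http-versus-https check. A default-on set is the first output a new user sees, and padding it with hygiene findings teaches them to dismiss the rest. Consider dropping those two `recommended: true` lines; if `recommended` is instead meant to mirror checkov's own defaults rather than security relevance, a one-line comment at the top of the file saying so would stop reviewers asking.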
@@ -12924,6 +13881,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_OPENAPI_20
 pretty_name: Ensure that API keys are not sent over cleartext
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENAPI_21:
 categories:
@@ -12935,6 +13893,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_OPENAPI_21
 pretty_name: Ensure that arrays have a maximum number of items
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENAPI_3:
 categories:
@@ -12947,6 +13906,7 @@ rules:
 name: CKV_OPENAPI_3
 pretty_name: Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENAPI_4:
 categories:
@@ -12958,6 +13918,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_OPENAPI_4
 pretty_name: Ensure that the global security field has rules defined
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENAPI_5:
 categories:
@@ -12969,6 +13930,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_OPENAPI_5
 pretty_name: Ensure that security operations is not empty.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENAPI_6:
 categories:
@@ -12981,6 +13943,7 @@ rules:
 name: CKV_OPENAPI_6
 pretty_name: Ensure that security requirement defined in securityDefinitions - version 2.0 files
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENAPI_7:
 categories:
@@ -12993,6 +13956,7 @@ rules:
 name: CKV_OPENAPI_7
 pretty_name: Ensure that the path scheme does not support unencrypted HTTP connection - version 2.0 files
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENAPI_8:
 categories:
@@ -13005,6 +13969,7 @@ rules:
 name: CKV_OPENAPI_8
 pretty_name: Ensure that security is not using 'password' flow in OAuth2 authentication - version 2.0 files
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENAPI_9:
 categories:
@@ -13017,6 +13982,7 @@ rules:
 name: CKV_OPENAPI_9
 pretty_name: Ensure that security scopes of operations are defined in securityDefinitions - version 2.0 files
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENSTACK_1:
 categories:
@@ -13029,6 +13995,7 @@ rules:
 name: CKV_OPENSTACK_1
 pretty_name: Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENSTACK_2:
 categories:
@@ -13041,6 +14008,7 @@ rules:
 name: CKV_OPENSTACK_2
 pretty_name: Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp)
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENSTACK_3:
 categories:
@@ -13053,6 +14021,7 @@ rules:
 name: CKV_OPENSTACK_3
 pretty_name: Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp)
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENSTACK_4:
 categories:
@@ -13064,6 +14033,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_OPENSTACK_4
 pretty_name: Ensure that instance does not use basic credentials
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_OPENSTACK_5:
 categories:
@@ -13075,6 +14045,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_OPENSTACK_5
 pretty_name: Ensure firewall rule set a destination IP
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_PAN_1:
 categories:
@@ -13086,6 +14057,7 @@ rules:
 group: stored-secrets
 name: CKV_PAN_1
 pretty_name: Ensure no hard coded PAN-OS credentials exist in provider
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_PAN_10:
 categories:
@@ -13097,6 +14069,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_PAN_10
 pretty_name: Ensure logging at session end is enabled within security policies
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_PAN_11:
 categories:
@@ -13108,6 +14081,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_PAN_11
 pretty_name: Ensure IPsec profiles do not specify use of insecure encryption algorithms
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_PAN_12:
 categories:
@@ -13120,6 +14094,7 @@ rules:
 name: CKV_PAN_12
 pretty_name: Ensure IPsec profiles do not specify use of insecure authentication algorithms
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_PAN_13:
 categories:
@@ -13131,6 +14106,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_PAN_13
 pretty_name: Ensure IPsec profiles do not specify use of insecure protocols
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_PAN_14:
 categories:
@@ -13142,6 +14118,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_PAN_14
 pretty_name: Ensure a Zone Protection Profile is defined within Security Zones
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_PAN_15:
 categories:
@@ -13153,6 +14130,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_PAN_15
 pretty_name: Ensure an Include ACL is defined for a Zone when User-ID is enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_PAN_16:
 categories:
@@ -13165,6 +14143,7 @@ rules:
 name: CKV_PAN_16
 pretty_name: Ensure logging at session start is disabled within security policies except for troubleshooting and long lived GRE tunnels
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_PAN_17:
 categories:
@@ -13177,6 +14156,7 @@ rules:
 name: CKV_PAN_17
 pretty_name: Ensure security rules do not have 'source_zone' and 'destination_zone' both containing values of 'any'
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_PAN_2:
 categories:
@@ -13189,6 +14169,7 @@ rules:
 name: CKV_PAN_2
 pretty_name: Ensure plain-text management HTTP is not enabled for an Interface Management Profile
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_PAN_3:
 categories:
@@ -13201,6 +14182,7 @@ rules:
 name: CKV_PAN_3
 pretty_name: Ensure plain-text management Telnet is not enabled for an Interface Management Profile
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_PAN_4:
 categories:
@@ -13212,6 +14194,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_PAN_4
 pretty_name: Ensure DSRI is not enabled within security policies
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_PAN_5:
 categories:
@@ -13223,6 +14206,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_PAN_5
 pretty_name: 'Ensure security rules do not have ''applications'' set to ''any'' '
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_PAN_6:
 categories:
@@ -13234,6 +14218,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_PAN_6
 pretty_name: 'Ensure security rules do not have ''services'' set to ''any'' '
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_PAN_7:
 categories:
@@ -13246,6 +14231,7 @@ rules:
 name: CKV_PAN_7
 pretty_name: 'Ensure security rules do not have ''source_addresses'' and ''destination_addresses'' both containing values of ''any'' '
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_PAN_8:
 categories:
@@ -13257,6 +14243,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_PAN_8
 pretty_name: Ensure description is populated within security policies
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_PAN_9:
 categories:
@@ -13278,6 +14265,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_1
 pretty_name: Artifactory Credentials
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_10:
 categories:
@@ -13289,6 +14277,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_10
 pretty_name: Secret Keyword
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_11:
 categories:
@@ -13300,6 +14289,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_11
 pretty_name: Mailchimp Access Key
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_12:
 categories:
@@ -13311,6 +14301,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_12
 pretty_name: NPM tokens
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_13:
 categories:
@@ -13322,6 +14313,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_13
 pretty_name: Private Key
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_14:
 categories:
@@ -13333,6 +14325,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_14
 pretty_name: Slack Token
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_15:
 categories:
@@ -13344,6 +14337,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_15
 pretty_name: SoftLayer Credentials
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_16:
 categories:
@@ -13355,6 +14349,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_16
 pretty_name: Square OAuth Secret
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_17:
 categories:
@@ -13366,6 +14361,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_17
 pretty_name: Stripe Access Key
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_18:
 categories:
@@ -13377,6 +14373,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_18
 pretty_name: Twilio API Key
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_19:
 categories:
@@ -13395,6 +14392,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_2
 pretty_name: AWS Access Key
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_3:
 categories:
@@ -13406,6 +14404,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_3
 pretty_name: Azure Storage Account access key
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_4:
 categories:
@@ -13417,6 +14416,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_4
 pretty_name: Basic Auth Credentials
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_5:
 categories:
@@ -13428,6 +14428,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_5
 pretty_name: Cloudant Credentials
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_6:
 categories:
@@ -13448,6 +14449,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_7
 pretty_name: IBM Cloud IAM Key
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_8:
 categories:
@@ -13459,6 +14461,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_8
 pretty_name: IBM COS HMAC Credentials
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_9:
 categories:
@@ -13470,6 +14473,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_9
 pretty_name: JSON Web Token
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_TF_1:
 categories:
@@ -13481,6 +14485,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: CKV_TF_1
 pretty_name: Ensure Terraform module sources use a commit hash
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_TF_2:
 categories:
@@ -13492,6 +14497,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: CKV_TF_2
 pretty_name: Ensure Terraform module sources use a tag with a version number
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_1:
 categories:
@@ -13503,6 +14509,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_YC_1
 pretty_name: Ensure security group is assigned to database cluster.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_10:
 categories:
@@ -13514,6 +14521,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_YC_10
 pretty_name: Ensure etcd database is encrypted with KMS key.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_11:
 categories:
@@ -13525,6 +14533,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_YC_11
 pretty_name: Ensure security group is assigned to network interface.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_12:
 categories:
@@ -13536,6 +14545,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_YC_12
 pretty_name: Ensure public IP is not assigned to database cluster.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_13:
 categories:
@@ -13547,6 +14557,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_YC_13
 pretty_name: Ensure cloud member does not have elevated access.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_14:
 categories:
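Review bot: Both CKV_TF_1 (`Ensure Terraform module sources use a commit hash`) and CKV_TF_2 (`Ensure Terraform module sources use a tag with a version number`) receive `+ recommended: true`, but a git module source carries a single `?ref=`, so as the two names read a pinned module can satisfy at most one of them and every git-sourced module will raise a default-on finding from the other. Unless CKV_TF_2 is actually implemented against registry `version` pins rather than git refs — worth confirming against the checkov source before deciding — keep only one recommended: the commit hash is the immutable pin, a tag can be moved, so dropping the `recommended: true` under CKV_TF_2 is the safer choice. If both are intentionally on, a one-line comment next to them explaining how a user is expected to satisfy both would save the next reader the same question.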
@@ -13558,6 +14569,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_YC_14
 pretty_name: Ensure security group is assigned to Kubernetes cluster.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_15:
 categories:
@@ -13569,6 +14581,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_YC_15
 pretty_name: Ensure security group is assigned to Kubernetes node group.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_16:
 categories:
@@ -13590,6 +14603,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_YC_17
 pretty_name: Ensure storage bucket does not have public access permissions.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_18:
 categories:
@@ -13601,6 +14615,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_YC_18
 pretty_name: Ensure compute instance group does not have public IP.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_19:
 categories:
@@ -13612,6 +14627,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_YC_19
 pretty_name: Ensure security group does not contain allow-all rules.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_2:
 categories:
@@ -13623,6 +14639,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_YC_2
 pretty_name: Ensure compute instance does not have public IP.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_20:
 categories:
@@ -13634,6 +14651,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_YC_20
 pretty_name: Ensure security group rule is not allow-all.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_21:
 categories:
@@ -13645,6 +14663,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_YC_21
 pretty_name: Ensure organization member does not have elevated access.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_22:
 categories:
@@ -13656,6 +14675,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_YC_22
 pretty_name: Ensure compute instance group has security group assigned.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_23:
 categories:
@@ -13667,6 +14687,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_YC_23
 pretty_name: Ensure folder member does not have elevated access.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_24:
 categories:
@@ -13679,6 +14700,7 @@ rules:
 name: CKV_YC_24
 pretty_name: Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_3:
 categories:
@@ -13689,6 +14711,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_YC_3
 pretty_name: Ensure storage bucket is encrypted.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_4:
 categories:
@@ -13700,6 +14723,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_YC_4
 pretty_name: Ensure compute instance does not have serial console enabled.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_5:
 categories:
@@ -13711,6 +14735,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_YC_5
 pretty_name: Ensure Kubernetes cluster does not have public IP address.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_6:
 categories:
@@ -13722,6 +14747,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_YC_6
 pretty_name: Ensure Kubernetes cluster node group does not have public IP addresses.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_7:
 categories:
@@ -13733,6 +14759,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_YC_7
 pretty_name: Ensure Kubernetes cluster auto-upgrade is enabled.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_8:
 categories:
@@ -13744,6 +14771,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_YC_8
 pretty_name: Ensure Kubernetes node group auto-upgrade is enabled.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_9:
 categories:
@@ -13755,5 +14783,5 @@ rules:
 group: cloud-weak-secrets-management
 name: CKV_YC_9
 pretty_name: Ensure KMS symmetric key is rotated.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
-
From 57200656a9c683bf65d25204fb5c45d081b2ab81 Mon Sep 17 00:00:00 2001
From: Alexis-Maurer Fortin
Date: Mon, 5 Aug 2024 13:17:47 -0400
Subject: [PATCH 3/5] checkov tf plan
---
 .../checkov-tf-plan/rules.yaml | 1029 +++++++++++++++++
 1 file changed, 1029 insertions(+)
diff --git a/scanners/boostsecurityio/checkov-tf-plan/rules.yaml b/scanners/boostsecurityio/checkov-tf-plan/rules.yaml
index 2a1b1c14..8b7cac24 100644
--- a/scanners/boostsecurityio/checkov-tf-plan/rules.yaml
+++ b/scanners/boostsecurityio/checkov-tf-plan/rules.yaml
@@ -20,6 +20,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV2_ANSIBLE_1
 pretty_name: Ensure that HTTPS url is used with uri
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_ANSIBLE_2:
 categories:
@@ -31,6 +32,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV2_ANSIBLE_2
 pretty_name: Ensure that HTTPS url is used with get_url
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_ANSIBLE_3:
 categories:
@@ -42,6 +44,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_ANSIBLE_3
 pretty_name: Ensure block is handling task errors properly
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_ANSIBLE_4:
 categories:
@@ -54,6 +57,7 @@ rules:
 name: CKV2_ANSIBLE_4
 pretty_name: Ensure that packages with untrusted or missing GPG signatures are not used by dnf
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_ANSIBLE_5:
 categories:
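Review bot: CKV2_ANSIBLE_3 (`Ensure block is handling task errors properly`) gets `+ recommended: true` alongside the HTTPS and GPG-signature checks, but it is a playbook-robustness rule rather than a security control, and it presumably fires on every `block:` that lacks a `rescue`/`always` — the kind of standing finding that makes teams mute the scanner. Consider leaving that one opt-in. Separately, this hunk opens `scanners/boostsecurityio/checkov-tf-plan/rules.yaml`, which carries the same CKV ids as the rules file patched in the preceding hunks; if the `recommended` flags are meant to agree between the two files, generating one from the other (or a shared source) would keep them from drifting, since nothing in the diff enforces that today.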
@@ -65,6 +69,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: CKV2_ANSIBLE_5
 pretty_name: Ensure that SSL validation isn't disabled with dnf
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_ANSIBLE_6:
 categories:
@@ -76,6 +81,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: CKV2_ANSIBLE_6
 pretty_name: Ensure that certificate validation isn't disabled with dnf
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_1:
 categories:
@@ -87,6 +93,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AWS_1
 pretty_name: Ensure that all NACL are attached to subnets
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_10:
 categories:
@@ -97,6 +104,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AWS_10
 pretty_name: Ensure CloudTrail trails are integrated with CloudWatch Logs
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_11:
 categories:
@@ -117,6 +125,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AWS_12
 pretty_name: Ensure the default security group of every VPC restricts all traffic
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_14:
 categories:
@@ -128,6 +137,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV2_AWS_14
 pretty_name: Ensure that IAM groups includes at least one IAM user
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_15:
 categories:
@@ -139,6 +149,7 @@ rules:
 name: CKV2_AWS_15
 pretty_name: Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_16:
 categories:
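Review bot: In this run `+ recommended: true` lands on CKV2_AWS_1 (NACL attached to a subnet), CKV2_AWS_14 (IAM group has at least one user) and CKV2_AWS_15 (ASG uses ELB health checks), which are resource-hygiene and availability checks, next to CKV2_AWS_12's default-security-group control, which is a genuine one. An empty IAM group or an unattached NACL does not weaken a posture, and an `aws_iam_group` is routinely populated by a membership resource in a different module, so CKV2_AWS_14 in particular can become a standing false positive on plan scans. Suggest leaving those three lines unmarked so the recommended set stays something a team can realistically keep at zero.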
@@ -173,6 +184,7 @@ rules:
 name: CKV2_AWS_19
 pretty_name: Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_2:
 categories:
@@ -184,6 +196,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV2_AWS_2
 pretty_name: Ensure that only encrypted EBS volumes are attached to EC2 instances
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_20:
 categories:
@@ -195,6 +208,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AWS_20
 pretty_name: Ensure that ALB redirects HTTP requests into HTTPS ones
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_21:
 categories:
@@ -206,6 +220,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV2_AWS_21
 pretty_name: Ensure that all IAM users are members of at least one IAM group.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_22:
 categories:
@@ -226,6 +241,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AWS_23
 pretty_name: Route53 A Record has Attached Resource
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_27:
 categories:
@@ -292,6 +308,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AWS_32
 pretty_name: Ensure CloudFront distribution has a response headers policy attached
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_33:
 categories:
@@ -334,6 +351,7 @@ rules:
 name: CKV2_AWS_36
 pretty_name: Ensure terraform is not sending SSM secrets to untrusted domains over HTTP
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_37:
 categories:
@@ -345,6 +363,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: CKV2_AWS_37
 pretty_name: Ensure Codecommit associates an approval rule
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_38:
 categories:
@@ -378,6 +397,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AWS_4
 pretty_name: Ensure API Gateway stage have logging level defined as appropriate
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_40:
 categories:
@@ -389,6 +409,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV2_AWS_40
 pretty_name: Ensure AWS IAM policy does not allow full IAM privileges
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_41:
 categories:
@@ -400,6 +421,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV2_AWS_41
 pretty_name: Ensure an IAM role is attached to EC2 instance
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_42:
 categories:
@@ -411,6 +433,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV2_AWS_42
 pretty_name: Ensure AWS CloudFront distribution uses custom SSL certificate
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_43:
 categories:
@@ -422,6 +445,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV2_AWS_43
 pretty_name: Ensure S3 Bucket does not allow access to all Authenticated users
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_44:
 categories:
@@ -434,6 +458,7 @@ rules:
 name: CKV2_AWS_44
 pretty_name: Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_45:
 categories:
@@ -445,6 +470,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AWS_45
 pretty_name: Ensure AWS Config recorder is enabled to record all supported resources
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_46:
 categories:
@@ -457,6 +483,7 @@ rules:
 name: CKV2_AWS_46
 pretty_name: Ensure AWS Cloudfront Distribution with S3 have Origin Access set to enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_47:
 categories:
@@ -469,6 +496,7 @@ rules:
 name: CKV2_AWS_47
 pretty_name: Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_48:
 categories:
@@ -480,6 +508,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AWS_48
 pretty_name: Ensure AWS Config must record all possible resources
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_49:
 categories:
@@ -491,6 +520,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV2_AWS_49
 pretty_name: Ensure AWS Database Migration Service endpoints have SSL configured
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_5:
 categories:
@@ -502,6 +532,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AWS_5
 pretty_name: Ensure that Security Groups are attached to another resource
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_50:
 categories:
@@ -548,6 +579,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AWS_53
 pretty_name: Ensure AWS API gateway request is validated
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_54:
 categories:
@@ -560,6 +592,7 @@ rules:
 name: CKV2_AWS_54
 pretty_name: Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_55:
 categories:
@@ -571,6 +604,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AWS_55
 pretty_name: Ensure AWS EMR cluster is configured with security configuration
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_56:
 categories:
@@ -582,6 +616,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV2_AWS_56
 pretty_name: Ensure AWS Managed IAMFullAccess IAM policy is not used.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_57:
 categories:
@@ -604,6 +639,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AWS_58
 pretty_name: Ensure AWS Neptune cluster deletion protection is enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_59:
 categories:
@@ -626,6 +662,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV2_AWS_6
 pretty_name: Ensure that S3 bucket has a Public Access block
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_60:
 categories:
@@ -637,6 +674,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AWS_60
 pretty_name: Ensure RDS instance with copy tags to snapshots is enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_61:
 categories:
@@ -681,6 +719,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AWS_64
 pretty_name: Ensure KMS key Policy is defined
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_65:
 categories:
@@ -692,6 +731,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV2_AWS_65
 pretty_name: Ensure access control lists for S3 buckets are disabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_66:
 categories:
@@ -703,6 +743,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV2_AWS_66
 pretty_name: Ensure MWAA environment is not publicly accessible
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_67:
 categories:
@@ -727,6 +768,7 @@ rules:
 name: CKV2_AWS_7
 pretty_name: Ensure that Amazon EMR clusters' security groups are not open to the world
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_8:
 categories:
@@ -738,6 +780,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AWS_8
 pretty_name: Ensure that RDS clusters has backup plan of AWS Backup
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AWS_9:
 categories:
@@ -771,6 +814,7 @@ rules:
 name: CKV2_AZURE_10
 pretty_name: Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_11:
 categories:
@@ -802,6 +846,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AZURE_13
 pretty_name: Ensure that sql servers enables data security policy
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_14:
 categories:
@@ -813,6 +858,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV2_AZURE_14
 pretty_name: Ensure that Unattached disks are encrypted
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_15:
 categories:
@@ -861,6 +907,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AZURE_19
 pretty_name: Ensure that Azure Synapse workspaces have no IP firewall rules attached
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_2:
 categories:
@@ -873,6 +920,7 @@ rules:
 name: CKV2_AZURE_2
 pretty_name: Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_20:
 categories:
@@ -913,6 +961,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AZURE_23
 pretty_name: Ensure Azure spring cloud is configured with Virtual network (Vnet)
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_24:
 categories:
@@ -925,6 +974,7 @@ rules:
 name: CKV2_AZURE_24
 pretty_name: Ensure Azure automation account does NOT have overly permissive network access
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_25:
 categories:
@@ -936,6 +986,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV2_AZURE_25
 pretty_name: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_26:
 categories:
@@ -948,6 +999,7 @@ rules:
 name: CKV2_AZURE_26
 pretty_name: Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_27:
 categories:
@@ -959,6 +1011,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV2_AZURE_27
 pretty_name: Ensure Azure AD authentication is enabled for Azure SQL (MSSQL)
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_28:
 categories:
@@ -970,6 +1023,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV2_AZURE_28
 pretty_name: Ensure Container Instance is configured with managed identity
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_29:
 categories:
@@ -981,6 +1035,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV2_AZURE_29
 pretty_name: Ensure AKS cluster has Azure CNI networking enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_3:
 categories:
@@ -993,6 +1048,7 @@ rules:
 name: CKV2_AZURE_3
 pretty_name: Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_30:
 categories:
@@ -1004,6 +1060,7 @@ rules:  
 group: cloud-unencrypted-resources
 name: CKV2_AZURE_30
 pretty_name: Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV2_AZURE_31:
 categories:
@@ -1015,6 +1072,7 @@ rules:
group: cloud-weak-configuration
name: CKV2_AZURE_31
pretty_name: Ensure VNET subnet is configured with a Network Security Group (NSG)
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV2_AZURE_32:
categories:
@@ -1026,6 +1084,7 @@ rules:
group: cloud-weak-configuration
name: CKV2_AZURE_32
pretty_name: Ensure private endpoint is configured to key vault
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV2_AZURE_33:
categories:
@@ -1037,6 +1096,7 @@ rules:
group: cloud-weak-configuration
name: CKV2_AZURE_33
pretty_name: Ensure storage account is configured with private endpoint
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV2_AZURE_34:
categories:
@@ -1048,6 +1108,7 @@ rules:
group: cloud-weak-configuration
name: CKV2_AZURE_34
pretty_name: Ensure Azure SQL server firewall is not overly permissive
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV2_AZURE_35:
categories:
@@ -1059,6 +1120,7 @@ rules:
group: cloud-weak-configuration
name: CKV2_AZURE_35
pretty_name: Ensure Azure recovery services vault is configured with managed identity
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV2_AZURE_36:
categories:
@@ -1070,6 +1132,7 @@ rules:
group: cloud-weak-configuration
name: CKV2_AZURE_36
pretty_name: Ensure Azure automation account is configured with managed identity
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV2_AZURE_37:
categories:
@@ -1081,6 +1144,7 @@ rules:
group: cloud-weak-configuration
name: CKV2_AZURE_37
pretty_name: Ensure Azure MariaDB server is using latest TLS (1.2)
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV2_AZURE_38:
categories:
@@ -1092,6 +1156,7 @@ rules: group: cloud-weak-configuration name: CKV2_AZURE_38 pretty_name: Ensure soft-delete is enabled on Azure storage account + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_39: categories: @@ -1104,6 +1169,7 @@ rules: name: CKV2_AZURE_39 pretty_name: Ensure Azure VM is not configured with public IP and serial console access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_4: categories: @@ -1115,6 +1181,7 @@ rules: group: cloud-weak-configuration name: CKV2_AZURE_4 pretty_name: Ensure Azure SQL server ADS VA Send scan reports to is configured + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_40: categories: @@ -1126,6 +1193,7 @@ rules: group: cloud-insecure-iam name: CKV2_AZURE_40 pretty_name: Ensure storage account is not configured with Shared Key authorization + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_41: categories: @@ -1137,6 +1205,7 @@ rules: group: cloud-weak-secrets-management name: CKV2_AZURE_41 pretty_name: Ensure storage account is configured with SAS expiration policy + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_42: categories: @@ -1148,6 +1217,7 @@ rules: group: cloud-resources-public-access name: CKV2_AZURE_42 pretty_name: Ensure Azure PostgreSQL server is configured with private endpoint + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_43: categories: @@ -1159,6 +1229,7 @@ rules: group: cloud-resources-public-access name: CKV2_AZURE_43 pretty_name: Ensure Azure MariaDB server is configured with private endpoint + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_44: categories: 
@@ -1170,6 +1241,7 @@ rules: group: cloud-resources-public-access name: CKV2_AZURE_44 pretty_name: Ensure Azure MySQL server is configured with private endpoint + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_45: categories: @@ -1181,6 +1253,7 @@ rules: group: cloud-resources-public-access name: CKV2_AZURE_45 pretty_name: Ensure Microsoft SQL server is configured with private endpoint + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_46: categories: @@ -1192,6 +1265,7 @@ rules: group: cloud-weak-configuration name: CKV2_AZURE_46 pretty_name: Ensure that Azure Synapse Workspace vulnerability assessment is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_47: categories: @@ -1203,6 +1277,7 @@ rules: group: cloud-resources-public-access name: CKV2_AZURE_47 pretty_name: Ensure storage account is configured without blob anonymous access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_48: categories: @@ -1225,6 +1300,7 @@ rules: name: CKV2_AZURE_5 pretty_name: Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_6: categories: @@ -1237,6 +1313,7 @@ rules: name: CKV2_AZURE_6 pretty_name: Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_7: categories: @@ -1248,6 +1325,7 @@ rules: group: cloud-weak-configuration name: CKV2_AZURE_7 pretty_name: Ensure that Azure Active Directory Admin is configured + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_8: categories: 
@@ -1260,6 +1338,7 @@ rules: name: CKV2_AZURE_8 pretty_name: Ensure the storage container storing the activity logs is not publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_AZURE_9: categories: @@ -1271,6 +1350,7 @@ rules: group: cloud-weak-configuration name: CKV2_AZURE_9 pretty_name: Ensure Virtual Machines are utilizing Managed Disks + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_1: categories: @@ -1295,6 +1375,7 @@ rules: pretty_name: Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_11: categories: @@ -1308,6 +1389,7 @@ rules: pretty_name: Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_12: categories: @@ -1320,6 +1402,7 @@ rules: name: CKV2_DOCKER_12 pretty_name: Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_13: categories: @@ -1332,6 +1415,7 @@ rules: name: CKV2_DOCKER_13 pretty_name: Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_14: categories: @@ -1344,6 +1428,7 @@ rules: name: CKV2_DOCKER_14 pretty_name: Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_15: categories: 
@@ -1356,6 +1441,7 @@ rules: name: CKV2_DOCKER_15 pretty_name: Ensure that the yum and dnf package managers are not configured to disable SSL certificate validation via the 'sslverify' configuration option + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_16: categories: @@ -1368,6 +1454,7 @@ rules: name: CKV2_DOCKER_16 pretty_name: Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_17: categories: @@ -1379,6 +1466,7 @@ rules: group: cloud-weak-secrets-management name: CKV2_DOCKER_17 pretty_name: Ensure that 'chpasswd' is not used to set or remove passwords + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_2: categories: @@ -1390,6 +1478,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV2_DOCKER_2 pretty_name: Ensure that certificate validation isn't disabled with curl + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_3: categories: @@ -1401,6 +1490,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV2_DOCKER_3 pretty_name: Ensure that certificate validation isn't disabled with wget + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_4: categories: @@ -1413,6 +1503,7 @@ rules: name: CKV2_DOCKER_4 pretty_name: Ensure that certificate validation isn't disabled with the pip '--trusted-host' option + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_5: categories: @@ -1425,6 +1516,7 @@ rules: name: CKV2_DOCKER_5 pretty_name: Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_6: categories: 
@@ -1437,6 +1529,7 @@ rules: name: CKV2_DOCKER_6 pretty_name: Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_7: categories: @@ -1449,6 +1542,7 @@ rules: name: CKV2_DOCKER_7 pretty_name: Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_8: categories: @@ -1461,6 +1555,7 @@ rules: name: CKV2_DOCKER_8 pretty_name: Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_DOCKER_9: categories: @@ -1473,6 +1568,7 @@ rules: name: CKV2_DOCKER_9 pretty_name: Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_1: categories: @@ -1485,6 +1581,7 @@ rules: name: CKV2_GCP_1 pretty_name: 'Ensure GKE clusters are not running using the Compute Engine default service account ' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_10: categories: @@ -1507,6 +1604,7 @@ rules: group: cloud-weak-configuration name: CKV2_GCP_11 pretty_name: Ensure GCP GCR Container Vulnerability Scanning is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_12: categories: @@ -1519,6 +1617,7 @@ rules: name: CKV2_GCP_12 pretty_name: Ensure GCP compute firewall ingress does not allow unrestricted access to all ports + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_13: categories: 
@@ -1586,6 +1685,7 @@ rules: name: CKV2_GCP_18 pretty_name: Ensure GCP network defines a firewall and does not use the default firewall + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_19: categories: @@ -1609,6 +1709,7 @@ rules: group: cloud-weak-configuration name: CKV2_GCP_2 pretty_name: Ensure legacy networks do not exist for a project + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_20: categories: @@ -1620,6 +1721,7 @@ rules: group: cloud-weak-configuration name: CKV2_GCP_20 pretty_name: Ensure MySQL DB instance has point-in-time recovery backup configured + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_21: categories: @@ -1712,6 +1814,7 @@ rules: group: cloud-resources-public-access name: CKV2_GCP_28 pretty_name: Ensure Vertex AI workbench instances are private + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_29: categories: @@ -1723,6 +1826,7 @@ rules: group: cloud-weak-configuration name: CKV2_GCP_29 pretty_name: Ensure logging is enabled for Dialogflow agents + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_3: categories: @@ -1735,6 +1839,7 @@ rules: name: CKV2_GCP_3 pretty_name: Ensure that there are only GCP-managed service account keys for each service account + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_30: categories: @@ -1746,6 +1851,7 @@ rules: group: cloud-weak-configuration name: CKV2_GCP_30 pretty_name: Ensure logging is enabled for Dialogflow CX agents + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_31: categories: @@ -1757,6 +1863,7 @@ rules: group: cloud-weak-configuration name: CKV2_GCP_31 pretty_name: Ensure logging is enabled for Dialogflow CX webhooks + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_32: categories: 
@@ -1768,6 +1875,7 @@ rules: group: cloud-resources-public-access name: CKV2_GCP_32 pretty_name: Ensure TPU v2 is private + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_33: categories: @@ -1779,6 +1887,7 @@ rules: group: cloud-resources-public-access name: CKV2_GCP_33 pretty_name: Ensure Vertex AI endpoint is private + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_34: categories: @@ -1790,6 +1899,7 @@ rules: group: cloud-resources-public-access name: CKV2_GCP_34 pretty_name: Ensure Vertex AI index endpoint is private + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_35: categories: @@ -1813,6 +1923,7 @@ rules: group: cloud-resources-public-access name: CKV2_GCP_36 pretty_name: Ensure Vertex AI runtime is private + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_4: categories: @@ -1836,6 +1947,7 @@ rules: name: CKV2_GCP_5 pretty_name: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_6: categories: @@ -1848,6 +1960,7 @@ rules: name: CKV2_GCP_6 pretty_name: Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_7: categories: @@ -1860,6 +1973,7 @@ rules: name: CKV2_GCP_7 pretty_name: Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_8: categories: @@ -1871,6 +1985,7 @@ rules: group: cloud-resources-public-access name: CKV2_GCP_8 pretty_name: Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GCP_9: categories: 
@@ -1883,6 +1998,7 @@ rules: name: CKV2_GCP_9 pretty_name: Ensure that Container Registry repositories are not anonymously or publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GHA_1: categories: @@ -1894,6 +2010,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV2_GHA_1 pretty_name: Ensure top-level permissions are not set to write-all + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_GIT_1: categories: @@ -1905,6 +2022,7 @@ rules: group: supply-chain-scm-weak-configuration name: CKV2_GIT_1 pretty_name: Ensure each Repository has branch protection associated + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_IBM_1: categories: @@ -1916,6 +2034,7 @@ rules: group: cloud-resources-public-access name: CKV2_IBM_1 pretty_name: Ensure load balancer for VPC is private (disable public access) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_IBM_2: categories: @@ -1927,6 +2046,7 @@ rules: group: cloud-weak-configuration name: CKV2_IBM_2 pretty_name: Ensure VPC classic access is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_IBM_3: categories: @@ -1938,6 +2058,7 @@ rules: group: cloud-weak-secrets-management name: CKV2_IBM_3 pretty_name: Ensure API key creation is restricted in account settings + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_IBM_4: categories: @@ -1950,6 +2071,7 @@ rules: name: CKV2_IBM_4 pretty_name: Ensure Multi-Factor Authentication (MFA) is enabled at the account level + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_IBM_5: categories: @@ -1961,6 +2083,7 @@ rules: group: cloud-insecure-iam name: CKV2_IBM_5 pretty_name: Ensure Service ID creation is restricted in account settings + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_IBM_6: categories: 
@@ -1972,6 +2095,7 @@ rules: group: cloud-weak-configuration name: CKV2_IBM_6 pretty_name: Ensure Databases network access is restricted to a specific IP range + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_IBM_7: categories: @@ -1984,6 +2108,7 @@ rules: name: CKV2_IBM_7 pretty_name: Ensure Kubernetes clusters are accessible by using private endpoint and NOT public endpoint + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_K8S_1: categories: @@ -1996,6 +2121,7 @@ rules: name: CKV2_K8S_1 pretty_name: RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_K8S_2: categories: @@ -2008,6 +2134,7 @@ rules: name: CKV2_K8S_2 pretty_name: Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_K8S_3: categories: @@ -2020,6 +2147,7 @@ rules: name: CKV2_K8S_3 pretty_name: No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_K8S_4: categories: @@ -2033,6 +2161,7 @@ rules: pretty_name: ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_K8S_5: categories: @@ -2044,6 +2173,7 @@ rules: group: cloud-insecure-iam name: CKV2_K8S_5 pretty_name: No ServiceAccount/Node should be able to read all secrets + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_K8S_6: categories: 
@@ -2066,6 +2196,7 @@ rules: group: cloud-insecure-iam name: CKV2_OCI_1 pretty_name: Ensure administrator users are not associated with API keys + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_OCI_2: categories: @@ -2077,6 +2208,7 @@ rules: group: cloud-weak-configuration name: CKV2_OCI_2 pretty_name: Ensure NSG does not allow all traffic on RDP port (3389) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_OCI_3: categories: @@ -2088,6 +2220,7 @@ rules: group: cloud-weak-configuration name: CKV2_OCI_3 pretty_name: Ensure Kubernetes engine cluster is configured with NSG(s) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_OCI_4: categories: @@ -2099,6 +2232,7 @@ rules: group: cloud-weak-configuration name: CKV2_OCI_4 pretty_name: Ensure File Storage File System access is restricted to root users + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_OCI_5: categories: @@ -2111,6 +2245,7 @@ rules: name: CKV2_OCI_5 pretty_name: Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV2_OCI_6: categories: @@ -2133,6 +2268,7 @@ rules: group: cloud-resources-public-access name: CKV_ALI_1 pretty_name: Alibaba Cloud OSS bucket accessible to public + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_10: categories: @@ -2142,6 +2278,7 @@ rules: group: cloud-weak-configuration name: CKV_ALI_10 pretty_name: Ensure OSS bucket has versioning enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_11: categories: @@ -2151,6 +2288,7 @@ rules: group: cloud-weak-configuration name: CKV_ALI_11 pretty_name: Ensure OSS bucket has transfer Acceleration enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_12: categories: 
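Review bot: CKV_ALI_11 (`Ensure OSS bucket has transfer Acceleration enabled`) is promoted with `recommended: true` in the last hunk on this line, but transfer acceleration is a performance and cost feature rather than a security control, so surfacing it by default produces findings with no risk-reduction rationale. The other rules promoted here (public OSS bucket, versioning, access logging, NSG and IAM checks) are posture checks, so if `recommended` is meant to be the default security baseline, the CKV_ALI_11 line should be dropped or the inclusion criterion recorded, e.g. a top-of-file comment `# recommended: true marks rules surfaced by default as baseline security findings`. The same question appears to apply to CKV_ALI_30 (minor-version auto upgrade) and CKV_ALI_31 (nodepool auto repair) in the hunks on the following line, although those at least have a patch-hygiene argument.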
@@ -2162,6 +2300,7 @@ rules:
group: cloud-weak-configuration
name: CKV_ALI_12
pretty_name: Ensure the OSS bucket has access logging enabled
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_ALI_13:
categories:
@@ -2220,6 +2359,7 @@ rules:
group: cloud-insecure-iam
name: CKV_ALI_18
pretty_name: Ensure RAM password policy prevents password reuse
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_ALI_19:
categories:
@@ -2240,6 +2380,7 @@ rules:
group: cloud-weak-configuration
name: CKV_ALI_2
pretty_name: Ensure no security groups allow ingress from 0.0.0.0:0 to port 22
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_ALI_20:
categories:
@@ -2251,6 +2392,7 @@ rules:
group: cloud-unencrypted-resources
name: CKV_ALI_20
pretty_name: Ensure RDS instance uses SSL
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_ALI_21:
categories:
@@ -2262,6 +2404,7 @@ rules:
group: cloud-unencrypted-resources
name: CKV_ALI_21
pretty_name: Ensure API Gateway API Protocol HTTPS
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_ALI_22:
categories:
@@ -2273,6 +2416,7 @@ rules:
group: cloud-unencrypted-resources
name: CKV_ALI_22
pretty_name: Ensure Transparent Data Encryption is Enabled on instance
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_ALI_23:
categories:
@@ -2282,6 +2426,7 @@ rules:
group: cloud-insecure-iam
name: CKV_ALI_23
pretty_name: Ensure Ram Account Password Policy Max Login Attempts not > 5
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_ALI_24:
categories:
@@ -2293,6 +2438,7 @@ rules:
group: cloud-insecure-iam
name: CKV_ALI_24
pretty_name: Ensure RAM enforces MFA
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_ALI_25:
categories:
@@ -2314,6 +2460,7 @@ rules: name: CKV_ALI_26 pretty_name: Ensure Kubernetes installs plugin Terway or Flannel to support standard policies + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_27: categories: @@ -2325,6 +2472,7 @@ rules: group: cloud-weak-secrets-management name: CKV_ALI_27 pretty_name: Ensure KMS Key Rotation is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_28: categories: @@ -2336,6 +2484,7 @@ rules: group: cloud-weak-secrets-management name: CKV_ALI_28 pretty_name: Ensure KMS Keys are enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_29: categories: @@ -2345,6 +2494,7 @@ rules: group: cloud-weak-configuration name: CKV_ALI_29 pretty_name: Alibaba ALB ACL does not restrict Access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_3: categories: @@ -2354,6 +2504,7 @@ rules: group: cloud-weak-configuration name: CKV_ALI_3 pretty_name: Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_30: categories: @@ -2363,6 +2514,7 @@ rules: group: cloud-weak-configuration name: CKV_ALI_30 pretty_name: Ensure RDS instance auto upgrades for minor versions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_31: categories: @@ -2372,6 +2524,7 @@ rules: group: cloud-weak-configuration name: CKV_ALI_31 pretty_name: Ensure K8s nodepools are set to auto repair + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_32: categories: @@ -2381,6 +2534,7 @@ rules: group: cloud-unencrypted-resources name: CKV_ALI_32 pretty_name: Ensure launch template data disks are encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ALI_33: categories: 
@@ -2390,6 +2544,7 @@ rules:
group: cloud-unencrypted-resources
name: CKV_ALI_33
pretty_name: Alibaba Cloud Cypher Policy are secure
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_ALI_35:
categories:
@@ -2435,6 +2590,7 @@ rules:
group: cloud-weak-configuration
name: CKV_ALI_4
pretty_name: Ensure Action Trail Logging for all regions
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_ALI_41:
categories:
@@ -2444,6 +2600,7 @@ rules:
group: cloud-weak-configuration
name: CKV_ALI_41
pretty_name: Ensure MongoDB is deployed inside a VPC
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_ALI_42:
categories:
@@ -2453,6 +2610,7 @@ rules:
group: cloud-unencrypted-resources
name: CKV_ALI_42
pretty_name: Ensure Mongodb instance uses SSL
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_ALI_43:
categories:
@@ -2462,6 +2620,7 @@ rules:
group: cloud-resources-public-access
name: CKV_ALI_43
pretty_name: Ensure MongoDB instance is not public
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_ALI_44:
categories:
@@ -2471,6 +2630,7 @@ rules:
group: cloud-unencrypted-resources
name: CKV_ALI_44
pretty_name: Ensure MongoDB has Transparent Data Encryption Enabled
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_ALI_5:
categories:
@@ -2480,6 +2640,7 @@ rules:
group: cloud-weak-configuration
name: CKV_ALI_5
pretty_name: Ensure Action Trail Logging for all events
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_ALI_6:
categories:
@@ -2498,6 +2659,7 @@ rules:
group: cloud-unencrypted-resources
name: CKV_ALI_7
pretty_name: Ensure disk is encrypted
+ recommended: true
ref: https://www.checkov.io/5.Policy%20Index/all.html
CKV_ALI_8:
categories:
@@ -2516,6 +2678,7 @@ rules: group: cloud-resources-public-access name: CKV_ALI_9 pretty_name: Ensure database instance is not public + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ANSIBLE_1: categories: @@ -2527,6 +2690,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV_ANSIBLE_1 pretty_name: Ensure that certificate validation isn't disabled with uri + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ANSIBLE_2: categories: @@ -2538,6 +2702,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV_ANSIBLE_2 pretty_name: Ensure that certificate validation isn't disabled with get_url + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ANSIBLE_3: categories: @@ -2549,6 +2714,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV_ANSIBLE_3 pretty_name: Ensure that certificate validation isn't disabled with yum + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ANSIBLE_4: categories: @@ -2560,6 +2726,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV_ANSIBLE_4 pretty_name: Ensure that SSL validation isn't disabled with yum + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ANSIBLE_5: categories: @@ -2572,6 +2739,7 @@ rules: name: CKV_ANSIBLE_5 pretty_name: Ensure that packages with untrusted or missing signatures are not used + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ANSIBLE_6: categories: @@ -2585,6 +2753,7 @@ rules: pretty_name: Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ARGO_1: categories: 
@@ -2596,6 +2765,7 @@ rules: group: cloud-weak-configuration name: CKV_ARGO_1 pretty_name: Ensure Workflow pods are not using the default ServiceAccount + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_ARGO_2: categories: @@ -2607,6 +2777,7 @@ rules: group: cloud-weak-configuration name: CKV_ARGO_2 pretty_name: Ensure Workflow pods are running as non-root user + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_1: categories: @@ -2619,6 +2790,7 @@ rules: name: CKV_AWS_1 pretty_name: Ensure IAM policies that allow full "*-*" administrative privileges are not created + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_10: categories: @@ -2642,6 +2814,7 @@ rules: name: CKV_AWS_100 pretty_name: Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_101: categories: @@ -2663,6 +2836,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_102 pretty_name: Ensure Neptune Cluster instance is not publicly available + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_103: categories: @@ -2674,6 +2848,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_103 pretty_name: Ensure that load balancer is using at least TLS 1.2 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_104: categories: @@ -2696,6 +2871,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_105 pretty_name: Ensure Redshift uses SSL + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_106: categories: @@ -2707,6 +2883,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_106 pretty_name: Ensure EBS default encryption is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_107: categories: 
@@ -2718,6 +2895,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_107 pretty_name: Ensure IAM policies does not allow credentials exposure + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_108: categories: @@ -2728,6 +2906,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_108 pretty_name: Ensure IAM policies does not allow data exfiltration + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_109: categories: @@ -2740,6 +2919,7 @@ rules: name: CKV_AWS_109 pretty_name: Ensure IAM policies does not allow permissions management / resource exposure without constraints + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_11: categories: @@ -2761,6 +2941,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_110 pretty_name: Ensure IAM policies does not allow privilege escalation + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_111: categories: @@ -2772,6 +2953,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_111 pretty_name: Ensure IAM policies does not allow write access without constraints + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_112: categories: @@ -2783,6 +2965,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_112 pretty_name: Ensure Session Manager data is encrypted in transit + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_113: categories: @@ -2794,6 +2977,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_113 pretty_name: Ensure Session Manager logs are enabled and encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_114: categories: @@ -2805,6 +2989,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_114 pretty_name: Ensure that EMR clusters with Kerberos have Kerberos Realm set + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_115: categories: 
@@ -2887,6 +3072,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_121 pretty_name: Ensure AWS Config is enabled in all regions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_122: categories: @@ -2899,6 +3085,7 @@ rules: name: CKV_AWS_122 pretty_name: Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_123: categories: @@ -2910,6 +3097,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_123 pretty_name: Ensure that VPC Endpoint Service is configured for Manual Acceptance + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_124: categories: @@ -2942,6 +3130,7 @@ rules: name: CKV_AWS_127 pretty_name: Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_128: categories: @@ -2954,6 +3143,7 @@ rules: name: CKV_AWS_128 pretty_name: Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_129: categories: @@ -2977,6 +3167,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_13 pretty_name: Ensure IAM password policy prevents password reuse + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_130: categories: @@ -2988,6 +3179,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_130 pretty_name: Ensure VPC subnets do not assign public IP by default + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_131: categories: @@ -2999,6 +3191,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_131 pretty_name: Ensure that ALB drops HTTP headers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_133: categories: 
@@ -3010,6 +3203,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_133 pretty_name: Ensure that RDS instances has backup policy + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_134: categories: @@ -3022,6 +3216,7 @@ rules: name: CKV_AWS_134 pretty_name: Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_135: categories: @@ -3052,6 +3247,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_137 pretty_name: Ensure that Elasticsearch is configured inside a VPC + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_138: categories: @@ -3073,6 +3269,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_139 pretty_name: Ensure that RDS clusters have deletion protection enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_14: categories: @@ -3094,6 +3291,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_140 pretty_name: Ensure that RDS global clusters are encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_141: categories: @@ -3105,6 +3303,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_141 pretty_name: Ensured that redshift cluster allowing version upgrade by default + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_142: categories: @@ -3154,6 +3353,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_146 pretty_name: Ensure that RDS database cluster snapshot is encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_147: categories: @@ -3165,6 +3365,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_147 pretty_name: Ensure that CodeBuild projects are encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_148: categories: 
@@ -3175,6 +3376,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_148 pretty_name: Ensure no default VPC is planned to be provisioned + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_149: categories: @@ -3205,6 +3407,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_150 pretty_name: Ensure that Load Balancer has deletion protection enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_152: categories: @@ -3237,6 +3440,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_154 pretty_name: Ensure Redshift is not deployed outside of a VPC + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_155: categories: @@ -3248,6 +3452,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_155 pretty_name: Ensure that Workspace user volumes are encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_156: categories: @@ -3259,6 +3464,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_156 pretty_name: Ensure that Workspace root volumes are encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_157: categories: @@ -3289,6 +3495,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_159 pretty_name: Ensure that Athena Workgroup is encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_16: categories: @@ -3300,6 +3507,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_16 pretty_name: Ensure all data stored in the RDS is securely encrypted at rest + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_160: categories: @@ -3342,6 +3550,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_163 pretty_name: Ensure ECR image scanning on push is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_164: categories: 
@@ -3353,6 +3562,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_164 pretty_name: Ensure Transfer Server is not exposed publicly. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_165: categories: @@ -3365,6 +3575,7 @@ rules: name: CKV_AWS_165 pretty_name: Ensure Dynamodb point in time recovery (backup) is enabled for global tables + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_166: categories: @@ -3386,6 +3597,7 @@ rules: name: CKV_AWS_167 pretty_name: Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_168: categories: @@ -3398,6 +3610,7 @@ rules: name: CKV_AWS_168 pretty_name: Ensure SQS queue policy is not public by only allowing specific services or principals to access it + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_169: categories: @@ -3410,6 +3623,7 @@ rules: name: CKV_AWS_169 pretty_name: Ensure SNS topic policy is not public by only allowing specific services or principals to access it + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_17: categories: @@ -3421,6 +3635,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_17 pretty_name: Ensure all data stored in RDS is not publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_170: categories: @@ -3432,6 +3647,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_170 pretty_name: Ensure QLDB ledger permissions mode is set to STANDARD + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_171: categories: 
@@ -3454,6 +3670,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_172 pretty_name: Ensure QLDB ledger has deletion protection enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_173: categories: @@ -3475,6 +3692,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_174 pretty_name: Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_175: categories: @@ -3645,6 +3863,7 @@ rules: name: CKV_AWS_19 pretty_name: Ensure all data stored in the S3 bucket is securely encrypted at rest + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_190: categories: @@ -3675,6 +3894,7 @@ rules: name: CKV_AWS_192 pretty_name: Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_193: categories: @@ -3686,6 +3906,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_193 pretty_name: Ensure AppSync has Logging enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_194: categories: @@ -3697,6 +3918,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_194 pretty_name: Ensure AppSync has Field-Level logs enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_195: categories: @@ -3708,6 +3930,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_195 pretty_name: Ensure Glue component has a security configuration associated + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_196: categories: @@ -3719,6 +3942,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_196 pretty_name: Ensure no aws_elasticache_security_group resources exist + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_197: categories: 
@@ -3730,6 +3954,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_197 pretty_name: Ensure MQ Broker Audit logging is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_198: categories: @@ -3741,6 +3966,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_198 pretty_name: Ensure no aws_db_security_group resources exist + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_199: categories: @@ -3762,6 +3988,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_2 pretty_name: Ensure ALB protocol is HTTPS + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_20: categories: @@ -3773,6 +4000,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_20 pretty_name: S3 Bucket has an ACL defined which allows public READ access. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_200: categories: @@ -3802,6 +4030,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_202 pretty_name: Ensure MemoryDB data is encrypted in transit + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_203: categories: @@ -3832,6 +4061,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_205 pretty_name: Ensure to Limit AMI launch Permissions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_206: categories: @@ -3843,6 +4073,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_206 pretty_name: Ensure API Gateway Domain uses a modern security Policy + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_207: categories: @@ -3854,6 +4085,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_207 pretty_name: Ensure MQ Broker minor version updates are enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_208: categories: 
@@ -3865,6 +4097,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_208 pretty_name: Ensure MQBroker version is current + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_209: categories: @@ -3895,6 +4128,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_210 pretty_name: Batch job does not define a privileged container + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_211: categories: @@ -3906,6 +4140,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_211 pretty_name: Ensure RDS uses a modern CaCert + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_212: categories: @@ -3927,6 +4162,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_213 pretty_name: Ensure ELB Policy uses only secure protocols + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_214: categories: @@ -3938,6 +4174,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_214 pretty_name: Ensure Appsync API Cache is encrypted at rest + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_215: categories: @@ -3949,6 +4186,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_215 pretty_name: Ensure Appsync API Cache is encrypted in transit + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_216: categories: @@ -3969,6 +4207,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_217 pretty_name: Ensure Create before destroy for API deployments + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_218: categories: @@ -3980,6 +4219,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_218 pretty_name: Ensure that Cloudsearch is using latest TLS + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_219: categories: 
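Review bot: Some of the entries promoted here are operational-hygiene or availability checks rather than security weaknesses, which will make a "recommended" policy noisy: CKV_AWS_217 (create-before-destroy for API deployments) in this hunk, and in the later hunks CKV_AWS_225 (API Gateway method caching), CKV_AWS_23 (security-group rule descriptions), CKV_AWS_233 and CKV_AWS_237 (create-before-destroy for ACM certificates and API Gateway), CKV_AWS_305 (CloudFront default root object) and CKV_AWS_310 (origin failover). Unless the intent is for `recommended` to mean "every check" rather than "high-signal security checks", I would drop `recommended: true` from those entries, or state the inclusion criterion in the commit message so the choice is deliberate.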
@@ -4009,6 +4249,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_220 pretty_name: Ensure that Cloudsearch is using https + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_221: categories: @@ -4030,6 +4271,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_222 pretty_name: Ensure DMS instance gets all minor upgrade automatically + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_223: categories: @@ -4041,6 +4283,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_223 pretty_name: Ensure ECS Cluster enables logging of ECS Exec + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_224: categories: @@ -4061,6 +4304,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_225 pretty_name: Ensure API Gateway method setting caching is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_226: categories: @@ -4072,6 +4316,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_226 pretty_name: Ensure DB instance gets all minor upgrades automatically + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_227: categories: @@ -4083,6 +4328,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_227 pretty_name: Ensure KMS key is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_228: categories: @@ -4094,6 +4340,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_228 pretty_name: Verify Elasticsearch domain is using an up to date TLS policy + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_229: categories: @@ -4105,6 +4352,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_229 pretty_name: Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_23: categories: 
@@ -4116,6 +4364,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_23 pretty_name: Ensure every security groups rule has a description + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_230: categories: @@ -4127,6 +4376,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_230 pretty_name: Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_231: categories: @@ -4138,6 +4388,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_231 pretty_name: Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_232: categories: @@ -4149,6 +4400,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_232 pretty_name: Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_233: categories: @@ -4160,6 +4412,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_233 pretty_name: Ensure Create before destroy for ACM certificates + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_234: categories: @@ -4170,6 +4423,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_234 pretty_name: Verify logging preference for ACM certificates + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_235: categories: @@ -4181,6 +4435,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_235 pretty_name: Ensure that copied AMIs are encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_236: categories: @@ -4201,6 +4456,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_237 pretty_name: Ensure Create before destroy for API GATEWAY + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_238: categories: 
@@ -4232,6 +4488,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_24 pretty_name: Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_240: categories: @@ -4243,6 +4500,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_240 pretty_name: Ensure Kinesis Firehose delivery stream is encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_241: categories: @@ -4264,6 +4522,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_242 pretty_name: Ensure MWAA environment has scheduler logs enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_243: categories: @@ -4275,6 +4534,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_243 pretty_name: Ensure MWAA environment has worker logs enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_244: categories: @@ -4286,6 +4546,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_244 pretty_name: Ensure MWAA environment has webserver logs enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_245: categories: @@ -4304,6 +4565,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_246 pretty_name: Ensure RDS Cluster activity streams are encrypted using KMS CMKs + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_247: categories: @@ -4313,6 +4575,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_247 pretty_name: Ensure all data stored in the Elasticsearch is encrypted with a CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_248: categories: 
@@ -4324,6 +4587,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_248 pretty_name: Ensure that Elasticsearch is not using the default Security Group + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_249: categories: @@ -4335,6 +4599,7 @@ rules: name: CKV_AWS_249 pretty_name: Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_25: categories: @@ -4346,6 +4611,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_25 pretty_name: Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_250: categories: @@ -4358,6 +4624,7 @@ rules: name: CKV_AWS_250 pretty_name: Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_251: categories: @@ -4369,6 +4636,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_251 pretty_name: Ensure CloudTrail logging is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_252: categories: @@ -4378,6 +4646,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_252 pretty_name: Ensure CloudTrail defines an SNS Topic + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_253: categories: @@ -4389,6 +4658,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_253 pretty_name: Ensure DLM cross region events are encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_254: categories: @@ -4399,6 +4669,7 @@ rules: name: CKV_AWS_254 pretty_name: Ensure DLM cross region events are encrypted with Customer Managed Key + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_255: categories: 
@@ -4410,6 +4681,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_255 pretty_name: Ensure DLM cross region schedules are encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_256: categories: @@ -4420,6 +4692,7 @@ rules: name: CKV_AWS_256 pretty_name: Ensure DLM cross region schedules are encrypted using a Customer Managed Key + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_257: categories: @@ -4430,6 +4703,7 @@ rules: group: supply-chain-scm-weak-configuration name: CKV_AWS_257 pretty_name: Ensure codecommit branch changes have at least 2 approvals + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_258: categories: @@ -4441,6 +4715,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_258 pretty_name: Ensure that Lambda function URLs AuthType is not None + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_259: categories: @@ -4453,6 +4728,7 @@ rules: name: CKV_AWS_259 pretty_name: Ensure CloudFront response header policy enforces Strict Transport Security + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_26: categories: @@ -4464,6 +4740,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_26 pretty_name: Ensure all data stored in the SNS topic is encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_260: categories: @@ -4475,6 +4752,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_260 pretty_name: Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_261: categories: @@ -4485,6 +4763,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_261 pretty_name: Ensure HTTP HTTPS Target group defines Healthcheck + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_262: categories: 
@@ -4494,6 +4773,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_262 pretty_name: Ensure Kendra index Server side encryption uses CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_263: categories: @@ -4503,6 +4783,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_263 pretty_name: Ensure App Flow flow uses CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_264: categories: @@ -4512,6 +4793,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_264 pretty_name: Ensure App Flow connector profile uses CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_265: categories: @@ -4521,6 +4803,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_265 pretty_name: Ensure Keyspaces Table uses CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_266: categories: @@ -4530,6 +4813,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_266 pretty_name: Ensure App Flow connector profile uses CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_267: categories: @@ -4540,6 +4824,7 @@ rules: name: CKV_AWS_267 pretty_name: Ensure that Comprehend Entity Recognizer's model is encrypted by KMS using a customer managed Key (CMK) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_268: categories: @@ -4550,6 +4835,7 @@ rules: name: CKV_AWS_268 pretty_name: Ensure that Comprehend Entity Recognizer's volume is encrypted by KMS using a customer managed Key (CMK) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_269: categories: @@ -4560,6 +4846,7 @@ rules: name: CKV_AWS_269 pretty_name: Ensure Connect Instance Kinesis Video Stream Storage Config uses CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_27: categories: 
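Review bot: CKV_AWS_264 and CKV_AWS_266 in this hunk carry the identical pretty_name `Ensure App Flow connector profile uses CMK`, and both now receive `recommended: true`; if one of them is a copy error, the recommended set will surface the same finding under two ids. Worth confirming the intended description of CKV_AWS_266 before promoting both. A smaller point the promotion makes more visible: CKV_AWS_263 through CKV_AWS_266 are CMK checks filed under `cloud-weak-configuration`, while the equivalent CMK checks nearby (CKV_AWS_262, CKV_AWS_271) sit in `cloud-unencrypted-resources`; that grouping predates this change, but it is worth aligning if the recommended set is reported per group.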
@@ -4571,6 +4858,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_27 pretty_name: Ensure all data stored in the SQS queue is encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_270: categories: @@ -4580,6 +4868,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_270 pretty_name: Ensure Connect Instance S3 Storage Config uses CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_271: categories: @@ -4589,6 +4878,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_271 pretty_name: Ensure DynamoDB table replica KMS encryption uses CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_272: categories: @@ -4600,6 +4890,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_272 pretty_name: Ensure AWS Lambda function is configured to validate code-signing + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_273: categories: @@ -4610,6 +4901,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_273 pretty_name: Ensure access is controlled through SSO and not AWS IAM defined users + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_274: categories: @@ -4621,6 +4913,7 @@ rules: name: CKV_AWS_274 pretty_name: Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_275: categories: @@ -4631,6 +4924,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_275 pretty_name: Disallow policies from using the AWS AdministratorAccess policy + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_276: categories: @@ -4640,6 +4934,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_276 pretty_name: Ensure Data Trace is not enabled in API Gateway Method Settings + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_277: categories: 
@@ -4651,6 +4946,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_277 pretty_name: Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_278: categories: @@ -4663,6 +4959,7 @@ rules: name: CKV_AWS_278 pretty_name: Ensure MemoryDB snapshot is encrypted by KMS using a customer managed Key (CMK) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_279: categories: @@ -4674,6 +4971,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_279 pretty_name: Ensure Neptune snapshot is securely encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_28: categories: @@ -4685,6 +4983,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_28 pretty_name: Ensure Dynamodb point in time recovery (backup) is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_280: categories: @@ -4697,6 +4996,7 @@ rules: name: CKV_AWS_280 pretty_name: Ensure Neptune snapshot is encrypted by KMS using a customer managed Key (CMK) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_281: categories: @@ -4709,6 +5009,7 @@ rules: name: CKV_AWS_281 pretty_name: Ensure RedShift snapshot copy is encrypted by KMS using a customer managed Key (CMK) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_282: categories: @@ -4721,6 +5022,7 @@ rules: name: CKV_AWS_282 pretty_name: Ensure that Redshift Serverless namespace is encrypted by KMS using a customer managed key (CMK) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_283: categories: @@ -4733,6 +5035,7 @@ rules: name: CKV_AWS_283 pretty_name: Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_284: categories: 
@@ -4744,6 +5047,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_284 pretty_name: Ensure State Machine has X-Ray tracing enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_285: categories: @@ -4755,6 +5059,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_285 pretty_name: Ensure State Machine has execution history logging enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_286: categories: @@ -4766,6 +5071,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_286 pretty_name: Ensure IAM policies does not allow privilege escalation + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_287: categories: @@ -4777,6 +5083,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_287 pretty_name: Ensure IAM policies does not allow credentials exposure + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_288: categories: @@ -4788,6 +5095,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_288 pretty_name: Ensure IAM policies does not allow data exfiltration + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_289: categories: @@ -4800,6 +5108,7 @@ rules: name: CKV_AWS_289 pretty_name: Ensure IAM policies does not allow permissions management / resource exposure without constraints + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_29: categories: @@ -4812,6 +5121,7 @@ rules: name: CKV_AWS_29 pretty_name: Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_290: categories: @@ -4823,6 +5133,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_290 pretty_name: Ensure IAM policies does not allow write access without constraints + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_291: categories: 
@@ -4834,6 +5145,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_291 pretty_name: Ensure MSK nodes are private + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_292: categories: @@ -4845,6 +5157,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_292 pretty_name: Ensure DocDB Global Cluster is encrypted at rest (default is unencrypted) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_293: categories: @@ -4856,6 +5169,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_293 pretty_name: Ensure that AWS database instances have deletion protection enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_294: categories: @@ -4867,6 +5181,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_294 pretty_name: Ensure Cloud Trail Event Data Store uses CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_295: categories: @@ -4878,6 +5193,7 @@ rules: group: stored-secrets name: CKV_AWS_295 pretty_name: Ensure DataSync Location Object Storage doesn't expose secrets + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_296: categories: @@ -4889,6 +5205,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_296 pretty_name: Ensure DMS endpoint uses Customer Managed Key (CMK) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_297: categories: @@ -4900,6 +5217,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_297 pretty_name: Ensure EventBridge Scheduler Schedule uses Customer Managed Key (CMK) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_298: categories: @@ -4911,6 +5229,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_298 pretty_name: Ensure DMS S3 uses Customer Managed Key (CMK) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_299: categories: 
@@ -4922,6 +5241,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_299 pretty_name: Ensure DMS S3 defines in-transit encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_3: categories: @@ -4933,6 +5253,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_3 pretty_name: Ensure all data stored in the EBS is securely encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_30: categories: @@ -4945,6 +5266,7 @@ rules: name: CKV_AWS_30 pretty_name: Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_300: categories: @@ -4957,6 +5279,7 @@ rules: name: CKV_AWS_300 pretty_name: Ensure S3 lifecycle configuration sets period for aborting failed uploads + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_301: categories: @@ -4968,6 +5291,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_301 pretty_name: Ensure that AWS Lambda function is not publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_302: categories: @@ -4979,6 +5303,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_302 pretty_name: Ensure DB Snapshots are not Public + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_303: categories: @@ -4990,6 +5315,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_303 pretty_name: Ensure SSM documents are not Public + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_304: categories: @@ -5001,6 +5327,7 @@ rules: group: cloud-weak-secrets-management name: CKV_AWS_304 pretty_name: Ensure Secrets Manager secrets should be rotated within 90 days + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_305: categories: 
@@ -5012,6 +5339,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_305 pretty_name: Ensure Cloudfront distribution has a default root object configured + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_306: categories: @@ -5024,6 +5352,7 @@ rules: name: CKV_AWS_306 pretty_name: Ensure SageMaker notebook instances should be launched into a custom VPC + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_307: categories: @@ -5036,6 +5365,7 @@ rules: name: CKV_AWS_307 pretty_name: Ensure SageMaker Users should not have root access to SageMaker notebook instances + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_308: categories: @@ -5047,6 +5377,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_308 pretty_name: Ensure API Gateway method setting caching is set to encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_309: categories: @@ -5058,6 +5389,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_309 pretty_name: Ensure API GatewayV2 routes specify an authorization type + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_31: categories: @@ -5070,6 +5402,7 @@ rules: name: CKV_AWS_31 pretty_name: Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_310: categories: @@ -5081,6 +5414,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_310 pretty_name: Ensure CloudFront distributions should have origin failover configured + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_311: categories: 
@@ -5092,6 +5426,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_311 pretty_name: Ensure that CodeBuild S3 logs are encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_312: categories: @@ -5104,6 +5439,7 @@ rules: name: CKV_AWS_312 pretty_name: Ensure Elastic Beanstalk environments have enhanced health reporting enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_313: categories: @@ -5115,6 +5451,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_313 pretty_name: Ensure RDS cluster configured to copy tags to snapshots + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_314: categories: @@ -5126,6 +5463,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_314 pretty_name: Ensure CodeBuild project environments have a logging configuration + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_315: categories: @@ -5137,6 +5475,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_315 pretty_name: Ensure EC2 Auto Scaling groups use EC2 launch templates + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_316: categories: @@ -5149,6 +5488,7 @@ rules: name: CKV_AWS_316 pretty_name: Ensure CodeBuild project environments do not have privileged mode enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_317: categories: @@ -5160,6 +5500,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_317 pretty_name: Ensure Elasticsearch Domain Audit Logging is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_318: categories: @@ -5172,6 +5513,7 @@ rules: name: CKV_AWS_318 pretty_name: Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_319: categories: 
@@ -5183,6 +5525,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_319 pretty_name: Ensure that CloudWatch alarm actions are enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_32: categories: @@ -5194,6 +5537,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_32 pretty_name: Ensure ECR policy is not set to public + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_320: categories: @@ -5205,6 +5549,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_320 pretty_name: Ensure Redshift clusters do not use the default database name + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_321: categories: @@ -5216,6 +5561,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_321 pretty_name: Ensure Redshift clusters use enhanced VPC routing + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_322: categories: @@ -5228,6 +5574,7 @@ rules: name: CKV_AWS_322 pretty_name: Ensure ElastiCache for Redis cache clusters have auto minor version upgrades enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_323: categories: @@ -5239,6 +5586,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_323 pretty_name: Ensure ElastiCache clusters do not use the default subnet group + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_324: categories: @@ -5250,6 +5598,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_324 pretty_name: Ensure that RDS Cluster log capture is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_325: categories: @@ -5261,6 +5610,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_325 pretty_name: Ensure that RDS Cluster audit logging is enabled for MySQL engine + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_326: categories: 
@@ -5272,6 +5622,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_326 pretty_name: Ensure that RDS Aurora Clusters have backtracking enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_327: categories: @@ -5295,6 +5646,7 @@ rules: name: CKV_AWS_328 pretty_name: Ensure that ALB is configured with defensive or strictest desync mitigation mode + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_329: categories: @@ -5306,6 +5658,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_329 pretty_name: EFS access points should enforce a root directory + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_33: categories: @@ -5317,6 +5670,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_33 pretty_name: Ensure KMS key policy does not contain wildcard (*) principal + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_330: categories: @@ -5328,6 +5682,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_330 pretty_name: EFS access points should enforce a user identity + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_331: categories: @@ -5340,6 +5695,7 @@ rules: name: CKV_AWS_331 pretty_name: Ensure Transit Gateways do not automatically accept VPC attachment requests + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_332: categories: @@ -5351,6 +5707,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_332 pretty_name: Ensure ECS Fargate services run on the latest Fargate platform version + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_333: categories: @@ -5363,6 +5720,7 @@ rules: name: CKV_AWS_333 pretty_name: Ensure ECS services do not have public IP addresses assigned to them automatically + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_334: categories: 
@@ -5374,6 +5732,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_334
 pretty_name: Ensure ECS containers should run as non-privileged
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_335:
 categories:
@@ -5385,6 +5744,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_335
 pretty_name: Ensure ECS task definitions should not share the host's process namespace
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_336:
 categories:
@@ -5396,6 +5756,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_336
 pretty_name: Ensure ECS containers are limited to read-only access to root filesystems
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_337:
 categories:
@@ -5418,6 +5779,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_338
 pretty_name: Ensure CloudWatch log groups retains logs for at least 1 year
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_339:
 categories:
@@ -5429,6 +5791,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_339
 pretty_name: Ensure EKS clusters run on a supported Kubernetes version
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_34:
 categories:
@@ -5440,6 +5803,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_34
 pretty_name: Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_340:
 categories:
@@ -5451,6 +5815,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_340
 pretty_name: Ensure Elastic Beanstalk managed platform updates are enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_341:
 categories:
@@ -5463,6 +5828,7 @@ rules: name: CKV_AWS_341 pretty_name: Ensure Launch template should not have a metadata response hop limit greater than 1 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_342: categories: @@ -5474,6 +5840,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_342 pretty_name: Ensure WAF rule has any actions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_343: categories: @@ -5485,6 +5852,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_343 pretty_name: Ensure Amazon Redshift clusters should have automatic snapshots enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_344: categories: @@ -5496,6 +5864,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_344 pretty_name: Ensure that Network firewalls have deletion protection enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_345: categories: @@ -5507,6 +5876,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_345 pretty_name: Ensure that Network firewall encryption is via a CMK + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_346: categories: @@ -5519,6 +5889,7 @@ rules: name: CKV_AWS_346 pretty_name: Ensure Network Firewall Policy defines an encryption configuration that uses a customer managed Key (CMK) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_347: categories: @@ -5530,6 +5901,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_347 pretty_name: Ensure Neptune is encrypted by KMS using a customer managed Key (CMK) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_348: categories: @@ -5541,6 +5913,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_348 pretty_name: Ensure IAM root user doesnt have Access keys + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_349: categories: 
@@ -5552,6 +5925,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_349 pretty_name: Ensure EMR Cluster security configuration encrypts local disks + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_35: categories: @@ -5561,6 +5935,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_35 pretty_name: Ensure CloudTrail logs are encrypted at rest using KMS CMKs + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_350: categories: @@ -5572,6 +5947,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_350 pretty_name: Ensure EMR Cluster security configuration encrypts EBS disks + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_351: categories: @@ -5583,6 +5959,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_351 pretty_name: Ensure EMR Cluster security configuration encrypts InTransit + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_352: categories: @@ -5594,6 +5971,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_352 pretty_name: Ensure NACL ingress does not allow all Ports + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_353: categories: @@ -5605,6 +5983,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_353 pretty_name: Ensure that RDS instances have performance insights enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_354: categories: @@ -5628,6 +6007,7 @@ rules: name: CKV_AWS_355 pretty_name: Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_356: categories: 
@@ -5640,6 +6020,7 @@ rules: name: CKV_AWS_356 pretty_name: Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_357: categories: @@ -5651,6 +6032,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_357 pretty_name: Ensure Transfer Server allows only secure protocols + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_358: categories: @@ -5663,6 +6045,7 @@ rules: name: CKV_AWS_358 pretty_name: Ensure GitHub Actions OIDC trust policies only allows actions from a specific known organization + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_359: categories: @@ -5674,6 +6057,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_359 pretty_name: Neptune DB clusters should have IAM database authentication enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_36: categories: @@ -5685,6 +6069,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_36 pretty_name: Ensure CloudTrail log file validation is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_360: categories: @@ -5696,6 +6081,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_360 pretty_name: Ensure DocumentDB has an adequate backup retention period + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_361: categories: @@ -5708,6 +6094,7 @@ rules: name: CKV_AWS_361 pretty_name: Ensure that Neptune DB cluster has automated backups enabled with adequate retention + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_362: categories: @@ -5719,6 +6106,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_362 pretty_name: Neptune DB clusters should be configured to copy tags to snapshots + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_363: categories: 
@@ -5730,6 +6118,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_363 pretty_name: Ensure Lambda Runtime is not deprecated + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_364: categories: @@ -5742,6 +6131,7 @@ rules: name: CKV_AWS_364 pretty_name: Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_365: categories: @@ -5753,6 +6143,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_365 pretty_name: Ensure SES Configuration Set enforces TLS usage + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_366: categories: @@ -5765,6 +6156,7 @@ rules: name: CKV_AWS_366 pretty_name: Ensure AWS Cognito identity pool does not allow unauthenticated guest access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_37: categories: @@ -5776,6 +6168,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_37 pretty_name: Ensure Amazon EKS control plane logging enabled for all log types + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_38: categories: @@ -5786,6 +6179,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_38 pretty_name: Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_39: categories: @@ -5796,6 +6190,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_39 pretty_name: Ensure Amazon EKS public endpoint disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_40: categories: @@ -5807,6 +6202,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_40 pretty_name: Ensure IAM policies are attached only to groups or roles + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_41: categories: 
@@ -5818,6 +6214,7 @@ rules:
 group: stored-secrets
 name: CKV_AWS_41
 pretty_name: Ensure no hard coded AWS access key and secret key exists in provider
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_42:
 categories:
@@ -5829,6 +6226,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_42
 pretty_name: Ensure EFS is securely encrypted
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_43:
 categories:
@@ -5840,6 +6238,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_43
 pretty_name: Ensure Kinesis Stream is securely encrypted
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_44:
 categories:
@@ -5851,6 +6250,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_44
 pretty_name: Ensure Neptune storage is securely encrypted
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_45:
 categories:
@@ -5862,6 +6262,7 @@ rules:
 group: stored-secrets
 name: CKV_AWS_45
 pretty_name: Ensure no hard-coded secrets exist in lambda environment
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_46:
 categories:
@@ -5873,6 +6274,7 @@ rules:
 group: stored-secrets
 name: CKV_AWS_46
 pretty_name: Ensure no hard-coded secrets exist in EC2 user data
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_47:
 categories:
@@ -5884,6 +6286,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_47
 pretty_name: Ensure DAX is encrypted at rest (default is unencrypted)
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_48:
 categories:
@@ -5895,6 +6298,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_48
 pretty_name: Ensure MQ Broker logging is enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_49:
 categories:
@@ -5906,6 +6310,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_49 pretty_name: Ensure no IAM policies documents allow "*" as a statement's actions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_5: categories: @@ -5918,6 +6323,7 @@ rules: name: CKV_AWS_5 pretty_name: Ensure all data stored in the Elasticsearch is securely encrypted at rest + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_50: categories: @@ -5928,6 +6334,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_50 pretty_name: X-ray tracing is enabled for Lambda + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_51: categories: @@ -5939,6 +6346,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_51 pretty_name: Ensure ECR Image Tags are immutable + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_53: categories: @@ -5950,6 +6358,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_53 pretty_name: Ensure S3 bucket has block public ACLS enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_54: categories: @@ -5961,6 +6370,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_54 pretty_name: Ensure S3 bucket has block public policy enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_55: categories: @@ -5972,6 +6382,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_55 pretty_name: Ensure S3 bucket has ignore public ACLs enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_56: categories: @@ -5983,6 +6394,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_56 pretty_name: Ensure S3 bucket has 'restrict_public_bucket' enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_57: categories: 
@@ -5994,6 +6406,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_57 pretty_name: S3 Bucket has an ACL defined which allows public WRITE access. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_58: categories: @@ -6005,6 +6418,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_58 pretty_name: Ensure EKS Cluster has Secrets Encryption Enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_59: categories: @@ -6016,6 +6430,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_59 pretty_name: Ensure there is no open access to back-end resources through API + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_6: categories: @@ -6027,6 +6442,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_6 pretty_name: Ensure all Elasticsearch has node-to-node encryption enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_60: categories: @@ -6039,6 +6455,7 @@ rules: name: CKV_AWS_60 pretty_name: Ensure IAM role allows only specific services or principals to assume it + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_61: categories: @@ -6051,6 +6468,7 @@ rules: name: CKV_AWS_61 pretty_name: Ensure AWS IAM policy does not allow assume role permission across all services + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_62: categories: @@ -6063,6 +6481,7 @@ rules: name: CKV_AWS_62 pretty_name: Ensure IAM policies that allow full "*-*" administrative privileges are not created + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_63: categories: @@ -6074,6 +6493,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_63 pretty_name: Ensure no IAM policies documents allow "*" as a statement's actions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_64: categories: 
@@ -6086,6 +6506,7 @@ rules: name: CKV_AWS_64 pretty_name: Ensure all data stored in the Redshift cluster is securely encrypted at rest + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_65: categories: @@ -6096,6 +6517,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_65 pretty_name: Ensure container insights are enabled on ECS cluster + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_66: categories: @@ -6107,6 +6529,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_66 pretty_name: Ensure that CloudWatch Log Group specifies retention days + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_67: categories: @@ -6118,6 +6541,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_67 pretty_name: Ensure CloudTrail is enabled in all Regions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_68: categories: @@ -6127,6 +6551,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_68 pretty_name: CloudFront Distribution should have WAF enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_69: categories: @@ -6138,6 +6563,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_69 pretty_name: Ensure MQ Broker is not publicly exposed + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_7: categories: @@ -6149,6 +6575,7 @@ rules: group: cloud-weak-secrets-management name: CKV_AWS_7 pretty_name: Ensure rotation for customer created CMKs is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_70: categories: @@ -6160,6 +6587,7 @@ rules: group: cloud-insecure-iam name: CKV_AWS_70 pretty_name: Ensure S3 bucket does not allow an action with any Principal + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_71: categories: 
@@ -6170,6 +6598,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_71
 pretty_name: Ensure Redshift Cluster logging is enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_72:
 categories:
@@ -6181,6 +6610,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_AWS_72
 pretty_name: Ensure SQS policy does not allow ALL (*) actions.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_73:
 categories:
@@ -6191,6 +6621,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_73
 pretty_name: Ensure API Gateway has X-Ray Tracing enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_74:
 categories:
@@ -6202,6 +6633,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_74
 pretty_name: Ensure DocDB is encrypted at rest (default is unencrypted)
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_75:
 categories:
@@ -6211,6 +6643,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_75
 pretty_name: Ensure Global Accelerator accelerator has flow logs enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_76:
 categories:
@@ -6222,6 +6655,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AWS_76
 pretty_name: Ensure API Gateway has Access Logging enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_77:
 categories:
@@ -6233,6 +6667,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_77
 pretty_name: Ensure Athena Database is encrypted at rest (default is unencrypted)
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_78:
 categories:
@@ -6244,6 +6679,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AWS_78
 pretty_name: Ensure that CodeBuild Project encryption is not disabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AWS_79:
 categories:
@@ -6255,6 +6691,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_79 pretty_name: Ensure Instance Metadata Service Version 1 is not enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_8: categories: @@ -6267,6 +6704,7 @@ rules: name: CKV_AWS_8 pretty_name: Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_80: categories: @@ -6278,6 +6716,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_80 pretty_name: Ensure MSK Cluster logging is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_81: categories: @@ -6289,6 +6728,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_81 pretty_name: Ensure MSK Cluster encryption in rest and transit is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_82: categories: @@ -6301,6 +6741,7 @@ rules: name: CKV_AWS_82 pretty_name: Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_83: categories: @@ -6312,6 +6753,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_83 pretty_name: Ensure Elasticsearch Domain enforces HTTPS + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_84: categories: @@ -6322,6 +6764,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_84 pretty_name: Ensure Elasticsearch Domain Logging is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_85: categories: @@ -6332,6 +6775,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_85 pretty_name: Ensure DocDB Logging is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_86: categories: 
@@ -6343,6 +6787,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_86 pretty_name: Ensure Cloudfront distribution has Access Logging enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_87: categories: @@ -6354,6 +6799,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_87 pretty_name: Redshift cluster should not be publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_88: categories: @@ -6365,6 +6811,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_88 pretty_name: EC2 instance should not have public IP. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_89: categories: @@ -6376,6 +6823,7 @@ rules: group: cloud-resources-public-access name: CKV_AWS_89 pretty_name: DMS replication instance should not be publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_9: categories: @@ -6396,6 +6844,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_90 pretty_name: Ensure DocDB TLS is not disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_91: categories: @@ -6407,6 +6856,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_91 pretty_name: Ensure the ELBv2 (Application/Network) has access logging enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_92: categories: @@ -6418,6 +6868,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_92 pretty_name: Ensure the ELB has access logging enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_93: categories: @@ -6430,6 +6881,7 @@ rules: name: CKV_AWS_93 pretty_name: Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_94: categories: 
@@ -6441,6 +6893,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_94 pretty_name: Ensure Glue Data Catalog Encryption is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_95: categories: @@ -6452,6 +6905,7 @@ rules: group: cloud-weak-configuration name: CKV_AWS_95 pretty_name: Ensure API Gateway V2 has Access Logging enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_96: categories: @@ -6463,6 +6917,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_96 pretty_name: Ensure all data stored in Aurora is securely encrypted at rest + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_97: categories: @@ -6475,6 +6930,7 @@ rules: name: CKV_AWS_97 pretty_name: Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_98: categories: @@ -6487,6 +6943,7 @@ rules: name: CKV_AWS_98 pretty_name: Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AWS_99: categories: @@ -6498,6 +6955,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AWS_99 pretty_name: Ensure Glue Security Configuration Encryption is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZUREPIPELINES_1: categories: @@ -6509,6 +6967,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV_AZUREPIPELINES_1 pretty_name: Ensure container job uses a non latest version tag + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZUREPIPELINES_2: categories: @@ -6519,6 +6978,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV_AZUREPIPELINES_2 pretty_name: Ensure container job uses a version digest + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZUREPIPELINES_3: categories: 
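Review bot: CKV_AZUREPIPELINES_1 and CKV_AZUREPIPELINES_2 are both flagged `recommended: true` in the last two hunks, yet the digest check subsumes the non-`latest`-tag check: a container job pinned by digest passes both, and one referencing `image:latest` fails both on the same line. Unless the consumer deduplicates overlapping findings, the recommended set will report the same weakness twice for every unpinned job. If digest pinning is the intended bar, keeping only `CKV_AZUREPIPELINES_2` recommended (or leaving the flag off `CKV_AZUREPIPELINES_1`) avoids the double count.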
@@ -6530,6 +6990,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV_AZUREPIPELINES_3 pretty_name: Ensure set variable is not marked as a secret + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_1: categories: @@ -6542,6 +7003,7 @@ rules: name: CKV_AZURE_1 pretty_name: Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_10: categories: @@ -6553,6 +7015,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_10 pretty_name: Ensure that SSH access is restricted from the internet + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_100: categories: @@ -6574,6 +7037,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_101 pretty_name: Ensure that Azure Cosmos DB disables public network access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_102: categories: @@ -6584,6 +7048,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_102 pretty_name: Ensure that PostgreSQL server enables geo-redundant backups + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_103: categories: @@ -6594,6 +7059,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_103 pretty_name: Ensure that Azure Data Factory uses Git repository for source control + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_104: categories: @@ -6605,6 +7071,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_104 pretty_name: Ensure that Azure Data factory public network access is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_105: categories: 
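Review bot: CKV_AZURE_102 (PostgreSQL geo-redundant backups) and CKV_AZURE_103 (Data Factory backed by a Git repository) receive `recommended: true` in the same sweep as the SSH-exposure and public-network-access checks, but they are resilience and change-management controls, not exploitable weaknesses. Geo-redundant backups also carry a cost and a data-residency implication that a default security baseline should not impose silently. If `recommended` drives the default ruleset, consider leaving the flag off those two entries, or confirm that operational best practices are meant to be part of the recommended set.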
@@ -6616,6 +7083,7 @@ rules:
     group: cloud-unencrypted-resources
     name: CKV_AZURE_105
     pretty_name: Ensure that Data Lake Store accounts enables encryption
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_106:
     categories:
@@ -6627,6 +7095,7 @@ rules:
     group: cloud-resources-public-access
     name: CKV_AZURE_106
     pretty_name: Ensure that Azure Event Grid Domain public network access is disabled
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_107:
     categories:
@@ -6637,6 +7106,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_AZURE_107
     pretty_name: Ensure that API management services use virtual networks
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_108:
     categories:
@@ -6646,6 +7116,7 @@ rules:
     group: cloud-resources-public-access
     name: CKV_AZURE_108
     pretty_name: Ensure that Azure IoT Hub disables public network access
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_109:
     categories:
@@ -6657,6 +7128,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_AZURE_109
     pretty_name: Ensure that key vault allows firewall rules settings
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_11:
     categories:
@@ -6668,6 +7140,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_AZURE_11
     pretty_name: Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_110:
     categories:
@@ -6679,6 +7152,7 @@ rules:
     group: cloud-weak-secrets-management
     name: CKV_AZURE_110
     pretty_name: Ensure that key vault enables purge protection
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_111:
     categories:
@@ -6690,6 +7164,7 @@ rules:
     group: cloud-weak-secrets-management
     name: CKV_AZURE_111
     pretty_name: Ensure that key vault enables soft delete
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_112:
     categories:
@@ -6700,6 +7175,7 @@ rules:
     group: cloud-weak-secrets-management
     name: CKV_AZURE_112
     pretty_name: Ensure that key vault key is backed by HSM
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_113:
     categories:
@@ -6711,6 +7187,7 @@ rules:
     group: cloud-resources-public-access
     name: CKV_AZURE_113
     pretty_name: Ensure that SQL server disables public network access
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_114:
     categories:
@@ -6721,6 +7198,7 @@ rules:
     group: cloud-weak-secrets-management
     name: CKV_AZURE_114
     pretty_name: Ensure that key vault secrets have "content_type" set
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_115:
     categories:
@@ -6732,6 +7210,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_AZURE_115
     pretty_name: Ensure that AKS enables private clusters
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_116:
     categories:
@@ -6743,6 +7222,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_AZURE_116
     pretty_name: Ensure that AKS uses Azure Policies Add-on
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_117:
     categories:
@@ -6754,6 +7234,7 @@ rules:
     group: cloud-unencrypted-resources
     name: CKV_AZURE_117
     pretty_name: Ensure that AKS uses disk encryption set
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_118:
     categories:
@@ -6765,6 +7246,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_AZURE_118
     pretty_name: Ensure that Network Interfaces disable IP forwarding
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_119:
     categories:
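Review bot: CKV_AZURE_112 (key vault key backed by HSM) and CKV_AZURE_114 (secrets have `content_type` set) are flagged `recommended: true` in the second and fourth hunks, alongside purge protection and soft delete. HSM-backed keys require a Premium-SKU vault and are a compliance choice rather than a baseline control, and `content_type` is metadata hygiene that does not change a secret's exposure. Both will fire on practically every key vault in a default scan; consider leaving `recommended` unset on those two so the flag stays meaningful for the public-access and deletion-protection rules.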
@@ -6776,6 +7258,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_119 pretty_name: Ensure that Network Interfaces don't use public IPs + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_12: categories: @@ -6786,6 +7269,7 @@ rules: name: CKV_AZURE_12 pretty_name: Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_120: categories: @@ -6795,6 +7279,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_120 pretty_name: Ensure that Application Gateway enables WAF + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_121: categories: @@ -6804,6 +7289,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_121 pretty_name: Ensure that Azure Front Door enables WAF + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_122: categories: @@ -6814,6 +7300,7 @@ rules: name: CKV_AZURE_122 pretty_name: Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_123: categories: @@ -6824,6 +7311,7 @@ rules: name: CKV_AZURE_123 pretty_name: Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_124: categories: @@ -6835,6 +7323,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_124 pretty_name: Ensure that Azure Cognitive Search disables public network access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_125: categories: @@ -6846,6 +7335,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_125 pretty_name: Ensures that Service Fabric use three levels of protection available + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_126: categories: 
@@ -6858,6 +7348,7 @@ rules: name: CKV_AZURE_126 pretty_name: Ensures that Active Directory is used for authentication for Service Fabric + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_127: categories: @@ -6867,6 +7358,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_127 pretty_name: Ensure that My SQL server enables Threat detection policy + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_128: categories: @@ -6876,6 +7368,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_128 pretty_name: Ensure that PostgreSQL server enables Threat detection policy + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_129: categories: @@ -6886,6 +7379,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_129 pretty_name: Ensure that MariaDB server enables geo-redundant backups + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_13: categories: @@ -6897,6 +7391,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_13 pretty_name: Ensure App Service Authentication is set on Azure App Service + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_130: categories: @@ -6908,6 +7403,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_130 pretty_name: Ensure that PostgreSQL server enables infrastructure encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_131: categories: @@ -6919,6 +7415,7 @@ rules: group: stored-secrets name: CKV_AZURE_131 pretty_name: SecureString parameter should not have hardcoded default values + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_132: categories: 
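Review bot: CKV_AZURE_129 (MariaDB geo-redundant backups) gets `recommended: true` in the fourth hunk even though it is an availability control with a direct cost and data-residency impact, unlike the threat-detection and infrastructure-encryption rules around it. A default security ruleset that demands cross-region backup replication will be suppressed by most teams, which erodes trust in the rest of the recommended findings. Consider leaving `recommended` off this entry.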
@@ -6931,6 +7428,7 @@ rules: name: CKV_AZURE_132 pretty_name: Ensure cosmosdb does not allow privileged escalation by restricting management plane changes + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_133: categories: @@ -6941,6 +7439,7 @@ rules: name: CKV_AZURE_133 pretty_name: Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_134: categories: @@ -6952,6 +7451,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_134 pretty_name: Ensure that Cognitive Services accounts disable public network access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_135: categories: @@ -6962,6 +7462,7 @@ rules: name: CKV_AZURE_135 pretty_name: Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_136: categories: @@ -6972,6 +7473,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_136 pretty_name: Ensure that PostgreSQL Flexible server enables geo-redundant backups + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_137: categories: @@ -6983,6 +7485,7 @@ rules: group: cloud-insecure-iam name: CKV_AZURE_137 pretty_name: Ensure ACR admin account is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_138: categories: @@ -6993,6 +7496,7 @@ rules: group: cloud-insecure-iam name: CKV_AZURE_138 pretty_name: Ensures that ACR disables anonymous pulling of images + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_139: categories: 
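Review bot: CKV_AZURE_136 (PostgreSQL Flexible server geo-redundant backups) is flagged `recommended: true` in the fifth hunk, but it is a resilience setting with cost and data-residency consequences rather than a security weakness. Recommending it by default will produce a finding on every Flexible server that deliberately keeps backups in-region. Consider leaving the flag off for this entry and keeping the recommended set to exploitable misconfigurations such as the ACR admin-account and anonymous-pull checks that follow it.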
@@ -7004,6 +7508,7 @@ rules:
     group: cloud-resources-public-access
     name: CKV_AZURE_139
     pretty_name: Ensure ACR set to disable public networking
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_14:
     categories:
@@ -7015,6 +7520,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_AZURE_14
     pretty_name: Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_140:
     categories:
@@ -7026,6 +7532,7 @@ rules:
     group: cloud-insecure-iam
     name: CKV_AZURE_140
     pretty_name: Ensure that Local Authentication is disabled on CosmosDB
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_141:
     categories:
@@ -7037,6 +7544,7 @@ rules:
     group: cloud-insecure-iam
     name: CKV_AZURE_141
     pretty_name: Ensure AKS local admin account is disabled
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_142:
     categories:
@@ -7048,6 +7556,7 @@ rules:
     group: cloud-insecure-iam
     name: CKV_AZURE_142
     pretty_name: Ensure Machine Learning Compute Cluster Local Authentication is disabled
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_143:
     categories:
@@ -7059,6 +7568,7 @@ rules:
     group: cloud-resources-public-access
     name: CKV_AZURE_143
     pretty_name: Ensure AKS cluster nodes do not have public IP addresses
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_144:
     categories:
@@ -7070,6 +7580,7 @@ rules:
     group: cloud-resources-public-access
     name: CKV_AZURE_144
     pretty_name: Ensure that Public Access is disabled for Machine Learning Workspace
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_145:
     categories:
@@ -7081,6 +7592,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_145 pretty_name: Ensure Function app is using the latest version of TLS encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_146: categories: @@ -7092,6 +7604,7 @@ rules: name: CKV_AZURE_146 pretty_name: Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_147: categories: @@ -7103,6 +7616,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_147 pretty_name: Ensure PostgreSQL is using the latest version of TLS encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_148: categories: @@ -7114,6 +7628,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_148 pretty_name: Ensure Redis Cache is using the latest version of TLS encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_149: categories: @@ -7125,6 +7640,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_149 pretty_name: Ensure that Virtual machine does not enable password authentication + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_15: categories: @@ -7136,6 +7652,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_15 pretty_name: Ensure web app is using the latest version of TLS encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_150: categories: @@ -7147,6 +7664,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_150 pretty_name: Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_151: categories: 
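Review bot: CKV_AZURE_150 (Machine Learning compute cluster minimum nodes set to 0) is flagged `recommended: true` in the second-to-last hunk, but it is a cost-optimization check with no security effect, unlike the TLS-version and password-authentication rules around it. Every ML cluster that intentionally keeps warm nodes will produce a recommended finding that a security reviewer cannot act on. Consider leaving `recommended` unset on this entry.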
@@ -7158,6 +7676,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_151 pretty_name: Ensure Windows VM enables encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_152: categories: @@ -7168,6 +7687,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_152 pretty_name: Ensure Client Certificates are enforced for API management + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_153: categories: @@ -7180,6 +7700,7 @@ rules: name: CKV_AZURE_153 pretty_name: Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_154: categories: @@ -7191,6 +7712,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_154 pretty_name: Ensure the App service slot is using the latest version of TLS encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_155: categories: @@ -7202,6 +7724,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_155 pretty_name: Ensure debugging is disabled for the App service slot + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_156: categories: @@ -7214,6 +7737,7 @@ rules: name: CKV_AZURE_156 pretty_name: Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_157: categories: @@ -7224,6 +7748,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_157 pretty_name: Ensure that Synapse workspace has data_exfiltration_protection_enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_158: categories: 
@@ -7235,6 +7760,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_158 pretty_name: Ensure that databricks workspace has not public + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_159: categories: @@ -7246,6 +7772,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_159 pretty_name: Ensure function app builtin logging is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_16: categories: @@ -7258,6 +7785,7 @@ rules: name: CKV_AZURE_16 pretty_name: Ensure that Register with Azure Active Directory is enabled on App Service + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_160: categories: @@ -7269,6 +7797,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_160 pretty_name: Ensure that HTTP (port 80) access is restricted from the internet + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_161: categories: @@ -7280,6 +7809,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_161 pretty_name: Ensures Spring Cloud API Portal is enabled on for HTTPS + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_162: categories: @@ -7291,6 +7821,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_162 pretty_name: Ensures Spring Cloud API Portal Public Access Is Disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_163: categories: @@ -7302,6 +7833,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_163 pretty_name: Enable vulnerability scanning for container images. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_164: categories: @@ -7313,6 +7845,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_164 pretty_name: Ensures that ACR uses signed/trusted images + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_165: categories: 
@@ -7325,6 +7858,7 @@ rules: name: CKV_AZURE_165 pretty_name: Ensure geo-replicated container registries to match multi-region container deployments. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_166: categories: @@ -7336,6 +7870,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_166 pretty_name: Ensure container image quarantine, scan, and mark images verified + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_167: categories: @@ -7347,6 +7882,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_167 pretty_name: Ensure a retention policy is set to cleanup untagged manifests. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_168: categories: @@ -7359,6 +7895,7 @@ rules: name: CKV_AZURE_168 pretty_name: Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_169: categories: @@ -7370,6 +7907,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_169 pretty_name: Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_17: categories: @@ -7381,6 +7919,7 @@ rules: name: CKV_AZURE_17 pretty_name: Ensure the web app has 'Client Certificates (Incoming client certificates)' set + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_170: categories: @@ -7392,6 +7931,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_170 pretty_name: Ensure that AKS use the Paid Sku for its SLA + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_171: categories: @@ -7403,6 +7943,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_171 pretty_name: Ensure AKS cluster upgrade channel is chosen + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_172: categories: 
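Review bot: Four of the entries in these hunks are capacity or SKU checks rather than security controls, yet all receive `recommended: true`: CKV_AZURE_165 (geo-replicated registries), CKV_AZURE_168 (at least 50 pods per AKS node), CKV_AZURE_169 (scale sets) and CKV_AZURE_170 (paid AKS SKU for an SLA). Recommending a paid SKU or a pod-density threshold by default turns a security ruleset into a billing and sizing policy, and teams will suppress those findings together with the genuine ones. Consider keeping the flag here only on CKV_AZURE_166 (image quarantine and scanning), CKV_AZURE_171 (upgrade channel) and CKV_AZURE_17 (client certificates), which bear on image trust, patch currency and authentication.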
@@ -7414,6 +7955,7 @@ rules:
     group: cloud-weak-secrets-management
     name: CKV_AZURE_172
     pretty_name: Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_173:
     categories:
@@ -7425,6 +7967,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_AZURE_173
     pretty_name: Ensure API management uses at least TLS 1.2
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_174:
     categories:
@@ -7436,6 +7979,7 @@ rules:
     group: cloud-resources-public-access
     name: CKV_AZURE_174
     pretty_name: Ensure API management public access is disabled
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_175:
     categories:
@@ -7447,6 +7991,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_AZURE_175
     pretty_name: Ensure Web PubSub uses a SKU with an SLA
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_176:
     categories:
@@ -7458,6 +8003,7 @@ rules:
     group: cloud-insecure-iam
     name: CKV_AZURE_176
     pretty_name: Ensure Web PubSub uses managed identities to access Azure resources
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_177:
     categories:
@@ -7469,6 +8015,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_AZURE_177
     pretty_name: Ensure Windows VM enables automatic updates
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_178:
     categories:
@@ -7480,6 +8027,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_AZURE_178
     pretty_name: Ensure linux VM enables SSH with keys for secure communication
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_179:
     categories:
@@ -7491,6 +8039,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_AZURE_179
     pretty_name: Ensure VM agent is installed
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_AZURE_18:
     categories:
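Review bot: CKV_AZURE_175 (Web PubSub uses a SKU with an SLA) is marked `recommended: true` in the fourth hunk, but it is a commercial SLA choice rather than a security control and has no bearing on exposure. Promoting it by default puts a billing decision next to TLS 1.2 enforcement and public-access disablement in the same recommended set, which dilutes the signal. Consider leaving `recommended` unset on that entry; CKV_AZURE_179 (VM agent installed) is borderline too, though it at least enables the extensions that patching and monitoring depend on.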
@@ -7502,6 +8051,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_18 pretty_name: Ensure that 'HTTP Version' is the latest if used to run the web app + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_180: categories: @@ -7513,6 +8063,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_180 pretty_name: Ensure that data explorer uses Sku with an SLA + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_181: categories: @@ -7525,6 +8076,7 @@ rules: name: CKV_AZURE_181 pretty_name: Ensure that data explorer/Kusto uses managed identities to access Azure resources securely. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_182: categories: @@ -7536,6 +8088,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_182 pretty_name: Ensure that VNET has at least 2 connected DNS Endpoints + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_183: categories: @@ -7547,6 +8100,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_183 pretty_name: Ensure that VNET uses local DNS addresses + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_184: categories: @@ -7558,6 +8112,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_184 pretty_name: Ensure 'local_auth_enabled' is set to 'False' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_185: categories: @@ -7569,6 +8124,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_185 pretty_name: Ensure 'Public Access' is not Enabled for App configuration + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_186: categories: @@ -7580,6 +8136,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_186 pretty_name: Ensure App configuration encryption block is set. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_187: categories: 
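Review bot: CKV_AZURE_180 (data explorer SKU with an SLA), CKV_AZURE_182 (VNET has at least two DNS endpoints) and CKV_AZURE_183 (VNET uses local DNS addresses) all get `recommended: true` here, but they are SLA and DNS-resilience checks with no direct security effect. Recommending a paid SKU and a specific DNS topology by default will generate findings on every VNET and Kusto cluster that no security owner can act on. Consider leaving the flag off those three and keeping it on CKV_AZURE_181, CKV_AZURE_184 and CKV_AZURE_185, which remove static credentials and public exposure.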
@@ -7591,6 +8148,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_187 pretty_name: Ensure App configuration purge protection is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_188: categories: @@ -7602,6 +8160,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_188 pretty_name: Ensure App configuration Sku is standard + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_189: categories: @@ -7613,6 +8172,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_189 pretty_name: Ensure that Azure Key Vault disables public network access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_19: categories: @@ -7622,6 +8182,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_19 pretty_name: Ensure that standard pricing tier is selected + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_190: categories: @@ -7633,6 +8194,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_190 pretty_name: Ensure that Storage blobs restrict public access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_191: categories: @@ -7645,6 +8207,7 @@ rules: name: CKV_AZURE_191 pretty_name: Ensure that Managed identity provider is enabled for Azure Event Grid Topic + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_192: categories: @@ -7656,6 +8219,7 @@ rules: group: cloud-insecure-iam name: CKV_AZURE_192 pretty_name: Ensure that Azure Event Grid Topic local Authentication is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_193: categories: @@ -7667,6 +8231,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_193 pretty_name: Ensure public network access is disabled for Azure Event Grid Topic + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_194: categories: 
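Review bot: CKV_AZURE_188 (App Configuration SKU is standard) is flagged `recommended: true` in the second hunk, but it is a pricing-tier check, not a security control, and will flag every free-tier store in a default scan. CKV_AZURE_19 ("Ensure that standard pricing tier is selected") reads the same way; if it refers to the Defender for Cloud tier it is a legitimate recommendation, but the display name does not say so, and a recommended finding with that wording will be misread as a billing nag. Consider leaving `recommended` unset on CKV_AZURE_188 and making the `pretty_name` of CKV_AZURE_19 name the service it applies to before it is promoted.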
@@ -7679,6 +8244,7 @@ rules: name: CKV_AZURE_194 pretty_name: Ensure that Managed identity provider is enabled for Azure Event Grid Domain + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_195: categories: @@ -7690,6 +8256,7 @@ rules: group: cloud-insecure-iam name: CKV_AZURE_195 pretty_name: Ensure that Azure Event Grid Domain local Authentication is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_196: categories: @@ -7701,6 +8268,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_196 pretty_name: Ensure that SignalR uses a Paid Sku for its SLA + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_197: categories: @@ -7712,6 +8280,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_197 pretty_name: Ensure the Azure CDN disables the HTTP endpoint + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_198: categories: @@ -7723,6 +8292,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_198 pretty_name: Ensure the Azure CDN enables the HTTPS endpoint + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_199: categories: @@ -7734,6 +8304,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_199 pretty_name: Ensure that Azure Service Bus uses double encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_2: categories: @@ -7745,6 +8316,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_2 pretty_name: Ensure Azure managed disk has encryption enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_20: categories: @@ -7756,6 +8328,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_20 pretty_name: Ensure that security contact 'Phone number' is set + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_200: categories: 
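Review bot: CKV_AZURE_196 (SignalR uses a paid SKU for its SLA) gets `recommended: true` in the third hunk, but it is an SLA and billing decision rather than a security control. Recommending it alongside the local-authentication and public-network-access rules for Event Grid will produce a finding on every free-tier SignalR service that no security owner can remediate. Consider leaving the flag off that entry.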
@@ -7768,6 +8341,7 @@ rules: name: CKV_AZURE_200 pretty_name: Ensure the Azure CDN endpoint is using the latest version of TLS encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_201: categories: @@ -7792,6 +8366,7 @@ rules: name: CKV_AZURE_202 pretty_name: Ensure that Managed identity provider is enabled for Azure Service Bus + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_203: categories: @@ -7803,6 +8378,7 @@ rules: group: cloud-insecure-iam name: CKV_AZURE_203 pretty_name: Ensure Azure Service Bus Local Authentication is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_204: categories: @@ -7815,6 +8391,7 @@ rules: name: CKV_AZURE_204 pretty_name: Ensure 'public network access enabled' is set to 'False' for Azure Service Bus + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_205: categories: @@ -7826,6 +8403,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_205 pretty_name: Ensure Azure Service Bus is using the latest version of TLS encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_206: categories: @@ -7837,6 +8415,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_206 pretty_name: Ensure that Storage Accounts use replication + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_207: categories: @@ -7849,6 +8428,7 @@ rules: name: CKV_AZURE_207 pretty_name: Ensure Azure Cognitive Search service uses managed identities to access Azure resources + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_208: categories: @@ -7860,6 +8440,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_208 pretty_name: Ensure that Azure Cognitive Search maintains SLA for index updates + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_209: categories: 
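Review bot: CKV_AZURE_206 (storage accounts use replication) and CKV_AZURE_208 (Cognitive Search SLA for index updates) are flagged `recommended: true` in the last two hunks, but both are availability or SLA settings with cost implications and no bearing on exposure. Recommending them by default means every storage account that deliberately stays on a cheaper redundancy option and every single-replica search service becomes a recommended security finding. Consider leaving `recommended` unset on those two and keeping the flag on the managed-identity, local-authentication and public-network-access entries around them.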
@@ -7872,6 +8453,7 @@ rules: name: CKV_AZURE_209 pretty_name: Ensure that Azure Cognitive Search maintains SLA for search index queries + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_21: categories: @@ -7884,6 +8466,7 @@ rules: name: CKV_AZURE_21 pretty_name: Ensure that 'Send email notification for high severity alerts' is set to 'On' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_210: categories: @@ -7896,6 +8479,7 @@ rules: name: CKV_AZURE_210 pretty_name: Ensure Azure Cognitive Search service allowed IPS does not give public Access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_211: categories: @@ -7907,6 +8491,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_211 pretty_name: Ensure App Service plan suitable for production use + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_212: categories: @@ -7918,6 +8503,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_212 pretty_name: Ensure App Service has a minimum number of instances for failover + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_213: categories: @@ -7929,6 +8515,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_213 pretty_name: Ensure that App Service configures health check + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_214: categories: @@ -7940,6 +8527,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_214 pretty_name: Ensure App Service is set to be always on + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_215: categories: @@ -7951,6 +8539,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_215 pretty_name: Ensure API management backend uses https + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_216: categories: 
@@ -7962,6 +8551,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_216 pretty_name: Ensure DenyIntelMode is set to Deny for Azure Firewalls + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_217: categories: @@ -7974,6 +8564,7 @@ rules: name: CKV_AZURE_217 pretty_name: Ensure Azure Application gateways listener that allow connection requests over HTTP + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_218: categories: @@ -7986,6 +8577,7 @@ rules: name: CKV_AZURE_218 pretty_name: Ensure Application Gateway defines secure protocols for in transit communication + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_219: categories: @@ -7997,6 +8589,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_219 pretty_name: Ensure Firewall defines a firewall policy + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_22: categories: @@ -8009,6 +8602,7 @@ rules: name: CKV_AZURE_22 pretty_name: Ensure that 'Send email notification for high severity alerts' is set to 'On' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_220: categories: @@ -8020,6 +8614,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_220 pretty_name: Ensure Firewall policy has IDPS mode as deny + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_221: categories: @@ -8031,6 +8626,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_221 pretty_name: Ensure that Azure Function App public network access is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_222: categories: @@ -8042,6 +8638,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_222 pretty_name: Ensure that Azure Web App public network access is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_223: categories: 
@@ -8053,6 +8650,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_223 pretty_name: Ensure Event Hub Namespace uses at least TLS 1.2 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_224: categories: @@ -8065,6 +8663,7 @@ rules: name: CKV_AZURE_224 pretty_name: Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_225: categories: @@ -8076,6 +8675,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_225 pretty_name: Ensure the App Service Plan is zone redundant + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_226: categories: @@ -8087,6 +8687,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_226 pretty_name: Ensure ephemeral disks are used for OS disks + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_227: categories: @@ -8099,6 +8700,7 @@ rules: name: CKV_AZURE_227 pretty_name: Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_228: categories: @@ -8110,6 +8712,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_228 pretty_name: Ensure the Azure Event Hub Namespace is zone redundant + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_229: categories: @@ -8121,6 +8724,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_229 pretty_name: Ensure the Azure SQL Database Namespace is zone redundant + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_23: categories: 
@@ -8132,6 +8736,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_23 pretty_name: Ensure that 'Auditing' is set to 'On' for SQL servers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_230: categories: @@ -8143,6 +8748,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_230 pretty_name: Standard Replication should be enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_231: categories: @@ -8154,6 +8760,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_231 pretty_name: Ensure App Service Environment is zone redundant + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_232: categories: @@ -8165,6 +8772,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_232 pretty_name: Ensure that only critical system pods run on system nodes + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_233: categories: @@ -8176,6 +8784,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_233 pretty_name: Ensure Azure Container Registry (ACR) is zone redundant + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_234: categories: @@ -8187,6 +8796,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_234 pretty_name: Ensure that Azure Defender for cloud is set to On for Resource Manager + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_235: categories: @@ -8199,6 +8809,7 @@ rules: name: CKV_AZURE_235 pretty_name: Ensure that Azure container environment variables are configured with secure values only + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_237: categories: @@ -8210,6 +8821,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_237 pretty_name: Ensure dedicated data endpoints are enabled. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_24: categories: 
@@ -8221,6 +8833,7 @@ rules: name: CKV_AZURE_24 pretty_name: Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_25: categories: @@ -8230,6 +8843,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_25 pretty_name: Ensure that 'Threat Detection types' is set to 'All' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_26: categories: @@ -8241,6 +8855,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_26 pretty_name: Ensure that 'Send Alerts To' is enabled for MSSQL servers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_27: categories: @@ -8253,6 +8868,7 @@ rules: name: CKV_AZURE_27 pretty_name: Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_28: categories: @@ -8265,6 +8881,7 @@ rules: name: CKV_AZURE_28 pretty_name: Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_29: categories: @@ -8276,6 +8893,7 @@ rules: name: CKV_AZURE_29 pretty_name: Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_3: categories: @@ -8287,6 +8905,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_3 pretty_name: Ensure that 'Secure transfer required' is set to 'Enabled' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_30: categories: @@ -8298,6 +8917,7 @@ rules: name: CKV_AZURE_30 pretty_name: Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_31: categories: 
@@ -8308,6 +8928,7 @@ rules: name: CKV_AZURE_31 pretty_name: Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_32: categories: @@ -8318,6 +8939,7 @@ rules: name: CKV_AZURE_32 pretty_name: Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_33: categories: @@ -8329,6 +8951,7 @@ rules: name: CKV_AZURE_33 pretty_name: Ensure Storage logging is enabled for Queue service for read, write and delete requests + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_34: categories: @@ -8340,6 +8963,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_34 pretty_name: Ensure that 'Public access level' is set to Private for blob containers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_35: categories: @@ -8352,6 +8976,7 @@ rules: name: CKV_AZURE_35 pretty_name: Ensure default network access rule for Storage Accounts is set to deny + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_36: categories: @@ -8364,6 +8989,7 @@ rules: name: CKV_AZURE_36 pretty_name: Ensure 'Trusted Microsoft Services' is enabled for Storage Account access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_37: categories: @@ -8374,6 +9000,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_37 pretty_name: Ensure that Activity Log Retention is set 365 days or greater + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_38: categories: @@ -8384,6 +9011,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_38 pretty_name: Ensure audit profile captures all the activities + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_39: categories: 
@@ -8395,6 +9023,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_AZURE_39
 pretty_name: Ensure that no custom subscription owner roles are created
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_4:
 categories:
@@ -8406,6 +9035,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_4
 pretty_name: Ensure AKS logging to Azure Monitoring is Configured
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_40:
 categories:
@@ -8416,6 +9046,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_40
 pretty_name: Ensure that the expiration date is set on all keys
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_41:
 categories:
@@ -8426,6 +9057,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_41
 pretty_name: Ensure that the expiration date is set on all secrets
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_42:
 categories:
@@ -8437,6 +9069,7 @@ rules:
 group: cloud-weak-secrets-management
 name: CKV_AZURE_42
 pretty_name: Ensure the key vault is recoverable
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_43:
 categories:
@@ -8446,6 +9079,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_43
 pretty_name: Ensure Storage Accounts adhere to the naming rules
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_44:
 categories:
@@ -8457,6 +9091,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AZURE_44
 pretty_name: Ensure Storage Account is using the latest version of TLS encryption
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_45:
 categories:
@@ -8468,6 +9103,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_45
 pretty_name: Ensure that no sensitive credentials are exposed in VM custom_data
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_47:
 categories:
@@ -8478,6 +9114,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_47 pretty_name: Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_48: categories: @@ -8490,6 +9127,7 @@ rules: name: CKV_AZURE_48 pretty_name: Ensure 'public network access enabled' is set to 'False' for MariaDB servers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_49: categories: @@ -8502,6 +9140,7 @@ rules: name: CKV_AZURE_49 pretty_name: Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_5: categories: @@ -8513,6 +9152,7 @@ rules: group: cloud-insecure-iam name: CKV_AZURE_5 pretty_name: Ensure RBAC is enabled on AKS clusters + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_50: categories: @@ -8524,6 +9164,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_50 pretty_name: Ensure Virtual Machine Extensions are not Installed + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_52: categories: @@ -8534,6 +9175,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_52 pretty_name: Ensure MSSQL is using the latest version of TLS encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_53: categories: @@ -8546,6 +9188,7 @@ rules: name: CKV_AZURE_53 pretty_name: Ensure 'public network access enabled' is set to 'False' for mySQL servers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_54: categories: @@ -8556,6 +9199,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_54 pretty_name: Ensure MySQL is using the latest version of TLS encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_55: categories: 
@@ -8566,6 +9210,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_55
 pretty_name: Ensure that Azure Defender is set to On for Servers
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_56:
 categories:
@@ -8577,6 +9222,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_56
 pretty_name: Ensure that function apps enables Authentication
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_57:
 categories:
@@ -8588,6 +9234,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_57
 pretty_name: Ensure that CORS disallows every resource to access app services
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_58:
 categories:
@@ -8598,6 +9245,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_58
 pretty_name: Ensure that Azure Synapse workspaces enables managed virtual networks
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_59:
 categories:
@@ -8609,6 +9257,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_AZURE_59
 pretty_name: Ensure that Storage accounts disallow public access
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_6:
 categories:
@@ -8619,6 +9268,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_6
 pretty_name: Ensure AKS has an API Server Authorized IP Ranges enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_60:
 categories:
@@ -8630,6 +9280,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_60
 pretty_name: Ensure that storage account enables secure transfer
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_61:
 categories:
@@ -8640,6 +9291,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_61 pretty_name: Ensure that Azure Defender is set to On for App Service + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_62: categories: @@ -8649,6 +9301,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_62 pretty_name: Ensure function apps are not accessible from all regions + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_63: categories: @@ -8660,6 +9313,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_63 pretty_name: Ensure that App service enables HTTP logging + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_64: categories: @@ -8671,6 +9325,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_64 pretty_name: Ensure that Azure File Sync disables public network access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_65: categories: @@ -8682,6 +9337,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_65 pretty_name: Ensure that App service enables detailed error messages + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_66: categories: @@ -8692,6 +9348,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_66 pretty_name: Ensure that App service enables failed request tracing + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_67: categories: @@ -8702,6 +9359,7 @@ rules: name: CKV_AZURE_67 pretty_name: Ensure that 'HTTP Version' is the latest, if used to run the Function app + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_68: categories: @@ -8713,6 +9371,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_68 pretty_name: Ensure that PostgreSQL server disables public network access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_69: categories: 
@@ -8723,6 +9382,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_69
 pretty_name: Ensure that Azure Defender is set to On for Azure SQL database servers
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_7:
 categories:
@@ -8733,6 +9393,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_7
 pretty_name: Ensure AKS cluster has Network Policy configured
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_70:
 categories:
@@ -8744,6 +9405,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AZURE_70
 pretty_name: Ensure that Function apps is only accessible over HTTPS
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_71:
 categories:
@@ -8755,6 +9417,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_71
 pretty_name: Ensure that Managed identity provider is enabled for app services
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_72:
 categories:
@@ -8766,6 +9429,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_72
 pretty_name: Ensure that remote debugging is not enabled for app services
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_73:
 categories:
@@ -8777,6 +9441,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AZURE_73
 pretty_name: Ensure that Automation account variables are encrypted
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_74:
 categories:
@@ -8788,6 +9453,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_AZURE_74
 pretty_name: Ensure that Azure Data Explorer uses disk encryption
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_75:
 categories:
@@ -8797,6 +9463,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_75 pretty_name: Ensure that Azure Data Explorer uses double encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_76: categories: @@ -8806,6 +9473,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_76 pretty_name: Ensure that Azure Batch account uses key vault to encrypt data + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_77: categories: @@ -8817,6 +9485,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_77 pretty_name: 'Ensure that UDP Services are restricted from the Internet ' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_78: categories: @@ -8828,6 +9497,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_78 pretty_name: Ensure FTP deployments are disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_79: categories: @@ -8838,6 +9508,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_79 pretty_name: Ensure that Azure Defender is set to On for SQL servers on machines + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_8: categories: @@ -8849,6 +9520,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_8 pretty_name: Ensure Kubernetes Dashboard is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_80: categories: @@ -8861,6 +9533,7 @@ rules: name: CKV_AZURE_80 pretty_name: Ensure that 'Net Framework' version is the latest, if used as a part of the web app + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_81: categories: @@ -8872,6 +9545,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_81 pretty_name: Ensure that 'PHP version' is the latest, if used to run the web app + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_82: categories: 
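Review bot: The context line for CKV_AZURE_77 carries a quoted trailing space, `pretty_name: 'Ensure that UDP Services are restricted from the Internet '`, which single quotes preserve, so the display name this commit promotes into the recommended set ends in whitespace. It is pre-existing, but since the entry is being touched anyway, trim it to `pretty_name: Ensure that UDP Services are restricted from the Internet` (the quotes then become unnecessary). Stray whitespace in a name is exactly what a UI label or a by-name dedup will trip over.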
@@ -8884,6 +9558,7 @@ rules: name: CKV_AZURE_82 pretty_name: Ensure that 'Python version' is the latest, if used to run the web app + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_83: categories: @@ -8896,6 +9571,7 @@ rules: name: CKV_AZURE_83 pretty_name: Ensure that 'Java version' is the latest, if used to run the web app + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_84: categories: @@ -8906,6 +9582,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_84 pretty_name: Ensure that Azure Defender is set to On for Storage + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_85: categories: @@ -8916,6 +9593,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_85 pretty_name: Ensure that Azure Defender is set to On for Kubernetes + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_86: categories: @@ -8926,6 +9604,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_86 pretty_name: Ensure that Azure Defender is set to On for Container Registries + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_87: categories: @@ -8936,6 +9615,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_87 pretty_name: Ensure that Azure Defender is set to On for Key Vault + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_88: categories: @@ -8945,6 +9625,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_88 pretty_name: Ensure that app services use Azure Files + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_89: categories: @@ -8956,6 +9637,7 @@ rules: group: cloud-resources-public-access name: CKV_AZURE_89 pretty_name: Ensure that Azure Cache for Redis disables public network access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_9: categories: 
@@ -8967,6 +9649,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_9 pretty_name: Ensure that RDP access is restricted from the internet + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_91: categories: @@ -8977,6 +9660,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_91 pretty_name: Ensure that only SSL are enabled for Cache for Redis + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_92: categories: @@ -8988,6 +9672,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_92 pretty_name: Ensure that Virtual Machines use managed disks + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_93: categories: @@ -9008,6 +9693,7 @@ rules: group: cloud-weak-configuration name: CKV_AZURE_94 pretty_name: Ensure that My SQL server enables geo-redundant backups + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_95: categories: @@ -9020,6 +9706,7 @@ rules: name: CKV_AZURE_95 pretty_name: Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_96: categories: @@ -9030,6 +9717,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_96 pretty_name: Ensure that MySQL server enables infrastructure encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_97: categories: @@ -9041,6 +9729,7 @@ rules: group: cloud-unencrypted-resources name: CKV_AZURE_97 pretty_name: Ensure that Virtual machine scale sets have encryption at host enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_AZURE_98: categories: 
@@ -9052,6 +9741,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_AZURE_98
 pretty_name: Ensure that Azure Container group is deployed into virtual network
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_AZURE_99:
 categories:
@@ -9063,6 +9753,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_AZURE_99
 pretty_name: Ensure Cosmos DB accounts have restricted access
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_BCW_1:
 categories:
@@ -9074,6 +9765,7 @@ rules:
 group: stored-secrets
 name: CKV_BCW_1
 pretty_name: Ensure no hard coded API token exist in the provider
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_BITBUCKETPIPELINES_1:
 categories:
@@ -9084,6 +9776,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_BITBUCKETPIPELINES_1
 pretty_name: Ensure the pipeline image uses a non latest version tag
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_BITBUCKET_1:
 categories:
@@ -9103,6 +9796,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_CIRCLECIPIPELINES_1
 pretty_name: Ensure the pipeline image uses a non latest version tag
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_CIRCLECIPIPELINES_2:
 categories:
@@ -9124,6 +9818,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_CIRCLECIPIPELINES_3
 pretty_name: Ensure mutable development orbs are not used.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_CIRCLECIPIPELINES_4:
 categories:
@@ -9135,6 +9830,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_CIRCLECIPIPELINES_4
 pretty_name: Ensure unversioned volatile orbs are not used.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_CIRCLECIPIPELINES_5:
 categories:
@@ -9146,6 +9842,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_CIRCLECIPIPELINES_5
 pretty_name: Suspicious use of netcat with IP address
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_CIRCLECIPIPELINES_6:
 categories:
@@ -9157,6 +9854,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_CIRCLECIPIPELINES_6
 pretty_name: Ensure run commands are not vulnerable to shell injection
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_CIRCLECIPIPELINES_7:
 categories:
@@ -9168,6 +9866,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_CIRCLECIPIPELINES_7
 pretty_name: Suspicious use of curl in run task
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_DIO_1:
 categories:
@@ -9189,6 +9888,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_DIO_2
 pretty_name: Ensure the droplet specifies an SSH key
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_DIO_3:
 categories:
@@ -9200,6 +9900,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_DIO_3
 pretty_name: Ensure the Spaces bucket is private
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_DIO_4:
 categories:
@@ -9211,6 +9912,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_DIO_4
 pretty_name: Ensure the firewall ingress is not wide open
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_DOCKER_1:
 categories:
@@ -9222,6 +9924,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_DOCKER_1
 pretty_name: Ensure port 22 is not exposed
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_DOCKER_10:
 categories:
@@ -9233,6 +9936,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_DOCKER_10
 pretty_name: Ensure that WORKDIR values are absolute paths
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_DOCKER_11:
 categories:
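Review bot: CKV_CIRCLECIPIPELINES_5 and CKV_CIRCLECIPIPELINES_7 are, going by their display names ("Suspicious use of netcat with IP address", "Suspicious use of curl in run task"), pattern-based heuristics rather than deterministic misconfiguration checks, and this hunk promotes them into the recommended set alongside the deterministic CKV_CIRCLECIPIPELINES_6 (shell injection). Heuristic rules in a default set carry a higher false-positive rate into every scan of a pipeline that legitimately fetches artifacts with curl, so the decision deserves a visible rationale. A short comment on those two entries, e.g. `# heuristic match; kept in the default set because a hit warrants manual triage`, would make that deliberate rather than accidental.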
@@ -9244,6 +9948,7 @@ rules: group: cloud-weak-configuration name: CKV_DOCKER_11 pretty_name: Ensure From Alias are unique for multistage builds. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_DOCKER_2: categories: @@ -9254,6 +9959,7 @@ rules: name: CKV_DOCKER_2 pretty_name: Ensure that HEALTHCHECK instructions have been added to container images + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_DOCKER_3: categories: @@ -9263,6 +9969,7 @@ rules: group: cloud-weak-configuration name: CKV_DOCKER_3 pretty_name: Ensure that a user for the container has been created + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_DOCKER_4: categories: @@ -9272,6 +9979,7 @@ rules: group: cloud-weak-configuration name: CKV_DOCKER_4 pretty_name: Ensure that COPY is used instead of ADD in Dockerfiles + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_DOCKER_5: categories: @@ -9283,6 +9991,7 @@ rules: group: cloud-weak-configuration name: CKV_DOCKER_5 pretty_name: Ensure update instructions are not use alone in the Dockerfile + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_DOCKER_6: categories: @@ -9292,6 +10001,7 @@ rules: group: cloud-weak-configuration name: CKV_DOCKER_6 pretty_name: Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated) + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_DOCKER_7: categories: @@ -9303,6 +10013,7 @@ rules: group: cloud-weak-configuration name: CKV_DOCKER_7 pretty_name: Ensure the base image uses a non latest version tag + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_DOCKER_8: categories: @@ -9334,6 +10045,7 @@ rules: name: CKV_GCP_1 pretty_name: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_10: categories: 
@@ -9345,6 +10057,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_10 pretty_name: Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_100: categories: @@ -9356,6 +10069,7 @@ rules: group: cloud-resources-public-access name: CKV_GCP_100 pretty_name: Ensure that BigQuery Tables are not anonymously or publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_101: categories: @@ -9368,6 +10082,7 @@ rules: name: CKV_GCP_101 pretty_name: Ensure that Artifact Registry repositories are not anonymously or publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_102: categories: @@ -9380,6 +10095,7 @@ rules: name: CKV_GCP_102 pretty_name: Ensure that GCP Cloud Run services are not anonymously or publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_103: categories: @@ -9391,6 +10107,7 @@ rules: group: cloud-resources-public-access name: CKV_GCP_103 pretty_name: Ensure Dataproc Clusters do not have public IPs + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_104: categories: @@ -9402,6 +10119,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_104 pretty_name: Ensure Datafusion has stack driver logging enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_105: categories: @@ -9413,6 +10131,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_105 pretty_name: Ensure Datafusion has stack driver monitoring enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_106: categories: @@ -9425,6 +10144,7 @@ rules: name: CKV_GCP_106 pretty_name: Ensure Google compute firewall ingress does not allow unrestricted http port 80 access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_107: categories: 
@@ -9445,6 +10165,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_108 pretty_name: Ensure hostnames are logged for GCP PostgreSQL databases + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_109: categories: @@ -9457,6 +10178,7 @@ rules: name: CKV_GCP_109 pretty_name: Ensure the GCP PostgreSQL database log levels are set to ERROR or lower + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_11: categories: @@ -9468,6 +10190,7 @@ rules: group: cloud-resources-public-access name: CKV_GCP_11 pretty_name: Ensure that Cloud SQL database Instances are not open to the world + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_110: categories: @@ -9498,6 +10221,7 @@ rules: group: cloud-insecure-iam name: CKV_GCP_112 pretty_name: Esnure KMS policy should not allow public access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_113: categories: @@ -9509,6 +10233,7 @@ rules: group: cloud-insecure-iam name: CKV_GCP_113 pretty_name: Ensure IAM policy should not define public access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_114: categories: @@ -9520,6 +10245,7 @@ rules: group: cloud-resources-public-access name: CKV_GCP_114 pretty_name: Ensure public access prevention is enforced on Cloud Storage bucket + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_115: categories: @@ -9531,6 +10257,7 @@ rules: group: cloud-insecure-iam name: CKV_GCP_115 pretty_name: Ensure basic roles are not used at organization level. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_116: categories: @@ -9542,6 +10269,7 @@ rules: group: cloud-insecure-iam name: CKV_GCP_116 pretty_name: Ensure basic roles are not used at folder level. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_117: categories: 
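Review bot: CKV_GCP_112's `pretty_name` in the fourth hunk still reads `Esnure KMS policy should not allow public access`; now that the rule is recommended the typo will appear in every default report, so this is the moment to change it to `pretty_name: Ensure KMS policy should not allow public access`. The line is context rather than part of this change, so it is pre-existing, but it sits inside the hunk being touched.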
@@ -9553,6 +10281,7 @@ rules: group: cloud-insecure-iam name: CKV_GCP_117 pretty_name: Ensure basic roles are not used at project level. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_118: categories: @@ -9564,6 +10293,7 @@ rules: group: cloud-insecure-iam name: CKV_GCP_118 pretty_name: Ensure IAM workload identity pool provider is restricted + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_119: categories: @@ -9575,6 +10305,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_119 pretty_name: Ensure Spanner Database has deletion protection enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_12: categories: @@ -9595,6 +10326,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_120 pretty_name: Ensure Spanner Database has drop protection enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_121: categories: @@ -9606,6 +10338,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_121 pretty_name: Ensure BigQuery tables have deletion protection enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_122: categories: @@ -9617,6 +10350,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_122 pretty_name: Ensure Big Table Instances have deletion protection enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_123: categories: @@ -9628,6 +10362,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_123 pretty_name: GKE Don't Use NodePools in the Cluster configuration + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_124: categories: @@ -9640,6 +10375,7 @@ rules: name: CKV_GCP_124 pretty_name: Ensure GCP Cloud Function is not configured with overly permissive Ingress setting + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_13: categories: 
@@ -9652,6 +10388,7 @@ rules: name: CKV_GCP_13 pretty_name: Ensure client certificate authentication to Kubernetes Engine Clusters is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_14: categories: @@ -9664,6 +10401,7 @@ rules: name: CKV_GCP_14 pretty_name: Ensure all Cloud SQL database instance have backup configuration enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_15: categories: @@ -9675,6 +10413,7 @@ rules: group: cloud-resources-public-access name: CKV_GCP_15 pretty_name: Ensure that BigQuery datasets are not anonymously or publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_16: categories: @@ -9696,6 +10435,7 @@ rules: name: CKV_GCP_17 pretty_name: Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_18: categories: @@ -9717,6 +10457,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_19 pretty_name: Ensure GKE basic auth is disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_2: categories: @@ -9729,6 +10470,7 @@ rules: name: CKV_GCP_2 pretty_name: Ensure Google compute firewall ingress does not allow unrestricted ssh access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_20: categories: @@ -9760,6 +10502,7 @@ rules: name: CKV_GCP_22 pretty_name: Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_23: categories: @@ -9807,6 +10550,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_27 pretty_name: Ensure that the default network does not exist in a project + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_28: categories: 
@@ -9818,6 +10562,7 @@ rules: group: cloud-resources-public-access name: CKV_GCP_28 pretty_name: Ensure that Cloud Storage bucket is not anonymously or publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_29: categories: @@ -9830,6 +10575,7 @@ rules: name: CKV_GCP_29 pretty_name: Ensure that Cloud Storage buckets have uniform bucket-level access enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_3: categories: @@ -9842,6 +10588,7 @@ rules: name: CKV_GCP_3 pretty_name: Ensure Google compute firewall ingress does not allow unrestricted rdp access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_30: categories: @@ -9854,6 +10601,7 @@ rules: name: CKV_GCP_30 pretty_name: Ensure that instances are not configured to use the default service account + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_31: categories: @@ -9866,6 +10614,7 @@ rules: name: CKV_GCP_31 pretty_name: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_32: categories: @@ -9877,6 +10626,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_32 pretty_name: Ensure 'Block Project-wide SSH keys' is enabled for VM instances + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_33: categories: @@ -9888,6 +10638,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_33 pretty_name: Ensure oslogin is enabled for a Project + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_34: categories: @@ -9900,6 +10651,7 @@ rules: name: CKV_GCP_34 pretty_name: Ensure that no instance in the project overrides the project setting for enabling OSLogin + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_35: categories: 
@@ -9912,6 +10664,7 @@ rules: name: CKV_GCP_35 pretty_name: Ensure 'Enable connecting to serial ports' is not enabled for VM Instance + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_36: categories: @@ -9923,6 +10676,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_36 pretty_name: Ensure that IP forwarding is not enabled on Instances + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_37: categories: @@ -9965,6 +10719,7 @@ rules: name: CKV_GCP_4 pretty_name: Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_40: categories: @@ -9976,6 +10731,7 @@ rules: group: cloud-resources-public-access name: CKV_GCP_40 pretty_name: Ensure that Compute instances do not have public IP addresses + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_41: categories: @@ -9988,6 +10744,7 @@ rules: name: CKV_GCP_41 pretty_name: Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_42: categories: @@ -9999,6 +10756,7 @@ rules: group: cloud-insecure-iam name: CKV_GCP_42 pretty_name: Ensure that Service Account has no Admin privileges + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_43: categories: @@ -10021,6 +10779,7 @@ rules: name: CKV_GCP_44 pretty_name: Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_45: categories: 
@@ -10033,6 +10792,7 @@ rules: name: CKV_GCP_45 pretty_name: Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_46: categories: @@ -10044,6 +10804,7 @@ rules: group: cloud-insecure-iam name: CKV_GCP_46 pretty_name: Ensure Default Service account is not used at a project level + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_47: categories: @@ -10055,6 +10816,7 @@ rules: group: cloud-insecure-iam name: CKV_GCP_47 pretty_name: Ensure default service account is not used at an organization level + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_48: categories: @@ -10066,6 +10828,7 @@ rules: group: cloud-insecure-iam name: CKV_GCP_48 pretty_name: Ensure Default Service account is not used at a folder level + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_49: categories: @@ -10078,6 +10841,7 @@ rules: name: CKV_GCP_49 pretty_name: Ensure roles do not impersonate or manage Service Accounts used at project level + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_50: categories: @@ -10089,6 +10853,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_50 pretty_name: Ensure MySQL database 'local_infile' flag is set to 'off' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_51: categories: @@ -10100,6 +10865,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_51 pretty_name: Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_52: categories: 
@@ -10111,6 +10877,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_52 pretty_name: Ensure PostgreSQL database 'log_connections' flag is set to 'on' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_53: categories: @@ -10131,6 +10898,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_54 pretty_name: Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_55: categories: @@ -10173,6 +10941,7 @@ rules: name: CKV_GCP_58 pretty_name: Ensure SQL database 'cross db ownership chaining' flag is set to 'off' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_59: categories: @@ -10185,6 +10954,7 @@ rules: name: CKV_GCP_59 pretty_name: Ensure SQL database 'contained database authentication' flag is set to 'off' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_6: categories: @@ -10197,6 +10967,7 @@ rules: name: CKV_GCP_6 pretty_name: Ensure all Cloud SQL database instance requires all incoming connections to use SSL + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_60: categories: @@ -10208,6 +10979,7 @@ rules: group: cloud-resources-public-access name: CKV_GCP_60 pretty_name: Ensure Cloud SQL database does not have public IP + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_61: categories: @@ -10238,6 +11010,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_63 pretty_name: Bucket should not log to itself + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_64: categories: @@ -10247,6 +11020,7 @@ rules: group: cloud-resources-public-access name: CKV_GCP_64 pretty_name: Ensure clusters are created with Private Nodes + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_65: categories: 
@@ -10258,6 +11032,7 @@ rules: group: cloud-insecure-iam name: CKV_GCP_65 pretty_name: Manage Kubernetes RBAC users with Google Groups for GKE + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_66: categories: @@ -10279,6 +11054,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_67 pretty_name: Ensure legacy Compute Engine instance metadata APIs are Disabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_68: categories: @@ -10300,6 +11076,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_69 pretty_name: Ensure the GKE Metadata Server is Enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_7: categories: @@ -10312,6 +11089,7 @@ rules: name: CKV_GCP_7 pretty_name: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_70: categories: @@ -10323,6 +11101,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_70 pretty_name: Ensure the GKE Release Channel is set + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_71: categories: @@ -10355,6 +11134,7 @@ rules: name: CKV_GCP_73 pretty_name: Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_74: categories: @@ -10366,6 +11146,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_74 pretty_name: Ensure that private_ip_google_access is enabled for Subnet + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_75: categories: @@ -10378,6 +11159,7 @@ rules: name: CKV_GCP_75 pretty_name: Ensure Google compute firewall ingress does not allow unrestricted FTP access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_76: categories: 
@@ -10389,6 +11171,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_76 pretty_name: Ensure that Private google access is enabled for IPV6 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_77: categories: @@ -10400,6 +11183,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_77 pretty_name: Ensure Google compute firewall ingress does not allow on ftp port + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_78: categories: @@ -10420,6 +11204,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_79 pretty_name: Ensure SQL database is using latest Major version + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_8: categories: @@ -10432,6 +11217,7 @@ rules: name: CKV_GCP_8 pretty_name: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_80: categories: @@ -10463,6 +11249,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_82 pretty_name: Ensure KMS keys are protected from deletion + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_83: categories: @@ -10504,6 +11291,7 @@ rules: group: cloud-resources-public-access name: CKV_GCP_86 pretty_name: Ensure Cloud build workers are private + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_87: categories: @@ -10515,6 +11303,7 @@ rules: group: cloud-resources-public-access name: CKV_GCP_87 pretty_name: Ensure Data fusion instances are private + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_88: categories: @@ -10527,6 +11316,7 @@ rules: name: CKV_GCP_88 pretty_name: Ensure Google compute firewall ingress does not allow unrestricted mysql access + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_89: categories: 
@@ -10538,6 +11328,7 @@ rules: group: cloud-weak-secrets-management name: CKV_GCP_89 pretty_name: Ensure Vertex AI instances are private + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_9: categories: @@ -10547,6 +11338,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_9 pretty_name: Ensure 'Automatic node repair' is enabled for Kubernetes Clusters + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_90: categories: @@ -10597,6 +11389,7 @@ rules: group: cloud-resources-public-access name: CKV_GCP_94 pretty_name: Ensure Dataflow jobs are private + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_95: categories: @@ -10608,6 +11401,7 @@ rules: group: cloud-weak-configuration name: CKV_GCP_95 pretty_name: Ensure Memorystore for Redis has AUTH enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_96: categories: @@ -10626,6 +11420,7 @@ rules: group: cloud-unencrypted-resources name: CKV_GCP_97 pretty_name: Ensure Memorystore for Redis uses intransit encryption + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_98: categories: @@ -10637,6 +11432,7 @@ rules: group: cloud-resources-public-access name: CKV_GCP_98 pretty_name: Ensure that Dataproc clusters are not anonymously or publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GCP_99: categories: @@ -10648,6 +11444,7 @@ rules: group: cloud-resources-public-access name: CKV_GCP_99 pretty_name: Ensure that Pub/Sub Topics are not anonymously or publicly accessible + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GHA_1: categories: @@ -10660,6 +11457,7 @@ rules: name: CKV_GHA_1 pretty_name: Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GHA_2: categories: 
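Review bot: CKV_GCP_89 (`Ensure Vertex AI instances are private`) is promoted in the first hunk while sitting under `group: cloud-weak-secrets-management`, which does not describe what the check does; every sibling "instances are private" rule visible in this file (CKV_GCP_86, CKV_GCP_87, CKV_GCP_94, CKV_GCP_98) is under `cloud-resources-public-access`. The group is a context line, so the mislabel predates this change, but marking the rule recommended makes it surface in default views; `group: cloud-resources-public-access` looks like the intended value and is worth confirming against the checkov policy index in `ref`.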
@@ -10671,6 +11469,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_GHA_2
 pretty_name: Ensure run commands are not vulnerable to shell injection
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GHA_3:
 categories:
@@ -10682,6 +11481,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_GHA_3
 pretty_name: Suspicious use of curl with secrets
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GHA_4:
 categories:
@@ -10693,6 +11493,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_GHA_4
 pretty_name: Suspicious use of netcat with IP address
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GHA_5:
 categories:
@@ -10735,6 +11536,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GITHUB_1
 pretty_name: Ensure GitHub organization security settings require 2FA
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GITHUB_10:
 categories:
@@ -10746,6 +11548,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: CKV_GITHUB_10
 pretty_name: Ensure branch protection rules are enforced on administrators
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GITHUB_2:
 categories:
@@ -10785,6 +11588,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: CKV_GITHUB_5
 pretty_name: Ensure GitHub branch protection rules does not allow force pushes
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GITHUB_6:
 categories:
@@ -10796,6 +11600,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_GITHUB_6
 pretty_name: Ensure GitHub organization webhooks are using HTTPS
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GITHUB_7:
 categories:
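Review bot: The CKV_GHA_4 hunk ends at `CKV_GHA_5:` and the next hunk starts at CKV_GITHUB_1, so CKV_GHA_5 and the rules between it and CKV_GITHUB_1 stay unmarked, as do the rules between CKV_GITHUB_10 and CKV_GITHUB_5 (CKV_GITHUB_2 onward). If those ranges hold the workflow_dispatch-input and signed-commit checks, they are the same threat class as CKV_GHA_2 and CKV_GITHUB_10 that this line does promote, so the gap reads as accidental; a line in the description either way would settle it. Separately, CKV_GITHUB_1 (organization 2FA) is promoted under `group: cloud-weak-configuration` while the equivalent GitLab rule CKV_GITLAB_2 further down is under `supply-chain-scm-weak-configuration`; since both now become default-visible, `group: supply-chain-scm-weak-configuration` on CKV_GITHUB_1 would keep SCM-setting findings in one bucket.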
@@ -10807,6 +11612,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_GITHUB_7
 pretty_name: Ensure GitHub repository webhooks are using HTTPS
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GITHUB_8:
 categories:
@@ -10837,6 +11643,7 @@ rules:
 group: supply-chain-cicd-vulnerable-pipeline
 name: CKV_GITLABCI_1
 pretty_name: Suspicious use of curl with CI environment variables in script
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GITLABCI_2:
 categories:
@@ -10848,6 +11655,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_GITLABCI_2
 pretty_name: Avoid creating rules that generate double pipelines
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GITLABCI_3:
 categories:
@@ -10877,6 +11685,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: CKV_GITLAB_2
 pretty_name: Ensure all Gitlab groups require two factor authentication
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GIT_1:
 categories:
@@ -10897,6 +11706,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_GIT_2
 pretty_name: Ensure GitHub repository webhooks are using HTTPS
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GIT_3:
 categories:
@@ -10908,6 +11718,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: CKV_GIT_3
 pretty_name: Ensure GitHub repository has vulnerability alerts enabled
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GIT_4:
 categories:
@@ -10919,6 +11730,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_GIT_4
 pretty_name: Ensure GitHub Actions secrets are encrypted
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_GIT_5:
 categories:
@@ -10959,6 +11771,7 @@ rules: group: supply-chain-scm-weak-configuration name: CKV_GLB_2 pretty_name: Ensure GitLab branch protection rules does not allow force pushes + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GLB_3: categories: @@ -10970,6 +11783,7 @@ rules: group: supply-chain-scm-weak-configuration name: CKV_GLB_3 pretty_name: Ensure GitLab prevent secrets is enabled + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_GLB_4: categories: @@ -10991,6 +11805,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_1 pretty_name: Do not admit containers wishing to share the host process ID namespace + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_10: categories: @@ -11013,6 +11828,7 @@ rules: name: CKV_K8S_100 pretty_name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_102: categories: @@ -11024,6 +11840,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_102 pretty_name: Ensure that the --etcd-cafile argument is set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_104: categories: @@ -11035,6 +11852,7 @@ rules: group: cloud-unencrypted-resources name: CKV_K8S_104 pretty_name: Ensure that encryption providers are appropriately configured + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_105: categories: @@ -11047,6 +11865,7 @@ rules: name: CKV_K8S_105 pretty_name: Ensure that the API Server only makes use of Strong Cryptographic Ciphers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_106: categories: 
@@ -11059,6 +11878,7 @@ rules: name: CKV_K8S_106 pretty_name: Ensure that the --terminated-pod-gc-threshold argument is set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_107: categories: @@ -11070,6 +11890,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_107 pretty_name: Ensure that the --profiling argument is set to false + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_108: categories: @@ -11082,6 +11903,7 @@ rules: name: CKV_K8S_108 pretty_name: Ensure that the --use-service-account-credentials argument is set to true + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_11: categories: @@ -11104,6 +11926,7 @@ rules: name: CKV_K8S_110 pretty_name: Ensure that the --service-account-private-key-file argument is set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_111: categories: @@ -11115,6 +11938,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_111 pretty_name: Ensure that the --root-ca-file argument is set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_112: categories: @@ -11127,6 +11951,7 @@ rules: name: CKV_K8S_112 pretty_name: Ensure that the RotateKubeletServerCertificate argument is set to true + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_113: categories: @@ -11138,6 +11963,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_113 pretty_name: Ensure that the --bind-address argument is set to 127.0.0.1 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_114: categories: @@ -11149,6 +11975,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_114 pretty_name: Ensure that the --profiling argument is set to false + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_115: categories: 
@@ -11160,6 +11987,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_115 pretty_name: Ensure that the --bind-address argument is set to 127.0.0.1 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_116: categories: @@ -11171,6 +11999,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_116 pretty_name: Ensure that the --cert-file and --key-file arguments are set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_117: categories: @@ -11182,6 +12011,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_117 pretty_name: Ensure that the --client-cert-auth argument is set to true + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_118: categories: @@ -11193,6 +12023,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_118 pretty_name: Ensure that the --auto-tls argument is not set to true + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_119: categories: @@ -11205,6 +12036,7 @@ rules: name: CKV_K8S_119 pretty_name: Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_12: categories: @@ -11226,6 +12058,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_121 pretty_name: Ensure that the --peer-client-cert-auth argument is set to true + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_13: categories: @@ -11247,6 +12080,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_138 pretty_name: Ensure that the --anonymous-auth argument is set to false + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_139: categories: 
@@ -11258,6 +12092,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_139 pretty_name: Ensure that the --authorization-mode argument is not set to AlwaysAllow + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_14: categories: @@ -11268,6 +12103,7 @@ rules: group: supply-chain-cicd-weak-configuration name: CKV_K8S_14 pretty_name: Image Tag should be fixed - not latest or blank + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_140: categories: @@ -11279,6 +12115,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_140 pretty_name: Ensure that the --client-ca-file argument is set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_141: categories: @@ -11290,6 +12127,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_141 pretty_name: Ensure that the --read-only-port argument is set to 0 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_143: categories: @@ -11302,6 +12140,7 @@ rules: name: CKV_K8S_143 pretty_name: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_144: categories: @@ -11313,6 +12152,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_144 pretty_name: Ensure that the --protect-kernel-defaults argument is set to true + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_145: categories: @@ -11324,6 +12164,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_145 pretty_name: Ensure that the --make-iptables-util-chains argument is set to true + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_146: categories: 
@@ -11335,6 +12176,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_146 pretty_name: Ensure that the --hostname-override argument is not set + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_147: categories: @@ -11347,6 +12189,7 @@ rules: name: CKV_K8S_147 pretty_name: Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_148: categories: @@ -11359,6 +12202,7 @@ rules: name: CKV_K8S_148 pretty_name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_149: categories: @@ -11370,6 +12214,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_149 pretty_name: Ensure that the --rotate-certificates argument is not set to false + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_15: categories: @@ -11391,6 +12236,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_151 pretty_name: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_152: categories: @@ -11403,6 +12249,7 @@ rules: name: CKV_K8S_152 pretty_name: Prevent NGINX Ingress annotation snippets which contain LUA code execution. See CVE-2021-25742 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_153: categories: @@ -11414,6 +12261,7 @@ rules: group: cloud-weak-configuration name: CKV_K8S_153 pretty_name: Prevent All NGINX Ingress annotation snippets. See CVE-2021-25742 + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_K8S_154: categories: 
@@ -11426,6 +12274,7 @@ rules:
     name: CKV_K8S_154
     pretty_name: Prevent NGINX Ingress annotation snippets which contain alias statements See CVE-2021-25742
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_155:
     categories:
@@ -11438,6 +12287,7 @@ rules:
     name: CKV_K8S_155
     pretty_name: Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_156:
     categories:
@@ -11449,6 +12299,7 @@ rules:
     group: cloud-insecure-iam
     name: CKV_K8S_156
     pretty_name: Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_157:
     categories:
@@ -11461,6 +12312,7 @@ rules:
     name: CKV_K8S_157
     pretty_name: Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_158:
     categories:
@@ -11473,6 +12325,7 @@ rules:
     name: CKV_K8S_158
     pretty_name: Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_16:
     categories:
@@ -11484,6 +12337,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_16
     pretty_name: Do not admit privileged containers
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_17:
     categories:
@@ -11495,6 +12349,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_17
     pretty_name: Do not admit containers wishing to share the host process ID namespace
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_18:
     categories:
@@ -11506,6 +12361,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_18
     pretty_name: Do not admit containers wishing to share the host IPC namespace
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_19:
     categories:
@@ -11517,6 +12373,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_19
     pretty_name: Do not admit containers wishing to share the host network namespace
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_2:
     categories:
@@ -11528,6 +12385,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_2
     pretty_name: Do not admit privileged containers
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_20:
     categories:
@@ -11539,6 +12397,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_20
     pretty_name: Containers should not run with allowPrivilegeEscalation
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_21:
     categories:
@@ -11579,6 +12438,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_24
     pretty_name: Do not allow containers with added capability
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_25:
     categories:
@@ -11590,6 +12450,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_25
     pretty_name: Minimize the admission of containers with added capability
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_26:
     categories:
@@ -11601,6 +12462,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_26
     pretty_name: Do not specify hostPort unless absolutely necessary
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_27:
     categories:
@@ -11612,6 +12474,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_27
     pretty_name: Do not expose the docker daemon socket to containers
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_28:
     categories:
@@ -11623,6 +12486,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_28
     pretty_name: Minimize the admission of containers with the NET_RAW capability
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_29:
     categories:
@@ -11644,6 +12508,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_3
     pretty_name: Do not admit containers wishing to share the host IPC namespace
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_30:
     categories:
@@ -11685,6 +12550,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_33
     pretty_name: Ensure the Kubernetes dashboard is not deployed
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_34:
     categories:
@@ -11696,6 +12562,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_34
     pretty_name: Ensure that Tiller (Helm v2) is not deployed
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_35:
     categories:
@@ -11716,6 +12583,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_36
     pretty_name: Minimise the admission of containers with capabilities assigned
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_37:
     categories:
@@ -11727,6 +12595,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_37
     pretty_name: Minimise the admission of containers with capabilities assigned
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_38:
     categories:
@@ -11737,6 +12606,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_38
     pretty_name: Ensure that Service Account Tokens are only mounted where necessary
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_39:
     categories:
@@ -11748,6 +12618,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_39
     pretty_name: Do not use the CAP_SYS_ADMIN linux capability
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_4:
     categories:
@@ -11759,6 +12630,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_4
     pretty_name: Do not admit containers wishing to share the host network namespace
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_40:
     categories:
@@ -11780,6 +12652,7 @@ rules:
     group: cloud-insecure-iam
     name: CKV_K8S_41
     pretty_name: Ensure that default service accounts are not actively used
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_42:
     categories:
@@ -11791,6 +12664,7 @@ rules:
     group: cloud-insecure-iam
     name: CKV_K8S_42
     pretty_name: Ensure that default service accounts are not actively used
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_43:
     categories:
@@ -11812,6 +12686,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_44
     pretty_name: Ensure that the Tiller Service (Helm v2) is deleted
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_45:
     categories:
@@ -11824,6 +12699,7 @@ rules:
     name: CKV_K8S_45
     pretty_name: Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_49:
     categories:
@@ -11835,6 +12711,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_49
     pretty_name: Minimize wildcard use in Roles and ClusterRoles
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_5:
     categories:
@@ -11846,6 +12723,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_5
     pretty_name: Containers should not run with allowPrivilegeEscalation
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_6:
     categories:
@@ -11857,6 +12735,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_6
     pretty_name: Do not admit root containers
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_68:
     categories:
@@ -11868,6 +12747,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_68
     pretty_name: Ensure that the --anonymous-auth argument is set to false
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_69:
     categories:
@@ -11879,6 +12759,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_69
     pretty_name: Ensure that the --basic-auth-file argument is not set
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_7:
     categories:
@@ -11890,6 +12771,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_7
     pretty_name: Do not admit containers with the NET_RAW capability
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_70:
     categories:
@@ -11901,6 +12783,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_70
     pretty_name: Ensure that the --token-auth-file argument is not set
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_71:
     categories:
@@ -11912,6 +12795,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_71
     pretty_name: Ensure that the --kubelet-https argument is set to true
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_72:
     categories:
@@ -11924,6 +12808,7 @@ rules:
     name: CKV_K8S_72
     pretty_name: Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_73:
     categories:
@@ -11936,6 +12821,7 @@ rules:
     name: CKV_K8S_73
     pretty_name: Ensure that the --kubelet-certificate-authority argument is set as appropriate
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_74:
     categories:
@@ -11947,6 +12833,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_74
     pretty_name: Ensure that the --authorization-mode argument is not set to AlwaysAllow
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_75:
     categories:
@@ -11958,6 +12845,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_75
     pretty_name: Ensure that the --authorization-mode argument includes Node
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_77:
     categories:
@@ -11969,6 +12857,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_77
     pretty_name: Ensure that the --authorization-mode argument includes RBAC
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_78:
     categories:
@@ -11989,6 +12878,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_79
     pretty_name: Ensure that the admission control plugin AlwaysAdmit is not set
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_8:
     categories:
@@ -11999,6 +12889,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_8
     pretty_name: Liveness Probe Should be Configured
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_80:
     categories:
@@ -12071,6 +12962,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_86
     pretty_name: Ensure that the --insecure-bind-address argument is not set
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_88:
     categories:
@@ -12082,6 +12974,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_88
     pretty_name: Ensure that the --insecure-port argument is set to 0
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_89:
     categories:
@@ -12093,6 +12986,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_89
     pretty_name: Ensure that the --secure-port argument is not set to 0
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_9:
     categories:
@@ -12103,6 +12997,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_9
     pretty_name: Readiness Probe Should be Configured
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_90:
     categories:
@@ -12114,6 +13009,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_90
     pretty_name: Ensure that the --profiling argument is set to false
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_91:
     categories:
@@ -12125,6 +13021,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_91
     pretty_name: Ensure that the --audit-log-path argument is set
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_92:
     categories:
@@ -12136,6 +13033,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_92
     pretty_name: Ensure that the --audit-log-maxage argument is set to 30 or as appropriate
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_93:
     categories:
@@ -12148,6 +13046,7 @@ rules:
     name: CKV_K8S_93
     pretty_name: Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_94:
     categories:
@@ -12160,6 +13059,7 @@ rules:
     name: CKV_K8S_94
     pretty_name: Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_95:
     categories:
@@ -12171,6 +13071,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_95
     pretty_name: Ensure that the --request-timeout argument is set as appropriate
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_96:
     categories:
@@ -12182,6 +13083,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_96
     pretty_name: Ensure that the --service-account-lookup argument is set to true
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_97:
     categories:
@@ -12193,6 +13095,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_K8S_97
     pretty_name: Ensure that the --service-account-key-file argument is set as appropriate
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_K8S_99:
     categories:
@@ -12205,6 +13108,7 @@ rules:
     name: CKV_K8S_99
     pretty_name: Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_LIN_1:
     categories:
@@ -12216,6 +13120,7 @@ rules:
     group: stored-secrets
     name: CKV_LIN_1
     pretty_name: Ensure no hard coded Linode tokens exist in provider
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_LIN_2:
     categories:
@@ -12227,6 +13132,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_LIN_2
     pretty_name: Ensure SSH key set in authorized_keys
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_LIN_3:
     categories:
@@ -12238,6 +13144,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_LIN_3
     pretty_name: Ensure email is set
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_LIN_4:
     categories:
@@ -12249,6 +13156,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_LIN_4
     pretty_name: Ensure username is set
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_LIN_5:
     categories:
@@ -12260,6 +13168,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_LIN_5
     pretty_name: Ensure Inbound Firewall Policy is not set to ACCEPT
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_LIN_6:
     categories:
@@ -12271,6 +13180,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_LIN_6
     pretty_name: Ensure Outbound Firewall Policy is not set to ACCEPT
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_1:
     categories:
@@ -12281,6 +13191,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_NCP_1
     pretty_name: Ensure HTTP HTTPS Target group defines Healthcheck
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_10:
     categories:
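Review bot: `recommended: true` is applied to hygiene checks with no security weakness behind them — CKV_LIN_3 (`Ensure email is set`) and CKV_LIN_4 (`Ensure username is set`) in the hunks on this line, and likewise CKV_NCP_2 (`Ensure every access control groups rule has a description`), CKV_NCP_20 (a routing-table connectivity check) and CKV_PAN_8 (`Ensure description is populated within security policies`) in later hunks. If `recommended` feeds a default-on rule set, these entries will raise findings under `cloud-weak-configuration` that carry no remediation value and dilute checks such as CKV_LIN_5/CKV_LIN_6 on firewall policies set to ACCEPT; the meaning of `recommended` is not defined in this file, so this is inferred. Consider dropping the flag from those entries or documenting the selection criterion above `rules:`, e.g. `# recommended: true marks rules enabled by default; set only on checks with a direct security impact`.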
@@ -12292,6 +13203,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_NCP_10
     pretty_name: Ensure no NACL allow inbound from 0.0.0.0:0 to port 22
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_11:
     categories:
@@ -12303,6 +13215,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_NCP_11
     pretty_name: Ensure no NACL allow inbound from 0.0.0.0:0 to port 3389
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_12:
     categories:
@@ -12314,6 +13227,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_NCP_12
     pretty_name: An inbound Network ACL rule should not allow ALL ports.
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_13:
     categories:
@@ -12325,6 +13239,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_NCP_13
     pretty_name: Ensure LB Listener uses only secure protocols
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_14:
     categories:
@@ -12335,6 +13250,7 @@ rules:
     group: cloud-unencrypted-resources
     name: CKV_NCP_14
     pretty_name: Ensure NAS is securely encrypted
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_15:
     categories:
@@ -12346,6 +13262,7 @@ rules:
     group: cloud-unencrypted-resources
     name: CKV_NCP_15
     pretty_name: Ensure Load Balancer Target Group is not using HTTP
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_16:
     categories:
@@ -12357,6 +13274,7 @@ rules:
     group: cloud-resources-public-access
     name: CKV_NCP_16
     pretty_name: Ensure Load Balancer isn't exposed to the internet
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_18:
     categories:
@@ -12369,6 +13287,7 @@ rules:
     name: CKV_NCP_18
     pretty_name: Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks.
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_19:
     categories:
@@ -12380,6 +13299,7 @@ rules:
     group: cloud-resources-public-access
     name: CKV_NCP_19
     pretty_name: Ensure Naver Kubernetes Service public endpoint disabled
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_2:
     categories:
@@ -12391,6 +13311,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_NCP_2
     pretty_name: Ensure every access control groups rule has a description
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_20:
     categories:
@@ -12403,6 +13324,7 @@ rules:
     name: CKV_NCP_20
     pretty_name: Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_22:
     categories:
@@ -12414,6 +13336,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_NCP_22
     pretty_name: Ensure NKS control plane logging enabled for all log types
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_23:
     categories:
@@ -12425,6 +13348,7 @@ rules:
     group: cloud-resources-public-access
     name: CKV_NCP_23
     pretty_name: Ensure Server instance should not have public IP.
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_24:
     categories:
@@ -12436,6 +13360,7 @@ rules:
     group: cloud-unencrypted-resources
     name: CKV_NCP_24
     pretty_name: Ensure Load Balancer Listener Using HTTPS
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_25:
     categories:
@@ -12448,6 +13373,7 @@ rules:
     name: CKV_NCP_25
     pretty_name: Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_26:
     categories:
@@ -12459,6 +13385,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_NCP_26
     pretty_name: Ensure Access Control Group has Access Control Group Rule attached
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_3:
     categories:
@@ -12469,6 +13396,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_NCP_3
     pretty_name: Ensure no security group rules allow outbound traffic to 0.0.0.0/0
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_4:
     categories:
@@ -12481,6 +13409,7 @@ rules:
     name: CKV_NCP_4
     pretty_name: Ensure no access control groups allow inbound from 0.0.0.0:0 to port 22
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_5:
     categories:
@@ -12493,6 +13422,7 @@ rules:
     name: CKV_NCP_5
     pretty_name: Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_6:
     categories:
@@ -12504,6 +13434,7 @@ rules:
     group: cloud-unencrypted-resources
     name: CKV_NCP_6
     pretty_name: Ensure Server instance is encrypted.
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_7:
     categories:
@@ -12514,6 +13445,7 @@ rules:
     group: cloud-unencrypted-resources
     name: CKV_NCP_7
     pretty_name: Ensure Basic Block storage is encrypted.
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_8:
     categories:
@@ -12525,6 +13457,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_NCP_8
     pretty_name: Ensure no NACL allow inbound from 0.0.0.0:0 to port 20
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_NCP_9:
     categories:
@@ -12536,6 +13469,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_NCP_9
     pretty_name: Ensure no NACL allow inbound from 0.0.0.0:0 to port 21
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OCI_1:
     categories:
@@ -12547,6 +13481,7 @@ rules:
     group: stored-secrets
     name: CKV_OCI_1
     pretty_name: Ensure no hard coded OCI private key in provider
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OCI_10:
     categories:
@@ -12558,6 +13493,7 @@ rules:
     group: cloud-resources-public-access
     name: CKV_OCI_10
     pretty_name: Ensure OCI Object Storage is not Public
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OCI_11:
     categories:
@@ -12622,6 +13558,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_OCI_16
     pretty_name: Ensure VCN has an inbound security list
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OCI_17:
     categories:
@@ -12633,6 +13570,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_OCI_17
     pretty_name: Ensure VCN inbound security lists are stateless
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OCI_18:
     categories:
@@ -12656,6 +13594,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_OCI_19
     pretty_name: Ensure no security list allow ingress from 0.0.0.0:0 to port 22.
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OCI_2:
     categories:
@@ -12677,6 +13616,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_OCI_20
     pretty_name: Ensure no security list allow ingress from 0.0.0.0:0 to port 3389.
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OCI_21:
     categories:
@@ -12688,6 +13628,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_OCI_21
     pretty_name: Ensure security group has stateless ingress security rules
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OCI_22:
     categories:
@@ -12700,6 +13641,7 @@ rules:
     name: CKV_OCI_22
     pretty_name: Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OCI_3:
     categories:
@@ -12720,6 +13662,7 @@ rules:
     name: CKV_OCI_4
     pretty_name: Ensure OCI Compute Instance boot volume has in-transit data encryption enabled
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OCI_5:
     categories:
@@ -12732,6 +13675,7 @@ rules:
     name: CKV_OCI_5
     pretty_name: Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OCI_6:
     categories:
@@ -12743,6 +13687,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_OCI_6
     pretty_name: Ensure OCI Compute Instance has monitoring enabled
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OCI_7:
     categories:
@@ -12782,6 +13727,7 @@ rules:
     name: CKV_OPENAPI_1
     pretty_name: Ensure that securityDefinitions is defined and not empty - version 2.0 files
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_10:
     categories:
@@ -12794,6 +13740,7 @@ rules:
     name: CKV_OPENAPI_10
     pretty_name: Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_11:
     categories:
@@ -12806,6 +13753,7 @@ rules:
     name: CKV_OPENAPI_11
     pretty_name: Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_12:
     categories:
@@ -12818,6 +13766,7 @@ rules:
     name: CKV_OPENAPI_12
     pretty_name: Ensure no security definition is using implicit flow on OAuth2, which is deprecated - version 2.0 files
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_13:
     categories:
@@ -12829,6 +13778,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_OPENAPI_13
     pretty_name: Ensure security definitions do not use basic auth - version 2.0 files
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_14:
     categories:
@@ -12841,6 +13791,7 @@ rules:
     name: CKV_OPENAPI_14
     pretty_name: Ensure that operation objects do not use 'implicit' flow, which is deprecated - version 2.0 files
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_15:
     categories:
@@ -12853,6 +13804,7 @@ rules:
     name: CKV_OPENAPI_15
     pretty_name: Ensure that operation objects do not use basic auth - version 2.0 files
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_16:
     categories:
@@ -12865,6 +13817,7 @@ rules:
     name: CKV_OPENAPI_16
     pretty_name: Ensure that operation objects have 'produces' field defined for GET operations - version 2.0 files
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_17:
     categories:
@@ -12877,6 +13830,7 @@ rules:
     name: CKV_OPENAPI_17
     pretty_name: Ensure that operation objects have 'consumes' field defined for PUT, POST and PATCH operations - version 2.0 files
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_18:
     categories:
@@ -12889,6 +13843,7 @@ rules:
     name: CKV_OPENAPI_18
     pretty_name: Ensure that global schemes use 'https' protocol instead of 'http'- version 2.0 files
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_19:
     categories:
@@ -12901,6 +13856,7 @@ rules:
     name: CKV_OPENAPI_19
     pretty_name: Ensure that global security scope is defined in securityDefinitions - version 2.0 files
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_2:
     categories:
@@ -12913,6 +13869,7 @@ rules:
     name: CKV_OPENAPI_2
     pretty_name: Ensure that if the security scheme is not of type 'oauth2', the array value must be empty - version 2.0 files
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_20:
     categories:
@@ -12924,6 +13881,7 @@ rules:
     group: cloud-unencrypted-resources
     name: CKV_OPENAPI_20
     pretty_name: Ensure that API keys are not sent over cleartext
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_21:
     categories:
@@ -12935,6 +13893,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_OPENAPI_21
     pretty_name: Ensure that arrays have a maximum number of items
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_3:
     categories:
@@ -12947,6 +13906,7 @@ rules:
     name: CKV_OPENAPI_3
     pretty_name: Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_4:
     categories:
@@ -12958,6 +13918,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_OPENAPI_4
     pretty_name: Ensure that the global security field has rules defined
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_5:
     categories:
@@ -12969,6 +13930,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_OPENAPI_5
     pretty_name: Ensure that security operations is not empty.
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_6:
     categories:
@@ -12981,6 +13943,7 @@ rules:
     name: CKV_OPENAPI_6
     pretty_name: Ensure that security requirement defined in securityDefinitions - version 2.0 files
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_7:
     categories:
@@ -12993,6 +13956,7 @@ rules:
     name: CKV_OPENAPI_7
     pretty_name: Ensure that the path scheme does not support unencrypted HTTP connection - version 2.0 files
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_8:
     categories:
@@ -13005,6 +13969,7 @@ rules:
     name: CKV_OPENAPI_8
     pretty_name: Ensure that security is not using 'password' flow in OAuth2 authentication - version 2.0 files
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENAPI_9:
     categories:
@@ -13017,6 +13982,7 @@ rules:
     name: CKV_OPENAPI_9
     pretty_name: Ensure that security scopes of operations are defined in securityDefinitions - version 2.0 files
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENSTACK_1:
     categories:
@@ -13029,6 +13995,7 @@ rules:
     name: CKV_OPENSTACK_1
     pretty_name: Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENSTACK_2:
     categories:
@@ -13041,6 +14008,7 @@ rules:
     name: CKV_OPENSTACK_2
     pretty_name: Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp)
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENSTACK_3:
     categories:
@@ -13053,6 +14021,7 @@ rules:
     name: CKV_OPENSTACK_3
     pretty_name: Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp)
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENSTACK_4:
     categories:
@@ -13064,6 +14033,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_OPENSTACK_4
     pretty_name: Ensure that instance does not use basic credentials
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_OPENSTACK_5:
     categories:
@@ -13075,6 +14045,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_OPENSTACK_5
     pretty_name: Ensure firewall rule set a destination IP
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_PAN_1:
     categories:
@@ -13086,6 +14057,7 @@ rules:
     group: stored-secrets
     name: CKV_PAN_1
     pretty_name: Ensure no hard coded PAN-OS credentials exist in provider
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_PAN_10:
     categories:
@@ -13097,6 +14069,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_PAN_10
     pretty_name: Ensure logging at session end is enabled within security policies
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_PAN_11:
     categories:
@@ -13108,6 +14081,7 @@ rules:
     group: cloud-unencrypted-resources
     name: CKV_PAN_11
     pretty_name: Ensure IPsec profiles do not specify use of insecure encryption algorithms
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_PAN_12:
     categories:
@@ -13120,6 +14094,7 @@ rules:
     name: CKV_PAN_12
     pretty_name: Ensure IPsec profiles do not specify use of insecure authentication algorithms
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_PAN_13:
     categories:
@@ -13131,6 +14106,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_PAN_13
     pretty_name: Ensure IPsec profiles do not specify use of insecure protocols
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_PAN_14:
     categories:
@@ -13142,6 +14118,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_PAN_14
     pretty_name: Ensure a Zone Protection Profile is defined within Security Zones
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_PAN_15:
     categories:
@@ -13153,6 +14130,7 @@ rules:
     group: cloud-weak-configuration
     name: CKV_PAN_15
     pretty_name: Ensure an Include ACL is defined for a Zone when User-ID is enabled
+    recommended: true
     ref: https://www.checkov.io/5.Policy%20Index/all.html
   CKV_PAN_16:
     categories:
@@ -13165,6 +14143,7 @@ rules: name: CKV_PAN_16 pretty_name: Ensure logging at session start is disabled within security policies except for troubleshooting and long lived GRE tunnels + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_PAN_17: categories: @@ -13177,6 +14156,7 @@ rules: name: CKV_PAN_17 pretty_name: Ensure security rules do not have 'source_zone' and 'destination_zone' both containing values of 'any' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_PAN_2: categories: @@ -13189,6 +14169,7 @@ rules: name: CKV_PAN_2 pretty_name: Ensure plain-text management HTTP is not enabled for an Interface Management Profile + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_PAN_3: categories: @@ -13201,6 +14182,7 @@ rules: name: CKV_PAN_3 pretty_name: Ensure plain-text management Telnet is not enabled for an Interface Management Profile + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_PAN_4: categories: @@ -13212,6 +14194,7 @@ rules: group: cloud-weak-configuration name: CKV_PAN_4 pretty_name: Ensure DSRI is not enabled within security policies + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_PAN_5: categories: @@ -13223,6 +14206,7 @@ rules: group: cloud-weak-configuration name: CKV_PAN_5 pretty_name: 'Ensure security rules do not have ''applications'' set to ''any'' ' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_PAN_6: categories: @@ -13234,6 +14218,7 @@ rules: group: cloud-weak-configuration name: CKV_PAN_6 pretty_name: 'Ensure security rules do not have ''services'' set to ''any'' ' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_PAN_7: categories: 
@@ -13246,6 +14231,7 @@ rules: name: CKV_PAN_7 pretty_name: 'Ensure security rules do not have ''source_addresses'' and ''destination_addresses'' both containing values of ''any'' ' + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_PAN_8: categories: @@ -13257,6 +14243,7 @@ rules: group: cloud-weak-configuration name: CKV_PAN_8 pretty_name: Ensure description is populated within security policies + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_PAN_9: categories: @@ -13278,6 +14265,7 @@ rules: group: stored-secrets name: CKV_SECRET_1 pretty_name: Artifactory Credentials + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_SECRET_10: categories: @@ -13289,6 +14277,7 @@ rules: group: stored-secrets name: CKV_SECRET_10 pretty_name: Secret Keyword + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_SECRET_11: categories: @@ -13300,6 +14289,7 @@ rules: group: stored-secrets name: CKV_SECRET_11 pretty_name: Mailchimp Access Key + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_SECRET_12: categories: @@ -13311,6 +14301,7 @@ rules: group: stored-secrets name: CKV_SECRET_12 pretty_name: NPM tokens + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_SECRET_13: categories: @@ -13322,6 +14313,7 @@ rules: group: stored-secrets name: CKV_SECRET_13 pretty_name: Private Key + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_SECRET_14: categories: @@ -13333,6 +14325,7 @@ rules: group: stored-secrets name: CKV_SECRET_14 pretty_name: Slack Token + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_SECRET_15: categories: @@ -13344,6 +14337,7 @@ rules: group: stored-secrets name: CKV_SECRET_15 pretty_name: SoftLayer Credentials + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_SECRET_16: categories: 
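Review bot: CKV_PAN_8 (`Ensure description is populated within security policies`, the second hunk on this line) is a documentation-hygiene check with no security signal, yet it gets `recommended: true` next to the stored-secrets detectors, while CKV_PAN_9 between the hunks at -13257 and -13278 is left unflagged. If `recommended` is meant to seed a default-on, high-signal policy, every undocumented PAN-OS rule will now raise a recommended finding. I would drop the flag from CKV_PAN_8, or, if the selection criterion is something other than security impact, record that criterion in the realm's README so later additions follow the same rule.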
@@ -13355,6 +14349,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_16
 pretty_name: Square OAuth Secret
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_17:
 categories:
@@ -13366,6 +14361,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_17
 pretty_name: Stripe Access Key
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_18:
 categories:
@@ -13377,6 +14373,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_18
 pretty_name: Twilio API Key
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_19:
 categories:
@@ -13395,6 +14392,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_2
 pretty_name: AWS Access Key
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_3:
 categories:
@@ -13406,6 +14404,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_3
 pretty_name: Azure Storage Account access key
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_4:
 categories:
@@ -13417,6 +14416,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_4
 pretty_name: Basic Auth Credentials
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_5:
 categories:
@@ -13428,6 +14428,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_5
 pretty_name: Cloudant Credentials
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_6:
 categories:
@@ -13448,6 +14449,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_7
 pretty_name: IBM Cloud IAM Key
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_8:
 categories:
@@ -13459,6 +14461,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_8
 pretty_name: IBM COS HMAC Credentials
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_SECRET_9:
 categories:
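Review bot: CKV_SECRET_19 and CKV_SECRET_6 are skipped (the hunk headers jump from -13377 to -13395 and from -13428 to -13448) while every neighbouring stored-secrets rule gets `recommended: true`, and nothing in the patch records why. Since the file is otherwise uniform, a later regeneration or bulk edit is likely to flag them by accident. Making the exclusion explicit on those two rules, e.g. `recommended: false` preceded by a one-line comment stating the reason, would preserve the intent; the reason itself is not visible here, so please state it rather than leave it implied.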
@@ -13470,6 +14473,7 @@ rules:
 group: stored-secrets
 name: CKV_SECRET_9
 pretty_name: JSON Web Token
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_TF_1:
 categories:
@@ -13481,6 +14485,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: CKV_TF_1
 pretty_name: Ensure Terraform module sources use a commit hash
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_TF_2:
 categories:
@@ -13492,6 +14497,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: CKV_TF_2
 pretty_name: Ensure Terraform module sources use a tag with a version number
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_1:
 categories:
@@ -13503,6 +14509,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_YC_1
 pretty_name: Ensure security group is assigned to database cluster.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_10:
 categories:
@@ -13514,6 +14521,7 @@ rules:
 group: cloud-unencrypted-resources
 name: CKV_YC_10
 pretty_name: Ensure etcd database is encrypted with KMS key.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_11:
 categories:
@@ -13525,6 +14533,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_YC_11
 pretty_name: Ensure security group is assigned to network interface.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_12:
 categories:
@@ -13536,6 +14545,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_YC_12
 pretty_name: Ensure public IP is not assigned to database cluster.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_13:
 categories:
@@ -13547,6 +14557,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_YC_13
 pretty_name: Ensure cloud member does not have elevated access.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_14:
 categories:
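Review bot: CKV_TF_1 (`Ensure Terraform module sources use a commit hash`) and CKV_TF_2 (`Ensure Terraform module sources use a tag with a version number`), the second and third hunks on this line, are both marked `recommended: true`, but a git module source is pinned to either a commit or a tag, so going by the rule names at least one of the two fails for every pinned module. If checkov treats them as alternatives this is harmless; if they are exclusive, recommend only one, and CKV_TF_1 is the stronger supply-chain control because tags are mutable while commit hashes are not. Confirm against the checkov implementation before leaving both flagged.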
@@ -13558,6 +14569,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_YC_14
 pretty_name: Ensure security group is assigned to Kubernetes cluster.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_15:
 categories:
@@ -13569,6 +14581,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_YC_15
 pretty_name: Ensure security group is assigned to Kubernetes node group.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_16:
 categories:
@@ -13590,6 +14603,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_YC_17
 pretty_name: Ensure storage bucket does not have public access permissions.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_18:
 categories:
@@ -13601,6 +14615,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_YC_18
 pretty_name: Ensure compute instance group does not have public IP.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_19:
 categories:
@@ -13612,6 +14627,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_YC_19
 pretty_name: Ensure security group does not contain allow-all rules.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_2:
 categories:
@@ -13623,6 +14639,7 @@ rules:
 group: cloud-resources-public-access
 name: CKV_YC_2
 pretty_name: Ensure compute instance does not have public IP.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_20:
 categories:
@@ -13634,6 +14651,7 @@ rules:
 group: cloud-weak-configuration
 name: CKV_YC_20
 pretty_name: Ensure security group rule is not allow-all.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_21:
 categories:
@@ -13645,6 +14663,7 @@ rules:
 group: cloud-insecure-iam
 name: CKV_YC_21
 pretty_name: Ensure organization member does not have elevated access.
+ recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
 CKV_YC_22:
 categories:
@@ -13656,6 +14675,7 @@ rules: group: cloud-weak-configuration name: CKV_YC_22 pretty_name: Ensure compute instance group has security group assigned. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_YC_23: categories: @@ -13667,6 +14687,7 @@ rules: group: cloud-insecure-iam name: CKV_YC_23 pretty_name: Ensure folder member does not have elevated access. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_YC_24: categories: @@ -13679,6 +14700,7 @@ rules: name: CKV_YC_24 pretty_name: Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_YC_3: categories: @@ -13689,6 +14711,7 @@ rules: group: cloud-unencrypted-resources name: CKV_YC_3 pretty_name: Ensure storage bucket is encrypted. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_YC_4: categories: @@ -13700,6 +14723,7 @@ rules: group: cloud-weak-configuration name: CKV_YC_4 pretty_name: Ensure compute instance does not have serial console enabled. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_YC_5: categories: @@ -13711,6 +14735,7 @@ rules: group: cloud-resources-public-access name: CKV_YC_5 pretty_name: Ensure Kubernetes cluster does not have public IP address. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_YC_6: categories: @@ -13722,6 +14747,7 @@ rules: group: cloud-resources-public-access name: CKV_YC_6 pretty_name: Ensure Kubernetes cluster node group does not have public IP addresses. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_YC_7: categories: @@ -13733,6 +14759,7 @@ rules: group: cloud-weak-configuration name: CKV_YC_7 pretty_name: Ensure Kubernetes cluster auto-upgrade is enabled. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_YC_8: categories: 
@@ -13744,6 +14771,7 @@ rules: group: cloud-weak-configuration name: CKV_YC_8 pretty_name: Ensure Kubernetes node group auto-upgrade is enabled. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html CKV_YC_9: categories: @@ -13755,5 +14783,6 @@ rules: group: cloud-weak-secrets-management name: CKV_YC_9 pretty_name: Ensure KMS symmetric key is rotated. + recommended: true ref: https://www.checkov.io/5.Policy%20Index/all.html From 1d6401c0a0b757fa2c1a0aad917e918ab95750ed Mon Sep 17 00:00:00 2001 From: Alexis-Maurer Fortin Date: Mon, 5 Aug 2024 13:22:40 -0400 Subject: [PATCH 4/5] checkmarx --- .../checkmarx-provider/rules.yaml | 4079 ++++++++++++++++- 1 file changed, 4078 insertions(+), 1 deletion(-) diff --git a/server-side-scanners/boostsecurityio/checkmarx-provider/rules.yaml b/server-side-scanners/boostsecurityio/checkmarx-provider/rules.yaml index a57ce8ef..c5d98a5e 100644 --- a/server-side-scanners/boostsecurityio/checkmarx-provider/rules.yaml +++ b/server-side-scanners/boostsecurityio/checkmarx-provider/rules.yaml @@ -18,6 +18,7 @@ rules: group: top10-insecure-design name: 0008c003-79aa-42d8-95b8-1c2fe37dbfe6 pretty_name: Multiple RUN, ADD, COPY, Instructions Listed + recommended: true ref: https://sysdig.com/blog/dockerfile-best-practices/ 00481784-25aa-4a55-8633-3136dfcf4f37: categories: @@ -28,6 +29,7 @@ rules: group: supply-chain-scm-weak-configuration name: 00481784-25aa-4a55-8633-3136dfcf4f37 pretty_name: Yum Clean All Missing + recommended: true ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run 00603add-7f72-448f-a6c0-9e456a7a3f94: categories: @@ -39,6 +41,7 @@ rules: group: cloud-resources-public-access name: 00603add-7f72-448f-a6c0-9e456a7a3f94 pretty_name: Elasticsearch with HTTPS disabled + recommended: true ref: https://www.pulumi.com/registry/packages/aws/api-docs/elasticsearch/domain/#enforcehttps_yaml 00b78adf-b83f-419c-8ed8-c6018441dd3a: categories: 
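Review bot: The first two checkmarx hunks on this line mark `Multiple RUN, ADD, COPY, Instructions Listed` and `Yum Clean All Missing` as `recommended: true`; both are image-size and layer-hygiene checks rather than security weaknesses, and recommending them will raise findings on nearly every Dockerfile. Taken together with the diffstat (4078 insertions, 1 deletion in one file) this reads as a near-blanket application of the flag rather than a curated list, although a handful of rules are visibly skipped further down the page, so the intent may be more selective than it looks. I would restrict `recommended` in this provider to rules whose group maps to an actual weakness class (public access, insecure IAM, crypto, secrets) and leave lint-style rules off, or state the selection criterion in the commit message so reviewers can check it.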
@@ -48,6 +51,7 @@ rules:
 group: cloud-weak-configuration
 name: 00b78adf-b83f-419c-8ed8-c6018441dd3a
 pretty_name: Pattern Undefined (v3)
+ recommended: true
 ref: https://swagger.io/specification/#schema-object
 00e5e55e-c2ff-46b3-a757-a7a1cd802456:
 categories:
@@ -58,6 +62,7 @@ rules:
 group: cloud-weak-configuration
 name: 00e5e55e-c2ff-46b3-a757-a7a1cd802456
 pretty_name: CloudFront Without Minimum Protocol TLS 1.2
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution
 0104165b-02d5-426f-abc9-91fb48189899:
 categories:
@@ -69,6 +74,7 @@ rules:
 group: cloud-resources-public-access
 name: 0104165b-02d5-426f-abc9-91fb48189899
 pretty_name: DB Security Group Open To Large Scope
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html
 013bdb4b-9246-4248-b0c3-7fb0fee42a29:
 categories:
@@ -79,6 +85,7 @@ rules:
 group: top10-insecure-design
 name: 013bdb4b-9246-4248-b0c3-7fb0fee42a29
 pretty_name: Required Property With Default Value (v3)
+ recommended: true
 ref: https://swagger.io/specification/#schema-object
 015eac96-6313-43c0-84e5-81b1374fa637:
 categories:
@@ -88,6 +95,7 @@ rules:
 group: top10-insecure-design
 name: 015eac96-6313-43c0-84e5-81b1374fa637
 pretty_name: Schema JSON Reference Does Not Exists (v3)
+ recommended: true
 ref: https://swagger.io/specification/#components-object
 01986452-bdd8-4aaa-b5df-d6bf61d616ff:
 categories:
@@ -99,6 +107,7 @@ rules:
 group: cloud-insecure-iam
 name: 01986452-bdd8-4aaa-b5df-d6bf61d616ff
 pretty_name: ECS Service Admin Role Is Present
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html
 01aec7c2-3e4d-4274-ae47-2b8fea22fd1f:
 categories:
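Review bot: `Pattern Undefined (v3)`, `Required Property With Default Value (v3)` and `Schema JSON Reference Does Not Exists (v3)` (first, fourth and fifth hunks) are OpenAPI document lints that get `recommended: true` alongside `CloudFront Without Minimum Protocol TLS 1.2` and `ECS Service Admin Role Is Present`. A string schema without a regex `pattern` or a dangling `$ref` does not expose anything on its own; flagging them as recommended fills the default set with findings most teams will suppress. Consider leaving the OpenAPI lints in `top10-insecure-design` and `cloud-weak-configuration` off the recommended list, or keeping only those that affect an enforced validation boundary.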
@@ -111,6 +120,7 @@ rules:
 group: cloud-weak-configuration
 name: 01aec7c2-3e4d-4274-ae47-2b8fea22fd1f
 pretty_name: ECS Task Definition Network Mode Not Recommended
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_taskdefinition_module.html#parameter-network_mode
 01d50b14-e933-4c99-b314-6d08cd37ad35:
 categories:
@@ -122,6 +132,7 @@ rules:
 group: top10-crypto-failures
 name: 01d50b14-e933-4c99-b314-6d08cd37ad35
 pretty_name: Glue Data Catalog Encryption Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/glue_data_catalog_encryption_settings#data_catalog_encryption_settings
 01d5a458-a6c4-452a-ac50-054d59275b7c:
 categories:
@@ -132,6 +143,7 @@ rules:
 group: cloud-resources-public-access
 name: 01d5a458-a6c4-452a-ac50-054d59275b7c
 pretty_name: ELB With Security Group Without Outbound Rules
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#cfn-ec2-securitygroup-securitygroupegress
 0220e1c5-65d1-49dd-b7c2-cef6d6cb5283:
 categories:
@@ -141,6 +153,7 @@ rules:
 group: top10-insecure-design
 name: 0220e1c5-65d1-49dd-b7c2-cef6d6cb5283
 pretty_name: Schema Object Incorrect Ref (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#schema-object
 02323c00-cdc3-4fdc-a310-4f2b3e7a1660:
 categories:
@@ -151,6 +164,7 @@ rules:
 group: top10-insecure-design
 name: 02323c00-cdc3-4fdc-a310-4f2b3e7a1660
 pretty_name: Container Running With Low UID
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 02474449-71aa-40a1-87ae-e14497747b00:
 categories:
@@ -161,6 +175,7 @@ rules:
 group: top10-crypto-failures
 name: 02474449-71aa-40a1-87ae-e14497747b00
 pretty_name: SQL DB Instance With SSL Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#require_ssl
 0264093f-6791-4475-af34-4b8102dcbcd0:
 categories:
@@ -171,6 +186,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 0264093f-6791-4475-af34-4b8102dcbcd0
 pretty_name: EC2 Instance Monitoring Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-monitoring
 027a4b7a-8a59-4938-a04f-ed532512cf45:
 categories:
@@ -183,6 +199,7 @@ rules:
 group: cloud-weak-configuration
 name: 027a4b7a-8a59-4938-a04f-ed532512cf45
 pretty_name: ECS Task Definition Network Mode Not Recommended
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html#cfn-ecs-taskdefinition-networkmode
 02d9c71f-3ee8-4986-9c27-1a20d0d19bfc:
 categories:
@@ -193,6 +210,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: 02d9c71f-3ee8-4986-9c27-1a20d0d19bfc
 pretty_name: Unpinned Package Version in Pip Install
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
 030d3b18-1821-45b4-9e08-50efbe7becbb:
 categories:
@@ -205,6 +223,7 @@ rules:
 group: cloud-insecure-iam
 name: 030d3b18-1821-45b4-9e08-50efbe7becbb
 pretty_name: Amazon DMS Replication Instance Is Publicly Accessible
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dms_replication_instance
 034d0aee-620f-4bf7-b7fb-efdf661fdb9e:
 categories:
@@ -217,6 +236,7 @@ rules: name: 034d0aee-620f-4bf7-b7fb-efdf661fdb9e pretty_name: Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy 03856cb2-e46c-4daf-bfbf-214ec93c882b: categories: @@ -227,6 +247,7 @@ rules: group: top10-insecure-design name: 03856cb2-e46c-4daf-bfbf-214ec93c882b pretty_name: Schema Enum Invalid (v3) + recommended: true ref: https://swagger.io/specification/#schema-object 03879981-efa2-47a0-a818-c843e1441b88: categories: @@ -238,6 +259,7 @@ rules: group: cloud-resources-public-access name: 03879981-efa2-47a0-a818-c843e1441b88 pretty_name: EC2 Permissive Network ACL Protocols + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html 03aabc8c-35d6-481e-9c85-20139cf72d23: categories: @@ -249,6 +271,7 @@ rules: group: cloud-resources-public-access name: 03aabc8c-35d6-481e-9c85-20139cf72d23 pretty_name: CNI Plugin Does Not Support Network Policies + recommended: true ref: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/ 03b38885-8f4e-480c-a0e4-12c1affd15db: categories: @@ -259,6 +282,7 @@ rules: group: cloud-weak-secrets-management name: 03b38885-8f4e-480c-a0e4-12c1affd15db pretty_name: Amplify App OAuth Token Exposed + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-amplify-app-basicauthconfig.html 0401f71b-9c1e-4821-ab15-a955caa621be: categories: @@ -268,6 +292,7 @@ rules: group: cloud-resources-public-access name: 0401f71b-9c1e-4821-ab15-a955caa621be pretty_name: Pod Misconfigured Network Policy + recommended: true ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ 0437633b-daa6-4bbc-8526-c0d2443b946e: categories: 
@@ -279,6 +304,7 @@ rules:
 group: top10-crypto-failures
 name: 0437633b-daa6-4bbc-8526-c0d2443b946e
 pretty_name: SSL Enforce Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server
 045ddb54-cfc5-4abb-9e05-e427b2bc96fe:
 categories:
@@ -289,6 +315,7 @@ rules:
 group: cloud-resources-public-access
 name: 045ddb54-cfc5-4abb-9e05-e427b2bc96fe
 pretty_name: EC2 Network ACL Duplicate Rule
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html#cfn-ec2-networkaclentry-rulenumber
 0461b4fd-21ef-4687-929e-484ee4796785:
 categories:
@@ -299,6 +326,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 0461b4fd-21ef-4687-929e-484ee4796785
 pretty_name: Log Retention Is Not Set
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html
 04c686f1-e0cd-4812-88e1-4e038410074c:
 categories:
@@ -309,6 +337,7 @@ rules:
 group: cloud-insecure-iam
 name: 04c686f1-e0cd-4812-88e1-4e038410074c
 pretty_name: Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy
 050a9ba8-d1cb-4c61-a5e8-8805a70d3b85:
 categories:
@@ -319,6 +348,7 @@ rules:
 group: top10-crypto-failures
 name: 050a9ba8-d1cb-4c61-a5e8-8805a70d3b85
 pretty_name: CloudTrail Log Files Not Encrypted With KMS
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-kmskeyid
 050f085f-a8db-4072-9010-2cca235cc02f:
 categories:
@@ -330,6 +360,7 @@ rules:
 group: top10-insecure-design
 name: 050f085f-a8db-4072-9010-2cca235cc02f
 pretty_name: Auto Scaling Group With No Associated ELB
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_asg_module.html#parameter-load_balancers
 051f2063-2517-4295-ad8e-ba88c1bf5cfc:
 categories:
@@ -350,6 +381,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 054d07b5-941b-4c28-8eef-18989dc62323
 pretty_name: PostgreSQL Log Disconnections Not Set
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html
 05505192-ba2c-4a81-9b25-dcdbcc973746:
 categories:
@@ -360,6 +392,7 @@ rules:
 group: top10-insecure-design
 name: 05505192-ba2c-4a81-9b25-dcdbcc973746
 pretty_name: Parameter Objects Headers With Duplicated Name (v3)
+ recommended: true
 ref: https://swagger.io/specification/#parameter-object
 056ac60e-fe07-4acc-9b34-8e1d51716ab9:
 categories:
@@ -370,6 +403,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 056ac60e-fe07-4acc-9b34-8e1d51716ab9
 pretty_name: ServiceAccount Allows Access Secrets
+ recommended: true
 ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 058ac855-989f-4378-ba4d-52d004020da7:
 categories:
@@ -380,6 +414,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 058ac855-989f-4378-ba4d-52d004020da7
 pretty_name: CloudTrail Multi Region Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-ismultiregiontrail
 05db341e-de7d-4972-a106-3e2bd5ee53e1:
 categories:
@@ -390,6 +425,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 05db341e-de7d-4972-a106-3e2bd5ee53e1
 pretty_name: OSS Bucket Logging Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#logging
 05fb986f-ac73-4ebb-a5b2-7faafa93d882:
 categories:
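Review bot: `Auto Scaling Group With No Associated ELB` (first hunk) is an availability and design check with no security impact, yet it is marked `recommended: true` while the 051f2063 rule immediately after it (between the hunks at -330 and -350) is skipped. A stand-alone ASG without a load balancer is a common and legitimate topology for worker and batch fleets, so this will be a persistent false positive in a default policy. I would drop the flag on this rule; `ServiceAccount Allows Access Secrets` and `CloudTrail Multi Region Disabled` on the same line are the ones worth keeping.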
@@ -400,6 +436,7 @@ rules:
 group: top10-crypto-failures
 name: 05fb986f-ac73-4ebb-a5b2-7faafa93d882
 pretty_name: Root CA File Not Defined
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/
 063234c0-91c0-4ab5-bbd0-47ddb5f23786:
 categories:
@@ -410,6 +447,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 063234c0-91c0-4ab5-bbd0-47ddb5f23786
 pretty_name: Ram Account Password Policy Not Required Numbers
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#require_numbers
 0632d0db-9190-450a-8bb3-c283bffea445:
 categories:
@@ -421,6 +459,7 @@ rules:
 group: cloud-resources-public-access
 name: 0632d0db-9190-450a-8bb3-c283bffea445
 pretty_name: Redis Publicly Accessible
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html#parameter-start_ip_address
 06764426-3c56-407e-981f-caa25db1c149:
 categories:
@@ -431,6 +470,7 @@ rules:
 group: cloud-insecure-iam
 name: 06764426-3c56-407e-981f-caa25db1c149
 pretty_name: Security Scheme HTTP Unknown Scheme
+ recommended: true
 ref: https://swagger.io/specification/#security-scheme-object
 06933df4-0ea7-461c-b9b5-104d27390e0e:
 categories:
@@ -440,6 +480,7 @@ rules:
 group: cloud-insecure-iam
 name: 06933df4-0ea7-461c-b9b5-104d27390e0e
 pretty_name: IAM User With No Group
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-policy
 069a5378-2091-43f0-aa3b-ee8f20996e99:
 categories:
@@ -449,6 +490,7 @@ rules:
 group: top10-insecure-design
 name: 069a5378-2091-43f0-aa3b-ee8f20996e99
 pretty_name: Responses With Wrong HTTP Status Code (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#parameterObject
 06adef8c-c284-4de7-aad2-af43b07a8ca1:
 categories:
@@ -458,6 +500,7 @@ rules: group: cloud-weak-configuration name: 06adef8c-c284-4de7-aad2-af43b07a8ca1 pretty_name: IAM User LoginProfile Password Is In Plaintext + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html 06b9f52a-8cd5-459b-bdc6-21a22521e1be: categories: @@ -469,6 +512,7 @@ rules: name: 06b9f52a-8cd5-459b-bdc6-21a22521e1be pretty_name: Directory Service Microsoft AD Password Set to Plaintext or Default Ref + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-directoryservice-microsoftad.html 06ec63e3-9f72-4fe2-a218-2eb9200b8db5: categories: @@ -479,6 +523,7 @@ rules: group: top10-security-logging-monitoring-failures name: 06ec63e3-9f72-4fe2-a218-2eb9200b8db5 pretty_name: API Gateway Deployment Without Access Log Setting + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-deployment.html 071a71ff-f868-47a4-ac0b-3c59e4ab5443: categories: @@ -488,6 +533,7 @@ rules: group: cloud-insecure-iam name: 071a71ff-f868-47a4-ac0b-3c59e4ab5443 pretty_name: Shared Host Network Namespace + recommended: true ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#network_mode 075ca296-6768-4322-aea2-ba5063b969a9: categories: @@ -499,6 +545,7 @@ rules: group: cloud-resources-public-access name: 075ca296-6768-4322-aea2-ba5063b969a9 pretty_name: Etcd TLS Certificate Files Not Properly Set + recommended: true ref: https://etcd.io/docs/v3.4/op-guide/security/ 07dda8de-d90d-469e-9b37-1aca53526ced: categories: @@ -509,6 +556,7 @@ rules: group: cloud-insecure-iam name: 07dda8de-d90d-469e-9b37-1aca53526ced pretty_name: S3 Bucket ACL Allows Read Or Write to All Users + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html 07f7134f-9f37-476e-8664-670c218e4702: categories: 
@@ -519,6 +567,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 07f7134f-9f37-476e-8664-670c218e4702
 pretty_name: PostgreSQL Log Disconnections Not Set
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration
 07fc3413-e572-42f7-9877-5c8fc6fccfb5:
 categories:
@@ -529,6 +578,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 07fc3413-e572-42f7-9877-5c8fc6fccfb5
 pretty_name: Service Account Allows Access Secrets
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding#subject
 081069cb-588b-4ce1-884c-2a1ce3029fe5:
 categories:
@@ -538,6 +588,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 081069cb-588b-4ce1-884c-2a1ce3029fe5
 pretty_name: CloudWatch Metrics Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_settings#metrics_enabled
 084c6686-2a70-4710-91b1-000393e54c12:
 categories:
@@ -550,6 +601,7 @@ rules:
 group: cloud-resources-public-access
 name: 084c6686-2a70-4710-91b1-000393e54c12
 pretty_name: Shield Advanced Not In Use
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/shield_protection#resource_arn
 086031e1-9d4a-4249-acb3-5bfe4c363db2:
 categories:
@@ -561,6 +613,7 @@ rules:
 group: cloud-insecure-iam
 name: 086031e1-9d4a-4249-acb3-5bfe4c363db2
 pretty_name: Cloud Storage Anonymous or Publicly Accessible
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_storage_bucket_module.html
 086ea2eb-14a6-4fd4-914b-38e0bc8703e8:
 categories:
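Review bot: `Shield Advanced Not In Use` (fourth hunk) gets `recommended: true`, but Shield Advanced is a paid subscription and this check fires for every eligible resource in an account that has not bought it, so a default-on policy will flag essentially all of them. `ALB Is Not Integrated With WAF` further down the page has the same shape, to a lesser degree. I would leave both opt-in and keep `Cloud Storage Anonymous or Publicly Accessible` and `Service Account Allows Access Secrets` from this line as the recommended ones.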
@@ -570,6 +623,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 086ea2eb-14a6-4fd4-914b-38e0bc8703e8
 pretty_name: ElasticSearch Without Slow Logs
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-logpublishingoptions
 08b81bb3-0985-4023-8602-b606ad81d279:
 categories:
@@ -579,6 +633,7 @@ rules:
 group: cloud-insecure-iam
 name: 08b81bb3-0985-4023-8602-b606ad81d279
 pretty_name: EC2 Instance Using Default Security Group
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-securitygroups
 08bd0760-8752-44e1-9779-7bb369b2b4e4:
 categories:
@@ -590,6 +645,7 @@ rules:
 group: top10-crypto-failures
 name: 08bd0760-8752-44e1-9779-7bb369b2b4e4
 pretty_name: DB Instance Storage Not Encrypted
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#storage_encrypted
 08e39832-5e42-4304-98a0-aa5b43393162:
 categories:
@@ -599,6 +655,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: 08e39832-5e42-4304-98a0-aa5b43393162
 pretty_name: EFS Without Tags
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html
 092bae86-6105-4802-99d2-99cd7e7431f3:
 categories:
@@ -611,6 +668,7 @@ rules:
 group: top10-crypto-failures
 name: 092bae86-6105-4802-99d2-99cd7e7431f3
 pretty_name: Disk Encryption Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_disk_module.html
 0956aedf-6a7a-478b-ab56-63e2b19923ad:
 categories:
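Review bot: `EFS Without Tags` (fourth hunk) is grouped under `supply-chain-cicd-weak-configuration` and now carries `recommended: true`; a missing tag is a governance gap, not a security weakness, and every untagged EFS filesystem becomes a recommended finding. The grouping itself also looks off for a tagging check, but that predates this commit. I would drop `recommended: true` on this rule and keep it for `DB Instance Storage Not Encrypted`, `Disk Encryption Disabled` and `EC2 Instance Using Default Security Group` on the same line.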
@@ -622,6 +680,7 @@ rules: group: cloud-resources-public-access name: 0956aedf-6a7a-478b-ab56-63e2b19923ad pretty_name: DB Security Group With Public Scope + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html 099b4411-d11e-4537-a0fc-146b19762a79: categories: @@ -631,6 +690,7 @@ rules: group: cloud-weak-secrets-management name: 099b4411-d11e-4537-a0fc-146b19762a79 pretty_name: Project-wide SSH Keys Are Enabled In VM Instances + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html 09bb9e96-8da3-4736-b89a-b36814acca60: categories: @@ -642,6 +702,7 @@ rules: group: cloud-resources-public-access name: 09bb9e96-8da3-4736-b89a-b36814acca60 pretty_name: Etcd Peer TLS Certificate Files Not Properly Set + recommended: true ref: https://etcd.io/docs/v3.4/op-guide/security/ 09c35abf-5852-4622-ac7a-b987b331232e: categories: @@ -652,6 +713,7 @@ rules: group: cloud-insecure-iam name: 09c35abf-5852-4622-ac7a-b987b331232e pretty_name: Cross-Account IAM Assume Role Policy Without ExternalId or MFA + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role#assume_role_policy 0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3: categories: @@ -661,6 +723,7 @@ rules: group: cloud-weak-configuration name: 0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3 pretty_name: Redshift Cluster Without VPC + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#vpc_security_group_ids 0a592060-8166-49f5-8e65-99ac6dce9871: categories: @@ -672,6 +735,7 @@ rules: name: 0a592060-8166-49f5-8e65-99ac6dce9871 pretty_name: Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy 0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1: categories: 
@@ -681,6 +745,7 @@ rules: group: top10-software-data-integrity-failures name: 0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1 pretty_name: MariaDB Server Geo-redundant Backup Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mariadb_server#geo_redundant_backup_enabled 0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0: categories: @@ -690,6 +755,7 @@ rules: group: top10-security-logging-monitoring-failures name: 0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0 pretty_name: CloudWatch Changes To NACL Alarm Missing + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern 0a96ce49-4163-4ee6-8169-eb3b0797d694: categories: @@ -699,6 +765,7 @@ rules: group: cloud-insecure-iam name: 0a96ce49-4163-4ee6-8169-eb3b0797d694 pretty_name: API Gateway Without Configured Authorizer + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_authorizer 0a994e04-c6dc-471d-817e-d37451d18a3b: categories: @@ -709,6 +776,7 @@ rules: group: top10-security-logging-monitoring-failures name: 0a994e04-c6dc-471d-817e-d37451d18a3b pretty_name: Serverless API Access Logging Setting Undefined + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-stage-accesslogsetting.html 0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc: categories: @@ -720,6 +788,7 @@ rules: group: cloud-resources-public-access name: 0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc pretty_name: Sensitive Port Is Exposed To Entire Network + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_securitygroup_module.html#parameter-rules 0ad60203-c050-4115-83b6-b94bde92541d: categories: 
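Review bot: Recommending `MariaDB Server Geo-redundant Backup Disabled` (0a70d5f3, hunk `@@ -681,6 +745,7 @@`) by default deserves a caveat: geo-redundant backup replicates data to a paired region, which some deployments must not do for data-residency reasons, so a recommended finding here pushes teams toward cross-region copies. I would either keep this rule opt-in or document the trade-off next to the flag, e.g. `# geo-redundant backup copies data cross-region; suppress where residency rules forbid it`. The other rules on this line (`API Gateway Without Configured Authorizer`, `Sensitive Port Is Exposed To Entire Network`) are clear-cut and fine to recommend.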
@@ -731,6 +800,7 @@ rules: group: cloud-weak-configuration name: 0ad60203-c050-4115-83b6-b94bde92541d pretty_name: Container Runs Unmasked + recommended: true ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_proc_mount_types 0afa6ab8-a047-48cf-be07-93a2f8c34cf7: categories: @@ -741,6 +811,7 @@ rules: group: cloud-resources-public-access name: 0afa6ab8-a047-48cf-be07-93a2f8c34cf7 pretty_name: ALB Is Not Integrated With WAF + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafregional_web_acl_association 0afbcfe9-d341-4b92-a64c-7e6de0543879: categories: @@ -750,6 +821,7 @@ rules: group: top10-crypto-failures name: 0afbcfe9-d341-4b92-a64c-7e6de0543879 pretty_name: CloudWatch Log Group Without KMS + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group 0b0556ea-9cd9-476f-862e-20679dda752b: categories: @@ -769,6 +841,7 @@ rules: group: cloud-weak-configuration name: 0b4869fc-a842-4597-aa00-1294df425440 pretty_name: API Gateway Without SSL Certificate + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#client_certificate_id 0b530315-0ea4-497f-b34c-4ff86268f59d: categories: @@ -779,6 +852,7 @@ rules: group: top10-security-logging-monitoring-failures name: 0b530315-0ea4-497f-b34c-4ff86268f59d pretty_name: KMS Key With No Deletion Window + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key 0b76d993-ee52-43e0-8b39-3787d2ddabf1: categories: @@ -788,6 +862,7 @@ rules: group: top10-insecure-design name: 0b76d993-ee52-43e0-8b39-3787d2ddabf1 pretty_name: Global Responses Definition Not Being Used + recommended: true ref: https://swagger.io/specification/v2/#responsesDefinitionsObject 0b93729a-d882-4803-bdc3-ac429a21f158: categories: 
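Review bot: `Global Responses Definition Not Being Used` (0b76d993, hunk `@@ -788,6 +862,7 @@`) is, judging from its swagger.io ref, an OpenAPI document-structure lint rather than a security weakness, so it should not get `recommended: true` even though it sits in `top10-insecure-design`. Recommending spec-hygiene rules next to findings like `Container Runs Unmasked` or `CloudWatch Log Group Without KMS` on the same line dilutes the signal of the recommended set. I would drop the `recommended: true` line for this rule and keep the flag on the infrastructure misconfigurations.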
@@ -798,6 +873,7 @@ rules: group: cloud-insecure-iam name: 0b93729a-d882-4803-bdc3-ac429a21f158 pretty_name: EC2 Instance Using API Keys + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#iam_instance_profile 0bc1477d-0922-478b-ae16-674a7634a1a8: categories: @@ -808,6 +884,7 @@ rules: group: top10-insecure-design name: 0bc1477d-0922-478b-ae16-674a7634a1a8 pretty_name: Property 'allowEmptyValue' Improperly Defined (v2) + recommended: true ref: https://swagger.io/specification/v2/#parameterObject 0bc534c5-13d1-4353-a7fe-b8665d5c1d7d: categories: @@ -817,6 +894,7 @@ rules: group: cloud-resources-public-access name: 0bc534c5-13d1-4353-a7fe-b8665d5c1d7d pretty_name: Dynamodb VPC Endpoint Without Route Table Association + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint#vpc_id 0c10d7da-85c4-4d62-b2a8-d6c104f1bd77: categories: @@ -827,6 +905,7 @@ rules: group: cloud-insecure-iam name: 0c10d7da-85c4-4d62-b2a8-d6c104f1bd77 pretty_name: User With Privilege Escalation By Actions 'iam:PutUserPolicy' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy 0c79e50e-b3cf-490c-b8f6-587c644d4d0c: categories: @@ -837,6 +916,7 @@ rules: group: cloud-weak-configuration name: 0c79e50e-b3cf-490c-b8f6-587c644d4d0c pretty_name: Operation Object Without 'consumes' + recommended: true ref: https://swagger.io/specification/v2/#operation-object 0c82eae2-aca0-401f-93e4-fb37a0f9e5e8: categories: @@ -848,6 +928,7 @@ rules: group: top10-software-data-integrity-failures name: 0c82eae2-aca0-401f-93e4-fb37a0f9e5e8 pretty_name: SQL DB Instance Backup Disabled + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/backup_configuration/enabled 0ca1017d-3b80-423e-bb9c-6cd5898d34bd: categories: 
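Review bot: Two Swagger 2.0 lint rules, `Property 'allowEmptyValue' Improperly Defined (v2)` (hunk `@@ -808,6 +884,7 @@`) and `Operation Object Without 'consumes'` (hunk `@@ -837,6 +916,7 @@`), should not be marked `recommended: true`. Neither describes an exploitable weakness, and the `(v2)` suffix indicates they only apply to OpenAPI 2 documents, so they are noise for most repositories. I would omit the `recommended` key from both and reserve the flag for the IAM rules on this line (`EC2 Instance Using API Keys`, `User With Privilege Escalation By Actions 'iam:PutUserPolicy'`).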
@@ -858,6 +939,7 @@ rules: group: top10-insecure-design name: 0ca1017d-3b80-423e-bb9c-6cd5898d34bd pretty_name: Lambda IAM InvokeFunction Misconfigured + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission 0ce1ba20-8ba8-4364-836f-40c24b8cb0ab: categories: @@ -870,6 +952,7 @@ rules: group: cloud-insecure-iam name: 0ce1ba20-8ba8-4364-836f-40c24b8cb0ab pretty_name: MSK Broker Is Publicly Accessible + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-msk-cluster-publicaccess.html 0d0c12b9-edce-4510-9065-13f6a758750c: categories: @@ -880,6 +963,7 @@ rules: group: cloud-resources-public-access name: 0d0c12b9-edce-4510-9065-13f6a758750c pretty_name: Redis Entirely Accessible + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html#parameter-start_ip_address 0d7ef70f-e176-44e6-bdba-add3e429788d: categories: @@ -890,6 +974,7 @@ rules: group: top10-security-logging-monitoring-failures name: 0d7ef70f-e176-44e6-bdba-add3e429788d pretty_name: Serverless Function Without X-Ray Tracing + recommended: true ref: https://www.serverless.com/framework/docs/providers/aws/guide/functions#aws-x-ray-tracing 0de50145-e845-47f4-9a15-23bcf2125710: categories: @@ -901,6 +986,7 @@ rules: group: top10-insecure-design name: 0de50145-e845-47f4-9a15-23bcf2125710 pretty_name: Path Parameter Not Required (v3) + recommended: true ref: https://swagger.io/specification/#parameter-object 0e32d561-4b5a-4664-a6e3-a3fa85649157: categories: @@ -912,6 +998,7 @@ rules: group: top10-crypto-failures name: 0e32d561-4b5a-4664-a6e3-a3fa85649157 pretty_name: ECR Repository Not Encrypted With CMK + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration 0e5872b4-19a0-4165-8b2f-56d9e14b909f: categories: 
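Review bot: `Serverless Function Without X-Ray Tracing` (0d7ef70f, hunk `@@ -880,6 +974,7 @@`) should stay opt-in rather than `recommended: true`; tracing is an observability and cost choice, not a logging control that detection or forensics depends on. Similarly `ECR Repository Not Encrypted With CMK` (0e32d561, hunk `@@ -912,6 +998,7 @@`) flags the absence of a customer-managed key while ECR still encrypts at rest with a service-managed key, so it is a key-management preference rather than a missing-encryption finding. I would not add the `recommended` line to either; `MSK Broker Is Publicly Accessible` and `Redis Entirely Accessible` on the same line are the ones that justify it.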
@@ -922,6 +1009,7 @@ rules: group: top10-insecure-design name: 0e5872b4-19a0-4165-8b2f-56d9e14b909f pretty_name: IAM Managed Policy Applied to a User + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-groups 0e59d33e-bba2-4037-8f88-9765647ca7ad: categories: @@ -943,6 +1031,7 @@ rules: group: top10-crypto-failures name: 0ed012a4-9199-43d2-b9e4-9bd049a48aa4 pretty_name: IAM Database Auth Not Enabled + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html 0f0fb06b-0f2f-4374-8588-f2c7c348c7a0: categories: @@ -952,6 +1041,7 @@ rules: group: top10-security-logging-monitoring-failures name: 0f0fb06b-0f2f-4374-8588-f2c7c348c7a0 pretty_name: CloudWatch Logging Disabled + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53-hostedzone.html#cfn-route53-hostedzone-queryloggingconfig 0f139403-303f-467c-96bd-e717e6cfd62d: categories: @@ -962,6 +1052,7 @@ rules: group: cloud-resources-public-access name: 0f139403-303f-467c-96bd-e717e6cfd62d pretty_name: CloudFront Without WAF + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-webaclid 0f6cbf69-41bb-47dc-93f3-3844640bf480: categories: @@ -972,6 +1063,7 @@ rules: group: top10-security-logging-monitoring-failures name: 0f6cbf69-41bb-47dc-93f3-3844640bf480 pretty_name: Cloudwatch Cloudtrail Configuration Changes Alarm Missing + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern 0f6cd0ab-c366-4595-84fc-fbd8b9901e4d: categories: 
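Review bot: `CloudWatch Logging Disabled` (0f0fb06b, hunk `@@ -952,6 +1041,7 @@`) will mislead triage once it is recommended: its ref points at `aws-resource-route53-hostedzone.html#...queryloggingconfig`, which suggests the rule is specifically about Route 53 query logging, while the pretty_name reads as a generic CloudWatch check. I would rename it before surfacing it in the default set, e.g. `pretty_name: Route53 Hosted Zone Query Logging Disabled`, after confirming against the rule implementation (not visible here).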
@@ -981,6 +1073,7 @@ rules: group: top10-insecure-design name: 0f6cd0ab-c366-4595-84fc-fbd8b9901e4d pretty_name: Request Body With Incorrect Ref + recommended: true ref: https://swagger.io/specification/#request-body-object 0fd7d920-4711-46bd-aff2-d307d82cd8b7: categories: @@ -991,6 +1084,7 @@ rules: group: cloud-insecure-iam name: 0fd7d920-4711-46bd-aff2-d307d82cd8b7 pretty_name: User With Privilege Escalation By Actions 'iam:CreateLoginProfile' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy 1056dfbb-5802-4762-bf2b-8b9b9684b1b0: categories: @@ -1001,6 +1095,7 @@ rules: group: cloud-weak-configuration name: 1056dfbb-5802-4762-bf2b-8b9b9684b1b0 pretty_name: API Gateway With Open Access + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-method.html 105ba098-1e34-48cd-b0f2-a8a43a51bf9b: categories: @@ -1011,6 +1106,7 @@ rules: group: cloud-resources-public-access name: 105ba098-1e34-48cd-b0f2-a8a43a51bf9b pretty_name: ALB Is Not Integrated With WAF + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafregional-webaclassociation.html 105e20dd-8449-4d71-95c6-d5dac96639af: categories: @@ -1020,6 +1116,7 @@ rules: group: cloud-resources-public-access name: 105e20dd-8449-4d71-95c6-d5dac96639af pretty_name: Success Response Code Undefined for Trace Operation + recommended: true ref: https://swagger.io/specification/#operation-object 10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa: categories: @@ -1030,6 +1127,7 @@ rules: group: top10-insecure-design name: 10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa pretty_name: Schema Object Properties With Duplicated Keys (v3) + recommended: true ref: https://swagger.io/specification/#schema-object 10efce34-5af6-4d83-b414-9e096d5a06a9: categories: 
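Review bot: `Success Response Code Undefined for Trace Operation` (105e20dd, hunk `@@ -1011,6 +1106,7 @@`) is an OpenAPI response-documentation lint, yet it is grouped under `cloud-resources-public-access` and now flagged `recommended: true`, so a spec-hygiene finding will land in a bucket operators read as exposure findings. I would leave the `recommended` key off this rule; the grouping itself predates this commit but looks worth re-checking. `User With Privilege Escalation By Actions 'iam:CreateLoginProfile'` and `API Gateway With Open Access` on the same line are appropriate recommended rules.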
@@ -1040,6 +1138,7 @@ rules: group: top10-crypto-failures name: 10efce34-5af6-4d83-b414-9e096d5a06a9 pretty_name: Encryption Provider Not Properly Configured + recommended: true ref: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#understanding-the-encryption-at-rest-configuration 1123031a-f921-4c5b-bd86-ef354ecfd37a: categories: @@ -1049,6 +1148,7 @@ rules: group: top10-insecure-design name: 1123031a-f921-4c5b-bd86-ef354ecfd37a pretty_name: Metadata Label Is Invalid + recommended: true ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ 113208f2-a886-4526-9ecc-f3218600e12c: categories: @@ -1059,6 +1159,7 @@ rules: group: cloud-insecure-iam name: 113208f2-a886-4526-9ecc-f3218600e12c pretty_name: User With Privilege Escalation By Actions 'iam:CreateAccessKey' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy 118281d0-6471-422e-a7c5-051bc667926e: categories: @@ -1069,6 +1170,7 @@ rules: group: cloud-insecure-iam name: 118281d0-6471-422e-a7c5-051bc667926e pretty_name: Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy 11bd3554-cd56-4257-8e25-7aaf30cf8f5f: categories: @@ -1079,6 +1181,7 @@ rules: group: cloud-resources-public-access name: 11bd3554-cd56-4257-8e25-7aaf30cf8f5f pretty_name: IP Forwarding Enabled + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html 11e7550e-c4b6-472e-adff-c698f157cdd7: categories: @@ -1091,6 +1194,7 @@ rules: group: cloud-weak-configuration name: 11e7550e-c4b6-472e-adff-c698f157cdd7 pretty_name: Network Policy Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster 11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe: categories: 
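Review bot: `Metadata Label Is Invalid` (1123031a, hunk `@@ -1049,6 +1148,7 @@`) should not get `recommended: true`: an invalid Kubernetes label is a syntax error the API server rejects on apply, not a security design flaw, so it does not belong in a recommended security baseline. The two IAM privilege-escalation rules, `IP Forwarding Enabled` and `Network Policy Disabled` on the same line are the ones that justify the flag. I would drop the `recommended` line for this rule.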
@@ -1101,6 +1205,7 @@ rules: group: cloud-weak-configuration name: 11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe pretty_name: Web App Accepting Traffic Other Than HTTPS + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#https_only 1239f54b-33de-482a-8132-faebe288e6a6: categories: @@ -1110,6 +1215,7 @@ rules: group: cloud-weak-configuration name: 1239f54b-33de-482a-8132-faebe288e6a6 pretty_name: Google Storage Bucket Level Access Disabled + recommended: true ref: https://cloud.google.com/storage/docs/json_api/v1/buckets 124b173b-e06d-48a6-8acd-f889443d97a4: categories: @@ -1133,6 +1239,7 @@ rules: group: top10-crypto-failures name: 126c1788-23c2-4a10-906c-ef179f4f96ec pretty_name: ELB Using Insecure Protocols + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/load_balancer_policy 12726829-93ed-4d51-9cbe-13423f4299e1: categories: @@ -1143,6 +1250,7 @@ rules: group: top10-crypto-failures name: 12726829-93ed-4d51-9cbe-13423f4299e1 pretty_name: SQS With SSE Disabled + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-sqs-queue-kmsmasterkeyid 128df7ec-f185-48bc-8913-ce756a3ccb85: categories: @@ -1154,6 +1262,7 @@ rules: group: top10-insecure-design name: 128df7ec-f185-48bc-8913-ce756a3ccb85 pretty_name: Outdated GKE Version + recommended: true ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#master_version 12933609-c5bf-44b4-9a41-a6467c3b685b: categories: @@ -1174,6 +1283,7 @@ rules: group: top10-crypto-failures name: 12944ec4-1fa0-47be-8b17-42a034f937c2 pretty_name: Storage Account Not Forcing HTTPS + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account 12a7210b-f4b4-47d0-acac-0a819e2a0ca3: categories: 
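Review bot: `Outdated GKE Version` (128df7ec, hunk `@@ -1154,6 +1262,7 @@`) is a version-currency rule, and recommending it by default only works if its notion of "outdated" is kept fresh; if the comparison is against a static list (not visible here), the rule will drift into false positives or negatives in every default scan. Worth confirming how that rule sources its version table before flagging it, or recording the maintenance obligation next to the flag, e.g. `# recommended: depends on an up-to-date GKE version table`. The HTTPS/TLS rules on this line (`Web App Accepting Traffic Other Than HTTPS`, `ELB Using Insecure Protocols`, `Storage Account Not Forcing HTTPS`) are fine to recommend.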
@@ -1185,6 +1295,7 @@ rules: name: 12a7210b-f4b4-47d0-acac-0a819e2a0ca3 pretty_name: Response on operations that should not have a body has declared content (v3) + recommended: true ref: https://swagger.io/docs/specification/describing-responses/ 12a7a7ce-39d6-49dd-923d-aeb4564eb66c: categories: @@ -1195,6 +1306,7 @@ rules: group: cloud-insecure-iam name: 12a7a7ce-39d6-49dd-923d-aeb4564eb66c pretty_name: IAM Policy Grants 'AssumeRole' Permission Across All Services + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html 12b7e704-37f0-4d1e-911a-44bf60c48c21: categories: @@ -1204,6 +1316,7 @@ rules: group: cloud-insecure-iam name: 12b7e704-37f0-4d1e-911a-44bf60c48c21 pretty_name: IAM Role Allows All Principals To Assume + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role 132a8c31-9837-4203-9fd1-15ca210c7b73: categories: @@ -1216,6 +1329,7 @@ rules: group: cloud-insecure-iam name: 132a8c31-9837-4203-9fd1-15ca210c7b73 pretty_name: SSO Policy with full privileges + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy 133fee21-37ef-45df-a563-4d07edc169f4: categories: @@ -1227,6 +1341,7 @@ rules: group: top10-insecure-design name: 133fee21-37ef-45df-a563-4d07edc169f4 pretty_name: CMK Is Unusable + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_kms_module.html#parameter-enabled 1367dd13-2c90-4020-80b7-e4339a3dc2c4: categories: @@ -1237,6 +1352,7 @@ rules: group: top10-crypto-failures name: 1367dd13-2c90-4020-80b7-e4339a3dc2c4 pretty_name: Storage Account Allows Unsecure Transfer + recommended: true ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json#storageaccountpropertiescreateparameters-object 13a49a2e-488e-4309-a7c0-d6b05577a5fb: categories: 
@@ -1247,6 +1363,7 @@ rules: group: top10-security-logging-monitoring-failures name: 13a49a2e-488e-4309-a7c0-d6b05577a5fb pretty_name: Audit Policy File Not Defined + recommended: true ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ 1402afd8-a95c-4e84-8b0b-6fb43758e6ce: categories: @@ -1256,6 +1373,7 @@ rules: group: cloud-weak-secrets-management name: 1402afd8-a95c-4e84-8b0b-6fb43758e6ce pretty_name: Hardcoded AWS Access Key In Lambda + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function 140869ea-25f2-40d4-a595-0c0da135114e: categories: @@ -1265,6 +1383,7 @@ rules: group: top10-security-logging-monitoring-failures name: 140869ea-25f2-40d4-a595-0c0da135114e pretty_name: RDS Instance Log Connections Disabled + recommended: true ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters 1419b4c6-6d5c-4534-9cf6-6a5266085333: categories: @@ -1275,6 +1394,7 @@ rules: group: cloud-resources-public-access name: 1419b4c6-6d5c-4534-9cf6-6a5266085333 pretty_name: CloudFront Without WAF + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution 1455cb21-1d48-46d6-8ae3-cef911b71fd5: categories: @@ -1286,6 +1406,7 @@ rules: group: top10-crypto-failures name: 1455cb21-1d48-46d6-8ae3-cef911b71fd5 pretty_name: Launch Template Is Not Encrypted + recommended: true ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/launch_template#encrypted 149fa56c-4404-4f90-9e25-d34b676d5b39: categories: @@ -1296,6 +1417,7 @@ rules: group: cloud-insecure-iam name: 149fa56c-4404-4f90-9e25-d34b676d5b39 pretty_name: AKS RBAC Disabled + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_aks_module.html 14a457f0-473d-4d1d-9e37-6d99b355b336: categories: 
@@ -1307,6 +1429,7 @@ rules: group: top10-crypto-failures name: 14a457f0-473d-4d1d-9e37-6d99b355b336 pretty_name: Google Compute SSL Policy Weak Cipher In Use + recommended: true ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_ssl_policy 14abda69-8e91-4acb-9931-76e2bee90284: categories: @@ -1318,6 +1441,7 @@ rules: group: supply-chain-cicd-weak-configuration name: 14abda69-8e91-4acb-9931-76e2bee90284 pretty_name: Image Policy Webhook Admission Control Plugin Not Set + recommended: true ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ 151187cb-0efc-481c-babd-ad24e3c9bc22: categories: @@ -1328,6 +1452,7 @@ rules: group: cloud-resources-public-access name: 151187cb-0efc-481c-babd-ad24e3c9bc22 pretty_name: Remote Desktop Port Open To Internet + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 151331e2-11f4-4bb6-bd35-9a005e695087: categories: @@ -1339,6 +1464,7 @@ rules: group: top10-insecure-design name: 151331e2-11f4-4bb6-bd35-9a005e695087 pretty_name: Components Object Fixed Field Key Improperly Named + recommended: true ref: https://swagger.io/specification/#components-object 15ccec05-5476-4890-ad19-53991eba1db8: categories: @@ -1349,6 +1475,7 @@ rules: group: cloud-weak-configuration name: 15ccec05-5476-4890-ad19-53991eba1db8 pretty_name: API Gateway With Open Access + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method 15d8a7fd-465a-4d15-a868-add86552f17b: categories: @@ -1360,6 +1487,7 @@ rules: group: cloud-weak-configuration name: 15d8a7fd-465a-4d15-a868-add86552f17b pretty_name: GitHub Repository Set To Public + recommended: true ref: https://www.terraform.io/docs/providers/github/r/repository.html 15e6ad8c-f420-49a6-bafb-074f5eb1ec74: categories: 
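Review bot: `GitHub Repository Set To Public` (15d8a7fd, hunk `@@ -1360,6 +1487,7 @@`) is a poor fit for `recommended: true` because repository visibility is a deliberate choice for open-source organisations, where this rule will flag every repo. Unless the recommended set can be tuned per organisation, I would keep this rule opt-in; if it stays recommended, pair it with guidance that public-visibility findings be suppressed for OSS projects. `Remote Desktop Port Open To Internet` and `API Gateway With Open Access` on the same line are clear-cut.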
@@ -1371,6 +1499,7 @@ rules: name: 15e6ad8c-f420-49a6-bafb-074f5eb1ec74 pretty_name: Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy 15ffbacc-fa42-4f6f-a57d-2feac7365caa: categories: @@ -1380,6 +1509,7 @@ rules: group: top10-security-logging-monitoring-failures name: 15ffbacc-fa42-4f6f-a57d-2feac7365caa pretty_name: Redshift Cluster Logging Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#enable 165aae3b-a56a-48f3-b76d-d2b5083f5b8f: categories: @@ -1390,6 +1520,7 @@ rules: group: cloud-weak-configuration name: 165aae3b-a56a-48f3-b76d-d2b5083f5b8f pretty_name: Serverless Function Without Unique IAM Role + recommended: true ref: https://www.serverless.com/framework/docs/providers/aws/guide/serverless.yml#functions 16732649-4ff6-4cd2-8746-e72c13fae4b8: categories: @@ -1400,6 +1531,7 @@ rules: group: cloud-resources-public-access name: 16732649-4ff6-4cd2-8746-e72c13fae4b8 pretty_name: RDS Associated with Public Subnet + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-db_subnet_group_name 16c4216a-50d3-4785-bfb2-4adb5144a8ba: categories: @@ -1410,6 +1542,7 @@ rules: group: cloud-insecure-iam name: 16c4216a-50d3-4785-bfb2-4adb5144a8ba pretty_name: Elasticsearch Domain With Vulnerable Policy + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain_policy#access_policies 16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5: categories: 
@@ -1422,6 +1555,7 @@ rules: group: top10-crypto-failures name: 16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5 pretty_name: KMS Crypto Key is Publicly Accessible + recommended: true ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_kms_crypto_key_iam#google_kms_crypto_key_iam_policy 16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f: categories: @@ -1432,6 +1566,7 @@ rules: group: top10-security-logging-monitoring-failures name: 16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f pretty_name: PostgreSQL Log Duration Not Set + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration 17172bc2-56fb-4f17-916f-a014147706cd: categories: @@ -1441,6 +1576,7 @@ rules: group: cloud-insecure-iam name: 17172bc2-56fb-4f17-916f-a014147706cd pretty_name: Cluster Admin Rolebinding With Superuser Permissions + recommended: true ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding#name 1743f5f1-0bb0-4934-acef-c80baa5dadfa: categories: @@ -1451,6 +1587,7 @@ rules: group: cloud-insecure-iam name: 1743f5f1-0bb0-4934-acef-c80baa5dadfa pretty_name: User With Privilege Escalation By Actions 'iam:CreatePolicyVersion' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy 17b30f8f-8dfb-4597-adf6-57600b6cf25e: categories: @@ -1460,6 +1597,7 @@ rules: group: top10-security-logging-monitoring-failures name: 17b30f8f-8dfb-4597-adf6-57600b6cf25e pretty_name: CloudTrail Not Integrated With CloudWatch + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail 17d5ba1d-7667-4729-b1a6-b11fde3db7f7: categories: 
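Review bot: `PostgreSQL Log Duration Not Set` (16e0879a, hunk `@@ -1432,6 +1566,7 @@`) should not be recommended under `top10-security-logging-monitoring-failures`; `log_duration` records statement timing for performance analysis and has little forensic value, whereas connection and checkpoint logging are the security-relevant settings. I would not add `recommended: true` here. `Cluster Admin Rolebinding With Superuser Permissions` and `CloudTrail Not Integrated With CloudWatch` on the same line are the rules worth recommending.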
@@ -1470,6 +1608,7 @@ rules: group: top10-software-data-integrity-failures name: 17d5ba1d-7667-4729-b1a6-b11fde3db7f7 pretty_name: Stack Retention Disabled + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudformation_stack_set_module.html#parameter-purge_stacks 17e52ca3-ddd0-4610-9d56-ce107442e110: categories: @@ -1479,6 +1618,7 @@ rules: group: top10-insecure-design name: 17e52ca3-ddd0-4610-9d56-ce107442e110 pretty_name: HPA Targets Invalid Object + recommended: true ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/horizontal_pod_autoscaler#metric 17f75827-0684-48f4-8747-61129c7e4198: categories: @@ -1490,6 +1630,7 @@ rules: group: cloud-insecure-iam name: 17f75827-0684-48f4-8747-61129c7e4198 pretty_name: Public Storage Account + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account 1819ac03-542b-4026-976b-f37addd59f3b: categories: @@ -1500,6 +1641,7 @@ rules: group: top10-insecure-design name: 1819ac03-542b-4026-976b-f37addd59f3b pretty_name: EBS Volume Not Attached To Instances + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volumeattachment.html 181bd815-767e-4e95-a24d-bb3c87328e19: categories: @@ -1510,6 +1652,7 @@ rules: group: cloud-weak-configuration name: 181bd815-767e-4e95-a24d-bb3c87328e19 pretty_name: Numeric Schema Without Minimum (v3) + recommended: true ref: https://swagger.io/specification/#schema-object 1828a670-5957-4bc5-9974-47da228f75e2: categories: @@ -1520,6 +1663,7 @@ rules: group: top10-security-logging-monitoring-failures name: 1828a670-5957-4bc5-9974-47da228f75e2 pretty_name: Audit Policy Not Cover Key Security Concerns + recommended: true ref: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ 18d3a83d-4414-49dc-90ea-f0387b2856cc: categories: 
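Review bot: `HPA Targets Invalid Object` (hunk `@@ -1479,6 +1618,7 @@`) and `EBS Volume Not Attached To Instances` (hunk `@@ -1500,6 +1641,7 @@`) should not receive `recommended: true`: the first is a manifest validity check and the second a cost/hygiene observation, neither the kind of weakness `top10-insecure-design` implies. `Numeric Schema Without Minimum (v3)` in the next hunk is likewise an OpenAPI lint. Recommending them beside `Public Storage Account` and `Audit Policy Not Cover Key Security Concerns` lowers the precision of the default set; I would omit the `recommended` key from all three.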
@@ -1532,6 +1676,7 @@ rules: group: cloud-weak-configuration name: 18d3a83d-4414-49dc-90ea-f0387b2856cc pretty_name: Shielded VM Disabled + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html 1908a8ee-927d-4166-8f18-241152170cc1: categories: @@ -1542,6 +1687,7 @@ rules: group: cloud-resources-public-access name: 1908a8ee-927d-4166-8f18-241152170cc1 pretty_name: Success Response Code Undefined for Patch Operation (v3) + recommended: true ref: https://swagger.io/specification/#operation-object 192fe40b-b1c3-448a-aba2-6cc19a300fe3: categories: @@ -1552,6 +1698,7 @@ rules: group: cloud-insecure-iam name: 192fe40b-b1c3-448a-aba2-6cc19a300fe3 pretty_name: CronJob Deadline Not Configured + recommended: true ref: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ 194ef1f8-360e-4c14-8ed2-e83e2bafa142: categories: @@ -1562,6 +1709,7 @@ rules: group: top10-insecure-design name: 194ef1f8-360e-4c14-8ed2-e83e2bafa142 pretty_name: Path Parameter With No Corresponding Template Path (v2) + recommended: true ref: https://swagger.io/specification/v2/#pathTemplating 19c9e2a0-fc33-4264-bba1-e3682661e8f7: categories: @@ -1574,6 +1722,7 @@ rules: group: top10-security-logging-monitoring-failures name: 19c9e2a0-fc33-4264-bba1-e3682661e8f7 pretty_name: Stackdriver Logging Disabled + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html 19ebaa28-fc86-4a58-bcfa-015c9e22fe40: categories: @@ -1583,6 +1732,7 @@ rules: group: cloud-weak-configuration name: 19ebaa28-fc86-4a58-bcfa-015c9e22fe40 pretty_name: Containers With Added Capabilities + recommended: true ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ 19ffbe31-9d72-4379-9768-431195eae328: categories: 
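Review bot: `CronJob Deadline Not Configured` (192fe40b, hunk `@@ -1552,6 +1698,7 @@`) is filed under `cloud-insecure-iam`, so adding `recommended: true` places a scheduling-configuration finding (per the cron-jobs ref, presumably `startingDeadlineSeconds`) in the IAM bucket of every default scan. The grouping predates this commit, but recommending the rule amplifies the mis-filing. I would leave `recommended` off until the group is corrected. `Containers With Added Capabilities` and `Stackdriver Logging Disabled` on the same line are sensible recommended rules.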
@@ -1594,6 +1744,7 @@ rules: name: 19ffbe31-9d72-4379-9768-431195eae328 pretty_name: User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy 1a07a446-8e61-4e4d-bc16-b0781fcb8211: categories: @@ -1604,6 +1755,7 @@ rules: group: top10-security-logging-monitoring-failures name: 1a07a446-8e61-4e4d-bc16-b0781fcb8211 pretty_name: Kubelet Event QPS Not Properly Set + recommended: true ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/ 1a1aea94-745b-40a7-b860-0702ea6ee636: categories: @@ -1614,6 +1766,7 @@ rules: group: top10-insecure-design name: 1a1aea94-745b-40a7-b860-0702ea6ee636 pretty_name: Schema Object With Circular Ref (v3) + recommended: true ref: https://swagger.io/specification/#schema-object 1a427b25-2e9e-4298-9530-0499a55e736b: categories: @@ -1624,6 +1777,7 @@ rules: group: cloud-resources-public-access name: 1a427b25-2e9e-4298-9530-0499a55e736b pretty_name: Security Group Ingress With All Protocols + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html 1a4bc881-9f69-4d44-8c9a-d37d08f54c50: categories: @@ -1634,6 +1788,7 @@ rules: group: cloud-insecure-iam name: 1a4bc881-9f69-4d44-8c9a-d37d08f54c50 pretty_name: S3 Bucket Allows Public Policy + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block 1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e: categories: @@ -1645,6 +1800,7 @@ rules: group: top10-crypto-failures name: 1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e pretty_name: Aurora With Disabled at Rest Encryption + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#storage_encrypted 1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e: categories: 
@@ -1655,6 +1811,7 @@ rules: group: cloud-insecure-iam name: 1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e pretty_name: Authorization Mode RBAC Not Set + recommended: true ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ 1acd93f1-5a37-45c0-aaac-82ece818be7d: categories: @@ -1666,6 +1823,7 @@ rules: group: cloud-insecure-iam name: 1acd93f1-5a37-45c0-aaac-82ece818be7d pretty_name: Use Service Account Credentials Not Set To True + recommended: true ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/ 1afbb3fa-cf6c-4a3d-b730-95e9f4df343e: categories: @@ -1675,6 +1833,7 @@ rules: group: top10-crypto-failures name: 1afbb3fa-cf6c-4a3d-b730-95e9f4df343e pretty_name: ElastiCache Replication Group Not Encrypted At Transit + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group#transit_encryption_enabled 1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2: categories: @@ -1686,6 +1845,7 @@ rules: group: cloud-weak-configuration name: 1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2 pretty_name: Lambda Function With Privileged Role + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function 1b44e234-3d73-41a8-9954-0b154135280e: categories: @@ -1698,6 +1858,7 @@ rules: group: cloud-weak-configuration name: 1b44e234-3d73-41a8-9954-0b154135280e pretty_name: Shielded VM Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#shielded_instance_config 1b4565c0-4877-49ac-ab03-adebbccd42ae: categories: @@ -1708,6 +1869,7 @@ rules: group: cloud-weak-configuration name: 1b4565c0-4877-49ac-ab03-adebbccd42ae pretty_name: RDS DB Instance Publicly Accessible + recommended: true ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#security_ips 1b6322d9-c755-4f8c-b804-32c19250f2d9: categories: 
@@ -1718,6 +1880,7 @@ rules:
 group: top10-crypto-failures
 name: 1b6322d9-c755-4f8c-b804-32c19250f2d9
 pretty_name: Config Rule For Encrypted Volumes Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configrule.html#cfn-config-configrule-source
 1b6799eb-4a7a-4b04-9001-8cceb9999326:
 categories:
@@ -1727,6 +1890,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 1b6799eb-4a7a-4b04-9001-8cceb9999326
 pretty_name: API Gateway Access Logging Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#access_log_settings
 1bc1c685-e593-450e-88fb-19db4c82aa1d:
 categories:
@@ -1736,6 +1900,7 @@ rules:
 group: top10-insecure-design
 name: 1bc1c685-e593-450e-88fb-19db4c82aa1d
 pretty_name: IAM Password Without Minimum Length
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy
 1bc3205c-0d60-44e6-84f3-44fbf4dac5b3:
 categories:
@@ -1745,6 +1910,7 @@ rules:
 group: cloud-insecure-iam
 name: 1bc3205c-0d60-44e6-84f3-44fbf4dac5b3
 pretty_name: Security Scheme Using Oauth 1.0
+ recommended: true
 ref: https://swagger.io/specification/#security-scheme-object
 1bc367f6-901d-4870-ad0c-71d79762ef52:
 categories:
@@ -1756,6 +1922,7 @@ rules:
 group: top10-insecure-design
 name: 1bc367f6-901d-4870-ad0c-71d79762ef52
 pretty_name: CDN Configuration Is Missing
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution
 1bc398a8-d274-47de-a4c8-6ac867b353de:
 categories:
@@ -1767,6 +1934,7 @@ rules:
 group: cloud-resources-public-access
 name: 1bc398a8-d274-47de-a4c8-6ac867b353de
 pretty_name: Trusted Microsoft Services Not Enabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-network_acls/bypass
 1bcdf9f0-b1aa-40a4-b8c6-cd7785836843:
 categories:
@@ -1777,6 +1945,7 @@ rules:
 group: cloud-resources-public-access
 name: 1bcdf9f0-b1aa-40a4-b8c6-cd7785836843
 pretty_name: API Gateway API Protocol Not HTTPS
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/api_gateway_api#protocol
 1bf3b3d4-f373-4d7c-afbb-7d85948a67a5:
 categories:
@@ -1786,6 +1955,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 1bf3b3d4-f373-4d7c-afbb-7d85948a67a5
 pretty_name: DocDB Logging Is Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-docdb-dbcluster.html#cfn-docdb-dbcluster-enablecloudwatchlogsexports
 1c07bfaf-663c-4f6f-b22b-8e2d481e4df5:
 categories:
@@ -1798,6 +1968,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 1c07bfaf-663c-4f6f-b22b-8e2d481e4df5
 pretty_name: CMK Rotation Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html
 1c1325ff-831d-43a1-973e-839ae57dfcc0:
 categories:
@@ -1808,6 +1979,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: 1c1325ff-831d-43a1-973e-839ae57dfcc0
 pretty_name: Volume Has Sensitive Host Directory
+ recommended: true
 ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#volume-configuration-reference
 1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2:
 categories:
@@ -1817,6 +1989,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2
 pretty_name: Rotate Kubelet Server Certificate Not Active
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
 1c8eef02-17b1-4a3e-b01d-dcc3292d2c38:
 categories:
@@ -1827,6 +2000,7 @@ rules:
 group: cloud-weak-configuration
 name: 1c8eef02-17b1-4a3e-b01d-dcc3292d2c38
 pretty_name: GKE Using Default Service Account
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#node_config
 1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a:
 categories:
@@ -1836,6 +2010,7 @@ rules:
 group: cloud-resources-public-access
 name: 1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a
 pretty_name: Security Group Egress CIDR Open To World
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-egress.html
 1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7:
 categories:
@@ -1845,6 +2020,7 @@ rules:
 group: cloud-insecure-iam
 name: 1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7
 pretty_name: Lambda Permission Principal Is Wildcard
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html
 1d972c56-8ec2-48c1-a578-887adb09c57a:
 categories:
@@ -1854,6 +2030,7 @@ rules:
 group: cloud-insecure-iam
 name: 1d972c56-8ec2-48c1-a578-887adb09c57a
 pretty_name: Lambda Permission Principal Is Wildcard
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_policy_module.html
 1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5:
 categories:
@@ -1864,6 +2041,7 @@ rules:
 group: top10-insecure-design
 name: 1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5
 pretty_name: StatefulSet Without PodDisruptionBudget
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
 1dc73fb4-5b51-430c-8c5f-25dcf9090b02:
 categories:
@@ -1874,6 +2052,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: 1dc73fb4-5b51-430c-8c5f-25dcf9090b02
 pretty_name: RDS With Backup Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
 1de5cc51-f376-4638-a940-20f2e85ae238:
 categories:
@@ -1884,6 +2063,7 @@ rules:
 group: cloud-insecure-iam
 name: 1de5cc51-f376-4638-a940-20f2e85ae238
 pretty_name: Anonymous Auth Is Not Set To False
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
 1df37f4b-7197-45ce-83f8-9994d2fcf885:
 categories:
@@ -1897,6 +2077,7 @@ rules:
 group: cloud-insecure-iam
 name: 1df37f4b-7197-45ce-83f8-9994d2fcf885
 pretty_name: S3 Bucket Allows Get Action From All Principals
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy
 1e0ef61b-ad85-4518-a3d3-85eaad164885:
 categories:
@@ -1908,6 +2089,7 @@ rules:
 group: cloud-resources-public-access
 name: 1e0ef61b-ad85-4518-a3d3-85eaad164885
 pretty_name: DB Security Group With Public Scope
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_security_group
 1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89:
 categories:
@@ -1918,6 +2100,7 @@ rules:
 group: top10-crypto-failures
 name: 1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89
 pretty_name: User Data Shell Script Is Encoded
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_lc_module.html
 1e434b25-8763-4b00-a5ca-ca03b7abbb66:
 categories:
@@ -1927,6 +2110,7 @@ rules:
 group: top10-insecure-design
 name: 1e434b25-8763-4b00-a5ca-ca03b7abbb66
 pretty_name: Name Is Not Snake Case
+ recommended: true
 ref: https://www.terraform.io/docs/extend/best-practices/naming.html#naming
 1e5f5307-3e01-438d-8da6-985307ed25ce:
 categories:
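Review bot: The `recommended: true` added in the `@@ -1927` hunk for 1e434b25 (Name Is Not Snake Case) promotes a naming-convention lint into what the commit title suggests is the default-on rule set, and a rule with no security impact is the kind of noise that gets the whole recommended set disabled. The same concern applies to 203eee11 (Numeric Schema Without Maximum) in `@@ -2023`, 23a4dc83 (Cosmos DB Account Without Tags) in `@@ -2296`, 265d9725 (Lambda Function Without Tags) in `@@ -2503`, 295acb63 (Missing Dnf Clean All) in `@@ -2708` and 2a153952 (Variable Without Description) in `@@ -2736`. I'd leave the key off these hygiene rules, and since the change does not state what qualifies a rule as recommended, record the selection criterion once in the commit description so the remaining hunks can be reviewed against it.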
@@ -1937,6 +2121,7 @@ rules:
 group: cloud-weak-configuration
 name: 1e5f5307-3e01-438d-8da6-985307ed25ce
 pretty_name: VM Not Attached To Network
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_virtualmachine_module.html#parameter-network_interface_names
 1e749bc9-fde8-471c-af0c-8254efd2dee5:
 categories:
@@ -1947,6 +2132,7 @@ rules:
 group: cloud-weak-configuration
 name: 1e749bc9-fde8-471c-af0c-8254efd2dee5
 pretty_name: Role Binding To Default Service Account
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
 1ec253ab-c220-4d63-b2de-5b40e0af9293:
 categories:
@@ -1957,6 +2143,7 @@ rules:
 group: cloud-weak-configuration
 name: 1ec253ab-c220-4d63-b2de-5b40e0af9293
 pretty_name: S3 Bucket Without Restriction Of Public Bucket
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block
 1fe9d958-ddce-4228-a124-05265a959a8b:
 categories:
@@ -1969,6 +2156,7 @@ rules:
 group: cloud-resources-public-access
 name: 1fe9d958-ddce-4228-a124-05265a959a8b
 pretty_name: RDS Using Default Port
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-port
 1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37:
 categories:
@@ -1979,6 +2167,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: 1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37
 pretty_name: Namespace Lifecycle Admission Control Plugin Disabled
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 20018359-6fd7-4d05-ab26-d4dffccbdf79:
 categories:
@@ -1988,6 +2177,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 20018359-6fd7-4d05-ab26-d4dffccbdf79
 pretty_name: ELB Access Log Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elb#enabled
 20180133-a0d0-4745-bfe0-94049fbb12a9:
 categories:
@@ -2000,6 +2190,7 @@ rules:
 group: cloud-weak-configuration
 name: 20180133-a0d0-4745-bfe0-94049fbb12a9
 pretty_name: Client Certificate Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html
 2034fb37-bc23-4ca0-8d95-2b9f15829ab5:
 categories:
@@ -2013,6 +2204,7 @@ rules:
 group: top10-crypto-failures
 name: 2034fb37-bc23-4ca0-8d95-2b9f15829ab5
 pretty_name: ELB Using Weak Ciphers
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html
 203eee11-15b6-4d47-b888-4c7f534967ee:
 categories:
@@ -2023,6 +2215,7 @@ rules:
 group: cloud-weak-configuration
 name: 203eee11-15b6-4d47-b888-4c7f534967ee
 pretty_name: Numeric Schema Without Maximum (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#schemaObject
 2059155b-27fd-441e-b616-6966c468561f:
 categories:
@@ -2032,6 +2225,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 2059155b-27fd-441e-b616-6966c468561f
 pretty_name: API Gateway X-Ray Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_api_gateway_module.html#parameter-tracing_enabled
 2081c7d6-2851-4cce-bda5-cb49d462da42:
 categories:
@@ -2042,6 +2236,7 @@ rules:
 group: cloud-resources-public-access
 name: 2081c7d6-2851-4cce-bda5-cb49d462da42
 pretty_name: Standard Price Is Not Selected
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.security/pricings?tabs=json#pricingproperties-object
 209189f3-c879-48a7-9703-fbcfa96d0cef:
 categories:
@@ -2061,6 +2256,7 @@ rules:
 group: top10-insecure-design
 name: 20a482d5-c5d9-4a7a-b7a4-60d0805047b4
 pretty_name: Security Operation Field Undefined
+ recommended: true
 ref: https://swagger.io/specification/#operation-object
 20cb3159-b219-496b-8dac-54ae3ab2021a:
 categories:
@@ -2070,6 +2266,7 @@ rules:
 group: top10-insecure-design
 name: 20cb3159-b219-496b-8dac-54ae3ab2021a
 pretty_name: Non-Array Schema With Items (v3)
+ recommended: true
 ref: https://swagger.io/specification/#schema-object
 20dcd953-a8b8-4892-9026-9afa6d05a525:
 categories:
@@ -2082,6 +2279,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 20dcd953-a8b8-4892-9026-9afa6d05a525
 pretty_name: Stackdriver Monitoring Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html
 21245007-91c4-40e5-964e-40c85d1e5aa6:
 categories:
@@ -2091,6 +2289,7 @@ rules:
 group: top10-insecure-design
 name: 21245007-91c4-40e5-964e-40c85d1e5aa6
 pretty_name: OperationId Not Unique (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#operationObject
 2134641d-30a4-4b16-8ffc-2cd4c4ffd15d:
 categories:
@@ -2101,6 +2300,7 @@ rules:
 group: top10-crypto-failures
 name: 2134641d-30a4-4b16-8ffc-2cd4c4ffd15d
 pretty_name: DOCDB Cluster Encrypted With AWS Managed Key
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#kms_key_id
 21719347-d02b-497d-bda4-04a03c8e5b61:
 categories:
@@ -2112,6 +2312,7 @@ rules:
 group: cloud-insecure-iam
 name: 21719347-d02b-497d-bda4-04a03c8e5b61
 pretty_name: Memory Requests Not Defined
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#requests
 218413a0-c716-4b94-9e08-0bb70d854709:
 categories:
@@ -2122,6 +2323,7 @@ rules:
 group: top10-crypto-failures
 name: 218413a0-c716-4b94-9e08-0bb70d854709
 pretty_name: Secure Ciphers Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html
 219f4c95-aa50-44e0-97de-cf71f4641170:
 categories:
@@ -2132,6 +2334,7 @@ rules:
 group: cloud-insecure-iam
 name: 219f4c95-aa50-44e0-97de-cf71f4641170
 pretty_name: S3 Bucket ACL Allows Read to All Users
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
 21cef75f-289f-470e-8038-c7cee0664164:
 categories:
@@ -2142,6 +2345,7 @@ rules:
 group: top10-insecure-design
 name: 21cef75f-289f-470e-8038-c7cee0664164
 pretty_name: No Drop Capabilities for Containers
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#drop
 221015a8-aa2a-43f5-b00b-ad7d2b1d47a8:
 categories:
@@ -2151,6 +2355,7 @@ rules:
 group: cloud-insecure-iam
 name: 221015a8-aa2a-43f5-b00b-ad7d2b1d47a8
 pretty_name: Security Definitions Using Basic Auth
+ recommended: true
 ref: https://swagger.io/specification/v2/#securitySchemeObject
 221e0658-cb2a-44e3-b08a-db96a341d6fa:
 categories:
@@ -2160,6 +2365,7 @@ rules:
 group: cloud-insecure-iam
 name: 221e0658-cb2a-44e3-b08a-db96a341d6fa
 pretty_name: Pids Limit Not Set
+ recommended: true
 ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir
 2263b286-2fe9-4747-a0ae-8b4768a2bbd2:
 categories:
@@ -2170,6 +2376,7 @@ rules:
 group: cloud-insecure-iam
 name: 2263b286-2fe9-4747-a0ae-8b4768a2bbd2
 pretty_name: BigQuery Dataset Is Public
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_bigquery_dataset_module.html#parameter-access/special_group
 2270987f-bb51-479f-b8be-3ca73e5ad648:
 categories:
@@ -2179,6 +2386,7 @@ rules:
 group: cloud-weak-configuration
 name: 2270987f-bb51-479f-b8be-3ca73e5ad648
 pretty_name: NET_RAW Capabilities Disabled for PSP
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
 227c2f58-70c6-4432-8e9a-a89c1a548cf5:
 categories:
@@ -2188,6 +2396,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 227c2f58-70c6-4432-8e9a-a89c1a548cf5
 pretty_name: Bucket Without Versioning
+ recommended: true
 ref: https://cloud.google.com/storage/docs/json_api/v1/buckets
 2285e608-ddbc-47f3-ba54-ce7121e31216:
 categories:
@@ -2197,6 +2406,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 2285e608-ddbc-47f3-ba54-ce7121e31216
 pretty_name: CloudWatch Route Table Changes Alarm Missing
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern
 228c4c19-feeb-4c18-848c-800ac70fdfb7:
 categories:
@@ -2207,6 +2417,7 @@ rules:
 group: cloud-weak-configuration
 name: 228c4c19-feeb-4c18-848c-800ac70fdfb7
 pretty_name: Image Without Digest
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image
 229588ef-8fde-40c8-8756-f4f2b5825ded:
 categories:
@@ -2218,6 +2429,7 @@ rules:
 group: cloud-insecure-iam
 name: 229588ef-8fde-40c8-8756-f4f2b5825ded
 pretty_name: Memory Requests Not Defined
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/
 22c80725-e390-4055-8d14-a872230f6607:
 categories:
@@ -2228,6 +2440,7 @@ rules:
 group: cloud-resources-public-access
 name: 22c80725-e390-4055-8d14-a872230f6607
 pretty_name: CloudFront Without WAF
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html
 22cd11f7-9c6c-4f6e-84c0-02058120b341:
 categories:
@@ -2237,6 +2450,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: 22cd11f7-9c6c-4f6e-84c0-02058120b341
 pretty_name: Gem Install Without Version
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
 22ef1d26-80f8-4a6c-8c15-f35aab3cac78:
 categories:
@@ -2247,6 +2461,7 @@ rules:
 group: cloud-resources-public-access
 name: 22ef1d26-80f8-4a6c-8c15-f35aab3cac78
 pretty_name: Google Compute Network Using Firewall Rule that Allows All Ports
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall#allow
 22fbfeac-7b5a-421a-8a27-7a2178bb910b:
 categories:
@@ -2259,6 +2474,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 22fbfeac-7b5a-421a-8a27-7a2178bb910b
 pretty_name: CMK Rotation Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#enable_key_rotation
 235236ee-ad78-4065-bd29-61b061f28ce0:
 categories:
@@ -2268,6 +2484,7 @@ rules:
 group: cloud-weak-configuration
 name: 235236ee-ad78-4065-bd29-61b061f28ce0
 pretty_name: Containers With Sys Admin Capabilities
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 235ca980-eb71-48f4-9030-df0c371029eb:
 categories:
@@ -2277,6 +2494,7 @@ rules:
 group: top10-crypto-failures
 name: 235ca980-eb71-48f4-9030-df0c371029eb
 pretty_name: KMS Key Rotation Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html
 237402e2-c2f0-46c9-9cf5-286160cf7bfc:
 categories:
@@ -2287,6 +2505,7 @@ rules:
 group: top10-insecure-design
 name: 237402e2-c2f0-46c9-9cf5-286160cf7bfc
 pretty_name: Path Is Ambiguous (v3)
+ recommended: true
 ref: https://swagger.io/specification/#path-item-object
 23a4dc83-4959-4d99-8056-8e051a82bc1e:
 categories:
@@ -2296,6 +2515,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: 23a4dc83-4959-4d99-8056-8e051a82bc1e
 pretty_name: Cosmos DB Account Without Tags
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_cosmosdbaccount_module.html
 23a9e2d9-8738-4556-a71c-2802b6ffa022:
 categories:
@@ -2306,6 +2526,7 @@ rules:
 group: cloud-insecure-iam
 name: 23a9e2d9-8738-4556-a71c-2802b6ffa022
 pretty_name: Undefined Scope 'securityScheme' On Global 'security' Field
+ recommended: true
 ref: https://swagger.io/specification/#oauth-flow-object
 23b70e32-032e-4fa6-ba5c-82f56b9980e6:
 categories:
@@ -2316,6 +2537,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 23b70e32-032e-4fa6-ba5c-82f56b9980e6
 pretty_name: EC2 Instance Monitoring Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#monitoring
 23edf35f-7c22-4ff9-87e6-0ca74261cfbf:
 categories:
@@ -2335,6 +2557,7 @@ rules:
 group: cloud-insecure-iam
 name: 249328b8-5f0f-409f-b1dd-029f07882e11
 pretty_name: Cluster Admin Rolebinding With Superuser Permissions
+ recommended: true
 ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
 24b132df-5cc7-4823-8029-f898e1c50b72:
 categories:
@@ -2346,6 +2569,7 @@ rules:
 group: cloud-weak-configuration
 name: 24b132df-5cc7-4823-8029-f898e1c50b72
 pretty_name: Service Account Name Undefined Or Empty
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#service_account_name
 24d932e1-91f0-46ea-836f-fdbd81694151:
 categories:
@@ -2356,6 +2580,7 @@ rules:
 group: cloud-resources-public-access
 name: 24d932e1-91f0-46ea-836f-fdbd81694151
 pretty_name: Route53 Record Undefined
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53-hostedzone.html
 24e16922-4330-4e9d-be8a-caa90299466a:
 categories:
@@ -2365,6 +2590,7 @@ rules:
 group: top10-crypto-failures
 name: 24e16922-4330-4e9d-be8a-caa90299466a
 pretty_name: ElasticSearch Not Encrypted At Rest
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain
 254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4:
 categories:
@@ -2376,6 +2602,7 @@ rules:
 group: top10-crypto-failures
 name: 254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4
 pretty_name: Redis Not Compliant
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#engine_version
 255b0fcc-9f82-41fe-9229-01b163e3376b:
 categories:
@@ -2386,6 +2613,7 @@ rules:
 group: cloud-weak-configuration
 name: 255b0fcc-9f82-41fe-9229-01b163e3376b
 pretty_name: CloudFront Without Minimum Protocol TLS 1.2
+ recommended: true
 ref: https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-viewerCertificate-minimumProtocolVersion
 25635c31-ee32-4708-88e5-fced87516f51:
 categories:
@@ -2395,6 +2623,7 @@ rules:
 group: top10-insecure-design
 name: 25635c31-ee32-4708-88e5-fced87516f51
 pretty_name: Invalid Operation External Documentation URL (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#externalDocumentationObject
 2564172f-c92b-4261-9acd-464aed511696:
 categories:
@@ -2404,6 +2633,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 2564172f-c92b-4261-9acd-464aed511696
 pretty_name: Hardcoded AWS Access Key In Lambda
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-environment
 25684eac-daaa-4c2c-94b4-8d2dbb627909:
 categories:
@@ -2415,6 +2645,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 25684eac-daaa-4c2c-94b4-8d2dbb627909
 pretty_name: Unrecommended Log Profile Retention Policy
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2016-03-01/logprofiles?tabs=json#retentionpolicy-object
 2583fab1-953b-4fae-bd02-4a136a6c21f9:
 categories:
@@ -2425,6 +2656,7 @@ rules:
 group: cloud-resources-public-access
 name: 2583fab1-953b-4fae-bd02-4a136a6c21f9
 pretty_name: AKS With Authorized IP Ranges Disabled
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#managedclusterapiserveraccessprofile-object
 2596545e-1757-4ff7-a15a-8a9a180a42f3:
 categories:
@@ -2434,6 +2666,7 @@ rules:
 group: top10-insecure-design
 name: 2596545e-1757-4ff7-a15a-8a9a180a42f3
 pretty_name: Parameter Object With Incorrect Ref (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#parameter-object
 25c0228e-4444-459b-a2df-93c7df40b7ed:
 categories:
@@ -2443,6 +2676,7 @@ rules:
 group: cloud-weak-configuration
 name: 25c0228e-4444-459b-a2df-93c7df40b7ed
 pretty_name: AKS Cluster Network Policy Not Configured
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#containerservicenetworkprofile-object
 25c0ea09-f1c5-4380-b055-3b83863f2bb8:
 categories:
@@ -2453,6 +2687,7 @@ rules:
 group: cloud-resources-public-access
 name: 25c0ea09-f1c5-4380-b055-3b83863f2bb8
 pretty_name: SQLServer Ingress From Any IP
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_firewall_rule
 25d251f3-f348-4f95-845c-1090e41a615c:
 categories:
@@ -2464,6 +2699,7 @@ rules:
 group: top10-crypto-failures
 name: 25d251f3-f348-4f95-845c-1090e41a615c
 pretty_name: EFS Without KMS
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system#kms_key_id
 25db74bf-fa3b-44da-934e-8c3e005c0453:
 categories:
@@ -2474,6 +2710,7 @@ rules:
 group: cloud-resources-public-access
 name: 25db74bf-fa3b-44da-934e-8c3e005c0453
 pretty_name: Route53 Record Undefined
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record
 261a83f8-dd72-4e8c-b5e1-ebf06e8fe606:
 categories:
@@ -2484,6 +2721,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 261a83f8-dd72-4e8c-b5e1-ebf06e8fe606
 pretty_name: Small PostgreSQL DB Server Log Retention Period
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration
 2623d682-dccb-44cd-99d0-54d9fd62f8f2:
 categories:
@@ -2494,6 +2732,7 @@ rules:
 group: cloud-insecure-iam
 name: 2623d682-dccb-44cd-99d0-54d9fd62f8f2
 pretty_name: EC2 Network ACL Ineffective Denied Traffic
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html
 265d9725-2fb8-42a2-bc57-3279c5db82d5:
 categories:
@@ -2503,6 +2742,7 @@ rules:
 group: cloud-weak-configuration
 name: 265d9725-2fb8-42a2-bc57-3279c5db82d5
 pretty_name: Lambda Function Without Tags
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_module.html
 26763a1c-5dda-4772-b507-5fca7fb5f165:
 categories:
@@ -2513,6 +2753,7 @@ rules:
 group: cloud-resources-public-access
 name: 26763a1c-5dda-4772-b507-5fca7fb5f165
 pretty_name: Service With External Load Balancer
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/
 268c65a8-58ad-43e4-9019-1a9bbc56749f:
 categories:
@@ -2533,6 +2774,7 @@ rules: group: top10-insecure-design name: 268ca686-7fb7-4ae9-b129-955a2a89064e pretty_name: No Drop Capabilities for Containers + recommended: true ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ 268defd2-2839-4e15-8cbc-de86eb38c231: categories: @@ -2544,6 +2786,7 @@ rules: name: 268defd2-2839-4e15-8cbc-de86eb38c231 pretty_name: Response on operations that should not have a body has declared content (v2) + recommended: true ref: https://swagger.io/docs/specification/2-0/describing-responses/ 26b047a9-0329-48fd-8fb7-05bbe5ba80ee: categories: @@ -2554,6 +2797,7 @@ rules: group: supply-chain-cicd-weak-configuration name: 26b047a9-0329-48fd-8fb7-05bbe5ba80ee pretty_name: Incorrect Volume Claim Access Mode ReadWriteOnce + recommended: true ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#volume_claim_template 26f06397-36d8-4ce7-b993-17711261d777: categories: @@ -2564,6 +2808,7 @@ rules: group: top10-insecure-design name: 26f06397-36d8-4ce7-b993-17711261d777 pretty_name: Invalid Content Type For Multiple Files Upload + recommended: true ref: https://swagger.io/docs/specification/describing-request-body/file-upload/ 2730c169-51d7-4ae7-99b5-584379eff1bb: categories: @@ -2584,6 +2829,7 @@ rules: group: cloud-insecure-iam name: 274f910a-0665-4f08-b66d-7058fe927dba pretty_name: Invalid OAuth2 Token URL (v2) + recommended: true ref: https://swagger.io/specification/v2/#security-scheme-object 275a3217-ca37-40c1-a6cf-bb57d245ab32: categories: @@ -2594,6 +2840,7 @@ rules: group: cloud-resources-public-access name: 275a3217-ca37-40c1-a6cf-bb57d245ab32 pretty_name: ALB Listening on HTTP + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb-listener.html#cfn-ec2-elb-listener-protocol 2775e169-e708-42a9-9305-b58aadd2c4dd: categories: 
@@ -2606,6 +2853,7 @@ rules:
 group: cloud-weak-configuration
 name: 2775e169-e708-42a9-9305-b58aadd2c4dd
 pretty_name: Using Default Service Account
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html
 27c6a499-895a-4dc7-9617-5c485218db13:
 categories:
@@ -2616,6 +2864,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 27c6a499-895a-4dc7-9617-5c485218db13
 pretty_name: CloudWatch S3 policy Change Alarm Missing
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern
 27fcc7d6-c49b-46e0-98f1-6c082a6a2750:
 categories:
@@ -2627,6 +2876,7 @@ rules:
 group: cloud-insecure-iam
 name: 27fcc7d6-c49b-46e0-98f1-6c082a6a2750
 pretty_name: No New Privileges Not Set
+ recommended: true
 ref: https://docs.docker.com/engine/reference/run/#security-configuration
 281b8071-6226-4a43-911d-fec246d422c2:
 categories:
@@ -2636,6 +2886,7 @@ rules:
 group: cloud-insecure-iam
 name: 281b8071-6226-4a43-911d-fec246d422c2
 pretty_name: API Key Exposed In Operation Security (v3)
+ recommended: true
 ref: https://swagger.io/specification/#security-scheme-object
 2844c749-bd78-4cd1-90e8-b179df827602:
 categories:
@@ -2647,6 +2898,7 @@ rules:
 group: top10-insecure-design
 name: 2844c749-bd78-4cd1-90e8-b179df827602
 pretty_name: CMK Is Unusable
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html
 28545147-2fc6-42d5-a1f9-cf226658e591:
 categories:
@@ -2656,6 +2908,7 @@ rules:
 group: top10-crypto-failures
 name: 28545147-2fc6-42d5-a1f9-cf226658e591
 pretty_name: SNS Topic Not Encrypted
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#kms_master_key_id
 28727987-e398-49b8-aef1-8a3e7789d111:
 categories:
@@ -2668,6 +2921,7 @@ rules:
 group: cloud-weak-configuration
 name: 28727987-e398-49b8-aef1-8a3e7789d111
 pretty_name: IP Aliasing Disabled
+ recommended: true
 ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters
 28a757fc-3d8f-424a-90c0-4233363b2711:
 categories:
@@ -2678,6 +2932,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 28a757fc-3d8f-424a-90c0-4233363b2711
 pretty_name: PostgreSQL Misconfigured Log Messages Flag
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags
 292919fb-7b26-4454-bee9-ce29094768dd:
 categories:
@@ -2688,6 +2943,7 @@ rules:
 group: cloud-insecure-iam
 name: 292919fb-7b26-4454-bee9-ce29094768dd
 pretty_name: Global security field has an empty object (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#security-requirement-object
 2940d48a-dc5e-4178-a3f8-bfbd80720b41:
 categories:
@@ -2698,6 +2954,7 @@ rules:
 group: cloud-resources-public-access
 name: 2940d48a-dc5e-4178-a3f8-bfbd80720b41
 pretty_name: Kubelet Read Only Port Is Not Set To Zero
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
 295acb63-9246-4b21-b441-7c1f1fb62dc0:
 categories:
@@ -2708,6 +2965,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: 295acb63-9246-4b21-b441-7c1f1fb62dc0
 pretty_name: Missing Dnf Clean All
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
 29b8224a-60e9-4011-8ac2-7916a659841f:
 categories:
@@ -2717,6 +2975,7 @@ rules:
 group: cloud-resources-public-access
 name: 29b8224a-60e9-4011-8ac2-7916a659841f
 pretty_name: Google Compute Network Using Default Firewall Rule
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html#parameter-name
 29f35127-98e6-43af-8ec1-201b79f99604:
 categories:
@@ -2727,6 +2986,7 @@ rules:
 group: cloud-insecure-iam
 name: 29f35127-98e6-43af-8ec1-201b79f99604
 pretty_name: Admin User Enabled For Container Registry
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_containerregistry_module.html
 2a153952-2544-4687-bcc9-cc8fea814a9b:
 categories:
@@ -2736,6 +2996,7 @@ rules:
 group: top10-insecure-design
 name: 2a153952-2544-4687-bcc9-cc8fea814a9b
 pretty_name: Variable Without Description
+ recommended: true
 ref: https://www.terraform.io/docs/language/values/variables.html#input-variable-documentation
 2a3560fe-52ca-4443-b34f-bf0ed5eb74c8:
 categories:
@@ -2746,6 +3007,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 2a3560fe-52ca-4443-b34f-bf0ed5eb74c8
 pretty_name: CloudTrail Log File Validation Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-enablelogfilevalidation
 2a52567c-abb8-4651-a038-52fa27c77aed:
 categories:
@@ -2756,6 +3018,7 @@ rules:
 group: cloud-resources-public-access
 name: 2a52567c-abb8-4651-a038-52fa27c77aed
 pretty_name: Service With External Load Balancer
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service
 2a901825-0f3b-4655-a0fe-e0470e50f8e6:
 categories:
@@ -2767,6 +3030,7 @@ rules:
 group: top10-crypto-failures
 name: 2a901825-0f3b-4655-a0fe-e0470e50f8e6
 pretty_name: MySQL SSL Connection Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_mysqlserver_module.html
 2ab6de9a-0136-415c-be92-79d2e4fd750f:
 categories:
@@ -2778,6 +3042,7 @@ rules:
 group: top10-insecure-design
 name: 2ab6de9a-0136-415c-be92-79d2e4fd750f
 pretty_name: SQL Server Predictable Admin Account Name
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server
 2acb555f-f4ad-4b1b-b984-84e6588f4b05:
 categories:
@@ -2788,6 +3053,7 @@ rules:
 group: cloud-weak-configuration
 name: 2acb555f-f4ad-4b1b-b984-84e6588f4b05
 pretty_name: Not Limited Capabilities For Pod Security Policy
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#required_drop_capabilities
 2ade1579-4b2c-4590-bebb-f99bf597f612:
 categories:
@@ -2798,6 +3064,7 @@ rules:
 group: cloud-resources-public-access
 name: 2ade1579-4b2c-4590-bebb-f99bf597f612
 pretty_name: Network Security Group With Unrestricted Access To SSH
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2020-07-01/networksecuritygroups?tabs=json#securityrulepropertiesformat-object
 2ae9d554-23fb-4065-bfd1-fe43d5f7c419:
 categories:
@@ -2809,6 +3076,7 @@ rules:
 group: cloud-resources-public-access
 name: 2ae9d554-23fb-4065-bfd1-fe43d5f7c419
 pretty_name: Public Security Group Rule Sensitive Port
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/security_group_rule#port_range
 2b13c6ff-b87a-484d-86fd-21ef6e97d426:
 categories:
@@ -2820,6 +3088,7 @@ rules:
 group: cloud-weak-configuration
 name: 2b13c6ff-b87a-484d-86fd-21ef6e97d426
 pretty_name: OSS Bucket Has Static Website
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#website
 2b1836f1-dcce-416e-8e16-da8c71920633:
 categories:
@@ -2829,6 +3098,7 @@ rules:
 group: cloud-resources-public-access
 name: 2b1836f1-dcce-416e-8e16-da8c71920633
 pretty_name: Workload Host Port Not Specified
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#exposing-the-service
 2b1d4935-9acf-48a7-8466-10d18bf51a69:
 categories:
@@ -2838,6 +3108,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: 2b1d4935-9acf-48a7-8466-10d18bf51a69
 pretty_name: RDS Multi-AZ Deployment Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html
 2b3c671f-1b76-4741-8789-ed1fe0785dc4:
 categories:
@@ -2847,6 +3118,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 2b3c671f-1b76-4741-8789-ed1fe0785dc4
 pretty_name: PostgreSQL Server Without Connection Throttling
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration
 2b3c8a6d-9856-43e6-ab1d-d651094f03b4:
 categories:
@@ -2857,6 +3129,7 @@ rules:
 group: cloud-resources-public-access
 name: 2b3c8a6d-9856-43e6-ab1d-d651094f03b4
 pretty_name: EMR Without VPC
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/emr_cluster#subnet_id
 2b856bf9-8e8c-4005-875f-303a8cba3918:
 categories:
@@ -2866,6 +3139,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 2b856bf9-8e8c-4005-875f-303a8cba3918
 pretty_name: Small Activity Log Retention Period
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_log_profile
 2bb13841-7575-439e-8e0a-cccd9ede2fa8:
 categories:
@@ -2876,6 +3150,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 2bb13841-7575-439e-8e0a-cccd9ede2fa8
 pretty_name: Ram Account Password Policy Max Password Age Unrecommended
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#max_password_age
 2bc626a8-0751-446f-975d-8139214fc790:
 categories:
@@ -2886,6 +3161,7 @@ rules:
 group: cloud-insecure-iam
 name: 2bc626a8-0751-446f-975d-8139214fc790
 pretty_name: Role Assignment Of Guest Users
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
 2bd608ae-8a1f-457f-b710-c237883cb313:
 categories:
@@ -2896,6 +3172,7 @@ rules:
 group: top10-insecure-design
 name: 2bd608ae-8a1f-457f-b710-c237883cb313
 pretty_name: Schema Has A Required Property Undefined (v3)
+ recommended: true
 ref: https://swagger.io/specification/#schema-object
 2bff9906-4e9b-4f71-9346-8ebedfdf43ef:
 categories:
@@ -2905,6 +3182,7 @@ rules:
 group: cloud-weak-configuration
 name: 2bff9906-4e9b-4f71-9346-8ebedfdf43ef
 pretty_name: PSP Allows Privilege Escalation
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allow_privilege_escalation
 2c161e58-cb52-454f-abea-6470c37b5e6e:
 categories:
@@ -2914,6 +3192,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: 2c161e58-cb52-454f-abea-6470c37b5e6e
 pretty_name: RDS DB Instance With Deletion Protection Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-deletionprotection
 2c99a474-2a3c-4c17-8294-53ffa5ed0522:
 categories:
@@ -2924,6 +3203,7 @@ rules:
 group: top10-crypto-failures
 name: 2c99a474-2a3c-4c17-8294-53ffa5ed0522
 pretty_name: Storage Account Not Forcing HTTPS
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-https_only
 2ca87964-fe7e-4cdc-899c-427f0f3525f8:
 categories:
@@ -2933,6 +3213,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 2ca87964-fe7e-4cdc-899c-427f0f3525f8
 pretty_name: DocDB Logging Is Disabled
+ recommended: true
 ref: https://www.pulumi.com/registry/packages/aws/api-docs/docdb/cluster/#enabledcloudwatchlogsexports_yaml
 2cb674f6-32f9-40be-97f2-62c0dc38f0d5:
 categories:
@@ -2945,6 +3226,7 @@ rules:
 group: cloud-resources-public-access
 name: 2cb674f6-32f9-40be-97f2-62c0dc38f0d5
 pretty_name: RDS Using Default Port
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-port
 2cf35b40-ded3-43d6-9633-c8dcc8bcc822:
 categories:
@@ -2956,6 +3238,7 @@ rules:
 group: top10-insecure-design
 name: 2cf35b40-ded3-43d6-9633-c8dcc8bcc822
 pretty_name: Operation Example Mismatch Produces MimeType
+ recommended: true
 ref: https://swagger.io/specification/v2/#exampleObject
 2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045:
 categories:
@@ -2975,6 +3258,7 @@ rules:
 group: top10-crypto-failures
 name: 2d55ef88-b616-4890-b822-47f280763e89
 pretty_name: Memcached Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/elasticache_module.html#parameter-engine
 2d6646f4-2946-420f-8c14-3232d49ae0cb:
 categories:
@@ -2984,6 +3268,7 @@ rules:
 group: top10-insecure-design
 name: 2d6646f4-2946-420f-8c14-3232d49ae0cb
 pretty_name: Header Object With Incorrect Ref
+ recommended: true
 ref: https://swagger.io/specification/#responses-object
 2d8c175a-6d90-412b-8b0e-e034ea49a1fe:
 categories:
@@ -2994,6 +3279,7 @@ rules:
 group: top10-crypto-failures
 name: 2d8c175a-6d90-412b-8b0e-e034ea49a1fe
 pretty_name: Global Server Object Uses HTTP
+ recommended: true
 ref: https://swagger.io/specification/#server-object
 2da46be4-4317-4650-9285-56d7103c4f93:
 categories:
@@ -3003,6 +3289,7 @@ rules:
 group: cloud-insecure-iam
 name: 2da46be4-4317-4650-9285-56d7103c4f93
 pretty_name: Global Security Using Password Flow
+ recommended: true
 ref: https://swagger.io/specification/v2/#securityRequirementObject
 2e275f16-b627-4d3f-ae73-a6153a23ae8f:
 categories:
@@ -3012,6 +3299,7 @@ rules:
 group: top10-insecure-design
 name: 2e275f16-b627-4d3f-ae73-a6153a23ae8f
 pretty_name: Parameter JSON Reference Does Not Exists (v3)
+ recommended: true
 ref: https://swagger.io/specification/#components-object
 2e44e632-d617-43cb-b294-6bfe72a08938:
 categories:
@@ -3021,6 +3309,7 @@ rules:
 group: cloud-insecure-iam
 name: 2e44e632-d617-43cb-b294-6bfe72a08938
 pretty_name: Operation Using Password Flow
+ recommended: true
 ref: https://swagger.io/specification/v2/#operation-object
 2e48d91c-50e4-45c8-9312-27b625868a72:
 categories:
@@ -3031,6 +3320,7 @@ rules:
 group: cloud-resources-public-access
 name: 2e48d91c-50e4-45c8-9312-27b625868a72
 pretty_name: WAF Is Disabled For Azure Application Gateway
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway
 2e9b6612-8f69-42e0-a5b8-ed17739c2f3a:
 categories:
@@ -3041,6 +3331,7 @@ rules:
 group: top10-insecure-design
 name: 2e9b6612-8f69-42e0-a5b8-ed17739c2f3a
 pretty_name: Object Using Enum With Keyword (v3)
+ recommended: true
 ref: https://swagger.io/specification/#schema-object
 2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e:
 categories:
@@ -3052,6 +3343,7 @@ rules:
 group: cloud-resources-public-access
 name: 2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e
 pretty_name: Elasticsearch with HTTPS disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#enforce_https
 2ea04bef-c769-409e-9179-ee3a50b5c0ac:
 categories:
@@ -3062,6 +3354,7 @@ rules:
 group: cloud-weak-configuration
 name: 2ea04bef-c769-409e-9179-ee3a50b5c0ac
 pretty_name: Numeric Schema Without Maximum (v3)
+ recommended: true
 ref: https://swagger.io/specification/#schema-object
 2ec86e48-ab90-4cb6-a131-0502afd1f442:
 categories:
@@ -3071,6 +3364,7 @@ rules:
 group: cloud-weak-configuration
 name: 2ec86e48-ab90-4cb6-a131-0502afd1f442
 pretty_name: Maximum Length Undefined (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#schemaObject
 2f01fb2d-828a-499d-b98e-b83747305052:
 categories:
@@ -3081,6 +3375,7 @@ rules:
 group: cloud-insecure-iam
 name: 2f01fb2d-828a-499d-b98e-b83747305052
 pretty_name: No Stack Policy
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack
 2f06d22c-56bd-4f73-8a51-db001fcf2150:
 categories:
@@ -3100,6 +3395,7 @@ rules:
 group: cloud-weak-configuration
 name: 2f1a0619-b12b-48a0-825f-993bb6f01d58
 pretty_name: Not Limited Capabilities For Container
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 2f37c4a3-58b9-4afe-8a87-d7f1d2286f84:
 categories:
@@ -3111,6 +3407,7 @@ rules:
 group: cloud-insecure-iam
 name: 2f37c4a3-58b9-4afe-8a87-d7f1d2286f84
 pretty_name: IAM Policies With Full Privileges
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy
 2f491173-6375-4a84-b28e-a4e2b9a58a69:
 categories:
@@ -3121,6 +3418,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 2f491173-6375-4a84-b28e-a4e2b9a58a69
 pretty_name: Profiling Not Set To False
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 2f56b7ab-7fba-4e93-82f0-247e5ddeb239:
 categories:
@@ -3130,6 +3428,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 2f56b7ab-7fba-4e93-82f0-247e5ddeb239
 pretty_name: MSK Cluster Logging Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#broker_logs
 2f652c42-619d-4361-b361-9f599688f8ca:
 categories:
@@ -3139,6 +3438,7 @@ rules:
 group: top10-insecure-design
 name: 2f652c42-619d-4361-b361-9f599688f8ca
 pretty_name: HPA Targets Invalid Object
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/
 2f737336-b18a-4602-8ea0-b200312e1ac1:
 categories:
@@ -3149,6 +3449,7 @@ rules:
 group: cloud-resources-public-access
 name: 2f737336-b18a-4602-8ea0-b200312e1ac1
 pretty_name: RDS Associated with Public Subnet
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#db_subnet_group_name
 2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255:
 categories:
@@ -3159,6 +3460,7 @@ rules:
 group: cloud-resources-public-access
 name: 2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255
 pretty_name: WAF Is Disabled For Azure Application Gateway
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_appgateway_module.html
 2fc99041-ddad-49d5-853f-e35e70a48391:
 categories:
@@ -3169,6 +3471,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: 2fc99041-ddad-49d5-853f-e35e70a48391
 pretty_name: Restart Policy On Failure Not Set To 5
+ recommended: true
 ref: https://docs.docker.com/config/containers/start-containers-automatically/#use-a-restart-policy
 2ff8e83c-90e1-4d68-a300-6d652112e622:
 categories:
@@ -3179,6 +3482,7 @@ rules:
 group: top10-crypto-failures
 name: 2ff8e83c-90e1-4d68-a300-6d652112e622
 pretty_name: EFS Not Encrypted
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html
 300a9964-b086-41f7-9378-b6de3ba1c32b:
 categories:
@@ -3190,6 +3494,7 @@ rules:
 group: cloud-weak-configuration
 name: 300a9964-b086-41f7-9378-b6de3ba1c32b
 pretty_name: GKE Legacy Authorization Enabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html
 302736f4-b16c-41b8-befe-c0baffa0bd9d:
 categories:
@@ -3200,6 +3505,7 @@ rules:
 group: cloud-weak-configuration
 name: 302736f4-b16c-41b8-befe-c0baffa0bd9d
 pretty_name: Shared Host PID Namespace
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
 309edc5b-5a59-42b4-a357-d4d098311fd4:
 categories:
@@ -3211,6 +3517,7 @@ rules:
 group: top10-crypto-failures
 name: 309edc5b-5a59-42b4-a357-d4d098311fd4
 pretty_name: S3 Bucket SSE Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-encryption_key_id
 30b88745-eebe-4ecb-a3a9-5cf886e96204:
 categories:
@@ -3222,6 +3529,7 @@ rules:
 name: 30b88745-eebe-4ecb-a3a9-5cf886e96204
 pretty_name: Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy
 30e8dfd2-3591-4d19-8d11-79e93106c93d:
 categories:
@@ -3234,6 +3542,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 30e8dfd2-3591-4d19-8d11-79e93106c93d
 pretty_name: Stackdriver Monitoring Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#monitoring_service
 31245f98-a6a9-4182-9fc1-45482b9d030a:
 categories:
@@ -3244,6 +3553,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 31245f98-a6a9-4182-9fc1-45482b9d030a
 pretty_name: MQ Broker Logging Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker
 313d6deb-3b67-4948-b41d-35b699c2492e:
 categories:
@@ -3253,6 +3563,7 @@ rules:
 group: cloud-weak-configuration
 name: 313d6deb-3b67-4948-b41d-35b699c2492e
 pretty_name: Cloud DNS Without DNSSEC
+ recommended: true
 ref: https://cloud.google.com/dns/docs/reference/v1/managedZones
 316278b3-87ac-444c-8f8f-a733a28da60f:
 categories:
@@ -3262,6 +3573,7 @@ rules:
 group: top10-crypto-failures
 name: 316278b3-87ac-444c-8f8f-a733a28da60f
 pretty_name: AmazonMQ Broker Encryption Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amazonmq-broker.html#cfn-amazonmq-broker-encryptionoptions
 31733ee2-fef0-4e87-9778-65da22a8ecf1:
 categories:
@@ -3272,6 +3584,7 @@ rules:
 group: top10-crypto-failures
 name: 31733ee2-fef0-4e87-9778-65da22a8ecf1
 pretty_name: Cloudfront Viewer Protocol Policy Allows HTTP
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html
 3199c26c-7871-4cb3-99c2-10a59244ce7f:
 categories:
@@ -3283,6 +3596,7 @@ rules:
 group: top10-crypto-failures
 name: 3199c26c-7871-4cb3-99c2-10a59244ce7f
 pretty_name: RDS Storage Not Encrypted
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#storage_encrypted
 31afbcb7-70e0-48bb-a31a-3374f95cf859:
 categories:
@@ -3294,6 +3608,7 @@ rules:
 name: 31afbcb7-70e0-48bb-a31a-3374f95cf859
 pretty_name: Response on operations that should have a body has undefined schema (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#responses-object
 31dd6fc0-f274-493b-9614-e063086c19fc:
 categories:
@@ -3304,6 +3619,7 @@ rules:
 group: top10-insecure-design
 name: 31dd6fc0-f274-493b-9614-e063086c19fc
 pretty_name: Parameter Object With Schema And Content
+ recommended: true
 ref: https://swagger.io/specification/#parameter-object
 3206240f-2e87-4e58-8d24-3e19e7c83d7c:
 categories:
@@ -3315,6 +3631,7 @@ rules:
 group: cloud-insecure-iam
 name: 3206240f-2e87-4e58-8d24-3e19e7c83d7c
 pretty_name: ECS Service Admin Role Is Present
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service
 323db967-c68e-44e6-916c-a777f95af34b:
 categories:
@@ -3326,6 +3643,7 @@ rules:
 group: cloud-resources-public-access
 name: 323db967-c68e-44e6-916c-a777f95af34b
 pretty_name: ElastiCache Using Default Port
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticache-replicationgroup.html#cfn-elasticache-replicationgroup-port
 327b0729-4c5c-4c44-8b5c-e476cd9c7290:
 categories:
@@ -3336,6 +3654,7 @@ rules:
 group: top10-insecure-design
 name: 327b0729-4c5c-4c44-8b5c-e476cd9c7290
 pretty_name: DynamoDB Table Point In Time Recovery Disabled
+ recommended: true
 ref: https://www.pulumi.com/registry/packages/aws/api-docs/dynamodb/table/#pointintimerecovery_yaml
 32d31f1f-0f83-4721-b7ec-1e6948c60145:
 categories:
@@ -3346,6 +3665,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: 32d31f1f-0f83-4721-b7ec-1e6948c60145
 pretty_name: Stack Without Template
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudformation_module.html
 32ecd6eb-0711-421f-9627-1a28d9eff217:
 categories:
@@ -3356,6 +3676,7 @@ rules:
 group: cloud-insecure-iam
 name: 32ecd6eb-0711-421f-9627-1a28d9eff217
 pretty_name: OSLogin Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_project_metadata#metadata
 32ecd76e-7bbf-402e-bf48-8b9485749558:
 categories:
@@ -3367,6 +3688,7 @@ rules:
 group: cloud-insecure-iam
 name: 32ecd76e-7bbf-402e-bf48-8b9485749558
 pretty_name: Token Auth File Is Set
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 332cf2ad-380d-4b90-b436-46f8e635cf38:
 categories:
@@ -3376,6 +3698,7 @@ rules:
 group: top10-insecure-design
 name: 332cf2ad-380d-4b90-b436-46f8e635cf38
 pretty_name: Invalid Contact URL (v3)
+ recommended: true
 ref: https://swagger.io/specification/#contact-object
 3360c01e-c8c0-4812-96a2-a6329b9b7f9f:
 categories:
@@ -3386,6 +3709,7 @@ rules:
 group: cloud-weak-configuration
 name: 3360c01e-c8c0-4812-96a2-a6329b9b7f9f
 pretty_name: Role Binding To Default Service Account
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding#subject
 33627268-1445-4385-988a-318fd9d1a512:
 categories:
@@ -3397,6 +3721,7 @@ rules:
 name: 33627268-1445-4385-988a-318fd9d1a512
 pretty_name: User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy
 338b6cab-961d-4998-bb49-e5b6a11c9a5c:
 categories:
@@ -3409,6 +3734,7 @@ rules:
 group: top10-insecure-design
 name: 338b6cab-961d-4998-bb49-e5b6a11c9a5c
 pretty_name: EC2 Not EBS Optimized
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-ebs_optimized
 33d96c65-977d-4c33-943f-440baca49185:
 categories:
@@ -3419,6 +3745,7 @@ rules:
 group: cloud-insecure-iam
 name: 33d96c65-977d-4c33-943f-440baca49185
 pretty_name: Invalid OAuth2 Authorization URL (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#securitySchemeObject
 33f41d31-86b1-46a4-81f7-9c9a671f59ac:
 categories:
@@ -3429,6 +3756,7 @@ rules:
 group: cloud-weak-configuration
 name: 33f41d31-86b1-46a4-81f7-9c9a671f59ac
 pretty_name: ECR Image Tag Not Immutable
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html
 33fc6923-6553-4fe6-9d3a-4efa51eb874b:
 categories:
@@ -3441,6 +3769,7 @@ rules:
 group: cloud-insecure-iam
 name: 33fc6923-6553-4fe6-9d3a-4efa51eb874b
 pretty_name: Node Restriction Admission Control Plugin Not Set
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 344bf8ab-9308-462b-a6b2-697432e40ba1:
 categories:
@@ -3453,6 +3782,7 @@ rules:
 group: cloud-weak-configuration
 name: 344bf8ab-9308-462b-a6b2-697432e40ba1
 pretty_name: GKE Basic Authentication Enabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html
 34664094-59e0-4524-b69f-deaa1a68cce3:
 categories:
@@ -3462,6 +3792,7 @@ rules:
 group: top10-insecure-design
 name: 34664094-59e0-4524-b69f-deaa1a68cce3
 pretty_name: Security Contact Email
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_contact#email
 34b921bd-90a0-402e-a0a5-dc73371fd963:
 categories:
@@ -3471,6 +3802,7 @@ rules:
 group: cloud-insecure-iam
 name: 34b921bd-90a0-402e-a0a5-dc73371fd963
 pretty_name: SES Policy With Allowed IAM Actions
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_identity_policy#policy
 3505094c-f77c-4ba0-95da-f83db712f86c:
 categories:
@@ -3482,6 +3814,7 @@ rules:
 group: cloud-weak-configuration
 name: 3505094c-f77c-4ba0-95da-f83db712f86c
 pretty_name: S3 Bucket with Unsecured CORS Rule
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_s3_cors_module.html#parameter-rules
 350cd468-0e2c-44ef-9d22-cfb73a62523c:
 categories:
@@ -3492,6 +3825,7 @@ rules:
 group: cloud-weak-configuration
 name: 350cd468-0e2c-44ef-9d22-cfb73a62523c
 pretty_name: S3 Bucket Without Restriction Of Public Bucket
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html
 350f3955-b5be-436f-afaa-3d2be2fa6cdd:
 categories:
@@ -3502,6 +3836,7 @@ rules:
 group: top10-crypto-failures
 name: 350f3955-b5be-436f-afaa-3d2be2fa6cdd
 pretty_name: Azure Managed Disk Without Encryption
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/disks?tabs=json#encryptionsettingscollection-object
 35113e6f-2c6b-414d-beec-7a9482d3b2d1:
 categories:
@@ -3513,6 +3848,7 @@ rules:
 group: cloud-weak-configuration
 name: 35113e6f-2c6b-414d-beec-7a9482d3b2d1
 pretty_name: RDS DB Instance Publicly Accessible
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#publicly_accessible
 3561130e-9c5f-485b-9e16-2764c82763e5:
 categories:
@@ -3523,6 +3859,7 @@ rules:
 group: cloud-weak-configuration
 name: 3561130e-9c5f-485b-9e16-2764c82763e5
 pretty_name: IAM User Has Too Many Access Keys
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key#user
 35c0a471-f7c8-4993-aa2c-503a3c712a66:
 categories:
@@ -3533,6 +3870,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 35c0a471-f7c8-4993-aa2c-503a3c712a66
 pretty_name: Audit Log Maxsize Not Properly Set
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 35ccf766-0e4d-41ed-9ec4-2dab155082b4:
 categories:
@@ -3543,6 +3881,7 @@ rules:
 group: cloud-insecure-iam
 name: 35ccf766-0e4d-41ed-9ec4-2dab155082b4
 pretty_name: Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy
 35e2f133-a395-40de-a79d-b260d973d1bd:
 categories:
@@ -3554,6 +3893,7 @@ rules:
 group: cloud-insecure-iam
 name: 35e2f133-a395-40de-a79d-b260d973d1bd
 pretty_name: Public Storage Account
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-network_acls
 3602d273-3290-47b2-80fa-720162b1a8af:
 categories:
@@ -3564,6 +3904,7 @@ rules:
 group: cloud-resources-public-access
 name: 3602d273-3290-47b2-80fa-720162b1a8af
 pretty_name: Google Compute Network Using Firewall Rule that Allows All Ports
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html#parameter-allowed
 3609d27c-3698-483a-9402-13af6ae80583:
 categories:
@@ -3575,6 +3916,7 @@ rules:
 group: cloud-weak-configuration
 name: 3609d27c-3698-483a-9402-13af6ae80583
 pretty_name: S3 Bucket With Unsecured CORS Rule
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-cors.html
 3641d5b4-d339-4bc2-bfb9-208fe8d3477f:
 categories:
@@ -3584,6 +3926,7 @@ rules:
 group: cloud-insecure-iam
 name: 3641d5b4-d339-4bc2-bfb9-208fe8d3477f
 pretty_name: API Gateway Method Does Not Contains An API Key
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-method.html
 36a27826-1bf5-49da-aeb0-a60a30c0e834:
 categories:
@@ -3594,6 +3937,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 36a27826-1bf5-49da-aeb0-a60a30c0e834
 pretty_name: Kubelet Client Certificate Or Key Not Set
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 37140f7f-724a-4c87-a536-e9cee1d61533:
 categories:
@@ -3604,6 +3948,7 @@ rules:
 group: top10-insecure-design
 name: 37140f7f-724a-4c87-a536-e9cee1d61533
 pretty_name: Security Requirement Object With Wrong Scopes
+ recommended: true
 ref: https://swagger.io/specification/#security-requirement-object
 37304d3f-f852-40b8-ae3f-725e87a7cedf:
 categories:
@@ -3613,6 +3958,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 37304d3f-f852-40b8-ae3f-725e87a7cedf
 pretty_name: EKS cluster logging is not enabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabled_cluster_log_types
 376c9390-7e9e-4cb8-a067-fd31c05451fd:
 categories:
@@ -3622,6 +3968,7 @@ rules:
 group: top10-insecure-design
 name: 376c9390-7e9e-4cb8-a067-fd31c05451fd
 pretty_name: Header JSON Reference Does Not Exists
+ recommended: true
 ref: https://swagger.io/specification/#components-object
 3790d386-be81-4dcf-9850-eaa7df6c10d9:
 categories:
@@ -3632,6 +3979,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 3790d386-be81-4dcf-9850-eaa7df6c10d9
 pretty_name: PostgreSQL Log Checkpoints Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration
 37cca703-b74c-48ba-ac81-595b53398e9b:
 categories:
@@ -3643,6 +3991,7 @@ rules:
 group: top10-crypto-failures
 name: 37cca703-b74c-48ba-ac81-595b53398e9b
 pretty_name: API Gateway Cache Encrypted Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-deployment-stagedescription.html
 37fa8188-738b-42c8-bf82-6334ea567738:
 categories:
@@ -3653,6 +4002,7 @@ rules:
 group: cloud-weak-configuration
 name: 37fa8188-738b-42c8-bf82-6334ea567738
 pretty_name: S3 Bucket Should Have Bucket Policy
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
 37fafbea-dedb-4e0d-852e-d16ee0589326:
 categories:
@@ -3662,6 +4012,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 37fafbea-dedb-4e0d-852e-d16ee0589326
 pretty_name: Small Activity Log Retention Period
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_monitorlogprofile_module.html
 381c3f2a-ef6f-4eff-99f7-b169cda3422c:
 categories:
@@ -3673,6 +4024,7 @@ rules:
 group: cloud-resources-public-access
 name: 381c3f2a-ef6f-4eff-99f7-b169cda3422c
 pretty_name: Sensitive Port Is Exposed To Entire Network
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
 38300d1a-feb2-4a48-936a-d1ef1cd24313:
 categories:
@@ -3683,6 +4035,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: 38300d1a-feb2-4a48-936a-d1ef1cd24313
 pretty_name: Missing Zypper Clean
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
 3847280c-9193-40bc-8009-76168e822ce2:
 categories:
@@ -3693,6 +4046,7 @@ rules:
 group: cloud-insecure-iam
 name: 3847280c-9193-40bc-8009-76168e822ce2
 pretty_name: Undefined Scope 'securityDefinition' On 'security' Field On Operations
+ recommended: true
 ref: https://swagger.io/specification/v2/#security-scheme-object
 3878dc92-8e5d-47cf-9cdd-7590f71d21b9:
 categories:
@@ -3703,6 +4057,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: 3878dc92-8e5d-47cf-9cdd-7590f71d21b9
 pretty_name: Incorrect Volume Claim Access Mode ReadWriteOnce
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/
 38b85c45-e772-4de8-a247-69619ca137b3:
 categories:
@@ -3713,6 +4068,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 38b85c45-e772-4de8-a247-69619ca137b3
 pretty_name: CloudWatch AWS Organizations Changes Missing Alarm
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern
 38c5ee0d-7f22-4260-ab72-5073048df100:
 categories:
@@ -3723,6 +4079,7 @@ rules:
 group: cloud-insecure-iam
 name: 38c5ee0d-7f22-4260-ab72-5073048df100
 pretty_name: S3 Bucket ACL Allows Read Or Write to All Users
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
 38c64e76-c71e-4d92-a337-60174d1de1c9:
 categories:
@@ -3734,6 +4091,7 @@ rules:
 group: top10-crypto-failures
 name: 38c64e76-c71e-4d92-a337-60174d1de1c9
 pretty_name: S3 Bucket Without SSL In Write Actions
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
 38c71c00-c177-4cd7-8d36-cd1007cdb190:
 categories:
@@ -3744,6 +4102,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 38c71c00-c177-4cd7-8d36-cd1007cdb190
 pretty_name: Vault Auditing Disabled
+ recommended: true
 ref: https://www.terraform.io/docs/providers/azurerm/r/key_vault.html
 38fa11ef-dbcc-4da8-9680-7e1fd855b6fb:
 categories:
@@ -3756,6 +4115,7 @@ rules:
 group: cloud-insecure-iam
 name: 38fa11ef-dbcc-4da8-9680-7e1fd855b6fb
 pretty_name: RBAC Roles with Port-Forwarding Permission
+ recommended: true
 ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 392599e4-a4e2-403d-bc56-3fe05755782d:
 categories:
@@ -3765,6 +4125,7 @@ rules:
 group: cloud-insecure-iam
 name: 392599e4-a4e2-403d-bc56-3fe05755782d
 pretty_name: API Key Exposed In Operation Security (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#securityDefinitionsObject
 39423ce4-9011-46cd-b6b1-009edcd9385d:
 categories:
@@ -3775,6 +4136,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 39423ce4-9011-46cd-b6b1-009edcd9385d
 pretty_name: DocDB Cluster Master Password In Plaintext
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-docdb-dbcluster.html
 39750e32-3fe9-453b-8c33-dd277acdb2cc:
 categories:
@@ -3784,6 +4146,7 @@ rules:
 group: top10-crypto-failures
 name: 39750e32-3fe9-453b-8c33-dd277acdb2cc
 pretty_name: Disk Encryption Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/disk#encrypted
 3979b0a4-532c-4ea7-86e4-34c090eaa4f2:
 categories:
@@ -3794,6 +4157,7 @@ rules:
 group: cloud-insecure-iam
 name: 3979b0a4-532c-4ea7-86e4-34c090eaa4f2
 pretty_name: OAuth2 With Password Flow
+ recommended: true
 ref: https://swagger.io/specification/#oauth-flows-object
 39cb32f2-3a42-4af0-8037-82a7a9654b6c:
 categories:
@@ -3804,6 +4168,7 @@ rules:
 group: cloud-insecure-iam
 name: 39cb32f2-3a42-4af0-8037-82a7a9654b6c
 pretty_name: OAuth2 With Implicit Flow
+ recommended: true
 ref: https://swagger.io/specification/#oauth-flows-object
 3a01790c-ebee-4da6-8fd3-e78657383b75:
 categories:
@@ -3814,6 +4179,7 @@ rules:
 group: top10-insecure-design
 name: 3a01790c-ebee-4da6-8fd3-e78657383b75
 pretty_name: Schema with 'additionalProperties' set as Boolean
+ recommended: true
 ref: https://swagger.io/specification/v2/#schema-object
 3a1e94df-6847-4c0e-a3b6-6c6af4e128ef:
 categories:
@@ -3826,6 +4192,7 @@ rules:
 group: cloud-weak-configuration
 name: 3a1e94df-6847-4c0e-a3b6-6c6af4e128ef
 pretty_name: Vulnerable Default SSL Certificate
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution
 3a81fc06-566f-492a-91dd-7448e409e2cd:
 categories:
@@ -3835,6 +4202,7 @@ rules:
     group: top10-insecure-design
     name: 3a81fc06-566f-492a-91dd-7448e409e2cd
     pretty_name: Generic Git Module Without Revision
+    recommended: true
     ref: https://www.terraform.io/docs/language/modules/sources.html#selecting-a-revision
   3ab1f27d-52cc-4943-af1d-43c1939e739a:
     categories:
@@ -3845,6 +4213,7 @@ rules:
     group: cloud-insecure-iam
     name: 3ab1f27d-52cc-4943-af1d-43c1939e739a
     pretty_name: S3 Bucket Access to Any Principal
+    recommended: true
     ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#ansible-collections-amazon-aws-s3-bucket-module
   3ac3e75c-6374-4a32-8ba0-6ed69bda404e:
     categories:
@@ -3855,6 +4224,7 @@ rules:
     group: cloud-insecure-iam
     name: 3ac3e75c-6374-4a32-8ba0-6ed69bda404e
     pretty_name: Storage Table Allows All ACL Permissions
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_table#permissions
   3ae83918-7ec7-4cb8-80db-b91ef0f94002:
     categories:
@@ -3865,6 +4235,7 @@ rules:
     group: cloud-resources-public-access
     name: 3ae83918-7ec7-4cb8-80db-b91ef0f94002
     pretty_name: Security Group Unrestricted Access To RDP
+    recommended: true
     ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html
   3af7f2fd-06e6-4dab-b996-2912bea19ba4:
     categories:
@@ -3875,6 +4246,7 @@ rules:
     group: cloud-resources-public-access
     name: 3af7f2fd-06e6-4dab-b996-2912bea19ba4
     pretty_name: Network ACL With Unrestricted Access To SSH
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl
   3b02569b-fc6f-4153-b3a3-ba91022fed68:
     categories:
@@ -3886,6 +4258,7 @@ rules:
     group: top10-crypto-failures
     name: 3b02569b-fc6f-4153-b3a3-ba91022fed68
     pretty_name: ElastiCache With Disabled Transit Encryption
+    recommended: true
     ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticache-replicationgroup.html
   3b066059-f411-4554-ac8d-96f32bff90da:
     categories:
@@ -3895,6 +4268,7 @@ rules:
     group: cloud-resources-public-access
     name: 3b066059-f411-4554-ac8d-96f32bff90da
     pretty_name: Success Response Code Undefined for Head Operation (v3)
+    recommended: true
     ref: https://swagger.io/specification/#operation-object
   3b30e3d6-c99b-4318-b38f-b99db74578b5:
     categories:
@@ -3907,6 +4281,7 @@ rules:
     group: cloud-weak-configuration
     name: 3b30e3d6-c99b-4318-b38f-b99db74578b5
     pretty_name: Private Cluster Disabled
+    recommended: true
     ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html
   3b316b05-564c-44a7-9c3f-405bb95e211e:
     categories:
@@ -3918,6 +4293,7 @@ rules:
     group: top10-crypto-failures
     name: 3b316b05-564c-44a7-9c3f-405bb95e211e
     pretty_name: Redshift Not Encrypted
+    recommended: true
     ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html
   3b3b4411-ad1f-40e7-b257-a78a6bb9673a:
     categories:
@@ -3928,6 +4304,7 @@ rules:
     group: cloud-insecure-iam
     name: 3b3b4411-ad1f-40e7-b257-a78a6bb9673a
     pretty_name: VPC Without Attached Subnet
+    recommended: true
     ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html
   3b497874-ae59-46dd-8d72-1868a3b8f150:
     categories:
@@ -3938,6 +4315,7 @@ rules:
     group: cloud-resources-public-access
     name: 3b497874-ae59-46dd-8d72-1868a3b8f150
     pretty_name: Success Response Code Undefined for Delete Operation (v3)
+    recommended: true
     ref: https://swagger.io/specification/#operation-object
   3b615f00-c443-4ba9-acc4-7c308716917d:
     categories:
@@ -3949,6 +4327,7 @@ rules:
     group: top10-insecure-design
     name: 3b615f00-c443-4ba9-acc4-7c308716917d
     pretty_name: Unknown Prefix (v2)
+    recommended: true
     ref: https://swagger.io/specification/v2/#swagger-object
   3b6d777b-76e3-4133-80a3-0d6f667ade7f:
     categories:
@@ -3959,6 +4338,7 @@ rules:
     group: top10-insecure-design
     name: 3b6d777b-76e3-4133-80a3-0d6f667ade7f
     pretty_name: Automatic Minor Upgrades Disabled
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#auto_minor_version_upgrade
   3ba0cca1-b815-47bf-ac62-1e584eb64a05:
     categories:
@@ -3969,6 +4349,7 @@ rules:
     group: cloud-insecure-iam
     name: 3ba0cca1-b815-47bf-ac62-1e584eb64a05
     pretty_name: Invalid OAuth2 Token URL (v3)
+    recommended: true
     ref: https://swagger.io/specification/#oauth-flow-object
   3c3b7a58-b018-4d07-9444-d9ee7156e111:
     categories:
@@ -3980,6 +4361,7 @@ rules:
     group: top10-crypto-failures
     name: 3c3b7a58-b018-4d07-9444-d9ee7156e111
     pretty_name: Alexa Skill Plaintext Client Secret Exposed
+    recommended: true
     ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ask-skill.html#cfn-ask-skill-authenticationconfiguration
   3ca03a61-3249-4c16-8427-6f8e47dda729:
     categories:
@@ -3989,6 +4371,7 @@ rules:
     group: cloud-weak-configuration
     name: 3ca03a61-3249-4c16-8427-6f8e47dda729
     pretty_name: Service Does Not Target Pod
+    recommended: true
     ref: https://kubernetes.io/docs/concepts/services-networking/service/
   3cb4af0b-056d-4fb1-8b95-fdc4593625ff:
     categories:
@@ -4001,6 +4384,7 @@ rules:
     group: cloud-weak-configuration
     name: 3cb4af0b-056d-4fb1-8b95-fdc4593625ff
     pretty_name: Using Default Service Account
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance
   3d24b204-b73d-42cb-b0bf-1a5438c5f71e:
     categories:
@@ -4012,6 +4396,7 @@ rules:
     group: cloud-resources-public-access
     name: 3d24b204-b73d-42cb-b0bf-1a5438c5f71e
     pretty_name: Secure Port Set To Zero
+    recommended: true
     ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
   3d28f751-bc18-4f83-ace0-216b6086410b:
     categories:
@@ -4022,6 +4407,7 @@ rules:
     group: cloud-weak-configuration
     name: 3d28f751-bc18-4f83-ace0-216b6086410b
     pretty_name: JSON Object Schema Without Properties (v2)
+    recommended: true
     ref: https://swagger.io/specification/v2/#schemaObject
   3d3f6270-546b-443c-adb4-bb6fb2187ca6:
     categories:
@@ -4032,6 +4418,7 @@ rules:
     group: top10-crypto-failures
     name: 3d3f6270-546b-443c-adb4-bb6fb2187ca6
     pretty_name: EBS Default Encryption Disabled
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default
   3d658f8b-d988-41a0-a841-40043121de1e:
     categories:
@@ -4041,6 +4428,7 @@ rules:
     group: cloud-weak-secrets-management
     name: 3d658f8b-d988-41a0-a841-40043121de1e
     pretty_name: Secrets As Environment Variables
+    recommended: true
     ref: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables
   3d7d7b6c-fb0a-475e-8a28-c125e30d15f0:
     categories:
@@ -4050,6 +4438,7 @@ rules:
     group: top10-insecure-design
     name: 3d7d7b6c-fb0a-475e-8a28-c125e30d15f0
     pretty_name: Host With Invalid Pattern
+    recommended: true
     ref: https://swagger.io/specification/v2/#swagger-object
   3db3f534-e3a3-487f-88c7-0a9fbf64b702:
     categories:
@@ -4059,6 +4448,7 @@ rules:
     group: top10-crypto-failures
     name: 3db3f534-e3a3-487f-88c7-0a9fbf64b702
     pretty_name: AmazonMQ Broker Encryption Disabled
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker
   3dd96caa-0b5f-4a85-b929-acfac4646cc2:
     categories:
@@ -4069,6 +4459,7 @@ rules:
     group: cloud-insecure-iam
     name: 3dd96caa-0b5f-4a85-b929-acfac4646cc2
     pretty_name: Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy
   3ddd74cc-6582-486c-8b0c-2b48cb38e0a3:
     categories:
@@ -4079,6 +4470,7 @@ rules:
     group: top10-insecure-design
     name: 3ddd74cc-6582-486c-8b0c-2b48cb38e0a3
     pretty_name: Header Parameter Named as 'Accept' (v2)
+    recommended: true
     ref: https://swagger.io/specification/v2/#parameterObject
   3ddf3417-424d-420d-8275-0724dc426520:
     categories:
@@ -4089,6 +4481,7 @@ rules:
     group: top10-insecure-design
     name: 3ddf3417-424d-420d-8275-0724dc426520
     pretty_name: Lambda Permission Misconfigured
+    recommended: true
     ref: https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_policy_module.html
   3ddfa124-6407-4845-a501-179f90c65097:
     categories:
@@ -4100,6 +4493,7 @@ rules:
     group: cloud-insecure-iam
     name: 3ddfa124-6407-4845-a501-179f90c65097
     pretty_name: Authentication Without MFA
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy
   3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6:
     categories:
@@ -4109,6 +4503,7 @@ rules:
     group: top10-security-logging-monitoring-failures
     name: 3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6
     pretty_name: Redshift Cluster Logging Disabled
+    recommended: true
     ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html#cfn-redshift-cluster-loggingproperties
   3deec14b-03d2-4d27-9670-7d79322e3340:
     categories:
@@ -4120,6 +4515,7 @@ rules:
     group: top10-crypto-failures
     name: 3deec14b-03d2-4d27-9670-7d79322e3340
     pretty_name: CodeBuild Project Encrypted With AWS Managed Key
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project#encryption_key
   3e09413f-471e-40f3-8626-990c79ae63f3:
     categories:
@@ -4129,6 +4525,7 @@ rules:
     group: top10-security-logging-monitoring-failures
     name: 3e09413f-471e-40f3-8626-990c79ae63f3
     pretty_name: CloudTrail SNS Topic Name Undefined
+    recommended: true
     ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-snstopicname
   3e293410-d5b8-411f-85fd-7d26294f20c9:
     categories:
@@ -4138,6 +4535,7 @@ rules:
     group: cloud-resources-public-access
     name: 3e293410-d5b8-411f-85fd-7d26294f20c9
     pretty_name: VPC Without Network Firewall
+    recommended: true
     ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-firewall.html#cfn-networkfirewall-firewall-vpcid
   3e3c175e-aadf-4e2b-a464-3fdac5748d24:
     categories:
@@ -4148,6 +4546,7 @@ rules:
     group: cloud-resources-public-access
     name: 3e3c175e-aadf-4e2b-a464-3fdac5748d24
     pretty_name: SSH Is Exposed To The Internet
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule
   3e4d34d2-36cf-4449-976d-6c256db8fc49:
     categories:
@@ -4158,6 +4557,7 @@ rules:
     group: top10-insecure-design
     name: 3e4d34d2-36cf-4449-976d-6c256db8fc49
     pretty_name: Items Undefined (v2)
+    recommended: true
     ref: https://swagger.io/specification/v2/#schema-object
   3e4d5ce6-3280-4027-8010-c26eeea1ec01:
     categories:
@@ -4167,6 +4567,7 @@ rules:
     group: cloud-weak-secrets-management
     name: 3e4d5ce6-3280-4027-8010-c26eeea1ec01
     pretty_name: Project-wide SSH Keys Are Enabled In VM Instances
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance
   3e6c7b1c-8a8d-43ab-98b9-65159f44db4a:
     categories:
@@ -4177,6 +4578,7 @@ rules:
     group: top10-insecure-design
     name: 3e6c7b1c-8a8d-43ab-98b9-65159f44db4a
     pretty_name: Paths Object is Empty (v2)
+    recommended: true
     ref: https://swagger.io/specification/v2/#pathsObject
   3e9fcc67-1f64-405f-b2f9-0a6be17598f0:
     categories:
@@ -4186,6 +4588,7 @@ rules:
     group: top10-insecure-design
     name: 3e9fcc67-1f64-405f-b2f9-0a6be17598f0
     pretty_name: Phone Number Not Set For Security Contacts
+    recommended: true
     ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.security/securitycontacts?tabs=json
   3ed8fc82-c2bb-49e0-811f-c53923674c49:
     categories:
@@ -4196,6 +4599,7 @@ rules:
     group: cloud-weak-configuration
     name: 3ed8fc82-c2bb-49e0-811f-c53923674c49
     pretty_name: Numeric Schema Without Format (v2)
+    recommended: true
     ref: https://swagger.io/specification/v2/#schemaObject
   3ef8696c-e4ae-4872-92c7-520bb44dfe77:
     categories:
@@ -4205,6 +4609,7 @@ rules:
     group: cloud-insecure-iam
     name: 3ef8696c-e4ae-4872-92c7-520bb44dfe77
     pretty_name: Public Lambda via API Gateway
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission
   3f23c96c-f9f5-488d-9b17-605b8da5842f:
     categories:
@@ -4217,6 +4622,7 @@ rules:
     group: cloud-resources-public-access
     name: 3f23c96c-f9f5-488d-9b17-605b8da5842f
     pretty_name: Unrestricted SQL Server Access
+    recommended: true
     ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlfirewallrule_module.html
   3f2cf811-88fa-4eda-be45-7a191a18aba9:
     categories:
@@ -4226,6 +4632,7 @@ rules:
     group: top10-insecure-design
     name: 3f2cf811-88fa-4eda-be45-7a191a18aba9
     pretty_name: Misconfigured Password Policy Expiration
+    recommended: true
     ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html
   3f55386d-75cd-4e9a-ac47-167b26c04724:
     categories:
@@ -4235,6 +4642,7 @@ rules:
     group: cloud-weak-configuration
     name: 3f55386d-75cd-4e9a-ac47-167b26c04724
     pretty_name: Containers With Sys Admin Capabilities
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#capabilities-1
   3f5ff8a7-5ad6-4d02-86f5-666307da1b20:
     categories:
@@ -4245,6 +4653,7 @@ rules:
     group: cloud-weak-secrets-management
     name: 3f5ff8a7-5ad6-4d02-86f5-666307da1b20
     pretty_name: Etcd Client Certificate File Not Defined
+    recommended: true
     ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
   3fa5900f-9aac-4982-96b2-a6143d9c99fb:
     categories:
@@ -4254,6 +4663,7 @@ rules:
     group: cloud-insecure-iam
     name: 3fa5900f-9aac-4982-96b2-a6143d9c99fb
     pretty_name: Role Definition Allows Custom Role Creation
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition#actions
   3fb03214-25d4-4bd4-867c-c2d8d708a483:
     categories:
@@ -4263,6 +4673,7 @@ rules:
     group: top10-insecure-design
     name: 3fb03214-25d4-4bd4-867c-c2d8d708a483
     pretty_name: Properties Missing Required Property (v3)
+    recommended: true
     ref: https://swagger.io/specification/#schema-object
   4003118b-046b-4640-b200-b8c7a4c8b89f:
     categories:
@@ -4276,6 +4687,7 @@ rules:
     group: cloud-insecure-iam
     name: 4003118b-046b-4640-b200-b8c7a4c8b89f
     pretty_name: SSO Identity User Unsafe Creation
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_user
   40430747-442d-450a-a34f-dc57149f4609:
     categories:
@@ -4286,6 +4698,7 @@ rules:
     group: top10-security-logging-monitoring-failures
     name: 40430747-442d-450a-a34f-dc57149f4609
     pretty_name: Google Compute Subnetwork Logging Disabled
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork
   404fde2c-bc4b-4371-9747-7054132ac953:
     categories:
@@ -4296,6 +4709,7 @@ rules:
     group: cloud-insecure-iam
     name: 404fde2c-bc4b-4371-9747-7054132ac953
     pretty_name: Default Seccomp Profile Disabled
+    recommended: true
     ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt
   40abce54-95b1-478c-8e5f-ea0bf0bb0e33:
     categories:
@@ -4305,6 +4719,7 @@ rules:
     group: cloud-resources-public-access
     name: 40abce54-95b1-478c-8e5f-ea0bf0bb0e33
     pretty_name: Google Compute Network Using Default Firewall Rule
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall#name
   40d3df21-c170-4dbe-9c02-4289b51f994f:
     categories:
@@ -4314,6 +4729,7 @@ rules:
     group: top10-insecure-design
     name: 40d3df21-c170-4dbe-9c02-4289b51f994f
     pretty_name: Schema Discriminator Mismatch Defined Properties (v3)
+    recommended: true
     ref: https://swagger.io/specification/#schema-object
   40e1d1bf-11a9-4f63-a3a2-a8b84c602839:
     categories:
@@ -4323,6 +4739,7 @@ rules:
     group: cloud-insecure-iam
     name: 40e1d1bf-11a9-4f63-a3a2-a8b84c602839
     pretty_name: API Key Exposed In Global Security Scheme
+    recommended: true
     ref: https://swagger.io/specification/#security-scheme-object
   4190dda7-af03-4cf0-a128-70ac1661ca09:
     categories:
@@ -4334,6 +4751,7 @@ rules:
     group: top10-insecure-design
     name: 4190dda7-af03-4cf0-a128-70ac1661ca09
     pretty_name: Property 'allowReserved' of Encoding Object Ignored
+    recommended: true
     ref: https://swagger.io/specification/#encoding-object
   41a38329-d81b-4be4-aef4-55b2615d3282:
     categories:
@@ -4343,6 +4761,7 @@ rules:
     group: cloud-weak-secrets-management
     name: 41a38329-d81b-4be4-aef4-55b2615d3282
     pretty_name: RAM Account Password Policy Not Required Symbols
+    recommended: true
     ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#require_symbols
   41abc6cc-dde1-4217-83d3-fb5f0cc09d8f:
     categories:
@@ -4353,6 +4772,7 @@ rules:
     group: cloud-resources-public-access
     name: 41abc6cc-dde1-4217-83d3-fb5f0cc09d8f
     pretty_name: Redshift Using Default Port
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#port
   41c195f4-fc31-4a5c-8a1b-90605538d49f:
     categories:
@@ -4363,6 +4783,7 @@ rules:
     group: supply-chain-cicd-weak-configuration
     name: 41c195f4-fc31-4a5c-8a1b-90605538d49f
     pretty_name: Multiple CMD Instructions Listed
+    recommended: true
     ref: https://docs.docker.com/engine/reference/builder/#cmd
   420e6360-47bb-46f6-9072-b20ed22c842d:
     categories:
@@ -4373,6 +4794,7 @@ rules:
     group: top10-insecure-design
     name: 420e6360-47bb-46f6-9072-b20ed22c842d
     pretty_name: StatefulSet Without Service Name
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#selector
   4216ebac-d74c-4423-b437-35025cb88af5:
     categories:
@@ -4382,6 +4804,7 @@ rules:
     group: cloud-resources-public-access
     name: 4216ebac-d74c-4423-b437-35025cb88af5
     pretty_name: Network Interfaces IP Forwarding Enabled
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface#enable_ip_forwarding
   429b2106-ba37-43ba-9727-7f699cc611e1:
     categories:
@@ -4391,6 +4814,7 @@ rules:
     group: top10-insecure-design
     name: 429b2106-ba37-43ba-9727-7f699cc611e1
     pretty_name: Unknown Property (v2)
+    recommended: true
     ref: https://swagger.io/specification/v2/
   42bb6b7f-6d54-4428-b707-666f669d94fb:
     categories:
@@ -4402,6 +4826,7 @@ rules:
     group: cloud-weak-configuration
     name: 42bb6b7f-6d54-4428-b707-666f669d94fb
     pretty_name: S3 Static Website Host Enabled
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#website
   42e7dca3-8cce-4325-8df0-108888259136:
     categories:
@@ -4421,6 +4846,7 @@ rules:
     group: cloud-weak-configuration
     name: 42f4b905-3736-4213-bfe9-c0660518cda8
     pretty_name: EKS Cluster Has Public Access
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster
   43356255-495d-4148-ad8d-f6af5eac09dd:
     categories:
@@ -4430,6 +4856,7 @@ rules:
     group: cloud-resources-public-access
     name: 43356255-495d-4148-ad8d-f6af5eac09dd
     pretty_name: GameLift Fleet EC2 InboundPermissions With Port Range
+    recommended: true
     ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-gamelift-fleet.html
   434945e5-4dfd-41b1-aba1-47075ccd9265:
     categories:
@@ -4439,6 +4866,7 @@ rules:
     group: top10-security-logging-monitoring-failures
     name: 434945e5-4dfd-41b1-aba1-47075ccd9265
     pretty_name: Serverless API X-Ray Tracing Disabled
+    recommended: true
     ref: https://www.serverless.com/framework/docs/providers/aws/events/apigateway#aws-x-ray-tracing
   43789711-161b-4708-b5bb-9d1c626f7492:
     categories:
@@ -4448,6 +4876,7 @@ rules:
     group: top10-insecure-design
     name: 43789711-161b-4708-b5bb-9d1c626f7492
     pretty_name: AKS Uses Azure Policies Add-On Disabled
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#azure_policy
   43a41523-386a-4cb1-becb-42af6b414433:
     categories:
@@ -4458,6 +4887,7 @@ rules:
     group: cloud-insecure-iam
     name: 43a41523-386a-4cb1-becb-42af6b414433
     pretty_name: User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy
   43f6e60c-9cdb-4e77-864d-a66595d26518:
     categories:
@@ -4467,6 +4897,7 @@ rules:
     group: top10-security-logging-monitoring-failures
     name: 43f6e60c-9cdb-4e77-864d-a66595d26518
     pretty_name: Storage Logging For Read Write And Delete Requests Disabled
+    recommended: true
     ref: https://docs.microsoft.com/pt-pt/azure/azure-monitor/essentials/resource-manager-diagnostic-settings#diagnostic-setting-for-azure-storage
   44034eda-1c3f-486a-831d-e09a7dd94354:
     categories:
@@ -4476,6 +4907,7 @@ rules:
     group: top10-crypto-failures
     name: 44034eda-1c3f-486a-831d-e09a7dd94354
     pretty_name: SageMaker EndPoint Config Should Specify KmsKeyId Attribute
+    recommended: true
     ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sagemaker-endpointconfig.html
   443488f5-c734-460b-a36d-5b3f330174dc:
     categories:
@@ -4487,6 +4919,7 @@ rules:
     group: top10-crypto-failures
     name: 443488f5-c734-460b-a36d-5b3f330174dc
     pretty_name: User Data Contains Encoded Private Key
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#user_data_base64
   445020f6-b69e-4484-847f-02d4b7768902:
     categories:
@@ -4496,6 +4929,7 @@ rules:
     group: top10-insecure-design
     name: 445020f6-b69e-4484-847f-02d4b7768902
     pretty_name: IAM Password Without Uppercase Letter
+    recommended: true
     ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user
   445dce51-7e53-4e50-80ef-7f94f14169e4:
     categories:
@@ -4506,6 +4940,7 @@ rules:
     group: cloud-resources-public-access
     name: 445dce51-7e53-4e50-80ef-7f94f14169e4
     pretty_name: Route53 Record Undefined
+    recommended: true
     ref: https://docs.ansible.com/ansible/latest/collections/community/aws/route53_module.html#parameter-value
   448db771-06ea-4dee-b48c-1689cbfb4b43:
     categories:
@@ -4515,6 +4950,7 @@ rules:
     group: top10-insecure-design
     name: 448db771-06ea-4dee-b48c-1689cbfb4b43
     pretty_name: Example Not Compliant With Schema Type (v2)
+    recommended: true
     ref: https://swagger.io/specification/v2/#example-object
   4495bc5d-4d1e-4a26-ae92-152d18195648:
     categories:
@@ -4525,6 +4961,7 @@ rules:
     group: top10-crypto-failures
     name: 4495bc5d-4d1e-4a26-ae92-152d18195648
     pretty_name: Serverless Function Environment Variables Not Encrypted
+    recommended: true
     ref: https://www.serverless.com/framework/docs/providers/aws/guide/functions#kms-keys
   44ceb4fa-0897-4fd2-b676-30e7a58f2933:
     categories:
@@ -4536,6 +4973,7 @@ rules:
     group: top10-security-logging-monitoring-failures
     name: 44ceb4fa-0897-4fd2-b676-30e7a58f2933
     pretty_name: CloudWatch Console Sign-in Without MFA Alarm Missing
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern
   44d434ca-a9bf-4203-8828-4c81a8d5a598:
     categories:
@@ -4546,6 +4984,7 @@ rules:
     group: top10-crypto-failures
     name: 44d434ca-a9bf-4203-8828-4c81a8d5a598
     pretty_name: RDS Instance TDE Status Disabled
+    recommended: true
     ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#tde_status
   451d79dc-0588-476a-ad03-3c7f0320abb3:
     categories:
@@ -4555,6 +4994,7 @@ rules:
     group: cloud-resources-public-access
     name: 451d79dc-0588-476a-ad03-3c7f0320abb3
     pretty_name: Container Traffic Not Bound To Host Interface
+    recommended: true
     ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#ports
   4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c:
     categories:
@@ -4565,6 +5005,7 @@ rules:
     group: top10-security-logging-monitoring-failures
     name: 4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c
     pretty_name: S3 Bucket Logging Disabled
+    recommended: true
     ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#cfn-s3-bucket-loggingconfig
   455f2e0c-686d-4fcb-8b5f-3f953f12c43c:
     categories:
@@ -4575,6 +5016,7 @@ rules:
     group: cloud-weak-configuration
     name: 455f2e0c-686d-4fcb-8b5f-3f953f12c43c
     pretty_name: Seccomp Profile Is Not Configured
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#annotations
   456b00a3-1072-4149-9740-6b8bb60251b0:
     categories:
@@ -4588,6 +5030,7 @@ rules:
     group: cloud-insecure-iam
     name: 456b00a3-1072-4149-9740-6b8bb60251b0
     pretty_name: S3 Bucket Allows Restore Actions From All Principals
+    recommended: true
     ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
   45cff7b6-3b80-40c1-ba7b-2cf480678bb8:
     categories:
@@ -4597,6 +5040,7 @@ rules:
     group: top10-security-logging-monitoring-failures
     name: 45cff7b6-3b80-40c1-ba7b-2cf480678bb8
     pretty_name: Neptune Logging Is Disabled
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster#enable_cloudwatch_logs_exports
   45e1fca5-f90e-465d-825f-c2cb63fa3944:
     categories:
@@ -4607,6 +5051,7 @@ rules:
     group: supply-chain-scm-weak-configuration
     name: 45e1fca5-f90e-465d-825f-c2cb63fa3944
     pretty_name: Missing Zypper Non-interactive Switch
+    recommended: true
     ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
   45fc717a-bd86-415c-bdd8-677901be1aa6:
     categories:
@@ -4617,6 +5062,7 @@ rules:
     group: top10-crypto-failures
     name: 45fc717a-bd86-415c-bdd8-677901be1aa6
     pretty_name: Function App Not Using Latest TLS Encryption Version
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#min_tls_version
   461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3:
     categories:
@@ -4627,6 +5073,7 @@ rules:
     group: cloud-insecure-iam
     name: 461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3
     pretty_name: Deployment Has No PodAntiAffinity
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment#affinity
   462d6a1d-fed9-4d75-bb9e-3de902f35e6e:
     categories:
@@ -4637,6 +5084,7 @@ rules:
     group: cloud-insecure-iam
     name: 462d6a1d-fed9-4d75-bb9e-3de902f35e6e
     pretty_name: Undefined Scope 'securityScheme' On 'security' Field On Operations
+    recommended: true
     ref: https://swagger.io/specification/#oauth-flow-object
   46883ce1-dc3e-4b17-9195-c6a601624c73:
     categories:
@@ -4648,6 +5096,7 @@ rules:
     group: cloud-resources-public-access
     name: 46883ce1-dc3e-4b17-9195-c6a601624c73
     pretty_name: Default Security Groups With Unrestricted Traffic
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group
   46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2:
     categories:
@@ -4659,6 +5108,7 @@ rules:
     group: cloud-resources-public-access
     name: 46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2
     pretty_name: Bind Address Not Properly Set
+    recommended: true
     ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
   46d3b74d-9fe9-45bf-9e9e-efb7f701ee28:
     categories:
@@ -4668,6 +5118,7 @@ rules:
     group: top10-insecure-design
     name: 46d3b74d-9fe9-45bf-9e9e-efb7f701ee28
     pretty_name: Invalid Global External Documentation URL (v2)
+    recommended: true
     ref: https://swagger.io/specification/v2/#externalDocumentationObject
   46facedc-f243-4108-ab33-583b807d50b0:
     categories:
@@ -4678,6 +5129,7 @@ rules:
     group: top10-insecure-design
     name: 46facedc-f243-4108-ab33-583b807d50b0
     pretty_name: Parameter Object With Undefined Type
+    recommended: true
     ref: https://swagger.io/specification/#parameter-object
   4728cd65-a20c-49da-8b31-9c08b423e4db:
     categories:
@@ -4688,6 +5140,7 @@ rules:
     group: cloud-resources-public-access
     name: 4728cd65-a20c-49da-8b31-9c08b423e4db
     pretty_name: Unrestricted Security Group Ingress
+    recommended: true
     ref: https://www.terraform.io/docs/providers/aws/r/security_group.html
   4766d3ea-241c-4ee6-93ff-c380c996bd1a:
     categories:
@@ -4698,6 +5151,7 @@ rules:
     group: top10-crypto-failures
     name: 4766d3ea-241c-4ee6-93ff-c380c996bd1a
     pretty_name: DOCDB Cluster Without KMS
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#kms_key_id
   48207659-729f-4b5c-9402-f884257d794f:
     categories:
@@ -4708,6 +5162,7 @@ rules:
     group: top10-crypto-failures
     name: 48207659-729f-4b5c-9402-f884257d794f
     pretty_name: EFS Not Encrypted
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system#encrypted
   482b7d26-0bdb-4b5f-bf6f-545826c0a3dd:
     categories:
@@ -4717,6 +5172,7 @@ rules:
     group: top10-security-logging-monitoring-failures
     name: 482b7d26-0bdb-4b5f-bf6f-545826c0a3dd
     pretty_name: CloudTrail SNS Topic Name Undefined
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail
   48388bd2-7201-4dcc-b56d-e8a9efa58fad:
     categories:
@@ -4726,6 +5182,7 @@ rules:
     group: cloud-weak-configuration
     name: 48388bd2-7201-4dcc-b56d-e8a9efa58fad
     pretty_name: PSP With Added Capabilities
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_capabilities
   48471392-d4d0-47c0-b135-cdec95eb3eef:
     categories:
@@ -4735,6 +5192,7 @@ rules:
     group: cloud-weak-configuration
     name: 48471392-d4d0-47c0-b135-cdec95eb3eef
     pretty_name: Service Account Token Automount Not Disabled
+    recommended: true
     ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
   4849211b-ac39-479e-ae78-5694d506cb24:
     categories:
@@ -4744,6 +5202,7 @@ rules:
     group: cloud-insecure-iam
     name: 4849211b-ac39-479e-ae78-5694d506cb24
     pretty_name: Security Group Not Used
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
   48677914-6fdf-40ec-80c4-2b0e94079f54:
     categories:
@@ -4754,6 +5213,7 @@ rules:
     group: cloud-weak-configuration
     name: 48677914-6fdf-40ec-80c4-2b0e94079f54
     pretty_name: IAM User Has Too Many Access Keys
+    recommended: true
     ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html
   488847ff-6031-487c-bf42-98fd6ac5c9a0:
     categories:
@@ -4764,6 +5224,7 @@ rules:
     group: cloud-weak-configuration
     name: 488847ff-6031-487c-bf42-98fd6ac5c9a0
     pretty_name: Website Not Forcing HTTPS
+    recommended: true
     ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites?tabs=json#siteproperties-object
   48a5beba-e4c0-4584-a2aa-e6894e4cf424:
     categories:
@@ -4775,6 +5236,7 @@ rules:
     group: cloud-weak-configuration
     name: 48a5beba-e4c0-4584-a2aa-e6894e4cf424
     pretty_name: Pod or Container Without ResourceQuota
+    recommended: true
     ref: https://kubernetes.io/docs/concepts/policy/resource-quotas/
   48af92a5-c89b-4936-bc62-1086fe2bab23:
     categories:
@@ -4784,6 +5246,7 @@ rules:
     group: cloud-weak-configuration
     name: 48af92a5-c89b-4936-bc62-1086fe2bab23
     pretty_name: EMR Cluster Without Security Configuration
+    recommended: true
     ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticmapreduce-cluster.html#cfn-elasticmapreduce-cluster-securityconfiguration
   48bbe0fd-57e4-4678-a4a1-119e79c90fc3:
     categories:
@@ -4794,6 +5257,7 @@ rules:
     group: cloud-insecure-iam
     name: 48bbe0fd-57e4-4678-a4a1-119e79c90fc3
     pretty_name: Storage Share File Allows All ACL Permissions
+    recommended: true
     ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_share_file
   48c3bc58-6959-4f27-b647-4fedeace23be:
     categories:
@@ -4804,6 +5268,7 @@ rules:
     group: top10-crypto-failures
     name: 48c3bc58-6959-4f27-b647-4fedeace23be
     pretty_name: User Data Shell Script Is Encoded
+    recommended: true
     ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-userdata
   48c61fbd-09c9-46cc-a521-012e0c325412:
     categories:
@@ -4816,6 +5281,7 @@ rules:
     group: cloud-weak-configuration
     name: 48c61fbd-09c9-46cc-a521-012e0c325412
     pretty_name: Private Cluster Disabled
+    recommended: true
     ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters
   48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd:
     categories:
@@ -4826,6 +5292,7 @@ rules:
     group: top10-insecure-design
     name: 48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd
     pretty_name: Operation Without Successful HTTP Status Code (v3)
+    recommended: true
     ref: https://swagger.io/specification/#operation-object
   48f100d9-f499-4c6d-b2b8-deafe47ffb26:
     categories:
@@ -4835,6 +5302,7 @@ rules:
     group: cloud-insecure-iam
     name: 48f100d9-f499-4c6d-b2b8-deafe47ffb26
     pretty_name: S3 Bucket Allows Public ACL
+    recommended: true
     ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html
   48f7e44d-d1d1-44c2-b336-9f11b65c4fb0:
     categories:
@@ -4845,6 +5313,7 @@ rules:
     group: top10-security-logging-monitoring-failures
     name: 48f7e44d-d1d1-44c2-b336-9f11b65c4fb0
     pretty_name: Cloud Storage Bucket Logging Not Enabled
+    recommended: true
     ref: https://www.pulumi.com/registry/packages/gcp/api-docs/storage/bucket/#logging_yaml
   49113af4-29ca-458e-b8d4-724c01a4a24f:
     categories:
@@ -4855,6 +5324,7 @@ rules:
     group: top10-insecure-design
     name: 49113af4-29ca-458e-b8d4-724c01a4a24f
     pretty_name: Terminated Pod Garbage Collector Threshold Not Properly Set
+    recommended: true
     ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/
   492c6cbb-f3f8-4807-aa4f-42b8b1c46b59:
     categories:
@@ -4865,6 +5335,7 @@ rules:
     group: top10-insecure-design
     name: 492c6cbb-f3f8-4807-aa4f-42b8b1c46b59
     pretty_name: Type Has Invalid Keyword (v2)
+    recommended: true
     ref: https://swagger.io/specification/v2/#schemaObject
   493d9591-6249-47bf-8dc0-5c10161cc558:
     categories:
@@ -4874,6 +5345,7 @@ rules:
 group: cloud-resources-public-access
 name: 493d9591-6249-47bf-8dc0-5c10161cc558
 pretty_name: Security Groups Without VPC Attached
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html
 494b03d3-bf40-4464-8524-7c56ad0700ed:
 categories:
@@ -4885,6 +5357,7 @@ rules:
 group: cloud-resources-public-access
 name: 494b03d3-bf40-4464-8524-7c56ad0700ed
 pretty_name: EC2 Sensitive Port Is Publicly Exposed
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html
 4950837c-0ce5-4e42-9bee-a25eae73740b:
 categories:
@@ -4896,6 +5369,7 @@ rules:
 group: cloud-weak-configuration
 name: 4950837c-0ce5-4e42-9bee-a25eae73740b
 pretty_name: PSP Allows Containers To Share The Host Network Namespace
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#host_network
 49e30ac8-f58e-4222-b488-3dcb90158ec1:
 categories:
@@ -4905,6 +5379,7 @@ rules:
 group: top10-crypto-failures
 name: 49e30ac8-f58e-4222-b488-3dcb90158ec1
 pretty_name: Redis Cache Allows Non SSL Connections
+ recommended: true
 ref: https://www.pulumi.com/registry/packages/azure-native/api-docs/cache/redis/#enablenonsslport_yaml
 4a1e6b34-1008-4e61-a5f2-1f7c276f8d14:
 categories:
@@ -4915,6 +5390,7 @@ rules:
 group: cloud-resources-public-access
 name: 4a1e6b34-1008-4e61-a5f2-1f7c276f8d14
 pretty_name: Unrestricted Security Group Ingress
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html
 4a1f3d75-ab73-41b2-83e7-06a93dc3a75a:
 categories:
@@ -4925,6 +5401,7 @@ rules:
 group: cloud-insecure-iam
 name: 4a1f3d75-ab73-41b2-83e7-06a93dc3a75a
 pretty_name: Implicit Flow in OAuth2 (v3)
+ recommended: true
 ref: https://swagger.io/specification/#oauth-flow-object
 4a20ebac-1060-4c81-95d1-1f7f620e983b:
 categories:
@@ -4936,6 +5413,7 @@ rules:
 group: cloud-weak-configuration
 name: 4a20ebac-1060-4c81-95d1-1f7f620e983b
 pretty_name: Pod or Container Without LimitRange
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/policy/limit-range/
 4a800e14-c94a-442d-9067-5a2e9f6c0a4c:
 categories:
@@ -4949,6 +5427,7 @@ rules:
 group: top10-crypto-failures
 name: 4a800e14-c94a-442d-9067-5a2e9f6c0a4c
 pretty_name: ELB Using Weak Ciphers
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/load_balancer_policy
 4a8daf95-709d-4a36-9132-d3e19878fa34:
 categories:
@@ -4959,6 +5438,7 @@ rules:
 group: cloud-resources-public-access
 name: 4a8daf95-709d-4a36-9132-d3e19878fa34
 pretty_name: API Gateway Endpoint Config is Not Private
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-restapi-endpointconfiguration.html#cfn-apigateway-restapi-endpointconfiguration-types
 4a8fc9a2-2b2f-4b3f-aa8d-401425872034:
 categories:
@@ -4970,6 +5450,7 @@ rules:
 group: cloud-insecure-iam
 name: 4a8fc9a2-2b2f-4b3f-aa8d-401425872034
 pretty_name: SQS Queue Policy Allows NotPrincipal
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-policy.html
 4a9e0f00-0765-4f72-a0d4-d31110b78279:
 categories:
@@ -4979,6 +5460,7 @@ rules:
 group: cloud-resources-public-access
 name: 4a9e0f00-0765-4f72-a0d4-d31110b78279
 pretty_name: Azure Cognitive Search Public Network Access Enabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/search_service#public_network_access_enabled
 4ab10c48-bedb-4deb-8f3b-ff12783b61de:
 categories:
@@ -4988,6 +5470,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 4ab10c48-bedb-4deb-8f3b-ff12783b61de
 pretty_name: API Gateway X-Ray Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html#cfn-apigateway-stage-tracingenabled
 4ac0e2b7-d2d2-4af7-8799-e8de6721ccda:
 categories:
@@ -4998,6 +5481,7 @@ rules:
 group: cloud-insecure-iam
 name: 4ac0e2b7-d2d2-4af7-8799-e8de6721ccda
 pretty_name: CPU Limits Not Set
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 4ae8af91-5108-42cb-9471-3bdbe596eac9:
 categories:
@@ -5011,6 +5495,7 @@ rules:
 group: cloud-insecure-iam
 name: 4ae8af91-5108-42cb-9471-3bdbe596eac9
 pretty_name: S3 Bucket With All Permissions
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
 4b410d24-1cbe-4430-a632-62c9a931cf1c:
 categories:
@@ -5021,6 +5506,7 @@ rules:
 group: top10-insecure-design
 name: 4b410d24-1cbe-4430-a632-62c9a931cf1c
 pretty_name: Curl or Wget Instead of Add
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
 4b6012e7-7176-46e4-8108-e441785eae57:
 categories:
@@ -5030,6 +5516,7 @@ rules:
 group: top10-crypto-failures
 name: 4b6012e7-7176-46e4-8108-e441785eae57
 pretty_name: EBS Volume Encryption Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_vol_module.html#parameter-encrypted
 4b82202a-b18e-4891-a1eb-a0989850bbb3:
 categories:
@@ -5051,6 +5538,7 @@ rules:
 group: cloud-weak-configuration
 name: 4ba74f01-aba5-4be2-83bc-be79ff1a3b92
 pretty_name: Serverless Function Without Unique IAM Role
+ recommended: true
 ref: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-role
 4bb06fa1-2114-4a00-b7b5-6aeab8b896f0:
 categories:
@@ -5061,6 +5549,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: 4bb06fa1-2114-4a00-b7b5-6aeab8b896f0
 pretty_name: ROS Stack Retention Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ros_stack_instance#retain_stacks
 4bb76f17-3d63-4529-bdca-2b454529d774:
 categories:
@@ -5071,6 +5560,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 4bb76f17-3d63-4529-bdca-2b454529d774
 pretty_name: CloudTrail Logging Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#enable_logging
 4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9:
 categories:
@@ -5080,6 +5570,7 @@ rules:
 group: top10-crypto-failures
 name: 4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9
 pretty_name: S3 Bucket Policy Accepts HTTP Requests
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy#policy
 4bcbcd52-3028-469f-bc14-02c7dbba2df2:
 categories:
@@ -5090,6 +5581,7 @@ rules:
 group: top10-insecure-design
 name: 4bcbcd52-3028-469f-bc14-02c7dbba2df2
 pretty_name: Property 'allowEmptyValue' Improperly Defined (v3)
+ recommended: true
 ref: https://swagger.io/specification/#parameter-object
 4bd15dd9-8d5e-4008-8532-27eb0c3706d3:
 categories:
@@ -5101,6 +5593,7 @@ rules:
 group: top10-crypto-failures
 name: 4bd15dd9-8d5e-4008-8532-27eb0c3706d3
 pretty_name: Redis Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#engine
 4bd21e68-38c1-4d58-acdc-6a14b203237f:
 categories:
@@ -5110,6 +5603,7 @@ rules:
 group: top10-crypto-failures
 name: 4bd21e68-38c1-4d58-acdc-6a14b203237f
 pretty_name: DynamoDB Table Not Encrypted
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-table-ssespecification.html
 4beaf898-9f8b-4237-89e2-5ffdc7ee6006:
 categories:
@@ -5119,6 +5613,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 4beaf898-9f8b-4237-89e2-5ffdc7ee6006
 pretty_name: Cloudwatch Security Group Changes Alarm Missing
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern
 4c137350-7307-4803-8c04-17c09a7a9fcf:
 categories:
@@ -5131,6 +5626,7 @@ rules:
 group: cloud-weak-configuration
 name: 4c137350-7307-4803-8c04-17c09a7a9fcf
 pretty_name: Root Account Has Active Access Keys
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html
 4c18a45b-4ab1-4790-9f83-399ac695f1e5:
 categories:
@@ -5142,6 +5638,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 4c18a45b-4ab1-4790-9f83-399ac695f1e5
 pretty_name: CloudWatch Unauthorized Access Alarm Missing
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern
 4c415497-7410-4559-90e8-f2c8ac64ee38:
 categories:
@@ -5154,6 +5651,7 @@ rules:
 group: top10-insecure-design
 name: 4c415497-7410-4559-90e8-f2c8ac64ee38
 pretty_name: Root Containers Admitted
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#run_as_user
 4c7ebcb2-eae2-461e-bc83-456ee2d4f694:
 categories:
@@ -5166,6 +5664,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 4c7ebcb2-eae2-461e-bc83-456ee2d4f694
 pretty_name: Stackdriver Logging Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#logging_service
 4cac7ace-b0fb-477d-830d-65395d9109d9:
 categories:
@@ -5175,6 +5674,7 @@ rules:
 group: top10-insecure-design
 name: 4cac7ace-b0fb-477d-830d-65395d9109d9
 pretty_name: Schema Object Incorrect Ref (v3)
+ recommended: true
 ref: https://swagger.io/specification/#schema-object
 4cd8de87-b595-48b6-ab3c-1904567135ab:
 categories:
@@ -5185,6 +5685,7 @@ rules:
 group: top10-insecure-design
 name: 4cd8de87-b595-48b6-ab3c-1904567135ab
 pretty_name: Encoding Header 'Content-Type' Improperly Defined
+ recommended: true
 ref: https://swagger.io/specification/#media-type-object
 4cdc88e6-c0c8-4081-a639-bb3a557cbedf:
 categories:
@@ -5196,6 +5697,7 @@ rules:
 group: cloud-resources-public-access
 name: 4cdc88e6-c0c8-4081-a639-bb3a557cbedf
 pretty_name: Elasticsearch with HTTPS disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticsearch-domain-domainendpointoptions.html
 4d080822-5ee2-49a4-8984-68f3d4c890fc:
 categories:
@@ -5206,6 +5708,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 4d080822-5ee2-49a4-8984-68f3d4c890fc
 pretty_name: Key Expiration Not Set
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key
 4d2cf896-c053-4be5-9c95-8b4771112f29:
 categories:
@@ -5215,6 +5718,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 4d2cf896-c053-4be5-9c95-8b4771112f29
 pretty_name: Hardcoded SecureString Parameter Default Value
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-test-cases#secure-parameters-cant-have-hardcoded-default
 4d32780f-43a4-424a-a06d-943c543576a5:
 categories:
@@ -5224,6 +5728,7 @@ rules:
 group: cloud-insecure-iam
 name: 4d32780f-43a4-424a-a06d-943c543576a5
 pretty_name: IoT Policy Allows Action as Wildcard
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iot-policy.html
 4d3817db-dd35-4de4-a80d-3867157e7f7f:
 categories:
@@ -5235,6 +5740,7 @@ rules:
 group: cloud-insecure-iam
 name: 4d3817db-dd35-4de4-a80d-3867157e7f7f
 pretty_name: Storage Container Is Publicly Accessible
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageblob_module.html#parameter-public_access
 4d424558-c6d1-453c-be98-9a7f877abd9a:
 categories:
@@ -5245,6 +5751,7 @@ rules:
 group: cloud-resources-public-access
 name: 4d424558-c6d1-453c-be98-9a7f877abd9a
 pretty_name: Serverless API Endpoint Config Not Private
+ recommended: true
 ref: https://www.serverless.com/framework/docs/providers/aws/events/apigateway#configuring-endpoint-types
 4d46ff3b-7160-41d1-a310-71d6d370b08f:
 categories:
@@ -5256,6 +5763,7 @@ rules:
 group: top10-crypto-failures
 name: 4d46ff3b-7160-41d1-a310-71d6d370b08f
 pretty_name: ECS Task Definition Volume Not Encrypted
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#transit_encryption
 4d522e7b-f938-4d51-a3b1-974ada528bd3:
 categories:
@@ -5266,6 +5774,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 4d522e7b-f938-4d51-a3b1-974ada528bd3
 pretty_name: Log Profile Incorrect Category
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2016-03-01/logprofiles?tabs=json#logprofileproperties-object
 4d7ee40f-fc5d-427d-8cac-dffbe22d42d1:
 categories:
@@ -5276,6 +5785,7 @@ rules:
 group: cloud-weak-configuration
 name: 4d7ee40f-fc5d-427d-8cac-dffbe22d42d1
 pretty_name: Authorization Mode Node Not Set
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 4d8681a2-3d30-4c89-8070-08acd142748e:
 categories:
@@ -5286,6 +5796,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 4d8681a2-3d30-4c89-8070-08acd142748e
 pretty_name: CloudTrail Log File Validation Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html
 4d9f44c6-2f4a-4317-9bb5-267adbea0232:
 categories:
@@ -5297,6 +5808,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: 4d9f44c6-2f4a-4317-9bb5-267adbea0232
 pretty_name: Cgroup Not Default
+ recommended: true
 ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#cgroup_parent
 4de9de27-254e-424f-bd70-4c1e95790838:
 categories:
@@ -5309,6 +5821,7 @@ rules:
 group: top10-crypto-failures
 name: 4de9de27-254e-424f-bd70-4c1e95790838
 pretty_name: Launch Configuration Is Not Encrypted
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#encrypted
 4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b:
 categories:
@@ -5319,6 +5832,7 @@ rules:
 group: cloud-weak-configuration
 name: 4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b
 pretty_name: API Gateway Without Security Policy
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_domain_name#security_policy
 4e203a65-c8d8-49a2-b749-b124d43c9dc1:
 categories:
@@ -5328,6 +5842,7 @@ rules:
 group: cloud-insecure-iam
 name: 4e203a65-c8d8-49a2-b749-b124d43c9dc1
 pretty_name: Docker Daemon Socket is Exposed to Containers
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_path
 4e67c0ae-38a0-47f4-a50c-f0c9b75826df:
 categories:
@@ -5347,6 +5862,7 @@ rules:
 group: cloud-resources-public-access
 name: 4e74cf4f-ff65-4c1a-885c-67ab608206ce
 pretty_name: Workload Host Port Not Specified
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_port
 4e88adee-a8eb-4605-a78d-9fb1096e3091:
 categories:
@@ -5357,6 +5873,7 @@ rules:
 group: cloud-resources-public-access
 name: 4e88adee-a8eb-4605-a78d-9fb1096e3091
 pretty_name: RDS Associated with Public Subnet
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsubnetgroupname
 4eb5f791-c861-4afd-9f94-f2a6a3fe49cb:
 categories:
@@ -5366,6 +5883,7 @@ rules:
 group: cloud-weak-configuration
 name: 4eb5f791-c861-4afd-9f94-f2a6a3fe49cb
 pretty_name: MQ Broker Is Publicly Accessible
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker
 4f0908b9-eb66-433f-9145-134274e1e944:
 categories:
@@ -5376,6 +5894,7 @@ rules:
 group: cloud-weak-configuration
 name: 4f0908b9-eb66-433f-9145-134274e1e944
 pretty_name: RouterTable with Default Routing
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route-table.html
 4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a:
 categories:
@@ -5385,6 +5904,7 @@ rules:
 group: cloud-resources-public-access
 name: 4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a
 pretty_name: Success Response Code Undefined for Head Operation (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#operation-object
 4f31dd9f-2cc3-4751-9b53-67e4af83dac0:
 categories:
@@ -5394,6 +5914,7 @@ rules:
 group: cloud-insecure-iam
 name: 4f31dd9f-2cc3-4751-9b53-67e4af83dac0
 pretty_name: Host Namespace is Shared
+ recommended: true
 ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#pid
 4f615f3e-fb9c-4fad-8b70-2e9f781806ce:
 categories:
@@ -5405,6 +5926,7 @@ rules:
 group: cloud-resources-public-access
 name: 4f615f3e-fb9c-4fad-8b70-2e9f781806ce
 pretty_name: DB Security Group Open To Large Scope
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_security_group
 4fa66806-0dd9-4f8d-9480-3174d39c7c91:
 categories:
@@ -5414,6 +5936,7 @@ rules:
 group: cloud-weak-configuration
 name: 4fa66806-0dd9-4f8d-9480-3174d39c7c91
 pretty_name: S3 Bucket Without Ignore Public ACL
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block
 4fbfee74-8186-40d5-a24e-4baa76a855de:
 categories:
@@ -5424,6 +5947,7 @@ rules:
 group: cloud-insecure-iam
 name: 4fbfee74-8186-40d5-a24e-4baa76a855de
 pretty_name: SQS Queue Policy Allows NotAction
+ recommended: true
 ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html
 500ce696-d501-41dd-86eb-eceb011a386f:
 categories:
@@ -5434,6 +5958,7 @@ rules:
 group: cloud-weak-configuration
 name: 500ce696-d501-41dd-86eb-eceb011a386f
 pretty_name: Schema Object is Empty (v3)
+ recommended: true
 ref: https://swagger.io/specification/#schema-object
 507df964-ad97-4035-ab14-94a82eabdfdd:
 categories:
@@ -5444,6 +5969,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 507df964-ad97-4035-ab14-94a82eabdfdd
 pretty_name: Cloud Storage Bucket Logging Not Enabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_storage_bucket_module.html#parameter-logging
 5089d055-53ff-421b-9482-a5267bdce629:
 categories:
@@ -5455,6 +5981,7 @@ rules:
 group: cloud-resources-public-access
 name: 5089d055-53ff-421b-9482-a5267bdce629
 pretty_name: Redis Publicly Accessible
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_firewall_rule
 50cb6c3b-c878-4b88-b50e-d1421bada9e8:
 categories:
@@ -5465,6 +5992,7 @@ rules:
 group: cloud-resources-public-access
 name: 50cb6c3b-c878-4b88-b50e-d1421bada9e8
 pretty_name: RDP Access Is Not Restricted
+ recommended: true
 ref: https://cloud.google.com/compute/docs/reference/rest/v1/firewalls
 50de3b5b-6465-4e06-a9b0-b4c2ba34326b:
 categories:
@@ -5474,6 +6002,7 @@ rules:
 group: cloud-resources-public-access
 name: 50de3b5b-6465-4e06-a9b0-b4c2ba34326b
 pretty_name: Header Object Without Schema
+ recommended: true
 ref: https://swagger.io/specification/#header-object
 510d5810-9a30-443a-817d-5c1fa527b110:
 categories:
@@ -5483,6 +6012,7 @@ rules:
 group: top10-crypto-failures
 name: 510d5810-9a30-443a-817d-5c1fa527b110
 pretty_name: Weak TLS Cipher Suites
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
 51978067-3b22-4c29-aaf3-96bf0bc28897:
 categories:
@@ -5493,6 +6023,7 @@ rules:
 group: top10-insecure-design
 name: 51978067-3b22-4c29-aaf3-96bf0bc28897
 pretty_name: Header Parameter Named as 'Content-Type' (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#parameterObject
 51bed0ac-a8ae-407a-895e-90c6cb0610ce:
 categories:
@@ -5502,6 +6033,7 @@ rules:
 group: cloud-weak-configuration
 name: 51bed0ac-a8ae-407a-895e-90c6cb0610ce
 pretty_name: PSP Allows Sharing Host IPC
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#host_ipc
 522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba:
 categories:
@@ -5512,6 +6044,7 @@ rules:
 group: cloud-insecure-iam
 name: 522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba
 pretty_name: Permissive Access to Create Pods
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role#rule
 525b53be-62ed-4244-b4df-41aecfcb4071:
 categories:
@@ -5521,6 +6054,7 @@ rules:
 group: cloud-weak-configuration
 name: 525b53be-62ed-4244-b4df-41aecfcb4071
 pretty_name: App Service HTTP2 Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled
 52790cad-d60d-41d5-8483-146f9f21208d:
 categories:
@@ -5530,6 +6064,7 @@ rules:
 group: cloud-weak-configuration
 name: 52790cad-d60d-41d5-8483-146f9f21208d
 pretty_name: API Gateway Cache Cluster Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html#cfn-apigateway-stage-cacheclusterenabled
 52c0d841-60d6-4a81-88dd-c35fef36d315:
 categories:
@@ -5540,6 +6075,7 @@ rules:
 group: cloud-insecure-iam
 name: 52c0d841-60d6-4a81-88dd-c35fef36d315
 pretty_name: Invalid OAuth2 Authorization URL (v3)
+ recommended: true
 ref: https://swagger.io/specification/#oauth-flow-object
 52d70f2e-3257-474c-b3dc-8ad9ba6a061a:
 categories:
@@ -5549,6 +6085,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 52d70f2e-3257-474c-b3dc-8ad9ba6a061a
 pretty_name: Kubelet Client Periodic Certificate Switch Disabled
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
 52f04a44-6bfa-4c41-b1d3-4ae99a2de05c:
 categories:
@@ -5558,6 +6095,7 @@ rules:
 group: cloud-resources-public-access
 name: 52f04a44-6bfa-4c41-b1d3-4ae99a2de05c
 pretty_name: VPC Subnet Assigns Public IP
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch
 52ffcfa6-6c70-4ea6-8376-d828d3961669:
 categories:
@@ -5568,6 +6106,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 52ffcfa6-6c70-4ea6-8376-d828d3961669
 pretty_name: CloudTrail Log File Validation Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#enable_log_file_validation
 5308a7a8-06f8-45ac-bf10-791fe21de46e:
 categories:
@@ -5577,6 +6116,7 @@ rules:
 group: cloud-weak-configuration
 name: 5308a7a8-06f8-45ac-bf10-791fe21de46e
 pretty_name: Workload Mounting With Sensitive OS Directory
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
 530e8291-2f22-4bab-b7ea-306f1bc2a308:
 categories:
@@ -5588,6 +6128,7 @@ rules:
 group: top10-insecure-design
 name: 530e8291-2f22-4bab-b7ea-306f1bc2a308
 pretty_name: SQL Server Predictable Active Directory Account Name
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_adserviceprincipal_module.html
 5330b503-3319-44ff-9b1c-00ee873f728a:
 categories:
@@ -5598,6 +6139,7 @@ rules:
 group: cloud-weak-configuration
 name: 5330b503-3319-44ff-9b1c-00ee873f728a
 pretty_name: EC2 Group Has Public Interface
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html
 533a0d13-6e89-4551-ae33-bce14e5849c1:
 categories:
@@ -5607,6 +6149,7 @@ rules:
 group: cloud-insecure-iam
 name: 533a0d13-6e89-4551-ae33-bce14e5849c1
 pretty_name: API Key Exposed In Global Security (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#securityDefinitionsObject
 53bce6a8-5492-4b1b-81cf-664385f0c4bf:
 categories:
@@ -5620,6 +6163,7 @@ rules:
 group: cloud-insecure-iam
 name: 53bce6a8-5492-4b1b-81cf-664385f0c4bf
 pretty_name: S3 Bucket Allows Get Action From All Principals
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html
 5400f379-a347-4bdd-a032-446465fdcc6f:
 categories:
@@ -5631,6 +6175,7 @@ rules:
 group: cloud-resources-public-access
 name: 5400f379-a347-4bdd-a032-446465fdcc6f
 pretty_name: Trusted Microsoft Services Not Enabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass
 54229498-850b-4f78-b3a7-218d24ef2c37:
 categories:
@@ -5656,6 +6201,7 @@ rules:
 group: cloud-insecure-iam
 name: 54378d69-dd7c-4b08-a43e-80d563396857
 pretty_name: MSK Broker Is Publicly Accessible
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#public_access
 543e38f4-1eee-479e-8eb0-15257013aa0a:
 categories:
@@ -5666,6 +6212,7 @@ rules:
 group: cloud-insecure-iam
 name: 543e38f4-1eee-479e-8eb0-15257013aa0a
 pretty_name: Global security field has an empty object (v3)
+ recommended: true
 ref: https://swagger.io/specification/#security-requirement-object
 54c417bf-c762-48b9-9d31-b3d87047e3f0:
 categories:
@@ -5676,6 +6223,7 @@ rules:
 group: cloud-resources-public-access
 name: 54c417bf-c762-48b9-9d31-b3d87047e3f0
 pretty_name: SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
 5527dcfc-94f9-4bf6-b7d4-1b78850cf41f:
 categories:
@@ -5685,6 +6233,7 @@ rules:
 group: cloud-resources-public-access
 name: 5527dcfc-94f9-4bf6-b7d4-1b78850cf41f
 pretty_name: ElastiCache Without VPC
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/elasticache_module.html#parameter-cache_subnet_group
 5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d:
 categories:
@@ -5696,6 +6245,7 @@ rules:
 group: cloud-weak-configuration
 name: 5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d
 pretty_name: Privilege Escalation Allowed
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 559439b2-3e9c-4739-ac46-17e3b24ec215:
 categories:
@@ -5706,6 +6256,7 @@ rules:
 group: cloud-resources-public-access
 name: 559439b2-3e9c-4739-ac46-17e3b24ec215
 pretty_name: API Gateway Endpoint Config is Not Private
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_api_gateway_module.html
 55975007-f6e7-4134-83c3-298f1fe4b519:
 categories:
@@ -5715,6 +6266,7 @@ rules:
 group: top10-insecure-design
 name: 55975007-f6e7-4134-83c3-298f1fe4b519
 pretty_name: SQL Server Alert Email Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_security_alert_policy#email_account_admins
 55af1353-2f62-4fa0-a8e1-a210ca2708f5:
 categories:
@@ -5725,6 +6277,7 @@ rules:
 group: top10-crypto-failures
 name: 55af1353-2f62-4fa0-a8e1-a210ca2708f5
 pretty_name: Cloudfront Viewer Protocol Policy Allows HTTP
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution
 561710b1-b845-4562-95ce-2397a05ccef4:
 categories:
@@ -5735,6 +6288,7 @@ rules:
 group: top10-insecure-design
 name: 561710b1-b845-4562-95ce-2397a05ccef4
 pretty_name: Template Path With No Corresponding Path Parameter (v3)
+ recommended: true
 ref: https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#pathTemplating
 562952e4-0348-4dea-9826-44f3a2c6117b:
 categories:
@@ -5745,6 +6299,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: 562952e4-0348-4dea-9826-44f3a2c6117b
 pretty_name: Zypper Install Without Version
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
 564b70f8-41cd-4690-aff8-bb53add86bc9:
 categories:
@@ -5755,6 +6310,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 564b70f8-41cd-4690-aff8-bb53add86bc9
 pretty_name: Unrecommended Network Watcher Flow Log Retention Policy
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-11-01/networkwatchers/flowlogs?tabs=json#retentionpolicyparameters-object
 568a4d22-3517-44a6-a7ad-6a7eed88722c:
 categories:
@@ -5764,6 +6320,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 568a4d22-3517-44a6-a7ad-6a7eed88722c
 pretty_name: S3 Bucket Without Versioning
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
 568cc372-ca64-420d-9015-ee347d00d288:
 categories:
@@ -5775,6 +6332,7 @@ rules: group: top10-crypto-failures name: 568cc372-ca64-420d-9015-ee347d00d288 pretty_name: User Data Contains Encoded Private Key + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-launchconfig.html 56a585f5-555c-48b2-8395-e64e4740a9cf: categories: @@ -5786,6 +6344,7 @@ rules: name: 56a585f5-555c-48b2-8395-e64e4740a9cf pretty_name: CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern 56dad03e-e94f-4dd6-93a4-c253a03ff7a0: categories: @@ -5795,6 +6354,7 @@ rules: group: supply-chain-cicd-weak-configuration name: 56dad03e-e94f-4dd6-93a4-c253a03ff7a0 pretty_name: Cosmos DB Account Without Tags + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account 56f6a008-1b14-4af4-b9b2-ab7cf7e27641: categories: @@ -5804,6 +6364,7 @@ rules: group: top10-security-logging-monitoring-failures name: 56f6a008-1b14-4af4-b9b2-ab7cf7e27641 pretty_name: DocDB Logging Is Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports 571254d8-aa6a-432e-9725-535d3ef04d69: categories: @@ -5814,6 +6375,7 @@ rules: group: cloud-insecure-iam name: 571254d8-aa6a-432e-9725-535d3ef04d69 pretty_name: Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy 5744cbb8-5946-4b75-a196-ade44449525b: categories: 
@@ -5824,6 +6386,7 @@ rules:
 group: top10-insecure-design
 name: 5744cbb8-5946-4b75-a196-ade44449525b
 pretty_name: HPA Targeted Deployments With Configured Replica Count
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/
 574e8d82-1db2-4b9c-b526-e320ede9a9ff:
 categories:
@@ -5834,6 +6397,7 @@ rules:
 group: top10-insecure-design
 name: 574e8d82-1db2-4b9c-b526-e320ede9a9ff
 pretty_name: SQL Server Database With Alerts Disabled
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/securityalertpolicies?tabs=json
 575a2155-6af1-4026-b1af-d5bc8fe2a904:
 categories:
@@ -5845,6 +6409,7 @@ rules:
 group: cloud-insecure-iam
 name: 575a2155-6af1-4026-b1af-d5bc8fe2a904
 pretty_name: IAM Policy Grants Full Permissions
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy
 577ac19c-6a77-46d7-9f14-e049cdd15ec2:
 categories:
@@ -5855,6 +6420,7 @@ rules:
 group: cloud-insecure-iam
 name: 577ac19c-6a77-46d7-9f14-e049cdd15ec2
 pretty_name: CPU Requests Not Set
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#requests
 579a0727-9c29-4d58-8195-fc5802a8bdb4:
 categories:
@@ -5865,6 +6431,7 @@ rules:
 group: cloud-weak-configuration
 name: 579a0727-9c29-4d58-8195-fc5802a8bdb4
 pretty_name: Shielded GKE Nodes Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enable_shielded_nodes
 57b12981-3816-4c31-b190-a1e614361dd2:
 categories:
@@ -5874,6 +6441,7 @@ rules:
 group: cloud-insecure-iam
 name: 57b12981-3816-4c31-b190-a1e614361dd2
 pretty_name: Public Lambda via API Gateway
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html
 57b9893d-33b1-4419-bcea-a717ea87e139:
 categories:
@@ -5884,6 +6452,7 @@ rules:
 group: cloud-insecure-iam
 name: 57b9893d-33b1-4419-bcea-a717ea87e139
 pretty_name: S3 Bucket ACL Allows Read to Any Authenticated User
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl
 57ced4b9-6ba4-487b-8843-b65562b90c77:
 categories:
@@ -5894,6 +6463,7 @@ rules:
 group: cloud-resources-public-access
 name: 57ced4b9-6ba4-487b-8843-b65562b90c77
 pretty_name: Security Group With Unrestricted Access To SSH
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html
 5813ef56-fa94-406a-b35d-977d4a56ff2b:
 categories:
@@ -5903,6 +6473,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 5813ef56-fa94-406a-b35d-977d4a56ff2b
 pretty_name: API Gateway X-Ray Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#xray_tracing_enabled
 581dae78-307d-45d5-aae4-fe2b0db267a5:
 categories:
@@ -5915,6 +6486,7 @@ rules:
 group: cloud-weak-configuration
 name: 581dae78-307d-45d5-aae4-fe2b0db267a5
 pretty_name: Azure Container Registry With No Locks
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_lock_module.html
 583053b7-e632-46f0-b989-f81ff8045385:
 categories:
@@ -5924,6 +6496,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: 583053b7-e632-46f0-b989-f81ff8045385
 pretty_name: Invalid Image Tag
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/containers/images/#updating-images
 5864d189-ee9a-4009-ac0c-8a582e6b7919:
 categories:
@@ -5934,6 +6507,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 5864d189-ee9a-4009-ac0c-8a582e6b7919
 pretty_name: CloudWatch Management Console Auth Failed Alarm Missing
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern
 5864fb39-d719-4182-80e2-89dbe627be63:
 categories:
@@ -5946,6 +6520,7 @@ rules:
 group: cloud-insecure-iam
 name: 5864fb39-d719-4182-80e2-89dbe627be63
 pretty_name: Amazon DMS Replication Instance Is Publicly Accessible
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dms-replicationinstance.html
 586abcee-9653-462d-ad7b-2638a32bd6e6:
 categories:
@@ -5957,6 +6532,7 @@ rules:
 group: cloud-insecure-iam
 name: 586abcee-9653-462d-ad7b-2638a32bd6e6
 pretty_name: No Global And Operation Security Defined (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#security-requirement-object
 587d5d82-70cf-449b-9817-f60f9bccb88c:
 categories:
@@ -5967,6 +6543,7 @@ rules:
 group: cloud-weak-configuration
 name: 587d5d82-70cf-449b-9817-f60f9bccb88c
 pretty_name: Container Host Pid Is True
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_pid
 58876b44-a690-4e9f-9214-7735fa0dd15d:
 categories:
@@ -5977,6 +6554,7 @@ rules:
 group: cloud-insecure-iam
 name: 58876b44-a690-4e9f-9214-7735fa0dd15d
 pretty_name: CronJob Deadline Not Configured
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cron_job#starting_deadline_seconds
 58b35504-0287-4154-bf69-02c0573deab8:
 categories:
@@ -5987,6 +6565,7 @@ rules:
 group: top10-crypto-failures
 name: 58b35504-0287-4154-bf69-02c0573deab8
 pretty_name: Sagemaker Endpoint Configuration Encryption Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_endpoint_configuration#kms_key_arn
 58f06434-a88c-4f74-826c-db7e10cc7def:
 categories:
@@ -5998,6 +6577,7 @@ rules:
 group: top10-insecure-design
 name: 58f06434-a88c-4f74-826c-db7e10cc7def
 pretty_name: Request Body Object With Incorrect Media Type
+ recommended: true
 ref: https://swagger.io/specification/#media-type-object
 5906092d-5f74-490d-9a03-78febe0f65e1:
 categories:
@@ -6009,6 +6589,7 @@ rules:
 group: cloud-weak-configuration
 name: 5906092d-5f74-490d-9a03-78febe0f65e1
 pretty_name: GitHub Repository Set To Public
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codestar-githubrepository.html
 5907595b-5b6d-4142-b173-dbb0e73fbff8:
 categories:
@@ -6019,6 +6600,7 @@ rules:
 group: top10-insecure-design
 name: 5907595b-5b6d-4142-b173-dbb0e73fbff8
 pretty_name: Exposing Port 22 (SSH)
+ recommended: true
 ref: https://sysdig.com/blog/dockerfile-best-practices/
 590d878b-abdc-428f-895a-e2b68a0e1998:
 categories:
@@ -6030,6 +6612,7 @@ rules:
 group: cloud-resources-public-access
 name: 590d878b-abdc-428f-895a-e2b68a0e1998
 pretty_name: Unknown Port Exposed To Internet
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
 5915c20f-dffa-4cee-b5d4-f457ddc0151a:
 categories:
@@ -6039,6 +6622,7 @@ rules:
 group: top10-insecure-design
 name: 5915c20f-dffa-4cee-b5d4-f457ddc0151a
 pretty_name: Empty Array
+ recommended: true
 ref: https://swagger.io/specification/
 591ade62-d6b0-4580-b1ae-209f80ba1cd9:
 categories:
@@ -6050,6 +6634,7 @@ rules:
 group: cloud-weak-configuration
 name: 591ade62-d6b0-4580-b1ae-209f80ba1cd9
 pretty_name: Service Account Name Undefined Or Empty
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
 592ad21d-ad9b-46c6-8d2d-fad09d62a942:
 categories:
@@ -6060,6 +6645,7 @@ rules:
 group: cloud-insecure-iam
 name: 592ad21d-ad9b-46c6-8d2d-fad09d62a942
 pretty_name: Permissive Access to Create Pods
+ recommended: true
 ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping
 59312e8a-a64e-41e7-a252-618533dd1ea8:
 categories:
@@ -6069,6 +6655,7 @@ rules:
 group: top10-insecure-design
 name: 59312e8a-a64e-41e7-a252-618533dd1ea8
 pretty_name: Output Without Description
+ recommended: true
 ref: https://www.terraform.io/docs/language/values/outputs.html#description-output-value-documentation
 594c198b-4d79-41b8-9b36-fde13348b619:
 categories:
@@ -6080,6 +6667,7 @@ rules:
 group: cloud-resources-public-access
 name: 594c198b-4d79-41b8-9b36-fde13348b619
 pretty_name: Sensitive Port Is Exposed To Entire Network
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule
 594f54e7-f744-45ab-93e4-c6dbaf6cd571:
 categories:
@@ -6090,6 +6678,7 @@ rules:
 group: top10-crypto-failures
 name: 594f54e7-f744-45ab-93e4-c6dbaf6cd571
 pretty_name: S3 Bucket Without Server-side-encryption
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html
 59571246-3f62-4965-a96f-c7d97e269351:
 categories:
@@ -6099,6 +6688,7 @@ rules:
 group: cloud-weak-configuration
 name: 59571246-3f62-4965-a96f-c7d97e269351
 pretty_name: Google Project Auto Create Network Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project
 599318f2-6653-4569-9e21-041d06c63a89:
 categories:
@@ -6110,6 +6700,7 @@ rules:
 group: cloud-weak-configuration
 name: 599318f2-6653-4569-9e21-041d06c63a89
 pretty_name: AKS Private Cluster Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#private_cluster_enabled
 59a849c2-1127-4023-85a5-ef906dcd458c:
 categories:
@@ -6130,6 +6721,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 59acb56b-2b10-4c2c-ba38-f2223c3f5cfc
 pretty_name: Small MSSQL Server Audit Retention
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server
 59c2f769-7cc2-49c8-a3de-4e211135cfab:
 categories:
@@ -6142,6 +6734,7 @@ rules:
 group: top10-insecure-design
 name: 59c2f769-7cc2-49c8-a3de-4e211135cfab
 pretty_name: Property 'allowEmptyValue' Ignored
+ recommended: true
 ref: https://swagger.io/specification/#parameter-object
 59cb3da7-f206-4ae6-b827-7abf0a9cab9d:
 categories:
@@ -6152,6 +6745,7 @@ rules:
 group: cloud-resources-public-access
 name: 59cb3da7-f206-4ae6-b827-7abf0a9cab9d
 pretty_name: Network Security Group With Unrestricted Access To RDP
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2020-07-01/networksecuritygroups?tabs=json#securityrulepropertiesformat-object
 59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd:
 categories:
@@ -6163,6 +6757,7 @@ rules:
 group: cloud-insecure-iam
 name: 59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd
 pretty_name: Serverless Role With Full Privileges
+ recommended: true
 ref: https://www.serverless.com/framework/docs/providers/aws/guide/iam
 5a2486aa-facf-477d-a5c1-b010789459ce:
 categories:
@@ -6173,6 +6768,7 @@ rules:
 group: cloud-resources-public-access
 name: 5a2486aa-facf-477d-a5c1-b010789459ce
 pretty_name: EC2 Instance Has Public IP
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#associate_public_ip_address
 5a443297-19d4-4381-9e5b-24faf947ec22:
 categories:
@@ -6182,6 +6778,7 @@ rules:
 group: cloud-insecure-iam
 name: 5a443297-19d4-4381-9e5b-24faf947ec22
 pretty_name: Certificate Has Expired
+ recommended: true
 ref: https://docs.ansible.com/ansible/2.10/collections/community/aws/aws_acm_module.html
 5aea1d7e-b834-4749-b143-2c7ec3bd5922:
 categories:
@@ -6191,6 +6788,7 @@ rules:
 group: top10-insecure-design
 name: 5aea1d7e-b834-4749-b143-2c7ec3bd5922
 pretty_name: Invalid Tag External Documentation URL (v3)
+ recommended: true
 ref: https://swagger.io/specification/#external-documentation-object
 5b033ec8-f079-4323-b5c8-99d4620433a9:
 categories:
@@ -6201,6 +6799,7 @@ rules:
 group: top10-crypto-failures
 name: 5b033ec8-f079-4323-b5c8-99d4620433a9
 pretty_name: EMR Security Configuration Encryption Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-emr-securityconfiguration.html
 5b48c507-0d1f-41b0-a630-76817c6b4189:
 categories:
@@ -6211,6 +6810,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 5b48c507-0d1f-41b0-a630-76817c6b4189
 pretty_name: RefreshToken Is Exposed
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ask-skill.html#cfn-ask-skill-authenticationconfiguration
 5b4d4aee-ac94-4810-9611-833636e5916d:
 categories:
@@ -6221,6 +6821,7 @@ rules:
 group: cloud-insecure-iam
 name: 5b4d4aee-ac94-4810-9611-833636e5916d
 pretty_name: Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy
 5b6d53dd-3ba3-4269-b4d7-f82e880e43c3:
 categories:
@@ -6232,6 +6833,7 @@ rules:
 group: top10-insecure-design
 name: 5b6d53dd-3ba3-4269-b4d7-f82e880e43c3
 pretty_name: Liveness Probe Is Not Defined
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#liveness_probe
 5b8d7527-de8e-4114-b9dd-9d988f1f418f:
 categories:
@@ -6242,6 +6844,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 5b8d7527-de8e-4114-b9dd-9d988f1f418f
 pretty_name: CloudWatch AWS Config Configuration Changes Alarm Missing
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern
 5b9d237a-57d5-4177-be0e-71434b0fef47:
 categories:
@@ -6254,6 +6857,7 @@ rules:
 group: cloud-weak-configuration
 name: 5b9d237a-57d5-4177-be0e-71434b0fef47
 pretty_name: KMS Key With Full Permissions
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_kms_module.html
 5ba316a9-c466-4ec1-8d5b-bc6107dc9a92:
 categories:
@@ -6263,6 +6867,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 5ba316a9-c466-4ec1-8d5b-bc6107dc9a92
 pretty_name: CloudTrail SNS Topic Name Undefined
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html
 5ba6229c-8057-433e-91d0-21cf13569ca9:
 categories:
@@ -6274,6 +6879,7 @@ rules:
 group: cloud-weak-configuration
 name: 5ba6229c-8057-433e-91d0-21cf13569ca9
 pretty_name: Service Control Policies Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy
 5baa92d2-d8ee-4c75-88a4-52d9d8bb8067:
 categories:
@@ -6285,6 +6891,7 @@ rules:
 group: cloud-weak-configuration
 name: 5baa92d2-d8ee-4c75-88a4-52d9d8bb8067
 pretty_name: GKE Legacy Authorization Enabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster
 5beacce3-4020-4a3d-9e1d-a36f953df630:
 categories:
@@ -6296,6 +6903,7 @@ rules:
 group: top10-crypto-failures
 name: 5beacce3-4020-4a3d-9e1d-a36f953df630
 pretty_name: RDS Storage Not Encrypted
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html
 5c0003fb-9aa0-42c1-9da3-eb0e332bef21:
 categories:
@@ -6306,6 +6914,7 @@ rules:
 group: top10-crypto-failures
 name: 5c0003fb-9aa0-42c1-9da3-eb0e332bef21
 pretty_name: Secure Ciphers Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution
 5c0b06d5-b7a4-484c-aeb0-75a836269ff0:
 categories:
@@ -6316,6 +6925,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 5c0b06d5-b7a4-484c-aeb0-75a836269ff0
 pretty_name: CloudTrail Logging Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-islogging
 5c281bf8-d9bb-47f2-b909-3f6bb11874ad:
 categories:
@@ -6325,6 +6935,7 @@ rules:
 group: cloud-resources-public-access
 name: 5c281bf8-d9bb-47f2-b909-3f6bb11874ad
 pretty_name: Service Type is NodePort
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service#type
 5c666ed9-b586-49ab-9873-c495a833b705:
 categories:
@@ -6334,6 +6945,7 @@ rules:
 group: cloud-insecure-iam
 name: 5c666ed9-b586-49ab-9873-c495a833b705
 pretty_name: Elasticsearch Without IAM Authentication
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-accesspolicies
 5c6b727b-1382-4629-8ba9-abd1365e5610:
 categories:
@@ -6345,6 +6957,7 @@ rules:
 group: cloud-weak-configuration
 name: 5c6b727b-1382-4629-8ba9-abd1365e5610
 pretty_name: Redshift Publicly Accessible
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/redshift_module.html
 5c6dd5e7-1fe0-4cae-8f81-4c122717cef3:
 categories:
@@ -6356,6 +6969,7 @@ rules:
 group: top10-crypto-failures
 name: 5c6dd5e7-1fe0-4cae-8f81-4c122717cef3
 pretty_name: Kinesis SSE Not Configured
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream#server_side_encryption
 5c80db8e-03f5-43a2-b4af-1f3f87018157:
 categories:
@@ -6365,6 +6979,7 @@ rules:
 group: cloud-insecure-iam
 name: 5c80db8e-03f5-43a2-b4af-1f3f87018157
 pretty_name: Role Definition Allows Custom Role Creation
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_roledefinition_module.html#parameter-permissions/actions
 5c822443-e1ea-46b8-84eb-758ec602e844:
 categories:
@@ -6376,6 +6991,7 @@ rules:
 group: cloud-weak-configuration
 name: 5c822443-e1ea-46b8-84eb-758ec602e844
 pretty_name: Security Group is Not Configured
+ recommended: true
 ref: https://www.terraform.io/docs/providers/azure/r/virtual_network.html
 5d29effc-5d68-481f-9721-d74e5919226b:
 categories:
@@ -6387,6 +7003,7 @@ rules:
 group: cloud-insecure-iam
 name: 5d29effc-5d68-481f-9721-d74e5919226b
 pretty_name: Security Field On Operations Has An Empty Array (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#operation-object
 5d3c1807-acb3-4bb0-be4e-0440230feeaf:
 categories:
@@ -6396,6 +7013,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 5d3c1807-acb3-4bb0-be4e-0440230feeaf
 pretty_name: CloudWatch Metrics Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cw-alarm.html
 5d89db57-8b51-4b38-bb76-b9bd42bd40f0:
 categories:
@@ -6407,6 +7025,7 @@ rules:
 group: cloud-resources-public-access
 name: 5d89db57-8b51-4b38-bb76-b9bd42bd40f0
 pretty_name: ElastiCache Using Default Port
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#port
 5d9e3164-9265-470c-9a10-57ae454ac0c7:
 categories:
@@ -6417,6 +7036,7 @@ rules:
 group: top10-crypto-failures
 name: 5d9e3164-9265-470c-9a10-57ae454ac0c7
 pretty_name: CloudTrail Log Files Not Encrypted With KMS
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#kms_key_id
 5da47109-f8d6-4585-9e2b-96a8958a12f5:
 categories:
@@ -6428,6 +7048,7 @@ rules:
 group: cloud-insecure-iam
 name: 5da47109-f8d6-4585-9e2b-96a8958a12f5
 pretty_name: Basic Auth File Is Set
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 5e0fb613-ba9b-44c3-88f0-b44188466bfd:
 categories:
@@ -6438,6 +7059,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 5e0fb613-ba9b-44c3-88f0-b44188466bfd
 pretty_name: RAM Account Password Policy Not Require at Least one Uppercase Character
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#require_uppercase_characters
 5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275:
 categories:
@@ -6447,6 +7069,7 @@ rules:
 group: top10-insecure-design
 name: 5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275
 pretty_name: Object Without Required Property (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/
 5e6c9c68-8a82-408e-8749-ddad78cbb9c5:
 categories:
@@ -6457,6 +7080,7 @@ rules:
 group: top10-insecure-design
 name: 5e6c9c68-8a82-408e-8749-ddad78cbb9c5
 pretty_name: Security Group Rule Without Description
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html
 5e7acff5-095b-40ac-9073-ac2e4ad8a512:
 categories:
@@ -6467,6 +7091,7 @@ rules:
 group: top10-insecure-design
 name: 5e7acff5-095b-40ac-9073-ac2e4ad8a512
 pretty_name: IAM Policies Without Groups
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-policy
 5e92d816-2177-4083-85b4-f61b4f7176d9:
 categories:
@@ -6476,6 +7101,7 @@ rules:
 group: cloud-insecure-iam
 name: 5e92d816-2177-4083-85b4-f61b4f7176d9
 pretty_name: Public Lambda via API Gateway
+ recommended: true
 ref: https://docs.ansible.com/ansible/2.4/lambda_policy_module.html
 5ea61624-3733-4a3a-8ca4-b96fec9c5aeb:
 categories:
@@ -6485,6 +7111,7 @@ rules:
 group: top10-insecure-design
 name: 5ea61624-3733-4a3a-8ca4-b96fec9c5aeb
 pretty_name: Invalid Operation External Documentation URL (v3)
+ recommended: true
 ref: https://swagger.io/specification/#external-documentation-object
 5ea624e4-c8b1-4bb3-87a4-4235a776adcc:
 categories:
@@ -6496,6 +7123,7 @@ rules:
 group: cloud-insecure-iam
 name: 5ea624e4-c8b1-4bb3-87a4-4235a776adcc
 pretty_name: SNS Topic Publicity Has Allow and NotAction Simultaneously
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy
 5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce:
 categories:
@@ -6506,6 +7134,7 @@ rules:
 group: top10-crypto-failures
 name: 5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce
 pretty_name: CA Certificate Identifier Is Outdated
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-ca_certificate_identifier
 5ef61c88-bbb4-4725-b1df-55d23c9676bb:
 categories:
@@ -6515,6 +7144,7 @@ rules:
 group: cloud-weak-configuration
 name: 5ef61c88-bbb4-4725-b1df-55d23c9676bb
 pretty_name: Cloud DNS Without DNSSEC
+ recommended: true
 ref: https://www.terraform.io/docs/providers/google/d/dns_managed_zone.html
 5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f:
 categories:
@@ -6524,6 +7154,7 @@ rules:
 group: cloud-resources-public-access
 name: 5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f
 pretty_name: Default Response Undefined On Operations (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#responses-object
 5f4735ce-b9ba-4d95-a089-a37a767b716f:
 categories:
@@ -6534,6 +7165,7 @@ rules:
 group: cloud-insecure-iam
 name: 5f4735ce-b9ba-4d95-a089-a37a767b716f
 pretty_name: CPU Limits Not Set
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#limits
 5f670f9d-b1b4-4c90-8618-2288f1ab9676:
 categories:
@@ -6544,6 +7176,7 @@ rules:
 group: top10-crypto-failures
 name: 5f670f9d-b1b4-4c90-8618-2288f1ab9676
 pretty_name: NAS File System Without KMS
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/nas_file_system#kms_key_id
 5f700072-b7ce-4e84-b3f3-497bf1c24a4d:
 categories:
@@ -6554,6 +7187,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 5f700072-b7ce-4e84-b3f3-497bf1c24a4d
 pretty_name: DMS Endpoint Password Exposed
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dms-endpoint.html
 5f89001f-6dd9-49ff-9b15-d8cd71b617f4:
 categories:
@@ -6563,6 +7197,7 @@ rules:
 group: cloud-resources-public-access
 name: 5f89001f-6dd9-49ff-9b15-d8cd71b617f4
 pretty_name: Kubelet Not Managing Ip Tables
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
 5fa731ea-e844-47a6-a1e8-abc25e95847e:
 categories:
@@ -6574,6 +7209,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: 5fa731ea-e844-47a6-a1e8-abc25e95847e
 pretty_name: Vulnerable OpenSSL Version
+ recommended: true
 ref: https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
 5fb49a69-8d46-4495-a2f8-9c8c622b2b6e:
 categories:
@@ -6584,6 +7220,7 @@ rules:
 group: top10-crypto-failures
 name: 5fb49a69-8d46-4495-a2f8-9c8c622b2b6e
 pretty_name: S3 Bucket Object Not Encrypted
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object#server_side_encryption
 60224630-175a-472a-9e23-133827040766:
 categories:
@@ -6596,6 +7233,7 @@ rules:
 group: top10-insecure-design
 name: 60224630-175a-472a-9e23-133827040766
 pretty_name: EC2 Not EBS Optimized
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#ebs_optimized
 60263b4a-6801-4587-911d-919c37ed733b:
 categories:
@@ -6606,6 +7244,7 @@ rules:
 group: cloud-insecure-iam
 name: 60263b4a-6801-4587-911d-919c37ed733b
 pretty_name: Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy
 60587dbd-6b67-432e-90f7-a8cf1892d968:
 categories:
@@ -6617,6 +7256,7 @@ rules:
 group: cloud-resources-public-access
 name: 60587dbd-6b67-432e-90f7-a8cf1892d968
 pretty_name: Public Security Group Rule All Ports or Protocols
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/security_group_rule#cidr_ip
 609839ae-bd81-4375-9910-5bce72ae7b92:
 categories:
@@ -6626,6 +7266,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 609839ae-bd81-4375-9910-5bce72ae7b92
 pretty_name: MSSQL Server Auditing Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server
 609cd557-66b4-41fa-8edd-2abc6c7cfd08:
 categories:
@@ -6635,6 +7276,7 @@ rules:
 group: top10-insecure-design
 name: 609cd557-66b4-41fa-8edd-2abc6c7cfd08
 pretty_name: Path Without Operation (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#pathItemObject
 60a05ede-0a68-4d0d-a58f-f538cf55ff79:
 categories:
@@ -6644,6 +7286,7 @@ rules:
 group: cloud-weak-configuration
 name: 60a05ede-0a68-4d0d-a58f-f538cf55ff79
 pretty_name: Serverless API Cache Cluster Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-cacheclusterenabled
 60af03ff-a421-45c8-b214-6741035476fa:
 categories:
@@ -6654,6 +7297,7 @@ rules:
 group: cloud-weak-configuration
 name: 60af03ff-a421-45c8-b214-6741035476fa
 pretty_name: Container Resources Limits Undefined
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod
 60b5f56b-66ff-4e1c-9b62-5753e16825bc:
 categories:
@@ -6664,6 +7308,7 @@ rules:
 group: cloud-resources-public-access
 name: 60b5f56b-66ff-4e1c-9b62-5753e16825bc
 pretty_name: Success Response Code Undefined for Put Operation (v3)
+ recommended: true
 ref: https://swagger.io/specification/#operation-object
 60bfbb8a-c72f-467f-a6dd-a46b7d612789:
 categories:
@@ -6674,6 +7319,7 @@ rules:
 group: cloud-weak-configuration
 name: 60bfbb8a-c72f-467f-a6dd-a46b7d612789
 pretty_name: ECR Image Tag Not Immutable
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_ecr_module.html
 60fb6621-9f02-473b-9424-ba9a825747d3:
 categories:
@@ -6684,6 +7330,7 @@ rules:
 group: top10-insecure-design
 name: 60fb6621-9f02-473b-9424-ba9a825747d3
 pretty_name: Link Object With Both 'operationId' And 'operationRef'
+ recommended: true
 ref: https://swagger.io/specification/#link-object
 6107c530-7178-464a-88bc-df9cdd364ac8:
 categories:
@@ -6694,6 +7341,7 @@ rules:
 group: cloud-resources-public-access
 name: 6107c530-7178-464a-88bc-df9cdd364ac8
 pretty_name: OSS Bucket Ip Restriction Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy
 610e266e-6c12-4bca-9925-1ed0cd29742b:
 categories:
@@ -6703,6 +7351,7 @@ rules:
 group: cloud-insecure-iam
 name: 610e266e-6c12-4bca-9925-1ed0cd29742b
 pretty_name: Security Opt Not Set
+ recommended: true
 ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt
 611ab018-c4aa-4ba2-b0f6-a448337509a6:
 categories:
@@ -6713,6 +7362,7 @@ rules: group: cloud-weak-configuration name: 611ab018-c4aa-4ba2-b0f6-a448337509a6 pretty_name: Using Unrecommended Namespace + recommended: true ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/ 6172e7ab-d2b7-45f8-a7db-1603931d8ba3: categories: @@ -6722,6 +7372,7 @@ rules: group: top10-insecure-design name: 6172e7ab-d2b7-45f8-a7db-1603931d8ba3 pretty_name: Responses Object Is Empty (v2) + recommended: true ref: https://swagger.io/specification/v2/#responsesObject 617ef6ff-711e-4bd7-94ae-e965911b1b40: categories: @@ -6733,6 +7384,7 @@ rules: name: 617ef6ff-711e-4bd7-94ae-e965911b1b40 pretty_name: Google Project IAM Binding Service Account has Token Creator or Account User Role + recommended: true ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_binding 61a94903-3cd3-4780-88ec-fc918819b9c8: categories: @@ -6747,6 +7399,7 @@ rules: group: top10-crypto-failures name: 61a94903-3cd3-4780-88ec-fc918819b9c8 pretty_name: ELB Using Insecure Protocols + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html 61c3cb8b-0715-47e4-b788-86dde40dd2db: categories: @@ -6756,6 +7409,7 @@ rules: group: cloud-weak-configuration name: 61c3cb8b-0715-47e4-b788-86dde40dd2db pretty_name: Dashboard Is Enabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster 61cf9883-1752-4768-b18c-0d57f2737709: categories: @@ -6766,6 +7420,7 @@ rules: group: cloud-resources-public-access name: 61cf9883-1752-4768-b18c-0d57f2737709 pretty_name: EKS Cluster Has Public Access CIDRs + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster 61d1a2d0-4db8-405a-913d-5d2ce49dff6f: categories: 
@@ -6777,6 +7432,7 @@ rules:
 group: cloud-weak-configuration
 name: 61d1a2d0-4db8-405a-913d-5d2ce49dff6f
 pretty_name: Instance With No VPC
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html
 62232513-b16f-4010-83d7-51d0e1d45426:
 categories:
@@ -6787,6 +7443,7 @@ rules:
 group: cloud-insecure-iam
 name: 62232513-b16f-4010-83d7-51d0e1d45426
 pretty_name: OSS Bucket Public Access Enabled
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#acl
 625abc0e-f980-4ac9-a775-f7519ee34296:
 categories:
@@ -6797,6 +7454,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 625abc0e-f980-4ac9-a775-f7519ee34296
 pretty_name: API Gateway Deployment Without Access Log Setting
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_deployment
 62c8cf50-87f0-4295-a974-8184ed78fe02:
 categories:
@@ -6807,6 +7465,7 @@ rules:
 group: cloud-resources-public-access
 name: 62c8cf50-87f0-4295-a974-8184ed78fe02
 pretty_name: GKE Master Authorized Networks Disabled
+ recommended: true
 ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters
 62d52544-82ef-4b75-8308-cad49d50212b:
 categories:
@@ -6816,6 +7475,7 @@ rules:
 group: cloud-weak-configuration
 name: 62d52544-82ef-4b75-8308-cad49d50212b
 pretty_name: JSON Object Schema Without Type (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#schemaObject
 63ae3638-a38c-4ff4-b616-6e1f72a31a6a:
 categories:
@@ -6828,6 +7488,7 @@ rules:
 group: cloud-insecure-iam
 name: 63ae3638-a38c-4ff4-b616-6e1f72a31a6a
 pretty_name: Cloud Storage Anonymous or Publicly Accessible
+ recommended: true
 ref: https://cloud.google.com/storage/docs/json_api/v1/buckets
 63ebcb19-2739-4d3f-aa5c-e8bbb9b85281:
 categories:
@@ -6838,6 +7499,7 @@ rules:
 group: top10-crypto-failures
 name: 63ebcb19-2739-4d3f-aa5c-e8bbb9b85281
 pretty_name: EKS Cluster Encryption Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#encryption_config
 6425c98b-ca4e-41fe-896a-c78772c131f8:
 categories:
@@ -6847,6 +7509,7 @@ rules:
 group: top10-crypto-failures
 name: 6425c98b-ca4e-41fe-896a-c78772c131f8
 pretty_name: PostgreSQL Server Infrastructure Encryption Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server#infrastructure_encryption_enabled
 6452c424-1d92-4deb-bb18-a03e95d579c4:
 categories:
@@ -6857,6 +7520,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: 6452c424-1d92-4deb-bb18-a03e95d579c4
 pretty_name: Yum install Without Version
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
 647de8aa-5a42-41b5-9faf-22136f117380:
 categories:
@@ -6868,6 +7532,7 @@ rules:
 group: cloud-weak-configuration
 name: 647de8aa-5a42-41b5-9faf-22136f117380
 pretty_name: RDS DB Instance Publicly Accessible
+ recommended: true
 ref: https://www.pulumi.com/registry/packages/aws/api-docs/rds/instance/#publiclyaccessible_yaml
 64a222aa-7793-4e40-915f-4b302c76e4d4:
 categories:
@@ -6880,6 +7545,7 @@ rules:
 group: cloud-insecure-iam
 name: 64a222aa-7793-4e40-915f-4b302c76e4d4
 pretty_name: S3 Bucket ACL Grants WRITE_ACP Permission
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl
 64ab651b-f5b2-4af0-8c89-ddd03c4d0e61:
 categories:
@@ -6891,6 +7557,7 @@ rules:
 group: top10-crypto-failures
 name: 64ab651b-f5b2-4af0-8c89-ddd03c4d0e61
 pretty_name: S3 Bucket SSE Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html
 656880aa-1388-488f-a6d4-8f73c23149b2:
 categories:
@@ -6901,6 +7568,7 @@ rules:
 group: top10-crypto-failures
 name: 656880aa-1388-488f-a6d4-8f73c23149b2
 pretty_name: RDS Database Cluster not Encrypted
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_cluster_snapshot
 65844ba3-03a1-40a8-b3dd-919f122e8c95:
 categories:
@@ -6910,6 +7578,7 @@ rules:
 group: top10-crypto-failures
 name: 65844ba3-03a1-40a8-b3dd-919f122e8c95
 pretty_name: RDS Storage Encryption Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html#cfn-rds-dbcluster-storageencrypted
 65905cec-d691-4320-b320-2000436cb696:
 categories:
@@ -6920,6 +7589,7 @@ rules:
 group: cloud-resources-public-access
 name: 65905cec-d691-4320-b320-2000436cb696
 pretty_name: Security Group With Unrestricted Access To SSH
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
 65c1bc7a-4835-4ac4-a2b6-13d310b0648d:
 categories:
@@ -6931,6 +7601,7 @@ rules:
 group: cloud-weak-configuration
 name: 65c1bc7a-4835-4ac4-a2b6-13d310b0648d
 pretty_name: Cluster Labels Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster
 65d07da5-9af5-44df-8983-52d2e6f24c44:
 categories:
@@ -6940,6 +7611,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 65d07da5-9af5-44df-8983-52d2e6f24c44
 pretty_name: CloudTrail Not Integrated With CloudWatch
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html
 660360d3-9ca7-46d1-b147-3acc4002953f:
 categories:
@@ -6950,6 +7622,7 @@ rules:
 group: top10-crypto-failures
 name: 660360d3-9ca7-46d1-b147-3acc4002953f
 pretty_name: SQL DB Instance With SSL Disabled
+ recommended: true
 ref: https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances
 663062e9-473d-4e87-99bc-6f3684b3df40:
 categories:
@@ -6961,6 +7634,7 @@ rules:
 group: top10-insecure-design
 name: 663062e9-473d-4e87-99bc-6f3684b3df40
 pretty_name: SQL Server Predictable Admin Account Name
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlserver_module.html
 663c442d-f918-4f62-b096-0bf5dcbeb655:
 categories:
@@ -6972,6 +7646,7 @@ rules:
 group: cloud-insecure-iam
 name: 663c442d-f918-4f62-b096-0bf5dcbeb655
 pretty_name: Security Field On Operations Has An Empty Array (v3)
+ recommended: true
 ref: https://swagger.io/specification/#operation-object
 66477506-6abb-49ed-803d-3fa174cd5f6a:
 categories:
@@ -6984,6 +7659,7 @@ rules:
 group: top10-crypto-failures
 name: 66477506-6abb-49ed-803d-3fa174cd5f6a
 pretty_name: Launch Configuration Is Not Encrypted
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_lc_module.html
 66505003-7aba-45a1-8d83-5162d5706ef5:
 categories:
@@ -6993,6 +7669,7 @@ rules:
 group: cloud-insecure-iam
 name: 66505003-7aba-45a1-8d83-5162d5706ef5
 pretty_name: Ram Policy Attached to User
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_user_policy_attachment
 6685d912-d81f-4cfa-95ad-e316ea31c989:
 categories:
@@ -7003,6 +7680,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 6685d912-d81f-4cfa-95ad-e316ea31c989
 pretty_name: Directory Service Simple AD Password Exposed
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-directoryservice-simplead.html
 66c6f96f-2d9e-417e-a998-9058aeeecd44:
 categories:
@@ -7016,6 +7694,7 @@ rules:
 group: cloud-insecure-iam
 name: 66c6f96f-2d9e-417e-a998-9058aeeecd44
 pretty_name: S3 Bucket Allows List Action From All Principals
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy
 66cd88ac-9ddf-424a-b77e-e55e17630bee:
 categories:
@@ -7026,6 +7705,7 @@ rules:
 group: cloud-weak-configuration
 name: 66cd88ac-9ddf-424a-b77e-e55e17630bee
 pretty_name: Batch Job Definition With Privileged Container Properties
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/batch_job_definition
 66dae697-507b-4aef-be18-eec5bd707f33:
 categories:
@@ -7035,6 +7715,7 @@ rules:
 group: cloud-weak-configuration
 name: 66dae697-507b-4aef-be18-eec5bd707f33
 pretty_name: OSLogin Is Disabled In VM Instance
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html
 66f130d9-b81d-4e8e-9b08-da74b9c891df:
 categories:
@@ -7044,6 +7725,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 66f130d9-b81d-4e8e-9b08-da74b9c891df
 pretty_name: Missing Cluster Log Types
+ recommended: true
 ref: https://www.terraform.io/docs/providers/aws/r/eks_cluster.html
 66f2d8f9-a911-4ced-ae27-34f09690bb2c:
 categories:
@@ -7054,6 +7736,7 @@ rules:
 group: cloud-resources-public-access
 name: 66f2d8f9-a911-4ced-ae27-34f09690bb2c
 pretty_name: Security Groups Allows Unrestricted Outbound Traffic
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html
 671211c5-5d2a-4e97-8867-30fc28b02216:
 categories:
@@ -7063,6 +7746,7 @@ rules:
 group: cloud-insecure-iam
 name: 671211c5-5d2a-4e97-8867-30fc28b02216
 pretty_name: API Gateway Method Does Not Contains An API Key
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method
 6726dcc0-5ff5-459d-b473-a780bef7665c:
 categories:
@@ -7074,6 +7758,7 @@ rules:
 group: top10-crypto-failures
 name: 6726dcc0-5ff5-459d-b473-a780bef7665c
 pretty_name: S3 Bucket SSE Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration
 678fd659-96f2-454a-a2a0-c2571f83a4a3:
 categories:
@@ -7084,6 +7769,7 @@ rules:
 group: cloud-resources-public-access
 name: 678fd659-96f2-454a-a2a0-c2571f83a4a3
 pretty_name: RDP Access Is Not Restricted
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall
 6797f581-0433-4768-ae3e-7ceb2f8b138e:
 categories:
@@ -7094,6 +7780,7 @@ rules:
 group: top10-insecure-design
 name: 6797f581-0433-4768-ae3e-7ceb2f8b138e
 pretty_name: Azure Instance Using Basic Authentication
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?tabs=json#linuxconfiguration-object
 67bfdff1-31ce-4525-b564-e94368735360:
 categories:
@@ -7104,6 +7791,7 @@ rules:
 group: top10-crypto-failures
 name: 67bfdff1-31ce-4525-b564-e94368735360
 pretty_name: NAS File System Not Encrypted
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/nas_file_system#encrypt_type
 67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae:
 categories:
@@ -7114,6 +7802,7 @@ rules:
 group: top10-insecure-design
 name: 67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae
 pretty_name: Last User Is 'root'
+ recommended: true
 ref: https://docs.docker.com/engine/reference/builder/#user
 68a51e22-ae5a-4d48-8e87-b01a323605c9:
 categories:
@@ -7124,6 +7813,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: 68a51e22-ae5a-4d48-8e87-b01a323605c9
 pretty_name: Using Unnamed Build Stages
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/multistage-build/
 68b6a789-82f8-4cfd-85de-e95332fe6a61:
 categories:
@@ -7133,6 +7823,7 @@ rules:
 group: cloud-weak-configuration
 name: 68b6a789-82f8-4cfd-85de-e95332fe6a61
 pretty_name: MQ Broker Is Publicly Accessible
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amazonmq-broker.html#cfn-amazonmq-broker-publiclyaccessible
 68e5fcac-390c-4939-a373-6074b7be7c71:
 categories:
@@ -7142,6 +7833,7 @@ rules:
 group: cloud-insecure-iam
 name: 68e5fcac-390c-4939-a373-6074b7be7c71
 pretty_name: Security Scheme Using HTTP Basic
+ recommended: true
 ref: https://swagger.io/specification/#security-scheme-object
 68eb4bf3-f9bf-463d-b5cf-e029bb446d2e:
 categories:
@@ -7152,6 +7844,7 @@ rules:
 group: top10-insecure-design
 name: 68eb4bf3-f9bf-463d-b5cf-e029bb446d2e
 pretty_name: Security Group Rule Without Description
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#description
 6938958b-3f1a-451c-909b-baeee14bdc97:
 categories:
@@ -7163,6 +7856,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: 6938958b-3f1a-451c-909b-baeee14bdc97
 pretty_name: Multiple ENTRYPOINT Instructions Listed
+ recommended: true
 ref: https://docs.docker.com/engine/reference/builder/#entrypoint
 6952a7e0-6e48-4285-bbc1-27c64e60f888:
 categories:
@@ -7172,6 +7866,7 @@ rules:
 group: top10-insecure-design
 name: 6952a7e0-6e48-4285-bbc1-27c64e60f888
 pretty_name: Invalid Schema External Documentation URL (v3)
+ recommended: true
 ref: https://swagger.io/specification/#external-documentation-object
 698a464e-bb3e-4ba8-ab5e-e6599b7644a0:
 categories:
@@ -7182,6 +7877,7 @@ rules:
 group: top10-insecure-design
 name: 698a464e-bb3e-4ba8-ab5e-e6599b7644a0
 pretty_name: Components Parameter Definition Is Unused
+ recommended: true
 ref: https://swagger.io/specification/#components-object
 698ed579-b239-4f8f-a388-baa4bcb13ef8:
 categories:
@@ -7191,6 +7887,7 @@ rules:
 group: top10-insecure-design
 name: 698ed579-b239-4f8f-a388-baa4bcb13ef8
 pretty_name: Healthcheck Not Set
+ recommended: true
 ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#healthcheck
 6998389e-66b2-473d-8d05-c8d71ac4d04d:
 categories:
@@ -7201,6 +7898,7 @@ rules:
 group: cloud-weak-configuration
 name: 6998389e-66b2-473d-8d05-c8d71ac4d04d
 pretty_name: Array Without Maximum Number of Items (v3)
+ recommended: true
 ref: https://swagger.io/specification/#schema-object
 69b5d7da-a5db-4db9-a42e-90b65d0efb0b:
 categories:
@@ -7211,6 +7909,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 69b5d7da-a5db-4db9-a42e-90b65d0efb0b
 pretty_name: ActionTrail Trail OSS Bucket is Publicly Accessible
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/actiontrail_trail
 69bbc5e3-0818-4150-89cc-1e989b48f23b:
 categories:
@@ -7221,6 +7920,7 @@ rules:
 group: cloud-weak-configuration
 name: 69bbc5e3-0818-4150-89cc-1e989b48f23b
 pretty_name: Ingress Controller Exposes Workload
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/
 69d7aefd-149d-47b8-8d89-1c2181a8067b:
 categories:
@@ -7231,6 +7931,7 @@ rules:
 group: top10-insecure-design
 name: 69d7aefd-149d-47b8-8d89-1c2181a8067b
 pretty_name: Path Parameter With No Corresponding Template Path (v3)
+ recommended: true
 ref: https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#pathTemplating
 69e7c320-b65d-41bb-be02-d63ecc0bcc9d:
 categories:
@@ -7240,6 +7941,7 @@ rules:
 group: top10-insecure-design
 name: 69e7c320-b65d-41bb-be02-d63ecc0bcc9d
 pretty_name: ECR Repository Without Policy
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy
 69f72007-502e-457b-bd2d-5012e31ac049:
 categories:
@@ -7250,6 +7952,7 @@ rules:
 group: cloud-resources-public-access
 name: 69f72007-502e-457b-bd2d-5012e31ac049
 pretty_name: Firewall Rule Allows Too Many Hosts To Access Redis Cache
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html
 6a2c219f-da5e-4745-941e-5ea8cde23356:
 categories:
@@ -7259,6 +7962,7 @@ rules:
 group: top10-insecure-design
 name: 6a2c219f-da5e-4745-941e-5ea8cde23356
 pretty_name: Example JSON Reference Does Not Exists
+ recommended: true
 ref: https://swagger.io/specification/#components-object
 6a3201a5-1630-494b-b294-3129d06b0eca:
 categories:
@@ -7270,6 +7974,7 @@ rules:
 group: cloud-resources-public-access
 name: 6a3201a5-1630-494b-b294-3129d06b0eca
 pretty_name: SQL Database Server Firewall Allows All IPS
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2014-04-01/servers/firewallrules?tabs=json
 6a4080ae-79bd-42f6-a924-8f534c1c018b:
 categories:
@@ -7280,6 +7985,7 @@ rules:
 group: cloud-resources-public-access
 name: 6a4080ae-79bd-42f6-a924-8f534c1c018b
 pretty_name: Google Compute Subnetwork with Private Google Access Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_subnetwork_module.html#parameter-private_ip_google_access
 6a647814-def5-4b85-88f5-897c19f509cd:
 categories:
@@ -7291,6 +7997,7 @@ rules:
 group: top10-crypto-failures
 name: 6a647814-def5-4b85-88f5-897c19f509cd
 pretty_name: Redshift Not Encrypted
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#encrypted
 6a68bebe-c021-492e-8ddb-55b0567fb768:
 categories:
@@ -7303,6 +8010,7 @@ rules:
 group: cloud-weak-configuration
 name: 6a68bebe-c021-492e-8ddb-55b0567fb768
 pretty_name: Security Context Deny Admission Control Plugin Not Set
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 6a6d7e56-c913-4549-b5c5-5221e624d2ec:
 categories:
@@ -7316,6 +8024,7 @@ rules:
 group: cloud-insecure-iam
 name: 6a6d7e56-c913-4549-b5c5-5221e624d2ec
 pretty_name: S3 Bucket With All Permissions
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-policy
 6ad087d7-a509-4b20-b853-9ef6f5ebaa98:
 categories:
@@ -7326,6 +8035,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 6ad087d7-a509-4b20-b853-9ef6f5ebaa98
 pretty_name: CloudTrail Multi Region Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html#parameter-is_multi_region_trail
 6b2739db-9c49-4db7-b980-7816e0c248c1:
 categories:
@@ -7336,6 +8046,7 @@ rules:
 group: cloud-resources-public-access
 name: 6b2739db-9c49-4db7-b980-7816e0c248c1
 pretty_name: API Gateway Endpoint Config is Not Private
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api
 6b376af8-cfe8-49ab-a08d-f32de23661a4:
 categories:
@@ -7347,6 +8058,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: 6b376af8-cfe8-49ab-a08d-f32de23661a4
 pretty_name: WORKDIR Path Not Absolute
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir
 6b5b0313-771b-4319-ad7a-122ee78700ef:
 categories:
@@ -7357,6 +8069,7 @@ rules:
 group: cloud-resources-public-access
 name: 6b5b0313-771b-4319-ad7a-122ee78700ef
 pretty_name: Serverless API Endpoint Config Not Private
+ recommended: true
 ref: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-endpointconfiguration
 6b610c50-99fb-4ef0-a5f3-e312fd945bc3:
 categories:
@@ -7367,6 +8080,7 @@ rules:
 group: cloud-insecure-iam
 name: 6b610c50-99fb-4ef0-a5f3-e312fd945bc3
 pretty_name: Cpus Not Limited
+ recommended: true
 ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#resources
 6b6874fe-4c2f-4eea-8b90-7cceaa4a125e:
 categories:
@@ -7377,6 +8091,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 6b6874fe-4c2f-4eea-8b90-7cceaa4a125e
 pretty_name: CloudWatch Network Gateways Changes Alarm Missing
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern
 6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a:
 categories:
@@ -7386,6 +8101,7 @@ rules:
 group: cloud-insecure-iam
 name: 6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a
 pretty_name: Shared Host Network Namespace
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
 6b76f589-9713-44ab-97f5-59a3dba1a285:
 categories:
@@ -7396,6 +8112,7 @@ rules:
 group: top10-insecure-design
 name: 6b76f589-9713-44ab-97f5-59a3dba1a285
 pretty_name: Components Request Body Definition Is Unused
+ recommended: true
 ref: https://swagger.io/specification/#components-object
 6b896afb-ca07-467a-b256-1a0077a1c08e:
 categories:
@@ -7408,6 +8125,7 @@ rules:
 group: cloud-insecure-iam
 name: 6b896afb-ca07-467a-b256-1a0077a1c08e
 pretty_name: RBAC Wildcard In Rule
+ recommended: true
 ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 6c131358-c54d-419b-9dd6-1f7dd41d180c:
 categories:
@@ -7420,6 +8138,7 @@ rules:
 group: top10-crypto-failures
 name: 6c131358-c54d-419b-9dd6-1f7dd41d180c
 pretty_name: ECS Cluster Not Encrypted At Rest
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html
 6c2d627c-de0f-45fb-b33d-dad9bffbb421:
 categories:
@@ -7430,6 +8149,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 6c2d627c-de0f-45fb-b33d-dad9bffbb421
 pretty_name: Cloud Storage Bucket Logging Not Enabled
+ recommended: true
 ref: https://doc.crds.dev/github.com/crossplane/provider-gcp/storage.gcp.crossplane.io/Bucket/v1alpha3@v0.21.0#spec-logging
 6c35d2c6-09f2-4e5c-a094-e0e91327071d:
 categories:
@@ -7443,6 +8163,7 @@ rules:
 group: cloud-resources-public-access
 name: 6c35d2c6-09f2-4e5c-a094-e0e91327071d
 pretty_name: Response Code Missing (v3)
+ recommended: true
 ref: https://swagger.io/specification/#operation-object
 6c7cfec3-c686-4ed2-bf58-a1ec054b63fc:
 categories:
@@ -7452,6 +8173,7 @@ rules:
 group: top10-crypto-failures
 name: 6c7cfec3-c686-4ed2-bf58-a1ec054b63fc
 pretty_name: Redis Cache Allows Non SSL Connections
+ recommended: true
 ref: https://doc.crds.dev/github.com/crossplane/provider-azure/cache.azure.crossplane.io/Redis/v1beta1@v0.19.0#spec-forProvider-enableNonSslPort
 6c8d51af-218d-4bfb-94a9-94eabaa0703a:
 categories:
@@ -7461,6 +8183,7 @@ rules:
 group: cloud-weak-configuration
 name: 6c8d51af-218d-4bfb-94a9-94eabaa0703a
 pretty_name: S3 Bucket Without Ignore Public ACL
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html
 6ccb85d7-0420-4907-9380-50313f80946b:
 categories:
@@ -7473,6 +8196,7 @@ rules:
 group: cloud-weak-configuration
 name: 6ccb85d7-0420-4907-9380-50313f80946b
 pretty_name: Private Cluster Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster
 6cf42c97-facd-4fda-b8af-ea4529123355:
 categories:
@@ -7482,6 +8206,7 @@ rules:
 group: cloud-weak-configuration
 name: 6cf42c97-facd-4fda-b8af-ea4529123355
 pretty_name: Kubelet Protect Kernel Defaults Set To False
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
 6cf4c3a7-ceb0-4475-8892-3745b84be24a:
 categories:
@@ -7492,6 +8217,7 @@ rules:
 group: top10-crypto-failures
 name: 6cf4c3a7-ceb0-4475-8892-3745b84be24a
 pretty_name: DNSSEC Using RSASHA1
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_dns_managed_zone_module.html#return-dnssecConfig/defaultKeySpecs/algorithm
 6d087495-2a42-4735-abf7-02ef5660a7e6:
 categories:
@@ -7503,6 +8229,7 @@ rules:
 group: top10-crypto-failures
 name: 6d087495-2a42-4735-abf7-02ef5660a7e6
 pretty_name: EFS Without KMS
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html
 6d173be7-545a-46c6-a81d-2ae52ed1605d:
 categories:
@@ -7513,6 +8240,7 @@ rules:
 group: cloud-weak-configuration
 name: 6d173be7-545a-46c6-a81d-2ae52ed1605d
 pretty_name: Tiller (Helm v2) Is Deployed
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/containers/images/
 6d19ce0f-b3d8-4128-ac3d-1064e0f00494:
 categories:
@@ -7523,6 +8251,7 @@ rules:
 group: cloud-resources-public-access
 name: 6d19ce0f-b3d8-4128-ac3d-1064e0f00494
 pretty_name: CloudFront Without WAF
+ recommended: true
 ref: https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-webACLID
 6d23d87e-1c5b-4308-b224-92624300f29b:
 categories:
@@ -7533,6 +8262,7 @@ rules:
 group: cloud-insecure-iam
 name: 6d23d87e-1c5b-4308-b224-92624300f29b
 pretty_name: User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy
 6d2e0790-cc3d-4c74-b973-d4e8b09f4455:
 categories:
@@ -7542,6 +8272,7 @@ rules:
 group: top10-insecure-design
 name: 6d2e0790-cc3d-4c74-b973-d4e8b09f4455
 pretty_name: Global Schema Definition Not Being Used
+ recommended: true
 ref: https://swagger.io/specification/v2/#definitionsObject
 6d34aff3-fdd2-460c-8190-756a3b4969e8:
 categories:
@@ -7552,6 +8283,7 @@ rules:
 group: cloud-weak-configuration
 name: 6d34aff3-fdd2-460c-8190-756a3b4969e8
 pretty_name: Cloud SQL Instance With Contained Database Authentication On
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags
 6d64f311-3da6-45f3-80f1-14db9771ea40:
 categories:
@@ -7562,6 +8294,7 @@ rules:
 group: cloud-weak-configuration
 name: 6d64f311-3da6-45f3-80f1-14db9771ea40
 pretty_name: Permissive Web ACL Default Action
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-webacl.html
 6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35:
 categories:
@@ -7572,6 +8305,7 @@ rules:
 group: top10-crypto-failures
 name: 6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35
 pretty_name: DNSSEC Using RSASHA1
+ recommended: true
 ref: https://cloud.google.com/dns/docs/reference/v1/managedZones
 6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8:
 categories:
@@ -7581,6 +8315,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8
 pretty_name: Secrets As Environment Variables
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#secret_key_ref
 6db03a91-f933-4f13-ab38-a8b87a7de54d:
 categories:
@@ -7591,6 +8326,7 @@ rules:
 group: top10-insecure-design
 name: 6db03a91-f933-4f13-ab38-a8b87a7de54d
 pretty_name: ElastiCache Nodes Not Created Across Multi AZ
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster
 6db52fa6-d4da-4608-908a-89f0c59e743e:
 categories:
@@ -7601,6 +8337,7 @@ rules:
 group: top10-crypto-failures
 name: 6db52fa6-d4da-4608-908a-89f0c59e743e
 pretty_name: MSK Cluster Encryption Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#encryption_info
 6db6e0c2-32a3-4a2e-93b5-72c35f4119db:
 categories:
@@ -7612,6 +8349,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: 6db6e0c2-32a3-4a2e-93b5-72c35f4119db
 pretty_name: Copy With More Than Two Arguments Not Ending With Slash
+ recommended: true
 ref: https://docs.docker.com/engine/reference/builder/#copy
 6deb34e2-5d9c-499a-801b-ea6d9eda894f:
 categories:
@@ -7622,6 +8360,7 @@ rules:
 group: cloud-insecure-iam
 name: 6deb34e2-5d9c-499a-801b-ea6d9eda894f
 pretty_name: User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy
 6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97:
 categories:
@@ -7632,6 +8371,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: 6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97
 pretty_name: Stack Retention Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance#stack_set_name
 6e19193a-8753-436d-8a09-76dcff91bb03:
 categories:
@@ -7641,6 +8381,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: 6e19193a-8753-436d-8a09-76dcff91bb03
 pretty_name: Yum Install Allows Manual Input
+ recommended: true
 ref: https://docs.docker.com/engine/reference/builder/#run
 6e2b1ec1-1eca-4eb7-9d4d-2882680b4811:
 categories:
@@ -7650,6 +8391,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 6e2b1ec1-1eca-4eb7-9d4d-2882680b4811
 pretty_name: Project-wide SSH Keys Are Enabled In VM Instances
+ recommended: true
 ref: https://cloud.google.com/compute/docs/reference/rest/v1/instances
 6e3fd2ed-5c83-4c68-9679-7700d224d379:
 categories:
@@ -7660,6 +8402,7 @@ rules:
 group: top10-insecure-design
 name: 6e3fd2ed-5c83-4c68-9679-7700d224d379
 pretty_name: ALB Not Dropping Invalid Headers
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
 6e856af2-62d7-4ba2-adc1-73b62cef9cc1:
 categories:
@@ -7670,6 +8413,7 @@ rules:
 group: cloud-resources-public-access
 name: 6e856af2-62d7-4ba2-adc1-73b62cef9cc1
 pretty_name: Security Group With Unrestricted Access To SSH
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html
 6e8849c1-3aa7-40e3-9063-b85ee300f29f:
 categories:
@@ -7680,6 +8424,7 @@ rules:
 group: top10-crypto-failures
 name: 6e8849c1-3aa7-40e3-9063-b85ee300f29f
 pretty_name: SQS With SSE Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue
 6e96ed39-bf45-4089-99ba-f1fe7cf6966f:
 categories:
@@ -7693,6 +8438,7 @@ rules:
 group: cloud-resources-public-access
 name: 6e96ed39-bf45-4089-99ba-f1fe7cf6966f
 pretty_name: Response Code Missing (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#operation-object
 6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d:
 categories:
@@ -7702,6 +8448,7 @@ rules:
 group: cloud-insecure-iam
 name: 6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d
 pretty_name: SDB Domain Declared As A Resource
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-simpledb.html
 6ef03ff6-a2bd-483c-851f-631f248bc0ea:
 categories:
@@ -7722,6 +8469,7 @@ rules:
 group: top10-insecure-design
 name: 6f5f5444-1422-495f-81ef-24cefd61ed2c
 pretty_name: Password Without Reuse Prevention
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html#parameter-pw_reuse_prevent
 6fa44721-ef21-41c6-8665-330d59461163:
 categories:
@@ -7735,6 +8483,7 @@ rules:
 group: cloud-insecure-iam
 name: 6fa44721-ef21-41c6-8665-330d59461163
 pretty_name: S3 Bucket Allows Delete Action From All Principals
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html
 70111098-7f85-48f0-b1b4-e4261cf5f61b:
 categories:
@@ -7744,6 +8493,7 @@ rules:
 group: cloud-resources-public-access
 name: 70111098-7f85-48f0-b1b4-e4261cf5f61b
 pretty_name: Website with 'Http20Enabled' Disabled
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites?tabs=json#siteproperties-object
 704dadd3-54fc-48ac-b6a0-02f170011473:
 categories:
@@ -7753,6 +8503,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 704dadd3-54fc-48ac-b6a0-02f170011473
 pretty_name: GuardDuty Detector Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector#example-usage
 704fcc44-a58f-4af5-82e2-93f2a58ef918:
 categories:
@@ -7763,6 +8514,7 @@ rules:
 group: top10-insecure-design
 name: 704fcc44-a58f-4af5-82e2-93f2a58ef918
 pretty_name: User with IAM Role
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/iam_policy#role
 7081f85c-b94d-40fd-8b45-a4f1cac75e46:
 categories:
@@ -7772,6 +8524,7 @@ rules:
 group: cloud-insecure-iam
 name: 7081f85c-b94d-40fd-8b45-a4f1cac75e46
 pretty_name: IAM Access Key Is Exposed
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key
 70919c0b-2548-4e6b-8d7a-3d84ab6dabba:
 categories:
@@ -7781,6 +8534,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: 70919c0b-2548-4e6b-8d7a-3d84ab6dabba
 pretty_name: OSS Bucket Versioning Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#versioning
 709e6da6-fa1f-44cc-8f17-7f25f96dadbe:
 categories:
@@ -7793,6 +8547,7 @@ rules:
 group: top10-crypto-failures
 name: 709e6da6-fa1f-44cc-8f17-7f25f96dadbe
 pretty_name: SageMaker Data Encryption Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sagemaker-notebookinstance.html
 70b42736-efee-4bce-80d5-50358ed94990:
 categories:
@@ -7803,6 +8558,7 @@ rules:
 group: cloud-insecure-iam
 name: 70b42736-efee-4bce-80d5-50358ed94990
 pretty_name: Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy
 70cb518c-d990-46f6-bc05-44a5041493d6:
 categories:
@@ -7813,6 +8569,7 @@ rules:
 group: cloud-insecure-iam
 name: 70cb518c-d990-46f6-bc05-44a5041493d6
 pretty_name: User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy
 70d3873e-d537-46e5-ac3b-4e48fbdd29b4:
 categories:
@@ -7822,6 +8579,7 @@ rules:
 group: cloud-insecure-iam
 name: 70d3873e-d537-46e5-ac3b-4e48fbdd29b4
 pretty_name: Cleartext API Key In Global Security (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#securityDefinitionsObject
 71397b34-1d50-4ee1-97cb-c96c34676f74:
 categories:
@@ -7832,6 +8590,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 71397b34-1d50-4ee1-97cb-c96c34676f74
 pretty_name: Lambda Functions Without X-Ray Tracing
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_module.html
 71493c8b-3014-404c-9802-078b74496fb7:
 categories:
@@ -7842,6 +8601,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 71493c8b-3014-404c-9802-078b74496fb7
 pretty_name: Amplify App Basic Auth Config Password Exposed
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-amplify-app-basicauthconfig.html
 71beb6ab-8b70-4816-a9ac-a0ff1fb22a62:
 categories:
@@ -7851,6 +8611,7 @@ rules:
 group: top10-insecure-design
 name: 71beb6ab-8b70-4816-a9ac-a0ff1fb22a62
 pretty_name: Properties Missing Required Property (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#schemaObject
 71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e:
 categories:
@@ -7861,6 +8622,7 @@ rules:
 group: top10-insecure-design
 name: 71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e
 pretty_name: UNIX Ports Out Of Range
+ recommended: true
 ref: https://docs.docker.com/engine/reference/builder/#expose
 71ea648a-d31a-4b5a-a589-5674243f1c33:
 categories:
@@ -7871,6 +8633,7 @@ rules:
 group: cloud-resources-public-access
 name: 71ea648a-d31a-4b5a-a589-5674243f1c33
 pretty_name: Public Port Wide
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html
 722b0f24-5a64-4cca-aa96-cfc26b7e3a5b:
 categories:
@@ -7882,6 +8645,7 @@ rules:
 group: cloud-resources-public-access
 name: 722b0f24-5a64-4cca-aa96-cfc26b7e3a5b
 pretty_name: Unknown Port Exposed To Internet
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html
 7249e3b0-9231-4af3-bc5f-5daf4988ecbf:
 categories:
@@ -7892,6 +8656,7 @@ rules:
 group: top10-insecure-design
 name: 7249e3b0-9231-4af3-bc5f-5daf4988ecbf
 pretty_name: StatefulSet Without PodDisruptionBudget
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#selector
 727c4fd4-d604-4df6-a179-7713d3c85e20:
 categories:
@@ -7902,6 +8667,7 @@ rules:
 group: top10-crypto-failures
 name: 727c4fd4-d604-4df6-a179-7713d3c85e20
 pretty_name: EFS Not Encrypted
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-encrypt
 72840c35-3876-48be-900d-f21b2f0c2ea1:
 categories:
@@ -7912,6 +8678,7 @@ rules:
 group: top10-crypto-failures
 name: 72840c35-3876-48be-900d-f21b2f0c2ea1
 pretty_name: EFS Not Encrypted
+ recommended: true
 ref: https://doc.crds.dev/github.com/crossplane/provider-aws/efs.aws.crossplane.io/FileSystem/v1alpha1@v0.29.0#spec-forProvider-encrypted
 7289eebd-a477-4064-8ad4-3c044bd70b00:
 categories:
@@ -7922,6 +8689,7 @@ rules:
 group: cloud-resources-public-access
 name: 7289eebd-a477-4064-8ad4-3c044bd70b00
 pretty_name: Google Compute Network Using Firewall Rule that Allows Port Range
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html#parameter-allowed
 729ebb15-8060-40f7-9017-cb72676a5487:
 categories:
@@ -7932,6 +8700,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 729ebb15-8060-40f7-9017-cb72676a5487
 pretty_name: PostgreSQL Log Duration Not Set
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html
 72a931c2-12f5-40d1-93cc-47bff2f7aa2a:
 categories:
@@ -7941,6 +8710,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 72a931c2-12f5-40d1-93cc-47bff2f7aa2a
 pretty_name: API Gateway With CloudWatch Logging Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudwatchlogs_log_group_module.html#ansible-collections-community-aws-cloudwatchlogs-log-group-module
 72ceb736-0aee-43ea-a191-3a69ab135681:
 categories:
@@ -7951,6 +8721,7 @@ rules:
 group: cloud-insecure-iam
 name: 72ceb736-0aee-43ea-a191-3a69ab135681
 pretty_name: No ROS Stack Policy
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ros_stack
 72d259ca-9741-48dd-9f62-eb11f2936b37:
 categories:
@@ -7961,6 +8732,7 @@ rules:
 group: top10-insecure-design
 name: 72d259ca-9741-48dd-9f62-eb11f2936b37
 pretty_name: Header Parameter Named as 'Content-Type' (v3)
+ recommended: true
 ref: https://swagger.io/specification/#parameter-object
 730675f9-52ed-49b6-8ead-0acb5dd7df7f:
 categories:
@@ -7972,6 +8744,7 @@ rules:
 group: cloud-insecure-iam
 name: 730675f9-52ed-49b6-8ead-0acb5dd7df7f
 pretty_name: SQS Policy With Public Access
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy
 7307579a-3abb-46ad-9ce5-2a915634d5c8:
 categories:
@@ -7981,6 +8754,7 @@ rules:
 group: cloud-weak-configuration
 name: 7307579a-3abb-46ad-9ce5-2a915634d5c8
 pretty_name: PSP With Added Capabilities
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
 730a5951-2760-407a-b032-dd629b55c23a:
 categories:
@@ -7994,6 +8768,7 @@ rules:
 group: top10-crypto-failures
 name: 730a5951-2760-407a-b032-dd629b55c23a
 pretty_name: ELB Using Insecure Protocols
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html
 7350fa23-dcf7-4938-916d-6a60b0c73b50:
 categories:
@@ -8005,6 +8780,7 @@ rules:
 group: top10-insecure-design
 name: 7350fa23-dcf7-4938-916d-6a60b0c73b50
 pretty_name: CMK Is Unusable
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#is_enabled
 737a0dd9-0aaa-4145-8118-f01778262b8a:
 categories:
@@ -8014,6 +8790,7 @@ rules:
 group: cloud-weak-configuration
 name: 737a0dd9-0aaa-4145-8118-f01778262b8a
 pretty_name: Default Service Account In Use
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account#automount_service_account_token
 7384dfb2-fcd1-4fbf-91cd-6c44c318c33c:
 categories:
@@ -8024,6 +8801,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: 7384dfb2-fcd1-4fbf-91cd-6c44c318c33c
 pretty_name: APT-GET Not Avoiding Additional Packages
+ recommended: true
 ref: https://docs.docker.com/engine/reference/builder/#run
 73980e43-f399-4fcc-a373-658228f7adf7:
 categories:
@@ -8034,6 +8812,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 73980e43-f399-4fcc-a373-658228f7adf7
 pretty_name: Amplify App Access Token Exposed
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amplify-app.html
 73c3bc54-3cc6-4c0a-b30a-e19f2abfc951:
 categories:
@@ -8043,6 +8822,7 @@ rules:
 group: top10-insecure-design
 name: 73c3bc54-3cc6-4c0a-b30a-e19f2abfc951
 pretty_name: Non Body Parameter Without Schema
+ recommended: true
 ref: https://swagger.io/specification/v2/#parameterObject
 73d59e76-a12c-4b74-a3d8-d3e1e19c25b3:
 categories:
@@ -8053,6 +8833,7 @@ rules:
 group: cloud-resources-public-access
 name: 73d59e76-a12c-4b74-a3d8-d3e1e19c25b3
 pretty_name: EKS node group remote access
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-nodegroup.html
 73e251f0-363d-4e53-86e2-0a93592437eb:
 categories:
@@ -8063,6 +8844,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 73e251f0-363d-4e53-86e2-0a93592437eb
 pretty_name: Audit Log Path Not Set
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 73e42469-3a86-4f39-ad78-098f325b4e9f:
 categories:
@@ -8074,6 +8856,7 @@ rules:
 group: top10-crypto-failures
 name: 73e42469-3a86-4f39-ad78-098f325b4e9f
 pretty_name: MySQL SSL Connection Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_server
 73fb21a1-b19a-45b1-b648-b47b1678681e:
 categories:
@@ -8086,6 +8869,7 @@ rules:
 group: cloud-weak-configuration
 name: 73fb21a1-b19a-45b1-b648-b47b1678681e
 pretty_name: Legacy Client Certificate Auth Enabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster
 741f1291-47ac-4a85-a07b-3d32a9d6bd3e:
 categories:
@@ -8096,6 +8880,7 @@ rules:
 group: top10-insecure-design
 name: 741f1291-47ac-4a85-a07b-3d32a9d6bd3e
 pretty_name: DynamoDB Table Point In Time Recovery Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#point_in_time_recovery
 74581e3b-1d55-4323-a139-5959a7b3abc5:
 categories:
@@ -8107,6 +8892,7 @@ rules:
 group: cloud-insecure-iam
 name: 74581e3b-1d55-4323-a139-5959a7b3abc5
 pretty_name: Security Field On Operations Has An Empty Object Definition (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#operation-object
 74703c89-0ea2-49ab-a7db-bf04f19f5a57:
 categories:
@@ -8118,6 +8904,7 @@ rules:
 group: cloud-insecure-iam
 name: 74703c89-0ea2-49ab-a7db-bf04f19f5a57
 pretty_name: Global Security Field Is Undefined (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#securityRequirementObject
 74a18d1a-cf02-4a31-8791-ed0967ad7fdc:
 categories:
@@ -8128,6 +8915,7 @@ rules:
 group: top10-insecure-design
 name: 74a18d1a-cf02-4a31-8791-ed0967ad7fdc
 pretty_name: Cognito UserPool Without MFA
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html
 750b40be-4bac-4f59-bdc4-1ca0e6c3450e:
 categories:
@@ -8137,6 +8925,7 @@ rules:
 group: top10-insecure-design
 name: 750b40be-4bac-4f59-bdc4-1ca0e6c3450e
 pretty_name: Property Not Unique
+ recommended: true
 ref: https://swagger.io/specification/v2/#schemaObject
 750f6448-27c0-49f8-a153-b81735c1e19c:
 categories:
@@ -8147,6 +8936,7 @@ rules:
 group: top10-insecure-design
 name: 750f6448-27c0-49f8-a153-b81735c1e19c
 pretty_name: Multi 'collectionformat' Not Valid For 'in' Parameter
+ recommended: true
 ref: https://swagger.io/specification/v2/#parameterObject
 75418eb9-39ec-465f-913c-6f2b6a80dc77:
 categories:
@@ -8157,6 +8947,7 @@ rules:
 group: cloud-resources-public-access
 name: 75418eb9-39ec-465f-913c-6f2b6a80dc77
 pretty_name: RDP Access Is Not Restricted
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html
 75480b31-f349-4b9a-861f-bce19588e674:
 categories:
@@ -8167,6 +8958,7 @@ rules:
 group: cloud-insecure-iam
 name: 75480b31-f349-4b9a-861f-bce19588e674
 pretty_name: S3 Bucket ACL Allows Read to Any Authenticated User
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission
 75be209d-1948-41f6-a8c8-e22dd0121134:
 categories:
@@ -8176,6 +8968,7 @@ rules:
 group: cloud-insecure-iam
 name: 75be209d-1948-41f6-a8c8-e22dd0121134
 pretty_name: ECR Repository Is Publicly Accessible
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html
 75ec6890-83af-4bf1-9f16-e83726df0bd0:
 categories:
@@ -8186,6 +8979,7 @@ rules:
 group: top10-insecure-design
 name: 75ec6890-83af-4bf1-9f16-e83726df0bd0
 pretty_name: Lambda Permission Misconfigured
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission
 7674a686-e4b1-4a95-83d4-1fd53c623d84:
 categories:
@@ -8196,6 +8990,7 @@ rules:
 group: top10-crypto-failures
 name: 7674a686-e4b1-4a95-83d4-1fd53c623d84
 pretty_name: Config Rule For Encrypted Volumes Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_config_rule_module.html#parameter-source/identifier
 768aab52-2504-4a2f-a3e3-329d5a679848:
 categories:
@@ -8206,6 +9001,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 768aab52-2504-4a2f-a3e3-329d5a679848
 pretty_name: Audit Log Maxbackup Not Properly Set
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 76976de7-c7b1-4f64-a94f-90c1345914c2:
 categories:
@@ -8215,6 +9011,7 @@ rules:
 group: top10-crypto-failures
 name: 76976de7-c7b1-4f64-a94f-90c1345914c2
 pretty_name: ElastiCache Replication Group Not Encrypted At Rest
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group#at_rest_encryption_enabled
 76ddf32c-85b1-4808-8935-7eef8030ab36:
 categories:
@@ -8225,6 +9022,7 @@ rules:
 group: cloud-weak-configuration
 name: 76ddf32c-85b1-4808-8935-7eef8030ab36
 pretty_name: Batch Job Definition With Privileged Container Properties
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-batch-jobdefinition.html
 77276d82-4f45-4cf1-8e2b-4d345b936228:
 categories:
@@ -8235,6 +9033,7 @@ rules:
 group: cloud-insecure-iam
 name: 77276d82-4f45-4cf1-8e2b-4d345b936228
 pretty_name: Global Security Scheme Using Basic Authentication
+ recommended: true
 ref: https://swagger.io/specification/#security-scheme-object
 773116aa-2e6d-416f-bd85-f0301cc05d76:
 categories:
@@ -8245,6 +9044,7 @@ rules:
 group: cloud-insecure-iam
 name: 773116aa-2e6d-416f-bd85-f0301cc05d76
 pretty_name: Security Definitions Allows Password Flow
+ recommended: true
 ref: https://swagger.io/specification/v2/#securitySchemeObject
 7750fcca-dd03-4d38-b663-4b70289bcfd4:
 categories:
@@ -8258,6 +9058,7 @@ rules:
 group: cloud-weak-configuration
 name: 7750fcca-dd03-4d38-b663-4b70289bcfd4
 pretty_name: Small Flow Logs Retention Period
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_watcher_flow_log
 7772bb8c-c0f3-42d4-8e4e-f1b8939ad085:
 categories:
@@ -8269,6 +9070,7 @@ rules:
 group: cloud-insecure-iam
 name: 7772bb8c-c0f3-42d4-8e4e-f1b8939ad085
 pretty_name: S3 Bucket Access to Any Principal
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
 77783205-c4ca-4f80-bb80-c777f267c547:
 categories:
@@ -8278,6 +9080,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: 77783205-c4ca-4f80-bb80-c777f267c547
 pretty_name: APT-GET Missing '-y' To Avoid Manual Input
+ recommended: true
 ref: https://docs.docker.com/engine/reference/builder/#run
 7782d4b3-e23e-432b-9742-d9528432e771:
 categories:
@@ -8288,6 +9091,7 @@ rules:
 group: cloud-insecure-iam
 name: 7782d4b3-e23e-432b-9742-d9528432e771
 pretty_name: Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy
 77b6f1e2-bde4-4a6a-ae7e-a40659ff1576:
 categories:
@@ -8299,6 +9103,7 @@ rules:
 group: cloud-resources-public-access
 name: 77b6f1e2-bde4-4a6a-ae7e-a40659ff1576
 pretty_name: EC2 Network ACL Overlapping Ports
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-networkaclentry-portrange.html
 77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc:
 categories:
@@ -8309,6 +9114,7 @@ rules:
 group: cloud-insecure-iam
 name: 77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc
 pretty_name: Cloud Storage Bucket Is Publicly Accessible
+ recommended: true
 ref: https://cloud.google.com/storage/docs/json_api/v1/bucketAccessControls
 78055456-f670-4d2e-94d5-392d1cf4f5e4:
 categories:
@@ -8320,6 +9126,7 @@ rules:
 group: cloud-resources-public-access
 name: 78055456-f670-4d2e-94d5-392d1cf4f5e4
 pretty_name: ELB Sensitive Port Is Exposed To Entire Network
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html
 7814ddda-e758-4a56-8be3-289a81ded929:
 categories:
@@ -8330,6 +9137,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 7814ddda-e758-4a56-8be3-289a81ded929
 pretty_name: Cloud Storage Bucket Versioning Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_storage_bucket_module.html#parameter-versioning
 783860a3-6dca-4c8b-81d0-7b62769ccbca:
 categories:
@@ -8340,6 +9148,7 @@ rules: group: top10-security-logging-monitoring-failures name: 783860a3-6dca-4c8b-81d0-7b62769ccbca pretty_name: API Gateway Deployment Without API Gateway UsagePlan Associated + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-deployment.html 78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07: categories: @@ -8350,6 +9159,7 @@ rules: group: top10-insecure-design name: 78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07 pretty_name: Default Invalid (v2) + recommended: true ref: https://swagger.io/specification/v2/#schemaObject 78f1ec6f-5659-41ea-bd48-d0a142dce4f2: categories: @@ -8361,6 +9171,7 @@ rules: name: 78f1ec6f-5659-41ea-bd48-d0a142dce4f2 pretty_name: Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy 79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92: categories: @@ -8371,6 +9182,7 @@ rules: group: cloud-resources-public-access name: 79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92 pretty_name: Email Notifications Disabled + recommended: true ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.security/securitycontacts 79d745f0-d5f3-46db-9504-bef73e9fd528: categories: @@ -8380,6 +9192,7 @@ rules: group: top10-insecure-design name: 79d745f0-d5f3-46db-9504-bef73e9fd528 pretty_name: ECS Service Without Running Tasks + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#cfn-ecs-service-deploymentconfiguration 7a01dfbd-da62-4165-aed7-71349ad42ab4: categories: @@ -8389,6 +9202,7 @@ rules: group: top10-insecure-design name: 7a01dfbd-da62-4165-aed7-71349ad42ab4 pretty_name: Response JSON Reference Does Not Exists (v3) + recommended: true ref: https://swagger.io/specification/#components-object 7a1ee8a9-71be-4b11-bb70-efb62d16863b: categories: 
@@ -8399,6 +9213,7 @@ rules:
 group: cloud-resources-public-access
 name: 7a1ee8a9-71be-4b11-bb70-efb62d16863b
 pretty_name: RDS Instance SSL Action Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#ssl_action
 7a70eed6-de3a-4da2-94da-a2bbc8fe2a48:
 categories:
@@ -8408,6 +9223,7 @@ rules:
 group: top10-insecure-design
 name: 7a70eed6-de3a-4da2-94da-a2bbc8fe2a48
 pretty_name: IAM Password Without Symbol
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy
 7ab33ac0-e4a3-418f-a673-50da4e34df21:
 categories:
@@ -8418,6 +9234,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 7ab33ac0-e4a3-418f-a673-50da4e34df21
 pretty_name: PostgreSQL Log Checkpoints Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html
 7af1c447-c014-4f05-bd8b-ebe3a15734ac:
 categories:
@@ -8428,6 +9245,7 @@ rules:
 group: cloud-resources-public-access
 name: 7af1c447-c014-4f05-bd8b-ebe3a15734ac
 pretty_name: SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html
 7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2:
 categories:
@@ -8437,6 +9255,7 @@ rules:
 group: top10-crypto-failures
 name: 7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2
 pretty_name: ElasticSearch Encryption With KMS Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain
 7af43613-6bb9-4a0e-8c4d-1314b799425e:
 categories:
@@ -8450,6 +9269,7 @@ rules:
 group: cloud-insecure-iam
 name: 7af43613-6bb9-4a0e-8c4d-1314b799425e
 pretty_name: S3 Bucket Access to Any Principal
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy
 7b47138f-ec0e-47dc-8516-e7728fe3cc17:
 categories:
@@ -8460,6 +9280,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 7b47138f-ec0e-47dc-8516-e7728fe3cc17
 pretty_name: PostgreSQL Log Connections Not Set
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html
 7b590235-1ff4-421b-b9ff-5227134be9bb:
 categories:
@@ -8471,6 +9292,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 7b590235-1ff4-421b-b9ff-5227134be9bb
 pretty_name: CloudFront Logging Disabled
+ recommended: true
 ref: https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-logging
 7c25f361-7c66-44bf-9b69-022acd5eb4bd:
 categories:
@@ -8482,6 +9304,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: 7c25f361-7c66-44bf-9b69-022acd5eb4bd
 pretty_name: Key Vault Not Recoverable
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/2019-09-01/vaults?tabs=json#vaultproperties-object
 7c81d34c-8e5a-402b-9798-9f442630e678:
 categories:
@@ -8492,6 +9315,7 @@ rules:
 group: cloud-weak-configuration
 name: 7c81d34c-8e5a-402b-9798-9f442630e678
 pretty_name: Image Without Digest
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/containers/images/#updating-images
 7c96920c-6fd0-449d-9a52-0aa431b6beaf:
 categories:
@@ -8502,6 +9326,7 @@ rules:
 group: cloud-insecure-iam
 name: 7c96920c-6fd0-449d-9a52-0aa431b6beaf
 pretty_name: Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy
 7c98538a-81c6-444b-bf04-e60bc3ceeec0:
 categories:
@@ -8512,6 +9337,7 @@ rules: group: cloud-resources-public-access name: 7c98538a-81c6-444b-bf04-e60bc3ceeec0 pretty_name: IP Forwarding Enabled + recommended: true ref: https://cloud.google.com/compute/docs/reference/rest/v1/instances 7cc6c791-5f68-4816-a564-b9b699f9d26e: categories: @@ -8523,6 +9349,7 @@ rules: group: cloud-resources-public-access name: 7cc6c791-5f68-4816-a564-b9b699f9d26e pretty_name: ElastiCache Using Default Port + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/community/aws/elasticache_module.html#parameter-cache_port 7d544dad-8a6c-431c-84c1-5f07fe9afc0e: categories: @@ -8534,6 +9361,7 @@ rules: name: 7d544dad-8a6c-431c-84c1-5f07fe9afc0e pretty_name: Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy 7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b: categories: @@ -8544,6 +9372,7 @@ rules: group: cloud-weak-configuration name: 7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b pretty_name: SQL DB Instance Publicly Accessible + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html 7db727c1-1720-468e-b80e-06697f71e09e: categories: @@ -8555,6 +9384,7 @@ rules: group: cloud-insecure-iam name: 7db727c1-1720-468e-b80e-06697f71e09e pretty_name: ECS Service Admin Role Is Present + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_service_module.html 7db8bd7e-9772-478c-9ec5-4bc202c5686f: categories: @@ -8564,6 +9394,7 @@ rules: group: top10-software-data-integrity-failures name: 7db8bd7e-9772-478c-9ec5-4bc202c5686f pretty_name: OSS Bucket Lifecycle Rule Disabled + recommended: true ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#lifecycle_rule 7dbba512-e244-42dc-98bb-422339827967: categories: 
@@ -8573,6 +9404,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 7dbba512-e244-42dc-98bb-422339827967
 pretty_name: CloudWatch Logging Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_query_log
 7dfb316c-a6c2-454d-b8a2-97f147b0c0ff:
 categories:
@@ -8584,6 +9416,7 @@ rules:
 group: top10-crypto-failures
 name: 7dfb316c-a6c2-454d-b8a2-97f147b0c0ff
 pretty_name: DB Instance Storage Not Encrypted
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html
 7e4a6e76-568d-43ef-8c4e-36dea481bff1:
 categories:
@@ -8593,6 +9426,7 @@ rules:
 group: cloud-resources-public-access
 name: 7e4a6e76-568d-43ef-8c4e-36dea481bff1
 pretty_name: EC2 Instance Using Default VPC
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#subnet_id
 7ebc9038-0bde-479a-acc4-6ed7b6758899:
 categories:
@@ -8605,6 +9439,7 @@ rules:
 group: cloud-weak-configuration
 name: 7ebc9038-0bde-479a-acc4-6ed7b6758899
 pretty_name: KMS Key With Full Permissions
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key
 7ebd323c-31b7-4e5b-b26f-de5e9e477af8:
 categories:
@@ -8616,6 +9451,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: 7ebd323c-31b7-4e5b-b26f-de5e9e477af8
 pretty_name: Missing Flag From Dnf Install
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
 7ef7d141-9fbb-4679-a977-fd0883436906:
 categories:
@@ -8628,6 +9464,7 @@ rules:
 group: cloud-weak-configuration
 name: 7ef7d141-9fbb-4679-a977-fd0883436906
 pretty_name: Cluster Master Authentication Disabled
+ recommended: true
 ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters
 7f0a8696-7159-4337-ad0d-8a3ab4a78195:
 categories:
@@ -8637,6 +9474,7 @@ rules:
 group: cloud-resources-public-access
 name: 7f0a8696-7159-4337-ad0d-8a3ab4a78195
 pretty_name: MariaDB Server Public Network Access Enabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mariadb_server#public_network_access_enabled
 7f15962a-d862-451c-ac9b-84ec13747aa6:
 categories:
@@ -8647,6 +9485,7 @@ rules:
 group: top10-insecure-design
 name: 7f15962a-d862-451c-ac9b-84ec13747aa6
 pretty_name: Object Using Enum With Keyword (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#schemaObject
 7f203940-39c4-4ea7-91ee-7aba16bca9e2:
 categories:
@@ -8656,6 +9495,7 @@ rules:
 group: top10-insecure-design
 name: 7f203940-39c4-4ea7-91ee-7aba16bca9e2
 pretty_name: Property 'allowReserved' Improperly Defined
+ recommended: true
 ref: https://swagger.io/specification/#parameter-object
 7f384a5f-b5a2-4d84-8ca3-ee0a5247becb:
 categories:
@@ -8666,6 +9506,7 @@ rules:
 group: cloud-insecure-iam
 name: 7f384a5f-b5a2-4d84-8ca3-ee0a5247becb
 pretty_name: Empty Roles For ECS Cluster Task Definitions
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html
 7f65be75-90ab-4036-8c2a-410aef7bb650:
 categories:
@@ -8676,6 +9517,7 @@ rules:
 group: top10-crypto-failures
 name: 7f65be75-90ab-4036-8c2a-410aef7bb650
 pretty_name: Kinesis SSE Not Configured
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kinesis-stream.html
 7f79f858-fbe8-4186-8a2c-dfd0d958a40f:
 categories:
@@ -8685,6 +9527,7 @@ rules:
 group: cloud-insecure-iam
 name: 7f79f858-fbe8-4186-8a2c-dfd0d958a40f
 pretty_name: IAM Access Key Is Exposed
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_module.html
 7f8843f0-9ea5-42b4-a02b-753055113195:
 categories:
@@ -8695,6 +9538,7 @@ rules:
 group: top10-insecure-design
 name: 7f8843f0-9ea5-42b4-a02b-753055113195
 pretty_name: Geo Restriction Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html
 7f8f1b60-43df-4c28-aa21-fb836dbd8071:
 categories:
@@ -8705,6 +9549,7 @@ rules:
 group: cloud-insecure-iam
 name: 7f8f1b60-43df-4c28-aa21-fb836dbd8071
 pretty_name: API Gateway Stage Without API Gateway UsagePlan Associated
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html
 7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a:
 categories:
@@ -8715,6 +9560,7 @@ rules:
 group: top10-insecure-design
 name: 7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a
 pretty_name: File Parameter With Wrong Consumes Property
+ recommended: true
 ref: https://swagger.io/specification/v2/#operation-object
 7fd0d461-5b8c-4815-898c-f2b4b117eb28:
 categories:
@@ -8724,6 +9570,7 @@ rules:
 group: cloud-insecure-iam
 name: 7fd0d461-5b8c-4815-898c-f2b4b117eb28
 pretty_name: API Gateway Without Configured Authorizer
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-authorizer.html
 7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892:
 categories:
@@ -8735,6 +9582,7 @@ rules:
 group: top10-crypto-failures
 name: 7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892
 pretty_name: ECS Task Definition Container With Plaintext Password
+ recommended: true
 ref: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_environment
 800fa019-49dd-421b-9042-7331fdd83fa2:
 categories:
@@ -8744,6 +9592,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 800fa019-49dd-421b-9042-7331fdd83fa2
 pretty_name: High Access Key Rotation Period
+ recommended: true
 ref: https://docs.amazonaws.cn/en_us/config/latest/developerguide/access-keys-rotated.html
 8010e17a-00e9-4635-a692-90d6bcec68bd:
 categories:
@@ -8755,6 +9604,7 @@ rules: group: cloud-resources-public-access name: 8010e17a-00e9-4635-a692-90d6bcec68bd pretty_name: Default Security Groups With Unrestricted Traffic + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html 801f0c6a-a834-4467-89c6-ddecffb46b5a: categories: @@ -8764,6 +9614,7 @@ rules: group: top10-insecure-design name: 801f0c6a-a834-4467-89c6-ddecffb46b5a pretty_name: Link JSON Reference Does Not Exists + recommended: true ref: https://swagger.io/specification/#components-object 8055dec2-efb8-4fe6-8837-d9bed6ff202a: categories: @@ -8776,6 +9627,7 @@ rules: name: 8055dec2-efb8-4fe6-8837-d9bed6ff202a pretty_name: User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy 80908a75-586b-4c61-ab04-490f4f4525b8: categories: @@ -8786,6 +9638,7 @@ rules: group: top10-crypto-failures name: 80908a75-586b-4c61-ab04-490f4f4525b8 pretty_name: ELB Without Secure Protocol + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html 809f77f8-d10e-4842-a84f-3be7b6ff1190: categories: @@ -8799,6 +9652,7 @@ rules: group: top10-crypto-failures name: 809f77f8-d10e-4842-a84f-3be7b6ff1190 pretty_name: ELB Using Weak Ciphers + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html 80b15fb1-6207-40f4-a803-6915ae619a03: categories: @@ -8808,6 +9662,7 @@ rules: group: cloud-weak-configuration name: 80b15fb1-6207-40f4-a803-6915ae619a03 pretty_name: Cloud DNS Without DNSSEC + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_dns_managed_zone_module.html#return-dnssecConfig/state 80b7ac3f-d2b7-4577-9b10-df7913497162: categories: 
@@ -8817,6 +9672,7 @@ rules:
 group: top10-crypto-failures
 name: 80b7ac3f-d2b7-4577-9b10-df7913497162
 pretty_name: EBS Volume Encryption Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volume.html
 80d45af4-4920-4236-a56e-b7ef419d1941:
 categories:
@@ -8826,6 +9682,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 80d45af4-4920-4236-a56e-b7ef419d1941
 pretty_name: API Gateway Stage Access Logging Settings Not Defined
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-stage.html#cfn-apigatewayv2-stage-accesslogsettings
 80f93444-b240-4ebb-a4c6-5c40b76c04ea:
 categories:
@@ -8835,6 +9692,7 @@ rules:
 group: cloud-weak-configuration
 name: 80f93444-b240-4ebb-a4c6-5c40b76c04ea
 pretty_name: PSP Allows Sharing Host IPC
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
 811762c8-2e99-4f70-88f9-a63875a953b1:
 categories:
@@ -8845,6 +9703,7 @@ rules:
 group: top10-insecure-design
 name: 811762c8-2e99-4f70-88f9-a63875a953b1
 pretty_name: Schema Has A Required Property Undefined (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#schemaObject
 815021c8-a50c-46d9-b192-24f71072c400:
 categories:
@@ -8855,6 +9714,7 @@ rules:
 group: top10-insecure-design
 name: 815021c8-a50c-46d9-b192-24f71072c400
 pretty_name: Paths Object is Empty (v3)
+ recommended: true
 ref: https://swagger.io/specification/#paths-object
 8152e0cf-d2f0-47ad-96d5-d003a76eabd1:
 categories:
@@ -8865,6 +9725,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 8152e0cf-d2f0-47ad-96d5-d003a76eabd1
 pretty_name: Lambda Functions Without X-Ray Tracing
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#tracing_config
 816ea8cf-d589-442d-a917-2dd0ce0e45e3:
 categories:
@@ -8874,6 +9735,7 @@ rules:
 group: cloud-insecure-iam
 name: 816ea8cf-d589-442d-a917-2dd0ce0e45e3
 pretty_name: SQS Policy Allows All Actions
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy
 8173d5eb-96b5-4aa6-a71b-ecfa153c123d:
 categories:
@@ -8884,6 +9746,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 8173d5eb-96b5-4aa6-a71b-ecfa153c123d
 pretty_name: CloudTrail Multi Region Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#is_multi_region_trail
 818f38ed-8446-4132-9c03-474d49e10195:
 categories:
@@ -8895,6 +9758,7 @@ rules:
 group: cloud-insecure-iam
 name: 818f38ed-8446-4132-9c03-474d49e10195
 pretty_name: SNS Topic Publicity Has Allow and NotAction Simultaneously
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-sns-policy
 819d50fd-1cdf-45c3-9936-be408aaad93e:
 categories:
@@ -8904,6 +9768,7 @@ rules:
 group: cloud-weak-configuration
 name: 819d50fd-1cdf-45c3-9936-be408aaad93e
 pretty_name: Security Center Pricing Tier Is Not Standard
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_subscription_pricing
 81ce9394-013d-4731-8fcc-9d229b474073:
 categories:
@@ -8915,6 +9780,7 @@ rules:
 group: cloud-weak-configuration
 name: 81ce9394-013d-4731-8fcc-9d229b474073
 pretty_name: CS Kubernetes Node Pool Auto Repair Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/cs_kubernetes_node_pool#auto_repair
 8212e2d7-e683-49bc-bf78-d6799075c5a7:
 categories:
@@ -8925,6 +9791,7 @@ rules:
 group: cloud-resources-public-access
 name: 8212e2d7-e683-49bc-bf78-d6799075c5a7
 pretty_name: Compute Instance Is Publicly Accessible
+ recommended: true
 ref: https://cloud.google.com/compute/docs/reference/rest/v1/instances
 8263f146-5e03-43e0-9cfe-db960d56d1e7:
 categories:
@@ -8934,6 +9801,7 @@ rules:
 group: top10-crypto-failures
 name: 8263f146-5e03-43e0-9cfe-db960d56d1e7
 pretty_name: Storage Account Not Using Latest TLS Encryption Version
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account
 826abb30-3cd5-4e0b-a93b-67729b4f7e63:
 categories:
@@ -8946,6 +9814,7 @@ rules:
 group: cloud-insecure-iam
 name: 826abb30-3cd5-4e0b-a93b-67729b4f7e63
 pretty_name: RBAC Roles with Read Secrets Permissions
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role#rule
 8275fab0-68ec-4705-bbf4-86975edb170e:
 categories:
@@ -8956,6 +9825,7 @@ rules:
 group: cloud-weak-configuration
 name: 8275fab0-68ec-4705-bbf4-86975edb170e
 pretty_name: API Gateway Without Security Policy
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-securitypolicy
 829ce3b8-065c-41a3-ad57-e0accfea82d2:
 categories:
@@ -8967,6 +9837,7 @@ rules:
 group: cloud-resources-public-access
 name: 829ce3b8-065c-41a3-ad57-e0accfea82d2
 pretty_name: Unknown Port Exposed To Internet
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html
 829f1c60-2bab-44c6-8a21-5cd9d39a2c82:
 categories:
@@ -8977,6 +9848,7 @@ rules:
 group: cloud-resources-public-access
 name: 829f1c60-2bab-44c6-8a21-5cd9d39a2c82
 pretty_name: Compute Instance Is Publicly Accessible
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html#parameter-network_interfaces/access_configs
 83103dff-d57f-42a8-bd81-40abab64c1a7:
 categories:
@@ -8988,6 +9860,7 @@ rules:
 group: cloud-insecure-iam
 name: 83103dff-d57f-42a8-bd81-40abab64c1a7
 pretty_name: BigQuery Dataset Is Public
+ recommended: true
 ref: https://cloud.google.com/bigquery/docs/reference/rest/v2/datasets
 83130a07-235b-4a80-918b-a370e53f0bd9:
 categories:
@@ -8997,6 +9870,7 @@ rules:
 group: cloud-insecure-iam
 name: 83130a07-235b-4a80-918b-a370e53f0bd9
 pretty_name: App Service Authentication Is Not Set
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-web?tabs=json
 8320826e-7a9c-4b0b-9535-578333193432:
 categories:
@@ -9008,6 +9882,7 @@ rules:
 group: cloud-insecure-iam
 name: 8320826e-7a9c-4b0b-9535-578333193432
 pretty_name: RBAC Roles Allow Privilege Escalation
+ recommended: true
 ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update
 835a4f2f-df43-437d-9943-545ccfc55961:
 categories:
@@ -9017,6 +9892,7 @@ rules:
 group: cloud-resources-public-access
 name: 835a4f2f-df43-437d-9943-545ccfc55961
 pretty_name: Azure Front Door WAF Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/frontdoor#web_application_firewall_policy_link_id
 835d5497-a526-4aea-a23f-98a9afd1635f:
 categories:
@@ -9027,6 +9903,7 @@ rules:
 group: cloud-insecure-iam
 name: 835d5497-a526-4aea-a23f-98a9afd1635f
 pretty_name: S3 Bucket ACL Allows Read to Any Authenticated User
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
 837e033c-4717-40bd-807e-6abaa30161b7:
 categories:
@@ -9037,6 +9914,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 837e033c-4717-40bd-807e-6abaa30161b7
 pretty_name: Stack Notifications Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stack.html
 83957b81-39c1-4191-8e12-671d2ce14354:
 categories:
@@ -9046,6 +9924,7 @@ rules:
 group: top10-insecure-design
 name: 83957b81-39c1-4191-8e12-671d2ce14354
 pretty_name: IAM Password Without Uppercase Letter
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html
 839f238f-2e3a-4a72-b945-8abdf91af955:
 categories:
@@ -9056,6 +9935,7 @@ rules:
 group: top10-insecure-design
 name: 839f238f-2e3a-4a72-b945-8abdf91af955
 pretty_name: IAM Password Without Number
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user
 83a229ba-483e-47c6-8db7-dc96969bce5a:
 categories:
@@ -9066,6 +9946,7 @@ rules:
 group: cloud-insecure-iam
 name: 83a229ba-483e-47c6-8db7-dc96969bce5a
 pretty_name: SQL Database Audit Disabled
+ recommended: true
 ref: https://www.terraform.io/docs/providers/azurerm/r/sql_database.html
 83bf5aca-138a-498e-b9cd-ad5bc5e117b4:
 categories:
@@ -9075,6 +9956,7 @@ rules:
 group: top10-crypto-failures
 name: 83bf5aca-138a-498e-b9cd-ad5bc5e117b4
 pretty_name: Neptune Database Cluster Encryption Disabled
+ recommended: true
 ref: https://doc.crds.dev/github.com/crossplane/provider-aws/neptune.aws.crossplane.io/DBCluster/v1alpha1@v0.29.0#spec-forProvider-storageEncrypted
 83c5fa4c-e098-48fc-84ee-0a537287ddd2:
 categories:
@@ -9085,6 +9967,7 @@ rules:
 group: cloud-resources-public-access
 name: 83c5fa4c-e098-48fc-84ee-0a537287ddd2
 pretty_name: Unrestricted Security Group Ingress
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html
 845acfbe-3e10-4b8e-b656-3b404d36dfb2:
 categories:
@@ -9094,6 +9977,7 @@ rules:
 group: cloud-resources-public-access
 name: 845acfbe-3e10-4b8e-b656-3b404d36dfb2
 pretty_name: Service Type is NodePort
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/services-networking/service/
 846646e3-2af1-428c-ac5d-271eccfa6faf:
 categories:
@@ -9104,6 +9988,7 @@ rules:
 group: cloud-insecure-iam
 name: 846646e3-2af1-428c-ac5d-271eccfa6faf
 pretty_name: Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy
 84c826c9-1893-4b34-8cdd-db97645b4bf3:
 categories:
@@ -9113,6 +9998,7 @@ rules:
 group: top10-insecure-design
 name: 84c826c9-1893-4b34-8cdd-db97645b4bf3
 pretty_name: Path Without Operation (v3)
+ recommended: true
 ref: https://swagger.io/specification/#path-item-object
 84d36481-fd63-48cb-838e-635c44806ec2:
 categories:
@@ -9123,6 +10009,7 @@ rules:
 group: cloud-insecure-iam
 name: 84d36481-fd63-48cb-838e-635c44806ec2
 pretty_name: Google Project IAM Member Service Account Has Admin Role
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member
 85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7:
 categories:
@@ -9133,6 +10020,7 @@ rules:
 group: cloud-insecure-iam
 name: 85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7
 pretty_name: Cross-Account IAM Assume Role Policy Without ExternalId or MFA
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-assumerolepolicydocument
 857f8808-e96a-4ba8-a9b7-f2d4ec6cad94:
 categories:
@@ -9143,6 +10031,7 @@ rules:
 group: top10-insecure-design
 name: 857f8808-e96a-4ba8-a9b7-f2d4ec6cad94
 pretty_name: Automatic Minor Upgrades Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-auto_minor_version_upgrade
 85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3:
 categories:
@@ -9152,6 +10041,7 @@ rules:
 group: cloud-resources-public-access
 name: 85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3
 pretty_name: Network Policy Is Not Targeting Any Pod
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
 85da374f-b00f-4832-9d44-84a1ca1e89f8:
 categories:
@@ -9163,6 +10053,7 @@ rules:
 group: cloud-weak-configuration
 name: 85da374f-b00f-4832-9d44-84a1ca1e89f8
 pretty_name: App Service FTPS Enforce Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#ftps_state
 860ba89b-b8de-4e72-af54-d6aee4138a69:
 categories:
@@ -9173,6 +10064,7 @@ rules:
 group: cloud-insecure-iam
 name: 860ba89b-b8de-4e72-af54-d6aee4138a69
 pretty_name: S3 Bucket Allows Public Policy
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html
 862fe4bf-3eec-4767-a517-40f378886b88:
 categories:
@@ -9183,6 +10075,7 @@ rules:
 group: top10-crypto-failures
 name: 862fe4bf-3eec-4767-a517-40f378886b88
 pretty_name: Kinesis Not Encrypted With KMS
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream
 86571149-eef3-4280-a645-01e60df854b0:
 categories:
@@ -9202,6 +10095,7 @@ rules:
 group: top10-insecure-design
 name: 8657197e-3f87-4694-892b-8144701d83c1
 pretty_name: Readiness Probe Is Not Configured
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#readiness_probe
 86733e01-a435-4bd5-a8b0-5108be9dc1e4:
 categories:
@@ -9212,6 +10106,7 @@ rules:
 group: top10-insecure-design
 name: 86733e01-a435-4bd5-a8b0-5108be9dc1e4
 pretty_name: Header Response Name Is Invalid (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#response-object
 8697a1a4-82c6-4603-8ac8-57529756744e:
 categories:
@@ -9222,6 +10117,7 @@ rules:
 group: cloud-weak-configuration
 name: 8697a1a4-82c6-4603-8ac8-57529756744e
 pretty_name: Array Items Has No Type (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#format
 869e7fb4-30f0-4bdb-b360-ad548f337f2f:
 categories:
@@ -9231,6 +10127,7 @@ rules:
 group: cloud-weak-configuration
 name: 869e7fb4-30f0-4bdb-b360-ad548f337f2f
 pretty_name: Redis Cache Allows Non SSL Connections
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscache_module.html
 86a248ab-0e01-4564-a82a-878303e253bb:
 categories:
@@ -9240,6 +10137,7 @@ rules:
 group: top10-crypto-failures
 name: 86a248ab-0e01-4564-a82a-878303e253bb
 pretty_name: ElasticSearch Not Encrypted At Rest
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-encryptionatrestoptions
 86a947ea-f577-4efb-a8b0-5fc00257d521:
 categories:
@@ -9249,6 +10147,7 @@ rules:
 group: cloud-insecure-iam
 name: 86a947ea-f577-4efb-a8b0-5fc00257d521
 pretty_name: Non Kube System Pod With Host Mount
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod
 86b0efa7-4901-4edd-a37a-c034bec6645a:
 categories:
@@ -9259,6 +10158,7 @@ rules:
 group: cloud-insecure-iam
 name: 86b0efa7-4901-4edd-a37a-c034bec6645a
 pretty_name: SQS Queue Exposed
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html#parameter-policy
 86b1fa30-9790-4980-994d-a27e0f6f27c1:
 categories:
@@ -9270,6 +10170,7 @@ rules:
 group: cloud-insecure-iam
 name: 86b1fa30-9790-4980-994d-a27e0f6f27c1
 pretty_name: Cleartext Credentials With Basic Authentication For Operation
+ recommended: true
 ref: https://swagger.io/specification/#operation-object
 86e3702f-c868-44b2-b61d-ea5316c18110:
 categories:
@@ -9279,6 +10180,7 @@ rules:
 group: cloud-resources-public-access
 name: 86e3702f-c868-44b2-b61d-ea5316c18110
 pretty_name: Default Response Undefined On Operations (v3)
+ recommended: true
 ref: https://swagger.io/specification/#responses-object
 86f92117-eed8-4614-9c6c-b26da20ff37f:
 categories:
@@ -9289,6 +10191,7 @@ rules:
 group: cloud-insecure-iam
 name: 86f92117-eed8-4614-9c6c-b26da20ff37f
 pretty_name: AKS RBAC Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#role_based_access_control
 87065ef8-de9b-40d8-9753-f4a4303e27a4:
 categories:
@@ -9300,6 +10203,7 @@ rules:
 group: cloud-weak-configuration
 name: 87065ef8-de9b-40d8-9753-f4a4303e27a4
 pretty_name: Container Is Privileged
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#privileged
 87482183-a8e7-4e42-a566-7a23ec231c16:
 categories:
@@ -9309,6 +10213,7 @@ rules:
 group: cloud-resources-public-access
 name: 87482183-a8e7-4e42-a566-7a23ec231c16
 pretty_name: Security Group Ingress With Port Range
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html
 874d68a3-bfbe-4a4b-aaa0-9e74d7da634b:
 categories:
@@ -9319,6 +10224,7 @@ rules:
 group: cloud-weak-configuration
 name: 874d68a3-bfbe-4a4b-aaa0-9e74d7da634b
 pretty_name: Certificate RSA Key Bytes Lower Than 256
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api
 87554eef-154d-411d-bdce-9dbd91e56851:
 categories:
@@ -9328,6 +10234,7 @@ rules:
 group: cloud-weak-configuration
 name: 87554eef-154d-411d-bdce-9dbd91e56851
 pretty_name: PSP Allows Privilege Escalation
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
 8810968b-4b15-421d-918b-d91eb4bb8d1d:
 categories:
@@ -9339,6 +10246,7 @@ rules:
 group: cloud-weak-configuration
 name: 8810968b-4b15-421d-918b-d91eb4bb8d1d
 pretty_name: Cluster Labels Disabled
+ recommended: true
 ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters
 881696a8-68c5-4073-85bc-7c38a3deb854:
 categories:
@@ -9348,6 +10256,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: 881696a8-68c5-4073-85bc-7c38a3deb854
 pretty_name: Key Vault Soft Delete Is Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_keyvault_module.html#parameter-enable_soft_delete
 881a6e71-c2a7-4fe2-b9c3-dfcf08895331:
 categories:
@@ -9357,6 +10266,7 @@ rules:
 group: top10-insecure-design
 name: 881a6e71-c2a7-4fe2-b9c3-dfcf08895331
 pretty_name: Example Not Compliant With Schema Type (v3)
+ recommended: true
 ref: https://swagger.io/specification/#example-object
 8833f180-96f1-46f4-9147-849aafa56029:
 categories:
@@ -9366,6 +10276,7 @@ rules:
 group: cloud-resources-public-access
 name: 8833f180-96f1-46f4-9147-849aafa56029
 pretty_name: EC2 Instance Using Default VPC
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-vpc_subnet_id
 88541597-6f88-42c8-bac6-7e0b855e8ff6:
 categories:
@@ -9379,6 +10290,7 @@ rules:
 group: cloud-insecure-iam
 name: 88541597-6f88-42c8-bac6-7e0b855e8ff6
 pretty_name: OSS Bucket Allows List Action From All Principals
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy
 88d55d94-315d-4564-beee-d2d725feab11:
 categories:
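Review bot: `PSP Allows Privilege Escalation` (87554eef) is being flagged `recommended: true` although PodSecurityPolicy was removed from Kubernetes in 1.25, so on current clusters this rule can only fire on manifests that no longer apply; the same concern holds for `PSP Allows Sharing Host PID` (91dacd0e) and the GKE `Pod Security Policy Disabled` (9192e0f9) later in this patch, and for `Tiller Service Is Not Deleted` (8b862ca9), since Helm 2's Tiller is end-of-life. Recommending checks for removed features produces findings that cannot be acted on and trains users to dismiss the default set. Suggest leaving these four at the default and, if a hint is wanted, annotating each PSP rule with a comment such as `# PodSecurityPolicy removed in Kubernetes 1.25; the Pod Security Admission checks cover the same risk`.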
@@ -9389,6 +10301,7 @@ rules: group: cloud-weak-configuration name: 88d55d94-315d-4564-beee-d2d725feab11 pretty_name: SageMaker Enabling Internet Access + recommended: true ref: https://docs.aws.amazon.com/sagemaker/latest/dg/security_iam_id-based-policy-examples.html#sagemaker-condition-nbi-lockdown 88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6: categories: @@ -9400,6 +10313,7 @@ rules: group: top10-crypto-failures name: 88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6 pretty_name: IAM Database Auth Not Enabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#iam_database_authentication_enabled 89143358-cec6-49f5-9392-920c591c669c: categories: @@ -9410,6 +10324,7 @@ rules: group: cloud-weak-secrets-management name: 89143358-cec6-49f5-9392-920c591c669c pretty_name: Ram Account Password Policy Not Require At Least one Lowercase Character + recommended: true ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#require_lowercase_characters 89561b03-cb35-44a9-a7e9-8356e71606f4: categories: @@ -9421,6 +10336,7 @@ rules: name: 89561b03-cb35-44a9-a7e9-8356e71606f4 pretty_name: User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy 895a5a95-3756-4b04-9924-2f3bc93181bd: categories: @@ -9432,6 +10348,7 @@ rules: group: cloud-resources-public-access name: 895a5a95-3756-4b04-9924-2f3bc93181bd pretty_name: Etcd TLS Certificate Not Properly Configured + recommended: true ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ 895ed0d9-6fec-4567-8614-d7a74b599a53: categories: 
@@ -9451,6 +10368,7 @@ rules:
 group: top10-insecure-design
 name: 89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a
 pretty_name: Password Without Reuse Prevention
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy#password_reuse_prevention
 89827c57-5a8a-49eb-9731-976a606d70db:
 categories:
@@ -9460,6 +10378,7 @@ rules:
 group: top10-crypto-failures
 name: 89827c57-5a8a-49eb-9731-976a606d70db
 pretty_name: Workspace Without Encryption
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-workspaces-workspace.html
 89afe3f0-4681-4ce3-89ed-896cebd4277c:
 categories:
@@ -9470,6 +10389,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 89afe3f0-4681-4ce3-89ed-896cebd4277c
 pretty_name: PostgreSQL log_checkpoints Flag Not Set To ON
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags
 89b79fe5-49bd-4d39-84ce-55f5fc6f7764:
 categories:
@@ -9480,6 +10400,7 @@ rules:
 group: top10-insecure-design
 name: 89b79fe5-49bd-4d39-84ce-55f5fc6f7764
 pretty_name: SQL Alert Policy Without Emails
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/securityalertpolicies?tabs=json
 89f84a1e-75f8-47c5-83b5-bee8e2de4168:
 categories:
@@ -9490,6 +10411,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 89f84a1e-75f8-47c5-83b5-bee8e2de4168
 pretty_name: Monitoring Log Profile Without All Activities
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_monitorlogprofile_module.html
 89fe890f-b480-460c-8b6b-7d8b1468adb4:
 categories:
@@ -9500,6 +10422,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 89fe890f-b480-460c-8b6b-7d8b1468adb4
 pretty_name: IAM Audit Not Properly Configured
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_audit_config
 8a301064-c291-4b20-adcb-403fe7fd95fd:
 categories:
@@ -9511,6 +10434,7 @@ rules:
 group: top10-insecure-design
 name: 8a301064-c291-4b20-adcb-403fe7fd95fd
 pretty_name: Changing Default Shell Using RUN Command
+ recommended: true
 ref: https://docs.docker.com/engine/reference/builder/#shell
 8a6d36cd-0bc6-42b7-92c4-67acc8576861:
 categories:
@@ -9522,6 +10446,7 @@ rules:
 group: cloud-weak-configuration
 name: 8a6d36cd-0bc6-42b7-92c4-67acc8576861
 pretty_name: Instance With No VPC
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-vpc.html
 8a893e46-e267-485a-8690-51f39951de58:
 categories:
@@ -9531,6 +10456,7 @@ rules:
 group: cloud-weak-configuration
 name: 8a893e46-e267-485a-8690-51f39951de58
 pretty_name: COS Node Image Not Used
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#node_config
 8ada6e80-0ade-439e-b176-0b28f6bce35a:
 categories:
@@ -9541,6 +10467,7 @@ rules:
 group: cloud-weak-configuration
 name: 8ada6e80-0ade-439e-b176-0b28f6bce35a
 pretty_name: Run Using Sudo
+ recommended: true
 ref: https://docs.docker.com/engine/reference/builder/#run
 8aee4754-970d-4c5f-8142-a49dfe388b1a:
 categories:
@@ -9551,6 +10478,7 @@ rules:
 group: top10-insecure-design
 name: 8aee4754-970d-4c5f-8142-a49dfe388b1a
 pretty_name: Server Object Variable Not Used
+ recommended: true
 ref: https://swagger.io/specification/#server-variable-object
 8af270ce-298b-4405-9922-82a10aee7a4f:
 categories:
@@ -9562,6 +10490,7 @@ rules:
 group: cloud-insecure-iam
 name: 8af270ce-298b-4405-9922-82a10aee7a4f
 pretty_name: Global Security Field Is Undefined (v3)
+ recommended: true
 ref: https://swagger.io/specification/#security-requirement-object
 8af7162d-6c98-482f-868e-0d33fb675ca8:
 categories:
@@ -9571,6 +10500,7 @@ rules:
 group: cloud-insecure-iam
 name: 8af7162d-6c98-482f-868e-0d33fb675ca8
 pretty_name: Shared Host User Namespace
+ recommended: true
 ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#userns_mode
 8b042c30-e441-453f-b162-7696982ebc58:
 categories:
@@ -9581,6 +10511,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: 8b042c30-e441-453f-b162-7696982ebc58
 pretty_name: Geo Redundancy Is Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server
 8b1b1e67-6248-4dca-bbad-93486bb181c0:
 categories:
@@ -9591,6 +10522,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 8b1b1e67-6248-4dca-bbad-93486bb181c0
 pretty_name: CloudWatch Root Account Use Missing
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern
 8b36775e-183d-4d46-b0f7-96a6f34a723f:
 categories:
@@ -9601,6 +10533,7 @@ rules:
 group: cloud-insecure-iam
 name: 8b36775e-183d-4d46-b0f7-96a6f34a723f
 pretty_name: Missing AppArmor Profile
+ recommended: true
 ref: https://kubernetes.io/docs/tutorials/clusters/apparmor/
 8b862ca9-0fbd-4959-ad72-b6609bdaa22d:
 categories:
@@ -9611,6 +10544,7 @@ rules:
 group: cloud-weak-configuration
 name: 8b862ca9-0fbd-4959-ad72-b6609bdaa22d
 pretty_name: Tiller Service Is Not Deleted
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/services-networking/service
 8bbb242f-6e38-4127-86d4-d8f0b2687ae2:
 categories:
@@ -9621,6 +10555,7 @@ rules:
 group: top10-crypto-failures
 name: 8bbb242f-6e38-4127-86d4-d8f0b2687ae2
 pretty_name: AMI Not Encrypted
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami
 8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d:
 categories:
@@ -9630,6 +10565,7 @@ rules:
 group: top10-insecure-design
 name: 8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d
 pretty_name: IAM Password Without Minimum Length
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html
 8bfbf7ab-d5e8-4100-8618-798956e101e0:
 categories:
@@ -9640,6 +10576,7 @@ rules:
 group: cloud-insecure-iam
 name: 8bfbf7ab-d5e8-4100-8618-798956e101e0
 pretty_name: User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy
 8bfed1c6-2d59-4924-bc7f-9b9d793ed0df:
 categories:
@@ -9650,6 +10587,7 @@ rules:
 group: top10-insecure-design
 name: 8bfed1c6-2d59-4924-bc7f-9b9d793ed0df
 pretty_name: Parameter Object Content With Multiple Entries
+ recommended: true
 ref: https://swagger.io/specification/#parameter-object
 8c0695d8-2378-4cd6-8243-7fd5894fa574:
 categories:
@@ -9663,6 +10601,7 @@ rules:
 group: cloud-insecure-iam
 name: 8c0695d8-2378-4cd6-8243-7fd5894fa574
 pretty_name: OSS Bucket Allows Delete Action From All Principals
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy
 8c3bedf1-c570-4c3b-b414-d068cd39a00c:
 categories:
@@ -9674,6 +10613,7 @@ rules:
 group: cloud-weak-configuration
 name: 8c3bedf1-c570-4c3b-b414-d068cd39a00c
 pretty_name: AKS Network Policy Misconfigured
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_aks_module.html#parameter-network_profile/network_policy
 8c415f6f-7b90-4a27-a44a-51047e1506f9:
 categories:
@@ -9684,6 +10624,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: 8c415f6f-7b90-4a27-a44a-51047e1506f9
 pretty_name: RDS With Backup Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html
 8c81d6c0-716b-49ec-afa5-2d62da4e3f3c:
 categories:
@@ -9693,6 +10634,7 @@ rules:
 group: cloud-weak-configuration
 name: 8c81d6c0-716b-49ec-afa5-2d62da4e3f3c
 pretty_name: String Schema with Broad Pattern (v3)
+ recommended: true
 ref: https://swagger.io/specification/#schema-object
 8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85:
 categories:
@@ -9702,6 +10644,7 @@ rules:
 group: cloud-weak-configuration
 name: 8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85
 pretty_name: Maximum Length Undefined (v3)
+ recommended: true
 ref: https://swagger.io/specification/#schema-object
 8c849af7-a399-46f7-a34c-32d3dc96f1fc:
 categories:
@@ -9711,6 +10654,7 @@ rules:
 group: cloud-resources-public-access
 name: 8c849af7-a399-46f7-a34c-32d3dc96f1fc
 pretty_name: ElastiCache Without VPC
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#subnet_group_name
 8c84f75e-5048-4926-a4cb-33e7b3431300:
 categories:
@@ -9721,6 +10665,7 @@ rules:
 group: top10-insecure-design
 name: 8c84f75e-5048-4926-a4cb-33e7b3431300
 pretty_name: Header Parameter Named as 'Authorization' (v3)
+ recommended: true
 ref: https://swagger.io/specification/#parameter-object
 8cf4671a-cf3d-46fc-8389-21e7405063a2:
 categories:
@@ -9730,6 +10675,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: 8cf4671a-cf3d-46fc-8389-21e7405063a2
 pretty_name: StatefulSet Requests Storage
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/
 8d03993b-8384-419b-a681-d1f55149397c:
 categories:
@@ -9739,6 +10685,7 @@ rules:
 group: cloud-insecure-iam
 name: 8d03993b-8384-419b-a681-d1f55149397c
 pretty_name: EC2 Instance Using Default Security Group
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-group
 8d0921d6-4131-461f-a253-99e873f8f77e:
 categories:
@@ -9749,6 +10696,7 @@ rules:
 group: top10-insecure-design
 name: 8d0921d6-4131-461f-a253-99e873f8f77e
 pretty_name: Server URL Uses Undefined Variables
+ recommended: true
 ref: https://swagger.io/specification/#server-object
 8d29754a-2a18-460d-a1ba-9509f8d359da:
 categories:
@@ -9759,6 +10707,7 @@ rules:
 group: top10-insecure-design
 name: 8d29754a-2a18-460d-a1ba-9509f8d359da
 pretty_name: IAM Access Analyzer Not Enabled
+ recommended: true
 ref: https://docs.amazonaws.cn/en_us/AWSCloudFormation/latest/UserGuide/aws-resource-accessanalyzer-analyzer.html
 8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56:
 categories:
@@ -9768,6 +10717,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56
 pretty_name: RDS Without Logging
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#enabled_cloudwatch_logs_exports
 8db5544e-4874-4baa-9322-e9f75a2d219e:
 categories:
@@ -9778,6 +10728,7 @@ rules:
 group: cloud-insecure-iam
 name: 8db5544e-4874-4baa-9322-e9f75a2d219e
 pretty_name: Field 'securityScheme' On Components Is Undefined
+ recommended: true
 ref: https://swagger.io/specification/#security-scheme-object
 8dd0ff1f-0da4-48df-9bb3-7f338ae36a40:
 categories:
@@ -9790,6 +10741,7 @@ rules:
 group: top10-insecure-design
 name: 8dd0ff1f-0da4-48df-9bb3-7f338ae36a40
 pretty_name: EC2 Not EBS Optimized
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-ebsoptimized
 8df8e857-bd59-44fa-9f4c-d77594b95b46:
 categories:
@@ -9799,6 +10751,7 @@ rules:
 group: cloud-weak-configuration
 name: 8df8e857-bd59-44fa-9f4c-d77594b95b46
 pretty_name: Lambda Function Without Tags
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html
 8e3063f4-b511-45c3-b030-f3b0c9131951:
 categories:
@@ -9808,6 +10761,7 @@ rules:
 group: top10-insecure-design
 name: 8e3063f4-b511-45c3-b030-f3b0c9131951
 pretty_name: IAM Password Without Lowercase Letter
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html
 8e75e431-449f-49e9-b56a-c8f1378025cf:
 categories:
@@ -9818,6 +10772,7 @@ rules:
 group: cloud-insecure-iam
 name: 8e75e431-449f-49e9-b56a-c8f1378025cf
 pretty_name: Role Assignment Not Limit Guest User Permissions
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
 8e94dced-9bcc-4203-8eb7-7e41202b2505:
 categories:
@@ -9829,6 +10784,7 @@ rules:
 group: top10-insecure-design
 name: 8e94dced-9bcc-4203-8eb7-7e41202b2505
 pretty_name: Auto Scaling Group With No Associated ELB
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group#load_balancers
 8ed0bfce-f780-46d4-b086-21c3628f09ad:
 categories:
@@ -9838,6 +10794,7 @@ rules:
 group: cloud-insecure-iam
 name: 8ed0bfce-f780-46d4-b086-21c3628f09ad
 pretty_name: SES Policy With Allowed IAM Actions
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_ses_identity_policy_module.html#parameter-policy
 8f3c16b3-354d-45db-8ad5-5066778a9485:
 categories:
@@ -9848,6 +10805,7 @@ rules:
 group: cloud-insecure-iam
 name: 8f3c16b3-354d-45db-8ad5-5066778a9485
 pretty_name: Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy
 8f75840d-9ee7-42f3-b203-b40e3979eb12:
 categories:
@@ -9858,6 +10816,7 @@ rules:
 group: cloud-insecure-iam
 name: 8f75840d-9ee7-42f3-b203-b40e3979eb12
 pretty_name: Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy
 8f957abd-9703-413d-87d3-c578950a753c:
 categories:
@@ -9867,6 +10826,7 @@ rules:
 group: cloud-insecure-iam
 name: 8f957abd-9703-413d-87d3-c578950a753c
 pretty_name: IAM Group Without Users
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html
 8f98334a-99aa-4d85-b72a-1399ca010413:
 categories:
@@ -9876,6 +10836,7 @@ rules:
 group: top10-insecure-design
 name: 8f98334a-99aa-4d85-b72a-1399ca010413
 pretty_name: OSS Bucket Transfer Acceleration Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#transfer_acceleration
 8fa9ceea-881f-4ef0-b0b8-728f589699a7:
 categories:
@@ -9886,6 +10847,7 @@ rules:
 group: cloud-insecure-iam
 name: 8fa9ceea-881f-4ef0-b0b8-728f589699a7
 pretty_name: Role Definitions Allow Custom Subscription Role Creation
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/roledefinitions?tabs=json#permission-object
 8fdb08a0-a868-4fdf-9c27-ccab0237f1ab:
 categories:
@@ -9896,6 +10858,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: 8fdb08a0-a868-4fdf-9c27-ccab0237f1ab
 pretty_name: ElastiCache Redis Cluster Without Backup
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#snapshot_retention_limit
 8fe1846f-52cc-4413-ace9-1933d7d23672:
 categories:
@@ -9905,6 +10868,7 @@ rules:
 group: cloud-weak-configuration
 name: 8fe1846f-52cc-4413-ace9-1933d7d23672
 pretty_name: Parameter Object Without Schema
+ recommended: true
 ref: https://swagger.io/specification/#parameter-object
 8fe6d18a-ad4c-4397-8884-e3a9da57f4c9:
 categories:
@@ -9915,6 +10879,7 @@ rules:
 group: top10-insecure-design
 name: 8fe6d18a-ad4c-4397-8884-e3a9da57f4c9
 pretty_name: Schema Enum Invalid (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#schema-object
 90120147-f2e7-4fda-bb21-6fa9109afd63:
 categories:
@@ -9925,6 +10890,7 @@ rules:
 group: cloud-resources-public-access
 name: 90120147-f2e7-4fda-bb21-6fa9109afd63
 pretty_name: MySQL Server SSL Enforcement Disabled
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.dbformysql/servers?tabs=json#serverpropertiesforcreate-object
 9025b2b3-e554-4842-ba87-db7aeec36d35:
 categories:
@@ -9934,6 +10900,7 @@ rules:
 group: top10-crypto-failures
 name: 9025b2b3-e554-4842-ba87-db7aeec36d35
 pretty_name: Unscanned ECR Image
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html#cfn-ecr-repository-imagescanningconfiguration
 9038b526-4c19-4928-bca2-c03d503bdb79:
 categories:
@@ -9946,6 +10913,7 @@ rules:
 group: cloud-weak-configuration
 name: 9038b526-4c19-4928-bca2-c03d503bdb79
 pretty_name: Shielded VM Disabled
+ recommended: true
 ref: https://cloud.google.com/compute/docs/reference/rest/v1/instances
 90501b1b-cded-4cc1-9e8b-206b85cda317:
 categories:
@@ -9957,6 +10925,7 @@ rules:
 group: cloud-weak-configuration
 name: 90501b1b-cded-4cc1-9e8b-206b85cda317
 pretty_name: S3 Static Website Host Enabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-websiteconfiguration.html
 905f4741-f965-45c1-98db-f7a00a0e5c73:
 categories:
@@ -9967,6 +10936,7 @@ rules:
 group: cloud-insecure-iam
 name: 905f4741-f965-45c1-98db-f7a00a0e5c73
 pretty_name: SNS Topic is Publicly Accessible
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/sns_topic_module.html
 9073f073-5d60-4b46-b569-0d6baa80ed95:
 categories:
@@ -9976,6 +10946,7 @@ rules:
 group: cloud-resources-public-access
 name: 9073f073-5d60-4b46-b569-0d6baa80ed95
 pretty_name: Storage Account Allows Default Network Access
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json#storageaccountpropertiescreateparameters-object
 9127f0d9-2310-42e7-866f-5fd9d20dcbad:
 categories:
@@ -9990,6 +10961,7 @@ rules:
 group: cloud-weak-configuration
 name: 9127f0d9-2310-42e7-866f-5fd9d20dcbad
 pretty_name: Cluster Allows Unsafe Sysctls
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
 9192e0f9-eca5-4056-9282-ae2a736a4088:
 categories:
@@ -10002,6 +10974,7 @@ rules:
 group: cloud-weak-configuration
 name: 9192e0f9-eca5-4056-9282-ae2a736a4088
 pretty_name: Pod Security Policy Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster
 91bea7b8-0c31-4863-adc9-93f6177266c4:
 categories:
@@ -10012,6 +10985,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: 91bea7b8-0c31-4863-adc9-93f6177266c4
 pretty_name: Stack Without Template
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack
 91dacd0e-d189-4a9c-8272-5999a3cc32d9:
 categories:
@@ -10022,6 +10996,7 @@ rules:
 group: cloud-weak-configuration
 name: 91dacd0e-d189-4a9c-8272-5999a3cc32d9
 pretty_name: PSP Allows Sharing Host PID
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
 91f16d09-689e-4926-aca7-155157f634ed:
 categories:
@@ -10031,6 +11006,7 @@ rules:
 group: top10-insecure-design
 name: 91f16d09-689e-4926-aca7-155157f634ed
 pretty_name: ECS Service Without Running Tasks
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service
 92302b47-b0cc-46cb-a28f-5610ecda140b:
 categories:
@@ -10042,6 +11018,7 @@ rules:
 group: cloud-resources-public-access
 name: 92302b47-b0cc-46cb-a28f-5610ecda140b
 pretty_name: Website with Client Certificate Auth Disabled
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites?tabs=json#siteproperties-object
 9232306a-f839-40aa-b3ef-b352001da9a5:
 categories:
@@ -10051,6 +11028,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 9232306a-f839-40aa-b3ef-b352001da9a5
 pretty_name: S3 Bucket Without Versioning
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-versioning
 9239c289-9e4c-4d92-8be1-9d506057c971:
 categories:
@@ -10060,6 +11038,7 @@ rules:
 group: top10-insecure-design
 name: 9239c289-9e4c-4d92-8be1-9d506057c971
 pretty_name: Invalid License URL (v3)
+ recommended: true
 ref: https://swagger.io/specification/#license-object
 9296f1cc-7a40-45de-bd41-f31745488a0e:
 categories:
@@ -10070,6 +11049,7 @@ rules:
 group: top10-crypto-failures
 name: 9296f1cc-7a40-45de-bd41-f31745488a0e
 pretty_name: SQS With SSE Disabled
+ recommended: true
 ref: https://doc.crds.dev/github.com/crossplane/provider-aws/sqs.aws.crossplane.io/Queue/v1beta1@v0.29.0#spec-forProvider-kmsMasterKeyId
 92d65c51-5d82-4507-a2a1-d252e9706855:
 categories:
@@ -10080,6 +11060,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: 92d65c51-5d82-4507-a2a1-d252e9706855
 pretty_name: ROS Stack Without Template
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ros_stack
 92e4464a-4139-4d57-8742-b5acc0347680:
 categories:
@@ -10090,6 +11071,7 @@ rules:
 group: cloud-insecure-iam
 name: 92e4464a-4139-4d57-8742-b5acc0347680
 pretty_name: KMS Admin and CryptoKey Roles In Use
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#policy_data
 92fe237e-074c-4262-81a4-2077acb928c1:
 categories:
@@ -10100,6 +11082,7 @@ rules:
 group: cloud-resources-public-access
 name: 92fe237e-074c-4262-81a4-2077acb928c1
 pretty_name: Sensitive Port Is Exposed To Wide Private Network
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
 9307a2ed-35c2-413d-94de-a1a0682c2158:
 categories:
@@ -10110,6 +11093,7 @@ rules:
 group: cloud-insecure-iam
 name: 9307a2ed-35c2-413d-94de-a1a0682c2158
 pretty_name: AKS Cluster RBAC Disabled
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json
 934613fe-b12c-4e5a-95f5-c1dcdffac1ff:
 categories:
@@ -10120,6 +11104,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 934613fe-b12c-4e5a-95f5-c1dcdffac1ff
 pretty_name: CloudWatch Without Retention Period Specified
+ recommended: true
 ref: https://doc.crds.dev/github.com/crossplane/provider-aws/cloudwatchlogs.aws.crossplane.io/LogGroup/v1alpha1@v0.29.0#spec-forProvider-retentionInDays
 9356962e-4a4f-4d06-ac59-dc8008775eaa:
 categories:
@@ -10130,6 +11115,7 @@ rules:
 group: cloud-weak-configuration
 name: 9356962e-4a4f-4d06-ac59-dc8008775eaa
 pretty_name: Not Proper Email Account In Use
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_binding
 9391103a-d8d7-4671-ac5d-606ba7ccb0ac:
 categories:
@@ -10140,6 +11126,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 9391103a-d8d7-4671-ac5d-606ba7ccb0ac
 pretty_name: Etcd Client Certificate Authentication Set To False
+ recommended: true
 ref: https://etcd.io/docs/v3.4/op-guide/security/
 93d88cf7-f078-46a8-8ddc-178e03aeacf1:
 categories:
@@ -10150,6 +11137,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: 93d88cf7-f078-46a8-8ddc-178e03aeacf1
 pretty_name: Missing Version Specification In dnf install
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
 94690d79-b3b0-43de-b656-84ebef5753e5:
 categories:
@@ -10161,6 +11149,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 94690d79-b3b0-43de-b656-84ebef5753e5
 pretty_name: CloudFront Logging Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution
 9488c451-074e-4cd3-aee3-7db6104f542c:
 categories:
@@ -10171,6 +11160,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 9488c451-074e-4cd3-aee3-7db6104f542c
 pretty_name: Lambda Functions Without X-Ray Tracing
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-tracingconfig.html
 949376f1-f560-4c6d-a016-63424ca931bb:
 categories:
@@ -10180,6 +11170,7 @@ rules:
 group: top10-insecure-design
 name: 949376f1-f560-4c6d-a016-63424ca931bb
 pretty_name: Schema Discriminator Property Not String (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#schema-object
 94b76ea5-e074-4ca2-8a03-c5a606e30645:
 categories:
@@ -10191,6 +11182,7 @@ rules: group: top10-insecure-design name: 94b76ea5-e074-4ca2-8a03-c5a606e30645 pretty_name: Object Is Using A Deprecated API Version + recommended: true ref: https://kubernetes.io/docs/reference/using-api/deprecation-guide/ 94fbe150-27e3-4eba-9ca6-af32865e4503: categories: @@ -10202,6 +11194,7 @@ rules: name: 94fbe150-27e3-4eba-9ca6-af32865e4503 pretty_name: User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy 9513a694-aa0d-41d8-be61-3271e056f36b: categories: @@ -10212,6 +11205,7 @@ rules: group: supply-chain-scm-weak-configuration name: 9513a694-aa0d-41d8-be61-3271e056f36b pretty_name: Add Instead of Copy + recommended: true ref: https://docs.docker.com/engine/reference/builder/#add 953b3cdb-ce13-428a-aa12-318726506661: categories: @@ -10223,6 +11217,7 @@ rules: group: cloud-insecure-iam name: 953b3cdb-ce13-428a-aa12-318726506661 pretty_name: IAM Policies With Full Privileges + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html 95588189-1abd-4df1-9588-b0a5034f9e87: categories: @@ -10233,6 +11228,7 @@ rules: group: cloud-insecure-iam name: 95588189-1abd-4df1-9588-b0a5034f9e87 pretty_name: Missing App Armor Config + recommended: true ref: https://www.pulumi.com/registry/packages/kubernetes/api-docs/core/v1/pod/#objectmeta 95601b9a-7fe8-4aee-9b58-d36fd9382dfc: categories: @@ -10245,6 +11241,7 @@ rules: group: top10-security-logging-monitoring-failures name: 95601b9a-7fe8-4aee-9b58-d36fd9382dfc pretty_name: Stackdriver Logging Disabled + recommended: true ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters 9564406d-e761-4e61-b8d7-5926e3ab8e79: categories: 
@@ -10256,6 +11253,7 @@ rules:
 group: cloud-resources-public-access
 name: 9564406d-e761-4e61-b8d7-5926e3ab8e79
 pretty_name: DB Security Group With Public Scope
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html
 9587c890-0524-40c2-9ce2-663af7c2f063:
 categories:
@@ -10266,6 +11264,7 @@ rules:
 group: cloud-insecure-iam
 name: 9587c890-0524-40c2-9ce2-663af7c2f063
 pretty_name: Service Account Admission Control Plugin Disabled
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 961ce567-a16d-4d7d-9027-f0ec2628a555:
 categories:
@@ -10277,6 +11276,7 @@ rules:
 group: top10-crypto-failures
 name: 961ce567-a16d-4d7d-9027-f0ec2628a555
 pretty_name: SSL Enforce Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlserver_module.html#parameter-enforce_ssl
 962fa01e-b791-4dcc-b04a-4a3e7389be5e:
 categories:
@@ -10287,6 +11287,7 @@ rules:
 group: top10-insecure-design
 name: 962fa01e-b791-4dcc-b04a-4a3e7389be5e
 pretty_name: Components Schema Definition Is Unused
+ recommended: true
 ref: https://swagger.io/specification/#components-object
 9630336b-3fed-4096-8173-b9afdfe346a7:
 categories:
@@ -10296,6 +11297,7 @@ rules:
 group: top10-crypto-failures
 name: 9630336b-3fed-4096-8173-b9afdfe346a7
 pretty_name: Unscanned ECR Image
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#scan_on_push
 965a043f-5f3c-4d0a-be72-d9ce12fdb4d6:
 categories:
@@ -10306,6 +11308,7 @@ rules:
 group: cloud-resources-public-access
 name: 965a043f-5f3c-4d0a-be72-d9ce12fdb4d6
 pretty_name: Success Response Code Undefined for Put Operation (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#operation-object
 965a08d7-ef86-4f14-8792-4a3b2098937e:
 categories:
@@ -10315,6 +11318,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: 965a08d7-ef86-4f14-8792-4a3b2098937e
 pretty_name: Apt Get Install Pin Version Not Defined
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
 965e8830-2bec-4b9b-a7f0-24dbc200a68f:
 categories:
@@ -10326,6 +11330,7 @@ rules:
 group: top10-crypto-failures
 name: 965e8830-2bec-4b9b-a7f0-24dbc200a68f
 pretty_name: Google Compute SSL Policy Weak Cipher In Use
+ recommended: true
 ref: https://www.pulumi.com/registry/packages/gcp/api-docs/compute/sslpolicy/#mintlsversion_yaml
 9670f240-7b4d-4955-bd93-edaa9fa38b58:
 categories:
@@ -10336,6 +11341,7 @@ rules:
 group: top10-crypto-failures
 name: 9670f240-7b4d-4955-bd93-edaa9fa38b58
 pretty_name: Path Server Object Uses HTTP (v3)
+ recommended: true
 ref: https://swagger.io/specification/#server-object
 96729c6b-7400-4d9e-9807-17f00cdde4d2:
 categories:
@@ -10347,6 +11353,7 @@ rules:
 group: cloud-insecure-iam
 name: 96729c6b-7400-4d9e-9807-17f00cdde4d2
 pretty_name: No Global And Operation Security Defined (v3)
+ recommended: true
 ref: https://swagger.io/specification/#security-requirement-object
 967575e5-eb44-4c24-aadb-7e33608ed30a:
 categories:
@@ -10357,6 +11364,7 @@ rules:
 group: cloud-weak-configuration
 name: 967575e5-eb44-4c24-aadb-7e33608ed30a
 pretty_name: Schema Object is Empty (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#schemaObject
 967eb3e6-26fc-497d-8895-6428beb6e8e2:
 categories:
@@ -10366,6 +11374,7 @@ rules:
 group: top10-crypto-failures
 name: 967eb3e6-26fc-497d-8895-6428beb6e8e2
 pretty_name: Elasticsearch Domain Not Encrypted Node To Node
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#node_to_node_encryption
 96beb800-566f-49a9-a0ea-dbdf4bc80429:
 categories:
@@ -10376,6 +11385,7 @@ rules:
 group: top10-insecure-design
 name: 96beb800-566f-49a9-a0ea-dbdf4bc80429
 pretty_name: JSON '$ref' alongside other properties (v3)
+ recommended: true
 ref: https://swagger.io/specification/#reference-object
 96e8183b-e985-457b-90cd-61c0503a3369:
 categories:
@@ -10385,6 +11395,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 96e8183b-e985-457b-90cd-61c0503a3369
 pretty_name: Global Accelerator Flow Logs Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/globalaccelerator_accelerator#flow_logs_enabled
 96ed3526-0179-4c73-b1b2-372fde2e0d13:
 categories:
@@ -10394,6 +11405,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 96ed3526-0179-4c73-b1b2-372fde2e0d13
 pretty_name: Default VPC Exists
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc
 96fe318e-d631-4156-99fa-9080d57280ae:
 categories:
@@ -10406,6 +11418,7 @@ rules:
 group: top10-insecure-design
 name: 96fe318e-d631-4156-99fa-9080d57280ae
 pretty_name: App Service Without Latest PHP Version
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#php_version
 970d224d-b42a-416b-81f9-8f4dfe70c4bc:
 categories:
@@ -10418,6 +11431,7 @@ rules:
 group: cloud-weak-configuration
 name: 970d224d-b42a-416b-81f9-8f4dfe70c4bc
 pretty_name: Root Account Has Active Access Keys
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key
 970ed7a2-0aca-4425-acf1-0453c9ecbca1:
 categories:
@@ -10428,6 +11442,7 @@ rules:
 group: cloud-insecure-iam
 name: 970ed7a2-0aca-4425-acf1-0453c9ecbca1
 pretty_name: Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy
 97707503-a22c-4cd7-b7c0-f088fa7cf830:
 categories:
@@ -10438,6 +11453,7 @@ rules:
 group: top10-crypto-failures
 name: 97707503-a22c-4cd7-b7c0-f088fa7cf830
 pretty_name: AMI Not Encrypted
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_ami_module.html
 97cb0688-369a-4d26-b1f7-86c4c91231bc:
 categories:
@@ -10447,6 +11463,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 97cb0688-369a-4d26-b1f7-86c4c91231bc
 pretty_name: ECS Cluster with Container Insights Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster#setting
 97e94d17-e2c7-4109-a53b-6536ac1bb64e:
 categories:
@@ -10457,6 +11474,7 @@ rules:
 group: top10-insecure-design
 name: 97e94d17-e2c7-4109-a53b-6536ac1bb64e
 pretty_name: VPC Attached With Too Many Gateways
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc-gateway-attachment.html
 97fa667a-d05b-4f16-9071-58b939f34751:
 categories:
@@ -10468,6 +11486,7 @@ rules:
 group: cloud-resources-public-access
 name: 97fa667a-d05b-4f16-9071-58b939f34751
 pretty_name: Serial Ports Are Enabled For VM Instances
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance
 98295b32-ec09-4b5b-89a9-39853197f914:
 categories:
@@ -10477,6 +11496,7 @@ rules:
 group: top10-insecure-design
 name: 98295b32-ec09-4b5b-89a9-39853197f914
 pretty_name: Schema JSON Reference Does Not Exists (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#definitionsObject
 982aa526-6970-4c59-8b9b-2ce7e019fe36:
 categories:
@@ -10487,6 +11507,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 982aa526-6970-4c59-8b9b-2ce7e019fe36
 pretty_name: API Gateway With CloudWatch Logging Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#managing-the-api-logging-cloudwatch-log-group
 9850d621-7485-44f7-8bdd-b3cf426315cf:
 categories:
@@ -10496,6 +11517,7 @@ rules:
 group: top10-insecure-design
 name: 9850d621-7485-44f7-8bdd-b3cf426315cf
 pretty_name: IAM Password Without Minimum Length
+ recommended: true
 ref: https://www.pulumi.com/registry/packages/aws/api-docs/iam/accountpasswordpolicy/#minimumpasswordlength_yaml
 98a8f708-121b-455b-ae2f-da3fb59d17e1:
 categories:
@@ -10507,6 +11529,7 @@ rules:
 group: cloud-weak-configuration
 name: 98a8f708-121b-455b-ae2f-da3fb59d17e1
 pretty_name: S3 Bucket with Unsecured CORS Rule
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#cors_rule
 98ce8b81-7707-4734-aa39-627c6db3d84b:
 categories:
@@ -10517,6 +11540,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 98ce8b81-7707-4734-aa39-627c6db3d84b
 pretty_name: Auto TLS Set To True
+ recommended: true
 ref: https://etcd.io/docs/v3.4/op-guide/security/
 98d59056-f745-4ef5-8613-32bca8d40b7e:
 categories:
@@ -10526,6 +11550,7 @@ rules:
 group: top10-crypto-failures
 name: 98d59056-f745-4ef5-8613-32bca8d40b7e
 pretty_name: Neptune Database Cluster Encryption Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster#storage_encrypted
 98e04ca0-34f5-4c74-8fec-d2e611ce2790:
 categories:
@@ -10538,6 +11563,7 @@ rules:
 group: cloud-weak-configuration
 name: 98e04ca0-34f5-4c74-8fec-d2e611ce2790
 pretty_name: Network Policy Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html
 990eaf09-d6f1-4c3c-b174-a517b1de8917:
 categories:
@@ -10547,6 +11573,7 @@ rules:
 group: top10-insecure-design
 name: 990eaf09-d6f1-4c3c-b174-a517b1de8917
 pretty_name: Responses Object Is Empty (v3)
+ recommended: true
 ref: https://swagger.io/specification/#responses-object
 99614418-f82b-4852-a9ae-5051402b741c:
 categories:
@@ -10559,6 +11586,7 @@ rules:
 group: top10-insecure-design
 name: 99614418-f82b-4852-a9ae-5051402b741c
 pretty_name: MAINTAINER Instruction Being Used
+ recommended: true
 ref: https://docs.docker.com/engine/reference/builder/#maintainer-deprecated
 99733b39-6413-4ed8-8acf-dc7cdc9b4e51:
 categories:
@@ -10569,6 +11597,7 @@ rules:
 group: cloud-insecure-iam
 name: 99733b39-6413-4ed8-8acf-dc7cdc9b4e51
 pretty_name: Cleartext API Key In Operation Security (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#securityDefinitionsObject
 99eb2c95-2040-4104-9e7c-e16f7474d218:
 categories:
@@ -10579,6 +11608,7 @@ rules:
 group: cloud-weak-configuration
 name: 99eb2c95-2040-4104-9e7c-e16f7474d218
 pretty_name: Array Without Maximum Number of Items (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#parameterObject
 9a205ba3-0dd1-42eb-8d54-2ffec836b51a:
 categories:
@@ -10589,6 +11619,7 @@ rules:
 group: cloud-insecure-iam
 name: 9a205ba3-0dd1-42eb-8d54-2ffec836b51a
 pretty_name: Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy
 9a4ef195-74b9-4c58-b8ed-2b2fe4353a75:
 categories:
@@ -10600,6 +11631,7 @@ rules:
 group: cloud-resources-public-access
 name: 9a4ef195-74b9-4c58-b8ed-2b2fe4353a75
 pretty_name: VPC Default Security Group Accepts All Traffic
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group
 9aa32890-ac1a-45ee-81ca-5164e2098556:
 categories:
@@ -10609,6 +11641,7 @@ rules: group: cloud-weak-configuration name: 9aa32890-ac1a-45ee-81ca-5164e2098556 pretty_name: NET_RAW Capabilities Disabled for PSP + recommended: true ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#required_drop_capabilities 9aa6e95c-d964-4239-a3a8-9f37a3c5a31f: categories: @@ -10619,6 +11652,7 @@ rules: group: cloud-insecure-iam name: 9aa6e95c-d964-4239-a3a8-9f37a3c5a31f pretty_name: Undefined Scope 'securityDefinition' On Global 'security' Field + recommended: true ref: https://swagger.io/specification/v2/#security-scheme-object 9b09dee1-f09b-4013-91d2-158fa4695f4b: categories: @@ -10629,6 +11663,7 @@ rules: group: top10-security-logging-monitoring-failures name: 9b09dee1-f09b-4013-91d2-158fa4695f4b pretty_name: AKS Logging To Azure Monitoring Is Disabled + recommended: true ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#managedclusteraddonprofile 9b0ffadc-a61f-4c2a-b1e6-68fab60f6267: categories: @@ -10640,6 +11675,7 @@ rules: name: 9b0ffadc-a61f-4c2a-b1e6-68fab60f6267 pretty_name: Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy 9b18fc19-7fb8-49b1-8452-9c757c70f926: categories: @@ -10650,6 +11686,7 @@ rules: group: top10-insecure-design name: 9b18fc19-7fb8-49b1-8452-9c757c70f926 pretty_name: ElastiCache Nodes Not Created Across Multi AZ + recommended: true ref: https://www.pulumi.com/registry/packages/aws/api-docs/elasticache/cluster/#azmode_yaml 9b633f3b-c94b-4fbb-a65b-1a4e9134fb63: categories: 
@@ -10659,6 +11696,7 @@ rules:
 group: cloud-resources-public-access
 name: 9b633f3b-c94b-4fbb-a65b-1a4e9134fb63
 pretty_name: Success Response Code Undefined for Get Operation (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#operation-object
 9b6a3f5b-5fd6-40ee-9bc0-ed604911212d:
 categories:
@@ -10670,6 +11708,7 @@ rules:
 group: cloud-insecure-iam
 name: 9b6a3f5b-5fd6-40ee-9bc0-ed604911212d
 pretty_name: SQS Policy With Public Access
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-policy.html
 9b6b0f38-92a2-41f9-b881-3a1083d99f1b:
 categories:
@@ -10680,6 +11719,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: 9b6b0f38-92a2-41f9-b881-3a1083d99f1b
 pretty_name: Run Utilities And POSIX Commands
+ recommended: true
 ref: https://docs.docker.com/engine/reference/builder/#run
 9b83114b-b2a1-4534-990d-06da015e47aa:
 categories:
@@ -10690,6 +11730,7 @@ rules:
 group: top10-insecure-design
 name: 9b83114b-b2a1-4534-990d-06da015e47aa
 pretty_name: Lambda Permission Misconfigured
+ recommended: true
 ref: https://docs.aws.amazon.com/pt_br/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html
 9b877bd8-94b4-4c10-a060-8e0436cc09fa:
 categories:
@@ -10700,6 +11741,7 @@ rules:
 group: cloud-insecure-iam
 name: 9b877bd8-94b4-4c10-a060-8e0436cc09fa
 pretty_name: User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy
 9ba198e0-fef4-464a-8a4d-75ea55300de7:
 categories:
@@ -10710,6 +11752,7 @@ rules:
 group: cloud-insecure-iam
 name: 9ba198e0-fef4-464a-8a4d-75ea55300de7
 pretty_name: Neptune Cluster Instance is Publicly Accessible
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster_instance#publicly_accessible
 9bae49be-0aa3-4de5-bab2-4c3a069e40cd:
 categories:
@@ -10720,6 +11763,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: 9bae49be-0aa3-4de5-bab2-4c3a069e40cd
 pretty_name: Update Instruction Alone
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
 9bb3c639-5edf-458c-8ee5-30c17c7d671d:
 categories:
@@ -10729,6 +11773,7 @@ rules:
 group: cloud-weak-configuration
 name: 9bb3c639-5edf-458c-8ee5-30c17c7d671d
 pretty_name: Function App Client Certificates Unrequired
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#client_cert_mode
 9c238c97-1991-4c0b-9c7d-6c7912e1dc7c:
 categories:
@@ -10738,6 +11783,7 @@ rules:
 group: cloud-insecure-iam
 name: 9c238c97-1991-4c0b-9c7d-6c7912e1dc7c
 pretty_name: Cleartext API Key In Global Security (v3)
+ recommended: true
 ref: https://swagger.io/specification/#security-scheme-object
 9c301481-e6ec-44f7-8a49-8ec63e2969ea:
 categories:
@@ -10748,6 +11794,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 9c301481-e6ec-44f7-8a49-8ec63e2969ea
 pretty_name: Small MSSQL Audit Retention Period
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server
 9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae:
 categories:
@@ -10758,6 +11805,7 @@ rules:
 group: top10-insecure-design
 name: 9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae
 pretty_name: Components Response Definition Is Unused
+ recommended: true
 ref: https://swagger.io/specification/#components-object
 9c7028d9-04c2-45be-b8b2-1188ccaefb36:
 categories:
@@ -10768,6 +11816,7 @@ rules:
 group: cloud-resources-public-access
 name: 9c7028d9-04c2-45be-b8b2-1188ccaefb36
 pretty_name: SageMaker Notebook Not Placed In VPC
+ recommended: true
 ref: https://docs.aws.amazon.com/sagemaker/latest/dg/security_iam_id-based-policy-examples.html#sagemaker-condition-nbi-lockdown
 9cf25d62-0b96-42c8-b66d-998cd6ee5bb8:
 categories:
@@ -10778,6 +11827,7 @@ rules:
 group: top10-insecure-design
 name: 9cf25d62-0b96-42c8-b66d-998cd6ee5bb8
 pretty_name: IAM Password Without Number
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html
 9cf718ce-46f9-430e-89ec-c456f8b469ee:
 categories:
@@ -10788,6 +11838,7 @@ rules:
 group: top10-crypto-failures
 name: 9cf718ce-46f9-430e-89ec-c456f8b469ee
 pretty_name: User Data Shell Script Is Encoded
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#user_data_base64
 9d0d4512-1959-43a2-a17f-72360ff06d1b:
 categories:
@@ -10797,6 +11848,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 9d0d4512-1959-43a2-a17f-72360ff06d1b
 pretty_name: CloudWatch VPC Changes Alarm Missing
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern
 9d13b150-a2ab-42a1-b6f4-142e41f81e52:
 categories:
@@ -10806,6 +11858,7 @@ rules:
 group: cloud-weak-secrets-management
 name: 9d13b150-a2ab-42a1-b6f4-142e41f81e52
 pretty_name: SNS Topic Without KmsMasterKeyId
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-topic.html
 9d43040e-e703-4e16-8bfe-8d4da10fa7e6:
 categories:
@@ -10817,6 +11870,7 @@ rules:
 group: cloud-insecure-iam
 name: 9d43040e-e703-4e16-8bfe-8d4da10fa7e6
 pretty_name: Container CPU Requests Not Equal To It's Limits
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 9d47956b-29cd-43b1-9e6e-b39a4d484353:
 categories:
@@ -10826,6 +11880,7 @@ rules:
 group: top10-insecure-design
 name: 9d47956b-29cd-43b1-9e6e-b39a4d484353
 pretty_name: Non-Array Schema With Items (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#schema-object
 9d967a2b-9d64-41a6-abea-dfc4960299bd:
 categories:
@@ -10836,6 +11891,7 @@ rules:
 group: cloud-weak-configuration
 name: 9d967a2b-9d64-41a6-abea-dfc4960299bd
 pretty_name: JSON Object Schema Without Properties (v3)
+ recommended: true
 ref: https://swagger.io/specification/#schema-object
 9dab0179-433d-4dff-af8f-0091025691df:
 categories:
@@ -10847,6 +11903,7 @@ rules:
 group: cloud-weak-configuration
 name: 9dab0179-433d-4dff-af8f-0091025691df
 pretty_name: Function App FTPS Enforce Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#ftps_state
 9db38e87-f6aa-4b5e-a1ec-7266df259409:
 categories:
@@ -10857,6 +11914,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 9db38e87-f6aa-4b5e-a1ec-7266df259409
 pretty_name: Email Alerts Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_contact
 9df7f78f-ebe3-432e-ac3b-b67189c15518:
 categories:
@@ -10869,6 +11927,7 @@ rules:
 group: cloud-weak-configuration
 name: 9df7f78f-ebe3-432e-ac3b-b67189c15518
 pretty_name: Cluster Master Authentication Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html
 9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f:
 categories:
@@ -10879,6 +11938,7 @@ rules:
 group: cloud-weak-configuration
 name: 9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f
 pretty_name: Cloud SQL Instance With Cross DB Ownership Chaining On
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags
 9e8c89b3-7997-4d15-93e4-7911b9db99fd:
 categories:
@@ -10890,6 +11950,7 @@ rules:
 group: cloud-weak-configuration
 name: 9e8c89b3-7997-4d15-93e4-7911b9db99fd
 pretty_name: Inline Policies Are Attached To ECS Service
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html
 9ec311bf-dfd9-421f-8498-0b063c8bc552:
 categories:
@@ -10899,6 +11960,7 @@ rules:
 group: cloud-insecure-iam
 name: 9ec311bf-dfd9-421f-8498-0b063c8bc552
 pretty_name: IAM User With Access To Console
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile
 9ecb6b21-18bc-4aa7-bd07-db20f1c746db:
 categories:
@@ -10910,6 +11972,7 @@ rules:
 group: top10-crypto-failures
 name: 9ecb6b21-18bc-4aa7-bd07-db20f1c746db
 pretty_name: CloudFormation Specifying Credentials Not Safe
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-authentication.html
 9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8:
 categories:
@@ -10931,6 +11994,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 9ef08939-ea40-489c-8851-667870b2ef50
 pretty_name: ROS Stack Notifications Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ros_stack#notification_urls
 9ef7d25d-9764-4224-9968-fa321c56ef76:
 categories:
@@ -10940,6 +12004,7 @@ rules:
 group: cloud-weak-configuration
 name: 9ef7d25d-9764-4224-9968-fa321c56ef76
 pretty_name: AWS Password Policy With Unchangeable Passwords
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy
 9efb0b2d-89c9-41a3-91ca-dcc0aec911fd:
 categories:
@@ -10949,6 +12014,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: 9efb0b2d-89c9-41a3-91ca-dcc0aec911fd
 pretty_name: Image Version Not Explicit
+ recommended: true
 ref: https://docs.docker.com/engine/reference/builder/#from
 9f34885e-c08f-4d13-a7d1-cf190c5bd268:
 categories:
@@ -10960,6 +12026,7 @@ rules:
 group: top10-crypto-failures
 name: 9f34885e-c08f-4d13-a7d1-cf190c5bd268
 pretty_name: Redis Not Compliant
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/elasticache_module.html#parameter-cache_engine_version
 9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d:
 categories:
@@ -10969,6 +12036,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: 9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d
 pretty_name: Configuration Aggregator to All Regions Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationaggregator.html
 9f40c07e-699e-4410-8856-3ba0f2e3a2dd:
 categories:
@@ -10979,6 +12047,7 @@ rules:
 group: top10-crypto-failures
 name: 9f40c07e-699e-4410-8856-3ba0f2e3a2dd
 pretty_name: CA Certificate Identifier Is Outdated
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
 9f4a9409-9c60-4671-be96-9716dbf63db1:
 categories:
@@ -10991,6 +12060,7 @@ rules:
 group: cloud-weak-configuration
 name: 9f4a9409-9c60-4671-be96-9716dbf63db1
 pretty_name: ECS Task Definition Network Mode Not Recommended
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#network_mode
 9f85c3f6-26fd-4007-938a-2e0cb0100980:
 categories:
@@ -11003,6 +12073,7 @@ rules:
 group: cloud-insecure-iam
 name: 9f85c3f6-26fd-4007-938a-2e0cb0100980
 pretty_name: RBAC Roles with Impersonate Permission
+ recommended: true
 ref: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation
 9f88c88d-824d-4d9a-b985-e22977046042:
 categories:
@@ -11012,6 +12083,7 @@ rules:
 group: cloud-weak-configuration
 name: 9f88c88d-824d-4d9a-b985-e22977046042
 pretty_name: Additional Properties Too Permissive
+ recommended: true
 ref: https://swagger.io/specification/#schema-object
 9fcd0a0a-9b6f-4670-a215-d94e6bf3f184:
 categories:
@@ -11023,6 +12095,7 @@ rules:
 group: top10-crypto-failures
 name: 9fcd0a0a-9b6f-4670-a215-d94e6bf3f184
 pretty_name: IAM Database Auth Not Enabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-enableiamdatabaseauthentication
 9fedee41-2e6d-4091-b011-4a16b4c18c70:
 categories:
@@ -11033,6 +12106,7 @@ rules:
 group: cloud-resources-public-access
 name: 9fedee41-2e6d-4091-b011-4a16b4c18c70
 pretty_name: Success Response Code Undefined for Post Operation (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#operation-object
 ASP_Best_Coding_Practice_Aptca_Methods_Call_Non_Aptca_Methods:
 categories:
@@ -11046,6 +12120,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Best_Coding_Practice_Aptca_Methods_Call_Non_Aptca_Methods
 pretty_name: Aptca Methods Call Non Aptca Methods - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Best_Coding_Practice_Dynamic_SQL_Queries:
 categories:
@@ -11062,6 +12137,7 @@ rules:
 group: top10-injection
 name: ASP_Best_Coding_Practice_Dynamic_SQL_Queries
 pretty_name: Dynamic SQL Queries - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Best_Coding_Practice_Empty_Catch:
 categories:
@@ -11075,6 +12151,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Best_Coding_Practice_Empty_Catch
 pretty_name: Empty Catch - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Best_Coding_Practice_Hardcoded_Absolute_Path:
 categories:
@@ -11089,6 +12166,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: ASP_Best_Coding_Practice_Hardcoded_Absolute_Path
 pretty_name: Hardcoded Absolute Path - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Best_Coding_Practice_Hardcoded_Connection_String:
 categories:
@@ -11104,6 +12182,7 @@ rules:
 group: top10-id-authn-failures
 name: ASP_Best_Coding_Practice_Hardcoded_Connection_String
 pretty_name: Hardcoded Connection String - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined:
 categories:
@@ -11116,6 +12195,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined
 pretty_name: Just One of Equals and Hash code Defined - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Best_Coding_Practice_Missing_XML_Validation:
 categories:
@@ -11129,6 +12209,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Best_Coding_Practice_Missing_XML_Validation
 pretty_name: Missing XML Validation - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Best_Coding_Practice_NULL_Argument_to_Equals:
 categories:
@@ -11141,6 +12222,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Best_Coding_Practice_NULL_Argument_to_Equals
 pretty_name: NULL Argument to Equals - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Best_Coding_Practice_Pages_Without_Global_Error_Handler:
 categories:
@@ -11155,6 +12237,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Best_Coding_Practice_Pages_Without_Global_Error_Handler
 pretty_name: Pages Without Global Error Handler - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Best_Coding_Practice_PersistSecurityInfo_is_True:
 categories:
@@ -11168,6 +12251,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Best_Coding_Practice_PersistSecurityInfo_is_True
 pretty_name: PersistSecurityInfo is True - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Best_Coding_Practice_Sockets_in_WebApp:
 categories:
@@ -11181,6 +12265,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Best_Coding_Practice_Sockets_in_WebApp
 pretty_name: Sockets in WebApp - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Best_Coding_Practice_Threads_in_WebApp:
 categories:
@@ -11194,6 +12279,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Best_Coding_Practice_Threads_in_WebApp
 pretty_name: Threads in WebApp - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Best_Coding_Practice_Unclosed_Objects:
 categories:
@@ -11207,6 +12293,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Best_Coding_Practice_Unclosed_Objects
 pretty_name: Unclosed Objects - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Best_Coding_Practice_Unvalidated_Arguments_Of_Public_Methods:
 categories:
@@ -11219,6 +12306,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Best_Coding_Practice_Unvalidated_Arguments_Of_Public_Methods
 pretty_name: Unvalidated Arguments Of Public Methods - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Best_Coding_Practice_Use_of_System_Output_Stream:
 categories:
@@ -11232,6 +12320,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Best_Coding_Practice_Use_of_System_Output_Stream
 pretty_name: Use of System Output Stream - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Best_Coding_Practice_Visible_Fields:
 categories:
@@ -11245,6 +12334,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Best_Coding_Practice_Visible_Fields
 pretty_name: Visible Fields - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Heuristic_Heuristic_2nd_Order_SQL_Injection:
 categories:
@@ -11261,6 +12351,7 @@ rules:
 group: top10-injection
 name: ASP_Heuristic_Heuristic_2nd_Order_SQL_Injection
 pretty_name: Heuristic 2nd Order SQL Injection - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Heuristic_Heuristic_CSRF:
 categories:
@@ -11276,6 +12367,7 @@ rules:
 group: top10-injection
 name: ASP_Heuristic_Heuristic_CSRF
 pretty_name: Heuristic CSRF - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Heuristic_Heuristic_DB_Parameter_Tampering:
 categories:
@@ -11289,6 +12381,7 @@ rules:
 group: top10-broken-access-control
 name: ASP_Heuristic_Heuristic_DB_Parameter_Tampering
 pretty_name: Heuristic DB Parameter Tampering - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Heuristic_Heuristic_Parameter_Tampering:
 categories:
@@ -11303,6 +12396,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Heuristic_Heuristic_Parameter_Tampering
 pretty_name: Heuristic Parameter Tampering - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Heuristic_Heuristic_SQL_Injection:
 categories:
@@ -11319,6 +12413,7 @@ rules:
 group: top10-injection
 name: ASP_Heuristic_Heuristic_SQL_Injection
 pretty_name: Heuristic SQL Injection - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Heuristic_Heuristic_Stored_XSS:
 categories:
@@ -11334,6 +12429,7 @@ rules:
 group: top10-injection
 name: ASP_Heuristic_Heuristic_Stored_XSS
 pretty_name: Heuristic Stored XSS - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_High_Risk_Code_Injection:
 categories:
@@ -11351,6 +12447,7 @@ rules:
 group: top10-injection
 name: ASP_High_Risk_Code_Injection
 pretty_name: Code Injection - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_High_Risk_Command_Injection:
 categories:
@@ -11368,6 +12465,7 @@ rules:
 group: top10-injection
 name: ASP_High_Risk_Command_Injection
 pretty_name: Command Injection - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_High_Risk_Connection_String_Injection:
 categories:
@@ -11383,6 +12481,7 @@ rules:
 group: top10-injection
 name: ASP_High_Risk_Connection_String_Injection
 pretty_name: Connection String Injection - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_High_Risk_Dangerous_File_Upload:
 categories:
@@ -11398,6 +12497,7 @@ rules:
 group: top10-insecure-design
 name: ASP_High_Risk_Dangerous_File_Upload
 pretty_name: Dangerous File Upload - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_High_Risk_LDAP_Injection:
 categories:
@@ -11414,6 +12514,7 @@ rules:
 group: top10-injection
 name: ASP_High_Risk_LDAP_Injection
 pretty_name: LDAP Injection - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_High_Risk_Reflected_XSS_All_Clients:
 categories:
@@ -11430,6 +12531,7 @@ rules:
 group: top10-injection
 name: ASP_High_Risk_Reflected_XSS_All_Clients
 pretty_name: Reflected XSS All Clients - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_High_Risk_Resource_Injection:
 categories:
@@ -11445,6 +12547,7 @@ rules:
 group: top10-injection
 name: ASP_High_Risk_Resource_Injection
 pretty_name: Resource Injection - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_High_Risk_SQL_Injection:
 categories:
@@ -11462,6 +12565,7 @@ rules:
 group: top10-injection
 name: ASP_High_Risk_SQL_Injection
 pretty_name: SQL Injection - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_High_Risk_Second_Order_SQL_Injection:
 categories:
@@ -11479,6 +12583,7 @@ rules:
 group: top10-injection
 name: ASP_High_Risk_Second_Order_SQL_Injection
 pretty_name: Second Order SQL Injection - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_High_Risk_Stored_XSS:
 categories:
@@ -11495,6 +12600,7 @@ rules:
 group: top10-injection
 name: ASP_High_Risk_Stored_XSS
 pretty_name: Stored XSS - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_High_Risk_UTF7_XSS:
 categories:
@@ -11511,6 +12617,7 @@ rules:
 group: top10-injection
 name: ASP_High_Risk_UTF7_XSS
 pretty_name: UTF7 XSS - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_High_Risk_XPath_Injection:
 categories:
@@ -11527,6 +12634,7 @@ rules:
 group: top10-injection
 name: ASP_High_Risk_XPath_Injection
 pretty_name: XPath Injection - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Blind_SQL_Injections:
 categories:
@@ -11543,6 +12651,7 @@ rules:
 group: top10-injection
 name: ASP_Low_Visibility_Blind_SQL_Injections
 pretty_name: Blind SQL Injections - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors:
 categories:
@@ -11556,6 +12665,7 @@ rules:
 group: top10-injection
 name: ASP_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors
 pretty_name: Cleansing Canonicalization and Comparison Errors - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Client_Side_Only_Validation:
 categories:
@@ -11569,6 +12679,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Low_Visibility_Client_Side_Only_Validation
 pretty_name: Client Side Only Validation - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Hardcoded_password_in_Connection_String:
 categories:
@@ -11582,6 +12693,7 @@ rules:
 group: top10-security-misconfiguration
 name: ASP_Low_Visibility_Hardcoded_password_in_Connection_String
 pretty_name: Hardcoded password in Connection String - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Impersonation_Issue:
 categories:
@@ -11595,6 +12707,7 @@ rules:
 group: top10-security-misconfiguration
 name: ASP_Low_Visibility_Impersonation_Issue
 pretty_name: Impersonation Issue - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Improper_Exception_Handling:
 categories:
@@ -11607,6 +12720,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Low_Visibility_Improper_Exception_Handling
 pretty_name: Improper Exception Handling - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Improper_Resource_Shutdown_or_Release:
 categories:
@@ -11620,6 +12734,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Low_Visibility_Improper_Resource_Shutdown_or_Release
 pretty_name: Improper Resource Shutdown or Release - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Improper_Session_Management:
 categories:
@@ -11633,6 +12748,7 @@ rules:
 group: top10-broken-access-control
 name: ASP_Low_Visibility_Improper_Session_Management
 pretty_name: Improper Session Management - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Improper_Transaction_Handling:
 categories:
@@ -11647,6 +12763,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Low_Visibility_Improper_Transaction_Handling
 pretty_name: Improper Transaction Handling - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Information_Exposure_Through_an_Error_Message:
 categories:
@@ -11660,6 +12777,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Low_Visibility_Information_Exposure_Through_an_Error_Message
 pretty_name: Information Exposure Through an Error Message - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Information_Leak_Through_Persistent_Cookies:
 categories:
@@ -11673,6 +12791,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Low_Visibility_Information_Leak_Through_Persistent_Cookies
 pretty_name: Information Leak Through Persistent Cookies - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Insecure_Randomness:
 categories:
@@ -11686,6 +12805,7 @@ rules:
 group: top10-crypto-failures
 name: ASP_Low_Visibility_Insecure_Randomness
 pretty_name: Insecure Randomness - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Insufficiently_Protected_Credentials:
 categories:
@@ -11700,6 +12820,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Low_Visibility_Insufficiently_Protected_Credentials
 pretty_name: Insufficiently Protected Credentials - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_JavaScript_Hijacking:
 categories:
@@ -11715,6 +12836,7 @@ rules:
 group: top10-injection
 name: ASP_Low_Visibility_JavaScript_Hijacking
 pretty_name: JavaScript Hijacking - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Leaving_Temporary_Files:
 categories:
@@ -11727,6 +12849,7 @@ rules:
 group: top10-broken-access-control
 name: ASP_Low_Visibility_Leaving_Temporary_Files
 pretty_name: Leaving Temporary Files - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Log_Forging:
 categories:
@@ -11739,6 +12862,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: ASP_Low_Visibility_Log_Forging
 pretty_name: Log Forging - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Open_Redirect:
 categories:
@@ -11753,6 +12877,7 @@ rules:
 group: top10-broken-access-control
 name: ASP_Low_Visibility_Open_Redirect
 pretty_name: Open Redirect - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Script_Poisoning:
 categories:
@@ -11768,6 +12893,7 @@ rules:
 group: top10-injection
 name: ASP_Low_Visibility_Script_Poisoning
 pretty_name: Script Poisoning - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Server_Code_In_Client_Comment:
 categories:
@@ -11783,6 +12909,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Low_Visibility_Server_Code_In_Client_Comment
 pretty_name: Server Code In Client Comment - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Session_Clearing_Problems:
 categories:
@@ -11797,6 +12924,7 @@ rules:
 group: top10-id-authn-failures
 name: ASP_Low_Visibility_Session_Clearing_Problems
 pretty_name: Session Clearing Problems - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Session_Poisoning:
 categories:
@@ -11811,6 +12939,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Low_Visibility_Session_Poisoning
 pretty_name: Session Poisoning - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Thread_Safety_Issue:
 categories:
@@ -11825,6 +12954,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Low_Visibility_Thread_Safety_Issue
 pretty_name: Thread Safety Issue - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables:
 categories:
@@ -11838,6 +12968,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables
 pretty_name: Trust Boundary Violation in Session Variables - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_URL_Canonicalization_Issue:
 categories:
@@ -11852,6 +12983,7 @@ rules:
 group: top10-injection
 name: ASP_Low_Visibility_URL_Canonicalization_Issue
 pretty_name: URL Canonicalization Issue - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_Use_Of_Hardcoded_Password:
 categories:
@@ -11865,6 +12997,7 @@ rules:
 group: top10-id-authn-failures
 name: ASP_Low_Visibility_Use_Of_Hardcoded_Password
 pretty_name: Use Of Hardcoded Password - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Low_Visibility_XSS_Evasion_Attack:
 categories:
@@ -11880,6 +13013,7 @@ rules:
 group: top10-injection
 name: ASP_Low_Visibility_XSS_Evasion_Attack
 pretty_name: XSS Evasion Attack - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Medium_Threat_CSRF:
 categories:
@@ -11895,6 +13029,7 @@ rules:
 group: top10-injection
 name: ASP_Medium_Threat_CSRF
 pretty_name: CSRF - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Medium_Threat_DB_Parameter_Tampering:
 categories:
@@ -11908,6 +13043,7 @@ rules:
 group: top10-broken-access-control
 name: ASP_Medium_Threat_DB_Parameter_Tampering
 pretty_name: DB Parameter Tampering - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Medium_Threat_DoS_by_Sleep:
 categories:
@@ -11920,6 +13056,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Medium_Threat_DoS_by_Sleep
 pretty_name: DoS by Sleep - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Medium_Threat_HTTP_Response_Splitting:
 categories:
@@ -11934,6 +13071,7 @@ rules:
 group: top10-injection
 name: ASP_Medium_Threat_HTTP_Response_Splitting
 pretty_name: HTTP Response Splitting - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Medium_Threat_Improper_Locking:
 categories:
@@ -11947,6 +13085,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Medium_Threat_Improper_Locking
 pretty_name: Improper Locking - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Medium_Threat_Parameter_Tampering:
 categories:
@@ -11961,6 +13100,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Medium_Threat_Parameter_Tampering
 pretty_name: Parameter Tampering - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Medium_Threat_Path_Traversal:
 categories:
@@ -11978,6 +13118,7 @@ rules:
 group: top10-broken-access-control
 name: ASP_Medium_Threat_Path_Traversal
 pretty_name: Path Traversal - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Medium_Threat_Privacy_Violation:
 categories:
@@ -11993,6 +13134,7 @@ rules:
 group: top10-broken-access-control
 name: ASP_Medium_Threat_Privacy_Violation
 pretty_name: Privacy Violation - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Medium_Threat_Reflected_XSS_Specific_Clients:
 categories:
@@ -12008,6 +13150,7 @@ rules:
 group: top10-injection
 name: ASP_Medium_Threat_Reflected_XSS_Specific_Clients
 pretty_name: Reflected XSS Specific Clients - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Medium_Threat_SQL_Injection_Evasion_Attack:
 categories:
@@ -12024,6 +13167,7 @@ rules:
 group: top10-injection
 name: ASP_Medium_Threat_SQL_Injection_Evasion_Attack
 pretty_name: SQL Injection Evasion Attack - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Medium_Threat_Stored_Code_Injection:
 categories:
@@ -12040,6 +13184,7 @@ rules:
 group: top10-injection
 name: ASP_Medium_Threat_Stored_Code_Injection
 pretty_name: Stored Code Injection - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Medium_Threat_Unclosed_Connection:
 categories:
@@ -12053,6 +13198,7 @@ rules:
 group: top10-insecure-design
 name: ASP_Medium_Threat_Unclosed_Connection
 pretty_name: Unclosed Connection - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Medium_Threat_Untrusted_Activex:
 categories:
@@ -12067,6 +13213,7 @@ rules:
 group: top10-vulnerable-components
 name: ASP_Medium_Threat_Untrusted_Activex
 pretty_name: Untrusted Activex - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 ASP_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key:
 categories:
@@ -12080,6 +13227,7 @@ rules:
 group: top10-crypto-failures
 name: ASP_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key
 pretty_name: Use of Hard coded Cryptographic Key - ASP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Code_Quality_Async_Future_Method_Inside_Loops:
 categories:
@@ -12093,6 +13241,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Code_Quality_Async_Future_Method_Inside_Loops
 pretty_name: Async Future Method Inside Loops - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Code_Quality_Bulkify_Apex_Methods_Using_Collections_In_Methods:
 categories:
@@ -12106,6 +13255,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Code_Quality_Bulkify_Apex_Methods_Using_Collections_In_Methods
 pretty_name: Bulkify Apex Methods Using Collections In Methods - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Code_Quality_DML_Statements_Inside_Loops:
 categories:
@@ -12119,6 +13269,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Code_Quality_DML_Statements_Inside_Loops
 pretty_name: DML Statements Inside Loops - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Code_Quality_HTTP_Callouts:
 categories:
@@ -12131,6 +13282,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Code_Quality_HTTP_Callouts
 pretty_name: HTTP Callouts - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Code_Quality_Hardcoded_Messages:
 categories:
@@ -12144,6 +13296,7 @@ rules:
 group: top10-security-misconfiguration
 name: Apex_Force_com_Code_Quality_Hardcoded_Messages
 pretty_name: Hardcoded Messages - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Code_Quality_Hardcoding_Ids:
 categories:
@@ -12157,6 +13310,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Code_Quality_Hardcoding_Ids
 pretty_name: Hardcoding Ids - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Code_Quality_Hardcoding_Of_Trigger_New:
 categories:
@@ -12170,6 +13324,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Code_Quality_Hardcoding_Of_Trigger_New
 pretty_name: Hardcoding Of Trigger New - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Code_Quality_Hardcoding_Of_Trigger_Old:
 categories:
@@ -12183,6 +13338,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Code_Quality_Hardcoding_Of_Trigger_Old
 pretty_name: Hardcoding Of Trigger Old - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Code_Quality_Hardcoding_References_To_Static_Resources:
 categories:
@@ -12196,6 +13352,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Code_Quality_Hardcoding_References_To_Static_Resources
 pretty_name: Hardcoding References To Static Resources - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Code_Quality_Multiple_Forms_In_Visualforce_Page:
 categories:
@@ -12209,6 +13366,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Code_Quality_Multiple_Forms_In_Visualforce_Page
 pretty_name: Multiple Forms In Visualforce Page - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Code_Quality_Multiple_Trigger_On_same_sObject:
 categories:
@@ -12222,6 +13380,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Code_Quality_Multiple_Trigger_On_same_sObject
 pretty_name: Multiple Trigger On same sObject - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Code_Quality_Queries_With_No_Where_Or_Limit_Clause:
 categories:
@@ -12234,6 +13393,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Code_Quality_Queries_With_No_Where_Or_Limit_Clause
 pretty_name: Queries With No Where Or Limit Clause - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Code_Quality_SOSL_SOQL_Statments_Inside_Loops:
 categories:
@@ -12246,6 +13406,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Code_Quality_SOSL_SOQL_Statments_Inside_Loops
 pretty_name: SOSL SOQL Statments Inside Loops - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Code_Quality_Test_Assert_Without_Message:
 categories:
@@ -12259,6 +13420,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Code_Quality_Test_Assert_Without_Message
 pretty_name: Test Assert Without Message - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Code_Quality_Test_Methods_With_No_Assert:
 categories:
@@ -12272,6 +13434,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Code_Quality_Test_Methods_With_No_Assert
 pretty_name: Test Methods With No Assert - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Code_Quality_Unused_Variable:
 categories:
@@ -12285,6 +13448,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Code_Quality_Unused_Variable
 pretty_name: Unused Variable - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Code_Quality_Use_Of_Ajax_Toolkit:
 categories:
@@ -12297,6 +13461,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Code_Quality_Use_Of_Ajax_Toolkit
 pretty_name: Use Of Ajax Toolkit - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Code_Quality_Use_of_Hard_Coded_Cryptographic_Key:
 categories:
@@ -12310,6 +13475,7 @@ rules:
 group: top10-crypto-failures
 name: Apex_Force_com_Code_Quality_Use_of_Hard_Coded_Cryptographic_Key
 pretty_name: Use of Hard Coded Cryptographic Key - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Critical_Security_Risk_Reflected_XSS:
 categories:
@@ -12326,6 +13492,7 @@ rules:
 group: top10-injection
 name: Apex_Force_com_Critical_Security_Risk_Reflected_XSS
 pretty_name: Reflected XSS - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Critical_Security_Risk_Resource_Injection:
 categories:
@@ -12341,6 +13508,7 @@ rules:
 group: top10-injection
 name: Apex_Force_com_Critical_Security_Risk_Resource_Injection
 pretty_name: Resource Injection - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Critical_Security_Risk_SOQL_SOSL_Injection:
 categories:
@@ -12358,6 +13526,7 @@ rules:
 group: top10-injection
 name: Apex_Force_com_Critical_Security_Risk_SOQL_SOSL_Injection
 pretty_name: SOQL SOSL Injection - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Critical_Security_Risk_Stored_XSS:
 categories:
@@ -12374,6 +13543,7 @@ rules:
 group: top10-injection
 name: Apex_Force_com_Critical_Security_Risk_Stored_XSS
 pretty_name: Stored XSS - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Serious_Security_Risk_CRUD_Delete:
 categories:
@@ -12388,6 +13558,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Serious_Security_Risk_CRUD_Delete
 pretty_name: CRUD Delete - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Serious_Security_Risk_CSRF:
 categories:
@@ -12403,6 +13574,7 @@ rules:
 group: top10-injection
 name: Apex_Force_com_Serious_Security_Risk_CSRF
 pretty_name: CSRF - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Serious_Security_Risk_CSRF_With_VF_Call:
 categories:
@@ -12418,6 +13590,7 @@ rules:
 group: top10-injection
 name: Apex_Force_com_Serious_Security_Risk_CSRF_With_VF_Call
 pretty_name: CSRF With VF Call - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Serious_Security_Risk_Cookies_Scoping:
 categories:
@@ -12431,6 +13604,7 @@ rules:
 group: top10-broken-access-control
 name: Apex_Force_com_Serious_Security_Risk_Cookies_Scoping
 pretty_name: Cookies Scoping - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Serious_Security_Risk_Dangerous_Methods:
 categories:
@@ -12445,6 +13619,7 @@ rules:
 group: top10-vulnerable-components
 name: Apex_Force_com_Serious_Security_Risk_Dangerous_Methods
 pretty_name: Dangerous Methods - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Serious_Security_Risk_Dereferenced_Field:
 categories:
@@ -12458,6 +13633,7 @@ rules:
 group: top10-broken-access-control
 name: Apex_Force_com_Serious_Security_Risk_Dereferenced_Field
 pretty_name: Dereferenced Field - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Serious_Security_Risk_FLS_Create:
 categories:
@@ -12471,6 +13647,7 @@ rules:
 group: top10-broken-access-control
 name: Apex_Force_com_Serious_Security_Risk_FLS_Create
 pretty_name: FLS Create - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Serious_Security_Risk_FLS_Create_Partial:
 categories:
@@ -12484,6 +13661,7 @@ rules:
 group: top10-broken-access-control
 name: Apex_Force_com_Serious_Security_Risk_FLS_Create_Partial
 pretty_name: FLS Create Partial - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Serious_Security_Risk_FLS_Read:
 categories:
@@ -12497,6 +13675,7 @@ rules:
 group: top10-broken-access-control
 name: Apex_Force_com_Serious_Security_Risk_FLS_Read
 pretty_name: FLS Read - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Serious_Security_Risk_FLS_Update:
 categories:
@@ -12510,6 +13689,7 @@ rules:
 group: top10-broken-access-control
 name: Apex_Force_com_Serious_Security_Risk_FLS_Update
 pretty_name: FLS Update - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Serious_Security_Risk_FLS_Update_Partial:
 categories:
@@ -12523,6 +13703,7 @@ rules:
 group: top10-broken-access-control
 name: Apex_Force_com_Serious_Security_Risk_FLS_Update_Partial
 pretty_name: FLS Update Partial - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Serious_Security_Risk_Frame_Spoofing:
 categories:
@@ -12538,6 +13719,7 @@ rules:
 group: top10-injection
 name: Apex_Force_com_Serious_Security_Risk_Frame_Spoofing
 pretty_name: Frame Spoofing - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Serious_Security_Risk_HttpSplitting:
 categories:
@@ -12552,6 +13734,7 @@ rules:
 group: top10-injection
 name: Apex_Force_com_Serious_Security_Risk_HttpSplitting
 pretty_name: HttpSplitting - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Serious_Security_Risk_Insecure_Cookie:
 categories:
@@ -12565,6 +13748,7 @@ rules:
 group: top10-security-misconfiguration
 name: Apex_Force_com_Serious_Security_Risk_Insecure_Cookie
 pretty_name: Insecure Cookie - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Serious_Security_Risk_Insecure_Endpoint:
 categories:
@@ -12578,6 +13762,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Serious_Security_Risk_Insecure_Endpoint
 pretty_name: Insecure Endpoint - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Serious_Security_Risk_Sharing:
 categories:
@@ -12592,6 +13777,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Serious_Security_Risk_Sharing
 pretty_name: Sharing - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Serious_Security_Risk_Sharing_With_Controller:
 categories:
@@ -12606,6 +13792,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Force_com_Serious_Security_Risk_Sharing_With_Controller
 pretty_name: Sharing With Controller - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Serious_Security_Risk_URL_Redirection_Attack:
 categories:
@@ -12620,6 +13807,7 @@ rules:
 group: top10-broken-access-control
 name: Apex_Force_com_Serious_Security_Risk_URL_Redirection_Attack
 pretty_name: URL Redirection Attack - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Force_com_Serious_Security_Risk_inputText_Ignoring_FLS:
 categories:
@@ -12633,6 +13821,7 @@ rules:
 group: top10-injection
 name: Apex_Force_com_Serious_Security_Risk_inputText_Ignoring_FLS
 pretty_name: inputText Ignoring FLS - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_ActionPoller_Frequency_Check:
 categories:
@@ -12645,6 +13834,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_ActionPoller_Frequency_Check
 pretty_name: ActionPoller Frequency Check - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_Ajax_Toolkit_From_VF:
 categories:
@@ -12658,6 +13848,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_Ajax_Toolkit_From_VF
 pretty_name: Ajax Toolkit From VF - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_Batch_Apex_exists:
 categories:
@@ -12670,6 +13861,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_Batch_Apex_exists
 pretty_name: Batch Apex exists - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_Batch_Apex_makes_outbound_call:
 categories:
@@ -12682,6 +13874,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_Batch_Apex_makes_outbound_call
 pretty_name: Batch Apex makes outbound call - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_DmlOptions_Set_To_False:
 categories:
@@ -12695,6 +13888,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_DmlOptions_Set_To_False
 pretty_name: DmlOptions Set To False - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_Empty_Catch_Blocks:
 categories:
@@ -12707,6 +13901,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_Empty_Catch_Blocks
 pretty_name: Empty Catch Blocks - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_Empty_IfStmt:
 categories:
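Review bot: Every rule in this and the surrounding hunks is flagged `recommended: true`, including entries that are code-quality checks rather than security findings — `Apex_ISV_Quality_Rules_Empty_Catch_Blocks` here, and `Apex_ISV_Quality_Rules_Empty_Methods`, `CPP_Best_Coding_Practice_Dead_Code`, `CPP_Best_Coding_Practice_Magic_Numbers`, `CPP_Best_Coding_Practice_GOTO_Statement` and `CPP_Best_Coding_Practice_Unused_Variable` in later hunks. The meaning of `recommended` is not documented anywhere in the patch; if it selects the rules a default policy enables, flagging every entry gives the field no discriminating value and puts non-security noise next to the injection and access-control rules. Consider leaving the quality-rule groups unflagged, or at least recording the selection criterion once at the top of the file, e.g. `# recommended: true — rule is part of the default policy; set deliberately per rule, not per group`. Each hunk shows only the tail of its rule mapping; the rule key and its `categories:` list begin above the hunk.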
@@ -12720,6 +13915,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_Empty_IfStmt
 pretty_name: Empty IfStmt - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_Empty_Methods:
 categories:
@@ -12733,6 +13929,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_Empty_Methods
 pretty_name: Empty Methods - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_Empty_WhileStmt:
 categories:
@@ -12745,6 +13942,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_Empty_WhileStmt
 pretty_name: Empty WhileStmt - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_Find_Exposed_Test_Data:
 categories:
@@ -12758,6 +13956,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_Find_Exposed_Test_Data
 pretty_name: Find Exposed Test Data - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_Future_exists:
 categories:
@@ -12770,6 +13969,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_Future_exists
 pretty_name: Future exists - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_Old_API_Version:
 categories:
@@ -12783,6 +13983,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_Old_API_Version
 pretty_name: Old API Version - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_Outbound_Email_Send:
 categories:
@@ -12795,6 +13996,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_Outbound_Email_Send
 pretty_name: Outbound Email Send - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_Report_with_no_Filter:
 categories:
@@ -12807,6 +14009,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_Report_with_no_Filter
 pretty_name: Report with no Filter - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_SOQL_Dynamic_null_in_Where:
 categories:
@@ -12819,6 +14022,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_SOQL_Dynamic_null_in_Where
 pretty_name: SOQL Dynamic null in Where - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_SOQL_Formula_in_Where:
 categories:
@@ -12832,6 +14036,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_SOQL_Formula_in_Where
 pretty_name: SOQL Formula in Where - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_SOQL_Hardcoded_null_in_Where:
 categories:
@@ -12846,6 +14051,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_SOQL_Hardcoded_null_in_Where
 pretty_name: SOQL Hardcoded null in Where - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_SOQL_Relationship_in_Where:
 categories:
@@ -12860,6 +14066,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_SOQL_Relationship_in_Where
 pretty_name: SOQL Relationship in Where - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_SOQL_With_All_Fields:
 categories:
@@ -12875,6 +14082,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_SOQL_With_All_Fields
 pretty_name: SOQL With All Fields - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_SOQL_with_All_Fields_in_Loop:
 categories:
@@ -12890,6 +14098,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_SOQL_with_All_Fields_in_Loop
 pretty_name: SOQL with All Fields in Loop - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_SOSL_With_Where_Clause:
 categories:
@@ -12902,6 +14111,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_SOSL_With_Where_Clause
 pretty_name: SOSL With Where Clause - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_Warn_About_Viewstate_Size_Limit:
 categories:
@@ -12915,6 +14125,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_Warn_About_Viewstate_Size_Limit
 pretty_name: Warn About Viewstate Size Limit - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_ISV_Quality_Rules_Workflow_sends_Emails:
 categories:
@@ -12928,6 +14139,7 @@ rules:
 group: top10-insecure-design
 name: Apex_ISV_Quality_Rules_Workflow_sends_Emails
 pretty_name: Workflow sends Emails - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Low_Visibility_Escape_False_Warning:
 categories:
@@ -12941,6 +14153,7 @@ rules:
 group: top10-injection
 name: Apex_Low_Visibility_Escape_False_Warning
 pretty_name: Escape False Warning - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Low_Visibility_Hardcoded_Password:
 categories:
@@ -12954,6 +14167,7 @@ rules:
 group: top10-id-authn-failures
 name: Apex_Low_Visibility_Hardcoded_Password
 pretty_name: Hardcoded Password - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Low_Visibility_Parameter_Tampering:
 categories:
@@ -12968,6 +14182,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Low_Visibility_Parameter_Tampering
 pretty_name: Parameter Tampering - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Low_Visibility_Password_misuse:
 categories:
@@ -12981,6 +14196,7 @@ rules:
 group: top10-id-authn-failures
 name: Apex_Low_Visibility_Password_misuse
 pretty_name: Password misuse - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Low_Visibility_Potential_Frame_Injection:
 categories:
@@ -12993,6 +14209,7 @@ rules:
 group: top10-injection
 name: Apex_Low_Visibility_Potential_Frame_Injection
 pretty_name: Potential Frame Injection - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Low_Visibility_Potential_URL_Redirection_Attack:
 categories:
@@ -13007,6 +14224,7 @@ rules:
 group: top10-broken-access-control
 name: Apex_Low_Visibility_Potential_URL_Redirection_Attack
 pretty_name: Potential URL Redirection Attack - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Low_Visibility_Privacy_Violation:
 categories:
@@ -13022,6 +14240,7 @@ rules:
 group: top10-broken-access-control
 name: Apex_Low_Visibility_Privacy_Violation
 pretty_name: Privacy Violation - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Low_Visibility_Second_Order_SOQL_SOSL_Injection:
 categories:
@@ -13038,6 +14257,7 @@ rules:
 group: top10-injection
 name: Apex_Low_Visibility_Second_Order_SOQL_SOSL_Injection
 pretty_name: Second Order SOQL SOSL Injection - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm:
 categories:
@@ -13050,6 +14270,7 @@ rules:
 group: top10-crypto-failures
 name: Apex_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm
 pretty_name: Use of Broken or Risky Cryptographic Algorithm - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apex_Low_Visibility_Verbose_Error_Reporting:
 categories:
@@ -13063,6 +14284,7 @@ rules:
 group: top10-insecure-design
 name: Apex_Low_Visibility_Verbose_Error_Reporting
 pretty_name: Verbose Error Reporting - Apex
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apple_Secure_Coding_Guide_Buffer_Size_Literal:
 categories:
@@ -13077,6 +14299,7 @@ rules:
 group: top10-insecure-design
 name: Apple_Secure_Coding_Guide_Buffer_Size_Literal
 pretty_name: Buffer Size Literal - Apple
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apple_Secure_Coding_Guide_Buffer_Size_Literal_Condition:
 categories:
@@ -13091,6 +14314,7 @@ rules:
 group: top10-insecure-design
 name: Apple_Secure_Coding_Guide_Buffer_Size_Literal_Condition
 pretty_name: Buffer Size Literal Condition - Apple
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apple_Secure_Coding_Guide_Buffer_Size_Literal_Overflow:
 categories:
@@ -13105,6 +14329,7 @@ rules:
 group: top10-insecure-design
 name: Apple_Secure_Coding_Guide_Buffer_Size_Literal_Overflow
 pretty_name: Buffer Size Literal Overflow - Apple
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apple_Secure_Coding_Guide_Improper_Implementation_of_NSSecureCoding:
 categories:
@@ -13120,6 +14345,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Apple_Secure_Coding_Guide_Improper_Implementation_of_NSSecureCoding
 pretty_name: Improper Implementation of NSSecureCoding - Apple
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apple_Secure_Coding_Guide_Jailbrake_File_Referenced_By_Name:
 categories:
@@ -13133,6 +14359,7 @@ rules:
 group: top10-broken-access-control
 name: Apple_Secure_Coding_Guide_Jailbrake_File_Referenced_By_Name
 pretty_name: Jailbrake File Referenced By Name - Apple
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apple_Secure_Coding_Guide_Jailbreak_Unchecked_File_Operation_Result_Code:
 categories:
@@ -13146,6 +14373,7 @@ rules:
 group: top10-insecure-design
 name: Apple_Secure_Coding_Guide_Jailbreak_Unchecked_File_Operation_Result_Code
 pretty_name: Jailbreak Unchecked File Operation Result Code - Apple
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apple_Secure_Coding_Guide_NSPredicate_Injection:
 categories:
@@ -13160,6 +14388,7 @@ rules:
 group: top10-insecure-design
 name: Apple_Secure_Coding_Guide_NSPredicate_Injection
 pretty_name: NSPredicate Injection - Apple
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apple_Secure_Coding_Guide_NSPredicate_Injection_Via_Deserialization:
 categories:
@@ -13175,6 +14404,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Apple_Secure_Coding_Guide_NSPredicate_Injection_Via_Deserialization
 pretty_name: NSPredicate Injection Via Deserialization - Apple
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apple_Secure_Coding_Guide_Path_Manipulation:
 categories:
@@ -13188,6 +14418,7 @@ rules:
 group: top10-insecure-design
 name: Apple_Secure_Coding_Guide_Path_Manipulation
 pretty_name: Path Manipulation - Apple
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apple_Secure_Coding_Guide_Signed_Memory_Arithmetic:
 categories:
@@ -13205,6 +14436,7 @@ rules:
 group: top10-insecure-design
 name: Apple_Secure_Coding_Guide_Signed_Memory_Arithmetic
 pretty_name: Signed Memory Arithmetic - Apple
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apple_Secure_Coding_Guide_UDP_Protocol_Used:
 categories:
@@ -13217,6 +14449,7 @@ rules:
 group: top10-insecure-design
 name: Apple_Secure_Coding_Guide_UDP_Protocol_Used
 pretty_name: UDP Protocol Used - Apple
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apple_Secure_Coding_Guide_URL_Injection:
 categories:
@@ -13232,6 +14465,7 @@ rules:
 group: top10-injection
 name: Apple_Secure_Coding_Guide_URL_Injection
 pretty_name: URL Injection - Apple
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apple_Secure_Coding_Guide_Unchecked_CString_Convertion:
 categories:
@@ -13245,6 +14479,7 @@ rules:
 group: top10-insecure-design
 name: Apple_Secure_Coding_Guide_Unchecked_CString_Convertion
 pretty_name: Unchecked CString Convertion - Apple
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apple_Secure_Coding_Guide_Unscrubbed_Secret:
 categories:
@@ -13260,6 +14495,7 @@ rules:
 group: top10-insecure-design
 name: Apple_Secure_Coding_Guide_Unscrubbed_Secret
 pretty_name: Unscrubbed Secret - Apple
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Apple_Secure_Coding_Guide_Unsecure_Deserialization:
 categories:
@@ -13275,6 +14511,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Apple_Secure_Coding_Guide_Unsecure_Deserialization
 pretty_name: Unsecure Deserialization - Apple
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Best_Coding_Practice_Buffer_Size_Literal:
 categories:
@@ -13289,6 +14526,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Best_Coding_Practice_Buffer_Size_Literal
 pretty_name: Buffer Size Literal - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Best_Coding_Practice_Buffer_Size_Literal_Condition:
 categories:
@@ -13303,6 +14541,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Best_Coding_Practice_Buffer_Size_Literal_Condition
 pretty_name: Buffer Size Literal Condition - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Best_Coding_Practice_Buffer_Size_Literal_Overflow:
 categories:
@@ -13316,6 +14555,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Best_Coding_Practice_Buffer_Size_Literal_Overflow
 pretty_name: Buffer Size Literal Overflow - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Best_Coding_Practice_Dead_Code:
 categories:
@@ -13328,6 +14568,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Best_Coding_Practice_Dead_Code
 pretty_name: Dead Code - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception:
 categories:
@@ -13341,6 +14582,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception
 pretty_name: Declaration Of Catch For Generic Exception - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action:
 categories:
@@ -13354,6 +14596,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action
 pretty_name: Detection of Error Condition Without Action - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Best_Coding_Practice_Empty_Methods:
 categories:
@@ -13366,6 +14609,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Best_Coding_Practice_Empty_Methods
 pretty_name: Empty Methods - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere:
 categories:
@@ -13379,6 +14623,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere
 pretty_name: Exposure of Resource to Wrong Sphere - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Best_Coding_Practice_GOTO_Statement:
 categories:
@@ -13396,6 +14641,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Best_Coding_Practice_GOTO_Statement
 pretty_name: GOTO Statement - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Best_Coding_Practice_Hardcoded_Absolute_Path:
 categories:
@@ -13410,6 +14656,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: CPP_Best_Coding_Practice_Hardcoded_Absolute_Path
 pretty_name: Hardcoded Absolute Path - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Best_Coding_Practice_Magic_Numbers:
 categories:
@@ -13423,6 +14670,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Best_Coding_Practice_Magic_Numbers
 pretty_name: Magic Numbers - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Best_Coding_Practice_Methods_Without_ReturnType:
 categories:
@@ -13435,6 +14683,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Best_Coding_Practice_Methods_Without_ReturnType
 pretty_name: Methods Without ReturnType - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Best_Coding_Practice_Non_Private_Static_Constructors:
 categories:
@@ -13447,6 +14696,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Best_Coding_Practice_Non_Private_Static_Constructors
 pretty_name: Non Private Static Constructors - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Best_Coding_Practice_Reliance_On_Untrusted_Inputs_In_Security_Decision:
 categories:
@@ -13461,6 +14711,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Best_Coding_Practice_Reliance_On_Untrusted_Inputs_In_Security_Decision
 pretty_name: Reliance On Untrusted Inputs In Security Decision - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Best_Coding_Practice_Unused_Variable:
 categories:
@@ -13474,6 +14725,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Best_Coding_Practice_Unused_Variable
 pretty_name: Unused Variable - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Best_Coding_Practice_Unvalidated_Arguments_Of_Public_Methods:
 categories:
@@ -13486,6 +14738,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Best_Coding_Practice_Unvalidated_Arguments_Of_Public_Methods
 pretty_name: Unvalidated Arguments Of Public Methods - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Improper_Index_Access:
 categories:
@@ -13501,6 +14754,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Buffer_Overflow_Buffer_Improper_Index_Access
 pretty_name: Buffer Improper Index Access - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_AddressOfLocalVarReturned:
 categories:
@@ -13514,6 +14768,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_AddressOfLocalVarReturned
 pretty_name: Buffer Overflow AddressOfLocalVarReturned - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_IndexFromInput:
 categories:
@@ -13529,6 +14784,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_IndexFromInput
 pretty_name: Buffer Overflow IndexFromInput - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_Indexes:
 categories:
@@ -13544,6 +14800,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_Indexes
 pretty_name: Buffer Overflow Indexes - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_LongString:
 categories:
@@ -13559,6 +14816,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_LongString
 pretty_name: Buffer Overflow LongString - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_Loops:
 categories:
@@ -13572,6 +14830,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_Loops
 pretty_name: Buffer Overflow Loops - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_Loops_Old:
 categories:
@@ -13585,6 +14844,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_Loops_Old
 pretty_name: Buffer Overflow Loops Old - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_LowBound:
 categories:
@@ -13600,6 +14860,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_LowBound
 pretty_name: Buffer Overflow LowBound - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_OutOfBound:
 categories:
@@ -13615,6 +14876,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_OutOfBound
 pretty_name: Buffer Overflow OutOfBound - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_StrcpyStrcat:
 categories:
@@ -13630,6 +14892,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_StrcpyStrcat
 pretty_name: Buffer Overflow StrcpyStrcat - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_Unbounded_Buffer:
 categories:
@@ -13645,6 +14908,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_Unbounded_Buffer
 pretty_name: Buffer Overflow Unbounded Buffer - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_Unbounded_Format:
 categories:
@@ -13660,6 +14924,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_Unbounded_Format
 pretty_name: Buffer Overflow Unbounded Format - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_Wrong_Buffer_Size:
 categories:
@@ -13674,6 +14939,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_Wrong_Buffer_Size
 pretty_name: Buffer Overflow Wrong Buffer Size - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_boundcpy_WrongSizeParam:
 categories:
@@ -13688,6 +14954,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_boundcpy_WrongSizeParam
 pretty_name: Buffer Overflow boundcpy WrongSizeParam - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_boundedcpy:
 categories:
@@ -13703,6 +14970,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_boundedcpy
 pretty_name: Buffer Overflow boundedcpy - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_boundedcpy2:
 categories:
@@ -13717,6 +14985,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_boundedcpy2
 pretty_name: Buffer Overflow boundedcpy2 - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_cin:
 categories:
@@ -13732,6 +15001,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_cin
 pretty_name: Buffer Overflow cin - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_cpycat:
 categories:
@@ -13747,6 +15017,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_cpycat
 pretty_name: Buffer Overflow cpycat - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_fgets:
 categories:
@@ -13762,6 +15033,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_fgets
 pretty_name: Buffer Overflow fgets - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_scanf:
 categories:
@@ -13777,6 +15049,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_scanf
 pretty_name: Buffer Overflow scanf - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_sizeof:
 categories:
@@ -13792,6 +15065,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_sizeof
 pretty_name: Buffer Overflow sizeof - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Buffer_Overflow_unbounded:
 categories:
@@ -13807,6 +15081,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Buffer_Overflow_unbounded
 pretty_name: Buffer Overflow unbounded - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Format_String_Attack:
 categories:
@@ -13821,6 +15096,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Format_String_Attack
 pretty_name: Format String Attack - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Improper_Null_Termination:
 categories:
@@ -13835,6 +15111,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Buffer_Overflow_Improper_Null_Termination
 pretty_name: Improper Null Termination - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Missing_Precision:
 categories:
@@ -13849,6 +15126,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Buffer_Overflow_Missing_Precision
 pretty_name: Missing Precision - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_MultiByte_String_Length:
 categories:
@@ -13862,6 +15140,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_MultiByte_String_Length
 pretty_name: MultiByte String Length - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Off_by_One_Error:
 categories:
@@ -13876,6 +15155,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Off_by_One_Error
 pretty_name: Off by One Error - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Off_by_One_Error_in_Arrays:
 categories:
@@ -13890,6 +15170,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Off_by_One_Error_in_Arrays
 pretty_name: Off by One Error in Arrays - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Off_by_One_Error_in_Loops:
 categories:
@@ -13903,6 +15184,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Off_by_One_Error_in_Loops
 pretty_name: Off by One Error in Loops - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Off_by_One_Error_in_Methods:
 categories:
@@ -13916,6 +15198,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Off_by_One_Error_in_Methods
 pretty_name: Off by One Error in Methods - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Open_SSL_HeartBleed:
 categories:
@@ -13931,6 +15214,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Open_SSL_HeartBleed
 pretty_name: Open SSL HeartBleed - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_Potential_Precision_Problem:
 categories:
@@ -13945,6 +15229,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_Potential_Precision_Problem
 pretty_name: Potential Precision Problem - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_String_Termination_Error:
 categories:
@@ -13959,6 +15244,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_String_Termination_Error
 pretty_name: String Termination Error - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Buffer_Overflow_String_Termination_cin:
 categories:
@@ -13973,6 +15259,7 @@ rules:
 group: top10-injection
 name: CPP_Buffer_Overflow_String_Termination_cin
 pretty_name: String Termination cin - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Heuristic_Freed_Pointer_Not_Set_To_Null:
 categories:
@@ -13988,6 +15275,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Heuristic_Freed_Pointer_Not_Set_To_Null
 pretty_name: Freed Pointer Not Set To Null - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Heuristic_Heuristic_2nd_Order_Buffer_Overflow_malloc:
 categories:
@@ -14002,6 +15290,7 @@ rules:
 group: top10-injection
 name: CPP_Heuristic_Heuristic_2nd_Order_Buffer_Overflow_malloc
 pretty_name: Heuristic 2nd Order Buffer Overflow malloc - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Heuristic_Heuristic_2nd_Order_Buffer_Overflow_read:
 categories:
@@ -14016,6 +15305,7 @@ rules:
 group: top10-injection
 name: CPP_Heuristic_Heuristic_2nd_Order_Buffer_Overflow_read
 pretty_name: Heuristic 2nd Order Buffer Overflow read - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Heuristic_Heuristic_2nd_Order_SQL_Injection:
 categories:
@@ -14032,6 +15322,7 @@ rules:
 group: top10-injection
 name: CPP_Heuristic_Heuristic_2nd_Order_SQL_Injection
 pretty_name: Heuristic 2nd Order SQL Injection - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Heuristic_Heuristic_Buffer_Improper_Index_Access:
 categories:
@@ -14046,6 +15337,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Heuristic_Heuristic_Buffer_Improper_Index_Access
 pretty_name: Heuristic Buffer Improper Index Access - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Heuristic_Heuristic_Buffer_Overflow_malloc:
 categories:
@@ -14060,6 +15352,7 @@ rules:
 group: top10-injection
 name: CPP_Heuristic_Heuristic_Buffer_Overflow_malloc
 pretty_name: Heuristic Buffer Overflow malloc - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Heuristic_Heuristic_Buffer_Overflow_read:
 categories:
@@ -14074,6 +15367,7 @@ rules:
 group: top10-injection
 name: CPP_Heuristic_Heuristic_Buffer_Overflow_read
 pretty_name: Heuristic Buffer Overflow read - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Heuristic_Heuristic_CGI_Stored_XSS:
 categories:
@@ -14089,6 +15383,7 @@ rules:
 group: top10-injection
 name: CPP_Heuristic_Heuristic_CGI_Stored_XSS
 pretty_name: Heuristic CGI Stored XSS - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Heuristic_Heuristic_DB_Parameter_Tampering:
 categories:
@@ -14102,6 +15397,7 @@ rules:
 group: top10-broken-access-control
 name: CPP_Heuristic_Heuristic_DB_Parameter_Tampering
 pretty_name: Heuristic DB Parameter Tampering - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Heuristic_Heuristic_NULL_Pointer_Dereference1:
 categories:
@@ -14117,6 +15413,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Heuristic_Heuristic_NULL_Pointer_Dereference1
 pretty_name: Heuristic NULL Pointer Dereference1 - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Heuristic_Heuristic_NULL_Pointer_Dereference2:
 categories:
@@ -14132,6 +15429,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Heuristic_Heuristic_NULL_Pointer_Dereference2
 pretty_name: Heuristic NULL Pointer Dereference2 - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Heuristic_Heuristic_Parameter_Tampering:
 categories:
@@ -14146,6 +15444,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Heuristic_Heuristic_Parameter_Tampering
 pretty_name: Heuristic Parameter Tampering - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Heuristic_Heuristic_SQL_Injection:
 categories:
@@ -14162,6 +15461,7 @@ rules:
 group: top10-injection
 name: CPP_Heuristic_Heuristic_SQL_Injection
 pretty_name: Heuristic SQL Injection - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Heuristic_Heuristic_Unchecked_Return_Value:
 categories:
@@ -14175,6 +15475,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Heuristic_Heuristic_Unchecked_Return_Value
 pretty_name: Heuristic Unchecked Return Value - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Heuristic_Potential_Off_by_One_Error_in_Loops:
 categories:
@@ -14188,6 +15489,7 @@ rules:
 group: top10-injection
 name: CPP_Heuristic_Potential_Off_by_One_Error_in_Loops
 pretty_name: Potential Off by One Error in Loops - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_High_Risk_CGI_Reflected_XSS:
 categories:
@@ -14204,6 +15506,7 @@ rules:
 group: top10-injection
 name: CPP_High_Risk_CGI_Reflected_XSS
 pretty_name: CGI Reflected XSS - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_High_Risk_CGI_Stored_XSS:
 categories:
@@ -14220,6 +15523,7 @@ rules:
 group: top10-injection
 name: CPP_High_Risk_CGI_Stored_XSS
 pretty_name: CGI Stored XSS - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_High_Risk_Command_Injection:
 categories:
@@ -14237,6 +15541,7 @@ rules:
 group: top10-injection
 name: CPP_High_Risk_Command_Injection
 pretty_name: Command Injection - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_High_Risk_Connection_String_Injection:
 categories:
@@ -14252,6 +15557,7 @@ rules:
 group: top10-injection
 name: CPP_High_Risk_Connection_String_Injection
 pretty_name: Connection String Injection - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_High_Risk_LDAP_Injection:
 categories:
@@ -14268,6 +15574,7 @@ rules:
 group: top10-injection
 name: CPP_High_Risk_LDAP_Injection
 pretty_name: LDAP Injection - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_High_Risk_Process_Control:
 categories:
@@ -14283,6 +15590,7 @@ rules:
 group: top10-injection
 name: CPP_High_Risk_Process_Control
 pretty_name: Process Control - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_High_Risk_Resource_Injection:
 categories:
@@ -14298,6 +15606,7 @@ rules:
 group: top10-injection
 name: CPP_High_Risk_Resource_Injection
 pretty_name: Resource Injection - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_High_Risk_SQL_Injection:
 categories:
@@ -14315,6 +15624,7 @@ rules:
 group: top10-injection
 name: CPP_High_Risk_SQL_Injection
 pretty_name: SQL Injection - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Insecure_Credential_Storage_Comparison_Timing_Attack:
 categories:
@@ -14330,6 +15640,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Insecure_Credential_Storage_Comparison_Timing_Attack
 pretty_name: Comparison Timing Attack - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Insecure_Credential_Storage_Insecure_Scrypt_Parameters:
 categories:
@@ -14344,6 +15655,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Insecure_Credential_Storage_Insecure_Scrypt_Parameters
 pretty_name: Insecure Scrypt Parameters - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Insecure_Credential_Storage_Insufficient_BCrypt_Cost:
 categories:
@@ -14358,6 +15670,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Insecure_Credential_Storage_Insufficient_BCrypt_Cost
 pretty_name: Insufficient BCrypt Cost - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Insecure_Credential_Storage_Insufficient_Output_Length:
 categories:
@@ -14372,6 +15685,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Insecure_Credential_Storage_Insufficient_Output_Length
 pretty_name: Insufficient Output Length - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Insecure_Credential_Storage_PBKDF2_Insufficient_Iteration_Count:
 categories:
@@ -14386,6 +15700,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Insecure_Credential_Storage_PBKDF2_Insufficient_Iteration_Count
 pretty_name: PBKDF2 Insufficient Iteration Count - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Insecure_Credential_Storage_PBKDF2_Weak_Salt_Value:
 categories:
@@ -14400,6 +15715,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Insecure_Credential_Storage_PBKDF2_Weak_Salt_Value
 pretty_name: PBKDF2 Weak Salt Value - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Insecure_Credential_Storage_Scrypt_Weak_Salt_Value:
 categories:
@@ -14414,6 +15730,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Insecure_Credential_Storage_Scrypt_Weak_Salt_Value
 pretty_name: Scrypt Weak Salt Value - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Insecure_Credential_Storage_Weak_Mechanism:
 categories:
@@ -14428,6 +15745,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Insecure_Credential_Storage_Weak_Mechanism
 pretty_name: Weak Mechanism - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Integer_Overflow_Boolean_Overflow:
 categories:
@@ -14444,6 +15762,7 @@ rules:
 group: top10-injection
 name: CPP_Integer_Overflow_Boolean_Overflow
 pretty_name: Boolean Overflow - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Integer_Overflow_Char_Overflow:
 categories:
@@ -14460,6 +15779,7 @@ rules:
 group: top10-injection
 name: CPP_Integer_Overflow_Char_Overflow
 pretty_name: Char Overflow - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Integer_Overflow_Float_Overflow:
 categories:
@@ -14476,6 +15796,7 @@ rules:
 group: top10-injection
 name: CPP_Integer_Overflow_Float_Overflow
 pretty_name: Float Overflow - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Integer_Overflow_Get_Right_Assignment:
 categories:
@@ -14492,6 +15813,7 @@ rules:
 group: top10-injection
 name: CPP_Integer_Overflow_Get_Right_Assignment
 pretty_name: Get Right Assignment - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Integer_Overflow_Integer_Overflow:
 categories:
@@ -14508,6 +15830,7 @@ rules:
 group: top10-injection
 name: CPP_Integer_Overflow_Integer_Overflow
 pretty_name: Integer Overflow - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Integer_Overflow_Long_Overflow:
 categories:
@@ -14524,6 +15847,7 @@ rules:
 group: top10-injection
 name: CPP_Integer_Overflow_Long_Overflow
 pretty_name: Long Overflow - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Integer_Overflow_Short_Overflow:
 categories:
@@ -14540,6 +15864,7 @@ rules:
 group: top10-injection
 name: CPP_Integer_Overflow_Short_Overflow
 pretty_name: Short Overflow - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Integer_Overflow_Type_Conversion_Error:
 categories:
@@ -14555,6 +15880,7 @@ rules:
 group: top10-injection
 name: CPP_Integer_Overflow_Type_Conversion_Error
 pretty_name: Type Conversion Error - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Integer_Overflow_Wrong_Size_t_Allocation:
 categories:
@@ -14569,6 +15895,7 @@ rules:
 group: top10-injection
 name: CPP_Integer_Overflow_Wrong_Size_t_Allocation
 pretty_name: Wrong Size t Allocation - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Arithmetic_Operation_On_Boolean:
 categories:
@@ -14581,6 +15908,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_Arithmetic_Operation_On_Boolean
 pretty_name: Arithmetic Operation On Boolean - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Blind_SQL_Injections:
 categories:
@@ -14597,6 +15925,7 @@ rules:
 group: top10-injection
 name: CPP_Low_Visibility_Blind_SQL_Injections
 pretty_name: Blind SQL Injections - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Creation_of_chroot_Jail_without_Changing_Working_Directory:
 categories:
@@ -14611,6 +15940,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_Creation_of_chroot_Jail_without_Changing_Working_Directory
 pretty_name: Creation of chroot Jail without Changing Working Directory - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Deprecated_CRT_Functions_VS2005:
 categories:
@@ -14624,6 +15954,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_Deprecated_CRT_Functions_VS2005
 pretty_name: Deprecated CRT Functions VS2005 - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Exposure_of_System_Data_to_Unauthorized_Control_Sphere:
 categories:
@@ -14638,6 +15969,7 @@ rules:
 group: top10-broken-access-control
 name: CPP_Low_Visibility_Exposure_of_System_Data_to_Unauthorized_Control_Sphere
 pretty_name: Exposure of System Data to Unauthorized Control Sphere - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Heap_Inspection:
 categories:
@@ -14652,6 +15984,7 @@ rules:
 group: top10-broken-access-control
 name: CPP_Low_Visibility_Heap_Inspection
 pretty_name: Heap Inspection - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Improper_Exception_Handling:
 categories:
@@ -14664,6 +15997,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_Improper_Exception_Handling
 pretty_name: Improper Exception Handling - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Improper_Resource_Access_Authorization:
 categories:
@@ -14677,6 +16011,7 @@ rules:
 group: top10-broken-access-control
 name: CPP_Low_Visibility_Improper_Resource_Access_Authorization
 pretty_name: Improper Resource Access Authorization - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Improper_Resource_Shutdown_or_Release:
 categories:
@@ -14690,6 +16025,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_Improper_Resource_Shutdown_or_Release
 pretty_name: Improper Resource Shutdown or Release - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Improper_Transaction_Handling:
 categories:
@@ -14704,6 +16040,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_Improper_Transaction_Handling
 pretty_name: Improper Transaction Handling - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Inconsistent_Implementations:
 categories:
@@ -14717,6 +16054,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_Inconsistent_Implementations
 pretty_name: Inconsistent Implementations - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Incorrect_Permission_Assignment_For_Critical_Resources:
 categories:
@@ -14730,6 +16068,7 @@ rules:
 group: top10-broken-access-control
 name: CPP_Low_Visibility_Incorrect_Permission_Assignment_For_Critical_Resources
 pretty_name: Incorrect Permission Assignment For Critical Resources - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Information_Exposure_Through_Comments:
 categories:
@@ -14745,6 +16084,7 @@ rules:
 group: top10-broken-access-control
 name: CPP_Low_Visibility_Information_Exposure_Through_Comments
 pretty_name: Information Exposure Through Comments - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Information_Exposure_Through_an_Error_Message:
 categories:
@@ -14758,6 +16098,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_Information_Exposure_Through_an_Error_Message
 pretty_name: Information Exposure Through an Error Message - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Insecure_Temporary_File:
 categories:
@@ -14771,6 +16112,7 @@ rules:
 group: top10-broken-access-control
 name: CPP_Low_Visibility_Insecure_Temporary_File
 pretty_name: Insecure Temporary File - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Insufficiently_Protected_Credentials:
 categories:
@@ -14785,6 +16127,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_Insufficiently_Protected_Credentials
 pretty_name: Insufficiently Protected Credentials - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Leaving_Temporary_Files:
 categories:
@@ -14797,6 +16140,7 @@ rules:
 group: top10-broken-access-control
 name: CPP_Low_Visibility_Leaving_Temporary_Files
 pretty_name: Leaving Temporary Files - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Leftover_Debug_Code:
 categories:
@@ -14811,6 +16155,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_Leftover_Debug_Code
 pretty_name: Leftover Debug Code - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Log_Forging:
 categories:
@@ -14823,6 +16168,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: CPP_Low_Visibility_Log_Forging
 pretty_name: Log Forging - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_NULL_Pointer_Dereference:
 categories:
@@ -14838,6 +16184,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_NULL_Pointer_Dereference
 pretty_name: NULL Pointer Dereference - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Potential_Path_Traversal:
 categories:
@@ -14853,6 +16200,7 @@ rules:
 group: top10-broken-access-control
 name: CPP_Low_Visibility_Potential_Path_Traversal
 pretty_name: Potential Path Traversal - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Privacy_Violation:
 categories:
@@ -14868,6 +16216,7 @@ rules:
 group: top10-broken-access-control
 name: CPP_Low_Visibility_Privacy_Violation
 pretty_name: Privacy Violation - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision:
 categories:
@@ -14882,6 +16231,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision
 pretty_name: Reliance on DNS Lookups in a Decision - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Sizeof_Pointer_Argument:
 categories:
@@ -14896,6 +16246,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_Sizeof_Pointer_Argument
 pretty_name: Sizeof Pointer Argument - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Stored_Blind_SQL_Injections:
 categories:
@@ -14912,6 +16263,7 @@ rules:
 group: top10-injection
 name: CPP_Low_Visibility_Stored_Blind_SQL_Injections
 pretty_name: Stored Blind SQL Injections - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_TOCTOU:
 categories:
@@ -14927,6 +16279,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_TOCTOU
 pretty_name: TOCTOU - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Unchecked_Array_Index:
 categories:
@@ -14941,6 +16294,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_Unchecked_Array_Index
 pretty_name: Unchecked Array Index - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Unchecked_Return_Value:
 categories:
@@ -14954,6 +16308,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_Unchecked_Return_Value
 pretty_name: Unchecked Return Value - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Undefined_Behavior:
 categories:
@@ -14967,6 +16322,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_Undefined_Behavior
 pretty_name: Undefined Behavior - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Unreleased_Resource_Leak:
 categories:
@@ -14980,6 +16336,7 @@ rules:
 group: top10-broken-access-control
 name: CPP_Low_Visibility_Unreleased_Resource_Leak
 pretty_name: Unreleased Resource Leak - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Use_Of_Deprecated_Class:
 categories:
@@ -14993,6 +16350,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_Use_Of_Deprecated_Class
 pretty_name: Use Of Deprecated Class - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Use_Of_Hardcoded_Password:
 categories:
@@ -15006,6 +16364,7 @@ rules:
 group: top10-id-authn-failures
 name: CPP_Low_Visibility_Use_Of_Hardcoded_Password
 pretty_name: Use Of Hardcoded Password - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Use_of_Insufficiently_Random_Values:
 categories:
@@ -15019,6 +16378,7 @@ rules:
 group: top10-crypto-failures
 name: CPP_Low_Visibility_Use_of_Insufficiently_Random_Values
 pretty_name: Use of Insufficiently Random Values - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Use_of_Obsolete_Functions:
 categories:
@@ -15032,6 +16392,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_Use_of_Obsolete_Functions
 pretty_name: Use of Obsolete Functions - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Low_Visibility_Use_of_Sizeof_On_a_Pointer_Type:
 categories:
@@ -15046,6 +16407,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Low_Visibility_Use_of_Sizeof_On_a_Pointer_Type
 pretty_name: Use of Sizeof On a Pointer Type - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R00_01_03_Find_Unused_Variables:
 categories:
@@ -15058,6 +16420,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R00_01_03_Find_Unused_Variables
 pretty_name: R00 01 03 Find Unused Variables - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R00_01_05_Find_Unused_Typedefs:
 categories:
@@ -15070,6 +16433,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R00_01_05_Find_Unused_Typedefs
 pretty_name: R00 01 05 Find Unused Typedefs - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R00_01_10_Find_Unused_Defined_Functions:
 categories:
@@ -15083,6 +16447,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R00_01_10_Find_Unused_Defined_Functions
 pretty_name: R00 01 10 Find Unused Defined Functions - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R00_01_11_Find_Unused_Parameters:
 categories:
@@ -15095,6 +16460,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R00_01_11_Find_Unused_Parameters
 pretty_name: R00 01 11 Find Unused Parameters - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R00_01_12_Find_Virtual_Unused_Parameters:
 categories:
@@ -15107,6 +16473,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R00_01_12_Find_Virtual_Unused_Parameters
 pretty_name: R00 01 12 Find Virtual Unused Parameters - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R02_03_01_Trigraphs:
 categories:
@@ -15119,6 +16486,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R02_03_01_Trigraphs
 pretty_name: R02 03 01 Trigraphs - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R02_05_01_Digraphs:
 categories:
@@ -15132,6 +16500,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R02_05_01_Digraphs
 pretty_name: R02 05 01 Digraphs - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R02_07_02_Code_Commented_Out:
 categories:
@@ -15145,6 +16514,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R02_07_02_Code_Commented_Out
 pretty_name: R02 07 02 Code Commented Out - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R02_07_03_Code_CPP_Commented_Out:
 categories:
@@ -15158,6 +16528,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R02_07_03_Code_CPP_Commented_Out
 pretty_name: R02 07 03 Code CPP Commented Out - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R02_10_02_Identifiers_Hide_Outer_Scope_Identifiers:
 categories:
@@ -15171,6 +16542,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R02_10_02_Identifiers_Hide_Outer_Scope_Identifiers
 pretty_name: R02 10 02 Identifiers Hide Outer Scope Identifiers - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R02_10_03_Typedef_Name_Reused:
 categories:
@@ -15184,6 +16556,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R02_10_03_Typedef_Name_Reused
 pretty_name: R02 10 03 Typedef Name Reused - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R02_10_04_Class_Enum_Union_Names_Reused:
 categories:
@@ -15197,6 +16570,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R02_10_04_Class_Enum_Union_Names_Reused
 pretty_name: R02 10 04 Class Enum Union Names Reused - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R02_10_05_Non_Member_Static_Name_Reuse:
 categories:
@@ -15210,6 +16584,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R02_10_05_Non_Member_Static_Name_Reuse
 pretty_name: R02 10 05 Non Member Static Name Reuse - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R02_13_01_Non_ISO_Escapes:
 categories:
@@ -15223,6 +16598,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R02_13_01_Non_ISO_Escapes
 pretty_name: R02 13 01 Non ISO Escapes - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R02_13_02_Non_Zero_Octal_Constant:
 categories:
@@ -15236,6 +16612,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R02_13_02_Non_Zero_Octal_Constant
 pretty_name: R02 13 02 Non Zero Octal Constant - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R02_13_03_U_Suffix_Not_Applied_To_Unsigned_Hex_Oct:
 categories:
@@ -15249,6 +16626,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R02_13_03_U_Suffix_Not_Applied_To_Unsigned_Hex_Oct
 pretty_name: R02 13 03 U Suffix Not Applied To Unsigned Hex Oct - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R02_13_04_Literal_Suffix_Uppercase:
 categories:
@@ -15262,6 +16640,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R02_13_04_Literal_Suffix_Uppercase
 pretty_name: R02 13 04 Literal Suffix Uppercase - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R03_01_03_Find_Arrays_Without_Size:
 categories:
@@ -15275,6 +16654,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R03_01_03_Find_Arrays_Without_Size
 pretty_name: R03 01 03 Find Arrays Without Size - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R03_02_01_Identical_Function_and_Object_Decl_Def:
 categories:
@@ -15288,6 +16668,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R03_02_01_Identical_Function_and_Object_Decl_Def
 pretty_name: R03 02 01 Identical Function and Object Decl Def - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R03_04_01_Obj_Defined_Outside_Minimal_Scope:
 categories:
@@ -15301,6 +16682,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R03_04_01_Obj_Defined_Outside_Minimal_Scope
 pretty_name: R03 04 01 Obj Defined Outside Minimal Scope - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R03_09_02_Non_Typedef_Basic_Types:
 categories:
@@ -15314,6 +16696,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R03_09_02_Non_Typedef_Basic_Types
 pretty_name: R03 09 02 Non Typedef Basic Types - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R04_10_01_NULL_As_An_Integer_Value:
 categories:
@@ -15327,6 +16710,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R04_10_01_NULL_As_An_Integer_Value
 pretty_name: R04 10 01 NULL As An Integer Value - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R04_10_02_Literal_Zero_As_Null_Pointer_Constant:
 categories:
@@ -15341,6 +16725,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R04_10_02_Literal_Zero_As_Null_Pointer_Constant
 pretty_name: R04 10 02 Literal Zero As Null Pointer Constant - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R05_00_07_Improper_Explicit_Floating_Integral_Conversion_Of_Expression:
 categories:
@@ -15355,6 +16740,7 @@ rules:
 name: CPP_MISRA_CPP_R05_00_07_Improper_Explicit_Floating_Integral_Conversion_Of_Expression
 pretty_name: R05 00 07 Improper Explicit Floating Integral Conversion Of Expression - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R05_00_10_Bitwise_Operator_On_Unsigned_Char_Short_Types:
 categories:
@@ -15368,6 +16754,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R05_00_10_Bitwise_Operator_On_Unsigned_Char_Short_Types
 pretty_name: R05 00 10 Bitwise Operator On Unsigned Char Short Types - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R05_00_11_Plain_Char_Type_Usage:
 categories:
@@ -15382,6 +16769,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R05_00_11_Plain_Char_Type_Usage
 pretty_name: R05 00 11 Plain Char Type Usage - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R05_00_12_Not_Plain_Char_Type_Usage:
 categories:
@@ -15395,6 +16783,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R05_00_12_Not_Plain_Char_Type_Usage
 pretty_name: R05 00 12 Not Plain Char Type Usage - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R05_00_21_Bitwise_Operator_On_Signed_Type:
 categories:
@@ -15408,6 +16797,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R05_00_21_Bitwise_Operator_On_Signed_Type
 pretty_name: R05 00 21 Bitwise Operator On Signed Type - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R05_02_01_AND_OR_Operands_Not_As_Postfix_Expressions:
 categories:
@@ -15421,6 +16811,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R05_02_01_AND_OR_Operands_Not_As_Postfix_Expressions
 pretty_name: R05 02 01 AND OR Operands Not As Postfix Expressions - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R05_02_10_Using_Of_Incremental_And_Decrimental_Operators:
 categories:
@@ -15434,6 +16825,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R05_02_10_Using_Of_Incremental_And_Decrimental_Operators
 pretty_name: R05 02 10 Using Of Incremental And Decrimental Operators - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R05_02_11_Find_Special_Operator_Overloads:
 categories:
@@ -15448,6 +16840,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R05_02_11_Find_Special_Operator_Overloads
 pretty_name: R05 02 11 Find Special Operator Overloads - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R05_03_02_Unary_Minus_Operator_On_Unsigned_Type:
 categories:
@@ -15462,6 +16855,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R05_03_02_Unary_Minus_Operator_On_Unsigned_Type
 pretty_name: R05 03 02 Unary Minus Operator On Unsigned Type - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R05_03_03_Overloading_Reference_Oper:
 categories:
@@ -15475,6 +16869,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R05_03_03_Overloading_Reference_Oper
 pretty_name: R05 03 03 Overloading Reference Oper - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R05_18_01_Comma_Operator_Used:
 categories:
@@ -15488,6 +16883,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R05_18_01_Comma_Operator_Used
 pretty_name: R05 18 01 Comma Operator Used - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R06_02_01_Assignment_in_Sub_Expr:
 categories:
@@ -15501,6 +16897,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R06_02_01_Assignment_in_Sub_Expr
 pretty_name: R06 02 01 Assignment in Sub Expr - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R06_02_02_FloatingPt_Equality_Inequality_Testing:
 categories:
@@ -15516,6 +16913,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R06_02_02_FloatingPt_Equality_Inequality_Testing
 pretty_name: R06 02 02 FloatingPt Equality Inequality Testing - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R06_03_01_Not_Compound_Switch_Or_Iteration_Statement:
 categories:
@@ -15529,6 +16927,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R06_03_01_Not_Compound_Switch_Or_Iteration_Statement
 pretty_name: R06 03 01 Not Compound Switch Or Iteration Statement - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R06_04_01_Not_Compound_If_Or_Else:
 categories:
@@ -15542,6 +16941,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R06_04_01_Not_Compound_If_Or_Else
 pretty_name: R06 04 01 Not Compound If Or Else - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R06_04_02_If_Else_If_Not_Ending_With_Else:
 categories:
@@ -15555,6 +16955,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R06_04_02_If_Else_If_Not_Ending_With_Else
 pretty_name: R06 04 02 If Else If Not Ending With Else - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R06_04_04_Case_Not_Enclosed_By_Compound_Switch:
 categories:
@@ -15568,6 +16969,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R06_04_04_Case_Not_Enclosed_By_Compound_Switch
 pretty_name: R06 04 04 Case Not Enclosed By Compound Switch - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R06_04_05_Non_Empty_Switch_Clause_Without_Break_or_Throw:
 categories:
@@ -15581,6 +16983,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R06_04_05_Non_Empty_Switch_Clause_Without_Break_or_Throw
 pretty_name: R06 04 05 Non Empty Switch Clause Without Break or Throw - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R06_04_06_Non_Default_Final_Clause_In_Switch_Statement:
 categories:
@@ -15594,6 +16997,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R06_04_06_Non_Default_Final_Clause_In_Switch_Statement
 pretty_name: R06 04 06 Non Default Final Clause In Switch Statement - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R06_04_07_Find_Switch_Condition_Bool:
 categories:
@@ -15606,6 +17010,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R06_04_07_Find_Switch_Condition_Bool
 pretty_name: R06 04 07 Find Switch Condition Bool - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R06_05_01_Single_Non_Float_LC:
 categories:
@@ -15619,6 +17024,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R06_05_01_Single_Non_Float_LC
 pretty_name: R06 05 01 Single Non Float LC - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R06_05_02_Loop_Counter_Modify:
 categories:
@@ -15632,6 +17038,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R06_05_02_Loop_Counter_Modify
 pretty_name: R06 05 02 Loop Counter Modify - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R06_05_03_Change_Lc_In_St_And_Cond:
 categories:
@@ -15645,6 +17052,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R06_05_03_Change_Lc_In_St_And_Cond
 pretty_name: R06 05 03 Change Lc In St And Cond - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R06_05_04_Incremental_Modified:
 categories:
@@ -15658,6 +17066,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R06_05_04_Incremental_Modified
 pretty_name: R06 05 04 Incremental Modified - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R06_05_05_Lcv_Change_In_For_Stmt:
 categories:
@@ -15671,6 +17080,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R06_05_05_Lcv_Change_In_For_Stmt
 pretty_name: R06 05 05 Lcv Change In For Stmt - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R06_05_06_Bool_Lcv_Change:
 categories:
@@ -15683,6 +17093,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R06_05_06_Bool_Lcv_Change
 pretty_name: R06 05 06 Bool Lcv Change - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R06_06_02_Backward_Use_Of_Goto:
 categories:
@@ -15696,6 +17107,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R06_06_02_Backward_Use_Of_Goto
 pretty_name: R06 06 02 Backward Use Of Goto - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R06_06_03_Continue_In_Legal_For:
 categories:
@@ -15709,6 +17121,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R06_06_03_Continue_In_Legal_For
 pretty_name: R06 06 03 Continue In Legal For - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R06_06_04_One_GoTo_Break_In_Iteration:
 categories:
@@ -15722,6 +17135,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R06_06_04_One_GoTo_Break_In_Iteration
 pretty_name: R06 06 04 One GoTo Break In Iteration - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R06_06_05_Single_Point_Exit_At_Function_End:
 categories:
@@ -15736,6 +17150,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R06_06_05_Single_Point_Exit_At_Function_End
 pretty_name: R06 06 05 Single Point Exit At Function End - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R07_01_01_Declare_Const_if_not_Modified:
 categories:
@@ -15749,6 +17164,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R07_01_01_Declare_Const_if_not_Modified
 pretty_name: R07 01 01 Declare Const if not Modified - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R07_01_02_Declare_Ref_Const_if_not_Modified:
 categories:
@@ -15762,6 +17178,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R07_01_02_Declare_Ref_Const_if_not_Modified
 pretty_name: R07 01 02 Declare Ref Const if not Modified - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R07_03_01_Definitions_in_Global_Namespace:
 categories:
@@ -15775,6 +17192,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R07_03_01_Definitions_in_Global_Namespace
 pretty_name: R07 03 01 Definitions in Global Namespace - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R07_03_02_Find_non_Global_Mains:
 categories:
@@ -15787,6 +17205,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R07_03_02_Find_non_Global_Mains
 pretty_name: R07 03 02 Find non Global Mains - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R07_03_03_Unnamed_NS_in_Headers:
 categories:
@@ -15800,6 +17219,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R07_03_03_Unnamed_NS_in_Headers
 pretty_name: R07 03 03 Unnamed NS in Headers - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R07_03_04_Find_Using_Directives:
 categories:
@@ -15812,6 +17232,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R07_03_04_Find_Using_Directives
 pretty_name: R07 03 04 Find Using Directives - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R07_03_05_Multiple_Declarations_After_Using:
 categories:
@@ -15825,6 +17246,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R07_03_05_Multiple_Declarations_After_Using
 pretty_name: R07 03 05 Multiple Declarations After Using - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R07_03_06_Find_Using_in_Headers:
 categories:
@@ -15838,6 +17260,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R07_03_06_Find_Using_in_Headers
 pretty_name: R07 03 06 Find Using in Headers - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R07_05_02_Address_Assignment_out_of_Scope:
 categories:
@@ -15851,6 +17274,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R07_05_02_Address_Assignment_out_of_Scope
 pretty_name: R07 05 02 Address Assignment out of Scope - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R07_05_03_Return_Parameter_Passed_by_Ref:
 categories:
@@ -15864,6 +17288,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R07_05_03_Return_Parameter_Passed_by_Ref
 pretty_name: R07 05 03 Return Parameter Passed by Ref - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R07_05_04_Recursion_Exists:
 categories:
@@ -15877,6 +17302,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R07_05_04_Recursion_Exists
 pretty_name: R07 05 04 Recursion Exists - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R08_00_01_Find_Multiple_Declarators:
 categories:
@@ -15890,6 +17316,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R08_00_01_Find_Multiple_Declarators
 pretty_name: R08 00 01 Find Multiple Declarators - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R08_04_01_Function_With_Variable_Number_Of_Arguments:
 categories:
@@ -15903,6 +17330,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R08_04_01_Function_With_Variable_Number_Of_Arguments
 pretty_name: R08 04 01 Function With Variable Number Of Arguments - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R08_04_03_Explicit_Return_Throw:
 categories:
@@ -15916,6 +17344,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R08_04_03_Explicit_Return_Throw
 pretty_name: R08 04 03 Explicit Return Throw - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R08_05_01_Uninitialized_Variable_Use:
 categories:
@@ -15928,6 +17357,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R08_05_01_Uninitialized_Variable_Use
 pretty_name: R08 05 01 Uninitialized Variable Use - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R09_05_01_Use_Of_Union:
 categories:
@@ -15941,6 +17371,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R09_05_01_Use_Of_Union
 pretty_name: R09 05 01 Use Of Union - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R09_06_02_bool_Unsigned_Signed_Bit_Field:
 categories:
@@ -15954,6 +17385,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R09_06_02_bool_Unsigned_Signed_Bit_Field
 pretty_name: R09 06 02 bool Unsigned Signed Bit Field - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R09_06_03_Enum_Bit_Fields:
 categories:
@@ -15967,6 +17399,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R09_06_03_Enum_Bit_Fields
 pretty_name: R09 06 03 Enum Bit Fields - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R09_06_04_Bit_Fields_Length:
 categories:
@@ -15980,6 +17413,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R09_06_04_Bit_Fields_Length
 pretty_name: R09 06 04 Bit Fields Length - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R10_01_01_Find_Virtual_Base_Classes:
 categories:
@@ -15993,6 +17427,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R10_01_01_Find_Virtual_Base_Classes
 pretty_name: R10 01 01 Find Virtual Base Classes - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R10_03_02_Find_Override_Without_Virtual:
 categories:
@@ -16006,6 +17441,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R10_03_02_Find_Override_Without_Virtual
 pretty_name: R10 03 02 Find Override Without Virtual - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R10_03_03_Redeclare_Function_as_Pure:
 categories:
@@ -16019,6 +17455,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R10_03_03_Redeclare_Function_as_Pure
 pretty_name: R10 03 03 Redeclare Function as Pure - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R12_01_03_Find_non_Explicit_Constructor:
 categories:
@@ -16031,6 +17468,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R12_01_03_Find_non_Explicit_Constructor
 pretty_name: R12 01 03 Find non Explicit Constructor - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R15_00_02_Throw_Pointers:
 categories:
@@ -16043,6 +17481,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R15_00_02_Throw_Pointers
 pretty_name: R15 00 02 Throw Pointers - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R15_00_03_Goto_Label_Inside_TryCatch:
 categories:
@@ -16056,6 +17495,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R15_00_03_Goto_Label_Inside_TryCatch
 pretty_name: R15 00 03 Goto Label Inside TryCatch - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R15_01_02_No_Explicit_Null_Throw:
 categories:
@@ -16068,6 +17508,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R15_01_02_No_Explicit_Null_Throw
 pretty_name: R15 01 02 No Explicit Null Throw - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R15_01_03_Empty_Throw_Outside_Catch:
 categories:
@@ -16081,6 +17522,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R15_01_03_Empty_Throw_Outside_Catch
 pretty_name: R15 01 03 Empty Throw Outside Catch - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R15_03_02_Catch_All_In_Main:
 categories:
@@ -16094,6 +17536,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R15_03_02_Catch_All_In_Main
 pretty_name: R15 03 02 Catch All In Main - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R15_03_03_Accessing_Non_Static_Mem_In_Ctr_Dtr:
 categories:
@@ -16107,6 +17550,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R15_03_03_Accessing_Non_Static_Mem_In_Ctr_Dtr
 pretty_name: R15 03 03 Accessing Non Static Mem In Ctr Dtr - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R15_03_07_Catch_All_Final:
 categories:
@@ -16123,6 +17567,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R15_03_07_Catch_All_Final
 pretty_name: R15 03 07 Catch All Final - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R15_05_01_Statements_Outside_TryCatch_Dtr:
 categories:
@@ -16136,6 +17581,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R15_05_01_Statements_Outside_TryCatch_Dtr
 pretty_name: R15 05 01 Statements Outside TryCatch Dtr - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R16_00_02_Define_Only_in_Global_Namespace:
 categories:
@@ -16149,6 +17595,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R16_00_02_Define_Only_in_Global_Namespace
 pretty_name: R16 00 02 Define Only in Global Namespace - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R16_00_03_Use_Of_Undef_Directive:
 categories:
@@ -16162,6 +17609,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R16_00_03_Use_Of_Undef_Directive
 pretty_name: R16 00 03 Use Of Undef Directive - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R16_00_04_Function_Like_Macros_Shall_Not_Be_Defined:
 categories:
@@ -16174,6 +17622,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R16_00_04_Function_Like_Macros_Shall_Not_Be_Defined
 pretty_name: R16 00 04 Function Like Macros Shall Not Be Defined - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R16_00_05_No_Tokens_In_Func_Like_Macro:
 categories:
@@ -16186,6 +17635,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R16_00_05_No_Tokens_In_Func_Like_Macro
 pretty_name: R16 00 05 No Tokens In Func Like Macro - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R16_00_07_Undefined_Macro_Identifiers:
 categories:
@@ -16199,6 +17649,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R16_00_07_Undefined_Macro_Identifiers
 pretty_name: R16 00 07 Undefined Macro Identifiers - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R16_00_08_Sharp_Before_Preprocessing_Token:
 categories:
@@ -16212,6 +17663,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R16_00_08_Sharp_Before_Preprocessing_Token
 pretty_name: R16 00 08 Sharp Before Preprocessing Token - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R16_01_01_Defined_Standart_Forms:
 categories:
@@ -16224,6 +17676,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R16_01_01_Defined_Standart_Forms
 pretty_name: R16 01 01 Defined Standart Forms - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R16_01_02_Preprocessor_If_And_Else_Operators_Reside_In_Different_Files:
 categories:
@@ -16238,6 +17691,7 @@ rules: name: CPP_MISRA_CPP_R16_01_02_Preprocessor_If_And_Else_Operators_Reside_In_Different_Files pretty_name: R16 01 02 Preprocessor If And Else Operators Reside In Different Files - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R16_02_06_Include_Directive_In_Wrong_Format: categories: @@ -16251,6 +17705,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_CPP_R16_02_06_Include_Directive_In_Wrong_Format pretty_name: R16 02 06 Include Directive In Wrong Format - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R16_03_02_Pound_Preprocessor_Operator_Is_Used: categories: @@ -16264,6 +17719,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_CPP_R16_03_02_Pound_Preprocessor_Operator_Is_Used pretty_name: R16 03 02 Pound Preprocessor Operator Is Used - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R17_00_01_Standard_Library_Redefined_Or_Undefined: categories: @@ -16277,6 +17733,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_CPP_R17_00_01_Standard_Library_Redefined_Or_Undefined pretty_name: R17 00 01 Standard Library Redefined Or Undefined - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R17_00_02_Standard_Library_Macros_Reuse: categories: @@ -16290,6 +17747,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_CPP_R17_00_02_Standard_Library_Macros_Reuse pretty_name: R17 00 02 Standard Library Macros Reuse - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R17_00_03_Standard_Library_Functions_Override: categories: 
@@ -16304,6 +17762,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R17_00_03_Standard_Library_Functions_Override
 pretty_name: R17 00 03 Standard Library Functions Override - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R18_00_04_Ctime:
 categories:
@@ -16317,6 +17776,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R18_00_04_Ctime
 pretty_name: R18 00 04 Ctime - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R18_00_05_Unbounded_Functions_Of_Library_CString:
 categories:
@@ -16330,6 +17790,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R18_00_05_Unbounded_Functions_Of_Library_CString
 pretty_name: R18 00 05 Unbounded Functions Of Library CString - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R18_04_01_Dynamic_Heap_Memory_Allocation:
 categories:
@@ -16343,6 +17804,7 @@ rules:
 group: top10-injection
 name: CPP_MISRA_CPP_R18_04_01_Dynamic_Heap_Memory_Allocation
 pretty_name: R18 04 01 Dynamic Heap Memory Allocation - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_CPP_R18_07_01_Csignal:
 categories:
@@ -16356,6 +17818,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_CPP_R18_07_01_Csignal
 pretty_name: R18 07 01 Csignal - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_2012_R01_04_Emergent_Features_Shall_Not_Be_Used:
 categories:
@@ -16369,6 +17832,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_2012_R01_04_Emergent_Features_Shall_Not_Be_Used
 pretty_name: R01 04 Emergent Features Shall Not Be Used - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_2012_R02_X_Unused_Code:
 categories:
@@ -16382,6 +17846,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_2012_R02_X_Unused_Code
 pretty_name: R02 X Unused Code - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_2012_R03_X_Comments:
 categories:
@@ -16396,6 +17861,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_2012_R03_X_Comments
 pretty_name: R03 X Comments - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_2012_R04_X_Character_Sets:
 categories:
@@ -16409,6 +17875,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_2012_R04_X_Character_Sets
 pretty_name: R04 X Character Sets - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_2012_R05_X_Identifiers:
 categories:
@@ -16422,6 +17889,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_2012_R05_X_Identifiers
 pretty_name: R05 X Identifiers - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_2012_R06_X_Bitfields:
 categories:
@@ -16435,6 +17903,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_2012_R06_X_Bitfields
 pretty_name: R06 X Bitfields - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_2012_R07_01_Octal_Constans_Shall_Not_Be_Used:
 categories:
@@ -16447,6 +17916,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_2012_R07_01_Octal_Constans_Shall_Not_Be_Used
 pretty_name: R07 01 Octal Constans Shall Not Be Used - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_2012_R07_02_U_Or_u_Suffix_Shall_Be_Applied_To_All_Unsigned_Type_Integers:
 categories:
@@ -16461,6 +17931,7 @@ rules: name: CPP_MISRA_C_2012_R07_02_U_Or_u_Suffix_Shall_Be_Applied_To_All_Unsigned_Type_Integers pretty_name: R07 02 U Or u Suffix Shall Be Applied To All Unsigned Type Integers - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R07_03_Lowercase_l_Shall_Not_Be_Used_In_A_Literal_Suffix: categories: @@ -16474,6 +17945,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R07_03_Lowercase_l_Shall_Not_Be_Used_In_A_Literal_Suffix pretty_name: R07 03 Lowercase l Shall Not Be Used In A Literal Suffix - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R07_04_String_Literal_Should_Be_Assigned_To_Pointer_To_Const_Char: categories: @@ -16488,6 +17960,7 @@ rules: name: CPP_MISRA_C_2012_R07_04_String_Literal_Should_Be_Assigned_To_Pointer_To_Const_Char pretty_name: R07 04 String Literal Should Be Assigned To Pointer To Const Char - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R08_02_Function_Prototype_With_Named_Parameters: categories: @@ -16501,6 +17974,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R08_02_Function_Prototype_With_Named_Parameters pretty_name: R08 02 Function Prototype With Named Parameters - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R08_03_Functions_Have_Same_Name: categories: @@ -16514,6 +17988,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R08_03_Functions_Have_Same_Name pretty_name: R08 03 Functions Have Same Name - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R08_04_Compatible_Declaration_Shall_Be_Visible: categories: 
@@ -16527,6 +18002,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R08_04_Compatible_Declaration_Shall_Be_Visible pretty_name: R08 04 Compatible Declaration Shall Be Visible - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R08_05_External_Objects_Shall_Be_Declared_Once: categories: @@ -16540,6 +18016,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R08_05_External_Objects_Shall_Be_Declared_Once pretty_name: R08 05 External Objects Shall Be Declared Once - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R08_06_Single_External_Definition_Per_External_Identifier: categories: @@ -16553,6 +18030,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R08_06_Single_External_Definition_Per_External_Identifier pretty_name: R08 06 Single External Definition Per External Identifier - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R08_07_Function_And_Objects_Should_Not_Use_Extern_When_Referenced_In_One_File: categories: @@ -16567,6 +18045,7 @@ rules: name: CPP_MISRA_C_2012_R08_07_Function_And_Objects_Should_Not_Use_Extern_When_Referenced_In_One_File pretty_name: R08 07 Function And Objects Should Not Use Extern When Referenced In One File - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R08_08_Static_Shall_Be_Used_In_All_Internal_Linkage_Declarations: categories: @@ -16581,6 +18060,7 @@ rules: name: CPP_MISRA_C_2012_R08_08_Static_Shall_Be_Used_In_All_Internal_Linkage_Declarations pretty_name: R08 08 Static Shall Be Used In All Internal Linkage Declarations - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R08_09_Identifiers_Should_Be_Defined_At_Block_Scope: categories: 
@@ -16594,6 +18074,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R08_09_Identifiers_Should_Be_Defined_At_Block_Scope pretty_name: R08 09 Identifiers Should Be Defined At Block Scope - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R08_10_Inline_Function_Shall_Be_Declared_With_Static: categories: @@ -16607,6 +18088,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R08_10_Inline_Function_Shall_Be_Declared_With_Static pretty_name: R08 10 Inline Function Shall Be Declared With Static - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R08_11_Extern_Array_Shall_Be_Declared_With_Determined_Size: categories: @@ -16619,6 +18101,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R08_11_Extern_Array_Shall_Be_Declared_With_Determined_Size pretty_name: R08 11 Extern Array Shall Be Declared With Determined Size - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R08_12_Value_Implicitly_Specified_Of_Enumeration_Constant_Shall_Be_Unique: categories: @@ -16633,6 +18116,7 @@ rules: name: CPP_MISRA_C_2012_R08_12_Value_Implicitly_Specified_Of_Enumeration_Constant_Shall_Be_Unique pretty_name: R08 12 Value Implicitly Specified Of Enumeration Constant Shall Be Unique - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R08_13_Pointer_Should_Point_Const: categories: @@ -16646,6 +18130,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R08_13_Pointer_Should_Point_Const pretty_name: R08 13 Pointer Should Point Const - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R08_14_Restrict_Type_Qualifier: categories: 
@@ -16660,6 +18145,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R08_14_Restrict_Type_Qualifier pretty_name: R08 14 Restrict Type Qualifier - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R09_01_Value_Not_Read_Before_Being_Set: categories: @@ -16673,6 +18159,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R09_01_Value_Not_Read_Before_Being_Set pretty_name: R09 01 Value Not Read Before Being Set - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R09_02_to_03_Array_Initializer_Validation: categories: @@ -16687,6 +18174,7 @@ rules: group: top10-injection name: CPP_MISRA_C_2012_R09_02_to_03_Array_Initializer_Validation pretty_name: R09 02 to 03 Array Initializer Validation - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R10_01_Operands_Shall_Not_Be_Of_An_Inappropriate_Essential_Type: categories: @@ -16701,6 +18189,7 @@ rules: name: CPP_MISRA_C_2012_R10_01_Operands_Shall_Not_Be_Of_An_Inappropriate_Essential_Type pretty_name: R10 01 Operands Shall Not Be Of An Inappropriate Essential Type - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R10_02_Char_Type_Shall_Not_Be_Used_Inappropriately_In_Operations: categories: @@ -16715,6 +18204,7 @@ rules: name: CPP_MISRA_C_2012_R10_02_Char_Type_Shall_Not_Be_Used_Inappropriately_In_Operations pretty_name: R10 02 Char Type Shall Not Be Used Inappropriately In Operations - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R10_03_Value_Of_An_Expression_Assigned_To_Inappropriate_Essential_Type: categories: 
@@ -16729,6 +18219,7 @@ rules: name: CPP_MISRA_C_2012_R10_03_Value_Of_An_Expression_Assigned_To_Inappropriate_Essential_Type pretty_name: R10 03 Value Of An Expression Assigned To Inappropriate Essential Type - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R10_04_Binary_Operator_Operands_With_Same_Type: categories: @@ -16742,6 +18233,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R10_04_Binary_Operator_Operands_With_Same_Type pretty_name: R10 04 Binary Operator Operands With Same Type - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R10_05_Value_Of_An_Expression_Cast_To_Inappropriate_Essential_Type: categories: @@ -16756,6 +18248,7 @@ rules: name: CPP_MISRA_C_2012_R10_05_Value_Of_An_Expression_Cast_To_Inappropriate_Essential_Type pretty_name: R10 05 Value Of An Expression Cast To Inappropriate Essential Type - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R10_06_to_08_Composite_Expressions: categories: @@ -16769,6 +18262,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R10_06_to_08_Composite_Expressions pretty_name: R10 06 to 08 Composite Expressions - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R11_X_Pointer_Type_Conversions: categories: @@ -16783,6 +18277,7 @@ rules: group: top10-vulnerable-components name: CPP_MISRA_C_2012_R11_X_Pointer_Type_Conversions pretty_name: R11 X Pointer Type Conversions - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R12_01_Explicit_Operator_Precedence: categories: 
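Review bot: The last hunk on this line marks CPP_MISRA_C_2012_R11_X_Pointer_Type_Conversions `recommended: true` while its `group` is `top10-vulnerable-components`, the OWASP category for outdated third-party dependencies, which does not fit an in-code pointer-cast rule; once the rule is in the recommended set that mismatch will show up in group-filtered reports. The grouping is pre-existing, but since this commit makes it default-visible, `group: top10-insecure-design` (matching the other MISRA entries) or a memory-safety group if the realm defines one looks more accurate — confirm against the linked `ref`. Pointer type conversion itself is a reasonable rule to recommend, since unchecked casts are a common root of memory-safety bugs. The entry's `categories` list is above the hunk.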
@@ -16797,6 +18292,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R12_01_Explicit_Operator_Precedence pretty_name: R12 01 Explicit Operator Precedence - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R12_02_Right_Operand_Of_Shift_Operator_Out_Of_Range: categories: @@ -16810,6 +18306,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R12_02_Right_Operand_Of_Shift_Operator_Out_Of_Range pretty_name: R12 02 Right Operand Of Shift Operator Out Of Range - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R12_03_Comma_Operator_Shall_Not_Be_Used: categories: @@ -16823,6 +18320,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R12_03_Comma_Operator_Shall_Not_Be_Used pretty_name: R12 03 Comma Operator Shall Not Be Used - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R12_04_Unsigned_Integer_Wrap_Around: categories: @@ -16836,6 +18334,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R12_04_Unsigned_Integer_Wrap_Around pretty_name: R12 04 Unsigned Integer Wrap Around - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R12_05_Sizeof_Operand_Not_Array_Of_Type: categories: @@ -16849,6 +18348,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R12_05_Sizeof_Operand_Not_Array_Of_Type pretty_name: R12 05 Sizeof Operand Not Array Of Type - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R13_X_Side_Effects: categories: 
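Review bot: R12.01 (explicit operator precedence) and R12.03 (comma operator shall not be used) are readability rules with no direct security consequence, yet they receive the same `recommended: true` as R12.02 (shift right operand out of range) and R12.04 (unsigned integer wrap-around), which describe undefined behaviour and integer-overflow conditions that do become exploitable. If the recommended profile is meant as a security-first default, keep the flag on R12.02, R12.04 and R12.05 (`sizeof` on a non-array operand, a classic buffer-length bug) and drop it from R12.01 and R12.03; if it means "on by default", say so in a file-level comment so the mix is clearly deliberate. Each rule's `categories` list is above its hunk.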
@@ -16862,6 +18362,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R13_X_Side_Effects pretty_name: R13 X Side Effects - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R14_X_Control_Statement_Expressions: categories: @@ -16875,6 +18376,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R14_X_Control_Statement_Expressions pretty_name: R14 X Control Statement Expressions - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R15_01_to_03_Goto_Usage_Constraints: categories: @@ -16888,6 +18390,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R15_01_to_03_Goto_Usage_Constraints pretty_name: R15 01 to 03 Goto Usage Constraints - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R15_04_Iteration_Single_Exit_Point: categories: @@ -16901,6 +18404,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R15_04_Iteration_Single_Exit_Point pretty_name: R15 04 Iteration Single Exit Point - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R15_05_Function_Single_Exit_Point: categories: @@ -16914,6 +18418,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R15_05_Function_Single_Exit_Point pretty_name: R15 05 Function Single Exit Point - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R15_06_Statement_Body_Shall_Be_Compound: categories: 
@@ -16928,6 +18433,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R15_06_Statement_Body_Shall_Be_Compound pretty_name: R15 06 Statement Body Shall Be Compound - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R15_07_If_Else_If_Constructs_Not_Ending_With_Else: categories: @@ -16941,6 +18447,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R15_07_If_Else_If_Constructs_Not_Ending_With_Else pretty_name: R15 07 If Else If Constructs Not Ending With Else - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R16_X_Switches: categories: @@ -16954,6 +18461,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R16_X_Switches pretty_name: R16 X Switches - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R17_01_StdArg_Shall_Not_Be_Used: categories: @@ -16966,6 +18474,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R17_01_StdArg_Shall_Not_Be_Used pretty_name: R17 01 StdArg Shall Not Be Used - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R17_02_No_Recursion: categories: @@ -16979,6 +18488,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R17_02_No_Recursion pretty_name: R17 02 No Recursion - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R17_03_Function_Shall_Not_Be_Declared_Implicitly: categories: 
@@ -16992,6 +18502,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R17_03_Function_Shall_Not_Be_Declared_Implicitly pretty_name: R17 03 Function Shall Not Be Declared Implicitly - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R17_04_Non_Void_Has_Valid_Return: categories: @@ -17004,6 +18515,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R17_04_Non_Void_Has_Valid_Return pretty_name: R17 04 Non Void Has Valid Return - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R17_05_to_06_Functions_With_Array_Parameter: categories: @@ -17017,6 +18529,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R17_05_to_06_Functions_With_Array_Parameter pretty_name: R17 05 to 06 Functions With Array Parameter - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R17_07_Value_Returned_By_Non_Void_Function_Shall_Be_Used: categories: @@ -17030,6 +18543,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R17_07_Value_Returned_By_Non_Void_Function_Shall_Be_Used pretty_name: R17 07 Value Returned By Non Void Function Shall Be Used - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R17_08_Function_Parameter_Should_Not_Be_Modified: categories: @@ -17043,6 +18557,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R17_08_Function_Parameter_Should_Not_Be_Modified pretty_name: R17 08 Function Parameter Should Not Be Modified - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R18_04_Pointer_Arithmetic: categories: 
@@ -17056,6 +18571,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R18_04_Pointer_Arithmetic pretty_name: R18 04 Pointer Arithmetic - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R18_05_Pointer_Nesting: categories: @@ -17069,6 +18585,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R18_05_Pointer_Nesting pretty_name: R18 05 Pointer Nesting - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R18_06_Automatic_Storage_Addresses_Shall_Not_Be_Copied: categories: @@ -17082,6 +18599,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R18_06_Automatic_Storage_Addresses_Shall_Not_Be_Copied pretty_name: R18 06 Automatic Storage Addresses Shall Not Be Copied - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R18_07_to_08_Variable_Length_And_Flexible_Arrays: categories: @@ -17095,6 +18613,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R18_07_to_08_Variable_Length_And_Flexible_Arrays pretty_name: R18 07 to 08 Variable Length And Flexible Arrays - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R19_X_Overlapping_Storage: categories: @@ -17108,6 +18627,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R19_X_Overlapping_Storage pretty_name: R19 X Overlapping Storage - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R20_01_Include_Directive_Precedence: categories: 
@@ -17121,6 +18641,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R20_01_Include_Directive_Precedence pretty_name: R20 01 Include Directive Precedence - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R20_02_Invalid_Include_Names: categories: @@ -17135,6 +18656,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R20_02_Invalid_Include_Names pretty_name: R20 02 Invalid Include Names - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R20_03_Includes_In_Wrong_Format: categories: @@ -17149,6 +18671,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R20_03_Includes_In_Wrong_Format pretty_name: R20 03 Includes In Wrong Format - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R20_04_Macros_With_Keyword_Name: categories: @@ -17161,6 +18684,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R20_04_Macros_With_Keyword_Name pretty_name: R20 04 Macros With Keyword Name - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R20_05_Undef_Shall_Not_Be_Used: categories: @@ -17174,6 +18698,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R20_05_Undef_Shall_Not_Be_Used pretty_name: R20 05 Undef Shall Not Be Used - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R20_10_to_12_Preprocessor_Concatenation_Operations: categories: 
@@ -17187,6 +18712,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R20_10_to_12_Preprocessor_Concatenation_Operations pretty_name: R20 10 to 12 Preprocessor Concatenation Operations - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R20_13_Valid_PreProcessor_Directives: categories: @@ -17201,6 +18727,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R20_13_Valid_PreProcessor_Directives pretty_name: R20 13 Valid PreProcessor Directives - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R20_14_Preprocessor_IF_Else_In_Same_File: categories: @@ -17215,6 +18742,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R20_14_Preprocessor_IF_Else_In_Same_File pretty_name: R20 14 Preprocessor IF Else In Same File - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R21_01_to_12_Usage_of_C_Standard_Library: categories: @@ -17228,6 +18756,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R21_01_to_12_Usage_of_C_Standard_Library pretty_name: R21 01 to 12 Usage of C Standard Library - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R21_13_to_20_C_Standard_Library_Types: categories: @@ -17241,6 +18770,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R21_13_to_20_C_Standard_Library_Types pretty_name: R21 13 to 20 C Standard Library Types - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_2012_R22_X_Resources: categories: 
@@ -17254,6 +18784,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_2012_R22_X_Resources pretty_name: R22 X Resources - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R02_02_CPP_Comment_Style: categories: @@ -17267,6 +18798,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R02_02_CPP_Comment_Style pretty_name: R02 02 CPP Comment Style - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R02_03_Nested_Comments: categories: @@ -17280,6 +18812,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R02_03_Nested_Comments pretty_name: R02 03 Nested Comments - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R02_04_Code_Commented_Out: categories: @@ -17292,6 +18825,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R02_04_Code_Commented_Out pretty_name: R02 04 Code Commented Out - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R03_04_Not_Explained_Pragma_Usage: categories: @@ -17305,6 +18839,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R03_04_Not_Explained_Pragma_Usage pretty_name: R03 04 Not Explained Pragma Usage - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R04_01_Non_ISO_Escape_Sequences: categories: @@ -17318,6 +18853,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R04_01_Non_ISO_Escape_Sequences pretty_name: R04 01 Non ISO Escape Sequences - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R04_02_Trigraphs: categories: 
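Review bot: CPP_MISRA_C_R02_02_CPP_Comment_Style, R02_03_Nested_Comments, R02_04_Code_Commented_Out and R03_04_Not_Explained_Pragma_Usage are comment-formatting checks; flagging them `recommended: true` will make the recommended profile raise findings a security triager cannot act on, and every one of them is filed under `top10-insecure-design`, which will inflate that category's counts. R22_X_Resources in the first hunk (resource acquisition/release) is the only rule on this line with a plausible security payoff. Consider removing the flag from the four comment/pragma rules, or documenting next to the first MISRA entry that `recommended` denotes "enabled in the default profile" rather than security relevance. Each rule's `categories` list is above its hunk.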
@@ -17330,6 +18866,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R04_02_Trigraphs pretty_name: R04 02 Trigraphs - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R05_01_Identifiers_Length_Violation: categories: @@ -17343,6 +18880,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R05_01_Identifiers_Length_Violation pretty_name: R05 01 Identifiers Length Violation - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R05_02_Identifiers_Hiding_Outer_Scope_Identifiers: categories: @@ -17356,6 +18894,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R05_02_Identifiers_Hiding_Outer_Scope_Identifiers pretty_name: R05 02 Identifiers Hiding Outer Scope Identifiers - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R05_03_Typedef_Name_Reused: categories: @@ -17368,6 +18907,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R05_03_Typedef_Name_Reused pretty_name: R05 03 Typedef Name Reused - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R05_04_Tag_Name_Reused: categories: @@ -17380,6 +18920,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R05_04_Tag_Name_Reused pretty_name: R05 04 Tag Name Reused - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R05_05_Identifier_With_Static_Storage_Reused: categories: @@ -17393,6 +18934,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R05_05_Identifier_With_Static_Storage_Reused pretty_name: R05 05 Identifier With Static Storage Reused - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R05_07_Identifier_Name_Reused: categories: 
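Review bot: R04_02_Trigraphs and R05_01_Identifiers_Length_Violation are lexical/portability rules, and R05_03–R05_05 (typedef, tag and static-storage identifier reuse) are naming-hygiene rules, so the `recommended: true` added to each of them will surface style noise in the default profile. R05_02_Identifiers_Hiding_Outer_Scope_Identifiers is the only rule here that regularly masks real logic bugs (a shadowed length or flag variable), and it is the one worth keeping recommended if the set is curated. As elsewhere in this patch, a short file-level comment stating what `recommended` means would make the blanket assignment defensible. Each rule's `categories` list is above its hunk.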
@@ -17406,6 +18948,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R05_07_Identifier_Name_Reused pretty_name: R05 07 Identifier Name Reused - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R06_01_Plain_Char_Type_Usage: categories: @@ -17419,6 +18962,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R06_01_Plain_Char_Type_Usage pretty_name: R06 01 Plain Char Type Usage - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R06_02_Not_Plain_Char_Type_Usage: categories: @@ -17432,6 +18976,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R06_02_Not_Plain_Char_Type_Usage pretty_name: R06 02 Not Plain Char Type Usage - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R06_03_Non_Typedefd_Basic_Types: categories: @@ -17445,6 +18990,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R06_03_Non_Typedefd_Basic_Types pretty_name: R06 03 Non Typedefd Basic Types - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R06_04_Bit_Fields_Type: categories: @@ -17458,6 +19004,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R06_04_Bit_Fields_Type pretty_name: R06 04 Bit Fields Type - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R06_05_Bit_Fields_Length: categories: @@ -17470,6 +19017,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R06_05_Bit_Fields_Length pretty_name: R06 05 Bit Fields Length - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R07_01_Non_Zero_Octal_Constant: categories: 
@@ -17482,6 +19030,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R07_01_Non_Zero_Octal_Constant pretty_name: R07 01 Non Zero Octal Constant - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R08_03_Identical_Function_Decl_Def: categories: @@ -17495,6 +19044,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R08_03_Identical_Function_Decl_Def pretty_name: R08 03 Identical Function Decl Def - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R08_05_Object_Function_In_Header_File: categories: @@ -17508,6 +19058,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R08_05_Object_Function_In_Header_File pretty_name: R08 05 Object Function In Header File - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R08_07_Block_Scope_Obj_If_Used_By_Single_Function: categories: @@ -17521,6 +19072,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R08_07_Block_Scope_Obj_If_Used_By_Single_Function pretty_name: R08 07 Block Scope Obj If Used By Single Function - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R08_08_External_Objects_Declared_Once: categories: @@ -17534,6 +19086,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R08_08_External_Objects_Declared_Once pretty_name: R08 08 External Objects Declared Once - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R09_03_Initializing_Non_First_And_Not_All_Members_In_Enum: categories: 
@@ -17547,6 +19100,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R09_03_Initializing_Non_First_And_Not_All_Members_In_Enum pretty_name: R09 03 Initializing Non First And Not All Members In Enum - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R10_06_U_Suffix_Not_Applied_To_Unsigned_Const: categories: @@ -17561,6 +19115,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R10_06_U_Suffix_Not_Applied_To_Unsigned_Const pretty_name: R10 06 U Suffix Not Applied To Unsigned Const - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R12_05_AND_OR_Operands_Not_As_Primary_Expressions: categories: @@ -17575,6 +19130,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R12_05_AND_OR_Operands_Not_As_Primary_Expressions pretty_name: R12 05 AND OR Operands Not As Primary Expressions - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R12_07_Bitwise_Operator_On_Signed_Type: categories: @@ -17588,6 +19144,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R12_07_Bitwise_Operator_On_Signed_Type pretty_name: R12 07 Bitwise Operator On Signed Type - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R12_09_Unary_Minus_Operator_On_Unsigned_Type: categories: @@ -17601,6 +19158,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R12_09_Unary_Minus_Operator_On_Unsigned_Type pretty_name: R12 09 Unary Minus Operator On Unsigned Type - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R12_10_Comma_Operator_Used: categories: 
@@ -17615,6 +19173,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R12_10_Comma_Operator_Used pretty_name: R12 10 Comma Operator Used - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R12_12_Floating_Point_Bit_Underlying_Representation_Used: categories: @@ -17628,6 +19187,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R12_12_Floating_Point_Bit_Underlying_Representation_Used pretty_name: R12 12 Floating Point Bit Underlying Representation Used - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R12_13_Using_Of_Incremental_And_Decrimental_Operators: categories: @@ -17641,6 +19201,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R12_13_Using_Of_Incremental_And_Decrimental_Operators pretty_name: R12 13 Using Of Incremental And Decrimental Operators - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R13_01_Assignment_Operators_In_Boolean_Expressions: categories: @@ -17653,6 +19214,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R13_01_Assignment_Operators_In_Boolean_Expressions pretty_name: R13 01 Assignment Operators In Boolean Expressions - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R13_03_Floating_Point_Equality_Or_Inequality: categories: @@ -17666,6 +19228,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R13_03_Floating_Point_Equality_Or_Inequality pretty_name: R13 03 Floating Point Equality Or Inequality - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R13_04_Floating_Points_Objects_In_For_Control: categories: 
@@ -17679,6 +19242,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R13_04_Floating_Points_Objects_In_For_Control pretty_name: R13 04 Floating Points Objects In For Control - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R13_06_Loop_Iterator_Modified_In_Loop_Body: categories: @@ -17691,6 +19255,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R13_06_Loop_Iterator_Modified_In_Loop_Body pretty_name: R13 06 Loop Iterator Modified In Loop Body - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R14_04_Use_Of_Goto: categories: @@ -17704,6 +19269,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R14_04_Use_Of_Goto pretty_name: R14 04 Use Of Goto - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R14_05_Use_Of_Continue: categories: @@ -17717,6 +19283,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R14_05_Use_Of_Continue pretty_name: R14 05 Use Of Continue - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R14_06_Multiple_Breaks_In_Iteration_Statement: categories: @@ -17730,6 +19297,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R14_06_Multiple_Breaks_In_Iteration_Statement pretty_name: R14 06 Multiple Breaks In Iteration Statement - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R14_07_Single_Point_Exit_At_Function_End: categories: @@ -17743,6 +19311,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R14_07_Single_Point_Exit_At_Function_End pretty_name: R14 07 Single Point Exit At Function End - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R14_08_Not_Compound_Switch_Or_Iteration_Statement: categories: 
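Review bot: R14_04_Use_Of_Goto, R14_05_Use_Of_Continue, R14_06_Multiple_Breaks_In_Iteration_Statement and R14_07_Single_Point_Exit_At_Function_End are structured-programming style rules that mainstream C code bases deliberately violate (error-unwinding `goto` is idiomatic in much systems code), so marking them `recommended: true` will produce large finding volumes with no security signal and push users to disable the recommended profile wholesale. R13_04 (floating-point loop control) and R13_06 (loop iterator modified in body) are correctness rules with some defensive value but still not vulnerability classes. If the flag is meant to be selective, drop it from the R14 rules on this line; if it is meant to be blanket, state that criterion once in the file so reviewers stop questioning it entry by entry. Each rule's `categories` list is above its hunk.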
@@ -17756,6 +19325,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R14_08_Not_Compound_Switch_Or_Iteration_Statement pretty_name: R14 08 Not Compound Switch Or Iteration Statement - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R14_09_Not_Compound_If_Or_Else: categories: @@ -17770,6 +19340,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R14_09_Not_Compound_If_Or_Else pretty_name: R14 09 Not Compound If Or Else - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R14_10_If_Else_If_Not_Ending_With_Else: categories: @@ -17785,6 +19356,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R14_10_If_Else_If_Not_Ending_With_Else pretty_name: R14 10 If Else If Not Ending With Else - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R15_01_Case_Not_Enclosed_By_Compound_Switch: categories: @@ -17797,6 +19369,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R15_01_Case_Not_Enclosed_By_Compound_Switch pretty_name: R15 01 Case Not Enclosed By Compound Switch - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R15_02_Non_Empty_Switch_Clause_Without_Break: categories: @@ -17810,6 +19383,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R15_02_Non_Empty_Switch_Clause_Without_Break pretty_name: R15 02 Non Empty Switch Clause Without Break - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R15_03_Non_Default_Final_Clause_In_Switch_Statement: categories: 
@@ -17823,6 +19397,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R15_03_Non_Default_Final_Clause_In_Switch_Statement pretty_name: R15 03 Non Default Final Clause In Switch Statement - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R15_05_No_Cases_in_Switch_Statement: categories: @@ -17836,6 +19411,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R15_05_No_Cases_in_Switch_Statement pretty_name: R15 05 No Cases in Switch Statement - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R16_01_Function_With_Variable_Number_Of_Arguments: categories: @@ -17848,6 +19424,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R16_01_Function_With_Variable_Number_Of_Arguments pretty_name: R16 01 Function With Variable Number Of Arguments - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R16_02_Recursion_Exists: categories: @@ -17860,6 +19437,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R16_02_Recursion_Exists pretty_name: R16 02 Recursion Exists - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R16_03_Function_Prototype_Without_Identifiers: categories: @@ -17873,6 +19451,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R16_03_Function_Prototype_Without_Identifiers pretty_name: R16 03 Function Prototype Without Identifiers - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R16_04_Different_Identifiers_In_Function_Definition_And_Prototype: categories: 
@@ -17887,6 +19466,7 @@ rules: name: CPP_MISRA_C_R16_04_Different_Identifiers_In_Function_Definition_And_Prototype pretty_name: R16 04 Different Identifiers In Function Definition And Prototype - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R16_05_Function_Prototype_Declaration_Without_Parameters: categories: @@ -17900,6 +19480,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R16_05_Function_Prototype_Declaration_Without_Parameters pretty_name: R16 05 Function Prototype Declaration Without Parameters - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R16_06_Function_Invoke_Arg_Number_Not_Match_Function_Def_Number: categories: @@ -17916,6 +19497,7 @@ rules: name: CPP_MISRA_C_R16_06_Function_Invoke_Arg_Number_Not_Match_Function_Def_Number pretty_name: R16 06 Function Invoke Arg Number Not Match Function Def Number - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R16_07_Parameter_Pointer_To_Const_Where_Not_Modified: categories: @@ -17929,6 +19511,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R16_07_Parameter_Pointer_To_Const_Where_Not_Modified pretty_name: R16 07 Parameter Pointer To Const Where Not Modified - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R16_08_Non_Explicit_Return_Statement_In_Non_Void_Function: categories: @@ -17942,6 +19525,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R16_08_Non_Explicit_Return_Statement_In_Non_Void_Function pretty_name: R16 08 Non Explicit Return Statement In Non Void Function - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R16_09_Using_Function_Identifier_Not_Call_Or_Pointer: categories: 
@@ -17954,6 +19538,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_R16_09_Using_Function_Identifier_Not_Call_Or_Pointer
 pretty_name: R16 09 Using Function Identifier Not Call Or Pointer - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_R18_04_Use_Of_Union:
 categories:
@@ -17967,6 +19552,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_R18_04_Use_Of_Union
 pretty_name: R18 04 Use Of Union - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_R19_01_Non_Prepocessor_Command_Before_Include_In_File:
 categories:
@@ -17980,6 +19566,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_R19_01_Non_Prepocessor_Command_Before_Include_In_File
 pretty_name: R19 01 Non Prepocessor Command Before Include In File - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_R19_02_Non_Standard_Chars_In_Header_File_Name:
 categories:
@@ -17993,6 +19580,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_R19_02_Non_Standard_Chars_In_Header_File_Name
 pretty_name: R19 02 Non Standard Chars In Header File Name - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_R19_03_Include_Directive_In_Wrong_Format:
 categories:
@@ -18006,6 +19594,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_R19_03_Include_Directive_In_Wrong_Format
 pretty_name: R19 03 Include Directive In Wrong Format - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_R19_05_Using_Define_Or_Undef_Directive_In_Block:
 categories:
@@ -18019,6 +19608,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R19_05_Using_Define_Or_Undef_Directive_In_Block pretty_name: R19 05 Using Define Or Undef Directive In Block - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R19_06_Use_Of_Undef_Derective: categories: @@ -18032,6 +19622,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R19_06_Use_Of_Undef_Derective pretty_name: R19 06 Use Of Undef Derective - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R19_12_Multiple_Pound_Or_Double_Pound_In_Same_Macro: categories: @@ -18044,6 +19635,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R19_12_Multiple_Pound_Or_Double_Pound_In_Same_Macro pretty_name: R19 12 Multiple Pound Or Double Pound In Same Macro - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R19_13_Pound_Preprocessor_Operator_Is_Used: categories: @@ -18057,6 +19649,7 @@ rules: group: top10-insecure-design name: CPP_MISRA_C_R19_13_Pound_Preprocessor_Operator_Is_Used pretty_name: R19 13 Pound Preprocessor Operator Is Used - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R19_17_Preprocessor_If_And_Else_Operators_Reside_In_Different_Files: categories: @@ -18072,6 +19665,7 @@ rules: name: CPP_MISRA_C_R19_17_Preprocessor_If_And_Else_Operators_Reside_In_Different_Files pretty_name: R19 17 Preprocessor If And Else Operators Reside In Different Files - CPP + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_C_R20_05_Using_Errno_Indicator_From_Errno_H: categories: 
@@ -18086,6 +19680,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_R20_05_Using_Errno_Indicator_From_Errno_H
 pretty_name: R20 05 Using Errno Indicator From Errno H - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_R20_06_Using_Offsetof_Macro_From_Stddef_H:
 categories:
@@ -18100,6 +19695,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_R20_06_Using_Offsetof_Macro_From_Stddef_H
 pretty_name: R20 06 Using Offsetof Macro From Stddef H - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_R20_07_Using_Setjmp_Longjmp_Macros_From_Setjmp_H:
 categories:
@@ -18113,6 +19709,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_R20_07_Using_Setjmp_Longjmp_Macros_From_Setjmp_H
 pretty_name: R20 07 Using Setjmp Longjmp Macros From Setjmp H - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_R20_08_Using_Signal_Handling_From_Signal_H:
 categories:
@@ -18126,6 +19723,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_R20_08_Using_Signal_Handling_From_Signal_H
 pretty_name: R20 08 Using Signal Handling From Signal H - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_R20_09_Using_Input_Output_From_Stdio_H:
 categories:
@@ -18139,6 +19737,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_R20_09_Using_Input_Output_From_Stdio_H
 pretty_name: R20 09 Using Input Output From Stdio H - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_R20_10_Using_Atof_Atoi_Atol_Functions_From_Stdlib_H:
 categories:
@@ -18152,6 +19751,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_R20_10_Using_Atof_Atoi_Atol_Functions_From_Stdlib_H
 pretty_name: R20 10 Using Atof Atoi Atol Functions From Stdlib H - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_R20_11_Using_Abort_Exit_Getenv_System_Functions_From_Stdlib_H:
 categories:
@@ -18165,6 +19765,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_R20_11_Using_Abort_Exit_Getenv_System_Functions_From_Stdlib_H
 pretty_name: R20 11 Using Abort Exit Getenv System Functions From Stdlib H - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_MISRA_C_R20_12_Using_Time_Handling_From_Time_H:
 categories:
@@ -18178,6 +19779,7 @@ rules:
 group: top10-insecure-design
 name: CPP_MISRA_C_R20_12_Using_Time_Handling_From_Time_H
 pretty_name: R20 12 Using Time Handling From Time H - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Cleartext_Transmission_Of_Sensitive_Information:
 categories:
@@ -18191,6 +19793,7 @@ rules:
 group: top10-broken-access-control
 name: CPP_Medium_Threat_Cleartext_Transmission_Of_Sensitive_Information
 pretty_name: Cleartext Transmission Of Sensitive Information - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_DB_Parameter_Tampering:
 categories:
@@ -18204,6 +19807,7 @@ rules:
 group: top10-broken-access-control
 name: CPP_Medium_Threat_DB_Parameter_Tampering
 pretty_name: DB Parameter Tampering - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Dangerous_Functions:
 categories:
@@ -18217,6 +19821,7 @@ rules:
 group: top10-vulnerable-components
 name: CPP_Medium_Threat_Dangerous_Functions
 pretty_name: Dangerous Functions - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Divide_By_Zero:
 categories:
@@ -18229,6 +19834,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Medium_Threat_Divide_By_Zero
 pretty_name: Divide By Zero - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_DoS_by_Sleep:
 categories:
@@ -18241,6 +19847,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Medium_Threat_DoS_by_Sleep
 pretty_name: DoS by Sleep - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Double_Free:
 categories:
@@ -18254,6 +19861,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Medium_Threat_Double_Free
 pretty_name: Double Free - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Download_of_Code_Without_Integrity_Check:
 categories:
@@ -18268,6 +19876,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: CPP_Medium_Threat_Download_of_Code_Without_Integrity_Check
 pretty_name: Download of Code Without Integrity Check - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Environment_Injection:
 categories:
@@ -18280,6 +19889,7 @@ rules:
 group: top10-security-misconfiguration
 name: CPP_Medium_Threat_Environment_Injection
 pretty_name: Environment Injection - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Hardcoded_password_in_Connection_String:
 categories:
@@ -18293,6 +19903,7 @@ rules:
 group: top10-security-misconfiguration
 name: CPP_Medium_Threat_Hardcoded_password_in_Connection_String
 pretty_name: Hardcoded password in Connection String - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Improperly_Locked_Memory:
 categories:
@@ -18308,6 +19919,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Medium_Threat_Improperly_Locked_Memory
 pretty_name: Improperly Locked Memory - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Inadequate_Encryption_Strength:
 categories:
@@ -18322,6 +19934,7 @@ rules:
 group: top10-crypto-failures
 name: CPP_Medium_Threat_Inadequate_Encryption_Strength
 pretty_name: Inadequate Encryption Strength - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Inadequate_Pointer_Validation:
 categories:
@@ -18335,6 +19948,7 @@ rules:
 group: top10-injection
 name: CPP_Medium_Threat_Inadequate_Pointer_Validation
 pretty_name: Inadequate Pointer Validation - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_MemoryFree_on_StackVariable:
 categories:
@@ -18348,6 +19962,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Medium_Threat_MemoryFree_on_StackVariable
 pretty_name: MemoryFree on StackVariable - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Memory_Leak:
 categories:
@@ -18361,6 +19976,7 @@ rules:
 group: top10-broken-access-control
 name: CPP_Medium_Threat_Memory_Leak
 pretty_name: Memory Leak - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Parameter_Tampering:
 categories:
@@ -18375,6 +19991,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Medium_Threat_Parameter_Tampering
 pretty_name: Parameter Tampering - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Path_Traversal:
 categories:
@@ -18392,6 +20009,7 @@ rules:
 group: top10-broken-access-control
 name: CPP_Medium_Threat_Path_Traversal
 pretty_name: Path Traversal - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Plaintext_Storage_Of_A_Password:
 categories:
@@ -18404,6 +20022,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Medium_Threat_Plaintext_Storage_Of_A_Password
 pretty_name: Plaintext Storage Of A Password - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Pointer_Subtraction_Determines_Size:
 categories:
@@ -18417,6 +20036,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Medium_Threat_Pointer_Subtraction_Determines_Size
 pretty_name: Pointer Subtraction Determines Size - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Setting_Manipulation:
 categories:
@@ -18429,6 +20049,7 @@ rules:
 group: top10-security-misconfiguration
 name: CPP_Medium_Threat_Setting_Manipulation
 pretty_name: Setting Manipulation - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Uncontrolled_Recursion:
 categories:
@@ -18443,6 +20064,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Medium_Threat_Uncontrolled_Recursion
 pretty_name: Uncontrolled Recursion - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Use_After_Free:
 categories:
@@ -18457,6 +20079,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Medium_Threat_Use_After_Free
 pretty_name: Use After Free - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key:
 categories:
@@ -18470,6 +20093,7 @@ rules:
 group: top10-crypto-failures
 name: CPP_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key
 pretty_name: Use of Hard coded Cryptographic Key - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Use_of_Uninitialized_Pointer:
 categories:
@@ -18483,6 +20107,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Medium_Threat_Use_of_Uninitialized_Pointer
 pretty_name: Use of Uninitialized Pointer - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Use_of_Uninitialized_Variable:
 categories:
@@ -18496,6 +20121,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Medium_Threat_Use_of_Uninitialized_Variable
 pretty_name: Use of Uninitialized Variable - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Use_of_Zero_Initialized_Pointer:
 categories:
@@ -18509,6 +20135,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Medium_Threat_Use_of_Zero_Initialized_Pointer
 pretty_name: Use of Zero Initialized Pointer - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt:
 categories:
@@ -18523,6 +20150,7 @@ rules:
 group: top10-crypto-failures
 name: CPP_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt
 pretty_name: Use of a One Way Hash without a Salt - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Medium_Threat_Wrong_Memory_Allocation:
 categories:
@@ -18536,6 +20164,7 @@ rules:
 group: top10-injection
 name: CPP_Medium_Threat_Wrong_Memory_Allocation
 pretty_name: Wrong Memory Allocation - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Stored_Vulnerabilities_Second_Order_SQL_Injection:
 categories:
@@ -18552,6 +20181,7 @@ rules:
 group: top10-injection
 name: CPP_Stored_Vulnerabilities_Second_Order_SQL_Injection
 pretty_name: Second Order SQL Injection - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_boundcpy:
 categories:
@@ -18566,6 +20196,7 @@ rules:
 group: top10-injection
 name: CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_boundcpy
 pretty_name: Stored Buffer Overflow boundcpy - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_cpycat:
 categories:
@@ -18580,6 +20211,7 @@ rules:
 group: top10-injection
 name: CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_cpycat
 pretty_name: Stored Buffer Overflow cpycat - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_fgets:
 categories:
@@ -18594,6 +20226,7 @@ rules:
 group: top10-injection
 name: CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_fgets
 pretty_name: Stored Buffer Overflow fgets - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_fscanf:
 categories:
@@ -18608,6 +20241,7 @@ rules:
 group: top10-injection
 name: CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_fscanf
 pretty_name: Stored Buffer Overflow fscanf - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Stored_Vulnerabilities_Stored_Command_Injection:
 categories:
@@ -18624,6 +20258,7 @@ rules:
 group: top10-injection
 name: CPP_Stored_Vulnerabilities_Stored_Command_Injection
 pretty_name: Stored Command Injection - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Stored_Vulnerabilities_Stored_Connection_String_Injection:
 categories:
@@ -18638,6 +20273,7 @@ rules:
 group: top10-injection
 name: CPP_Stored_Vulnerabilities_Stored_Connection_String_Injection
 pretty_name: Stored Connection String Injection - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Stored_Vulnerabilities_Stored_DB_Parameter_Tampering:
 categories:
@@ -18651,6 +20287,7 @@ rules:
 group: top10-broken-access-control
 name: CPP_Stored_Vulnerabilities_Stored_DB_Parameter_Tampering
 pretty_name: Stored DB Parameter Tampering - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Stored_Vulnerabilities_Stored_DoS_by_Sleep:
 categories:
@@ -18663,6 +20300,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Stored_Vulnerabilities_Stored_DoS_by_Sleep
 pretty_name: Stored DoS by Sleep - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Stored_Vulnerabilities_Stored_Environment_Injection:
 categories:
@@ -18675,6 +20313,7 @@ rules:
 group: top10-security-misconfiguration
 name: CPP_Stored_Vulnerabilities_Stored_Environment_Injection
 pretty_name: Stored Environment Injection - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Stored_Vulnerabilities_Stored_Format_String_Attack:
 categories:
@@ -18688,6 +20327,7 @@ rules:
 group: top10-injection
 name: CPP_Stored_Vulnerabilities_Stored_Format_String_Attack
 pretty_name: Stored Format String Attack - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Stored_Vulnerabilities_Stored_LDAP_Injection:
 categories:
@@ -18703,6 +20343,7 @@ rules:
 group: top10-injection
 name: CPP_Stored_Vulnerabilities_Stored_LDAP_Injection
 pretty_name: Stored LDAP Injection - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Stored_Vulnerabilities_Stored_Log_Forging:
 categories:
@@ -18715,6 +20356,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: CPP_Stored_Vulnerabilities_Stored_Log_Forging
 pretty_name: Stored Log Forging - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Stored_Vulnerabilities_Stored_Parameter_Tampering:
 categories:
@@ -18729,6 +20371,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Stored_Vulnerabilities_Stored_Parameter_Tampering
 pretty_name: Stored Parameter Tampering - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Stored_Vulnerabilities_Stored_Path_Traversal:
 categories:
@@ -18746,6 +20389,7 @@ rules:
 group: top10-broken-access-control
 name: CPP_Stored_Vulnerabilities_Stored_Path_Traversal
 pretty_name: Stored Path Traversal - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Stored_Vulnerabilities_Stored_Process_Control:
 categories:
@@ -18760,6 +20404,7 @@ rules:
 group: top10-injection
 name: CPP_Stored_Vulnerabilities_Stored_Process_Control
 pretty_name: Stored Process Control - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Stored_Vulnerabilities_Stored_Resource_Injection:
 categories:
@@ -18774,6 +20419,7 @@ rules:
 group: top10-injection
 name: CPP_Stored_Vulnerabilities_Stored_Resource_Injection
 pretty_name: Stored Resource Injection - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Weak_Cryptography_Asymmetric_Encryption_Improper_Padding:
 categories:
@@ -18788,6 +20434,7 @@ rules:
 group: top10-crypto-failures
 name: CPP_Weak_Cryptography_Asymmetric_Encryption_Improper_Padding
 pretty_name: Asymmetric Encryption Improper Padding - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Weak_Cryptography_Asymmetric_Encryption_Insufficient_Key_Size:
 categories:
@@ -18802,6 +20449,7 @@ rules:
 group: top10-crypto-failures
 name: CPP_Weak_Cryptography_Asymmetric_Encryption_Insufficient_Key_Size
 pretty_name: Asymmetric Encryption Insufficient Key Size - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Weak_Cryptography_Asymmetric_Encryption_RSA_Low_Public_Exponent:
 categories:
@@ -18816,6 +20464,7 @@ rules:
 group: top10-crypto-failures
 name: CPP_Weak_Cryptography_Asymmetric_Encryption_RSA_Low_Public_Exponent
 pretty_name: Asymmetric Encryption RSA Low Public Exponent - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Weak_Cryptography_Encoding_Used_Instead_of_Encryption:
 categories:
@@ -18829,6 +20478,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Weak_Cryptography_Encoding_Used_Instead_of_Encryption
 pretty_name: Encoding Used Instead of Encryption - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Weak_Cryptography_Hashing_Length_Extension_Attack:
 categories:
@@ -18843,6 +20493,7 @@ rules:
 group: top10-crypto-failures
 name: CPP_Weak_Cryptography_Hashing_Length_Extension_Attack
 pretty_name: Hashing Length Extension Attack - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Weak_Cryptography_Personal_Information_Without_Encryption:
 categories:
@@ -18856,6 +20507,7 @@ rules:
 group: top10-insecure-design
 name: CPP_Weak_Cryptography_Personal_Information_Without_Encryption
 pretty_name: Personal Information Without Encryption - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Cipher_Mode:
 categories:
@@ -18870,6 +20522,7 @@ rules:
 group: top10-crypto-failures
 name: CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Cipher_Mode
 pretty_name: Symmetric Encryption Insecure Cipher Mode - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Predictable_IV:
 categories:
@@ -18884,6 +20537,7 @@ rules:
 group: top10-crypto-failures
 name: CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Predictable_IV
 pretty_name: Symmetric Encryption Insecure Predictable IV - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Predictable_Key:
 categories:
@@ -18898,6 +20552,7 @@ rules:
 group: top10-crypto-failures
 name: CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Predictable_Key
 pretty_name: Symmetric Encryption Insecure Predictable Key - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Static_IV:
 categories:
@@ -18912,6 +20567,7 @@ rules:
 group: top10-crypto-failures
 name: CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Static_IV
 pretty_name: Symmetric Encryption Insecure Static IV - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Static_Key:
 categories:
@@ -18926,6 +20582,7 @@ rules:
 group: top10-crypto-failures
 name: CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Static_Key
 pretty_name: Symmetric Encryption Insecure Static Key - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Weak_Cryptography_Use_Of_Weak_Hashing_Primitive:
 categories:
@@ -18940,6 +20597,7 @@ rules:
 group: top10-crypto-failures
 name: CPP_Weak_Cryptography_Use_Of_Weak_Hashing_Primitive
 pretty_name: Use Of Weak Hashing Primitive - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CPP_Weak_Cryptography_Weak_Randomness_Biased_Random_Sample:
 categories:
@@ -18953,6 +20611,7 @@ rules:
 group: top10-crypto-failures
 name: CPP_Weak_Cryptography_Weak_Randomness_Biased_Random_Sample
 pretty_name: Weak Randomness Biased Random Sample - CPP
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Aptca_Methods_Call_Non_Aptca_Methods:
 categories:
@@ -18966,6 +20625,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Aptca_Methods_Call_Non_Aptca_Methods
 pretty_name: Aptca Methods Call Non Aptca Methods - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Catch_NullPointerException:
 categories:
@@ -18979,6 +20639,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Catch_NullPointerException
 pretty_name: Catch NullPointerException - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception:
 categories:
@@ -18992,6 +20653,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception
 pretty_name: Declaration Of Catch For Generic Exception - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Deprecated_Methods:
 categories:
@@ -19004,6 +20666,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Deprecated_Methods
 pretty_name: Deprecated Methods - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action:
 categories:
@@ -19017,6 +20680,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action
 pretty_name: Detection of Error Condition Without Action - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Direct_Use_of_Sockets:
 categories:
@@ -19030,6 +20694,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Direct_Use_of_Sockets
 pretty_name: Direct Use of Sockets - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Dynamic_SQL_Queries:
 categories:
@@ -19046,6 +20711,7 @@ rules:
 group: top10-injection
 name: CSharp_Best_Coding_Practice_Dynamic_SQL_Queries
 pretty_name: Dynamic SQL Queries - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere:
 categories:
@@ -19059,6 +20725,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere
 pretty_name: Exposure of Resource to Wrong Sphere - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_GetLastWin32Error_Is_Not_Called_After_Pinvoke:
 categories:
@@ -19073,6 +20740,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_GetLastWin32Error_Is_Not_Called_After_Pinvoke
 pretty_name: GetLastWin32Error Is Not Called After Pinvoke - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Hardcoded_Absolute_Path:
 categories:
@@ -19087,6 +20755,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: CSharp_Best_Coding_Practice_Hardcoded_Absolute_Path
 pretty_name: Hardcoded Absolute Path - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Hardcoded_Connection_String:
 categories:
@@ -19102,6 +20771,7 @@ rules:
 group: top10-id-authn-failures
 name: CSharp_Best_Coding_Practice_Hardcoded_Connection_String
 pretty_name: Hardcoded Connection String - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Insufficient_Logging_of_Database_Actions:
 categories:
@@ -19114,6 +20784,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: CSharp_Best_Coding_Practice_Insufficient_Logging_of_Database_Actions
 pretty_name: Insufficient Logging of Database Actions - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Insufficient_Logging_of_Exceptions:
 categories:
@@ -19126,6 +20797,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: CSharp_Best_Coding_Practice_Insufficient_Logging_of_Exceptions
 pretty_name: Insufficient Logging of Exceptions - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Insufficient_Logging_of_Sensitive_Operations:
 categories:
@@ -19138,6 +20810,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: CSharp_Best_Coding_Practice_Insufficient_Logging_of_Sensitive_Operations
 pretty_name: Insufficient Logging of Sensitive Operations - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined:
 categories:
@@ -19150,6 +20823,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined
 pretty_name: Just One of Equals and Hash code Defined - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Leftover_Debug_Code:
 categories:
@@ -19164,6 +20838,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Leftover_Debug_Code
 pretty_name: Leftover Debug Code - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Magic_Numbers:
 categories:
@@ -19177,6 +20852,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Magic_Numbers
 pretty_name: Magic Numbers - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Missing_XML_Validation:
 categories:
@@ -19190,6 +20866,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Missing_XML_Validation
 pretty_name: Missing XML Validation - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_NULL_Argument_to_Equals:
 categories:
@@ -19203,6 +20880,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_NULL_Argument_to_Equals
 pretty_name: NULL Argument to Equals - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Non_Private_Static_Constructors:
 categories:
@@ -19215,6 +20893,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Non_Private_Static_Constructors
 pretty_name: Non Private Static Constructors - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Pages_Without_Global_Error_Handler:
 categories:
@@ -19229,6 +20908,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Pages_Without_Global_Error_Handler
 pretty_name: Pages Without Global Error Handler - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_PersistSecurityInfo_is_True:
 categories:
@@ -19242,6 +20922,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_PersistSecurityInfo_is_True
 pretty_name: PersistSecurityInfo is True - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Routed_Deprecated_Code:
 categories:
@@ -19255,6 +20936,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Routed_Deprecated_Code
 pretty_name: Routed Deprecated Code - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Suspicious_Endpoints:
 categories:
@@ -19269,6 +20951,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Suspicious_Endpoints
 pretty_name: Suspicious Endpoints - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Threads_in_WebApp:
 categories:
@@ -19282,6 +20965,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Threads_in_WebApp
 pretty_name: Threads in WebApp - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Unchecked_Error_Condition:
 categories:
@@ -19294,6 +20978,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Unchecked_Error_Condition
 pretty_name: Unchecked Error Condition - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Unchecked_Return_Value:
 categories:
@@ -19307,6 +20992,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Unchecked_Return_Value
 pretty_name: Unchecked Return Value - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Unclosed_Objects:
 categories:
@@ -19320,6 +21006,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Unclosed_Objects
 pretty_name: Unclosed Objects - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Undocumented_API:
 categories:
@@ -19333,6 +21020,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Undocumented_API
 pretty_name: Undocumented API - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Unsafe_Bidi_Unicode_Data:
 categories:
@@ -19349,6 +21037,7 @@ rules:
 group: top10-injection
 name: CSharp_Best_Coding_Practice_Unsafe_Bidi_Unicode_Data
 pretty_name: Unsafe Bidi Unicode Data - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Unsafe_Homoglyphs_Unicode_Data:
 categories:
@@ -19365,6 +21054,7 @@ rules:
 group: top10-injection
 name: CSharp_Best_Coding_Practice_Unsafe_Homoglyphs_Unicode_Data
 pretty_name: Unsafe Homoglyphs Unicode Data - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Unvalidated_Arguments_Of_Public_Methods:
 categories:
@@ -19377,6 +21067,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Unvalidated_Arguments_Of_Public_Methods
 pretty_name: Unvalidated Arguments Of Public Methods - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Use_Of_Uninitialized_Variables:
 categories:
@@ -19390,6 +21081,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Use_Of_Uninitialized_Variables
 pretty_name: Use Of Uninitialized Variables - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Use_of_System_Output_Stream:
 categories:
@@ -19402,6 +21094,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Use_of_System_Output_Stream
 pretty_name: Use of System Output Stream - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Using_Of_Index_Instead_Of_Key:
 categories:
@@ -19414,6 +21107,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Using_Of_Index_Instead_Of_Key
 pretty_name: Using Of Index Instead Of Key - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Best_Coding_Practice_Visible_Pointers:
 categories:
@@ -19426,6 +21120,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Best_Coding_Practice_Visible_Pointers
 pretty_name: Visible Pointers - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Heuristic_Heuristic_2nd_Order_SQL_Injection:
 categories:
@@ -19442,6 +21137,7 @@ rules:
 group: top10-injection
 name: CSharp_Heuristic_Heuristic_2nd_Order_SQL_Injection
 pretty_name: Heuristic 2nd Order SQL Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Heuristic_Heuristic_CSRF:
 categories:
@@ -19457,6 +21153,7 @@ rules:
 group: top10-injection
 name: CSharp_Heuristic_Heuristic_CSRF
 pretty_name: Heuristic CSRF - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Heuristic_Heuristic_DB_Parameter_Tampering:
 categories:
@@ -19470,6 +21167,7 @@ rules:
 group: top10-broken-access-control
 name: CSharp_Heuristic_Heuristic_DB_Parameter_Tampering
 pretty_name: Heuristic DB Parameter Tampering - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Heuristic_Heuristic_Parameter_Tampering:
 categories:
@@ -19484,6 +21182,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Heuristic_Heuristic_Parameter_Tampering
 pretty_name: Heuristic Parameter Tampering - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Heuristic_Heuristic_SQL_Injection:
 categories:
@@ -19500,6 +21199,7 @@ rules:
 group: top10-injection
 name: CSharp_Heuristic_Heuristic_SQL_Injection
 pretty_name: Heuristic SQL Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Heuristic_Heuristic_Stored_XSS:
 categories:
@@ -19515,6 +21215,7 @@ rules:
 group: top10-injection
 name: CSharp_Heuristic_Heuristic_Stored_XSS
 pretty_name: Heuristic Stored XSS - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_High_Risk_Code_Injection:
 categories:
@@ -19532,6 +21233,7 @@ rules:
 group: top10-injection
 name: CSharp_High_Risk_Code_Injection
 pretty_name: Code Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_High_Risk_Command_Injection:
 categories:
@@ -19549,6 +21251,7 @@ rules:
 group: top10-injection
 name: CSharp_High_Risk_Command_Injection
 pretty_name: Command Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_High_Risk_Connection_String_Injection:
 categories:
@@ -19564,6 +21267,7 @@ rules:
 group: top10-injection
 name: CSharp_High_Risk_Connection_String_Injection
 pretty_name: Connection String Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_High_Risk_Dangerous_File_Upload:
 categories:
@@ -19579,6 +21283,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_High_Risk_Dangerous_File_Upload
 pretty_name: Dangerous File Upload - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_High_Risk_Deserialization_of_Untrusted_Data:
 categories:
@@ -19594,6 +21299,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: CSharp_High_Risk_Deserialization_of_Untrusted_Data
 pretty_name: Deserialization of Untrusted Data - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_High_Risk_Deserialization_of_Untrusted_Data_MSMQ:
 categories:
@@ -19609,6 +21315,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: CSharp_High_Risk_Deserialization_of_Untrusted_Data_MSMQ
 pretty_name: Deserialization of Untrusted Data MSMQ - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_High_Risk_JWT_No_Signature_Verification:
 categories:
@@ -19624,6 +21331,7 @@ rules:
 group: top10-id-authn-failures
 name: CSharp_High_Risk_JWT_No_Signature_Verification
 pretty_name: JWT No Signature Verification - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_High_Risk_LDAP_Injection:
 categories:
@@ -19640,6 +21348,7 @@ rules:
 group: top10-injection
 name: CSharp_High_Risk_LDAP_Injection
 pretty_name: LDAP Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_High_Risk_Reflected_XSS_All_Clients:
 categories:
@@ -19656,6 +21365,7 @@ rules:
 group: top10-injection
 name: CSharp_High_Risk_Reflected_XSS_All_Clients
 pretty_name: Reflected XSS All Clients - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_High_Risk_Resource_Injection:
 categories:
@@ -19671,6 +21381,7 @@ rules:
 group: top10-injection
 name: CSharp_High_Risk_Resource_Injection
 pretty_name: Resource Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_High_Risk_SQL_Injection:
 categories:
@@ -19688,6 +21399,7 @@ rules:
 group: top10-injection
 name: CSharp_High_Risk_SQL_Injection
 pretty_name: SQL Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_High_Risk_Second_Order_SQL_Injection:
 categories:
@@ -19705,6 +21417,7 @@ rules:
 group: top10-injection
 name: CSharp_High_Risk_Second_Order_SQL_Injection
 pretty_name: Second Order SQL Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_High_Risk_Stored_XSS:
 categories:
@@ -19721,6 +21434,7 @@ rules:
 group: top10-injection
 name: CSharp_High_Risk_Stored_XSS
 pretty_name: Stored XSS - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_High_Risk_UTF7_XSS:
 categories:
@@ -19737,6 +21451,7 @@ rules:
 group: top10-injection
 name: CSharp_High_Risk_UTF7_XSS
 pretty_name: UTF7 XSS - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_High_Risk_Unsafe_Reflection:
 categories:
@@ -19752,6 +21467,7 @@ rules:
 group: top10-injection
 name: CSharp_High_Risk_Unsafe_Reflection
 pretty_name: Unsafe Reflection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_High_Risk_XPath_Injection:
 categories:
@@ -19768,6 +21484,7 @@ rules:
 group: top10-injection
 name: CSharp_High_Risk_XPath_Injection
 pretty_name: XPath Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Blind_SQL_Injections:
 categories:
@@ -19784,6 +21501,7 @@ rules:
 group: top10-injection
 name: CSharp_Low_Visibility_Blind_SQL_Injections
 pretty_name: Blind SQL Injections - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors:
 categories:
@@ -19797,6 +21515,7 @@ rules:
 group: top10-injection
 name: CSharp_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors
 pretty_name: Cleansing Canonicalization and Comparison Errors - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Client_Side_Only_Validation:
 categories:
@@ -19810,6 +21529,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Low_Visibility_Client_Side_Only_Validation
 pretty_name: Client Side Only Validation - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Command_Argument_Injection:
 categories:
@@ -19824,6 +21544,7 @@ rules:
 group: top10-injection
 name: CSharp_Low_Visibility_Command_Argument_Injection
 pretty_name: Command Argument Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Cross_Site_History_Manipulation:
 categories:
@@ -19839,6 +21560,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: CSharp_Low_Visibility_Cross_Site_History_Manipulation
 pretty_name: Cross Site History Manipulation - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Heap_Inspection:
 categories:
@@ -19853,6 +21575,7 @@ rules:
 group: top10-broken-access-control
 name: CSharp_Low_Visibility_Heap_Inspection
 pretty_name: Heap Inspection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Impersonation_Issue:
 categories:
@@ -19866,6 +21589,7 @@ rules:
 group: top10-security-misconfiguration
 name: CSharp_Low_Visibility_Impersonation_Issue
 pretty_name: Impersonation Issue - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Improper_Encoding_Of_Output:
 categories:
@@ -19881,6 +21605,7 @@ rules:
 group: top10-injection
 name: CSharp_Low_Visibility_Improper_Encoding_Of_Output
 pretty_name: Improper Encoding Of Output - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Improper_Exception_Handling:
 categories:
@@ -19893,6 +21618,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Low_Visibility_Improper_Exception_Handling
 pretty_name: Improper Exception Handling - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Improper_Resource_Shutdown_or_Release:
 categories:
@@ -19906,6 +21632,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Low_Visibility_Improper_Resource_Shutdown_or_Release
 pretty_name: Improper Resource Shutdown or Release - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Improper_Session_Management:
 categories:
@@ -19919,6 +21646,7 @@ rules:
 group: top10-broken-access-control
 name: CSharp_Low_Visibility_Improper_Session_Management
 pretty_name: Improper Session Management - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Improper_Transaction_Handling:
 categories:
@@ -19933,6 +21661,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Low_Visibility_Improper_Transaction_Handling
 pretty_name: Improper Transaction Handling - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Inappropriate_Encoding_for_Output_Context:
 categories:
@@ -19947,6 +21676,7 @@ rules:
 group: top10-injection
 name: CSharp_Low_Visibility_Inappropriate_Encoding_for_Output_Context
 pretty_name: Inappropriate Encoding for Output Context - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Information_Exposure_Through_an_Error_Message:
 categories:
@@ -19960,6 +21690,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Low_Visibility_Information_Exposure_Through_an_Error_Message
 pretty_name: Information Exposure Through an Error Message - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Information_Exposure_via_Headers:
 categories:
@@ -19973,6 +21704,7 @@ rules:
 group: top10-broken-access-control
 name: CSharp_Low_Visibility_Information_Exposure_via_Headers
 pretty_name: Information Exposure via Headers - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Information_Leak_Through_Persistent_Cookies:
 categories:
@@ -19986,6 +21718,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Low_Visibility_Information_Leak_Through_Persistent_Cookies
 pretty_name: Information Leak Through Persistent Cookies - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Insufficiently_Protected_Credentials:
 categories:
@@ -20000,6 +21733,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Low_Visibility_Insufficiently_Protected_Credentials
 pretty_name: Insufficiently Protected Credentials - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_JWT_Excessive_Expiration_Time:
 categories:
@@ -20014,6 +21748,7 @@ rules:
 group: top10-id-authn-failures
 name: CSharp_Low_Visibility_JWT_Excessive_Expiration_Time
 pretty_name: JWT Excessive Expiration Time - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_JWT_Use_Of_Hardcoded_Secret:
 categories:
@@ -20029,6 +21764,7 @@ rules:
 group: top10-id-authn-failures
 name: CSharp_Low_Visibility_JWT_Use_Of_Hardcoded_Secret
 pretty_name: JWT Use Of Hardcoded Secret - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_JavaScript_Hijacking:
 categories:
@@ -20044,6 +21780,7 @@ rules:
 group: top10-injection
 name: CSharp_Low_Visibility_JavaScript_Hijacking
 pretty_name: JavaScript Hijacking - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Leaving_Temporary_Files:
 categories:
@@ -20056,6 +21793,7 @@ rules:
 group: top10-broken-access-control
 name: CSharp_Low_Visibility_Leaving_Temporary_Files
 pretty_name: Leaving Temporary Files - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Log_Forging:
 categories:
@@ -20068,6 +21806,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: CSharp_Low_Visibility_Log_Forging
 pretty_name: Log Forging - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Missing_Content_Security_Policy:
 categories:
@@ -20081,6 +21820,7 @@ rules:
 group: top10-id-authn-failures
 name: CSharp_Low_Visibility_Missing_Content_Security_Policy
 pretty_name: Missing Content Security Policy - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Missing_Function_Level_Authorization:
 categories:
@@ -20095,6 +21835,7 @@ rules:
 group: top10-broken-access-control
 name: CSharp_Low_Visibility_Missing_Function_Level_Authorization
 pretty_name: Missing Function Level Authorization - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Off_By_One_Error:
 categories:
@@ -20108,6 +21849,7 @@ rules:
 group: top10-injection
 name: CSharp_Low_Visibility_Off_By_One_Error
 pretty_name: Off By One Error - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Open_Redirect:
 categories:
@@ -20122,6 +21864,7 @@ rules:
 group: top10-broken-access-control
 name: CSharp_Low_Visibility_Open_Redirect
 pretty_name: Open Redirect - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy:
 categories:
@@ -20135,6 +21878,7 @@ rules:
 group: top10-id-authn-failures
 name: CSharp_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy
 pretty_name: Overly Permissive Cross Origin Resource Sharing Policy - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Password_In_Comment:
 categories:
@@ -20150,6 +21894,7 @@ rules:
 group: top10-id-authn-failures
 name: CSharp_Low_Visibility_Password_In_Comment
 pretty_name: Password In Comment - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Permissive_Content_Security_Policy:
 categories:
@@ -20163,6 +21908,7 @@ rules:
 group: top10-id-authn-failures
 name: CSharp_Low_Visibility_Permissive_Content_Security_Policy
 pretty_name: Permissive Content Security Policy - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Potential_ReDoS:
 categories:
@@ -20178,6 +21924,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Low_Visibility_Potential_ReDoS
 pretty_name: Potential ReDoS - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Potential_ReDoS_By_Injection:
 categories:
@@ -20193,6 +21940,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Low_Visibility_Potential_ReDoS_By_Injection
 pretty_name: Potential ReDoS By Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Potential_ReDoS_In_Code:
 categories:
@@ -20208,6 +21956,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Low_Visibility_Potential_ReDoS_In_Code
 pretty_name: Potential ReDoS In Code - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Potential_ReDoS_In_Static_Field:
 categories:
@@ -20223,6 +21972,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Low_Visibility_Potential_ReDoS_In_Static_Field
 pretty_name: Potential ReDoS In Static Field - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision:
 categories:
@@ -20237,6 +21987,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision
 pretty_name: Reliance on DNS Lookups in a Decision - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Session_Clearing_Problems:
 categories:
@@ -20251,6 +22002,7 @@ rules:
 group: top10-id-authn-failures
 name: CSharp_Low_Visibility_Session_Clearing_Problems
 pretty_name: Session Clearing Problems - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Session_Poisoning:
 categories:
@@ -20265,6 +22017,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Low_Visibility_Session_Poisoning
 pretty_name: Session Poisoning - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Stored_Code_Injection:
 categories:
@@ -20281,6 +22034,7 @@ rules:
 group: top10-injection
 name: CSharp_Low_Visibility_Stored_Code_Injection
 pretty_name: Stored Code Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Stored_Command_Argument_Injection:
 categories:
@@ -20295,6 +22049,7 @@ rules:
 group: top10-injection
 name: CSharp_Low_Visibility_Stored_Command_Argument_Injection
 pretty_name: Stored Command Argument Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Thread_Safety_Issue:
 categories:
@@ -20309,6 +22064,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Low_Visibility_Thread_Safety_Issue
 pretty_name: Thread Safety Issue - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables:
 categories:
@@ -20322,6 +22078,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables
 pretty_name: Trust Boundary Violation in Session Variables - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_URL_Canonicalization_Issue:
 categories:
@@ -20336,6 +22093,7 @@ rules:
 group: top10-injection
 name: CSharp_Low_Visibility_URL_Canonicalization_Issue
 pretty_name: URL Canonicalization Issue - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Unencrypted_Web_Config_File:
 categories:
@@ -20349,6 +22107,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Low_Visibility_Unencrypted_Web_Config_File
 pretty_name: Unencrypted Web Config File - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Use_Of_Broken_Or_Risky_Cryptographic_Algorithm:
 categories:
@@ -20361,6 +22120,7 @@ rules:
 group: top10-crypto-failures
 name: CSharp_Low_Visibility_Use_Of_Broken_Or_Risky_Cryptographic_Algorithm
 pretty_name: Use Of Broken Or Risky Cryptographic Algorithm - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Use_Of_Hardcoded_Password:
 categories:
@@ -20374,6 +22134,7 @@ rules:
 group: top10-id-authn-failures
 name: CSharp_Low_Visibility_Use_Of_Hardcoded_Password
 pretty_name: Use Of Hardcoded Password - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Use_of_Insufficiently_Random_Values:
 categories:
@@ -20387,6 +22148,7 @@ rules:
 group: top10-crypto-failures
 name: CSharp_Low_Visibility_Use_of_Insufficiently_Random_Values
 pretty_name: Use of Insufficiently Random Values - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP:
 categories:
@@ -20400,6 +22162,7 @@ rules:
 group: top10-crypto-failures
 name: CSharp_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP
 pretty_name: Use of RSA Algorithm without OAEP - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Low_Visibility_XSS_Evasion_Attack:
 categories:
@@ -20415,6 +22178,7 @@ rules:
 group: top10-injection
 name: CSharp_Low_Visibility_XSS_Evasion_Attack
 pretty_name: XSS Evasion Attack - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Buffer_Overflow:
 categories:
@@ -20429,6 +22193,7 @@ rules:
 group: top10-injection
 name: CSharp_Medium_Threat_Buffer_Overflow
 pretty_name: Buffer Overflow - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_CGI_XSS:
 categories:
@@ -20444,6 +22209,7 @@ rules:
 group: top10-injection
 name: CSharp_Medium_Threat_CGI_XSS
 pretty_name: CGI XSS - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_CSRF:
 categories:
@@ -20459,6 +22225,7 @@ rules:
 group: top10-injection
 name: CSharp_Medium_Threat_CSRF
 pretty_name: CSRF - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Cookie_Injection:
 categories:
@@ -20474,6 +22241,7 @@ rules:
 group: top10-injection
 name: CSharp_Medium_Threat_Cookie_Injection
 pretty_name: Cookie Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_DB_Parameter_Tampering:
 categories:
@@ -20487,6 +22255,7 @@ rules:
 group: top10-broken-access-control
 name: CSharp_Medium_Threat_DB_Parameter_Tampering
 pretty_name: DB Parameter Tampering - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Data_Filter_Injection:
 categories:
@@ -20501,6 +22270,7 @@ rules:
 group: top10-injection
 name: CSharp_Medium_Threat_Data_Filter_Injection
 pretty_name: Data Filter Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_DoS_by_Sleep:
 categories:
@@ -20513,6 +22283,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Medium_Threat_DoS_by_Sleep
 pretty_name: DoS by Sleep - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Excessive_Data_Exposure:
 categories:
@@ -20526,6 +22297,7 @@ rules:
 group: top10-broken-access-control
 name: CSharp_Medium_Threat_Excessive_Data_Exposure
 pretty_name: Excessive Data Exposure - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_HTTP_Response_Splitting:
 categories:
@@ -20540,6 +22312,7 @@ rules:
 group: top10-injection
 name: CSharp_Medium_Threat_HTTP_Response_Splitting
 pretty_name: HTTP Response Splitting - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Hardcoded_password_in_Connection_String:
 categories:
@@ -20553,6 +22326,7 @@ rules:
 group: top10-security-misconfiguration
 name: CSharp_Medium_Threat_Hardcoded_password_in_Connection_String
 pretty_name: Hardcoded password in Connection String - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_HttpOnlyCookies:
 categories:
@@ -20565,6 +22339,7 @@ rules:
 group: top10-security-misconfiguration
 name: CSharp_Medium_Threat_HttpOnlyCookies
 pretty_name: HttpOnlyCookies - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Improper_Locking:
 categories:
@@ -20578,6 +22353,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Medium_Threat_Improper_Locking
 pretty_name: Improper Locking - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Improper_Restriction_of_XXE_Ref:
 categories:
@@ -20592,6 +22368,7 @@ rules:
 group: top10-security-misconfiguration
 name: CSharp_Medium_Threat_Improper_Restriction_of_XXE_Ref
 pretty_name: Improper Restriction of XXE Ref - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Insecure_Cookie:
 categories:
@@ -20605,6 +22382,7 @@ rules:
 group: top10-security-misconfiguration
 name: CSharp_Medium_Threat_Insecure_Cookie
 pretty_name: Insecure Cookie - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Insufficient_Connection_String_Encryption:
 categories:
@@ -20619,6 +22397,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Medium_Threat_Insufficient_Connection_String_Encryption
 pretty_name: Insufficient Connection String Encryption - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Integer_Overflow:
 categories:
@@ -20635,6 +22414,7 @@ rules:
 group: top10-injection
 name: CSharp_Medium_Threat_Integer_Overflow
 pretty_name: Integer Overflow - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_JWT_Lack_Of_Expiration_Time:
 categories:
@@ -20649,6 +22429,7 @@ rules:
 group: top10-id-authn-failures
 name: CSharp_Medium_Threat_JWT_Lack_Of_Expiration_Time
 pretty_name: JWT Lack Of Expiration Time - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_JWT_No_Expiration_Time_Validation:
 categories:
@@ -20663,6 +22444,7 @@ rules:
 group: top10-id-authn-failures
 name: CSharp_Medium_Threat_JWT_No_Expiration_Time_Validation
 pretty_name: JWT No Expiration Time Validation - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_JWT_Sensitive_Information_Exposure:
 categories:
@@ -20676,6 +22458,7 @@ rules:
 group: top10-broken-access-control
 name: CSharp_Medium_Threat_JWT_Sensitive_Information_Exposure
 pretty_name: JWT Sensitive Information Exposure - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_MVC_View_Injection:
 categories:
@@ -20691,6 +22474,7 @@ rules:
 group: top10-injection
 name: CSharp_Medium_Threat_MVC_View_Injection
 pretty_name: MVC View Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Missing_Column_Encryption:
 categories:
@@ -20704,6 +22488,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Medium_Threat_Missing_Column_Encryption
 pretty_name: Missing Column Encryption - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Missing_HSTS_Header:
 categories:
@@ -20717,6 +22502,7 @@ rules:
 group: top10-id-authn-failures
 name: CSharp_Medium_Threat_Missing_HSTS_Header
 pretty_name: Missing HSTS Header - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Missing_Object_Level_Authorization:
 categories:
@@ -20731,6 +22517,7 @@ rules:
 group: top10-broken-access-control
 name: CSharp_Medium_Threat_Missing_Object_Level_Authorization
 pretty_name: Missing Object Level Authorization - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_No_Request_Validation:
 categories:
@@ -20746,6 +22533,7 @@ rules:
 group: top10-injection
 name: CSharp_Medium_Threat_No_Request_Validation
 pretty_name: No Request Validation - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Parameter_Tampering:
 categories:
@@ -20760,6 +22548,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Medium_Threat_Parameter_Tampering
 pretty_name: Parameter Tampering - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Path_Traversal:
 categories:
@@ -20777,6 +22566,7 @@ rules:
 group: top10-broken-access-control
 name: CSharp_Medium_Threat_Path_Traversal
 pretty_name: Path Traversal - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Persistent_Connection_String:
 categories:
@@ -20795,6 +22585,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Medium_Threat_Persistent_Connection_String
 pretty_name: Persistent Connection String - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Privacy_Violation:
 categories:
@@ -20810,6 +22601,7 @@ rules:
 group: top10-broken-access-control
 name: CSharp_Medium_Threat_Privacy_Violation
 pretty_name: Privacy Violation - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Race_Condition_within_a_Thread:
 categories:
@@ -20824,6 +22616,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Medium_Threat_Race_Condition_within_a_Thread
 pretty_name: Race Condition within a Thread - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_ReDoS_By_Regex_Injection:
 categories:
@@ -20839,6 +22632,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Medium_Threat_ReDoS_By_Regex_Injection
 pretty_name: ReDoS By Regex Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_ReDoS_In_Code:
 categories:
@@ -20854,6 +22648,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Medium_Threat_ReDoS_In_Code
 pretty_name: ReDoS In Code - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_ReDoS_In_Validation:
 categories:
@@ -20869,6 +22664,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Medium_Threat_ReDoS_In_Validation
 pretty_name: ReDoS In Validation - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Reflected_XSS_Specific_Clients:
 categories:
@@ -20884,6 +22680,7 @@ rules:
 group: top10-injection
 name: CSharp_Medium_Threat_Reflected_XSS_Specific_Clients
 pretty_name: Reflected XSS Specific Clients - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_SQL_Injection_Evasion_Attack:
 categories:
@@ -20900,6 +22697,7 @@ rules:
 group: top10-injection
 name: CSharp_Medium_Threat_SQL_Injection_Evasion_Attack
 pretty_name: SQL Injection Evasion Attack - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_SSL_Verification_Bypass:
 categories:
@@ -20914,6 +22712,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: CSharp_Medium_Threat_SSL_Verification_Bypass
 pretty_name: SSL Verification Bypass - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_SSRF:
 categories:
@@ -20929,6 +22728,7 @@ rules:
 group: top10-injection
 name: CSharp_Medium_Threat_SSRF
 pretty_name: SSRF - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Session_Fixation:
 categories:
@@ -20943,6 +22743,7 @@ rules:
 group: top10-id-authn-failures
 name: CSharp_Medium_Threat_Session_Fixation
 pretty_name: Session Fixation - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Stored_Command_Injection:
 categories:
@@ -20959,6 +22760,7 @@ rules:
 group: top10-injection
 name: CSharp_Medium_Threat_Stored_Command_Injection
 pretty_name: Stored Command Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Stored_LDAP_Injection:
 categories:
@@ -20974,6 +22776,7 @@ rules:
 group: top10-injection
 name: CSharp_Medium_Threat_Stored_LDAP_Injection
 pretty_name: Stored LDAP Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Stored_Path_Traversal:
 categories:
@@ -20991,6 +22794,7 @@ rules:
 group: top10-broken-access-control
 name: CSharp_Medium_Threat_Stored_Path_Traversal
 pretty_name: Stored Path Traversal - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Stored_XPath_Injection:
 categories:
@@ -21006,6 +22810,7 @@ rules:
 group: top10-injection
 name: CSharp_Medium_Threat_Stored_XPath_Injection
 pretty_name: Stored XPath Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Unclosed_Connection:
 categories:
@@ -21019,6 +22824,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Medium_Threat_Unclosed_Connection
 pretty_name: Unclosed Connection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Unsafe_Object_Binding:
 categories:
@@ -21033,6 +22839,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: CSharp_Medium_Threat_Unsafe_Object_Binding
 pretty_name: Unsafe Object Binding - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Use_of_Cryptographically_Weak_PRNG:
 categories:
@@ -21046,6 +22853,7 @@ rules:
 group: top10-crypto-failures
 name: CSharp_Medium_Threat_Use_of_Cryptographically_Weak_PRNG
 pretty_name: Use of Cryptographically Weak PRNG - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key:
 categories:
@@ -21059,6 +22867,7 @@ rules:
 group: top10-crypto-failures
 name: CSharp_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key
 pretty_name: Use of Hard coded Cryptographic Key - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Medium_Threat_Value_Shadowing:
 categories:
@@ -21073,6 +22882,7 @@ rules:
 group: top10-injection
 name: CSharp_Medium_Threat_Value_Shadowing
 pretty_name: Value Shadowing - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_WebConfig_CookieLess_Authentication:
 categories:
@@ -21087,6 +22897,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_WebConfig_CookieLess_Authentication
 pretty_name: CookieLess Authentication - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_WebConfig_CookieLess_Session_State:
 categories:
@@ -21099,6 +22910,7 @@ rules:
 group: top10-broken-access-control
 name: CSharp_WebConfig_CookieLess_Session_State
 pretty_name: CookieLess Session State - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_WebConfig_CustomError:
 categories:
@@ -21112,6 +22924,7 @@ rules:
 group: top10-security-misconfiguration
 name: CSharp_WebConfig_CustomError
 pretty_name: CustomError - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_WebConfig_DebugEnabled:
 categories:
@@ -21124,6 +22937,7 @@ rules:
 group: top10-security-misconfiguration
 name: CSharp_WebConfig_DebugEnabled
 pretty_name: DebugEnabled - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_WebConfig_Directory_Browse:
 categories:
@@ -21137,6 +22951,7 @@ rules:
 group: top10-broken-access-control
 name: CSharp_WebConfig_Directory_Browse
 pretty_name: Directory Browse - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_WebConfig_Elmah_Enabled:
 categories:
@@ -21153,6 +22968,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_WebConfig_Elmah_Enabled
 pretty_name: Elmah Enabled - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_WebConfig_HardcodedCredentials:
 categories:
@@ -21167,6 +22983,7 @@ rules:
 group: top10-id-authn-failures
 name: CSharp_WebConfig_HardcodedCredentials
 pretty_name: HardcodedCredentials - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_WebConfig_HttpOnlyCookies_In_Config:
 categories:
@@ -21179,6 +22996,7 @@ rules:
 group: top10-security-misconfiguration
 name: CSharp_WebConfig_HttpOnlyCookies_In_Config
 pretty_name: HttpOnlyCookies In Config - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_WebConfig_Missing_X_Frame_Options:
 categories:
@@ -21193,6 +23011,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_WebConfig_Missing_X_Frame_Options
 pretty_name: Missing X Frame Options - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_WebConfig_NonUniqueFormName:
 categories:
@@ -21206,6 +23025,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_WebConfig_NonUniqueFormName
 pretty_name: NonUniqueFormName - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_WebConfig_Password_in_Configuration_File:
 categories:
@@ -21218,6 +23038,7 @@ rules:
 group: top10-security-misconfiguration
 name: CSharp_WebConfig_Password_in_Configuration_File
 pretty_name: Password in Configuration File - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_WebConfig_RequireSSL:
 categories:
@@ -21231,6 +23052,7 @@ rules:
 group: top10-security-misconfiguration
 name: CSharp_WebConfig_RequireSSL
 pretty_name: RequireSSL - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_WebConfig_SlidingExpiration:
 categories:
@@ -21245,6 +23067,7 @@ rules:
 group: top10-id-authn-failures
 name: CSharp_WebConfig_SlidingExpiration
 pretty_name: SlidingExpiration - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_WebConfig_TraceEnabled:
 categories:
@@ -21259,6 +23082,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_WebConfig_TraceEnabled
 pretty_name: TraceEnabled - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Windows_Phone_Client_Side_Injection:
 categories:
@@ -21276,6 +23100,7 @@ rules:
 group: top10-injection
 name: CSharp_Windows_Phone_Client_Side_Injection
 pretty_name: Client Side Injection - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Windows_Phone_Failure_to_Implement_Least_Privilege:
 categories:
@@ -21290,6 +23115,7 @@ rules:
 group: top10-broken-access-control
 name: CSharp_Windows_Phone_Failure_to_Implement_Least_Privilege
 pretty_name: Failure to Implement Least Privilege - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Windows_Phone_Hard_Coded_Cryptography_Key:
 categories:
@@ -21303,6 +23129,7 @@ rules:
 group: top10-crypto-failures
 name: CSharp_Windows_Phone_Hard_Coded_Cryptography_Key
 pretty_name: Hard Coded Cryptography Key - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Windows_Phone_Insecure_Data_Storage:
 categories:
@@ -21317,6 +23144,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Windows_Phone_Insecure_Data_Storage
 pretty_name: Insecure Data Storage - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Windows_Phone_Insufficient_Application_Layer_Protect:
 categories:
@@ -21331,6 +23159,7 @@ rules:
 group: top10-insecure-design
 name: CSharp_Windows_Phone_Insufficient_Application_Layer_Protect
 pretty_name: Insufficient Application Layer Protect - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Windows_Phone_Poor_Authorization_and_Authentication:
 categories:
@@ -21345,6 +23174,7 @@ rules:
 group: top10-id-authn-failures
 name: CSharp_Windows_Phone_Poor_Authorization_and_Authentication
 pretty_name: Poor Authorization and Authentication - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 CSharp_Windows_Phone_Side_Channel_Data_Leakage:
 categories:
@@ -21358,6 +23188,7 @@ rules:
 group: top10-broken-access-control
 name: CSharp_Windows_Phone_Side_Channel_Data_Leakage
 pretty_name: Side Channel Data Leakage - CSharp
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Cobol_Heuristic_Possible_Module_Injection:
 categories:
@@ -21371,6 +23202,7 @@ rules:
 group: top10-injection
 name: Cobol_Heuristic_Possible_Module_Injection
 pretty_name: Possible Module Injection - Cobol
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Cobol_High_Risk_Command_Injection:
 categories:
@@ -21388,6 +23220,7 @@ rules:
 group: top10-injection
 name: Cobol_High_Risk_Command_Injection
 pretty_name: Command Injection - Cobol
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Cobol_High_Risk_Module_Injection:
 categories:
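Review bot: `recommended: true` is set on every rule in these hunks regardless of the rule's confidence class, including `Cobol_Heuristic_Possible_Module_Injection` here, and the same blanket addition continues through the `Dart_Mobile_Best_Coding_Practice_*` hunks that follow (Unused_Permission, Using_Deprecated_Methods, WebView_Cache_Information_Leak) and the `*_Low_Visibility_*` rules after them. A flag that heuristic, best-practice and low-visibility rules carry alongside `Cobol_High_Risk_Sql_Injection` no longer distinguishes them, so if `recommended` drives default enablement or triage ordering downstream (not visible from this file) the low-signal rules will surface with the same weight as high-risk injection findings. Either restrict the flag to the high-confidence rules or record the criterion where the key is introduced, e.g. `# recommended: rules enabled by the default policy; heuristic and best-practice rules are opt-in`. Each rule mapping is cut by the hunk's three-line context, so its remaining fields are outside the hunk.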
@@ -21402,6 +23235,7 @@ rules:
 group: top10-injection
 name: Cobol_High_Risk_Module_Injection
 pretty_name: Module Injection - Cobol
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Cobol_High_Risk_Reflected_XSS_All_Clients:
 categories:
@@ -21418,6 +23252,7 @@ rules:
 group: top10-injection
 name: Cobol_High_Risk_Reflected_XSS_All_Clients
 pretty_name: Reflected XSS All Clients - Cobol
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Cobol_High_Risk_Resource_Injection:
 categories:
@@ -21433,6 +23268,7 @@ rules:
 group: top10-injection
 name: Cobol_High_Risk_Resource_Injection
 pretty_name: Resource Injection - Cobol
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Cobol_High_Risk_Sql_Injection:
 categories:
@@ -21450,6 +23286,7 @@ rules:
 group: top10-injection
 name: Cobol_High_Risk_Sql_Injection
 pretty_name: Sql Injection - Cobol
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Cobol_Low_Visibility_Information_Leak_Through_Comments:
 categories:
@@ -21465,6 +23302,7 @@ rules:
 group: top10-broken-access-control
 name: Cobol_Low_Visibility_Information_Leak_Through_Comments
 pretty_name: Information Leak Through Comments - Cobol
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Cobol_Low_Visibility_Use_Of_Hardcoded_Password:
 categories:
@@ -21478,6 +23316,7 @@ rules:
 group: top10-id-authn-failures
 name: Cobol_Low_Visibility_Use_Of_Hardcoded_Password
 pretty_name: Use Of Hardcoded Password - Cobol
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Cobol_Medium_Threat_Ignored_Error_Conditions:
 categories:
@@ -21491,6 +23330,7 @@ rules:
 group: top10-insecure-design
 name: Cobol_Medium_Threat_Ignored_Error_Conditions
 pretty_name: Ignored Error Conditions - Cobol
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Cobol_Medium_Threat_Path_Traversal:
 categories:
@@ -21508,6 +23348,7 @@ rules:
 group: top10-broken-access-control
 name: Cobol_Medium_Threat_Path_Traversal
 pretty_name: Path Traversal - Cobol
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Best_Coding_Practice_Encrypted_Sensitive_Information_in_External_Storage:
 categories:
@@ -21520,6 +23361,7 @@ rules:
 group: top10-insecure-design
 name: Dart_Mobile_Best_Coding_Practice_Encrypted_Sensitive_Information_in_External_Storage
 pretty_name: Encrypted Sensitive Information in External Storage - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Best_Coding_Practice_Unused_Permission:
 categories:
@@ -21534,6 +23376,7 @@ rules:
 group: top10-insecure-design
 name: Dart_Mobile_Best_Coding_Practice_Unused_Permission
 pretty_name: Unused Permission - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Best_Coding_Practice_Using_Deprecated_Methods:
 categories:
@@ -21547,6 +23390,7 @@ rules:
 group: top10-insecure-design
 name: Dart_Mobile_Best_Coding_Practice_Using_Deprecated_Methods
 pretty_name: Using Deprecated Methods - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Best_Coding_Practice_WebView_Cache_Information_Leak:
 categories:
@@ -21559,6 +23403,7 @@ rules:
 group: top10-insecure-design
 name: Dart_Mobile_Best_Coding_Practice_WebView_Cache_Information_Leak
 pretty_name: WebView Cache Information Leak - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_High_Risk_Resource_Updated_By_URL_Data:
 categories:
@@ -21572,6 +23417,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Dart_Mobile_High_Risk_Resource_Updated_By_URL_Data
 pretty_name: Resource Updated By URL Data - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_High_Risk_Sensitive_Information_Over_HTTP:
 categories:
@@ -21586,6 +23432,7 @@ rules:
 group: top10-broken-access-control
 name: Dart_Mobile_High_Risk_Sensitive_Information_Over_HTTP
 pretty_name: Sensitive Information Over HTTP - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_High_Risk_Sensitive_Information_Through_URL_Scheme:
 categories:
@@ -21600,6 +23447,7 @@ rules:
 group: top10-broken-access-control
 name: Dart_Mobile_High_Risk_Sensitive_Information_Through_URL_Scheme
 pretty_name: Sensitive Information Through URL Scheme - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_High_Risk_Unencrypted_Sensitive_Information_in_Publicly_Accessible_Cloud_Storage:
 categories:
@@ -21615,6 +23463,7 @@ rules: name: Dart_Mobile_High_Risk_Unencrypted_Sensitive_Information_in_Publicly_Accessible_Cloud_Storage pretty_name: Unencrypted Sensitive Information in Publicly Accessible Cloud Storage - Dart + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Dart_Mobile_High_Risk_Unsafe_Reflection: categories:
@@ -21630,6 +23479,7 @@ rules:
 group: top10-injection
 name: Dart_Mobile_High_Risk_Unsafe_Reflection
 pretty_name: Unsafe Reflection - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_App_Transport_Security_Disabled:
 categories:
@@ -21643,6 +23493,7 @@ rules:
 group: top10-security-misconfiguration
 name: Dart_Mobile_Low_Visibility_App_Transport_Security_Disabled
 pretty_name: App Transport Security Disabled - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Autocorrection_Keystroke_Logging:
 categories:
@@ -21658,6 +23509,7 @@ rules:
 group: top10-broken-access-control
 name: Dart_Mobile_Low_Visibility_Autocorrection_Keystroke_Logging
 pretty_name: Autocorrection Keystroke Logging - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Encrypted_Sensitive_Information_in_Publicly_Accessible_Cloud_Storage:
 categories:
@@ -21672,6 +23524,7 @@ rules: name: Dart_Mobile_Low_Visibility_Encrypted_Sensitive_Information_in_Publicly_Accessible_Cloud_Storage pretty_name: Encrypted Sensitive Information in Publicly Accessible Cloud Storage - Dart + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Dart_Mobile_Low_Visibility_Hardcoded_Password_In_Gradle: categories:
@@ -21685,6 +23538,7 @@ rules:
 group: top10-id-authn-failures
 name: Dart_Mobile_Low_Visibility_Hardcoded_Password_In_Gradle
 pretty_name: Hardcoded Password In Gradle - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Implicit_Intent_With_Read_Write_Permissions:
 categories:
@@ -21698,6 +23552,7 @@ rules:
 group: top10-broken-access-control
 name: Dart_Mobile_Low_Visibility_Implicit_Intent_With_Read_Write_Permissions
 pretty_name: Implicit Intent With Read Write Permissions - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Improper_Resource_Shutdown_or_Release:
 categories:
@@ -21711,6 +23566,7 @@ rules:
 group: top10-insecure-design
 name: Dart_Mobile_Low_Visibility_Improper_Resource_Shutdown_or_Release
 pretty_name: Improper Resource Shutdown or Release - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Insecure_Android_SDK_Version:
 categories:
@@ -21724,6 +23580,7 @@ rules:
 group: top10-vulnerable-components
 name: Dart_Mobile_Low_Visibility_Insecure_Android_SDK_Version
 pretty_name: Insecure Android SDK Version - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Insecure_HTTP_Connections_Enabled:
 categories:
@@ -21737,6 +23594,7 @@ rules:
 group: top10-crypto-failures
 name: Dart_Mobile_Low_Visibility_Insecure_HTTP_Connections_Enabled
 pretty_name: Insecure HTTP Connections Enabled - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Missing_Certificate_Pinning:
 categories:
@@ -21749,6 +23607,7 @@ rules:
 group: top10-id-authn-failures
 name: Dart_Mobile_Low_Visibility_Missing_Certificate_Pinning
 pretty_name: Missing Certificate Pinning - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Missing_Device_Lock_Verification:
 categories:
@@ -21762,6 +23621,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Dart_Mobile_Low_Visibility_Missing_Device_Lock_Verification
 pretty_name: Missing Device Lock Verification - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Missing_Root_Or_Jailbreak_Check:
 categories:
@@ -21775,6 +23635,7 @@ rules:
 group: top10-insecure-design
 name: Dart_Mobile_Low_Visibility_Missing_Root_Or_Jailbreak_Check
 pretty_name: Missing Root Or Jailbreak Check - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_No_Installer_Verification_Implemented:
 categories:
@@ -21788,6 +23649,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Dart_Mobile_Low_Visibility_No_Installer_Verification_Implemented
 pretty_name: No Installer Verification Implemented - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Parameter_Tampering:
 categories:
@@ -21802,6 +23664,7 @@ rules:
 group: top10-insecure-design
 name: Dart_Mobile_Low_Visibility_Parameter_Tampering
 pretty_name: Parameter Tampering - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Private_Storage_SQL_Injection:
 categories:
@@ -21818,6 +23681,7 @@ rules:
 group: top10-injection
 name: Dart_Mobile_Low_Visibility_Private_Storage_SQL_Injection
 pretty_name: Private Storage SQL Injection - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Private_Storage_WebView_JavaScript_Injection:
 categories:
@@ -21833,6 +23697,7 @@ rules:
 group: top10-injection
 name: Dart_Mobile_Low_Visibility_Private_Storage_WebView_JavaScript_Injection
 pretty_name: Private Storage WebView JavaScript Injection - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Secret_Stored_Outside_of_Keychain:
 categories:
@@ -21846,6 +23711,7 @@ rules:
 group: top10-broken-access-control
 name: Dart_Mobile_Low_Visibility_Secret_Stored_Outside_of_Keychain
 pretty_name: Secret Stored Outside of Keychain - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Self_SQL_Injection:
 categories:
@@ -21862,6 +23728,7 @@ rules:
 group: top10-injection
 name: Dart_Mobile_Low_Visibility_Self_SQL_Injection
 pretty_name: Self SQL Injection - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Self_WebView_JavaScript_Injection:
 categories:
@@ -21877,6 +23744,7 @@ rules:
 group: top10-injection
 name: Dart_Mobile_Low_Visibility_Self_WebView_JavaScript_Injection
 pretty_name: Self WebView JavaScript Injection - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Unencrypted_Sensitive_Information_in_Internal_Storage:
 categories:
@@ -21890,6 +23758,7 @@ rules:
 group: top10-broken-access-control
 name: Dart_Mobile_Low_Visibility_Unencrypted_Sensitive_Information_in_Internal_Storage
 pretty_name: Unencrypted Sensitive Information in Internal Storage - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Unencrypted_Sensitive_Information_in_Temporary_File:
 categories:
@@ -21903,6 +23772,7 @@ rules:
 group: top10-broken-access-control
 name: Dart_Mobile_Low_Visibility_Unencrypted_Sensitive_Information_in_Temporary_File
 pretty_name: Unencrypted Sensitive Information in Temporary File - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Use_Of_Implicit_Intent_For_Sensitive_Communication:
 categories:
@@ -21916,6 +23786,7 @@ rules:
 group: top10-insecure-design
 name: Dart_Mobile_Low_Visibility_Use_Of_Implicit_Intent_For_Sensitive_Communication
 pretty_name: Use Of Implicit Intent For Sensitive Communication - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Use_of_Native_Language:
 categories:
@@ -21929,6 +23800,7 @@ rules:
 group: top10-injection
 name: Dart_Mobile_Low_Visibility_Use_of_Native_Language
 pretty_name: Use of Native Language - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_Use_of_Non_Cryptographic_Random:
 categories:
@@ -21942,6 +23814,7 @@ rules:
 group: top10-crypto-failures
 name: Dart_Mobile_Low_Visibility_Use_of_Non_Cryptographic_Random
 pretty_name: Use of Non Cryptographic Random - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Low_Visibility_User_Information_in_Publicly_Accessible_Storage:
 categories:
@@ -21955,6 +23828,7 @@ rules:
 group: top10-broken-access-control
 name: Dart_Mobile_Low_Visibility_User_Information_in_Publicly_Accessible_Storage
 pretty_name: User Information in Publicly Accessible Storage - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_Broken_or_Risky_Encryption_Algorithm:
 categories:
@@ -21967,6 +23841,7 @@ rules:
 group: top10-crypto-failures
 name: Dart_Mobile_Medium_Threat_Broken_or_Risky_Encryption_Algorithm
 pretty_name: Broken or Risky Encryption Algorithm - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_Broken_or_Risky_Hashing_Function:
 categories:
@@ -21983,6 +23858,7 @@ rules:
 group: top10-crypto-failures
 name: Dart_Mobile_Medium_Threat_Broken_or_Risky_Hashing_Function
 pretty_name: Broken or Risky Hashing Function - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_Communication_Over_HTTP:
 categories:
@@ -21996,6 +23872,7 @@ rules:
 group: top10-crypto-failures
 name: Dart_Mobile_Medium_Threat_Communication_Over_HTTP
 pretty_name: Communication Over HTTP - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_Encoding_Used_Instead_of_Encryption:
 categories:
@@ -22009,6 +23886,7 @@ rules:
 group: top10-insecure-design
 name: Dart_Mobile_Medium_Threat_Encoding_Used_Instead_of_Encryption
 pretty_name: Encoding Used Instead of Encryption - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_Improper_Certificate_Validation:
 categories:
@@ -22021,6 +23899,7 @@ rules:
 group: top10-id-authn-failures
 name: Dart_Mobile_Medium_Threat_Improper_Certificate_Validation
 pretty_name: Improper Certificate Validation - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_Information_Exposure_Through_Query_String:
 categories:
@@ -22034,6 +23913,7 @@ rules:
 group: top10-insecure-design
 name: Dart_Mobile_Medium_Threat_Information_Exposure_Through_Query_String
 pretty_name: Information Exposure Through Query String - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_Insecure_Asymmetric_Cryptographic_Algorithm_Parameters:
 categories:
@@ -22048,6 +23928,7 @@ rules:
 group: top10-crypto-failures
 name: Dart_Mobile_Medium_Threat_Insecure_Asymmetric_Cryptographic_Algorithm_Parameters
 pretty_name: Insecure Asymmetric Cryptographic Algorithm Parameters - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_Insufficiently_Secure_Password_Storage_Algorithm_Parameters:
 categories:
@@ -22062,6 +23943,7 @@ rules:
 group: top10-insecure-design
 name: Dart_Mobile_Medium_Threat_Insufficiently_Secure_Password_Storage_Algorithm_Parameters
 pretty_name: Insufficiently Secure Password Storage Algorithm Parameters - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_Pasteboard_Leakage:
 categories:
@@ -22075,6 +23957,7 @@ rules:
 group: top10-broken-access-control
 name: Dart_Mobile_Medium_Threat_Pasteboard_Leakage
 pretty_name: Pasteboard Leakage - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_Path_Traversal:
 categories:
@@ -22092,6 +23975,7 @@ rules:
 group: top10-broken-access-control
 name: Dart_Mobile_Medium_Threat_Path_Traversal
 pretty_name: Path Traversal - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_Poor_Authorization_and_Authentication:
 categories:
@@ -22106,6 +23990,7 @@ rules:
 group: top10-id-authn-failures
 name: Dart_Mobile_Medium_Threat_Poor_Authorization_and_Authentication
 pretty_name: Poor Authorization and Authentication - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_Public_Storage_SQL_Injection:
 categories:
@@ -22122,6 +24007,7 @@ rules:
 group: top10-injection
 name: Dart_Mobile_Medium_Threat_Public_Storage_SQL_Injection
 pretty_name: Public Storage SQL Injection - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_Public_Storage_WebView_JavaScript_Injection:
 categories:
@@ -22137,6 +24023,7 @@ rules:
 group: top10-injection
 name: Dart_Mobile_Medium_Threat_Public_Storage_WebView_JavaScript_Injection
 pretty_name: Public Storage WebView JavaScript Injection - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_SQL_Injection_from_URL_Scheme_or_Intent:
 categories:
@@ -22153,6 +24040,7 @@ rules:
 group: top10-injection
 name: Dart_Mobile_Medium_Threat_SQL_Injection_from_URL_Scheme_or_Intent
 pretty_name: SQL Injection from URL Scheme or Intent - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_Third_Party_Keyboards_On_Sensitive_Field:
 categories:
@@ -22166,6 +24054,7 @@ rules:
 group: top10-broken-access-control
 name: Dart_Mobile_Medium_Threat_Third_Party_Keyboards_On_Sensitive_Field
 pretty_name: Third Party Keyboards On Sensitive Field - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_Unencrypted_Sensitive_Information_in_External_Storage:
 categories:
@@ -22179,6 +24068,7 @@ rules:
 group: top10-broken-access-control
 name: Dart_Mobile_Medium_Threat_Unencrypted_Sensitive_Information_in_External_Storage
 pretty_name: Unencrypted Sensitive Information in External Storage - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_Use_of_Cryptographically_Weak_PRNG:
 categories:
@@ -22192,6 +24082,7 @@ rules:
 group: top10-crypto-failures
 name: Dart_Mobile_Medium_Threat_Use_of_Cryptographically_Weak_PRNG
 pretty_name: Use of Cryptographically Weak PRNG - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_Use_of_Hardcoded_Cryptographic_IV:
 categories:
@@ -22206,6 +24097,7 @@ rules:
 group: top10-crypto-failures
 name: Dart_Mobile_Medium_Threat_Use_of_Hardcoded_Cryptographic_IV
 pretty_name: Use of Hardcoded Cryptographic IV - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_Use_of_Hardcoded_Cryptographic_Key_in_Client:
 categories:
@@ -22219,6 +24111,7 @@ rules:
 group: top10-crypto-failures
 name: Dart_Mobile_Medium_Threat_Use_of_Hardcoded_Cryptographic_Key_in_Client
 pretty_name: Use of Hardcoded Cryptographic Key in Client - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_Use_of_Hardcoded_Salt:
 categories:
@@ -22233,6 +24126,7 @@ rules:
 group: top10-crypto-failures
 name: Dart_Mobile_Medium_Threat_Use_of_Hardcoded_Salt
 pretty_name: Use of Hardcoded Salt - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Dart_Mobile_Medium_Threat_WebView_JavaScript_Injection_from_URL_Scheme:
 categories:
@@ -22248,6 +24142,7 @@ rules:
 group: top10-injection
 name: Dart_Mobile_Medium_Threat_WebView_JavaScript_Injection_from_URL_Scheme
 pretty_name: WebView JavaScript Injection from URL Scheme - Dart
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_AWS_Lambda_AWS_Credentials_Leak:
 categories:
@@ -22262,6 +24157,7 @@ rules:
 group: top10-broken-access-control
 name: Go_AWS_Lambda_AWS_Credentials_Leak
 pretty_name: AWS Credentials Leak - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_AWS_Lambda_DynamoDB_NoSQL_Injection:
 categories:
@@ -22278,6 +24174,7 @@ rules:
 group: top10-injection
 name: Go_AWS_Lambda_DynamoDB_NoSQL_Injection
 pretty_name: DynamoDB NoSQL Injection - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_AWS_Lambda_Hardcoded_AWS_Credentials:
 categories:
@@ -22293,6 +24190,7 @@ rules:
 group: top10-id-authn-failures
 name: Go_AWS_Lambda_Hardcoded_AWS_Credentials
 pretty_name: Hardcoded AWS Credentials - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_AWS_Lambda_Permission_Manipulation_In_S3:
 categories:
@@ -22306,6 +24204,7 @@ rules:
 group: top10-broken-access-control
 name: Go_AWS_Lambda_Permission_Manipulation_In_S3
 pretty_name: Permission Manipulation In S3 - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_AWS_Lambda_Race_Condition_Global_Scope:
 categories:
@@ -22319,6 +24218,7 @@ rules:
 group: top10-insecure-design
 name: Go_AWS_Lambda_Race_Condition_Global_Scope
 pretty_name: Race Condition Global Scope - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_AWS_Lambda_Unrestricted_Read_S3:
 categories:
@@ -22333,6 +24233,7 @@ rules:
 group: top10-broken-access-control
 name: Go_AWS_Lambda_Unrestricted_Read_S3
 pretty_name: Unrestricted Read S3 - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_AWS_Lambda_Unrestricted_Write_S3:
 categories:
@@ -22347,6 +24248,7 @@ rules:
 group: top10-broken-access-control
 name: Go_AWS_Lambda_Unrestricted_Write_S3
 pretty_name: Unrestricted Write S3 - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_AWS_Lambda_Use_of_Hardcoded_Cryptographic_Key_On_Server:
 categories:
@@ -22360,6 +24262,7 @@ rules:
 group: top10-crypto-failures
 name: Go_AWS_Lambda_Use_of_Hardcoded_Cryptographic_Key_On_Server
 pretty_name: Use of Hardcoded Cryptographic Key On Server - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_AWS_Lambda_User_Based_SDK_Configurations:
 categories:
@@ -22372,6 +24275,7 @@ rules:
 group: top10-security-misconfiguration
 name: Go_AWS_Lambda_User_Based_SDK_Configurations
 pretty_name: User Based SDK Configurations - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_High_Risk_CGI_XSS:
 categories:
@@ -22388,6 +24292,7 @@ rules:
 group: top10-injection
 name: Go_High_Risk_CGI_XSS
 pretty_name: CGI XSS - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_High_Risk_Command_Injection:
 categories:
@@ -22405,6 +24310,7 @@ rules:
 group: top10-injection
 name: Go_High_Risk_Command_Injection
 pretty_name: Command Injection - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_High_Risk_Connection_String_Injection:
 categories:
@@ -22420,6 +24326,7 @@ rules:
 group: top10-injection
 name: Go_High_Risk_Connection_String_Injection
 pretty_name: Connection String Injection - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_High_Risk_Deserialization_of_Untrusted_Data:
 categories:
@@ -22435,6 +24342,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Go_High_Risk_Deserialization_of_Untrusted_Data
 pretty_name: Deserialization of Untrusted Data - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_High_Risk_JWT_No_Signature_Verification:
 categories:
@@ -22450,6 +24358,7 @@ rules:
 group: top10-id-authn-failures
 name: Go_High_Risk_JWT_No_Signature_Verification
 pretty_name: JWT No Signature Verification - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_High_Risk_Reflected_XSS_All_Clients:
 categories:
@@ -22466,6 +24375,7 @@ rules:
 group: top10-injection
 name: Go_High_Risk_Reflected_XSS_All_Clients
 pretty_name: Reflected XSS All Clients - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_High_Risk_SQL_Injection:
 categories:
@@ -22483,6 +24393,7 @@ rules:
 group: top10-injection
 name: Go_High_Risk_SQL_Injection
 pretty_name: SQL Injection - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_High_Risk_Second_Order_SQL_Injection:
 categories:
@@ -22500,6 +24411,7 @@ rules:
 group: top10-injection
 name: Go_High_Risk_Second_Order_SQL_Injection
 pretty_name: Second Order SQL Injection - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_High_Risk_Stored_Command_Injection:
 categories:
@@ -22517,6 +24429,7 @@ rules:
 group: top10-injection
 name: Go_High_Risk_Stored_Command_Injection
 pretty_name: Stored Command Injection - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_High_Risk_Stored_XSS_All_Clients:
 categories:
@@ -22533,6 +24446,7 @@ rules:
 group: top10-injection
 name: Go_High_Risk_Stored_XSS_All_Clients
 pretty_name: Stored XSS All Clients - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_High_Risk_Unsafe_Reflection:
 categories:
@@ -22548,6 +24462,7 @@ rules:
 group: top10-injection
 name: Go_High_Risk_Unsafe_Reflection
 pretty_name: Unsafe Reflection - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Insecure_Credential_Storage_Insecure_Credential_Storage_Mechanism:
 categories:
@@ -22562,6 +24477,7 @@ rules:
 group: top10-insecure-design
 name: Go_Insecure_Credential_Storage_Insecure_Credential_Storage_Mechanism
 pretty_name: Insecure Credential Storage Mechanism - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Insecure_Credential_Storage_Insecure_Scrypt_Parameters:
 categories:
@@ -22576,6 +24492,7 @@ rules:
 group: top10-insecure-design
 name: Go_Insecure_Credential_Storage_Insecure_Scrypt_Parameters
 pretty_name: Insecure Scrypt Parameters - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Insecure_Credential_Storage_Insufficient_Bcrypt_Cost:
 categories:
@@ -22590,6 +24507,7 @@ rules:
 group: top10-insecure-design
 name: Go_Insecure_Credential_Storage_Insufficient_Bcrypt_Cost
 pretty_name: Insufficient Bcrypt Cost - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Insecure_Credential_Storage_Insufficient_Output_Length:
 categories:
@@ -22604,6 +24522,7 @@ rules:
 group: top10-insecure-design
 name: Go_Insecure_Credential_Storage_Insufficient_Output_Length
 pretty_name: Insufficient Output Length - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Insecure_Credential_Storage_PBKDF2_Insufficient_Iteration_Count:
 categories:
@@ -22618,6 +24537,7 @@ rules:
 group: top10-insecure-design
 name: Go_Insecure_Credential_Storage_PBKDF2_Insufficient_Iteration_Count
 pretty_name: PBKDF2 Insufficient Iteration Count - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Insecure_Credential_Storage_PBKDF2_Weak_Salt_Value:
 categories:
@@ -22632,6 +24552,7 @@ rules:
 group: top10-insecure-design
 name: Go_Insecure_Credential_Storage_PBKDF2_Weak_Salt_Value
 pretty_name: PBKDF2 Weak Salt Value - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Insecure_Credential_Storage_Scrypt_Weak_Salt_Value:
 categories:
@@ -22646,6 +24567,7 @@ rules:
 group: top10-insecure-design
 name: Go_Insecure_Credential_Storage_Scrypt_Weak_Salt_Value
 pretty_name: Scrypt Weak Salt Value - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Low_Visibility_Command_Argument_Injection:
 categories:
@@ -22660,6 +24582,7 @@ rules:
 group: top10-injection
 name: Go_Low_Visibility_Command_Argument_Injection
 pretty_name: Command Argument Injection - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Low_Visibility_Deprecated_API:
 categories:
@@ -22673,6 +24596,7 @@ rules:
 group: top10-insecure-design
 name: Go_Low_Visibility_Deprecated_API
 pretty_name: Deprecated API - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Low_Visibility_Empty_Password_In_Connection_String:
 categories:
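Review bot: The last hunk here marks `Go_Low_Visibility_Deprecated_API` as recommended, and the same flag is applied to other code-quality rules that are not security findings: `Go_Low_Visibility_Improper_Error_Handling` and `Go_Low_Visibility_Incorrect_Reflect_Value_Comparison` (L622), `Go_Medium_Threat_Divide_By_Zero` (L624), and the whole `Groovy_Best_Coding_Practice_*` run from L627 to L632 (Assign Collection, Getter Method Could Be Property, Explicit Instantiation, Empty Methods, Use Collect Many / Use Collect Nested, Incorrect Block Delimitation). Putting style and robustness lints into the recommended set means a default-on policy raises them alongside injection and credential findings, which dilutes triage and invites users to mute the whole scanner. For those entries the line would be better as `recommended: false` (or the key omitted), keeping `true` for the security-relevant Groovy rules in the same range such as `Groovy_Best_Coding_Practice_Dynamic_SQL_Queries`, `Groovy_Best_Coding_Practice_Hardcoded_Connection_String` and `Groovy_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J`. Which rules count as "security-relevant" is a judgement call the catalog does not record, so a short comment stating the criterion would help the next edit.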
@@ -22686,6 +24610,7 @@ rules:
 group: top10-id-authn-failures
 name: Go_Low_Visibility_Empty_Password_In_Connection_String
 pretty_name: Empty Password In Connection String - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Low_Visibility_Improper_Error_Handling:
 categories:
@@ -22698,6 +24623,7 @@ rules:
 group: top10-insecure-design
 name: Go_Low_Visibility_Improper_Error_Handling
 pretty_name: Improper Error Handling - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Low_Visibility_Incorrect_Reflect_Value_Comparison:
 categories:
@@ -22710,6 +24636,7 @@ rules:
 group: top10-insecure-design
 name: Go_Low_Visibility_Incorrect_Reflect_Value_Comparison
 pretty_name: Incorrect Reflect Value Comparison - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Low_Visibility_Log_Forging:
 categories:
@@ -22722,6 +24649,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: Go_Low_Visibility_Log_Forging
 pretty_name: Log Forging - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Low_Visibility_Missing_Content_Security_Policy:
 categories:
@@ -22735,6 +24663,7 @@ rules:
 group: top10-id-authn-failures
 name: Go_Low_Visibility_Missing_Content_Security_Policy
 pretty_name: Missing Content Security Policy - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Low_Visibility_Open_Redirect:
 categories:
@@ -22749,6 +24678,7 @@ rules:
 group: top10-broken-access-control
 name: Go_Low_Visibility_Open_Redirect
 pretty_name: Open Redirect - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy:
 categories:
@@ -22762,6 +24692,7 @@ rules:
 group: top10-id-authn-failures
 name: Go_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy
 pretty_name: Overly Permissive Cross Origin Resource Sharing Policy - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Low_Visibility_Permissive_Content_Security_Policy:
 categories:
@@ -22775,6 +24706,7 @@ rules:
 group: top10-id-authn-failures
 name: Go_Low_Visibility_Permissive_Content_Security_Policy
 pretty_name: Permissive Content Security Policy - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Low_Visibility_Plain_Text_Transport_Layer_in_Server:
 categories:
@@ -22788,6 +24720,7 @@ rules:
 group: top10-security-misconfiguration
 name: Go_Low_Visibility_Plain_Text_Transport_Layer_in_Server
 pretty_name: Plain Text Transport Layer in Server - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Low_Visibility_Race_Condition_In_Cross_Functionality:
 categories:
@@ -22804,6 +24737,7 @@ rules:
 group: top10-insecure-design
 name: Go_Low_Visibility_Race_Condition_In_Cross_Functionality
 pretty_name: Race Condition In Cross Functionality - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Low_Visibility_Stored_Command_Argument_Injection:
 categories:
@@ -22818,6 +24752,7 @@ rules:
 group: top10-injection
 name: Go_Low_Visibility_Stored_Command_Argument_Injection
 pretty_name: Stored Command Argument Injection - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Low_Visibility_Use_Of_Broken_Or_Risky_Cryptographic_Algorithm:
 categories:
@@ -22830,6 +24765,7 @@ rules:
 group: top10-crypto-failures
 name: Go_Low_Visibility_Use_Of_Broken_Or_Risky_Cryptographic_Algorithm
 pretty_name: Use Of Broken Or Risky Cryptographic Algorithm - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Low_Visibility_Use_Of_Unsafe_Package:
 categories:
@@ -22843,6 +24779,7 @@ rules:
 group: top10-vulnerable-components
 name: Go_Low_Visibility_Use_Of_Unsafe_Package
 pretty_name: Use Of Unsafe Package - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Low_Visibility_Use_of_Hardcoded_Password:
 categories:
@@ -22856,6 +24793,7 @@ rules:
 group: top10-id-authn-failures
 name: Go_Low_Visibility_Use_of_Hardcoded_Password
 pretty_name: Use of Hardcoded Password - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_Cleartext_Transmission_Of_Sensitive_Information:
 categories:
@@ -22869,6 +24807,7 @@ rules:
 group: top10-broken-access-control
 name: Go_Medium_Threat_Cleartext_Transmission_Of_Sensitive_Information
 pretty_name: Cleartext Transmission Of Sensitive Information - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_Denial_Of_Service_Resource_Exhaustion:
 categories:
@@ -22884,6 +24823,7 @@ rules:
 group: top10-insecure-design
 name: Go_Medium_Threat_Denial_Of_Service_Resource_Exhaustion
 pretty_name: Denial Of Service Resource Exhaustion - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_Divide_By_Zero:
 categories:
@@ -22896,6 +24836,7 @@ rules:
 group: top10-insecure-design
 name: Go_Medium_Threat_Divide_By_Zero
 pretty_name: Divide By Zero - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_Email_Content_Forgery:
 categories:
@@ -22911,6 +24852,7 @@ rules:
 group: top10-injection
 name: Go_Medium_Threat_Email_Content_Forgery
 pretty_name: Email Content Forgery - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_Hardcoded_Password_in_Connection_String:
 categories:
@@ -22924,6 +24866,7 @@ rules:
 group: top10-security-misconfiguration
 name: Go_Medium_Threat_Hardcoded_Password_in_Connection_String
 pretty_name: Hardcoded Password in Connection String - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_Integer_Overflow:
 categories:
@@ -22940,6 +24883,7 @@ rules:
 group: top10-injection
 name: Go_Medium_Threat_Integer_Overflow
 pretty_name: Integer Overflow - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_Missing_HSTS_Header:
 categories:
@@ -22953,6 +24897,7 @@ rules:
 group: top10-id-authn-failures
 name: Go_Medium_Threat_Missing_HSTS_Header
 pretty_name: Missing HSTS Header - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_Missing_HttpOnly_Cookie:
 categories:
@@ -22965,6 +24910,7 @@ rules:
 group: top10-security-misconfiguration
 name: Go_Medium_Threat_Missing_HttpOnly_Cookie
 pretty_name: Missing HttpOnly Cookie - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_Missing_Secure_Cookie:
 categories:
@@ -22978,6 +24924,7 @@ rules:
 group: top10-security-misconfiguration
 name: Go_Medium_Threat_Missing_Secure_Cookie
 pretty_name: Missing Secure Cookie - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_Parameter_Tampering:
 categories:
@@ -22992,6 +24939,7 @@ rules:
 group: top10-insecure-design
 name: Go_Medium_Threat_Parameter_Tampering
 pretty_name: Parameter Tampering - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_Privacy_Violation:
 categories:
@@ -23007,6 +24955,7 @@ rules:
 group: top10-broken-access-control
 name: Go_Medium_Threat_Privacy_Violation
 pretty_name: Privacy Violation - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_Race_Condition_Concurrent_Instances:
 categories:
@@ -23021,6 +24970,7 @@ rules:
 group: top10-insecure-design
 name: Go_Medium_Threat_Race_Condition_Concurrent_Instances
 pretty_name: Race Condition Concurrent Instances - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_Reflected_Absolute_Path_Traversal:
 categories:
@@ -23036,6 +24986,7 @@ rules:
 group: top10-broken-access-control
 name: Go_Medium_Threat_Reflected_Absolute_Path_Traversal
 pretty_name: Reflected Absolute Path Traversal - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_Reflected_Relative_Path_Traversal:
 categories:
@@ -23050,6 +25001,7 @@ rules:
 group: top10-broken-access-control
 name: Go_Medium_Threat_Reflected_Relative_Path_Traversal
 pretty_name: Reflected Relative Path Traversal - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_SSL_Verification_Bypass:
 categories:
@@ -23064,6 +25016,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Go_Medium_Threat_SSL_Verification_Bypass
 pretty_name: SSL Verification Bypass - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_SSRF:
 categories:
@@ -23079,6 +25032,7 @@ rules:
 group: top10-server-side-request-forgery
 name: Go_Medium_Threat_SSRF
 pretty_name: SSRF - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_Stored_Absolute_Path_Traversal:
 categories:
@@ -23094,6 +25048,7 @@ rules:
 group: top10-broken-access-control
 name: Go_Medium_Threat_Stored_Absolute_Path_Traversal
 pretty_name: Stored Absolute Path Traversal - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_Stored_Relative_Path_Traversal:
 categories:
@@ -23108,6 +25063,7 @@ rules:
 group: top10-broken-access-control
 name: Go_Medium_Threat_Stored_Relative_Path_Traversal
 pretty_name: Stored Relative Path Traversal - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_Use_of_Cryptographically_Weak_PRNG:
 categories:
@@ -23121,6 +25077,7 @@ rules:
 group: top10-crypto-failures
 name: Go_Medium_Threat_Use_of_Cryptographically_Weak_PRNG
 pretty_name: Use of Cryptographically Weak PRNG - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Go_Medium_Threat_Use_of_Weak_RSA_Keys:
 categories:
@@ -23135,6 +25092,7 @@ rules:
 group: top10-crypto-failures
 name: Go_Medium_Threat_Use_of_Weak_RSA_Keys
 pretty_name: Use of Weak RSA Keys - Go
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Assign_Collection:
 categories:
@@ -23147,6 +25105,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Assign_Collection
 pretty_name: Assign Collection - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Assigning_instead_of_Comparing:
 categories:
@@ -23160,6 +25119,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Assigning_instead_of_Comparing
 pretty_name: Assigning instead of Comparing - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Comparing_instead_of_Assigning:
 categories:
@@ -23173,6 +25133,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Comparing_instead_of_Assigning
 pretty_name: Comparing instead of Assigning - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception:
 categories:
@@ -23186,6 +25147,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception
 pretty_name: Declaration Of Catch For Generic Exception - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Declaration_of_Throws_for_Generic_Exception:
 categories:
@@ -23199,6 +25161,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Declaration_of_Throws_for_Generic_Exception
 pretty_name: Declaration of Throws for Generic Exception - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Deprecated_Groovy_Code:
 categories:
@@ -23212,6 +25175,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Deprecated_Groovy_Code
 pretty_name: Deprecated Groovy Code - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Dynamic_SQL_Queries:
 categories:
@@ -23228,6 +25192,7 @@ rules:
 group: top10-injection
 name: Groovy_Best_Coding_Practice_Dynamic_SQL_Queries
 pretty_name: Dynamic SQL Queries - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Empty_Methods:
 categories:
@@ -23240,6 +25205,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Empty_Methods
 pretty_name: Empty Methods - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Explicit_Calls_To_Methods:
 categories:
@@ -23252,6 +25218,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Explicit_Calls_To_Methods
 pretty_name: Explicit Calls To Methods - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Explicit_Instantiation:
 categories:
@@ -23264,6 +25231,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Explicit_Instantiation
 pretty_name: Explicit Instantiation - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere:
 categories:
@@ -23277,6 +25245,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere
 pretty_name: Exposure of Resource to Wrong Sphere - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_GOTO_Statement:
 categories:
@@ -23294,6 +25263,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_GOTO_Statement
 pretty_name: GOTO Statement - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Getter_Method_Could_Be_Property:
 categories:
@@ -23306,6 +25276,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Getter_Method_Could_Be_Property
 pretty_name: Getter Method Could Be Property - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Hardcoded_Absolute_Path:
 categories:
@@ -23320,6 +25291,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Groovy_Best_Coding_Practice_Hardcoded_Absolute_Path
 pretty_name: Hardcoded Absolute Path - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Hardcoded_Connection_String:
 categories:
@@ -23335,6 +25307,7 @@ rules:
 group: top10-id-authn-failures
 name: Groovy_Best_Coding_Practice_Hardcoded_Connection_String
 pretty_name: Hardcoded Connection String - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Incorrect_Block_Delimitation:
 categories:
@@ -23348,6 +25321,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Incorrect_Block_Delimitation
 pretty_name: Incorrect Block Delimitation - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined:
 categories:
@@ -23360,6 +25334,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined
 pretty_name: Just One of Equals and Hash code Defined - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Missing_Default_Case_In_Switch_Statement:
 categories:
@@ -23373,6 +25348,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Missing_Default_Case_In_Switch_Statement
 pretty_name: Missing Default Case In Switch Statement - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Omitted_Break_Statement_In_Switch:
 categories:
@@ -23388,6 +25364,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Omitted_Break_Statement_In_Switch
 pretty_name: Omitted Break Statement In Switch - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J:
 categories:
@@ -23403,6 +25380,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J
 pretty_name: Potential Usage of Vulnerable Log4J - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Public_Static_Field_Not_Marked_Final:
 categories:
@@ -23416,6 +25394,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Public_Static_Field_Not_Marked_Final
 pretty_name: Public Static Field Not Marked Final - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Return_Inside_Finally_Block:
 categories:
@@ -23429,6 +25408,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Return_Inside_Finally_Block
 pretty_name: Return Inside Finally Block - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Use_Collect_Many:
 categories:
@@ -23441,6 +25421,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Use_Collect_Many
 pretty_name: Use Collect Many - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Use_Collect_Nested:
 categories:
@@ -23453,6 +25434,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Use_Collect_Nested
 pretty_name: Use Collect Nested - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Best_Coding_Practice_Use_of_Wrong_Operator_in_String_Comparison:
 categories:
@@ -23466,6 +25448,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Best_Coding_Practice_Use_of_Wrong_Operator_in_String_Comparison
 pretty_name: Use of Wrong Operator in String Comparison - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Heuristic_Heuristic_2nd_Order_SQL_Injection:
 categories:
@@ -23482,6 +25465,7 @@ rules:
 group: top10-injection
 name: Groovy_Heuristic_Heuristic_2nd_Order_SQL_Injection
 pretty_name: Heuristic 2nd Order SQL Injection - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Heuristic_Heuristic_CGI_Stored_XSS:
 categories:
@@ -23497,6 +25481,7 @@ rules:
 group: top10-injection
 name: Groovy_Heuristic_Heuristic_CGI_Stored_XSS
 pretty_name: Heuristic CGI Stored XSS - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Heuristic_Heuristic_CSRF:
 categories:
@@ -23512,6 +25497,7 @@ rules:
 group: top10-injection
 name: Groovy_Heuristic_Heuristic_CSRF
 pretty_name: Heuristic CSRF - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Heuristic_Heuristic_DB_Parameter_Tampering:
 categories:
@@ -23525,6 +25511,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Heuristic_Heuristic_DB_Parameter_Tampering
 pretty_name: Heuristic DB Parameter Tampering - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Heuristic_Heuristic_Parameter_Tampering:
 categories:
@@ -23539,6 +25526,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Heuristic_Heuristic_Parameter_Tampering
 pretty_name: Heuristic Parameter Tampering - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Heuristic_Heuristic_SQL_Injection:
 categories:
@@ -23555,6 +25543,7 @@ rules:
 group: top10-injection
 name: Groovy_Heuristic_Heuristic_SQL_Injection
 pretty_name: Heuristic SQL Injection - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Heuristic_Heuristic_Stored_XSS:
 categories:
@@ -23570,6 +25559,7 @@ rules:
 group: top10-injection
 name: Groovy_Heuristic_Heuristic_Stored_XSS
 pretty_name: Heuristic Stored XSS - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_High_Risk_Code_Injection:
 categories:
@@ -23587,6 +25577,7 @@ rules:
 group: top10-injection
 name: Groovy_High_Risk_Code_Injection
 pretty_name: Code Injection - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_High_Risk_Command_Injection:
 categories:
@@ -23604,6 +25595,7 @@ rules:
 group: top10-injection
 name: Groovy_High_Risk_Command_Injection
 pretty_name: Command Injection - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_High_Risk_Connection_String_Injection:
 categories:
@@ -23619,6 +25611,7 @@ rules:
 group: top10-injection
 name: Groovy_High_Risk_Connection_String_Injection
 pretty_name: Connection String Injection - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_High_Risk_LDAP_Injection:
 categories:
@@ -23635,6 +25628,7 @@ rules:
 group: top10-injection
 name: Groovy_High_Risk_LDAP_Injection
 pretty_name: LDAP Injection - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_High_Risk_Reflected_XSS_All_Clients:
 categories:
@@ -23651,6 +25645,7 @@ rules:
 group: top10-injection
 name: Groovy_High_Risk_Reflected_XSS_All_Clients
 pretty_name: Reflected XSS All Clients - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_High_Risk_Resource_Injection:
 categories:
@@ -23666,6 +25661,7 @@ rules:
 group: top10-injection
 name: Groovy_High_Risk_Resource_Injection
 pretty_name: Resource Injection - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_High_Risk_SQL_Injection:
 categories:
@@ -23683,6 +25679,7 @@ rules:
 group: top10-injection
 name: Groovy_High_Risk_SQL_Injection
 pretty_name: SQL Injection - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_High_Risk_Second_Order_SQL_Injection:
 categories:
@@ -23700,6 +25697,7 @@ rules:
 group: top10-injection
 name: Groovy_High_Risk_Second_Order_SQL_Injection
 pretty_name: Second Order SQL Injection - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_High_Risk_Stored_XSS:
 categories:
@@ -23716,6 +25714,7 @@ rules:
 group: top10-injection
 name: Groovy_High_Risk_Stored_XSS
 pretty_name: Stored XSS - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_High_Risk_UTF7_XSS:
 categories:
@@ -23732,6 +25731,7 @@ rules:
 group: top10-injection
 name: Groovy_High_Risk_UTF7_XSS
 pretty_name: UTF7 XSS - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_High_Risk_XPath_Injection:
 categories:
@@ -23748,6 +25748,7 @@ rules:
 group: top10-injection
 name: Groovy_High_Risk_XPath_Injection
 pretty_name: XPath Injection - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Authorization_Bypass_Through_User_Controlled_SQL_PrimaryKey:
 categories:
@@ -23762,6 +25763,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Low_Visibility_Authorization_Bypass_Through_User_Controlled_SQL_PrimaryKey
 pretty_name: Authorization Bypass Through User Controlled SQL PrimaryKey - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Blind_SQL_Injections:
 categories:
@@ -23778,6 +25780,7 @@ rules:
 group: top10-injection
 name: Groovy_Low_Visibility_Blind_SQL_Injections
 pretty_name: Blind SQL Injections - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Channel_Accessible_by_NonEndpoint:
 categories:
@@ -23793,6 +25796,7 @@ rules:
 group: top10-id-authn-failures
 name: Groovy_Low_Visibility_Channel_Accessible_by_NonEndpoint
 pretty_name: Channel Accessible by NonEndpoint - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors:
 categories:
@@ -23806,6 +25810,7 @@ rules:
 group: top10-injection
 name: Groovy_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors
 pretty_name: Cleansing Canonicalization and Comparison Errors - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Collapse_of_Data_into_Unsafe_Value:
 categories:
@@ -23819,6 +25824,7 @@ rules:
 group: top10-injection
 name: Groovy_Low_Visibility_Collapse_of_Data_into_Unsafe_Value
 pretty_name: Collapse of Data into Unsafe Value - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Creation_of_Temp_File_With_Insecure_Permissions:
 categories:
@@ -23833,6 +25839,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Low_Visibility_Creation_of_Temp_File_With_Insecure_Permissions
 pretty_name: Creation of Temp File With Insecure Permissions - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Creation_of_Temp_File_in_Dir_with_Incorrect_Permissions:
 categories:
@@ -23847,6 +25854,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Low_Visibility_Creation_of_Temp_File_in_Dir_with_Incorrect_Permissions
 pretty_name: Creation of Temp File in Dir with Incorrect Permissions - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Cross_Site_History_Manipulation:
 categories:
@@ -23862,6 +25870,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Groovy_Low_Visibility_Cross_Site_History_Manipulation
 pretty_name: Cross Site History Manipulation - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_DB_Control_of_System_or_Config_Setting:
 categories:
@@ -23874,6 +25883,7 @@ rules:
 group: top10-security-misconfiguration
 name: Groovy_Low_Visibility_DB_Control_of_System_or_Config_Setting
 pretty_name: DB Control of System or Config Setting - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Data_Leak_Between_Sessions:
 categories:
@@ -23890,6 +25900,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Low_Visibility_Data_Leak_Between_Sessions
 pretty_name: Data Leak Between Sessions - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Divide_By_Zero:
 categories:
@@ -23902,6 +25913,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Divide_By_Zero
 pretty_name: Divide By Zero - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_ESAPI_Same_Password_Repeats_Twice:
 categories:
@@ -23915,6 +25927,7 @@ rules:
 group: top10-id-authn-failures
 name: Groovy_Low_Visibility_ESAPI_Same_Password_Repeats_Twice
 pretty_name: ESAPI Same Password Repeats Twice - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Empty_Password_In_Connection_String:
 categories:
@@ -23928,6 +25941,7 @@ rules:
 group: top10-id-authn-failures
 name: Groovy_Low_Visibility_Empty_Password_In_Connection_String
 pretty_name: Empty Password In Connection String - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Escape_False:
 categories:
@@ -23943,6 +25957,7 @@ rules:
 group: top10-injection
 name: Groovy_Low_Visibility_Escape_False
 pretty_name: Escape False - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Exposure_of_System_Data:
 categories:
@@ -23957,6 +25972,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Low_Visibility_Exposure_of_System_Data
 pretty_name: Exposure of System Data - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Heap_Inspection:
 categories:
@@ -23971,6 +25987,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Low_Visibility_Heap_Inspection
 pretty_name: Heap Inspection - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Improper_Build_Of_Sql_Mapping:
 categories:
@@ -23987,6 +26004,7 @@ rules:
 group: top10-injection
 name: Groovy_Low_Visibility_Improper_Build_Of_Sql_Mapping
 pretty_name: Improper Build Of Sql Mapping - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Improper_Exception_Handling:
 categories:
@@ -23999,6 +26017,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Improper_Exception_Handling
 pretty_name: Improper Exception Handling - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Improper_Resource_Locking:
 categories:
@@ -24012,6 +26031,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Improper_Resource_Locking
 pretty_name: Improper Resource Locking - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Improper_Resource_Shutdown_or_Release:
 categories:
@@ -24025,6 +26045,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Improper_Resource_Shutdown_or_Release
 pretty_name: Improper Resource Shutdown or Release - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Improper_Session_Management:
 categories:
@@ -24038,6 +26059,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Low_Visibility_Improper_Session_Management
 pretty_name: Improper Session Management - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Improper_Transaction_Handling:
 categories:
@@ -24052,6 +26074,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Improper_Transaction_Handling
 pretty_name: Improper Transaction Handling - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Information_Exposure_Through_Debug_Log:
 categories:
@@ -24065,6 +26088,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Low_Visibility_Information_Exposure_Through_Debug_Log
 pretty_name: Information Exposure Through Debug Log - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Information_Exposure_Through_Server_Log:
 categories:
@@ -24078,6 +26102,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Low_Visibility_Information_Exposure_Through_Server_Log
 pretty_name: Information Exposure Through Server Log - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Information_Exposure_Through_an_Error_Message:
 categories:
@@ -24091,6 +26116,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Information_Exposure_Through_an_Error_Message
 pretty_name: Information Exposure Through an Error Message - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Information_Leak_Through_Comments:
 categories:
@@ -24106,6 +26132,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Low_Visibility_Information_Leak_Through_Comments
 pretty_name: Information Leak Through Comments - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Information_Leak_Through_Persistent_Cookies:
 categories:
@@ -24119,6 +26146,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Information_Leak_Through_Persistent_Cookies
 pretty_name: Information Leak Through Persistent Cookies - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Information_Leak_Through_Shell_Error_Message:
 categories:
@@ -24134,6 +26162,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Low_Visibility_Information_Leak_Through_Shell_Error_Message
 pretty_name: Information Leak Through Shell Error Message - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Insufficient_Session_Expiration:
 categories:
@@ -24148,6 +26177,7 @@ rules:
 group: top10-id-authn-failures
 name: Groovy_Low_Visibility_Insufficient_Session_Expiration
 pretty_name: Insufficient Session Expiration - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Insufficiently_Protected_Credentials:
 categories:
@@ -24162,6 +26192,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Insufficiently_Protected_Credentials
 pretty_name: Insufficiently Protected Credentials - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Integer_Overflow:
 categories:
@@ -24178,6 +26209,7 @@ rules:
 group: top10-injection
 name: Groovy_Low_Visibility_Integer_Overflow
 pretty_name: Integer Overflow - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Integer_Underflow:
 categories:
@@ -24192,6 +26224,7 @@ rules:
 group: top10-injection
 name: Groovy_Low_Visibility_Integer_Underflow
 pretty_name: Integer Underflow - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Leaving_Temporary_File:
 categories:
@@ -24204,6 +26237,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Low_Visibility_Leaving_Temporary_File
 pretty_name: Leaving Temporary File - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Log_Forging:
 categories:
@@ -24216,6 +26250,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: Groovy_Low_Visibility_Log_Forging
 pretty_name: Log Forging - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Logic_Time_Bomb:
 categories:
@@ -24229,6 +26264,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: Groovy_Low_Visibility_Logic_Time_Bomb
 pretty_name: Logic Time Bomb - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Missing_Password_Field_Masking:
 categories:
@@ -24242,6 +26278,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Missing_Password_Field_Masking
 pretty_name: Missing Password Field Masking - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Not_Using_a_Random_IV_with_CBC_Mode:
 categories:
@@ -24256,6 +26293,7 @@ rules:
 group: top10-crypto-failures
 name: Groovy_Low_Visibility_Not_Using_a_Random_IV_with_CBC_Mode
 pretty_name: Not Using a Random IV with CBC Mode - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Object_Hijack:
 categories:
@@ -24270,6 +26308,7 @@ rules:
 group: top10-injection
 name: Groovy_Low_Visibility_Object_Hijack
 pretty_name: Object Hijack - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Off_by_One_Error:
 categories:
@@ -24283,6 +26322,7 @@ rules:
 group: top10-injection
 name: Groovy_Low_Visibility_Off_by_One_Error
 pretty_name: Off by One Error - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Open_Redirect:
 categories:
@@ -24297,6 +26337,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Low_Visibility_Open_Redirect
 pretty_name: Open Redirect - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Parse_Double_DoS:
 categories:
@@ -24309,6 +26350,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Parse_Double_DoS
 pretty_name: Parse Double DoS - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Plaintext_Storage_in_a_Cookie:
 categories:
@@ -24320,6 +26362,7 @@ rules:
 group: top10-security-misconfiguration
 name: Groovy_Low_Visibility_Plaintext_Storage_in_a_Cookie
 pretty_name: Plaintext Storage in a Cookie - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Potenial_UTF7_XSS:
 categories:
@@ -24335,6 +26378,7 @@ rules:
 group: top10-injection
 name: Groovy_Low_Visibility_Potenial_UTF7_XSS
 pretty_name: Potenial UTF7 XSS - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Potential_ReDoS:
 categories:
@@ -24350,6 +26394,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Potential_ReDoS
 pretty_name: Potential ReDoS - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Potential_ReDoS_By_Injection:
 categories:
@@ -24365,6 +26410,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Potential_ReDoS_By_Injection
 pretty_name: Potential ReDoS By Injection - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Potential_ReDoS_In_Match:
 categories:
@@ -24380,6 +26426,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Potential_ReDoS_In_Match
 pretty_name: Potential ReDoS In Match - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Potential_ReDoS_In_Replace:
 categories:
@@ -24395,6 +26442,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Potential_ReDoS_In_Replace
 pretty_name: Potential ReDoS In Replace - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Potential_ReDoS_In_Static_Field:
 categories:
@@ -24410,6 +26458,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Potential_ReDoS_In_Static_Field
 pretty_name: Potential ReDoS In Static Field - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Public_Static_Final_References_Mutable_Object:
 categories:
@@ -24424,6 +26473,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Public_Static_Final_References_Mutable_Object
 pretty_name: Public Static Final References Mutable Object - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Race_Condition:
 categories:
@@ -24440,6 +26490,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Race_Condition
 pretty_name: Race Condition - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Race_Condition_Format_Flaw:
 categories:
@@ -24456,6 +26507,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Race_Condition_Format_Flaw
 pretty_name: Race Condition Format Flaw - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Reliance_on_Cookies_in_a_Decision:
 categories:
@@ -24470,6 +26522,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Groovy_Low_Visibility_Reliance_on_Cookies_in_a_Decision
 pretty_name: Reliance on Cookies in a Decision - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision:
 categories:
@@ -24484,6 +26537,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision
 pretty_name: Reliance on DNS Lookups in a Decision - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Reversible_One_Way_Hash:
 categories:
@@ -24500,6 +26554,7 @@ rules:
 group: top10-crypto-failures
 name: Groovy_Low_Visibility_Reversible_One_Way_Hash
 pretty_name: Reversible One Way Hash - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Sensitive_Cookie_in_HTTPS_Session_Without_Secure_Attribute:
 categories:
@@ -24513,6 +26568,7 @@ rules:
 group: top10-security-misconfiguration
 name: Groovy_Low_Visibility_Sensitive_Cookie_in_HTTPS_Session_Without_Secure_Attribute
 pretty_name: Sensitive Cookie in HTTPS Session Without Secure Attribute - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Serializable_Class_Containing_Sensitive_Data:
 categories:
@@ -24527,6 +26583,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Low_Visibility_Serializable_Class_Containing_Sensitive_Data
 pretty_name: Serializable Class Containing Sensitive Data - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Spring_defaultHtmlEscape_Not_True:
 categories:
@@ -24540,6 +26597,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Spring_defaultHtmlEscape_Not_True
 pretty_name: Spring defaultHtmlEscape Not True - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Storing_Passwords_in_a_Recoverable_Format:
 categories:
@@ -24558,6 +26616,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Storing_Passwords_in_a_Recoverable_Format
 pretty_name: Storing Passwords in a Recoverable Format - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_TOCTOU:
 categories:
@@ -24573,6 +26632,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_TOCTOU
 pretty_name: TOCTOU - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables:
 categories:
@@ -24586,6 +26646,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables
 pretty_name: Trust Boundary Violation in Session Variables - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Uncaught_Exception:
 categories:
@@ -24598,6 +26659,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Uncaught_Exception
 pretty_name: Uncaught Exception - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Unchecked_Return_Value_to_NULL_Pointer_Dereference:
 categories:
@@ -24612,6 +26674,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Unchecked_Return_Value_to_NULL_Pointer_Dereference
 pretty_name: Unchecked Return Value to NULL Pointer Dereference - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Uncontrolled_Format_String:
 categories:
@@ -24625,6 +26688,7 @@ rules:
 group: top10-injection
 name: Groovy_Low_Visibility_Uncontrolled_Format_String
 pretty_name: Uncontrolled Format String - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Uncontrolled_Memory_Allocation:
 categories:
@@ -24639,6 +26703,7 @@ rules:
 group: top10-injection
 name: Groovy_Low_Visibility_Uncontrolled_Memory_Allocation
 pretty_name: Uncontrolled Memory Allocation - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Unsynchronized_Access_To_Shared_Data:
 categories:
@@ -24653,6 +26718,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Low_Visibility_Unsynchronized_Access_To_Shared_Data
 pretty_name: Unsynchronized Access To Shared Data - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Use_Of_Hardcoded_Password:
 categories:
@@ -24666,6 +26732,7 @@ rules:
 group: top10-id-authn-failures
 name: Groovy_Low_Visibility_Use_Of_Hardcoded_Password
 pretty_name: Use Of Hardcoded Password - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Use_Of_getenv:
 categories:
@@ -24680,6 +26747,7 @@ rules:
 group: top10-injection
 name: Groovy_Low_Visibility_Use_Of_getenv
 pretty_name: Use Of getenv - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm:
 categories:
@@ -24692,6 +26760,7 @@ rules:
 group: top10-crypto-failures
 name: Groovy_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm
 pretty_name: Use of Broken or Risky Cryptographic Algorithm - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Use_of_Client_Side_Authentication:
 categories:
@@ -24706,6 +26775,7 @@ rules:
 group: top10-id-authn-failures
 name: Groovy_Low_Visibility_Use_of_Client_Side_Authentication
 pretty_name: Use of Client Side Authentication - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Use_of_Hard_coded_Security_Constants:
 categories:
@@ -24719,6 +26789,7 @@ rules:
 group: top10-security-misconfiguration
 name: Groovy_Low_Visibility_Use_of_Hard_coded_Security_Constants
 pretty_name: Use of Hard coded Security Constants - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP:
 categories:
@@ -24732,6 +26803,7 @@ rules:
 group: top10-crypto-failures
 name: Groovy_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP
 pretty_name: Use of RSA Algorithm without OAEP - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Low_Visibility_Using_Referer_Field_for_Authentication:
 categories:
@@ -24745,6 +26817,7 @@ rules:
 group: top10-id-authn-failures
 name: Groovy_Low_Visibility_Using_Referer_Field_for_Authentication
 pretty_name: Using Referer Field for Authentication - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Absolute_Path_Traversal:
 categories:
@@ -24760,6 +26833,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Medium_Threat_Absolute_Path_Traversal
 pretty_name: Absolute Path Traversal - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_CGI_Reflected_XSS_All_Clients:
 categories:
@@ -24775,6 +26849,7 @@ rules:
 group: top10-injection
 name: Groovy_Medium_Threat_CGI_Reflected_XSS_All_Clients
 pretty_name: CGI Reflected XSS All Clients - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_CGI_Stored_XSS:
 categories:
@@ -24790,6 +26865,7 @@ rules:
 group: top10-injection
 name: Groovy_Medium_Threat_CGI_Stored_XSS
 pretty_name: CGI Stored XSS - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_CSRF:
 categories:
@@ -24805,6 +26881,7 @@ rules:
 group: top10-injection
 name: Groovy_Medium_Threat_CSRF
 pretty_name: CSRF - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Cleartext_Submission_of_Sensitive_Information:
 categories:
@@ -24818,6 +26895,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Medium_Threat_Cleartext_Submission_of_Sensitive_Information
 pretty_name: Cleartext Submission of Sensitive Information - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_DB_Parameter_Tampering:
 categories:
@@ -24831,6 +26909,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Medium_Threat_DB_Parameter_Tampering
 pretty_name: DB Parameter Tampering - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Dangerous_File_Inclusion:
 categories:
@@ -24844,6 +26923,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Groovy_Medium_Threat_Dangerous_File_Inclusion
 pretty_name: Dangerous File Inclusion - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Direct_Use_of_Unsafe_JNI:
 categories:
@@ -24858,6 +26938,7 @@ rules:
 group: top10-injection
 name: Groovy_Medium_Threat_Direct_Use_of_Unsafe_JNI
 pretty_name: Direct Use of Unsafe JNI - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_DoS_by_Sleep:
 categories:
@@ -24870,6 +26951,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Medium_Threat_DoS_by_Sleep
 pretty_name: DoS by Sleep - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_External_Control_of_Critical_State_Data:
 categories:
@@ -24884,6 +26966,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Medium_Threat_External_Control_of_Critical_State_Data
 pretty_name: External Control of Critical State Data - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_External_Control_of_System_or_Config_Setting:
 categories:
@@ -24896,6 +26979,7 @@ rules:
 group: top10-security-misconfiguration
 name: Groovy_Medium_Threat_External_Control_of_System_or_Config_Setting
 pretty_name: External Control of System or Config Setting - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_HTTP_Response_Splitting:
 categories:
@@ -24910,6 +26994,7 @@ rules:
 group: top10-injection
 name: Groovy_Medium_Threat_HTTP_Response_Splitting
 pretty_name: HTTP Response Splitting - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Hardcoded_password_in_Connection_String:
 categories:
@@ -24923,6 +27008,7 @@ rules:
 group: top10-security-misconfiguration
 name: Groovy_Medium_Threat_Hardcoded_password_in_Connection_String
 pretty_name: Hardcoded password in Connection String - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_HttpOnlyCookies:
 categories:
@@ -24935,6 +27021,7 @@ rules:
 group: top10-security-misconfiguration
 name: Groovy_Medium_Threat_HttpOnlyCookies
 pretty_name: HttpOnlyCookies - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_HttpOnlyCookies_In_Config:
 categories:
@@ -24947,6 +27034,7 @@ rules:
 group: top10-security-misconfiguration
 name: Groovy_Medium_Threat_HttpOnlyCookies_In_Config
 pretty_name: HttpOnlyCookies In Config - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Improper_Locking:
 categories:
@@ -24960,6 +27048,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Medium_Threat_Improper_Locking
 pretty_name: Improper Locking - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Input_Path_Not_Canonicalized:
 categories:
@@ -24973,6 +27062,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Medium_Threat_Input_Path_Not_Canonicalized
 pretty_name: Input Path Not Canonicalized - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Multiple_Binds_to_the_Same_Port:
 categories:
@@ -24986,6 +27076,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Medium_Threat_Multiple_Binds_to_the_Same_Port
 pretty_name: Multiple Binds to the Same Port - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Parameter_Tampering:
 categories:
@@ -25000,6 +27091,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Medium_Threat_Parameter_Tampering
 pretty_name: Parameter Tampering - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Plaintext_Storage_of_a_Password:
 categories:
@@ -25012,6 +27104,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Medium_Threat_Plaintext_Storage_of_a_Password
 pretty_name: Plaintext Storage of a Password - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Privacy_Violation:
 categories:
@@ -25027,6 +27120,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Medium_Threat_Privacy_Violation
 pretty_name: Privacy Violation - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Process_Control:
 categories:
@@ -25041,6 +27135,7 @@ rules:
 group: top10-injection
 name: Groovy_Medium_Threat_Process_Control
 pretty_name: Process Control - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_ReDoS_From_Regex_Injection:
 categories:
@@ -25056,6 +27151,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Medium_Threat_ReDoS_From_Regex_Injection
 pretty_name: ReDoS From Regex Injection - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_ReDoS_In_Match:
 categories:
@@ -25071,6 +27167,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Medium_Threat_ReDoS_In_Match
 pretty_name: ReDoS In Match - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_ReDoS_In_Pattern:
 categories:
@@ -25086,6 +27183,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Medium_Threat_ReDoS_In_Pattern
 pretty_name: ReDoS In Pattern - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_ReDoS_In_Replace:
 categories:
@@ -25101,6 +27199,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Medium_Threat_ReDoS_In_Replace
 pretty_name: ReDoS In Replace - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Relative_Path_Traversal:
 categories:
@@ -25115,6 +27214,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Medium_Threat_Relative_Path_Traversal
 pretty_name: Relative Path Traversal - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Reliance_on_Cookies_without_Validation:
 categories:
@@ -25129,6 +27229,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Groovy_Medium_Threat_Reliance_on_Cookies_without_Validation
 pretty_name: Reliance on Cookies without Validation - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_SQL_Injection_Evasion_Attack:
 categories:
@@ -25145,6 +27246,7 @@ rules:
 group: top10-injection
 name: Groovy_Medium_Threat_SQL_Injection_Evasion_Attack
 pretty_name: SQL Injection Evasion Attack - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Same_Seed_in_PRNG:
 categories:
@@ -25158,6 +27260,7 @@ rules:
 group: top10-crypto-failures
 name: Groovy_Medium_Threat_Same_Seed_in_PRNG
 pretty_name: Same Seed in PRNG - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Session_Fixation:
 categories:
@@ -25172,6 +27275,7 @@ rules:
 group: top10-id-authn-failures
 name: Groovy_Medium_Threat_Session_Fixation
 pretty_name: Session Fixation - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Spring_ModelView_Injection:
 categories:
@@ -25187,6 +27291,7 @@ rules:
 group: top10-injection
 name: Groovy_Medium_Threat_Spring_ModelView_Injection
 pretty_name: Spring ModelView Injection - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Stored_Absolute_Path_Traversal:
 categories:
@@ -25202,6 +27307,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Medium_Threat_Stored_Absolute_Path_Traversal
 pretty_name: Stored Absolute Path Traversal - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Stored_Command_Injection:
 categories:
@@ -25218,6 +27324,7 @@ rules:
 group: top10-injection
 name: Groovy_Medium_Threat_Stored_Command_Injection
 pretty_name: Stored Command Injection - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Stored_LDAP_Injection:
 categories:
@@ -25233,6 +27340,7 @@ rules:
 group: top10-injection
 name: Groovy_Medium_Threat_Stored_LDAP_Injection
 pretty_name: Stored LDAP Injection - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Stored_Relative_Path_Traversal:
 categories:
@@ -25247,6 +27355,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Medium_Threat_Stored_Relative_Path_Traversal
 pretty_name: Stored Relative Path Traversal - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Unchecked_Input_for_Loop_Condition:
 categories:
@@ -25261,6 +27370,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Medium_Threat_Unchecked_Input_for_Loop_Condition
 pretty_name: Unchecked Input for Loop Condition - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Unnormalize_Input_String:
 categories:
@@ -25276,6 +27386,7 @@ rules:
 group: top10-injection
 name: Groovy_Medium_Threat_Unnormalize_Input_String
 pretty_name: Unnormalize Input String - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Unvalidated_Forwards:
 categories:
@@ -25288,6 +27399,7 @@ rules:
 group: top10-injection
 name: Groovy_Medium_Threat_Unvalidated_Forwards
 pretty_name: Unvalidated Forwards - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Use_of_Cryptographically_Weak_PRNG:
 categories:
@@ -25301,6 +27413,7 @@ rules:
 group: top10-crypto-failures
 name: Groovy_Medium_Threat_Use_of_Cryptographically_Weak_PRNG
 pretty_name: Use of Cryptographically Weak PRNG - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key:
 categories:
@@ -25314,6 +27427,7 @@ rules:
 group: top10-crypto-failures
 name: Groovy_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key
 pretty_name: Use of Hard coded Cryptographic Key - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Use_of_Insufficiently_Random_Values:
 categories:
@@ -25327,6 +27441,7 @@ rules:
 group: top10-crypto-failures
 name: Groovy_Medium_Threat_Use_of_Insufficiently_Random_Values
 pretty_name: Use of Insufficiently Random Values - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Use_of_Native_Language:
 categories:
@@ -25340,6 +27455,7 @@ rules:
 group: top10-injection
 name: Groovy_Medium_Threat_Use_of_Native_Language
 pretty_name: Use of Native Language - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Use_of_System_exit:
 categories:
@@ -25353,6 +27469,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Medium_Threat_Use_of_System_exit
 pretty_name: Use of System exit - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Use_of_a_One_Way_Hash_with_a_Predictable_Salt:
 categories:
@@ -25367,6 +27484,7 @@ rules:
 group: top10-crypto-failures
 name: Groovy_Medium_Threat_Use_of_a_One_Way_Hash_with_a_Predictable_Salt
 pretty_name: Use of a One Way Hash with a Predictable Salt - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt:
 categories:
@@ -25381,6 +27499,7 @@ rules:
 group: top10-crypto-failures
 name: Groovy_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt
 pretty_name: Use of a One Way Hash without a Salt - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Stored_Stored_Boundary_Violation:
 categories:
@@ -25396,6 +27515,7 @@ rules:
 group: top10-insecure-design
 name: Groovy_Stored_Stored_Boundary_Violation
 pretty_name: Stored Boundary Violation - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Stored_Stored_Code_Injection:
 categories:
@@ -25412,6 +27532,7 @@ rules:
 group: top10-injection
 name: Groovy_Stored_Stored_Code_Injection
 pretty_name: Stored Code Injection - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Stored_Stored_HTTP_Response_Splitting:
 categories:
@@ -25426,6 +27547,7 @@ rules:
 group: top10-injection
 name: Groovy_Stored_Stored_HTTP_Response_Splitting
 pretty_name: Stored HTTP Response Splitting - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Stored_Stored_Open_Redirect:
 categories:
@@ -25440,6 +27562,7 @@ rules:
 group: top10-broken-access-control
 name: Groovy_Stored_Stored_Open_Redirect
 pretty_name: Stored Open Redirect - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Groovy_Stored_Stored_XPath_Injection:
 categories:
@@ -25455,6 +27578,7 @@ rules:
 group: top10-injection
 name: Groovy_Stored_Stored_XPath_Injection
 pretty_name: Stored XPath Injection - Groovy
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_AWS_Lambda_DynamoDB_NoSQL_Injection:
 categories:
@@ -25471,6 +27595,7 @@ rules:
 group: top10-injection
 name: JavaScript_AWS_Lambda_DynamoDB_NoSQL_Injection
 pretty_name: DynamoDB NoSQL Injection - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_AWS_Lambda_Permission_Manipulation_in_S3:
 categories:
@@ -25484,6 +27609,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_AWS_Lambda_Permission_Manipulation_in_S3
 pretty_name: Permission Manipulation in S3 - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_AWS_Lambda_Race_Condition_Concurrent_Instances:
 categories:
@@ -25498,6 +27624,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_AWS_Lambda_Race_Condition_Concurrent_Instances
 pretty_name: Race Condition Concurrent Instances - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_AWS_Lambda_Unrestricted_Read_S3:
 categories:
@@ -25512,6 +27639,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_AWS_Lambda_Unrestricted_Read_S3
 pretty_name: Unrestricted Read S3 - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_AWS_Lambda_Unrestricted_Write_S3:
 categories:
@@ -25526,6 +27654,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_AWS_Lambda_Unrestricted_Write_S3
 pretty_name: Unrestricted Write S3 - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_AWS_Lambda_User_Based_SDK_Configurations:
 categories:
@@ -25538,6 +27667,7 @@ rules:
 group: top10-security-misconfiguration
 name: JavaScript_AWS_Lambda_User_Based_SDK_Configurations
 pretty_name: User Based SDK Configurations - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Angular_Angular_Client_DOM_XSS:
 categories:
@@ -25553,6 +27683,7 @@ rules:
 group: top10-injection
 name: JavaScript_Angular_Angular_Client_DOM_XSS
 pretty_name: Angular Client DOM XSS - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Angular_Angular_Client_Stored_DOM_XSS:
 categories:
@@ -25568,6 +27699,7 @@ rules:
 group: top10-injection
 name: JavaScript_Angular_Angular_Client_Stored_DOM_XSS
 pretty_name: Angular Client Stored DOM XSS - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Angular_Angular_Deprecated_API:
 categories:
@@ -25580,6 +27712,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Angular_Angular_Deprecated_API
 pretty_name: Angular Deprecated API - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Angular_Angular_Improper_Type_Pipe_Usage:
 categories:
@@ -25592,6 +27725,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Angular_Angular_Improper_Type_Pipe_Usage
 pretty_name: Angular Improper Type Pipe Usage - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Angular_Angular_Usage_of_Unsafe_DOM_Sanitizer:
 categories:
@@ -25606,6 +27740,7 @@ rules:
 group: top10-injection
 name: JavaScript_Angular_Angular_Usage_of_Unsafe_DOM_Sanitizer
 pretty_name: Angular Usage of Unsafe DOM Sanitizer - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Best_Coding_Practice_Avoid_the_Use_of_FinalizationRegistry:
 categories:
@@ -25619,6 +27754,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Best_Coding_Practice_Avoid_the_Use_of_FinalizationRegistry
 pretty_name: Avoid the Use of FinalizationRegistry - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Best_Coding_Practice_Avoid_the_Use_of_WeakRef:
 categories:
@@ -25632,6 +27768,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Best_Coding_Practice_Avoid_the_Use_of_WeakRef
 pretty_name: Avoid the Use of WeakRef - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Best_Coding_Practice_Hardcoded_Absolute_Path:
 categories:
@@ -25646,6 +27783,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: JavaScript_Best_Coding_Practice_Hardcoded_Absolute_Path
 pretty_name: Hardcoded Absolute Path - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Best_Coding_Practice_React_Multiple_Classes_With_Same_Name:
 categories:
@@ -25659,6 +27797,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Best_Coding_Practice_React_Multiple_Classes_With_Same_Name
 pretty_name: React Multiple Classes With Same Name - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Best_Coding_Practice_Use_Of_Multiple_Mixins:
 categories:
@@ -25673,6 +27812,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Best_Coding_Practice_Use_Of_Multiple_Mixins
 pretty_name: Use Of Multiple Mixins - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Cordova_Cordova_Code_Injection:
 categories:
@@ -25689,6 +27829,7 @@ rules:
 group: top10-injection
 name: JavaScript_Cordova_Cordova_Code_Injection
 pretty_name: Cordova Code Injection - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Cordova_Cordova_File_Disclosure:
 categories:
@@ -25703,6 +27844,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Cordova_Cordova_File_Disclosure
 pretty_name: Cordova File Disclosure - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Cordova_Cordova_File_Manipulation:
 categories:
@@ -25716,6 +27858,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Cordova_Cordova_File_Manipulation
 pretty_name: Cordova File Manipulation - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Cordova_Cordova_Insufficient_Domain_Whitelist:
 categories:
@@ -25728,6 +27871,7 @@ rules:
 group: top10-security-misconfiguration
 name: JavaScript_Cordova_Cordova_Insufficient_Domain_Whitelist
 pretty_name: Cordova Insufficient Domain Whitelist - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Cordova_Cordova_Missing_Content_Security_Policy:
 categories:
@@ -25741,6 +27885,7 @@ rules:
 group: top10-id-authn-failures
 name: JavaScript_Cordova_Cordova_Missing_Content_Security_Policy
 pretty_name: Cordova Missing Content Security Policy - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Cordova_Cordova_Open_Redirect:
 categories:
@@ -25755,6 +27900,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Cordova_Cordova_Open_Redirect
 pretty_name: Cordova Open Redirect - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Cordova_Cordova_Permissive_Content_Security_Policy:
 categories:
@@ -25768,6 +27914,7 @@ rules:
 group: top10-id-authn-failures
 name: JavaScript_Cordova_Cordova_Permissive_Content_Security_Policy
 pretty_name: Cordova Permissive Content Security Policy - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Cordova_Cordova_Privacy_Violation:
 categories:
@@ -25783,6 +27930,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Cordova_Cordova_Privacy_Violation
 pretty_name: Cordova Privacy Violation - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_High_Risk_Client_DOM_Code_Injection:
 categories:
@@ -25800,6 +27948,7 @@ rules:
 group: top10-injection
 name: JavaScript_High_Risk_Client_DOM_Code_Injection
 pretty_name: Client DOM Code Injection - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_High_Risk_Client_DOM_Stored_Code_Injection:
 categories:
@@ -25817,6 +27966,7 @@ rules:
 group: top10-injection
 name: JavaScript_High_Risk_Client_DOM_Stored_Code_Injection
 pretty_name: Client DOM Stored Code Injection - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_High_Risk_Client_DOM_Stored_XSS:
 categories:
@@ -25833,6 +27983,7 @@ rules:
 group: top10-injection
 name: JavaScript_High_Risk_Client_DOM_Stored_XSS
 pretty_name: Client DOM Stored XSS - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_High_Risk_Client_DOM_XSS:
 categories:
@@ -25849,6 +28000,7 @@ rules:
 group: top10-injection
 name: JavaScript_High_Risk_Client_DOM_XSS
 pretty_name: Client DOM XSS - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_High_Risk_Client_Dynamic_File_Inclusion:
 categories:
@@ -25863,6 +28015,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: JavaScript_High_Risk_Client_Dynamic_File_Inclusion
 pretty_name: Client Dynamic File Inclusion - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_High_Risk_Client_Resource_Injection:
 categories:
@@ -25878,6 +28031,7 @@ rules:
 group: top10-injection
 name: JavaScript_High_Risk_Client_Resource_Injection
 pretty_name: Client Resource Injection - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_High_Risk_Client_SQL_Injection:
 categories:
@@ -25895,6 +28049,7 @@ rules:
 group: top10-injection
 name: JavaScript_High_Risk_Client_SQL_Injection
 pretty_name: Client SQL Injection - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_High_Risk_Client_Second_Order_Sql_Injection:
 categories:
@@ -25912,6 +28067,7 @@ rules:
 group: top10-injection
 name: JavaScript_High_Risk_Client_Second_Order_Sql_Injection
 pretty_name: Client Second Order Sql Injection - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_High_Risk_Deserialization_of_Untrusted_Data:
 categories:
@@ -25927,6 +28083,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: JavaScript_High_Risk_Deserialization_of_Untrusted_Data
 pretty_name: Deserialization of Untrusted Data - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_High_Risk_Prototype_Pollution:
 categories:
@@ -25941,6 +28098,7 @@ rules:
 group: top10-injection
 name: JavaScript_High_Risk_Prototype_Pollution
 pretty_name: Prototype Pollution - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Jelly_Jelly_Injection:
 categories:
@@ -25958,6 +28116,7 @@ rules:
 group: top10-injection
 name: JavaScript_Jelly_Jelly_Injection
 pretty_name: Jelly Injection - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Jelly_Jelly_XSS:
 categories:
@@ -25974,6 +28133,7 @@ rules:
 group: top10-injection
 name: JavaScript_Jelly_Jelly_XSS
 pretty_name: Jelly XSS - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Cookies_Inspection:
 categories:
@@ -25985,6 +28145,7 @@ rules:
 group: top10-security-misconfiguration
 name: JavaScript_Low_Visibility_Client_Cookies_Inspection
 pretty_name: Client Cookies Inspection - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Cross_Session_Contamination:
 categories:
@@ -25999,6 +28160,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Low_Visibility_Client_Cross_Session_Contamination
 pretty_name: Client Cross Session Contamination - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_DOM_Open_Redirect:
 categories:
@@ -26013,6 +28175,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Low_Visibility_Client_DOM_Open_Redirect
 pretty_name: Client DOM Open Redirect - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Empty_Password:
 categories:
@@ -26026,6 +28189,7 @@ rules:
 group: top10-id-authn-failures
 name: JavaScript_Low_Visibility_Client_Empty_Password
 pretty_name: Client Empty Password - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_HTML5_Easy_To_Guess_Database_Name:
 categories:
@@ -26039,6 +28203,7 @@ rules:
 group: top10-crypto-failures
 name: JavaScript_Low_Visibility_Client_HTML5_Easy_To_Guess_Database_Name
 pretty_name: Client HTML5 Easy To Guess Database Name - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_HTML5_Heuristic_Session_Insecure_Storage:
 categories:
@@ -26052,6 +28217,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Low_Visibility_Client_HTML5_Heuristic_Session_Insecure_Storage
 pretty_name: Client HTML5 Heuristic Session Insecure Storage - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Hardcoded_Domain:
 categories:
@@ -26065,6 +28231,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: JavaScript_Low_Visibility_Client_Hardcoded_Domain
 pretty_name: Client Hardcoded Domain - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Heuristic_Poor_XSS_Validation:
 categories:
@@ -26080,6 +28247,7 @@ rules:
 group: top10-injection
 name: JavaScript_Low_Visibility_Client_Heuristic_Poor_XSS_Validation
 pretty_name: Client Heuristic Poor XSS Validation - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Insecure_Randomness:
 categories:
@@ -26093,6 +28261,7 @@ rules:
 group: top10-crypto-failures
 name: JavaScript_Low_Visibility_Client_Insecure_Randomness
 pretty_name: Client Insecure Randomness - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Insufficient_Key_Size:
 categories:
@@ -26108,6 +28277,7 @@ rules:
 group: top10-crypto-failures
 name: JavaScript_Low_Visibility_Client_Insufficient_Key_Size
 pretty_name: Client Insufficient Key Size - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_JQuery_Deprecated_Symbols:
 categories:
@@ -26121,6 +28291,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Low_Visibility_Client_JQuery_Deprecated_Symbols
 pretty_name: Client JQuery Deprecated Symbols - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Located_JQuery_Outdated_Lib_File:
 categories:
@@ -26134,6 +28305,7 @@ rules:
 group: top10-vulnerable-components
 name: JavaScript_Low_Visibility_Client_Located_JQuery_Outdated_Lib_File
 pretty_name: Client Located JQuery Outdated Lib File - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Negative_Content_Length:
 categories:
@@ -26146,6 +28318,7 @@ rules:
 group: top10-injection
 name: JavaScript_Low_Visibility_Client_Negative_Content_Length
 pretty_name: Client Negative Content Length - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Null_Password:
 categories:
@@ -26159,6 +28332,7 @@ rules:
 group: top10-id-authn-failures
 name: JavaScript_Low_Visibility_Client_Null_Password
 pretty_name: Client Null Password - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Overly_Permissive_Message_Posting:
 categories:
@@ -26171,6 +28345,7 @@ rules:
 group: top10-security-misconfiguration
 name: JavaScript_Low_Visibility_Client_Overly_Permissive_Message_Posting
 pretty_name: Client Overly Permissive Message Posting - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Password_In_Comment:
 categories:
@@ -26186,6 +28361,7 @@ rules:
 group: top10-id-authn-failures
 name: JavaScript_Low_Visibility_Client_Password_In_Comment
 pretty_name: Client Password In Comment - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Password_Weak_Encryption:
 categories:
@@ -26199,6 +28375,7 @@ rules:
 group: top10-crypto-failures
 name: JavaScript_Low_Visibility_Client_Password_Weak_Encryption
 pretty_name: Client Password Weak Encryption - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Potential_Ad_Hoc_Ajax:
 categories:
@@ -26212,6 +28389,7 @@ rules:
 group: top10-injection
 name: JavaScript_Low_Visibility_Client_Potential_Ad_Hoc_Ajax
 pretty_name: Client Potential Ad Hoc Ajax - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Potential_DOM_Open_Redirect:
 categories:
@@ -26226,6 +28404,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Low_Visibility_Client_Potential_DOM_Open_Redirect
 pretty_name: Client Potential DOM Open Redirect - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Potential_ReDoS_In_Match:
 categories:
@@ -26241,6 +28420,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Low_Visibility_Client_Potential_ReDoS_In_Match
 pretty_name: Client Potential ReDoS In Match - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Potential_ReDoS_In_Replace:
 categories:
@@ -26256,6 +28436,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Low_Visibility_Client_Potential_ReDoS_In_Replace
 pretty_name: Client Potential ReDoS In Replace - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Regex_Injection:
 categories:
@@ -26271,6 +28452,7 @@ rules:
 group: top10-injection
 name: JavaScript_Low_Visibility_Client_Regex_Injection
 pretty_name: Client Regex Injection - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Remote_File_Inclusion:
 categories:
@@ -26284,6 +28466,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: JavaScript_Low_Visibility_Client_Remote_File_Inclusion
 pretty_name: Client Remote File Inclusion - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Server_Empty_Password:
 categories:
@@ -26297,6 +28480,7 @@ rules:
 group: top10-id-authn-failures
 name: JavaScript_Low_Visibility_Client_Server_Empty_Password
 pretty_name: Client Server Empty Password - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Use_Of_Deprecated_SQL_Database:
 categories:
@@ -26309,6 +28493,7 @@ rules:
 group: top10-vulnerable-components
 name: JavaScript_Low_Visibility_Client_Use_Of_Deprecated_SQL_Database
 pretty_name: Client Use Of Deprecated SQL Database - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Use_Of_Iframe_Without_Sandbox:
 categories:
@@ -26322,6 +28507,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: JavaScript_Low_Visibility_Client_Use_Of_Iframe_Without_Sandbox
 pretty_name: Client Use Of Iframe Without Sandbox - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Weak_Cryptographic_Hash:
 categories:
@@ -26337,6 +28523,7 @@ rules:
 group: top10-crypto-failures
 name: JavaScript_Low_Visibility_Client_Weak_Cryptographic_Hash
 pretty_name: Client Weak Cryptographic Hash - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Weak_Encryption:
 categories:
@@ -26349,6 +28536,7 @@ rules:
 group: top10-crypto-failures
 name: JavaScript_Low_Visibility_Client_Weak_Encryption
 pretty_name: Client Weak Encryption - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Client_Weak_Password_Authentication:
 categories:
@@ -26364,6 +28552,7 @@ rules:
 group: top10-id-authn-failures
 name: JavaScript_Low_Visibility_Client_Weak_Password_Authentication
 pretty_name: Client Weak Password Authentication - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Information_Exposure_Through_Query_Strings:
 categories:
@@ -26378,6 +28567,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Low_Visibility_Information_Exposure_Through_Query_Strings
 pretty_name: Information Exposure Through Query Strings - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Insufficiently_Protected_Credentials:
 categories:
@@ -26392,6 +28582,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Low_Visibility_Insufficiently_Protected_Credentials
 pretty_name: Insufficiently Protected Credentials - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Not_Using_a_Random_IV:
 categories:
@@ -26406,6 +28597,7 @@ rules:
 group: top10-crypto-failures
 name: JavaScript_Low_Visibility_Not_Using_a_Random_IV
 pretty_name: Not Using a Random IV - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy:
 categories:
@@ -26419,6 +28611,7 @@ rules:
 group: top10-id-authn-failures
 name: JavaScript_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy
 pretty_name: Overly Permissive Cross Origin Resource Sharing Policy - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Potential_Clickjacking_on_Legacy_Browsers:
 categories:
@@ -26432,6 +28625,7 @@ rules:
 group: top10-injection
 name: JavaScript_Low_Visibility_Potential_Clickjacking_on_Legacy_Browsers
 pretty_name: Potential Clickjacking on Legacy Browsers - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_React_Deprecated:
 categories:
@@ -26445,6 +28639,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Low_Visibility_React_Deprecated
 pretty_name: React Deprecated - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Unsafe_Use_Of_Target_blank:
 categories:
@@ -26460,6 +28655,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Low_Visibility_Unsafe_Use_Of_Target_blank
 pretty_name: Unsafe Use Of Target blank - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Low_Visibility_Use_Of_Controlled_Input_On_Sensitive_Field:
 categories:
@@ -26473,6 +28669,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Low_Visibility_Use_Of_Controlled_Input_On_Sensitive_Field
 pretty_name: Use Of Controlled Input On Sensitive Field - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_AngularJS_SCE_Disabled:
 categories:
@@ -26488,6 +28685,7 @@ rules:
 group: top10-injection
 name: JavaScript_Medium_Threat_AngularJS_SCE_Disabled
 pretty_name: AngularJS SCE Disabled - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_CSV_Injection:
 categories:
@@ -26503,6 +28701,7 @@ rules:
 group: top10-injection
 name: JavaScript_Medium_Threat_CSV_Injection
 pretty_name: CSV Injection - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_CSS_Injection:
 categories:
@@ -26517,6 +28716,7 @@ rules:
 group: top10-injection
 name: JavaScript_Medium_Threat_Client_CSS_Injection
 pretty_name: Client CSS Injection - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_Cross_Frame_Scripting_Attack:
 categories:
@@ -26532,6 +28732,7 @@ rules:
 group: top10-injection
 name: JavaScript_Medium_Threat_Client_Cross_Frame_Scripting_Attack
 pretty_name: Client Cross Frame Scripting Attack - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_DB_Parameter_Tampering:
 categories:
@@ -26545,6 +28746,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Medium_Threat_Client_DB_Parameter_Tampering
 pretty_name: Client DB Parameter Tampering - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_DOM_CSRF:
 categories:
@@ -26560,6 +28762,7 @@ rules:
 group: top10-injection
 name: JavaScript_Medium_Threat_Client_DOM_CSRF
 pretty_name: Client DOM CSRF - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_DOM_Cookie_Poisoning:
 categories:
@@ -26574,6 +28777,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Medium_Threat_Client_DOM_Cookie_Poisoning
 pretty_name: Client DOM Cookie Poisoning - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_DoS_By_Sleep:
 categories:
@@ -26586,6 +28790,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Medium_Threat_Client_DoS_By_Sleep
 pretty_name: Client DoS By Sleep - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_HTML5_Information_Exposure:
 categories:
@@ -26599,6 +28804,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Medium_Threat_Client_HTML5_Information_Exposure
 pretty_name: Client HTML5 Information Exposure - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_HTML5_Insecure_Storage:
 categories:
@@ -26612,6 +28818,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Medium_Threat_Client_HTML5_Insecure_Storage
 pretty_name: Client HTML5 Insecure Storage - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_HTML5_Store_Sensitive_data_In_Web_Storage:
 categories:
@@ -26625,6 +28832,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Medium_Threat_Client_HTML5_Store_Sensitive_data_In_Web_Storage
 pretty_name: Client HTML5 Store Sensitive data In Web Storage - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_Header_Manipulation:
 categories:
@@ -26639,6 +28847,7 @@ rules:
 group: top10-injection
 name: JavaScript_Medium_Threat_Client_Header_Manipulation
 pretty_name: Client Header Manipulation - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_Path_Manipulation:
 categories:
@@ -26652,6 +28861,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Medium_Threat_Client_Path_Manipulation
 pretty_name: Client Path Manipulation - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_Potential_Code_Injection:
 categories:
@@ -26668,6 +28878,7 @@ rules:
 group: top10-injection
 name: JavaScript_Medium_Threat_Client_Potential_Code_Injection
 pretty_name: Client Potential Code Injection - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_Potential_XSS:
 categories:
@@ -26683,6 +28894,7 @@ rules:
 group: top10-injection
 name: JavaScript_Medium_Threat_Client_Potential_XSS
 pretty_name: Client Potential XSS - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_Privacy_Violation:
 categories:
@@ -26698,6 +28910,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Medium_Threat_Client_Privacy_Violation
 pretty_name: Client Privacy Violation - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_ReDoS_From_Regex_Injection:
 categories:
@@ -26713,6 +28926,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Medium_Threat_Client_ReDoS_From_Regex_Injection
 pretty_name: Client ReDoS From Regex Injection - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_ReDoS_In_Match:
 categories:
@@ -26728,6 +28942,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Medium_Threat_Client_ReDoS_In_Match
 pretty_name: Client ReDoS In Match - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_ReDoS_In_Replace:
 categories:
@@ -26743,6 +28958,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Medium_Threat_Client_ReDoS_In_Replace
 pretty_name: Client ReDoS In Replace - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_ReDos_In_RegExp:
 categories:
@@ -26758,6 +28974,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Medium_Threat_Client_ReDos_In_RegExp
 pretty_name: Client ReDos In RegExp - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_Reflected_File_Download:
 categories:
@@ -26771,6 +28988,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Medium_Threat_Client_Reflected_File_Download
 pretty_name: Client Reflected File Download - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_Sandbox_Allows_Scripts_With_Same_Origin:
 categories:
@@ -26784,6 +29002,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: JavaScript_Medium_Threat_Client_Sandbox_Allows_Scripts_With_Same_Origin
 pretty_name: Client Sandbox Allows Scripts With Same Origin - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_Untrusted_Activex:
 categories:
@@ -26798,6 +29017,7 @@ rules:
 group: top10-vulnerable-components
 name: JavaScript_Medium_Threat_Client_Untrusted_Activex
 pretty_name: Client Untrusted Activex - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_Use_Of_JQuery_Deprecated_Version:
 categories:
@@ -26811,6 +29031,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Medium_Threat_Client_Use_Of_JQuery_Deprecated_Version
 pretty_name: Client Use Of JQuery Deprecated Version - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Client_XPATH_Injection:
 categories:
@@ -26826,6 +29047,7 @@ rules:
 group: top10-injection
 name: JavaScript_Medium_Threat_Client_XPATH_Injection
 pretty_name: Client XPATH Injection - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Frameable_Login_Page:
 categories:
@@ -26839,6 +29061,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: JavaScript_Medium_Threat_Frameable_Login_Page
 pretty_name: Frameable Login Page - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Insecure_Value_of_the_SameSite_Cookie_Attribute_in_Code:
 categories:
@@ -26852,6 +29075,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Medium_Threat_Insecure_Value_of_the_SameSite_Cookie_Attribute_in_Code
 pretty_name: Insecure Value of the SameSite Cookie Attribute in Code - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_JWT_Sensitive_Information_Exposure:
 categories:
@@ -26865,6 +29089,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Medium_Threat_JWT_Sensitive_Information_Exposure
 pretty_name: JWT Sensitive Information Exposure - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_JWT_Use_Of_Hardcoded_Secret:
 categories:
@@ -26880,6 +29105,7 @@ rules:
 group: top10-id-authn-failures
 name: JavaScript_Medium_Threat_JWT_Use_Of_Hardcoded_Secret
 pretty_name: JWT Use Of Hardcoded Secret - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Missing_HSTS_Header:
 categories:
@@ -26893,6 +29119,7 @@ rules:
 group: top10-id-authn-failures
 name: JavaScript_Medium_Threat_Missing_HSTS_Header
 pretty_name: Missing HSTS Header - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_Unchecked_Input_For_Loop_Condition:
 categories:
@@ -26907,6 +29134,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Medium_Threat_Unchecked_Input_For_Loop_Condition
 pretty_name: Unchecked Input For Loop Condition - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Medium_Threat_XML_External_Entities_XXE:
 categories:
@@ -26921,6 +29149,7 @@ rules:
 group: top10-security-misconfiguration
 name: JavaScript_Medium_Threat_XML_External_Entities_XXE
 pretty_name: XML External Entities XXE - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_ReactNative_Clipboard_Information_Leakage:
 categories:
@@ -26933,6 +29162,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_ReactNative_Clipboard_Information_Leakage
 pretty_name: Clipboard Information Leakage - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_ReactNative_Insecure_Text_Entry:
 categories:
@@ -26945,6 +29175,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_ReactNative_Insecure_Text_Entry
 pretty_name: Insecure Text Entry - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_ReactNative_Insufficient_Transport_Layer_Security:
 categories:
@@ -26957,6 +29188,7 @@ rules:
 group: top10-security-misconfiguration
 name: JavaScript_ReactNative_Insufficient_Transport_Layer_Security
 pretty_name: Insufficient Transport Layer Security - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_ReactNative_Missing_Root_Or_Jailbreak_Check:
 categories:
@@ -26969,6 +29201,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_ReactNative_Missing_Root_Or_Jailbreak_Check
 pretty_name: Missing Root Or Jailbreak Check - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_ReactNative_Unencrypted_Sensitive_Data_Storage:
 categories:
@@ -26981,6 +29214,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_ReactNative_Unencrypted_Sensitive_Data_Storage
 pretty_name: Unencrypted Sensitive Data Storage - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_SAPUI5_Client_Manual_CSRF_Token_Handling:
 categories:
@@ -26996,6 +29230,7 @@ rules:
 group: top10-injection
 name: JavaScript_SAPUI5_Client_Manual_CSRF_Token_Handling
 pretty_name: Client Manual CSRF Token Handling - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_SAPUI5_Client_Manual_XHR_Handling:
 categories:
@@ -27009,6 +29244,7 @@ rules:
 group: top10-security-misconfiguration
 name: JavaScript_SAPUI5_Client_Manual_XHR_Handling
 pretty_name: Client Manual XHR Handling - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_SAPUI5_SAPUI5_Custom_OData_Model:
 categories:
@@ -27022,6 +29258,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: JavaScript_SAPUI5_SAPUI5_Custom_OData_Model
 pretty_name: SAPUI5 Custom OData Model - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_SAPUI5_SAPUI5_Deprecated_Symbols:
 categories:
@@ -27035,6 +29272,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_SAPUI5_SAPUI5_Deprecated_Symbols
 pretty_name: SAPUI5 Deprecated Symbols - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_SAPUI5_SAPUI5_Hardcoded_UserId_In_Comments:
 categories:
@@ -27048,6 +29286,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_SAPUI5_SAPUI5_Hardcoded_UserId_In_Comments
 pretty_name: SAPUI5 Hardcoded UserId In Comments - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_SAPUI5_SAPUI5_OData_Call_Without_Batch_Mode:
 categories:
@@ -27061,6 +29300,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: JavaScript_SAPUI5_SAPUI5_OData_Call_Without_Batch_Mode
 pretty_name: SAPUI5 OData Call Without Batch Mode - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_SAPUI5_SAPUI5_Potential_Malicious_File_Upload:
 categories:
@@ -27075,6 +29315,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_SAPUI5_SAPUI5_Potential_Malicious_File_Upload
 pretty_name: SAPUI5 Potential Malicious File Upload - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_SAPUI5_SAPUI5_Use_Of_Hardcoded_URL:
 categories:
@@ -27088,6 +29329,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_SAPUI5_SAPUI5_Use_Of_Hardcoded_URL
 pretty_name: SAPUI5 Use Of Hardcoded URL - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Absolute_Path_Traversal:
 categories:
@@ -27103,6 +29345,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Server_Side_Vulnerabilities_Absolute_Path_Traversal
 pretty_name: Absolute Path Traversal - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_CSRF:
 categories:
@@ -27118,6 +29361,7 @@ rules:
 group: top10-injection
 name: JavaScript_Server_Side_Vulnerabilities_CSRF
 pretty_name: CSRF - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Cleartext_Storage_Of_Sensitive_Information:
 categories:
@@ -27131,6 +29375,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Server_Side_Vulnerabilities_Cleartext_Storage_Of_Sensitive_Information
 pretty_name: Cleartext Storage Of Sensitive Information - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Code_Injection:
 categories:
@@ -27148,6 +29393,7 @@ rules:
 group: top10-injection
 name: JavaScript_Server_Side_Vulnerabilities_Code_Injection
 pretty_name: Code Injection - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Command_Injection:
 categories:
@@ -27165,6 +29411,7 @@ rules:
 group: top10-injection
 name: JavaScript_Server_Side_Vulnerabilities_Command_Injection
 pretty_name: Command Injection - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Comparing_instead_of_Assigning:
 categories:
@@ -27178,6 +29425,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Server_Side_Vulnerabilities_Comparing_instead_of_Assigning
 pretty_name: Comparing instead of Assigning - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Cookie_Poisoning:
 categories:
@@ -27192,6 +29440,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Server_Side_Vulnerabilities_Cookie_Poisoning
 pretty_name: Cookie Poisoning - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Divide_By_Zero:
 categories:
@@ -27204,6 +29453,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Server_Side_Vulnerabilities_Divide_By_Zero
 pretty_name: Divide By Zero - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Dynamic_File_Inclusion:
 categories:
@@ -27217,6 +29467,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: JavaScript_Server_Side_Vulnerabilities_Dynamic_File_Inclusion
 pretty_name: Dynamic File Inclusion - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Excessive_Data_Exposure:
 categories:
@@ -27230,6 +29481,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Server_Side_Vulnerabilities_Excessive_Data_Exposure
 pretty_name: Excessive Data Exposure - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Expression_is_Always_False:
 categories:
@@ -27242,6 +29494,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Server_Side_Vulnerabilities_Expression_is_Always_False
 pretty_name: Expression is Always False - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Expression_is_Always_True:
 categories:
@@ -27254,6 +29507,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Server_Side_Vulnerabilities_Expression_is_Always_True
 pretty_name: Expression is Always True - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_HTTP_Response_Splitting:
 categories:
@@ -27268,6 +29522,7 @@ rules:
 group: top10-injection
 name: JavaScript_Server_Side_Vulnerabilities_HTTP_Response_Splitting
 pretty_name: HTTP Response Splitting - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Hardcoded_password_in_Connection_String:
 categories:
@@ -27281,6 +29536,7 @@ rules:
 group: top10-security-misconfiguration
 name: JavaScript_Server_Side_Vulnerabilities_Hardcoded_password_in_Connection_String
 pretty_name: Hardcoded password in Connection String - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Information_Exposure_Through_Directory_Listing:
 categories:
@@ -27294,6 +29550,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Server_Side_Vulnerabilities_Information_Exposure_Through_Directory_Listing
 pretty_name: Information Exposure Through Directory Listing - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Information_Exposure_Through_Log_Files:
 categories:
@@ -27306,6 +29563,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: JavaScript_Server_Side_Vulnerabilities_Information_Exposure_Through_Log_Files
 pretty_name: Information Exposure Through Log Files - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Information_Exposure_Through_an_Error_Message:
 categories:
@@ -27319,6 +29577,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Server_Side_Vulnerabilities_Information_Exposure_Through_an_Error_Message
 pretty_name: Information Exposure Through an Error Message - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Insecure_Direct_Object_References:
 categories:
@@ -27332,6 +29591,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Server_Side_Vulnerabilities_Insecure_Direct_Object_References
 pretty_name: Insecure Direct Object References - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Insecure_Storage_of_Sensitive_Data:
 categories:
@@ -27345,6 +29605,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Server_Side_Vulnerabilities_Insecure_Storage_of_Sensitive_Data
 pretty_name: Insecure Storage of Sensitive Data - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_JSON_Hijacking:
 categories:
@@ -27360,6 +29621,7 @@ rules:
 group: top10-injection
 name: JavaScript_Server_Side_Vulnerabilities_JSON_Hijacking
 pretty_name: JSON Hijacking - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_JWT_Excessive_Expiration_Time:
 categories:
@@ -27374,6 +29636,7 @@ rules:
 group: top10-id-authn-failures
 name: JavaScript_Server_Side_Vulnerabilities_JWT_Excessive_Expiration_Time
 pretty_name: JWT Excessive Expiration Time - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_JWT_Lack_Of_Expiration_Time:
 categories:
@@ -27388,6 +29651,7 @@ rules:
 group: top10-id-authn-failures
 name: JavaScript_Server_Side_Vulnerabilities_JWT_Lack_Of_Expiration_Time
 pretty_name: JWT Lack Of Expiration Time - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_JWT_No_Expiration_Time_Validation:
 categories:
@@ -27402,6 +29666,7 @@ rules:
 group: top10-id-authn-failures
 name: JavaScript_Server_Side_Vulnerabilities_JWT_No_Expiration_Time_Validation
 pretty_name: JWT No Expiration Time Validation - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_JWT_No_NotBefore_Validation:
 categories:
@@ -27414,6 +29679,7 @@ rules:
 group: top10-id-authn-failures
 name: JavaScript_Server_Side_Vulnerabilities_JWT_No_NotBefore_Validation
 pretty_name: JWT No NotBefore Validation - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_JWT_No_Signature_Verification:
 categories:
@@ -27429,6 +29695,7 @@ rules:
 group: top10-id-authn-failures
 name: JavaScript_Server_Side_Vulnerabilities_JWT_No_Signature_Verification
 pretty_name: JWT No Signature Verification - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_JWT_Use_Of_None_Algorithm:
 categories:
@@ -27443,6 +29710,7 @@ rules:
 group: top10-id-authn-failures
 name: JavaScript_Server_Side_Vulnerabilities_JWT_Use_Of_None_Algorithm
 pretty_name: JWT Use Of None Algorithm - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Log_Forging:
 categories:
@@ -27455,6 +29723,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: JavaScript_Server_Side_Vulnerabilities_Log_Forging
 pretty_name: Log Forging - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Missing_CSP_Header:
 categories:
@@ -27468,6 +29737,7 @@ rules:
 group: top10-id-authn-failures
 name: JavaScript_Server_Side_Vulnerabilities_Missing_CSP_Header
 pretty_name: Missing CSP Header - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Missing_Default_Case_In_Switch_Statement:
 categories:
@@ -27481,6 +29751,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Server_Side_Vulnerabilities_Missing_Default_Case_In_Switch_Statement
 pretty_name: Missing Default Case In Switch Statement - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Missing_Encryption_of_Sensitive_Data:
 categories:
@@ -27494,6 +29765,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Server_Side_Vulnerabilities_Missing_Encryption_of_Sensitive_Data
 pretty_name: Missing Encryption of Sensitive Data - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_MongoDB_NoSQL_Injection:
 categories:
@@ -27511,6 +29783,7 @@ rules:
 group: top10-injection
 name: JavaScript_Server_Side_Vulnerabilities_MongoDB_NoSQL_Injection
 pretty_name: MongoDB NoSQL Injection - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Null_Password:
 categories:
@@ -27524,6 +29797,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Server_Side_Vulnerabilities_Null_Password
 pretty_name: Null Password - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Omitted_Break_Statement_In_Switch:
 categories:
@@ -27539,6 +29813,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Server_Side_Vulnerabilities_Omitted_Break_Statement_In_Switch
 pretty_name: Omitted Break Statement In Switch - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Open_Redirect:
 categories:
@@ -27553,6 +29828,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Server_Side_Vulnerabilities_Open_Redirect
 pretty_name: Open Redirect - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Parameter_Tampering:
 categories:
@@ -27567,6 +29843,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Server_Side_Vulnerabilities_Parameter_Tampering
 pretty_name: Parameter Tampering - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Password_Weak_Encryption:
 categories:
@@ -27580,6 +29857,7 @@ rules:
 group: top10-crypto-failures
 name: JavaScript_Server_Side_Vulnerabilities_Password_Weak_Encryption
 pretty_name: Password Weak Encryption - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Plaintext_Storage_of_a_Password:
 categories:
@@ -27592,6 +29870,7 @@ rules:
 group: top10-insecure-design
 name: JavaScript_Server_Side_Vulnerabilities_Plaintext_Storage_of_a_Password
 pretty_name: Plaintext Storage of a Password - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Poor_Database_Access_Control:
 categories:
@@ -27605,6 +29884,7 @@ rules:
 group: top10-broken-access-control
 name: JavaScript_Server_Side_Vulnerabilities_Poor_Database_Access_Control
 pretty_name: Poor Database Access Control - JavaScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavaScript_Server_Side_Vulnerabilities_Potentially_Vulnerable_To_CSRF:
 categories:
@@ -27620,6 +29900,7 @@ rules:
     group: top10-injection
     name: JavaScript_Server_Side_Vulnerabilities_Potentially_Vulnerable_To_CSRF
     pretty_name: Potentially Vulnerable To CSRF - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Privacy_Violation:
     categories:
@@ -27635,6 +29916,7 @@ rules:
     group: top10-broken-access-control
     name: JavaScript_Server_Side_Vulnerabilities_Privacy_Violation
     pretty_name: Privacy Violation - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_ReDoS_in_RegExp:
     categories:
@@ -27650,6 +29932,7 @@ rules:
     group: top10-insecure-design
     name: JavaScript_Server_Side_Vulnerabilities_ReDoS_in_RegExp
     pretty_name: ReDoS in RegExp - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Reflected_XSS:
     categories:
@@ -27666,6 +29949,7 @@ rules:
     group: top10-injection
     name: JavaScript_Server_Side_Vulnerabilities_Reflected_XSS
     pretty_name: Reflected XSS - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Relative_Path_Traversal:
     categories:
@@ -27680,6 +29964,7 @@ rules:
     group: top10-broken-access-control
     name: JavaScript_Server_Side_Vulnerabilities_Relative_Path_Traversal
     pretty_name: Relative Path Traversal - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_SQL_Injection:
     categories:
@@ -27697,6 +29982,7 @@ rules:
     group: top10-injection
     name: JavaScript_Server_Side_Vulnerabilities_SQL_Injection
     pretty_name: SQL Injection - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_SSL_Verification_Bypass:
     categories:
@@ -27711,6 +29997,7 @@ rules:
     group: top10-software-data-integrity-failures
     name: JavaScript_Server_Side_Vulnerabilities_SSL_Verification_Bypass
     pretty_name: SSL Verification Bypass - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_SSRF:
     categories:
@@ -27726,6 +30013,7 @@ rules:
     group: top10-server-side-request-forgery
     name: JavaScript_Server_Side_Vulnerabilities_SSRF
     pretty_name: SSRF - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Second_Order_SQL_Injection:
     categories:
@@ -27743,6 +30031,7 @@ rules:
     group: top10-injection
     name: JavaScript_Server_Side_Vulnerabilities_Second_Order_SQL_Injection
     pretty_name: Second Order SQL Injection - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Security_Misconfiguration:
     categories:
@@ -27756,6 +30045,7 @@ rules:
     group: top10-security-misconfiguration
     name: JavaScript_Server_Side_Vulnerabilities_Security_Misconfiguration
     pretty_name: Security Misconfiguration - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Sensitive_Information_Over_HTTP:
     categories:
@@ -27769,6 +30059,7 @@ rules:
     group: top10-broken-access-control
     name: JavaScript_Server_Side_Vulnerabilities_Sensitive_Information_Over_HTTP
     pretty_name: Sensitive Information Over HTTP - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Server_DoS_by_Loop:
     categories:
@@ -27781,6 +30072,7 @@ rules:
     group: top10-insecure-design
     name: JavaScript_Server_Side_Vulnerabilities_Server_DoS_by_Loop
     pretty_name: Server DoS by Loop - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Server_DoS_by_Sleep:
     categories:
@@ -27793,6 +30085,7 @@ rules:
     group: top10-insecure-design
     name: JavaScript_Server_Side_Vulnerabilities_Server_DoS_by_Sleep
     pretty_name: Server DoS by Sleep - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Stored_Code_Injection:
     categories:
@@ -27809,6 +30102,7 @@ rules:
     group: top10-injection
     name: JavaScript_Server_Side_Vulnerabilities_Stored_Code_Injection
     pretty_name: Stored Code Injection - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Stored_Path_Traversal:
     categories:
@@ -27826,6 +30120,7 @@ rules:
     group: top10-broken-access-control
     name: JavaScript_Server_Side_Vulnerabilities_Stored_Path_Traversal
     pretty_name: Stored Path Traversal - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Stored_XSS:
     categories:
@@ -27842,6 +30137,7 @@ rules:
     group: top10-injection
     name: JavaScript_Server_Side_Vulnerabilities_Stored_XSS
     pretty_name: Stored XSS - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Uncontrolled_Format_String:
     categories:
@@ -27855,6 +30151,7 @@ rules:
     group: top10-injection
     name: JavaScript_Server_Side_Vulnerabilities_Uncontrolled_Format_String
     pretty_name: Uncontrolled Format String - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Unprotected_Cookie:
     categories:
@@ -27868,6 +30165,7 @@ rules:
     group: top10-security-misconfiguration
     name: JavaScript_Server_Side_Vulnerabilities_Unprotected_Cookie
     pretty_name: Unprotected Cookie - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Unrestricted_File_Upload:
     categories:
@@ -27882,6 +30180,7 @@ rules:
     group: top10-insecure-design
     name: JavaScript_Server_Side_Vulnerabilities_Unrestricted_File_Upload
     pretty_name: Unrestricted File Upload - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Unsafe_Object_Binding:
     categories:
@@ -27896,6 +30195,7 @@ rules:
     group: top10-software-data-integrity-failures
     name: JavaScript_Server_Side_Vulnerabilities_Unsafe_Object_Binding
     pretty_name: Unsafe Object Binding - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Use_Of_HTTP_Sensitive_Data_Exposure:
     categories:
@@ -27909,6 +30209,7 @@ rules:
     group: top10-broken-access-control
     name: JavaScript_Server_Side_Vulnerabilities_Use_Of_HTTP_Sensitive_Data_Exposure
     pretty_name: Use Of HTTP Sensitive Data Exposure - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Use_Of_Hardcoded_Password:
     categories:
@@ -27922,6 +30223,7 @@ rules:
     group: top10-id-authn-failures
     name: JavaScript_Server_Side_Vulnerabilities_Use_Of_Hardcoded_Password
     pretty_name: Use Of Hardcoded Password - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Use_of_Broken_or_Risky_Cryptographic_Algorithm:
     categories:
@@ -27934,6 +30236,7 @@ rules:
     group: top10-crypto-failures
     name: JavaScript_Server_Side_Vulnerabilities_Use_of_Broken_or_Risky_Cryptographic_Algorithm
     pretty_name: Use of Broken or Risky Cryptographic Algorithm - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Use_of_Deprecated_or_Obsolete_Functions:
     categories:
@@ -27947,6 +30250,7 @@ rules:
     group: top10-insecure-design
     name: JavaScript_Server_Side_Vulnerabilities_Use_of_Deprecated_or_Obsolete_Functions
     pretty_name: Use of Deprecated or Obsolete Functions - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Server_Side_Vulnerabilities_Use_of_Insufficiently_Random_Values:
     categories:
@@ -27960,6 +30264,7 @@ rules:
     group: top10-crypto-failures
     name: JavaScript_Server_Side_Vulnerabilities_Use_of_Insufficiently_Random_Values
     pretty_name: Use of Insufficiently Random Values - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Vue_Declaration_of_Multiple_Vue_Components_per_File:
     categories:
@@ -27973,6 +30278,7 @@ rules:
     group: top10-insecure-design
     name: JavaScript_Vue_Declaration_of_Multiple_Vue_Components_per_File
     pretty_name: Declaration of Multiple Vue Components per File - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Vue_Declaration_of_Vue_Component_Data_as_Property:
     categories:
@@ -27986,6 +30292,7 @@ rules:
     group: top10-insecure-design
     name: JavaScript_Vue_Declaration_of_Vue_Component_Data_as_Property
     pretty_name: Declaration of Vue Component Data as Property - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Vue_Inconsistent_Component_Top_Level_Elements_Ordering:
     categories:
@@ -27999,6 +30306,7 @@ rules:
     group: top10-insecure-design
     name: JavaScript_Vue_Inconsistent_Component_Top_Level_Elements_Ordering
     pretty_name: Inconsistent Component Top Level Elements Ordering - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Vue_Inconsistent_use_of_Directive_Shorthands:
     categories:
@@ -28012,6 +30320,7 @@ rules:
     group: top10-insecure-design
     name: JavaScript_Vue_Inconsistent_use_of_Directive_Shorthands
     pretty_name: Inconsistent use of Directive Shorthands - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Vue_Use_of_Implicit_Types_on_Vue_Component_Props:
     categories:
@@ -28025,6 +30334,7 @@ rules:
     group: top10-insecure-design
     name: JavaScript_Vue_Use_of_Implicit_Types_on_Vue_Component_Props
     pretty_name: Use of Implicit Types on Vue Component Props - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Vue_Use_of_Single_Word_Named_Vue_Components:
     categories:
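Review bot: The `recommended: true` added to JavaScript_Vue_Declaration_of_Multiple_Vue_Components_per_File, Declaration_of_Vue_Component_Data_as_Property, Inconsistent_Component_Top_Level_Elements_Ordering, Inconsistent_use_of_Directive_Shorthands and Use_of_Implicit_Types_on_Vue_Component_Props in these hunks (and to Use_of_Single_Word_Named_Vue_Components and Use_of_vif_and_vfor_On_Same_Element in the next line's hunks) puts pure component-structure lint checks on the same footing as Vue_DOM_XSS: a policy that enables the recommended set will raise findings with no security impact, and because the flag is the only selector, a consumer cannot separate them from the injection rules downstream. The same applies to the Java_Best_Coding_Practice_* hunks further down (Assigning_instead_of_Comparing, Comparing_instead_of_Assigning, Confusing_Naming, Catch_NullPointerException), which are code-style rules even though they sit in `group: top10-insecure-design`. I would drop the `recommended: true` line from the `JavaScript_Vue_*` style rules and the `Java_Best_Coding_Practice_*` rules, or, if they must stay flagged, add a comment on the first of them, `# recommended on purpose: customer policy treats lint findings as blocking`, so the decision is visible to the next editor.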
@@ -28038,6 +30348,7 @@ rules:
     group: top10-insecure-design
     name: JavaScript_Vue_Use_of_Single_Word_Named_Vue_Components
     pretty_name: Use of Single Word Named Vue Components - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Vue_Use_of_vif_and_vfor_On_Same_Element:
     categories:
@@ -28051,6 +30362,7 @@ rules:
     group: top10-insecure-design
     name: JavaScript_Vue_Use_of_vif_and_vfor_On_Same_Element
     pretty_name: Use of vif and vfor On Same Element - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_Vue_Vue_DOM_XSS:
     categories:
@@ -28066,6 +30378,7 @@ rules:
     group: top10-injection
     name: JavaScript_Vue_Vue_DOM_XSS
     pretty_name: Vue DOM XSS - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_XS_XS_CSRF:
     categories:
@@ -28081,6 +30394,7 @@ rules:
     group: top10-injection
     name: JavaScript_XS_XS_CSRF
     pretty_name: XS CSRF - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_XS_XS_Code_Injection:
     categories:
@@ -28098,6 +30412,7 @@ rules:
     group: top10-injection
     name: JavaScript_XS_XS_Code_Injection
     pretty_name: XS Code Injection - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_XS_XS_Log_Injection:
     categories:
@@ -28110,6 +30425,7 @@ rules:
     group: top10-security-logging-monitoring-failures
     name: JavaScript_XS_XS_Log_Injection
     pretty_name: XS Log Injection - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_XS_XS_Open_Redirect:
     categories:
@@ -28124,6 +30440,7 @@ rules:
     group: top10-broken-access-control
     name: JavaScript_XS_XS_Open_Redirect
     pretty_name: XS Open Redirect - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_XS_XS_Overly_Permissive_CORS:
     categories:
@@ -28138,6 +30455,7 @@ rules:
     group: top10-broken-access-control
     name: JavaScript_XS_XS_Overly_Permissive_CORS
     pretty_name: XS Overly Permissive CORS - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_XS_XS_Parameter_Tampering:
     categories:
@@ -28152,6 +30470,7 @@ rules:
     group: top10-insecure-design
     name: JavaScript_XS_XS_Parameter_Tampering
     pretty_name: XS Parameter Tampering - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_XS_XS_Potentially_Vulnerable_To_Clickjacking:
     categories:
@@ -28165,6 +30484,7 @@ rules:
     group: top10-injection
     name: JavaScript_XS_XS_Potentially_Vulnerable_To_Clickjacking
     pretty_name: XS Potentially Vulnerable To Clickjacking - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_XS_XS_Reflected_XSS:
     categories:
@@ -28181,6 +30501,7 @@ rules:
     group: top10-injection
     name: JavaScript_XS_XS_Reflected_XSS
     pretty_name: XS Reflected XSS - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_XS_XS_Response_Splitting:
     categories:
@@ -28195,6 +30516,7 @@ rules:
     group: top10-injection
     name: JavaScript_XS_XS_Response_Splitting
     pretty_name: XS Response Splitting - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_XS_XS_SQL_Injection:
     categories:
@@ -28212,6 +30534,7 @@ rules:
     group: top10-injection
     name: JavaScript_XS_XS_SQL_Injection
     pretty_name: XS SQL Injection - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_XS_XS_Second_Order_SQL_Injection:
     categories:
@@ -28229,6 +30552,7 @@ rules:
     group: top10-injection
     name: JavaScript_XS_XS_Second_Order_SQL_Injection
     pretty_name: XS Second Order SQL Injection - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_XS_XS_Stored_Code_Injection:
     categories:
@@ -28246,6 +30570,7 @@ rules:
     group: top10-injection
     name: JavaScript_XS_XS_Stored_Code_Injection
     pretty_name: XS Stored Code Injection - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_XS_XS_Stored_XSS:
     categories:
@@ -28262,6 +30587,7 @@ rules:
     group: top10-injection
     name: JavaScript_XS_XS_Stored_XSS
     pretty_name: XS Stored XSS - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_XS_XS_Unencrypted_Data_Transfer:
     categories:
@@ -28275,6 +30601,7 @@ rules:
     group: top10-crypto-failures
     name: JavaScript_XS_XS_Unencrypted_Data_Transfer
     pretty_name: XS Unencrypted Data Transfer - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   JavaScript_XS_XS_Use_Of_Hardcoded_URL:
     categories:
@@ -28290,6 +30617,7 @@ rules:
     group: top10-id-authn-failures
     name: JavaScript_XS_XS_Use_Of_Hardcoded_URL
     pretty_name: XS Use Of Hardcoded URL - JavaScript
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_AWS_Lambda_AWS_Credentials_Leak:
     categories:
@@ -28304,6 +30632,7 @@ rules:
     group: top10-broken-access-control
     name: Java_AWS_Lambda_AWS_Credentials_Leak
     pretty_name: AWS Credentials Leak - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_AWS_Lambda_DynamoDB_NoSQL_Injection:
     categories:
@@ -28320,6 +30649,7 @@ rules:
     group: top10-injection
     name: Java_AWS_Lambda_DynamoDB_NoSQL_Injection
     pretty_name: DynamoDB NoSQL Injection - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_AWS_Lambda_Hardcoded_AWS_Credentials:
     categories:
@@ -28335,6 +30665,7 @@ rules:
     group: top10-id-authn-failures
     name: Java_AWS_Lambda_Hardcoded_AWS_Credentials
     pretty_name: Hardcoded AWS Credentials - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_AWS_Lambda_Permission_Manipulation_in_S3:
     categories:
@@ -28348,6 +30679,7 @@ rules:
     group: top10-broken-access-control
     name: Java_AWS_Lambda_Permission_Manipulation_in_S3
     pretty_name: Permission Manipulation in S3 - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_AWS_Lambda_Race_Condition_Global_Scope:
     categories:
@@ -28361,6 +30693,7 @@ rules:
     group: top10-insecure-design
     name: Java_AWS_Lambda_Race_Condition_Global_Scope
     pretty_name: Race Condition Global Scope - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_AWS_Lambda_Unrestricted_Delete_S3:
     categories:
@@ -28375,6 +30708,7 @@ rules:
     group: top10-broken-access-control
     name: Java_AWS_Lambda_Unrestricted_Delete_S3
     pretty_name: Unrestricted Delete S3 - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_AWS_Lambda_Unrestricted_Read_S3:
     categories:
@@ -28389,6 +30723,7 @@ rules:
     group: top10-broken-access-control
     name: Java_AWS_Lambda_Unrestricted_Read_S3
     pretty_name: Unrestricted Read S3 - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_AWS_Lambda_Unrestricted_Write_S3:
     categories:
@@ -28403,6 +30738,7 @@ rules:
     group: top10-broken-access-control
     name: Java_AWS_Lambda_Unrestricted_Write_S3
     pretty_name: Unrestricted Write S3 - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_AWS_Lambda_Use_of_Hardcoded_Cryptographic_Key_On_Server:
     categories:
@@ -28416,6 +30752,7 @@ rules:
     group: top10-crypto-failures
     name: Java_AWS_Lambda_Use_of_Hardcoded_Cryptographic_Key_On_Server
     pretty_name: Use of Hardcoded Cryptographic Key On Server - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_AWS_Lambda_User_Based_SDK_Configurations:
     categories:
@@ -28428,6 +30765,7 @@ rules:
     group: top10-security-misconfiguration
     name: Java_AWS_Lambda_User_Based_SDK_Configurations
     pretty_name: User Based SDK Configurations - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Accessible_Content_Provider:
     categories:
@@ -28441,6 +30779,7 @@ rules:
     group: top10-broken-access-control
     name: Java_Android_Accessible_Content_Provider
     pretty_name: Accessible Content Provider - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Allowed_Backup:
     categories:
@@ -28454,6 +30793,7 @@ rules:
     group: top10-broken-access-control
     name: Java_Android_Allowed_Backup
     pretty_name: Allowed Backup - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Android_Improper_Resource_Shutdown_or_Release:
     categories:
@@ -28467,6 +30807,7 @@ rules:
     group: top10-insecure-design
     name: Java_Android_Android_Improper_Resource_Shutdown_or_Release
     pretty_name: Android Improper Resource Shutdown or Release - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Client_Side_Injection:
     categories:
@@ -28483,6 +30824,7 @@ rules:
     group: top10-injection
     name: Java_Android_Client_Side_Injection
     pretty_name: Client Side Injection - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Client_Side_ReDoS:
     categories:
@@ -28498,6 +30840,7 @@ rules:
     group: top10-insecure-design
     name: Java_Android_Client_Side_ReDoS
     pretty_name: Client Side ReDoS - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Copy_Paste_Buffer_Caching:
     categories:
@@ -28511,6 +30854,7 @@ rules:
     group: top10-broken-access-control
     name: Java_Android_Copy_Paste_Buffer_Caching
     pretty_name: Copy Paste Buffer Caching - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Debuggable_App:
     categories:
@@ -28524,6 +30868,7 @@ rules:
     group: top10-broken-access-control
     name: Java_Android_Debuggable_App
     pretty_name: Debuggable App - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Exported_Content_Provider_Without_Protective_Permissions:
     categories:
@@ -28537,6 +30882,7 @@ rules:
     group: top10-broken-access-control
     name: Java_Android_Exported_Content_Provider_Without_Protective_Permissions
     pretty_name: Exported Content Provider Without Protective Permissions - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Exported_Service_Without_Permissions:
     categories:
@@ -28550,6 +30896,7 @@ rules:
     group: top10-broken-access-control
     name: Java_Android_Exported_Service_Without_Permissions
     pretty_name: Exported Service Without Permissions - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Exported_Service_Without_Protective_Permissions:
     categories:
@@ -28563,6 +30910,7 @@ rules:
     group: top10-broken-access-control
     name: Java_Android_Exported_Service_Without_Protective_Permissions
     pretty_name: Exported Service Without Protective Permissions - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Exposure_Of_Resource_To_Other_Applications:
     categories:
@@ -28576,6 +30924,7 @@ rules:
     group: top10-broken-access-control
     name: Java_Android_Exposure_Of_Resource_To_Other_Applications
     pretty_name: Exposure Of Resource To Other Applications - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Failure_To_Implement_Least_Privilege:
     categories:
@@ -28590,6 +30939,7 @@ rules:
     group: top10-broken-access-control
     name: Java_Android_Failure_To_Implement_Least_Privilege
     pretty_name: Failure To Implement Least Privilege - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_General_Android_Find_Request_Permissions:
     categories:
@@ -28603,6 +30953,7 @@ rules:
     group: top10-broken-access-control
     name: Java_Android_General_Android_Find_Request_Permissions
     pretty_name: General Android Find Request Permissions - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Hardcoded_Password_In_Gradle:
     categories:
@@ -28616,6 +30967,7 @@ rules:
     group: top10-id-authn-failures
     name: Java_Android_Hardcoded_Password_In_Gradle
     pretty_name: Hardcoded Password In Gradle - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Implicit_Intent_With_Read_Write_Permissions:
     categories:
@@ -28629,6 +30981,7 @@ rules:
     group: top10-broken-access-control
     name: Java_Android_Implicit_Intent_With_Read_Write_Permissions
     pretty_name: Implicit Intent With Read Write Permissions - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Improper_Verification_Of_Intent_By_Broadcast_Receiver:
     categories:
@@ -28643,6 +30996,7 @@ rules:
     group: top10-software-data-integrity-failures
     name: Java_Android_Improper_Verification_Of_Intent_By_Broadcast_Receiver
     pretty_name: Improper Verification Of Intent By Broadcast Receiver - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Information_Leak_Through_Response_Caching:
     categories:
@@ -28656,6 +31010,7 @@ rules:
     group: top10-broken-access-control
     name: Java_Android_Information_Leak_Through_Response_Caching
     pretty_name: Information Leak Through Response Caching - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Insecure_Android_SDK_Version:
     categories:
@@ -28669,6 +31024,7 @@ rules:
     group: top10-vulnerable-components
     name: Java_Android_Insecure_Android_SDK_Version
     pretty_name: Insecure Android SDK Version - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Insecure_Data_Storage:
     categories:
@@ -28682,6 +31038,7 @@ rules:
     group: top10-insecure-design
     name: Java_Android_Insecure_Data_Storage
     pretty_name: Insecure Data Storage - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Insecure_Data_Storage_Usage:
     categories:
@@ -28695,6 +31052,7 @@ rules:
     group: top10-insecure-design
     name: Java_Android_Insecure_Data_Storage_Usage
     pretty_name: Insecure Data Storage Usage - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Insecure_HTTP_Connections_Enabled:
     categories:
@@ -28708,6 +31066,7 @@ rules:
     group: top10-crypto-failures
     name: Java_Android_Insecure_HTTP_Connections_Enabled
     pretty_name: Insecure HTTP Connections Enabled - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Insecure_WebView_Usage:
     categories:
@@ -28722,6 +31081,7 @@ rules:
     group: top10-software-data-integrity-failures
     name: Java_Android_Insecure_WebView_Usage
     pretty_name: Insecure WebView Usage - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Insufficient_Application_Layer_Protect:
     categories:
@@ -28735,6 +31095,7 @@ rules:
     group: top10-insecure-design
     name: Java_Android_Insufficient_Application_Layer_Protect
     pretty_name: Insufficient Application Layer Protect - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Insufficient_Sensitive_Application_Layer:
     categories:
@@ -28749,6 +31110,7 @@ rules:
     group: top10-broken-access-control
     name: Java_Android_Insufficient_Sensitive_Application_Layer
     pretty_name: Insufficient Sensitive Application Layer - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Keyboard_Cache_Information_Leak:
     categories:
@@ -28762,6 +31124,7 @@ rules:
     group: top10-broken-access-control
     name: Java_Android_Keyboard_Cache_Information_Leak
     pretty_name: Keyboard Cache Information Leak - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Malicious_Program:
     categories:
@@ -28776,6 +31139,7 @@ rules:
     group: supply-chain-malicious-dependency
     name: Java_Android_Malicious_Program
     pretty_name: Malicious Program - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Missing_Certificate_Pinning:
     categories:
@@ -28788,6 +31152,7 @@ rules:
     group: top10-id-authn-failures
     name: Java_Android_Missing_Certificate_Pinning
     pretty_name: Missing Certificate Pinning - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Missing_Device_Lock_Verification:
     categories:
@@ -28801,6 +31166,7 @@ rules:
     group: top10-software-data-integrity-failures
     name: Java_Android_Missing_Device_Lock_Verification
     pretty_name: Missing Device Lock Verification - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Missing_Rooted_Device_Check:
     categories:
@@ -28814,6 +31180,7 @@ rules:
     group: top10-insecure-design
     name: Java_Android_Missing_Rooted_Device_Check
     pretty_name: Missing Rooted Device Check - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_No_Installer_Verification_Implemented:
     categories:
@@ -28827,6 +31194,7 @@ rules:
     group: top10-software-data-integrity-failures
     name: Java_Android_No_Installer_Verification_Implemented
     pretty_name: No Installer Verification Implemented - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Non_Encrypted_Data_Storage:
     categories:
@@ -28840,6 +31208,7 @@ rules:
     group: top10-insecure-design
     name: Java_Android_Non_Encrypted_Data_Storage
     pretty_name: Non Encrypted Data Storage - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Passing_Non_Encrypted_Data_Between_Activities:
     categories:
@@ -28853,6 +31222,7 @@ rules:
     group: top10-crypto-failures
     name: Java_Android_Passing_Non_Encrypted_Data_Between_Activities
     pretty_name: Passing Non Encrypted Data Between Activities - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Poor_Authorization_and_Authentication:
     categories:
@@ -28867,6 +31237,7 @@ rules:
     group: top10-id-authn-failures
     name: Java_Android_Poor_Authorization_and_Authentication
     pretty_name: Poor Authorization and Authentication - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_ProGuard_Obfuscation_Not_In_Use:
     categories:
@@ -28880,6 +31251,7 @@ rules:
     group: top10-insecure-design
     name: Java_Android_ProGuard_Obfuscation_Not_In_Use
     pretty_name: ProGuard Obfuscation Not In Use - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Reuse_Of_Cryptographic_Key:
     categories:
@@ -28893,6 +31265,7 @@ rules:
     group: top10-id-authn-failures
     name: Java_Android_Reuse_Of_Cryptographic_Key
     pretty_name: Reuse Of Cryptographic Key - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Screen_Caching:
     categories:
@@ -28906,6 +31279,7 @@ rules:
     group: top10-broken-access-control
     name: Java_Android_Screen_Caching
     pretty_name: Screen Caching - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Side_Channel_Data_Leakage:
     categories:
@@ -28920,6 +31294,7 @@ rules:
     group: top10-broken-access-control
     name: Java_Android_Side_Channel_Data_Leakage
     pretty_name: Side Channel Data Leakage - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Unsafe_Permission_Check:
     categories:
@@ -28933,6 +31308,7 @@ rules:
     group: top10-broken-access-control
     name: Java_Android_Unsafe_Permission_Check
     pretty_name: Unsafe Permission Check - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Unvalidated_Self_Signed_Certificate:
     categories:
@@ -28945,6 +31321,7 @@ rules:
     group: top10-id-authn-failures
     name: Java_Android_Unvalidated_Self_Signed_Certificate
     pretty_name: Unvalidated Self Signed Certificate - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Use_Of_Implicit_Intent_For_Sensitive_Communication:
     categories:
@@ -28958,6 +31335,7 @@ rules:
     group: top10-insecure-design
     name: Java_Android_Use_Of_Implicit_Intent_For_Sensitive_Communication
     pretty_name: Use Of Implicit Intent For Sensitive Communication - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Use_of_Native_Language:
     categories:
@@ -28971,6 +31349,7 @@ rules:
     group: top10-injection
     name: Java_Android_Use_of_Native_Language
     pretty_name: Use of Native Language - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Use_of_WebView_AddJavascriptInterface:
     categories:
@@ -28986,6 +31365,7 @@ rules:
     group: top10-vulnerable-components
     name: Java_Android_Use_of_WebView_AddJavascriptInterface
     pretty_name: Use of WebView AddJavascriptInterface - Java
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Java_Android_Weak_Encryption:
     categories:
@@ -29000,6 +31380,7 @@ rules: group: top10-crypto-failures name: Java_Android_Weak_Encryption pretty_name: Weak Encryption - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Android_WebView_Cache_Information_Leak: categories: @@ -29013,6 +31394,7 @@ rules: group: top10-broken-access-control name: Java_Android_WebView_Cache_Information_Leak pretty_name: WebView Cache Information Leak - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Access_Specifier_Manipulation: categories: @@ -29026,6 +31408,7 @@ rules: group: top10-broken-access-control name: Java_Best_Coding_Practice_Access_Specifier_Manipulation pretty_name: Access Specifier Manipulation - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Array_Declared_Public_Final_and_Static: categories: @@ -29039,6 +31422,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Array_Declared_Public_Final_and_Static pretty_name: Array Declared Public Final and Static - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Assigning_instead_of_Comparing: categories: @@ -29052,6 +31436,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Assigning_instead_of_Comparing pretty_name: Assigning instead of Comparing - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Call_to_Thread_run: categories: @@ -29065,6 +31450,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Call_to_Thread_run pretty_name: Call to Thread run - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Catch_NullPointerException: categories: 
@@ -29078,6 +31464,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Catch_NullPointerException pretty_name: Catch NullPointerException - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Comparing_instead_of_Assigning: categories: @@ -29091,6 +31478,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Comparing_instead_of_Assigning pretty_name: Comparing instead of Assigning - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Comparison_of_Classes_By_Name: categories: @@ -29104,6 +31492,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Comparison_of_Classes_By_Name pretty_name: Comparison of Classes By Name - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Confusing_Naming: categories: @@ -29118,6 +31507,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Confusing_Naming pretty_name: Confusing Naming - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Critical_Public_Variable_Without_Final_Modifier: categories: @@ -29131,6 +31521,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Critical_Public_Variable_Without_Final_Modifier pretty_name: Critical Public Variable Without Final Modifier - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Dead_Code: categories: 
@@ -29143,6 +31534,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Dead_Code pretty_name: Dead Code - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: categories: @@ -29156,6 +31548,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception pretty_name: Declaration Of Catch For Generic Exception - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Declaration_of_Throws_for_Generic_Exception: categories: @@ -29169,6 +31562,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Declaration_of_Throws_for_Generic_Exception pretty_name: Declaration of Throws for Generic Exception - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action: categories: @@ -29182,6 +31576,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action pretty_name: Detection of Error Condition Without Action - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Direct_Use_of_Sockets: categories: @@ -29195,6 +31590,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Direct_Use_of_Sockets pretty_name: Direct Use of Sockets - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Direct_Use_of_Threads: categories: 
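Review bot: `Java_Best_Coding_Practice_Dead_Code` and `Java_Best_Coding_Practice_Direct_Use_of_Sockets` are code-quality queries, and marking them `recommended: true` alongside the injection and deserialization rules means the recommended set no longer expresses any priority. Dead code and raw socket use are not weaknesses a security baseline should gate on; on a typical codebase they will outnumber the real findings and teach developers to ignore the scanner. I would leave the `Java_Best_Coding_Practice_*` family without the flag except for the members that describe an actual security weakness, e.g. `Java_Best_Coding_Practice_Dynamic_SQL_Queries` or `Java_Best_Coding_Practice_Reliance_On_Untrusted_Inputs_In_Security_Decision`, which appear in other hunks of this change.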
@@ -29208,6 +31604,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Direct_Use_of_Threads pretty_name: Direct Use of Threads - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Dynamic_File_Inclusion: categories: @@ -29221,6 +31618,7 @@ rules: group: top10-software-data-integrity-failures name: Java_Best_Coding_Practice_Dynamic_File_Inclusion pretty_name: Dynamic File Inclusion - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Dynamic_SQL_Queries: categories: @@ -29237,6 +31635,7 @@ rules: group: top10-injection name: Java_Best_Coding_Practice_Dynamic_SQL_Queries pretty_name: Dynamic SQL Queries - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Dynamic_Set_Of_Null_SecurityManager: categories: @@ -29250,6 +31649,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Dynamic_Set_Of_Null_SecurityManager pretty_name: Dynamic Set Of Null SecurityManager - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_ESAPI_Banned_API: categories: @@ -29264,6 +31664,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_ESAPI_Banned_API pretty_name: ESAPI Banned API - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Empty_Methods: categories: @@ -29276,6 +31677,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Empty_Methods pretty_name: Empty Methods - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Empty_Synchronized_Block: categories: 
@@ -29288,6 +31690,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Empty_Synchronized_Block pretty_name: Empty Synchronized Block - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Empty_TryBlocks: categories: @@ -29301,6 +31704,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Empty_TryBlocks pretty_name: Empty TryBlocks - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Explicit_Call_to_Finalize: categories: @@ -29314,6 +31718,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Explicit_Call_to_Finalize pretty_name: Explicit Call to Finalize - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere: categories: @@ -29327,6 +31732,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere pretty_name: Exposure of Resource to Wrong Sphere - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Expression_is_Always_False: categories: @@ -29339,6 +31745,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Expression_is_Always_False pretty_name: Expression is Always False - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Expression_is_Always_True: categories: @@ -29351,6 +31758,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Expression_is_Always_True pretty_name: Expression is Always True - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Failure_to_Catch_All_Exceptions_in_Servlet: categories: 
@@ -29364,6 +31772,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Failure_to_Catch_All_Exceptions_in_Servlet pretty_name: Failure to Catch All Exceptions in Servlet - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_GOTO_Statement: categories: @@ -29381,6 +31790,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_GOTO_Statement pretty_name: GOTO Statement - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Hardcoded_Absolute_Path: categories: @@ -29395,6 +31805,7 @@ rules: group: top10-software-data-integrity-failures name: Java_Best_Coding_Practice_Hardcoded_Absolute_Path pretty_name: Hardcoded Absolute Path - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Hardcoded_Connection_String: categories: @@ -29410,6 +31821,7 @@ rules: group: top10-id-authn-failures name: Java_Best_Coding_Practice_Hardcoded_Connection_String pretty_name: Hardcoded Connection String - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Improper_Initialization: categories: @@ -29424,6 +31836,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Improper_Initialization pretty_name: Improper Initialization - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Incorrect_Block_Delimitation: categories: 
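Review bot: `Java_Best_Coding_Practice_GOTO_Statement` cannot, as far as I can tell, match anything in Java source, since `goto` is reserved but not usable in the language, so recommending it only adds a dead entry to the default set; I would leave that one without `recommended: true`. `Java_Best_Coding_Practice_Hardcoded_Connection_String` on the same line is the hunk that does belong in a recommended baseline, because a hard-coded connection string usually embeds credentials, and its `group: top10-id-authn-failures` is consistent with that. Flagging the whole family uniformly hides that distinction.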
@@ -29437,6 +31850,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Incorrect_Block_Delimitation pretty_name: Incorrect Block Delimitation - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Incorrect_Conversion_between_Numeric_Types: categories: @@ -29452,6 +31866,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Incorrect_Conversion_between_Numeric_Types pretty_name: Incorrect Conversion between Numeric Types - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Input_Not_Normalized: categories: @@ -29465,6 +31880,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Input_Not_Normalized pretty_name: Input Not Normalized - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Insufficient_Logging_of_Database_Actions: categories: @@ -29477,6 +31893,7 @@ rules: group: top10-security-logging-monitoring-failures name: Java_Best_Coding_Practice_Insufficient_Logging_of_Database_Actions pretty_name: Insufficient Logging of Database Actions - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Insufficient_Logging_of_Exceptions: categories: @@ -29489,6 +31906,7 @@ rules: group: top10-security-logging-monitoring-failures name: Java_Best_Coding_Practice_Insufficient_Logging_of_Exceptions pretty_name: Insufficient Logging of Exceptions - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined: categories: 
@@ -29501,6 +31919,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined pretty_name: Just One of Equals and Hash code Defined - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Leftover_Debug_Code: categories: @@ -29515,6 +31934,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Leftover_Debug_Code pretty_name: Leftover Debug Code - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Missing_Default_Case_In_Switch_Statement: categories: @@ -29528,6 +31948,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Missing_Default_Case_In_Switch_Statement pretty_name: Missing Default Case In Switch Statement - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Missing_XML_Validation: categories: @@ -29541,6 +31962,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Missing_XML_Validation pretty_name: Missing XML Validation - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Non_serializable_Object_Stored_in_Session: categories: @@ -29554,6 +31976,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Non_serializable_Object_Stored_in_Session pretty_name: Non serializable Object Stored in Session - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Not_Static_Final_Logger: categories: 
@@ -29566,6 +31989,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Not_Static_Final_Logger pretty_name: Not Static Final Logger - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Null_Pointer_Dereference: categories: @@ -29581,6 +32005,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Null_Pointer_Dereference pretty_name: Null Pointer Dereference - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Omitted_Break_Statement_In_Switch: categories: @@ -29596,6 +32021,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Omitted_Break_Statement_In_Switch pretty_name: Omitted Break Statement In Switch - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Pages_Without_Global_Error_Handler: categories: @@ -29610,6 +32036,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Pages_Without_Global_Error_Handler pretty_name: Pages Without Global Error Handler - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Portability_Flaw_In_File_Separator: categories: @@ -29623,6 +32050,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Portability_Flaw_In_File_Separator pretty_name: Portability Flaw In File Separator - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Potential_SpringShell: categories: 
@@ -29636,6 +32064,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Potential_SpringShell pretty_name: Potential SpringShell - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J: categories: @@ -29651,6 +32080,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J pretty_name: Potential Usage of Vulnerable Log4J - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Potentially_Serializable_Class_With_Sensitive_Data: categories: @@ -29665,6 +32095,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Potentially_Serializable_Class_With_Sensitive_Data pretty_name: Potentially Serializable Class With Sensitive Data - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Public_Static_Field_Not_Marked_Final: categories: @@ -29678,6 +32109,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Public_Static_Field_Not_Marked_Final pretty_name: Public Static Field Not Marked Final - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Reachable_Assertion: categories: @@ -29692,6 +32124,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Reachable_Assertion pretty_name: Reachable Assertion - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Redirect_Without_Exit: categories: 
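Review bot: `Java_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J` and `Java_Best_Coding_Practice_Potential_SpringShell` are heuristics for known-vulnerable component usage (Log4Shell- and Spring4Shell-class issues), and both become recommended here while still carrying `group: top10-insecure-design`; `top10-vulnerable-components` is the group this file uses for that kind of finding, e.g. `Java_Android_Use_of_WebView_AddJavascriptInterface` and `Java_Low_Visibility_Citrus_Developer_Mode_Enabled` elsewhere in the diff. The group is pre-existing, but recommending the rule promotes it into whatever report buckets these groups feed, so the mismatch becomes visible. I would change both to `group: top10-vulnerable-components` in the same change, and treat a SAST hit here as a supplement to dependency scanning rather than the authoritative version check.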
@@ -29705,6 +32138,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Redirect_Without_Exit pretty_name: Redirect Without Exit - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Reliance_On_Untrusted_Inputs_In_Security_Decision: categories: @@ -29719,6 +32153,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Reliance_On_Untrusted_Inputs_In_Security_Decision pretty_name: Reliance On Untrusted Inputs In Security Decision - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Return_Inside_Finally_Block: categories: @@ -29732,6 +32167,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Return_Inside_Finally_Block pretty_name: Return Inside Finally Block - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Suspicious_Endpoints: categories: @@ -29746,6 +32182,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Suspicious_Endpoints pretty_name: Suspicious Endpoints - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Unchecked_Error_Condition: categories: @@ -29758,6 +32195,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Unchecked_Error_Condition pretty_name: Unchecked Error Condition - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Unchecked_Return_Value: categories: 
@@ -29771,6 +32209,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Unchecked_Return_Value pretty_name: Unchecked Return Value - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Unclosed_Objects: categories: @@ -29784,6 +32223,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Unclosed_Objects pretty_name: Unclosed Objects - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Uncontrolled_Recursion: categories: @@ -29798,6 +32238,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Uncontrolled_Recursion pretty_name: Uncontrolled Recursion - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Undocumented_API: categories: @@ -29814,6 +32255,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Undocumented_API pretty_name: Undocumented API - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Unsafe_BiDi_Unicode_Data: categories: @@ -29830,6 +32272,7 @@ rules: group: top10-injection name: Java_Best_Coding_Practice_Unsafe_BiDi_Unicode_Data pretty_name: Unsafe BiDi Unicode Data - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Unsafe_Homoglyphs_Unicode_Data: categories: @@ -29846,6 +32289,7 @@ rules: group: top10-injection name: Java_Best_Coding_Practice_Unsafe_Homoglyphs_Unicode_Data pretty_name: Unsafe Homoglyphs Unicode Data - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Unused_Variable: categories: 
@@ -29859,6 +32303,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Unused_Variable pretty_name: Unused Variable - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Use_Of_Uninitialized_Variables: categories: @@ -29872,6 +32317,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Use_Of_Uninitialized_Variables pretty_name: Use Of Uninitialized Variables - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Use_of_Inner_Class_Containing_Sensitive_Data: categories: @@ -29886,6 +32332,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Use_of_Inner_Class_Containing_Sensitive_Data pretty_name: Use of Inner Class Containing Sensitive Data - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Use_of_Obsolete_Functions: categories: @@ -29899,6 +32346,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Use_of_Obsolete_Functions pretty_name: Use of Obsolete Functions - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Use_of_System_Output_Stream: categories: @@ -29911,6 +32359,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Use_of_System_Output_Stream pretty_name: Use of System Output Stream - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Use_of_System_exit: categories: 
@@ -29924,6 +32373,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Use_of_System_exit pretty_name: Use of System exit - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Use_of_Wrong_Operator_in_String_Comparison: categories: @@ -29937,6 +32387,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_Use_of_Wrong_Operator_in_String_Comparison pretty_name: Use of Wrong Operator in String Comparison - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_clone_Method_Without_super_clone: categories: @@ -29950,6 +32401,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_clone_Method_Without_super_clone pretty_name: clone Method Without super clone - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_finalize_Method_Declared_Public: categories: @@ -29963,6 +32415,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_finalize_Method_Declared_Public pretty_name: finalize Method Declared Public - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_finalize_Method_Without_super_finalize: categories: @@ -29975,6 +32428,7 @@ rules: group: top10-insecure-design name: Java_Best_Coding_Practice_finalize_Method_Without_super_finalize pretty_name: finalize Method Without super finalize - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Exploitable_Path_Java_Find_Imports: categories: 
@@ -29986,6 +32440,7 @@ rules: group: top10-injection name: Java_Exploitable_Path_Java_Find_Imports pretty_name: Java Find Imports - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Exploitable_Path_Java_Find_Methods: categories: @@ -29998,6 +32453,7 @@ rules: group: top10-injection name: Java_Exploitable_Path_Java_Find_Methods pretty_name: Java Find Methods - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_GWT_GWT_DOM_XSS: categories: @@ -30013,6 +32469,7 @@ rules: group: top10-injection name: Java_GWT_GWT_DOM_XSS pretty_name: GWT DOM XSS - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_GWT_GWT_Reflected_XSS: categories: @@ -30029,6 +32486,7 @@ rules: group: top10-injection name: Java_GWT_GWT_Reflected_XSS pretty_name: GWT Reflected XSS - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_GWT_JSON_Hijacking: categories: @@ -30044,6 +32502,7 @@ rules: group: top10-injection name: Java_GWT_JSON_Hijacking pretty_name: JSON Hijacking - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Heuristic_Heuristic_2nd_Order_SQL_Injection: categories: @@ -30060,6 +32519,7 @@ rules: group: top10-injection name: Java_Heuristic_Heuristic_2nd_Order_SQL_Injection pretty_name: Heuristic 2nd Order SQL Injection - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Heuristic_Heuristic_CGI_Stored_XSS: categories: @@ -30075,6 +32535,7 @@ rules: group: top10-injection name: Java_Heuristic_Heuristic_CGI_Stored_XSS pretty_name: Heuristic CGI Stored XSS - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Heuristic_Heuristic_CSRF: categories: 
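Review bot: `Java_Exploitable_Path_Java_Find_Imports` and `Java_Exploitable_Path_Java_Find_Methods` look like the support queries Checkmarx runs to feed its exploitable-path analysis rather than queries that report a weakness in their own right, yet both are now `recommended: true` under `group: top10-injection`. If that reading is right, every import and method resolution they emit will surface as a recommended injection finding with nothing for a developer to fix; I would confirm against the Checkmarx query description and, if confirmed, leave these two without the flag. The `Java_GWT_*` and `Java_Heuristic_*` rules on the same line are real detections and are reasonable to recommend.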
@@ -30090,6 +32551,7 @@ rules: group: top10-injection name: Java_Heuristic_Heuristic_CSRF pretty_name: Heuristic CSRF - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Heuristic_Heuristic_DB_Parameter_Tampering: categories: @@ -30103,6 +32565,7 @@ rules: group: top10-broken-access-control name: Java_Heuristic_Heuristic_DB_Parameter_Tampering pretty_name: Heuristic DB Parameter Tampering - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Heuristic_Heuristic_Parameter_Tampering: categories: @@ -30117,6 +32580,7 @@ rules: group: top10-insecure-design name: Java_Heuristic_Heuristic_Parameter_Tampering pretty_name: Heuristic Parameter Tampering - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Heuristic_Heuristic_SQL_Injection: categories: @@ -30133,6 +32597,7 @@ rules: group: top10-injection name: Java_Heuristic_Heuristic_SQL_Injection pretty_name: Heuristic SQL Injection - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Heuristic_Heuristic_Stored_XSS: categories: @@ -30148,6 +32613,7 @@ rules: group: top10-injection name: Java_Heuristic_Heuristic_Stored_XSS pretty_name: Heuristic Stored XSS - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_High_Risk_Code_Injection: categories: @@ -30165,6 +32631,7 @@ rules: group: top10-injection name: Java_High_Risk_Code_Injection pretty_name: Code Injection - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_High_Risk_Command_Injection: categories: 
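Review bot: The `Java_Heuristic_*` queries on this line (`Java_Heuristic_Heuristic_SQL_Injection`, `Java_Heuristic_Heuristic_Stored_XSS`, `Java_Heuristic_Heuristic_CSRF`) are, as I understand Checkmarx's naming, lower-confidence variants of detections that also exist as `Java_High_Risk_*` rules, and `Java_High_Risk_SQL_Injection` and `Java_High_Risk_Stored_XSS` are recommended a few hunks later, so recommending both produces two findings of different confidence for the same sink. If the recommended set is meant as a low-noise default I would keep the heuristic variants off and let teams opt in, or at least add a comment above the first heuristic rule such as `# Heuristic queries are lower confidence than the High_Risk variants; recommended deliberately` so the trade-off is recorded. `Java_High_Risk_Code_Injection` at the end of the line is exactly the kind of entry the flag is for.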
@@ -30182,6 +32649,7 @@ rules: group: top10-injection name: Java_High_Risk_Command_Injection pretty_name: Command Injection - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_High_Risk_Connection_String_Injection: categories: @@ -30197,6 +32665,7 @@ rules: group: top10-injection name: Java_High_Risk_Connection_String_Injection pretty_name: Connection String Injection - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_High_Risk_Deserialization_of_Untrusted_Data: categories: @@ -30212,6 +32681,7 @@ rules: group: top10-software-data-integrity-failures name: Java_High_Risk_Deserialization_of_Untrusted_Data pretty_name: Deserialization of Untrusted Data - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_High_Risk_Deserialization_of_Untrusted_Data_in_JMS: categories: @@ -30227,6 +32697,7 @@ rules: group: top10-software-data-integrity-failures name: Java_High_Risk_Deserialization_of_Untrusted_Data_in_JMS pretty_name: Deserialization of Untrusted Data in JMS - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_High_Risk_Expression_Language_Injection_EL: categories: @@ -30244,6 +32715,7 @@ rules: group: top10-injection name: Java_High_Risk_Expression_Language_Injection_EL pretty_name: Expression Language Injection EL - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_High_Risk_Expression_Language_Injection_MVEL: categories: @@ -30261,6 +32733,7 @@ rules: group: top10-injection name: Java_High_Risk_Expression_Language_Injection_MVEL pretty_name: Expression Language Injection MVEL - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_High_Risk_Expression_Language_Injection_OGNL: categories: 
@@ -30278,6 +32751,7 @@ rules: group: top10-injection name: Java_High_Risk_Expression_Language_Injection_OGNL pretty_name: Expression Language Injection OGNL - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_High_Risk_Expression_Language_Injection_SPEL: categories: @@ -30295,6 +32769,7 @@ rules: group: top10-injection name: Java_High_Risk_Expression_Language_Injection_SPEL pretty_name: Expression Language Injection SPEL - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_High_Risk_JSF_Local_File_Inclusion: categories: @@ -30310,6 +32785,7 @@ rules: group: top10-injection name: Java_High_Risk_JSF_Local_File_Inclusion pretty_name: JSF Local File Inclusion - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_High_Risk_LDAP_Injection: categories: @@ -30326,6 +32802,7 @@ rules: group: top10-injection name: Java_High_Risk_LDAP_Injection pretty_name: LDAP Injection - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_High_Risk_Mongo_NoSQL_Injection: categories: @@ -30341,6 +32818,7 @@ rules: group: top10-injection name: Java_High_Risk_Mongo_NoSQL_Injection pretty_name: Mongo NoSQL Injection - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_High_Risk_Reflected_XSS_All_Clients: categories: @@ -30357,6 +32835,7 @@ rules: group: top10-injection name: Java_High_Risk_Reflected_XSS_All_Clients pretty_name: Reflected XSS All Clients - Java + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_High_Risk_Resource_Injection: categories: 
@@ -30372,6 +32851,7 @@ rules:
 group: top10-injection
 name: Java_High_Risk_Resource_Injection
 pretty_name: Resource Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_High_Risk_SQL_Injection:
 categories:
@@ -30389,6 +32869,7 @@ rules:
 group: top10-injection
 name: Java_High_Risk_SQL_Injection
 pretty_name: SQL Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_High_Risk_Second_Order_SQL_Injection:
 categories:
@@ -30406,6 +32887,7 @@ rules:
 group: top10-injection
 name: Java_High_Risk_Second_Order_SQL_Injection
 pretty_name: Second Order SQL Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_High_Risk_Stored_XSS:
 categories:
@@ -30422,6 +32904,7 @@ rules:
 group: top10-injection
 name: Java_High_Risk_Stored_XSS
 pretty_name: Stored XSS - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_High_Risk_Unsafe_JNDI_Lookup:
 categories:
@@ -30438,6 +32921,7 @@ rules:
 group: top10-injection
 name: Java_High_Risk_Unsafe_JNDI_Lookup
 pretty_name: Unsafe JNDI Lookup - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_High_Risk_Unsafe_Reflection:
 categories:
@@ -30453,6 +32937,7 @@ rules:
 group: top10-injection
 name: Java_High_Risk_Unsafe_Reflection
 pretty_name: Unsafe Reflection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_High_Risk_XPath_Injection:
 categories:
@@ -30469,6 +32954,7 @@ rules:
 group: top10-injection
 name: Java_High_Risk_XPath_Injection
 pretty_name: XPath Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Authorization_Bypass_Through_User_Controlled_SQL_PrimaryKey:
 categories:
@@ -30483,6 +32969,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Low_Visibility_Authorization_Bypass_Through_User_Controlled_SQL_PrimaryKey
 pretty_name: Authorization Bypass Through User Controlled SQL PrimaryKey - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Blind_SQL_Injections:
 categories:
@@ -30499,6 +32986,7 @@ rules:
 group: top10-injection
 name: Java_Low_Visibility_Blind_SQL_Injections
 pretty_name: Blind SQL Injections - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Channel_Accessible_by_NonEndpoint:
 categories:
@@ -30514,6 +33002,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Low_Visibility_Channel_Accessible_by_NonEndpoint
 pretty_name: Channel Accessible by NonEndpoint - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Citrus_Developer_Mode_Enabled:
 categories:
@@ -30527,6 +33016,7 @@ rules:
 group: top10-vulnerable-components
 name: Java_Low_Visibility_Citrus_Developer_Mode_Enabled
 pretty_name: Citrus Developer Mode Enabled - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors:
 categories:
@@ -30540,6 +33030,7 @@ rules:
 group: top10-injection
 name: Java_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors
 pretty_name: Cleansing Canonicalization and Comparison Errors - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Collapse_of_Data_into_Unsafe_Value:
 categories:
@@ -30553,6 +33044,7 @@ rules:
 group: top10-injection
 name: Java_Low_Visibility_Collapse_of_Data_into_Unsafe_Value
 pretty_name: Collapse of Data into Unsafe Value - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Command_Argument_Injection:
 categories:
@@ -30567,6 +33059,7 @@ rules:
 group: top10-injection
 name: Java_Low_Visibility_Command_Argument_Injection
 pretty_name: Command Argument Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Cookie_Overly_Broad_Path:
 categories:
@@ -30580,6 +33073,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Cookie_Overly_Broad_Path
 pretty_name: Cookie Overly Broad Path - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Creation_of_Temp_File_With_Insecure_Permissions:
 categories:
@@ -30594,6 +33088,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Low_Visibility_Creation_of_Temp_File_With_Insecure_Permissions
 pretty_name: Creation of Temp File With Insecure Permissions - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Creation_of_Temp_File_in_Dir_with_Incorrect_Permissions:
 categories:
@@ -30608,6 +33103,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Low_Visibility_Creation_of_Temp_File_in_Dir_with_Incorrect_Permissions
 pretty_name: Creation of Temp File in Dir with Incorrect Permissions - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Cross_Site_History_Manipulation:
 categories:
@@ -30623,6 +33119,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Java_Low_Visibility_Cross_Site_History_Manipulation
 pretty_name: Cross Site History Manipulation - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_DB_Control_of_System_or_Config_Setting:
 categories:
@@ -30635,6 +33132,7 @@ rules:
 group: top10-security-misconfiguration
 name: Java_Low_Visibility_DB_Control_of_System_or_Config_Setting
 pretty_name: DB Control of System or Config Setting - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Data_Leak_Between_Sessions:
 categories:
@@ -30651,6 +33149,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Low_Visibility_Data_Leak_Between_Sessions
 pretty_name: Data Leak Between Sessions - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Divide_By_Zero:
 categories:
@@ -30663,6 +33162,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Divide_By_Zero
 pretty_name: Divide By Zero - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_ESAPI_Same_Password_Repeats_Twice:
 categories:
@@ -30676,6 +33176,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Low_Visibility_ESAPI_Same_Password_Repeats_Twice
 pretty_name: ESAPI Same Password Repeats Twice - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Empty_Password_In_Connection_String:
 categories:
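Review bot: The fourth hunk on this line sets `recommended: true` on Java_Low_Visibility_Divide_By_Zero, which is a code-quality check rather than an exploitable weakness, and every Low_Visibility rule visible in this section receives the same flag. If `recommended` is meant to be a curated default policy, a blanket flag on low-visibility quality rules will dilute it with noise and teach teams to ignore the set, so the selection criterion should be stated somewhere reviewable. I would add a comment at the top of the file such as `# recommended: rules enabled in the default policy; selected for exploitability, not applied to every Low_Visibility rule` and drop the flag from quality-only rules like Divide_By_Zero. The surrounding rule mappings begin and end outside these hunks, so I cannot tell whether any Low_Visibility rule was deliberately left unflagged.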
@@ -30689,6 +33190,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Low_Visibility_Empty_Password_In_Connection_String
 pretty_name: Empty Password In Connection String - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Escape_False:
 categories:
@@ -30704,6 +33206,7 @@ rules:
 group: top10-injection
 name: Java_Low_Visibility_Escape_False
 pretty_name: Escape False - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Exposure_of_System_Data:
 categories:
@@ -30718,6 +33221,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Low_Visibility_Exposure_of_System_Data
 pretty_name: Exposure of System Data - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_File_Permissions_World_Readable:
 categories:
@@ -30731,6 +33235,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Low_Visibility_File_Permissions_World_Readable
 pretty_name: File Permissions World Readable - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Heap_Inspection:
 categories:
@@ -30745,6 +33250,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Low_Visibility_Heap_Inspection
 pretty_name: Heap Inspection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Improper_Build_Of_Sql_Mapping:
 categories:
@@ -30761,6 +33267,7 @@ rules:
 group: top10-injection
 name: Java_Low_Visibility_Improper_Build_Of_Sql_Mapping
 pretty_name: Improper Build Of Sql Mapping - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Improper_Exception_Handling:
 categories:
@@ -30773,6 +33280,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Improper_Exception_Handling
 pretty_name: Improper Exception Handling - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Improper_Resource_Access_Authorization:
 categories:
@@ -30786,6 +33294,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Low_Visibility_Improper_Resource_Access_Authorization
 pretty_name: Improper Resource Access Authorization - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Improper_Resource_Locking:
 categories:
@@ -30799,6 +33308,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Improper_Resource_Locking
 pretty_name: Improper Resource Locking - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Improper_Resource_Shutdown_or_Release:
 categories:
@@ -30812,6 +33322,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Improper_Resource_Shutdown_or_Release
 pretty_name: Improper Resource Shutdown or Release - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Improper_Session_Management:
 categories:
@@ -30825,6 +33336,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Low_Visibility_Improper_Session_Management
 pretty_name: Improper Session Management - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Improper_Transaction_Handling:
 categories:
@@ -30839,6 +33351,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Improper_Transaction_Handling
 pretty_name: Improper Transaction Handling - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Incorrect_Permission_Assignment_For_Critical_Resources:
 categories:
@@ -30852,6 +33365,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Low_Visibility_Incorrect_Permission_Assignment_For_Critical_Resources
 pretty_name: Incorrect Permission Assignment For Critical Resources - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Information_Exposure_Through_Debug_Log:
 categories:
@@ -30865,6 +33379,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Low_Visibility_Information_Exposure_Through_Debug_Log
 pretty_name: Information Exposure Through Debug Log - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Information_Exposure_Through_Query_String:
 categories:
@@ -30878,6 +33393,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Information_Exposure_Through_Query_String
 pretty_name: Information Exposure Through Query String - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Information_Exposure_Through_Server_Log:
 categories:
@@ -30891,6 +33407,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Low_Visibility_Information_Exposure_Through_Server_Log
 pretty_name: Information Exposure Through Server Log - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Information_Exposure_Through_an_Error_Message:
 categories:
@@ -30904,6 +33421,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Information_Exposure_Through_an_Error_Message
 pretty_name: Information Exposure Through an Error Message - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Information_Leak_Through_Comments:
 categories:
@@ -30919,6 +33437,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Low_Visibility_Information_Leak_Through_Comments
 pretty_name: Information Leak Through Comments - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Information_Leak_Through_Persistent_Cookies:
 categories:
@@ -30932,6 +33451,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Information_Leak_Through_Persistent_Cookies
 pretty_name: Information Leak Through Persistent Cookies - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Information_Leak_Through_Shell_Error_Message:
 categories:
@@ -30947,6 +33467,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Low_Visibility_Information_Leak_Through_Shell_Error_Message
 pretty_name: Information Leak Through Shell Error Message - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Insufficient_Session_Expiration:
 categories:
@@ -30961,6 +33482,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Low_Visibility_Insufficient_Session_Expiration
 pretty_name: Insufficient Session Expiration - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Insufficiently_Protected_Credentials:
 categories:
@@ -30975,6 +33497,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Insufficiently_Protected_Credentials
 pretty_name: Insufficiently Protected Credentials - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Integer_Overflow:
 categories:
@@ -30991,6 +33514,7 @@ rules:
 group: top10-injection
 name: Java_Low_Visibility_Integer_Overflow
 pretty_name: Integer Overflow - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Integer_Underflow:
 categories:
@@ -31005,6 +33529,7 @@ rules:
 group: top10-injection
 name: Java_Low_Visibility_Integer_Underflow
 pretty_name: Integer Underflow - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_JWT_Excessive_Expiration_Time:
 categories:
@@ -31019,6 +33544,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Low_Visibility_JWT_Excessive_Expiration_Time
 pretty_name: JWT Excessive Expiration Time - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_JWT_Use_Of_None_Algorithm:
 categories:
@@ -31033,6 +33559,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Low_Visibility_JWT_Use_Of_None_Algorithm
 pretty_name: JWT Use Of None Algorithm - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Leaving_Temporary_File:
 categories:
@@ -31045,6 +33572,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Low_Visibility_Leaving_Temporary_File
 pretty_name: Leaving Temporary File - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Log_Forging:
 categories:
@@ -31057,6 +33585,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: Java_Low_Visibility_Log_Forging
 pretty_name: Log Forging - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Logic_Time_Bomb:
 categories:
@@ -31070,6 +33599,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: Java_Low_Visibility_Logic_Time_Bomb
 pretty_name: Logic Time Bomb - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Missing_Content_Security_Policy:
 categories:
@@ -31083,6 +33613,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Low_Visibility_Missing_Content_Security_Policy
 pretty_name: Missing Content Security Policy - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Missing_Password_Field_Masking:
 categories:
@@ -31096,6 +33627,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Missing_Password_Field_Masking
 pretty_name: Missing Password Field Masking - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Missing_X_Frame_Options:
 categories:
@@ -31110,6 +33642,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Missing_X_Frame_Options
 pretty_name: Missing X Frame Options - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Not_Using_a_Random_IV_with_CBC_Mode:
 categories:
@@ -31124,6 +33657,7 @@ rules:
 group: top10-crypto-failures
 name: Java_Low_Visibility_Not_Using_a_Random_IV_with_CBC_Mode
 pretty_name: Not Using a Random IV with CBC Mode - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Object_Hijack:
 categories:
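Review bot: Promoting Java_Low_Visibility_Missing_Content_Security_Policy (third hunk on this line) to the recommended set surfaces a rule whose `group: top10-id-authn-failures` does not match the weakness: a missing CSP header is a hardening/misconfiguration gap (OWASP A05), not an authentication failure, and the same line already files Missing_X_Frame_Options under a different group. The group is a context line here rather than part of this change, so this may belong in a follow-up, but a recommended rule with a wrong category will be what users see first. I would change it to `group: top10-security-misconfiguration`, consistent with how the other header-hardening rules should be classified.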
@@ -31138,6 +33672,7 @@ rules:
 group: top10-injection
 name: Java_Low_Visibility_Object_Hijack
 pretty_name: Object Hijack - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Off_by_One_Error:
 categories:
@@ -31151,6 +33686,7 @@ rules:
 group: top10-injection
 name: Java_Low_Visibility_Off_by_One_Error
 pretty_name: Off by One Error - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Open_Redirect:
 categories:
@@ -31165,6 +33701,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Low_Visibility_Open_Redirect
 pretty_name: Open Redirect - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy:
 categories:
@@ -31178,6 +33715,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy
 pretty_name: Overly Permissive Cross Origin Resource Sharing Policy - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Parse_Double_DoS:
 categories:
@@ -31190,6 +33728,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Parse_Double_DoS
 pretty_name: Parse Double DoS - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Password_In_Comment:
 categories:
@@ -31205,6 +33744,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Low_Visibility_Password_In_Comment
 pretty_name: Password In Comment - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Permissive_Content_Security_Policy:
 categories:
@@ -31218,6 +33758,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Low_Visibility_Permissive_Content_Security_Policy
 pretty_name: Permissive Content Security Policy - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Plaintext_Storage_in_a_Cookie:
 categories:
@@ -31229,6 +33770,7 @@ rules:
 group: top10-security-misconfiguration
 name: Java_Low_Visibility_Plaintext_Storage_in_a_Cookie
 pretty_name: Plaintext Storage in a Cookie - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Portability_Flaw_Locale_Dependent_Comparison:
 categories:
@@ -31242,6 +33784,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Portability_Flaw_Locale_Dependent_Comparison
 pretty_name: Portability Flaw Locale Dependent Comparison - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Potential_ReDoS:
 categories:
@@ -31257,6 +33800,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Potential_ReDoS
 pretty_name: Potential ReDoS - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Potential_ReDoS_By_Injection:
 categories:
@@ -31272,6 +33816,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Potential_ReDoS_By_Injection
 pretty_name: Potential ReDoS By Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Potential_ReDoS_In_Match:
 categories:
@@ -31287,6 +33832,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Potential_ReDoS_In_Match
 pretty_name: Potential ReDoS In Match - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Potential_ReDoS_In_Replace:
 categories:
@@ -31302,6 +33848,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Potential_ReDoS_In_Replace
 pretty_name: Potential ReDoS In Replace - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Potential_ReDoS_In_Static_Field:
 categories:
@@ -31317,6 +33864,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Potential_ReDoS_In_Static_Field
 pretty_name: Potential ReDoS In Static Field - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Private_Array_Returned_From_A_Public_Method:
 categories:
@@ -31330,6 +33878,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Private_Array_Returned_From_A_Public_Method
 pretty_name: Private Array Returned From A Public Method - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Public_Data_Assigned_to_Private_Array:
 categories:
@@ -31343,6 +33892,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Public_Data_Assigned_to_Private_Array
 pretty_name: Public Data Assigned to Private Array - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Public_Static_Final_References_Mutable_Object:
 categories:
@@ -31357,6 +33907,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Public_Static_Final_References_Mutable_Object
 pretty_name: Public Static Final References Mutable Object - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Race_Condition:
 categories:
@@ -31373,6 +33924,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Race_Condition
 pretty_name: Race Condition - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Race_Condition_Format_Flaw:
 categories:
@@ -31389,6 +33941,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Race_Condition_Format_Flaw
 pretty_name: Race Condition Format Flaw - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Reflected_Environment_Injection:
 categories:
@@ -31401,6 +33954,7 @@ rules:
 group: top10-security-misconfiguration
 name: Java_Low_Visibility_Reflected_Environment_Injection
 pretty_name: Reflected Environment Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Reliance_on_Cookies_in_a_Decision:
 categories:
@@ -31415,6 +33969,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Java_Low_Visibility_Reliance_on_Cookies_in_a_Decision
 pretty_name: Reliance on Cookies in a Decision - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision:
 categories:
@@ -31429,6 +33984,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision
 pretty_name: Reliance on DNS Lookups in a Decision - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Reversible_One_Way_Hash:
 categories:
@@ -31445,6 +34001,7 @@ rules:
 group: top10-crypto-failures
 name: Java_Low_Visibility_Reversible_One_Way_Hash
 pretty_name: Reversible One Way Hash - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Sensitive_Cookie_in_HTTPS_Session_Without_Secure_Attribute:
 categories:
@@ -31458,6 +34015,7 @@ rules:
 group: top10-security-misconfiguration
 name: Java_Low_Visibility_Sensitive_Cookie_in_HTTPS_Session_Without_Secure_Attribute
 pretty_name: Sensitive Cookie in HTTPS Session Without Secure Attribute - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Serializable_Class_Containing_Sensitive_Data:
 categories:
@@ -31472,6 +34030,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Low_Visibility_Serializable_Class_Containing_Sensitive_Data
 pretty_name: Serializable Class Containing Sensitive Data - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Stored_Command_Argument_Injection:
 categories:
@@ -31486,6 +34045,7 @@ rules:
 group: top10-injection
 name: Java_Low_Visibility_Stored_Command_Argument_Injection
 pretty_name: Stored Command Argument Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Stored_Environment_Injection:
 categories:
@@ -31498,6 +34058,7 @@ rules:
 group: top10-security-misconfiguration
 name: Java_Low_Visibility_Stored_Environment_Injection
 pretty_name: Stored Environment Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Stored_Log_Forging:
 categories:
@@ -31510,6 +34071,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: Java_Low_Visibility_Stored_Log_Forging
 pretty_name: Stored Log Forging - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Storing_Passwords_in_a_Recoverable_Format:
 categories:
@@ -31528,6 +34090,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Storing_Passwords_in_a_Recoverable_Format
 pretty_name: Storing Passwords in a Recoverable Format - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Suspected_XSS:
 categories:
@@ -31543,6 +34106,7 @@ rules:
 group: top10-injection
 name: Java_Low_Visibility_Suspected_XSS
 pretty_name: Suspected XSS - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_TOCTOU:
 categories:
@@ -31558,6 +34122,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_TOCTOU
 pretty_name: TOCTOU - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_TruffleHog_HighEntropy_Strings:
 categories:
@@ -31573,6 +34138,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Low_Visibility_TruffleHog_HighEntropy_Strings
 pretty_name: TruffleHog HighEntropy Strings - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_TruffleHog_Regex_Matches:
 categories:
@@ -31588,6 +34154,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Low_Visibility_TruffleHog_Regex_Matches
 pretty_name: TruffleHog Regex Matches - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables:
 categories:
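Review bot: The fifth hunk on this line marks Java_Low_Visibility_TruffleHog_HighEntropy_Strings as recommended; entropy-only secret detection is known for a high false-positive rate (hashes, base64 blobs, test fixtures, UUIDs) and, if a dedicated secret scanner runs in the same pipeline, every real hit will also be double-reported. The regex-based sibling in the next hunk (TruffleHog_Regex_Matches) is the higher-precision one and is the better candidate for a default policy. I would leave HighEntropy_Strings unflagged, or keep it with a comment such as `# recommended despite noise: entropy-only detector, expect false positives on encoded blobs` so the trade-off is explicit. This assumes `recommended` drives a default-on policy; if it is only informational the concern is smaller.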
@@ -31601,6 +34168,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables
 pretty_name: Trust Boundary Violation in Session Variables - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_UTF7_XSS:
 categories:
@@ -31616,6 +34184,7 @@ rules:
 group: top10-injection
 name: Java_Low_Visibility_UTF7_XSS
 pretty_name: UTF7 XSS - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Uncaught_Exception:
 categories:
@@ -31628,6 +34197,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Uncaught_Exception
 pretty_name: Uncaught Exception - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Unchecked_Return_Value_to_NULL_Pointer_Dereference:
 categories:
@@ -31642,6 +34212,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Unchecked_Return_Value_to_NULL_Pointer_Dereference
 pretty_name: Unchecked Return Value to NULL Pointer Dereference - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Uncontrolled_Format_String:
 categories:
@@ -31655,6 +34226,7 @@ rules:
 group: top10-injection
 name: Java_Low_Visibility_Uncontrolled_Format_String
 pretty_name: Uncontrolled Format String - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Uncontrolled_Memory_Allocation:
 categories:
@@ -31669,6 +34241,7 @@ rules:
 group: top10-injection
 name: Java_Low_Visibility_Uncontrolled_Memory_Allocation
 pretty_name: Uncontrolled Memory Allocation - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Unrestricted_File_Upload:
 categories:
@@ -31683,6 +34256,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Unrestricted_File_Upload
 pretty_name: Unrestricted File Upload - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Unsynchronized_Access_To_Shared_Data:
 categories:
@@ -31697,6 +34271,7 @@ rules:
 group: top10-insecure-design
 name: Java_Low_Visibility_Unsynchronized_Access_To_Shared_Data
 pretty_name: Unsynchronized Access To Shared Data - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Use_Of_Hardcoded_Password:
 categories:
@@ -31710,6 +34285,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Low_Visibility_Use_Of_Hardcoded_Password
 pretty_name: Use Of Hardcoded Password - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Use_Of_Hardcoded_Password_In_Config:
 categories:
@@ -31722,6 +34298,7 @@ rules:
 group: top10-security-misconfiguration
 name: Java_Low_Visibility_Use_Of_Hardcoded_Password_In_Config
 pretty_name: Use Of Hardcoded Password In Config - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Use_Of_getenv:
 categories:
@@ -31736,6 +34313,7 @@ rules:
 group: top10-injection
 name: Java_Low_Visibility_Use_Of_getenv
 pretty_name: Use Of getenv - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm:
 categories:
@@ -31748,6 +34326,7 @@ rules:
 group: top10-crypto-failures
 name: Java_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm
 pretty_name: Use of Broken or Risky Cryptographic Algorithm - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Use_of_Client_Side_Authentication:
 categories:
@@ -31762,6 +34341,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Low_Visibility_Use_of_Client_Side_Authentication
 pretty_name: Use of Client Side Authentication - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Use_of_Hard_coded_Security_Constants:
 categories:
@@ -31775,6 +34355,7 @@ rules:
 group: top10-security-misconfiguration
 name: Java_Low_Visibility_Use_of_Hard_coded_Security_Constants
 pretty_name: Use of Hard coded Security Constants - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Use_of_Non_Cryptographic_Random:
 categories:
@@ -31788,6 +34369,7 @@ rules:
 group: top10-crypto-failures
 name: Java_Low_Visibility_Use_of_Non_Cryptographic_Random
 pretty_name: Use of Non Cryptographic Random - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP:
 categories:
@@ -31801,6 +34383,7 @@ rules:
 group: top10-crypto-failures
 name: Java_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP
 pretty_name: Use of RSA Algorithm without OAEP - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Low_Visibility_Using_Referer_Field_for_Authentication:
 categories:
@@ -31814,6 +34397,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Low_Visibility_Using_Referer_Field_for_Authentication
 pretty_name: Using Referer Field for Authentication - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Absolute_Path_Traversal:
 categories:
@@ -31829,6 +34413,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Medium_Threat_Absolute_Path_Traversal
 pretty_name: Absolute Path Traversal - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_CGI_Reflected_XSS_All_Clients:
 categories:
@@ -31844,6 +34429,7 @@ rules:
 group: top10-injection
 name: Java_Medium_Threat_CGI_Reflected_XSS_All_Clients
 pretty_name: CGI Reflected XSS All Clients - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_CGI_Stored_XSS:
 categories:
@@ -31859,6 +34445,7 @@ rules:
 group: top10-injection
 name: Java_Medium_Threat_CGI_Stored_XSS
 pretty_name: CGI Stored XSS - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_CSRF:
 categories:
@@ -31874,6 +34461,7 @@ rules:
 group: top10-injection
 name: Java_Medium_Threat_CSRF
 pretty_name: CSRF - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Cleartext_Submission_of_Sensitive_Information:
 categories:
@@ -31887,6 +34475,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Medium_Threat_Cleartext_Submission_of_Sensitive_Information
 pretty_name: Cleartext Submission of Sensitive Information - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Client_State_Saving_Method_JSF:
 categories:
@@ -31901,6 +34490,7 @@ rules:
 group: top10-insecure-design
 name: Java_Medium_Threat_Client_State_Saving_Method_JSF
 pretty_name: Client State Saving Method JSF - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_DB_Parameter_Tampering:
 categories:
@@ -31914,6 +34504,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Medium_Threat_DB_Parameter_Tampering
 pretty_name: DB Parameter Tampering - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Dangerous_File_Inclusion:
 categories:
@@ -31927,6 +34518,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Java_Medium_Threat_Dangerous_File_Inclusion
 pretty_name: Dangerous File Inclusion - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Direct_Use_of_Unsafe_JNI:
 categories:
@@ -31941,6 +34533,7 @@ rules:
 group: top10-injection
 name: Java_Medium_Threat_Direct_Use_of_Unsafe_JNI
 pretty_name: Direct Use of Unsafe JNI - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_DoS_by_Sleep:
 categories:
@@ -31953,6 +34546,7 @@ rules:
 group: top10-insecure-design
 name: Java_Medium_Threat_DoS_by_Sleep
 pretty_name: DoS by Sleep - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Download_of_Code_Without_Integrity_Check:
 categories:
@@ -31967,6 +34561,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Java_Medium_Threat_Download_of_Code_Without_Integrity_Check
 pretty_name: Download of Code Without Integrity Check - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Excessive_Data_Exposure:
 categories:
@@ -31980,6 +34575,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Medium_Threat_Excessive_Data_Exposure
 pretty_name: Excessive Data Exposure - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_External_Control_of_Critical_State_Data:
 categories:
@@ -31994,6 +34590,7 @@ rules:
 group: top10-insecure-design
 name: Java_Medium_Threat_External_Control_of_Critical_State_Data
 pretty_name: External Control of Critical State Data - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_External_Control_of_System_or_Config_Setting:
 categories:
@@ -32006,6 +34603,7 @@ rules:
 group: top10-security-misconfiguration
 name: Java_Medium_Threat_External_Control_of_System_or_Config_Setting
 pretty_name: External Control of System or Config Setting - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Frameable_Login_Page:
 categories:
@@ -32019,6 +34617,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Java_Medium_Threat_Frameable_Login_Page
 pretty_name: Frameable Login Page - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_HTTP_Response_Splitting:
 categories:
@@ -32033,6 +34632,7 @@ rules:
 group: top10-injection
 name: Java_Medium_Threat_HTTP_Response_Splitting
 pretty_name: HTTP Response Splitting - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Hardcoded_password_in_Connection_String:
 categories:
@@ -32046,6 +34646,7 @@ rules:
 group: top10-security-misconfiguration
 name: Java_Medium_Threat_Hardcoded_password_in_Connection_String
 pretty_name: Hardcoded password in Connection String - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_HttpOnlyCookies:
 categories:
@@ -32058,6 +34659,7 @@ rules:
 group: top10-security-misconfiguration
 name: Java_Medium_Threat_HttpOnlyCookies
 pretty_name: HttpOnlyCookies - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_HttpOnlyCookies_In_Config:
 categories:
@@ -32070,6 +34672,7 @@ rules:
 group: top10-security-misconfiguration
 name: Java_Medium_Threat_HttpOnlyCookies_In_Config
 pretty_name: HttpOnlyCookies In Config - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Improper_Locking:
 categories:
@@ -32083,6 +34686,7 @@ rules:
 group: top10-insecure-design
 name: Java_Medium_Threat_Improper_Locking
 pretty_name: Improper Locking - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Improper_Restriction_of_Stored_XXE_Ref:
 categories:
@@ -32097,6 +34701,7 @@ rules:
 group: top10-security-misconfiguration
 name: Java_Medium_Threat_Improper_Restriction_of_Stored_XXE_Ref
 pretty_name: Improper Restriction of Stored XXE Ref - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Improper_Restriction_of_XXE_Ref:
 categories:
@@ -32111,6 +34716,7 @@ rules:
 group: top10-security-misconfiguration
 name: Java_Medium_Threat_Improper_Restriction_of_XXE_Ref
 pretty_name: Improper Restriction of XXE Ref - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Inadequate_Encryption_Strength:
 categories:
@@ -32125,6 +34731,7 @@ rules:
 group: top10-crypto-failures
 name: Java_Medium_Threat_Inadequate_Encryption_Strength
 pretty_name: Inadequate Encryption Strength - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Input_Path_Not_Canonicalized:
 categories:
@@ -32138,6 +34745,7 @@ rules:
 group: top10-insecure-design
 name: Java_Medium_Threat_Input_Path_Not_Canonicalized
 pretty_name: Input Path Not Canonicalized - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_JSF_CSRF:
 categories:
@@ -32153,6 +34761,7 @@ rules:
 group: top10-injection
 name: Java_Medium_Threat_JSF_CSRF
 pretty_name: JSF CSRF - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_JSF_Managed_Bean_PII_Leak:
 categories:
@@ -32168,6 +34777,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Medium_Threat_JSF_Managed_Bean_PII_Leak
 pretty_name: JSF Managed Bean PII Leak - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_JWT_Lack_Of_Expiration_Time:
 categories:
@@ -32182,6 +34792,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Medium_Threat_JWT_Lack_Of_Expiration_Time
 pretty_name: JWT Lack Of Expiration Time - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_JWT_No_Signature_Verification:
 categories:
@@ -32196,6 +34807,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Medium_Threat_JWT_No_Signature_Verification
 pretty_name: JWT No Signature Verification - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_JWT_Sensitive_Information_Exposure:
 categories:
@@ -32209,6 +34821,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Medium_Threat_JWT_Sensitive_Information_Exposure
 pretty_name: JWT Sensitive Information Exposure - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_JWT_Use_Of_Hardcoded_Secret:
 categories:
@@ -32224,6 +34837,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Medium_Threat_JWT_Use_Of_Hardcoded_Secret
 pretty_name: JWT Use Of Hardcoded Secret - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Misconfigured_Deserialization_Filter:
 categories:
@@ -32237,6 +34851,7 @@ rules:
 group: top10-security-misconfiguration
 name: Java_Medium_Threat_Misconfigured_Deserialization_Filter
 pretty_name: Misconfigured Deserialization Filter - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Missing_HSTS_Header:
 categories:
@@ -32250,6 +34865,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Medium_Threat_Missing_HSTS_Header
 pretty_name: Missing HSTS Header - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Multiple_Binds_to_the_Same_Port:
 categories:
@@ -32263,6 +34879,7 @@ rules:
 group: top10-insecure-design
 name: Java_Medium_Threat_Multiple_Binds_to_the_Same_Port
 pretty_name: Multiple Binds to the Same Port - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Parameter_Tampering:
 categories:
@@ -32277,6 +34894,7 @@ rules:
 group: top10-insecure-design
 name: Java_Medium_Threat_Parameter_Tampering
 pretty_name: Parameter Tampering - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Plaintext_Storage_of_a_Password:
 categories:
@@ -32289,6 +34907,7 @@ rules:
 group: top10-insecure-design
 name: Java_Medium_Threat_Plaintext_Storage_of_a_Password
 pretty_name: Plaintext Storage of a Password - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Privacy_Violation:
 categories:
@@ -32304,6 +34923,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Medium_Threat_Privacy_Violation
 pretty_name: Privacy Violation - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Process_Control:
 categories:
@@ -32318,6 +34938,7 @@ rules:
 group: top10-injection
 name: Java_Medium_Threat_Process_Control
 pretty_name: Process Control - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_ReDoS_From_Regex_Injection:
 categories:
@@ -32333,6 +34954,7 @@ rules:
 group: top10-insecure-design
 name: Java_Medium_Threat_ReDoS_From_Regex_Injection
 pretty_name: ReDoS From Regex Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_ReDoS_In_Match:
 categories:
@@ -32348,6 +34970,7 @@ rules:
 group: top10-insecure-design
 name: Java_Medium_Threat_ReDoS_In_Match
 pretty_name: ReDoS In Match - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_ReDoS_In_Pattern:
 categories:
@@ -32363,6 +34986,7 @@ rules:
 group: top10-insecure-design
 name: Java_Medium_Threat_ReDoS_In_Pattern
 pretty_name: ReDoS In Pattern - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_ReDoS_In_Replace:
 categories:
@@ -32378,6 +35002,7 @@ rules:
 group: top10-insecure-design
 name: Java_Medium_Threat_ReDoS_In_Replace
 pretty_name: ReDoS In Replace - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Relative_Path_Traversal:
 categories:
@@ -32392,6 +35017,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Medium_Threat_Relative_Path_Traversal
 pretty_name: Relative Path Traversal - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Reliance_on_Cookies_without_Validation:
 categories:
@@ -32406,6 +35032,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Java_Medium_Threat_Reliance_on_Cookies_without_Validation
 pretty_name: Reliance on Cookies without Validation - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_SQL_Injection_Evasion_Attack:
 categories:
@@ -32422,6 +35049,7 @@ rules:
 group: top10-injection
 name: Java_Medium_Threat_SQL_Injection_Evasion_Attack
 pretty_name: SQL Injection Evasion Attack - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_SSL_Verification_Bypass:
 categories:
@@ -32436,6 +35064,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Java_Medium_Threat_SSL_Verification_Bypass
 pretty_name: SSL Verification Bypass - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_SSRF:
 categories:
@@ -32451,6 +35080,7 @@ rules:
 group: top10-server-side-request-forgery
 name: Java_Medium_Threat_SSRF
 pretty_name: SSRF - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Same_Seed_in_PRNG:
 categories:
@@ -32464,6 +35094,7 @@ rules:
 group: top10-crypto-failures
 name: Java_Medium_Threat_Same_Seed_in_PRNG
 pretty_name: Same Seed in PRNG - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Session_Fixation:
 categories:
@@ -32478,6 +35109,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Medium_Threat_Session_Fixation
 pretty_name: Session Fixation - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Stored_Absolute_Path_Traversal:
 categories:
@@ -32493,6 +35125,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Medium_Threat_Stored_Absolute_Path_Traversal
 pretty_name: Stored Absolute Path Traversal - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Stored_Command_Injection:
 categories:
@@ -32509,6 +35142,7 @@ rules:
 group: top10-injection
 name: Java_Medium_Threat_Stored_Command_Injection
 pretty_name: Stored Command Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Stored_LDAP_Injection:
 categories:
@@ -32524,6 +35158,7 @@ rules:
 group: top10-injection
 name: Java_Medium_Threat_Stored_LDAP_Injection
 pretty_name: Stored LDAP Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Stored_Relative_Path_Traversal:
 categories:
@@ -32538,6 +35173,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Medium_Threat_Stored_Relative_Path_Traversal
 pretty_name: Stored Relative Path Traversal - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Unchecked_Input_for_Loop_Condition:
 categories:
@@ -32552,6 +35188,7 @@ rules:
 group: top10-insecure-design
 name: Java_Medium_Threat_Unchecked_Input_for_Loop_Condition
 pretty_name: Unchecked Input for Loop Condition - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Unnormalize_Input_String:
 categories:
@@ -32567,6 +35204,7 @@ rules:
 group: top10-injection
 name: Java_Medium_Threat_Unnormalize_Input_String
 pretty_name: Unnormalize Input String - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Unsafe_Object_Binding:
 categories:
@@ -32581,6 +35219,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Java_Medium_Threat_Unsafe_Object_Binding
 pretty_name: Unsafe Object Binding - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Unvalidated_Forwards:
 categories:
@@ -32593,6 +35232,7 @@ rules:
 group: top10-injection
 name: Java_Medium_Threat_Unvalidated_Forwards
 pretty_name: Unvalidated Forwards - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Unvalidated_SSL_Certificate_Hostname:
 categories:
@@ -32607,6 +35247,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Medium_Threat_Unvalidated_SSL_Certificate_Hostname
 pretty_name: Unvalidated SSL Certificate Hostname - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Use_of_Cryptographically_Weak_PRNG:
 categories:
@@ -32620,6 +35261,7 @@ rules:
 group: top10-crypto-failures
 name: Java_Medium_Threat_Use_of_Cryptographically_Weak_PRNG
 pretty_name: Use of Cryptographically Weak PRNG - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key:
 categories:
@@ -32633,6 +35275,7 @@ rules:
 group: top10-crypto-failures
 name: Java_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key
 pretty_name: Use of Hard coded Cryptographic Key - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Use_of_Insufficiently_Random_Values:
 categories:
@@ -32646,6 +35289,7 @@ rules:
 group: top10-crypto-failures
 name: Java_Medium_Threat_Use_of_Insufficiently_Random_Values
 pretty_name: Use of Insufficiently Random Values - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Use_of_Native_Language:
 categories:
@@ -32659,6 +35303,7 @@ rules:
 group: top10-injection
 name: Java_Medium_Threat_Use_of_Native_Language
 pretty_name: Use of Native Language - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Use_of_a_One_Way_Hash_with_a_Predictable_Salt:
 categories:
@@ -32673,6 +35318,7 @@ rules:
 group: top10-crypto-failures
 name: Java_Medium_Threat_Use_of_a_One_Way_Hash_with_a_Predictable_Salt
 pretty_name: Use of a One Way Hash with a Predictable Salt - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt:
 categories:
@@ -32687,6 +35333,7 @@ rules:
 group: top10-crypto-failures
 name: Java_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt
 pretty_name: Use of a One Way Hash without a Salt - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Medium_Threat_XQuery_Injection:
 categories:
@@ -32702,6 +35349,7 @@ rules:
 group: top10-injection
 name: Java_Medium_Threat_XQuery_Injection
 pretty_name: XQuery Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Potential_Potential_Code_Injection:
 categories:
@@ -32718,6 +35366,7 @@ rules:
 group: top10-injection
 name: Java_Potential_Potential_Code_Injection
 pretty_name: Potential Code Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Potential_Potential_Command_Injection:
 categories:
@@ -32734,6 +35383,7 @@ rules:
 group: top10-injection
 name: Java_Potential_Potential_Command_Injection
 pretty_name: Potential Command Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Potential_Potential_Connection_String_Injection:
 categories:
@@ -32748,6 +35398,7 @@ rules:
 group: top10-injection
 name: Java_Potential_Potential_Connection_String_Injection
 pretty_name: Potential Connection String Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Potential_Potential_GWT_Reflected_XSS:
 categories:
@@ -32763,6 +35414,7 @@ rules:
 group: top10-injection
 name: Java_Potential_Potential_GWT_Reflected_XSS
 pretty_name: Potential GWT Reflected XSS - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Potential_Potential_Hardcoded_password_in_Connection_String:
 categories:
@@ -32776,6 +35428,7 @@ rules:
 group: top10-security-misconfiguration
 name: Java_Potential_Potential_Hardcoded_password_in_Connection_String
 pretty_name: Potential Hardcoded password in Connection String - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Potential_Potential_IO_Reflected_XSS_All_Clients:
 categories:
@@ -32791,6 +35444,7 @@ rules:
 group: top10-injection
 name: Java_Potential_Potential_IO_Reflected_XSS_All_Clients
 pretty_name: Potential IO Reflected XSS All Clients - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Potential_Potential_I_Reflected_XSS_All_Clients:
 categories:
@@ -32806,6 +35460,7 @@ rules:
 group: top10-injection
 name: Java_Potential_Potential_I_Reflected_XSS_All_Clients
 pretty_name: Potential I Reflected XSS All Clients - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Potential_Potential_LDAP_Injection:
 categories:
@@ -32821,6 +35476,7 @@ rules:
 group: top10-injection
 name: Java_Potential_Potential_LDAP_Injection
 pretty_name: Potential LDAP Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Potential_Potential_O_Reflected_XSS_All_Clients:
 categories:
@@ -32836,6 +35492,7 @@ rules:
 group: top10-injection
 name: Java_Potential_Potential_O_Reflected_XSS_All_Clients
 pretty_name: Potential O Reflected XSS All Clients - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Potential_Potential_Parameter_Tampering:
 categories:
@@ -32850,6 +35507,7 @@ rules:
 group: top10-insecure-design
 name: Java_Potential_Potential_Parameter_Tampering
 pretty_name: Potential Parameter Tampering - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Potential_Potential_Resource_Injection:
 categories:
@@ -32864,6 +35522,7 @@ rules:
 group: top10-injection
 name: Java_Potential_Potential_Resource_Injection
 pretty_name: Potential Resource Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Potential_Potential_SQL_Injection:
 categories:
@@ -32880,6 +35539,7 @@ rules:
 group: top10-injection
 name: Java_Potential_Potential_SQL_Injection
 pretty_name: Potential SQL Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Potential_Potential_Stored_XSS:
 categories:
@@ -32895,6 +35555,7 @@ rules:
 group: top10-injection
 name: Java_Potential_Potential_Stored_XSS
 pretty_name: Potential Stored XSS - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Potential_Potential_UTF7_XSS:
 categories:
@@ -32910,6 +35571,7 @@ rules:
 group: top10-injection
 name: Java_Potential_Potential_UTF7_XSS
 pretty_name: Potential UTF7 XSS - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Potential_Potential_Use_of_Hard_coded_Cryptographic_Key:
 categories:
@@ -32923,6 +35585,7 @@ rules:
 group: top10-crypto-failures
 name: Java_Potential_Potential_Use_of_Hard_coded_Cryptographic_Key
 pretty_name: Potential Use of Hard coded Cryptographic Key - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Potential_Potential_XPath_Injection:
 categories:
@@ -32938,6 +35601,7 @@ rules:
 group: top10-injection
 name: Java_Potential_Potential_XPath_Injection
 pretty_name: Potential XPath Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Potential_Potential_XXE_Injection:
 categories:
@@ -32951,6 +35615,7 @@ rules:
 group: top10-security-misconfiguration
 name: Java_Potential_Potential_XXE_Injection
 pretty_name: Potential XXE Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_Argon2_Insecure_Parameters:
 categories:
@@ -32964,6 +35629,7 @@ rules:
 group: top10-insecure-design
 name: Java_Spring_Spring_Argon2_Insecure_Parameters
 pretty_name: Spring Argon2 Insecure Parameters - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_BCrypt_Insecure_Parameters:
 categories:
@@ -32977,6 +35643,7 @@ rules:
 group: top10-insecure-design
 name: Java_Spring_Spring_BCrypt_Insecure_Parameters
 pretty_name: Spring BCrypt Insecure Parameters - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_CSRF:
 categories:
@@ -32991,6 +35658,7 @@ rules:
 group: top10-injection
 name: Java_Spring_Spring_CSRF
 pretty_name: Spring CSRF - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_Comparison_Timing_Attack:
 categories:
@@ -33005,6 +35673,7 @@ rules:
 group: top10-insecure-design
 name: Java_Spring_Spring_Comparison_Timing_Attack
 pretty_name: Spring Comparison Timing Attack - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_Missing_Content_Security_Policy:
 categories:
@@ -33017,6 +35686,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Spring_Spring_Missing_Content_Security_Policy
 pretty_name: Spring Missing Content Security Policy - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_Missing_Expect_CT_Header:
 categories:
@@ -33029,6 +35699,7 @@ rules:
 group: top10-insecure-design
 name: Java_Spring_Spring_Missing_Expect_CT_Header
 pretty_name: Spring Missing Expect CT Header - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_Missing_Function_Level_Authorization:
 categories:
@@ -33042,6 +35713,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Spring_Spring_Missing_Function_Level_Authorization
 pretty_name: Spring Missing Function Level Authorization - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_Missing_HSTS_Header:
 categories:
@@ -33054,6 +35726,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Spring_Spring_Missing_HSTS_Header
 pretty_name: Spring Missing HSTS Header - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_Missing_Object_Level_Authorization:
 categories:
@@ -33067,6 +35740,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Spring_Spring_Missing_Object_Level_Authorization
 pretty_name: Spring Missing Object Level Authorization - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_Missing_XSS_Protection_Header:
 categories:
@@ -33079,6 +35753,7 @@ rules:
 group: top10-insecure-design
 name: Java_Spring_Spring_Missing_XSS_Protection_Header
 pretty_name: Spring Missing XSS Protection Header - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_Missing_X_Content_Type_Options:
 categories:
@@ -33091,6 +35766,7 @@ rules:
 group: top10-insecure-design
 name: Java_Spring_Spring_Missing_X_Content_Type_Options
 pretty_name: Spring Missing X Content Type Options - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_Missing_X_Frame_Options:
 categories:
@@ -33104,6 +35780,7 @@ rules:
 group: top10-insecure-design
 name: Java_Spring_Spring_Missing_X_Frame_Options
 pretty_name: Spring Missing X Frame Options - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_ModelView_Injection:
 categories:
@@ -33118,6 +35795,7 @@ rules:
 group: top10-injection
 name: Java_Spring_Spring_ModelView_Injection
 pretty_name: Spring ModelView Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy:
 categories:
@@ -33130,6 +35808,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Spring_Spring_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy
 pretty_name: Spring Overly Permissive Cross Origin Resource Sharing Policy - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_PBKDF2_Insecure_Parameters:
 categories:
@@ -33143,6 +35822,7 @@ rules:
 group: top10-insecure-design
 name: Java_Spring_Spring_PBKDF2_Insecure_Parameters
 pretty_name: Spring PBKDF2 Insecure Parameters - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_Permissive_Content_Security_Policy:
 categories:
@@ -33155,6 +35835,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Spring_Spring_Permissive_Content_Security_Policy
 pretty_name: Spring Permissive Content Security Policy - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_SCrypt_Insecure_Parameters:
 categories:
@@ -33168,6 +35849,7 @@ rules:
 group: top10-insecure-design
 name: Java_Spring_Spring_SCrypt_Insecure_Parameters
 pretty_name: Spring SCrypt Insecure Parameters - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_Use_Of_Hardcoded_Password:
 categories:
@@ -33180,6 +35862,7 @@ rules:
 group: top10-id-authn-failures
 name: Java_Spring_Spring_Use_Of_Hardcoded_Password
 pretty_name: Spring Use Of Hardcoded Password - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_Use_of_Broken_or_Risky_Cryptographic_Primitive:
 categories:
@@ -33191,6 +35874,7 @@ rules:
 group: top10-crypto-failures
 name: Java_Spring_Spring_Use_of_Broken_or_Risky_Cryptographic_Primitive
 pretty_name: Spring Use of Broken or Risky Cryptographic Primitive - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_View_SPEL_Injection:
 categories:
@@ -33207,6 +35891,7 @@ rules:
 group: top10-injection
 name: Java_Spring_Spring_View_SPEL_Injection
 pretty_name: Spring View SPEL Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_XSRF:
 categories:
@@ -33221,6 +35906,7 @@ rules:
 group: top10-server-side-request-forgery
 name: Java_Spring_Spring_XSRF
 pretty_name: Spring XSRF - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Spring_Spring_defaultHtmlEscape_Not_True:
 categories:
@@ -33232,6 +35918,7 @@ rules:
 group: top10-insecure-design
 name: Java_Spring_Spring_defaultHtmlEscape_Not_True
 pretty_name: Spring defaultHtmlEscape Not True - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Stored_Stored_Boundary_Violation:
 categories:
@@ -33247,6 +35934,7 @@ rules:
 group: top10-insecure-design
 name: Java_Stored_Stored_Boundary_Violation
 pretty_name: Stored Boundary Violation - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Stored_Stored_Code_Injection:
 categories:
@@ -33263,6 +35951,7 @@ rules:
 group: top10-injection
 name: Java_Stored_Stored_Code_Injection
 pretty_name: Stored Code Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Stored_Stored_HTTP_Response_Splitting:
 categories:
@@ -33277,6 +35966,7 @@ rules:
 group: top10-injection
 name: Java_Stored_Stored_HTTP_Response_Splitting
 pretty_name: Stored HTTP Response Splitting - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Stored_Stored_Mongo_NoSQL_Injection:
 categories:
@@ -33291,6 +35981,7 @@ rules:
 group: top10-injection
 name: Java_Stored_Stored_Mongo_NoSQL_Injection
 pretty_name: Stored Mongo NoSQL Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Stored_Stored_Open_Redirect:
 categories:
@@ -33305,6 +35996,7 @@ rules:
 group: top10-broken-access-control
 name: Java_Stored_Stored_Open_Redirect
 pretty_name: Stored Open Redirect - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Stored_Stored_XPath_Injection:
 categories:
@@ -33320,6 +36012,7 @@ rules:
 group: top10-injection
 name: Java_Stored_Stored_XPath_Injection
 pretty_name: Stored XPath Injection - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts2_Action_Field_Without_Validator:
 categories:
@@ -33332,6 +36025,7 @@ rules:
 group: top10-injection
 name: Java_Struts_Struts2_Action_Field_Without_Validator
 pretty_name: Struts2 Action Field Without Validator - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts2_Duplicate_Action_Field_Validators:
 categories:
@@ -33346,6 +36040,7 @@ rules:
 group: top10-insecure-design
 name: Java_Struts_Struts2_Duplicate_Action_Field_Validators
 pretty_name: Struts2 Duplicate Action Field Validators - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts2_Duplicate_Validators:
 categories:
@@ -33360,6 +36055,7 @@ rules:
 group: top10-insecure-design
 name: Java_Struts_Struts2_Duplicate_Validators
 pretty_name: Struts2 Duplicate Validators - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts2_Undeclared_Validator:
 categories:
@@ -33374,6 +36070,7 @@ rules:
 group: top10-insecure-design
 name: Java_Struts_Struts2_Undeclared_Validator
 pretty_name: Struts2 Undeclared Validator - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts2_Validation_File_Without_Action:
 categories:
@@ -33387,6 +36084,7 @@ rules:
 group: top10-injection
 name: Java_Struts_Struts2_Validation_File_Without_Action
 pretty_name: Struts2 Validation File Without Action - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts2_Validator_Without_Action_Field:
 categories:
@@ -33400,6 +36098,7 @@ rules:
 group: top10-injection
 name: Java_Struts_Struts2_Validator_Without_Action_Field
 pretty_name: Struts2 Validator Without Action Field - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts_Duplicate_Config_Files:
 categories:
@@ -33413,6 +36112,7 @@ rules:
 group: top10-insecure-design
 name: Java_Struts_Struts_Duplicate_Config_Files
 pretty_name: Struts Duplicate Config Files - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts_Duplicate_Form_Bean:
 categories:
@@ -33426,6 +36126,7 @@ rules:
 group: top10-insecure-design
 name: Java_Struts_Struts_Duplicate_Form_Bean
 pretty_name: Struts Duplicate Form Bean - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts_Duplicate_Validation_Files:
 categories:
@@ -33439,6 +36140,7 @@ rules:
 group: top10-insecure-design
 name: Java_Struts_Struts_Duplicate_Validation_Files
 pretty_name: Struts Duplicate Validation Files - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts_Duplicate_Validation_Forms:
 categories:
@@ -33453,6 +36155,7 @@ rules:
 group: top10-insecure-design
 name: Java_Struts_Struts_Duplicate_Validation_Forms
 pretty_name: Struts Duplicate Validation Forms - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts_Form_Does_Not_Extend_Validation_Class:
 categories:
@@ -33467,6 +36170,7 @@ rules:
 group: top10-injection
 name: Java_Struts_Struts_Form_Does_Not_Extend_Validation_Class
 pretty_name: Struts Form Does Not Extend Validation Class - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts_Form_Field_Without_Validator:
 categories:
@@ -33481,6 +36185,7 @@ rules:
 group: top10-injection
 name: Java_Struts_Struts_Form_Field_Without_Validator
 pretty_name: Struts Form Field Without Validator - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts_Incomplete_Validate_Method_Definition:
 categories:
@@ -33494,6 +36199,7 @@ rules:
 group: top10-injection
 name: Java_Struts_Struts_Incomplete_Validate_Method_Definition
 pretty_name: Struts Incomplete Validate Method Definition - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts_Mapping_to_Missing_Form_Bean:
 categories:
@@ -33507,6 +36213,7 @@ rules:
 group: top10-insecure-design
 name: Java_Struts_Struts_Mapping_to_Missing_Form_Bean
 pretty_name: Struts Mapping to Missing Form Bean - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts_Missing_Form_Bean_Name:
 categories:
@@ -33520,6 +36227,7 @@ rules:
 group: top10-insecure-design
 name: Java_Struts_Struts_Missing_Form_Bean_Name
 pretty_name: Struts Missing Form Bean Name - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts_Missing_Form_Bean_Type:
 categories:
@@ -33533,6 +36241,7 @@ rules:
 group: top10-insecure-design
 name: Java_Struts_Struts_Missing_Form_Bean_Type
 pretty_name: Struts Missing Form Bean Type - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts_Missing_Forward_Name:
 categories:
@@ -33547,6 +36256,7 @@ rules:
 group: top10-insecure-design
 name: Java_Struts_Struts_Missing_Forward_Name
 pretty_name: Struts Missing Forward Name - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts_Non_Private_Field_In_ActionForm_Class:
 categories:
@@ -33560,6 +36270,7 @@ rules:
 group: top10-insecure-design
 name: Java_Struts_Struts_Non_Private_Field_In_ActionForm_Class
 pretty_name: Struts Non Private Field In ActionForm Class - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts_Thread_Safety_Violation_In_Action_Class:
 categories:
@@ -33576,6 +36287,7 @@ rules:
 group: top10-insecure-design
 name: Java_Struts_Struts_Thread_Safety_Violation_In_Action_Class
 pretty_name: Struts Thread Safety Violation In Action Class - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts_Unused_Action_Form:
 categories:
@@ -33590,6 +36302,7 @@ rules:
 group: top10-insecure-design
 name: Java_Struts_Struts_Unused_Action_Form
 pretty_name: Struts Unused Action Form - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts_Unused_Validation_Form:
 categories:
@@ -33603,6 +36316,7 @@ rules:
 group: top10-insecure-design
 name: Java_Struts_Struts_Unused_Validation_Form
 pretty_name: Struts Unused Validation Form - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts_Unvalidated_Action_Form:
 categories:
@@ -33615,6 +36329,7 @@ rules:
 group: top10-injection
 name: Java_Struts_Struts_Unvalidated_Action_Form
 pretty_name: Struts Unvalidated Action Form - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts_Use_of_Relative_Path_in_Config:
 categories:
@@ -33629,6 +36344,7 @@ rules:
 group: top10-security-misconfiguration
 name: Java_Struts_Struts_Use_of_Relative_Path_in_Config
 pretty_name: Struts Use of Relative Path in Config - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts_Validation_Turned_Off:
 categories:
@@ -33643,6 +36359,7 @@ rules:
 group: top10-injection
 name: Java_Struts_Struts_Validation_Turned_Off
 pretty_name: Struts Validation Turned Off - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Struts_Struts_Validator_Without_Form_Field:
 categories:
@@ -33656,6 +36373,7 @@ rules:
 group: top10-injection
 name: Java_Struts_Struts_Validator_Without_Form_Field
 pretty_name: Struts Validator Without Form Field - Java
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavasScript_Visualforce_Remoting_VF_Remoting_Client_Potential_CSRF:
 categories:
@@ -33671,6 +36389,7 @@ rules:
 group: top10-injection
 name: JavasScript_Visualforce_Remoting_VF_Remoting_Client_Potential_CSRF
 pretty_name: VF Remoting Client Potential CSRF - JavasScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavasScript_Visualforce_Remoting_VF_Remoting_Client_Potential_Code_Injection:
 categories:
@@ -33687,6 +36406,7 @@ rules:
 group: top10-injection
 name: JavasScript_Visualforce_Remoting_VF_Remoting_Client_Potential_Code_Injection
 pretty_name: VF Remoting Client Potential Code Injection - JavasScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 JavasScript_Visualforce_Remoting_VF_Remoting_Client_Potential_XSS:
 categories:
@@ -33702,6 +36422,7 @@ rules:
 group: top10-injection
 name: JavasScript_Visualforce_Remoting_VF_Remoting_Client_Potential_XSS
 pretty_name: VF Remoting Client Potential XSS - JavasScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Kony_Kony_Code_Injection:
 categories:
@@ -33719,6 +36440,7 @@ rules:
 group: top10-injection
 name: Javascript_Kony_Kony_Code_Injection
 pretty_name: Kony Code Injection - Javascript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Kony_Kony_Deprecated_Functions:
 categories:
@@ -33732,6 +36454,7 @@ rules:
 group: top10-insecure-design
 name: Javascript_Kony_Kony_Deprecated_Functions
 pretty_name: Kony Deprecated Functions - Javascript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Kony_Kony_Hardcoded_EncryptionKey:
 categories:
@@ -33745,6 +36468,7 @@ rules:
 group: top10-crypto-failures
 name: Javascript_Kony_Kony_Hardcoded_EncryptionKey
 pretty_name: Kony Hardcoded EncryptionKey - Javascript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Kony_Kony_Information_Leakage:
 categories:
@@ -33759,6 +36483,7 @@ rules:
 group: top10-broken-access-control
 name: Javascript_Kony_Kony_Information_Leakage
 pretty_name: Kony Information Leakage - Javascript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Kony_Kony_Path_Injection:
 categories:
@@ -33773,6 +36498,7 @@ rules:
 group: top10-insecure-design
 name: Javascript_Kony_Kony_Path_Injection
 pretty_name: Kony Path Injection - Javascript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Kony_Kony_Reflected_XSS:
 categories:
@@ -33789,6 +36515,7 @@ rules:
 group: top10-injection
 name: Javascript_Kony_Kony_Reflected_XSS
 pretty_name: Kony Reflected XSS - Javascript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Kony_Kony_SQL_Injection:
 categories:
@@ -33806,6 +36533,7 @@ rules:
 group: top10-injection
 name: Javascript_Kony_Kony_SQL_Injection
 pretty_name: Kony SQL Injection - Javascript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Kony_Kony_Second_Order_SQL_Injection:
 categories:
@@ -33823,6 +36551,7 @@ rules:
 group: top10-injection
 name: Javascript_Kony_Kony_Second_Order_SQL_Injection
 pretty_name: Kony Second Order SQL Injection - Javascript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Kony_Kony_Stored_Code_Injection:
 categories:
@@ -33840,6 +36569,7 @@ rules:
 group: top10-injection
 name: Javascript_Kony_Kony_Stored_Code_Injection
 pretty_name: Kony Stored Code Injection - Javascript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Kony_Kony_Stored_XSS:
 categories:
@@ -33856,6 +36586,7 @@ rules:
 group: top10-injection
 name: Javascript_Kony_Kony_Stored_XSS
 pretty_name: Kony Stored XSS - Javascript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Kony_Kony_URL_Injection:
 categories:
@@ -33870,6 +36601,7 @@ rules:
 group: top10-broken-access-control
 name: Javascript_Kony_Kony_URL_Injection
 pretty_name: Kony URL Injection - Javascript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Kony_Kony_Unsecure_Browser_Configuration:
 categories:
@@ -33883,6 +36615,7 @@ rules:
 group: top10-security-misconfiguration
 name: Javascript_Kony_Kony_Unsecure_Browser_Configuration
 pretty_name: Kony Unsecure Browser Configuration - Javascript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Kony_Kony_Unsecure_iOSBrowser_Configuration:
 categories:
@@ -33896,6 +36629,7 @@ rules:
 group: top10-security-misconfiguration
 name: Javascript_Kony_Kony_Unsecure_iOSBrowser_Configuration
 pretty_name: Kony Unsecure iOSBrowser Configuration - Javascript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Kony_Kony_Use_WeakEncryption:
 categories:
@@ -33910,6 +36644,7 @@ rules:
 group: top10-crypto-failures
 name: Javascript_Kony_Kony_Use_WeakEncryption
 pretty_name: Kony Use WeakEncryption - Javascript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Kony_Kony_Use_WeakHash:
 categories:
@@ -33926,6 +36661,7 @@ rules:
 group: top10-crypto-failures
 name: Javascript_Kony_Kony_Use_WeakHash
 pretty_name: Kony Use WeakHash - Javascript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Lightning_Lightning_Aura_Attribute_With_Object_Type:
 categories:
@@ -33939,6 +36675,7 @@ rules:
 group: top10-insecure-design
 name: Javascript_Lightning_Lightning_Aura_Attribute_With_Object_Type
 pretty_name: Lightning Aura Attribute With Object Type - Javascript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Lightning_Lightning_Component_Bad_Naming:
 categories:
@@ -33953,6 +36690,7 @@ rules:
 group: top10-insecure-design
 name: Javascript_Lightning_Lightning_Component_Bad_Naming
 pretty_name: Lightning Component Bad Naming - Javascript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Lightning_Lightning_DOM_XSS:
 categories:
@@ -33969,6 +36707,7 @@ rules:
 group: top10-injection
 name: Javascript_Lightning_Lightning_DOM_XSS
 pretty_name: Lightning DOM XSS - Javascript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Lightning_Lightning_Data_Retrieval_Without_Wire_Decorator:
 categories:
@@ -33981,6 +36720,7 @@ rules:
 group: top10-injection
 name: Javascript_Lightning_Lightning_Data_Retrieval_Without_Wire_Decorator
 pretty_name: Lightning Data Retrieval Without Wire Decorator - Javascript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Javascript_Lightning_Lightning_Dynamic_Href_In_Anchor_Tag:
 categories:
@@ -33994,6 +36734,7 @@ rules: group: top10-injection name: Javascript_Lightning_Lightning_Dynamic_Href_In_Anchor_Tag pretty_name: Lightning Dynamic Href In Anchor Tag - Javascript + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Javascript_Lightning_Lightning_Stored_XSS: categories: @@ -34010,6 +36751,7 @@ rules: group: top10-injection name: Javascript_Lightning_Lightning_Stored_XSS pretty_name: Lightning Stored XSS - Javascript + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Javascript_Lightning_Lightning_Use_of_Aura_Component: categories: @@ -34023,6 +36765,7 @@ rules: group: top10-vulnerable-components name: Javascript_Lightning_Lightning_Use_of_Aura_Component pretty_name: Lightning Use of Aura Component - Javascript + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Javascript_Lightning_Lightning_Use_of_LWC_Event_Bubbling: categories: @@ -34036,6 +36779,7 @@ rules: group: top10-vulnerable-components name: Javascript_Lightning_Lightning_Use_of_LWC_Event_Bubbling pretty_name: Lightning Use of LWC Event Bubbling - Javascript + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Javascript_Lightning_Lightning_Use_of_Same_Controller_Method_In_Different_Components: categories: @@ -34050,6 +36794,7 @@ rules: name: Javascript_Lightning_Lightning_Use_of_Same_Controller_Method_In_Different_Components pretty_name: Lightning Use of Same Controller Method In Different Components - Javascript + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Android_Accessible_Content_Provider: categories: 
@@ -34063,6 +36808,7 @@ rules:
 group: top10-broken-access-control
 name: Kotlin_Android_Accessible_Content_Provider
 pretty_name: Accessible Content Provider - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Allowed_Backup:
 categories:
@@ -34076,6 +36822,7 @@ rules:
 group: top10-broken-access-control
 name: Kotlin_Android_Allowed_Backup
 pretty_name: Allowed Backup - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Client_Side_Injection:
 categories:
@@ -34092,6 +36839,7 @@ rules:
 group: top10-injection
 name: Kotlin_Android_Client_Side_Injection
 pretty_name: Client Side Injection - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Client_Side_ReDoS:
 categories:
@@ -34107,6 +36855,7 @@ rules:
 group: top10-insecure-design
 name: Kotlin_Android_Client_Side_ReDoS
 pretty_name: Client Side ReDoS - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Communication_Over_HTTP:
 categories:
@@ -34120,6 +36869,7 @@ rules:
 group: top10-crypto-failures
 name: Kotlin_Android_Communication_Over_HTTP
 pretty_name: Communication Over HTTP - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Copy_Paste_Buffer_Caching:
 categories:
@@ -34133,6 +36883,7 @@ rules:
 group: top10-broken-access-control
 name: Kotlin_Android_Copy_Paste_Buffer_Caching
 pretty_name: Copy Paste Buffer Caching - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Debuggable_App:
 categories:
@@ -34146,6 +36897,7 @@ rules:
 group: top10-broken-access-control
 name: Kotlin_Android_Debuggable_App
 pretty_name: Debuggable App - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_DeviceId_Authentication:
 categories:
@@ -34159,6 +36911,7 @@ rules:
 group: top10-id-authn-failures
 name: Kotlin_Android_DeviceId_Authentication
 pretty_name: DeviceId Authentication - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Exported_Content_Provider_Without_Protective_Permissions:
 categories:
@@ -34172,6 +36925,7 @@ rules:
 group: top10-broken-access-control
 name: Kotlin_Android_Exported_Content_Provider_Without_Protective_Permissions
 pretty_name: Exported Content Provider Without Protective Permissions - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Exported_Service_Without_Permissions:
 categories:
@@ -34185,6 +36939,7 @@ rules:
 group: top10-broken-access-control
 name: Kotlin_Android_Exported_Service_Without_Permissions
 pretty_name: Exported Service Without Permissions - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Exported_Service_Without_Protective_Permissions:
 categories:
@@ -34198,6 +36953,7 @@ rules:
 group: top10-broken-access-control
 name: Kotlin_Android_Exported_Service_Without_Protective_Permissions
 pretty_name: Exported Service Without Protective Permissions - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Failure_to_Implement_Least_Privilege:
 categories:
@@ -34212,6 +36968,7 @@ rules:
 group: top10-broken-access-control
 name: Kotlin_Android_Failure_to_Implement_Least_Privilege
 pretty_name: Failure to Implement Least Privilege - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Hardcoded_Password_In_Gradle:
 categories:
@@ -34225,6 +36982,7 @@ rules:
 group: top10-id-authn-failures
 name: Kotlin_Android_Hardcoded_Password_In_Gradle
 pretty_name: Hardcoded Password In Gradle - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Implicit_Intent_With_Read_Write_Permissions:
 categories:
@@ -34238,6 +36996,7 @@ rules:
 group: top10-broken-access-control
 name: Kotlin_Android_Implicit_Intent_With_Read_Write_Permissions
 pretty_name: Implicit Intent With Read Write Permissions - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Improper_Certificate_Validation:
 categories:
@@ -34250,6 +37009,7 @@ rules:
 group: top10-id-authn-failures
 name: Kotlin_Android_Improper_Certificate_Validation
 pretty_name: Improper Certificate Validation - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Improper_Verification_Of_Intent_By_Broadcast_Receiver:
 categories:
@@ -34264,6 +37024,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Kotlin_Android_Improper_Verification_Of_Intent_By_Broadcast_Receiver
 pretty_name: Improper Verification Of Intent By Broadcast Receiver - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Insecure_Android_SDK_Version:
 categories:
@@ -34277,6 +37038,7 @@ rules:
 group: top10-vulnerable-components
 name: Kotlin_Android_Insecure_Android_SDK_Version
 pretty_name: Insecure Android SDK Version - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Insecure_Cipher_Mode:
 categories:
@@ -34291,6 +37053,7 @@ rules:
 group: top10-crypto-failures
 name: Kotlin_Android_Insecure_Cipher_Mode
 pretty_name: Insecure Cipher Mode - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Insecure_Data_Storage_Usage:
 categories:
@@ -34304,6 +37067,7 @@ rules:
 group: top10-insecure-design
 name: Kotlin_Android_Insecure_Data_Storage_Usage
 pretty_name: Insecure Data Storage Usage - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Insecure_HTTP_Connections_Enabled:
 categories:
@@ -34317,6 +37081,7 @@ rules:
 group: top10-crypto-failures
 name: Kotlin_Android_Insecure_HTTP_Connections_Enabled
 pretty_name: Insecure HTTP Connections Enabled - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Insecure_Sensitive_Data_Storage:
 categories:
@@ -34329,6 +37094,7 @@ rules:
 group: top10-id-authn-failures
 name: Kotlin_Android_Insecure_Sensitive_Data_Storage
 pretty_name: Insecure Sensitive Data Storage - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Insecure_WebView_Usage:
 categories:
@@ -34343,6 +37109,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Kotlin_Android_Insecure_WebView_Usage
 pretty_name: Insecure WebView Usage - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Missing_Rooted_Device_Check:
 categories:
@@ -34356,6 +37123,7 @@ rules:
 group: top10-insecure-design
 name: Kotlin_Android_Missing_Rooted_Device_Check
 pretty_name: Missing Rooted Device Check - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Non_Encrypted_Data_Storage:
 categories:
@@ -34369,6 +37137,7 @@ rules:
 group: top10-insecure-design
 name: Kotlin_Android_Non_Encrypted_Data_Storage
 pretty_name: Non Encrypted Data Storage - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Passing_Non_Encrypted_Data_Between_Activities:
 categories:
@@ -34382,6 +37151,7 @@ rules:
 group: top10-crypto-failures
 name: Kotlin_Android_Passing_Non_Encrypted_Data_Between_Activities
 pretty_name: Passing Non Encrypted Data Between Activities - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Privacy_Violation:
 categories:
@@ -34397,6 +37167,7 @@ rules:
 group: top10-broken-access-control
 name: Kotlin_Android_Privacy_Violation
 pretty_name: Privacy Violation - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_ProGuard_Obfuscation_Not_In_Use:
 categories:
@@ -34410,6 +37181,7 @@ rules:
 group: top10-insecure-design
 name: Kotlin_Android_ProGuard_Obfuscation_Not_In_Use
 pretty_name: ProGuard Obfuscation Not In Use - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Reuse_of_Cryptographic_Key:
 categories:
@@ -34423,6 +37195,7 @@ rules:
 group: top10-id-authn-failures
 name: Kotlin_Android_Reuse_of_Cryptographic_Key
 pretty_name: Reuse of Cryptographic Key - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Screen_Caching:
 categories:
@@ -34436,6 +37209,7 @@ rules:
 group: top10-broken-access-control
 name: Kotlin_Android_Screen_Caching
 pretty_name: Screen Caching - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Sensitive_Information_Over_HTTP:
 categories:
@@ -34450,6 +37224,7 @@ rules:
 group: top10-broken-access-control
 name: Kotlin_Android_Sensitive_Information_Over_HTTP
 pretty_name: Sensitive Information Over HTTP - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Unsafe_Permission_Check:
 categories:
@@ -34463,6 +37238,7 @@ rules:
 group: top10-broken-access-control
 name: Kotlin_Android_Unsafe_Permission_Check
 pretty_name: Unsafe Permission Check - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Use_Of_Implicit_Intent_For_Sensitive_Communication:
 categories:
@@ -34476,6 +37252,7 @@ rules:
 group: top10-insecure-design
 name: Kotlin_Android_Use_Of_Implicit_Intent_For_Sensitive_Communication
 pretty_name: Use Of Implicit Intent For Sensitive Communication - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Use_of_WebView_AddJavascriptInterface:
 categories:
@@ -34491,6 +37268,7 @@ rules:
 group: top10-vulnerable-components
 name: Kotlin_Android_Use_of_WebView_AddJavascriptInterface
 pretty_name: Use of WebView AddJavascriptInterface - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_WebView_Cache_Information_Leak:
 categories:
@@ -34504,6 +37282,7 @@ rules:
 group: top10-broken-access-control
 name: Kotlin_Android_WebView_Cache_Information_Leak
 pretty_name: WebView Cache Information Leak - Kotlin
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Kotlin_Android_Webview_DOM_XSS:
 categories:
@@ -34519,6 +37298,7 @@ rules: group: top10-injection name: Kotlin_Android_Webview_DOM_XSS pretty_name: Webview DOM XSS - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J: categories: @@ -34534,6 +37314,7 @@ rules: group: top10-insecure-design name: Kotlin_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J pretty_name: Potential Usage of Vulnerable Log4J - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_High_Risk_Code_Injection: categories: @@ -34551,6 +37332,7 @@ rules: group: top10-injection name: Kotlin_High_Risk_Code_Injection pretty_name: Code Injection - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_High_Risk_Command_Injection: categories: @@ -34568,6 +37350,7 @@ rules: group: top10-injection name: Kotlin_High_Risk_Command_Injection pretty_name: Command Injection - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_High_Risk_Connection_String_Injection: categories: @@ -34583,6 +37366,7 @@ rules: group: top10-injection name: Kotlin_High_Risk_Connection_String_Injection pretty_name: Connection String Injection - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_High_Risk_Deserialization_of_Untrusted_Data: categories: @@ -34598,6 +37382,7 @@ rules: group: top10-software-data-integrity-failures name: Kotlin_High_Risk_Deserialization_of_Untrusted_Data pretty_name: Deserialization of Untrusted Data - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_High_Risk_Expression_Language_Injection_MVEL: categories: 
@@ -34615,6 +37400,7 @@ rules: group: top10-injection name: Kotlin_High_Risk_Expression_Language_Injection_MVEL pretty_name: Expression Language Injection MVEL - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_High_Risk_Expression_Language_Injection_SPEL: categories: @@ -34632,6 +37418,7 @@ rules: group: top10-injection name: Kotlin_High_Risk_Expression_Language_Injection_SPEL pretty_name: Expression Language Injection SPEL - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_High_Risk_LDAP_Injection: categories: @@ -34648,6 +37435,7 @@ rules: group: top10-injection name: Kotlin_High_Risk_LDAP_Injection pretty_name: LDAP Injection - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_High_Risk_Reflected_XSS: categories: @@ -34664,6 +37452,7 @@ rules: group: top10-injection name: Kotlin_High_Risk_Reflected_XSS pretty_name: Reflected XSS - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_High_Risk_Resource_Injection: categories: @@ -34679,6 +37468,7 @@ rules: group: top10-injection name: Kotlin_High_Risk_Resource_Injection pretty_name: Resource Injection - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_High_Risk_SQL_Injection: categories: @@ -34696,6 +37486,7 @@ rules: group: top10-injection name: Kotlin_High_Risk_SQL_Injection pretty_name: SQL Injection - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_High_Risk_Second_Order_SQL_Injection: categories: 
@@ -34713,6 +37504,7 @@ rules: group: top10-injection name: Kotlin_High_Risk_Second_Order_SQL_Injection pretty_name: Second Order SQL Injection - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_High_Risk_Stored_XSS: categories: @@ -34729,6 +37521,7 @@ rules: group: top10-injection name: Kotlin_High_Risk_Stored_XSS pretty_name: Stored XSS - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_High_Risk_Unsafe_Reflection: categories: @@ -34744,6 +37537,7 @@ rules: group: top10-injection name: Kotlin_High_Risk_Unsafe_Reflection pretty_name: Unsafe Reflection - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_High_Risk_XPath_Injection: categories: @@ -34760,6 +37554,7 @@ rules: group: top10-injection name: Kotlin_High_Risk_XPath_Injection pretty_name: XPath Injection - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Low_Visibility_Command_Argument_Injection: categories: @@ -34774,6 +37569,7 @@ rules: group: top10-injection name: Kotlin_Low_Visibility_Command_Argument_Injection pretty_name: Command Argument Injection - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Low_Visibility_Deprecated_API: categories: @@ -34787,6 +37583,7 @@ rules: group: top10-insecure-design name: Kotlin_Low_Visibility_Deprecated_API pretty_name: Deprecated API - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Low_Visibility_JWT_Excessive_Expiration_Time: categories: 
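Review bot: Kotlin_Low_Visibility_Deprecated_API (last hunk on this line) receives `recommended: true`, but use of a deprecated API is a code-quality signal; it is a security issue only when the replacement was introduced for a security reason, which a generic deprecation rule cannot distinguish. Placing it in the recommended set next to the injection rules in the preceding hunks adds a noisy, low-severity finding to every project that lags a platform release. Suggest dropping the added line for this rule, or if it must stay, annotating it: `# advisory: deprecated-API use is not itself exploitable`.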
@@ -34801,6 +37598,7 @@ rules: group: top10-id-authn-failures name: Kotlin_Low_Visibility_JWT_Excessive_Expiration_Time pretty_name: JWT Excessive Expiration Time - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Low_Visibility_JWT_Use_Of_None_Algorithm: categories: @@ -34815,6 +37613,7 @@ rules: group: top10-id-authn-failures name: Kotlin_Low_Visibility_JWT_Use_Of_None_Algorithm pretty_name: JWT Use Of None Algorithm - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Low_Visibility_Password_In_Comment: categories: @@ -34830,6 +37629,7 @@ rules: group: top10-id-authn-failures name: Kotlin_Low_Visibility_Password_In_Comment pretty_name: Password In Comment - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Low_Visibility_Stored_Command_Argument_Injection: categories: @@ -34844,6 +37644,7 @@ rules: group: top10-injection name: Kotlin_Low_Visibility_Stored_Command_Argument_Injection pretty_name: Stored Command Argument Injection - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm: categories: @@ -34856,6 +37657,7 @@ rules: group: top10-crypto-failures name: Kotlin_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm pretty_name: Use of Broken or Risky Cryptographic Algorithm - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Low_Visibility_Use_of_Hardcoded_Password: categories: 
@@ -34869,6 +37671,7 @@ rules: group: top10-id-authn-failures name: Kotlin_Low_Visibility_Use_of_Hardcoded_Password pretty_name: Use of Hardcoded Password - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Low_Visibility_Use_of_Non_Cryptographic_Random: categories: @@ -34882,6 +37685,7 @@ rules: group: top10-crypto-failures name: Kotlin_Low_Visibility_Use_of_Non_Cryptographic_Random pretty_name: Use of Non Cryptographic Random - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP: categories: @@ -34895,6 +37699,7 @@ rules: group: top10-crypto-failures name: Kotlin_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP pretty_name: Use of RSA Algorithm without OAEP - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Medium_Threat_HttpOnlyCookies: categories: @@ -34907,6 +37712,7 @@ rules: group: top10-security-misconfiguration name: Kotlin_Medium_Threat_HttpOnlyCookies pretty_name: HttpOnlyCookies - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Medium_Threat_JWT_Lack_Of_Expiration_Time: categories: @@ -34921,6 +37727,7 @@ rules: group: top10-id-authn-failures name: Kotlin_Medium_Threat_JWT_Lack_Of_Expiration_Time pretty_name: JWT Lack Of Expiration Time - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Medium_Threat_JWT_No_Signature_Verification: categories: @@ -34935,6 +37742,7 @@ rules: group: top10-id-authn-failures name: Kotlin_Medium_Threat_JWT_No_Signature_Verification pretty_name: JWT No Signature Verification - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Medium_Threat_JWT_Sensitive_Information_Exposure: categories: 
@@ -34948,6 +37756,7 @@ rules: group: top10-broken-access-control name: Kotlin_Medium_Threat_JWT_Sensitive_Information_Exposure pretty_name: JWT Sensitive Information Exposure - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Medium_Threat_JWT_Use_Of_Hardcoded_Secret: categories: @@ -34963,6 +37772,7 @@ rules: group: top10-id-authn-failures name: Kotlin_Medium_Threat_JWT_Use_Of_Hardcoded_Secret pretty_name: JWT Use Of Hardcoded Secret - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Medium_Threat_Plaintext_Storage_of_a_Password: categories: @@ -34975,6 +37785,7 @@ rules: group: top10-insecure-design name: Kotlin_Medium_Threat_Plaintext_Storage_of_a_Password pretty_name: Plaintext Storage of a Password - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Medium_Threat_Same_Seed_in_PRNG: categories: @@ -34988,6 +37799,7 @@ rules: group: top10-crypto-failures name: Kotlin_Medium_Threat_Same_Seed_in_PRNG pretty_name: Same Seed in PRNG - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Medium_Threat_Stored_Command_Injection: categories: @@ -35004,6 +37816,7 @@ rules: group: top10-injection name: Kotlin_Medium_Threat_Stored_Command_Injection pretty_name: Stored Command Injection - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Medium_Threat_Stored_LDAP_Injection: categories: @@ -35019,6 +37832,7 @@ rules: group: top10-injection name: Kotlin_Medium_Threat_Stored_LDAP_Injection pretty_name: Stored LDAP Injection - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Medium_Threat_Unchecked_Input_for_Loop_Condition: categories: 
@@ -35033,6 +37847,7 @@ rules: group: top10-insecure-design name: Kotlin_Medium_Threat_Unchecked_Input_for_Loop_Condition pretty_name: Unchecked Input for Loop Condition - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Medium_Threat_Use_of_Cryptographically_Weak_PRNG: categories: @@ -35046,6 +37861,7 @@ rules: group: top10-crypto-failures name: Kotlin_Medium_Threat_Use_of_Cryptographically_Weak_PRNG pretty_name: Use of Cryptographically Weak PRNG - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Medium_Threat_Use_of_Hardcoded_Cryptographic_Key: categories: @@ -35059,6 +37875,7 @@ rules: group: top10-crypto-failures name: Kotlin_Medium_Threat_Use_of_Hardcoded_Cryptographic_Key pretty_name: Use of Hardcoded Cryptographic Key - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Medium_Threat_Use_of_a_One_Way_Hash_with_a_Predictable_Salt: categories: @@ -35073,6 +37890,7 @@ rules: group: top10-crypto-failures name: Kotlin_Medium_Threat_Use_of_a_One_Way_Hash_with_a_Predictable_Salt pretty_name: Use of a One Way Hash with a Predictable Salt - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt: categories: @@ -35087,6 +37905,7 @@ rules: group: top10-crypto-failures name: Kotlin_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt pretty_name: Use of a One Way Hash without a Salt - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Spring_Spring_View_Manipulation: categories: 
@@ -35103,6 +37922,7 @@ rules: group: top10-injection name: Kotlin_Spring_Spring_View_Manipulation pretty_name: Spring View Manipulation - Kotlin + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Lua_Best_Coding_Practice_Empty_Methods: categories: @@ -35115,6 +37935,7 @@ rules: group: top10-insecure-design name: Lua_Best_Coding_Practice_Empty_Methods pretty_name: Empty Methods - Lua + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Best_Coding_Practice_Dead_Code: categories: @@ -35127,6 +37948,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Best_Coding_Practice_Dead_Code pretty_name: Dead Code - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Best_Coding_Practice_Dynamic_SQL_Queries: categories: @@ -35143,6 +37965,7 @@ rules: group: top10-injection name: ObjectiveC_Best_Coding_Practice_Dynamic_SQL_Queries pretty_name: Dynamic SQL Queries - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Best_Coding_Practice_Empty_Methods: categories: @@ -35155,6 +37978,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Best_Coding_Practice_Empty_Methods pretty_name: Empty Methods - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Best_Coding_Practice_Expression_is_Always_False: categories: @@ -35167,6 +37991,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Best_Coding_Practice_Expression_is_Always_False pretty_name: Expression is Always False - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Best_Coding_Practice_Expression_is_Always_True: categories: 
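Review bot: Lua_Best_Coding_Practice_Empty_Methods (second hunk on this line) is flagged `recommended: true`, and the same flag is added in the following hunks to ObjectiveC_Best_Coding_Practice_Dead_Code, Empty_Methods and Expression_is_Always_False; these are lint-style maintainability rules with no security consequence on their own, as their Best_Coding_Practice prefix indicates. If the recommended set is meant to be the security baseline a team turns on by default, these four additions will generate findings that have to be triaged and suppressed rather than fixed. Dynamic_SQL_Queries in the fourth hunk on this line is the one Best_Coding_Practice rule here that does warrant the flag; suggest removing the added line from the other four, or documenting why quality rules are included, e.g. `# quality rule, no direct security impact — recommended for hygiene only`.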
@@ -35179,6 +38004,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Best_Coding_Practice_Expression_is_Always_True pretty_name: Expression is Always True - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Best_Coding_Practice_Missing_Colon_In_Selector: categories: @@ -35192,6 +38018,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Best_Coding_Practice_Missing_Colon_In_Selector pretty_name: Missing Colon In Selector - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_High_Risk_App_Transport_Security_Bypass: categories: @@ -35206,6 +38033,7 @@ rules: group: top10-security-misconfiguration name: ObjectiveC_High_Risk_App_Transport_Security_Bypass pretty_name: App Transport Security Bypass - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_High_Risk_Deserialization_of_Untrusted_Data: categories: @@ -35221,6 +38049,7 @@ rules: group: top10-software-data-integrity-failures name: ObjectiveC_High_Risk_Deserialization_of_Untrusted_Data pretty_name: Deserialization of Untrusted Data - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_High_Risk_Information_Exposure_Through_Extension: categories: @@ -35235,6 +38064,7 @@ rules: group: top10-broken-access-control name: ObjectiveC_High_Risk_Information_Exposure_Through_Extension pretty_name: Information Exposure Through Extension - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_High_Risk_Reflected_XSS_All_Clients: categories: 
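Review bot: ObjectiveC_Best_Coding_Practice_Expression_is_Always_True and Missing_Colon_In_Selector (first two hunks on this line) get `recommended: true` although neither describes a security weakness; the second is essentially a syntax lint. Recommending them puts pure code-quality output in the same default bucket as the App Transport Security bypass and deserialization rules that follow on this line, which makes the recommended set harder to justify as a security baseline. Suggest dropping the added line for these two rules, or marking them explicitly: `# lint-level rule, included for hygiene rather than security`.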
@@ -35251,6 +38081,7 @@ rules: group: top10-injection name: ObjectiveC_High_Risk_Reflected_XSS_All_Clients pretty_name: Reflected XSS All Clients - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_High_Risk_SQL_Injection: categories: @@ -35268,6 +38099,7 @@ rules: group: top10-injection name: ObjectiveC_High_Risk_SQL_Injection pretty_name: SQL Injection - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_High_Risk_Second_Order_SQL_Injection: categories: @@ -35285,6 +38117,7 @@ rules: group: top10-injection name: ObjectiveC_High_Risk_Second_Order_SQL_Injection pretty_name: Second Order SQL Injection - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_High_Risk_Stored_XSS: categories: @@ -35301,6 +38134,7 @@ rules: group: top10-injection name: ObjectiveC_High_Risk_Stored_XSS pretty_name: Stored XSS - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_High_Risk_Third_Party_Keyboards_On_Sensitive_Field: categories: @@ -35315,6 +38149,7 @@ rules: group: top10-software-data-integrity-failures name: ObjectiveC_High_Risk_Third_Party_Keyboards_On_Sensitive_Field pretty_name: Third Party Keyboards On Sensitive Field - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_High_Risk_Universal_XSS: categories: @@ -35331,6 +38166,7 @@ rules: group: top10-injection name: ObjectiveC_High_Risk_Universal_XSS pretty_name: Universal XSS - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_High_Risk_Unsafe_Reflection: categories: 
@@ -35346,6 +38182,7 @@ rules: group: top10-injection name: ObjectiveC_High_Risk_Unsafe_Reflection pretty_name: Unsafe Reflection - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Allowed_Backup: categories: @@ -35359,6 +38196,7 @@ rules: group: top10-broken-access-control name: ObjectiveC_Low_Visibility_Allowed_Backup pretty_name: Allowed Backup - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Empty_Password: categories: @@ -35372,6 +38210,7 @@ rules: group: top10-id-authn-failures name: ObjectiveC_Low_Visibility_Empty_Password pretty_name: Empty Password - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Functions_Apple_Recommends_To_Avoid: categories: @@ -35385,6 +38224,7 @@ rules: group: top10-vulnerable-components name: ObjectiveC_Low_Visibility_Functions_Apple_Recommends_To_Avoid pretty_name: Functions Apple Recommends To Avoid - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Heap_Inspection: categories: @@ -35399,6 +38239,7 @@ rules: group: top10-broken-access-control name: ObjectiveC_Low_Visibility_Heap_Inspection pretty_name: Heap Inspection - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Improper_Resource_Shutdown_or_Release: categories: @@ -35412,6 +38253,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Low_Visibility_Improper_Resource_Shutdown_or_Release pretty_name: Improper Resource Shutdown or Release - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Incorrect_Initialization: categories: 
@@ -35425,6 +38267,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Low_Visibility_Incorrect_Initialization pretty_name: Incorrect Initialization - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Information_Exposure_Through_an_Error_Message: categories: @@ -35438,6 +38281,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Low_Visibility_Information_Exposure_Through_an_Error_Message pretty_name: Information Exposure Through an Error Message - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Information_Leak_Through_Response_Caching: categories: @@ -35451,6 +38295,7 @@ rules: group: top10-broken-access-control name: ObjectiveC_Low_Visibility_Information_Leak_Through_Response_Caching pretty_name: Information Leak Through Response Caching - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Insufficient_Encryption_Key_Size: categories: @@ -35465,6 +38310,7 @@ rules: group: top10-crypto-failures name: ObjectiveC_Low_Visibility_Insufficient_Encryption_Key_Size pretty_name: Insufficient Encryption Key Size - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Log_Forging: categories: @@ -35477,6 +38323,7 @@ rules: group: top10-security-logging-monitoring-failures name: ObjectiveC_Low_Visibility_Log_Forging pretty_name: Log Forging - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Memory_Leak: categories: 
@@ -35490,6 +38337,7 @@ rules: group: top10-broken-access-control name: ObjectiveC_Low_Visibility_Memory_Leak pretty_name: Memory Leak - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Missing_Certificate_Pinning: categories: @@ -35502,6 +38350,7 @@ rules: group: top10-id-authn-failures name: ObjectiveC_Low_Visibility_Missing_Certificate_Pinning pretty_name: Missing Certificate Pinning - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Missing_Device_Lock_Verification: categories: @@ -35515,6 +38364,7 @@ rules: group: top10-software-data-integrity-failures name: ObjectiveC_Low_Visibility_Missing_Device_Lock_Verification pretty_name: Missing Device Lock Verification - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Missing_Jailbreak_Check: categories: @@ -35528,6 +38378,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Low_Visibility_Missing_Jailbreak_Check pretty_name: Missing Jailbreak Check - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Null_Password: categories: @@ -35541,6 +38392,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Low_Visibility_Null_Password pretty_name: Null Password - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Password_In_Comment: categories: @@ -35556,6 +38408,7 @@ rules: group: top10-id-authn-failures name: ObjectiveC_Low_Visibility_Password_In_Comment pretty_name: Password In Comment - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Plain_Text_Transport_Layer: categories: 
@@ -35569,6 +38422,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Low_Visibility_Plain_Text_Transport_Layer pretty_name: Plain Text Transport Layer - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Poor_Authorization_and_Authentication: categories: @@ -35583,6 +38437,7 @@ rules: group: top10-id-authn-failures name: ObjectiveC_Low_Visibility_Poor_Authorization_and_Authentication pretty_name: Poor Authorization and Authentication - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Potential_ReDoS: categories: @@ -35598,6 +38453,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Low_Visibility_Potential_ReDoS pretty_name: Potential ReDoS - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Sensitive_Data_In_Temp_Folders: categories: @@ -35611,6 +38467,7 @@ rules: group: top10-broken-access-control name: ObjectiveC_Low_Visibility_Sensitive_Data_In_Temp_Folders pretty_name: Sensitive Data In Temp Folders - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Third_Party_Keyboard_Enabled: categories: @@ -35624,6 +38481,7 @@ rules: group: top10-software-data-integrity-failures name: ObjectiveC_Low_Visibility_Third_Party_Keyboard_Enabled pretty_name: Third Party Keyboard Enabled - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Unchecked_Return_Value: categories: 
@@ -35637,6 +38495,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Low_Visibility_Unchecked_Return_Value pretty_name: Unchecked Return Value - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm: categories: @@ -35649,6 +38508,7 @@ rules: group: top10-crypto-failures name: ObjectiveC_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm pretty_name: Use of Broken or Risky Cryptographic Algorithm - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Use_of_Hardcoded_Cryptographic_Key: categories: @@ -35662,6 +38522,7 @@ rules: group: top10-crypto-failures name: ObjectiveC_Low_Visibility_Use_of_Hardcoded_Cryptographic_Key pretty_name: Use of Hardcoded Cryptographic Key - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Use_of_Hardcoded_Password: categories: @@ -35675,6 +38536,7 @@ rules: group: top10-id-authn-failures name: ObjectiveC_Low_Visibility_Use_of_Hardcoded_Password pretty_name: Use of Hardcoded Password - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Use_of_Insufficiently_Random_Values: categories: @@ -35688,6 +38550,7 @@ rules: group: top10-crypto-failures name: ObjectiveC_Low_Visibility_Use_of_Insufficiently_Random_Values pretty_name: Use of Insufficiently Random Values - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_Use_of_Obsolete_Functions: categories: 
@@ -35701,6 +38564,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Low_Visibility_Use_of_Obsolete_Functions pretty_name: Use of Obsolete Functions - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Low_Visibility_iOS_Improper_Resource_Release_Shutdown: categories: @@ -35714,6 +38578,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Low_Visibility_iOS_Improper_Resource_Release_Shutdown pretty_name: iOS Improper Resource Release Shutdown - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Medium_Threat_Autocorrection_Keystroke_Logging: categories: @@ -35729,6 +38594,7 @@ rules: group: top10-broken-access-control name: ObjectiveC_Medium_Threat_Autocorrection_Keystroke_Logging pretty_name: Autocorrection Keystroke Logging - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Medium_Threat_Cut_And_Paste_Leakage: categories: @@ -35742,6 +38608,7 @@ rules: group: top10-broken-access-control name: ObjectiveC_Medium_Threat_Cut_And_Paste_Leakage pretty_name: Cut And Paste Leakage - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Medium_Threat_Format_String_Attack: categories: @@ -35755,6 +38622,7 @@ rules: group: top10-injection name: ObjectiveC_Medium_Threat_Format_String_Attack pretty_name: Format String Attack - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Medium_Threat_Improper_Certificate_Validation: categories: 
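Review bot: ObjectiveC_Low_Visibility_iOS_Improper_Resource_Release_Shutdown (second hunk on this line) is now recommended, and so is ObjectiveC_Low_Visibility_Improper_Resource_Shutdown_or_Release earlier in this file section; from the names these look like two rules for the same defect class, so enabling both by default is likely to produce duplicate findings for a single leak site. That overlap is an inference from the rule names only — the Checkmarx definitions are not visible here — so it should be confirmed against the scanner before deciding. If they are duplicates, keep the flag on one and add a pointer on the other, e.g. `# overlaps ObjectiveC_Low_Visibility_Improper_Resource_Shutdown_or_Release; not recommended to avoid double reporting`.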
@@ -35767,6 +38635,7 @@ rules: group: top10-id-authn-failures name: ObjectiveC_Medium_Threat_Improper_Certificate_Validation pretty_name: Improper Certificate Validation - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Medium_Threat_Information_Exposure_Through_Query_String: categories: @@ -35780,6 +38649,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Medium_Threat_Information_Exposure_Through_Query_String pretty_name: Information Exposure Through Query String - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Medium_Threat_Insecure_Data_Storage: categories: @@ -35793,6 +38663,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Medium_Threat_Insecure_Data_Storage pretty_name: Insecure Data Storage - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Medium_Threat_Insufficient_Transport_Layer_Input: categories: @@ -35806,6 +38677,7 @@ rules: group: top10-security-misconfiguration name: ObjectiveC_Medium_Threat_Insufficient_Transport_Layer_Input pretty_name: Insufficient Transport Layer Input - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Medium_Threat_Insufficient_Transport_Layer_Output: categories: @@ -35819,6 +38691,7 @@ rules: group: top10-security-misconfiguration name: ObjectiveC_Medium_Threat_Insufficient_Transport_Layer_Output pretty_name: Insufficient Transport Layer Output - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Medium_Threat_Missing_Encryption_of_Sensitive_Data: categories: 
@@ -35832,6 +38705,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Medium_Threat_Missing_Encryption_of_Sensitive_Data pretty_name: Missing Encryption of Sensitive Data - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Medium_Threat_Parameter_Tampering: categories: @@ -35846,6 +38720,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Medium_Threat_Parameter_Tampering pretty_name: Parameter Tampering - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Medium_Threat_Path_Traversal: categories: @@ -35863,6 +38738,7 @@ rules: group: top10-broken-access-control name: ObjectiveC_Medium_Threat_Path_Traversal pretty_name: Path Traversal - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Medium_Threat_ReDoS: categories: @@ -35877,6 +38753,7 @@ rules: group: top10-insecure-design name: ObjectiveC_Medium_Threat_ReDoS pretty_name: ReDoS - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Medium_Threat_Screen_Caching: categories: @@ -35890,6 +38767,7 @@ rules: group: top10-broken-access-control name: ObjectiveC_Medium_Threat_Screen_Caching pretty_name: Screen Caching - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Medium_Threat_Side_Channel_Data_Leakage: categories: @@ -35903,6 +38781,7 @@ rules: group: top10-broken-access-control name: ObjectiveC_Medium_Threat_Side_Channel_Data_Leakage pretty_name: Side Channel Data Leakage - ObjectiveC + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Medium_Threat_XML_External_Entity: categories: 
@@ -35917,6 +38796,7 @@ rules:
     group: top10-security-misconfiguration
     name: ObjectiveC_Medium_Threat_XML_External_Entity
     pretty_name: XML External Entity - ObjectiveC
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_High_Risk_Code_Injection:
     categories:
@@ -35934,6 +38814,7 @@ rules:
     group: top10-injection
     name: PHP_High_Risk_Code_Injection
     pretty_name: Code Injection - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_High_Risk_Command_Injection:
     categories:
@@ -35951,6 +38832,7 @@ rules:
     group: top10-injection
     name: PHP_High_Risk_Command_Injection
     pretty_name: Command Injection - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_High_Risk_File_Disclosure:
     categories:
@@ -35966,6 +38848,7 @@ rules:
     group: top10-broken-access-control
     name: PHP_High_Risk_File_Disclosure
     pretty_name: File Disclosure - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_High_Risk_File_Inclusion:
     categories:
@@ -35981,6 +38864,7 @@ rules:
     group: top10-injection
     name: PHP_High_Risk_File_Inclusion
     pretty_name: File Inclusion - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_High_Risk_File_Manipulation:
     categories:
@@ -35995,6 +38879,7 @@ rules:
     group: top10-broken-access-control
     name: PHP_High_Risk_File_Manipulation
     pretty_name: File Manipulation - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_High_Risk_LDAP_Injection:
     categories:
@@ -36011,6 +38896,7 @@ rules:
     group: top10-injection
     name: PHP_High_Risk_LDAP_Injection
     pretty_name: LDAP Injection - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_High_Risk_Reflected_XSS_All_Clients:
     categories:
@@ -36027,6 +38913,7 @@ rules:
     group: top10-injection
     name: PHP_High_Risk_Reflected_XSS_All_Clients
     pretty_name: Reflected XSS All Clients - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_High_Risk_Reflection_Injection:
     categories:
@@ -36042,6 +38929,7 @@ rules:
     group: top10-injection
     name: PHP_High_Risk_Reflection_Injection
     pretty_name: Reflection Injection - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_High_Risk_Remote_File_Inclusion:
     categories:
@@ -36056,6 +38944,7 @@ rules:
     group: top10-software-data-integrity-failures
     name: PHP_High_Risk_Remote_File_Inclusion
     pretty_name: Remote File Inclusion - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_High_Risk_SQL_Injection:
     categories:
@@ -36073,6 +38962,7 @@ rules:
     group: top10-injection
     name: PHP_High_Risk_SQL_Injection
     pretty_name: SQL Injection - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_High_Risk_Second_Order_SQL_Injection:
     categories:
@@ -36090,6 +38980,7 @@ rules:
     group: top10-injection
     name: PHP_High_Risk_Second_Order_SQL_Injection
     pretty_name: Second Order SQL Injection - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_High_Risk_Stored_XSS:
     categories:
@@ -36106,6 +38997,7 @@ rules:
     group: top10-injection
     name: PHP_High_Risk_Stored_XSS
     pretty_name: Stored XSS - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_High_Risk_XPath_Injection:
     categories:
@@ -36122,6 +39014,7 @@ rules:
     group: top10-injection
     name: PHP_High_Risk_XPath_Injection
     pretty_name: XPath Injection - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_CSRF:
     categories:
@@ -36137,6 +39030,7 @@ rules:
     group: top10-injection
     name: PHP_Medium_Threat_CSRF
     pretty_name: CSRF - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_DB_Parameter_Tampering:
     categories:
@@ -36150,6 +39044,7 @@ rules:
     group: top10-broken-access-control
     name: PHP_Medium_Threat_DB_Parameter_Tampering
     pretty_name: DB Parameter Tampering - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Deserialization_of_Untrusted_Data:
     categories:
@@ -36164,6 +39059,7 @@ rules:
     group: top10-software-data-integrity-failures
     name: PHP_Medium_Threat_Deserialization_of_Untrusted_Data
     pretty_name: Deserialization of Untrusted Data - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_DoS_by_Sleep:
     categories:
@@ -36176,6 +39072,7 @@ rules:
     group: top10-insecure-design
     name: PHP_Medium_Threat_DoS_by_Sleep
     pretty_name: DoS by Sleep - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_HTTP_Response_Splitting:
     categories:
@@ -36190,6 +39087,7 @@ rules:
     group: top10-injection
     name: PHP_Medium_Threat_HTTP_Response_Splitting
     pretty_name: HTTP Response Splitting - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Header_Injection:
     categories:
@@ -36204,6 +39102,7 @@ rules:
     group: top10-injection
     name: PHP_Medium_Threat_Header_Injection
     pretty_name: Header Injection - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_HttpOnlyCookies:
     categories:
@@ -36216,6 +39115,7 @@ rules:
     group: top10-security-misconfiguration
     name: PHP_Medium_Threat_HttpOnlyCookies
     pretty_name: HttpOnlyCookies - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Improper_Control_of_Dynamically_Identified_Variables:
     categories:
@@ -36229,6 +39129,7 @@ rules:
     group: top10-insecure-design
     name: PHP_Medium_Threat_Improper_Control_of_Dynamically_Identified_Variables
     pretty_name: Improper Control of Dynamically Identified Variables - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Improper_Neutralization_of_SQL_Command:
     categories:
@@ -36245,6 +39146,7 @@ rules:
     group: top10-injection
     name: PHP_Medium_Threat_Improper_Neutralization_of_SQL_Command
     pretty_name: Improper Neutralization of SQL Command - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Improper_Restriction_of_Stored_XXE_Ref:
     categories:
@@ -36259,6 +39161,7 @@ rules:
     group: top10-security-misconfiguration
     name: PHP_Medium_Threat_Improper_Restriction_of_Stored_XXE_Ref
     pretty_name: Improper Restriction of Stored XXE Ref - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Improper_Restriction_of_XXE_Ref:
     categories:
@@ -36273,6 +39176,7 @@ rules:
     group: top10-security-misconfiguration
     name: PHP_Medium_Threat_Improper_Restriction_of_XXE_Ref
     pretty_name: Improper Restriction of XXE Ref - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Inappropriate_Encoding_for_Output_Context:
     categories:
@@ -36287,6 +39191,7 @@ rules:
     group: top10-injection
     name: PHP_Medium_Threat_Inappropriate_Encoding_for_Output_Context
     pretty_name: Inappropriate Encoding for Output Context - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Insecure_Randomness:
     categories:
@@ -36300,6 +39205,7 @@ rules:
     group: top10-crypto-failures
     name: PHP_Medium_Threat_Insecure_Randomness
     pretty_name: Insecure Randomness - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Missing_HSTS_Header:
     categories:
@@ -36313,6 +39219,7 @@ rules:
     group: top10-id-authn-failures
     name: PHP_Medium_Threat_Missing_HSTS_Header
     pretty_name: Missing HSTS Header - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Object_Injection:
     categories:
@@ -36327,6 +39234,7 @@ rules:
     group: top10-software-data-integrity-failures
     name: PHP_Medium_Threat_Object_Injection
     pretty_name: Object Injection - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Open_Redirect:
     categories:
@@ -36341,6 +39249,7 @@ rules:
     group: top10-broken-access-control
     name: PHP_Medium_Threat_Open_Redirect
     pretty_name: Open Redirect - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Parameter_Tampering:
     categories:
@@ -36355,6 +39264,7 @@ rules:
     group: top10-insecure-design
     name: PHP_Medium_Threat_Parameter_Tampering
     pretty_name: Parameter Tampering - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Path_Traversal:
     categories:
@@ -36372,6 +39282,7 @@ rules:
     group: top10-broken-access-control
     name: PHP_Medium_Threat_Path_Traversal
     pretty_name: Path Traversal - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Privacy_Violation:
     categories:
@@ -36387,6 +39298,7 @@ rules:
     group: top10-broken-access-control
     name: PHP_Medium_Threat_Privacy_Violation
     pretty_name: Privacy Violation - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Reflected_File_Download:
     categories:
@@ -36400,6 +39312,7 @@ rules:
     group: top10-broken-access-control
     name: PHP_Medium_Threat_Reflected_File_Download
     pretty_name: Reflected File Download - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_SSL_Verification_Bypass:
     categories:
@@ -36414,6 +39327,7 @@ rules:
     group: top10-software-data-integrity-failures
     name: PHP_Medium_Threat_SSL_Verification_Bypass
     pretty_name: SSL Verification Bypass - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Session_Fixation:
     categories:
@@ -36428,6 +39342,7 @@ rules:
     group: top10-id-authn-failures
     name: PHP_Medium_Threat_Session_Fixation
     pretty_name: Session Fixation - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Stored_Code_Injection:
     categories:
@@ -36444,6 +39359,7 @@ rules:
     group: top10-injection
     name: PHP_Medium_Threat_Stored_Code_Injection
     pretty_name: Stored Code Injection - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Stored_Command_Injection:
     categories:
@@ -36460,6 +39376,7 @@ rules:
     group: top10-injection
     name: PHP_Medium_Threat_Stored_Command_Injection
     pretty_name: Stored Command Injection - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Stored_File_Inclusion:
     categories:
@@ -36474,6 +39391,7 @@ rules:
     group: top10-injection
     name: PHP_Medium_Threat_Stored_File_Inclusion
     pretty_name: Stored File Inclusion - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Stored_File_Manipulation:
     categories:
@@ -36487,6 +39405,7 @@ rules:
     group: top10-broken-access-control
     name: PHP_Medium_Threat_Stored_File_Manipulation
     pretty_name: Stored File Manipulation - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Stored_LDAP_Injection:
     categories:
@@ -36502,6 +39421,7 @@ rules:
     group: top10-injection
     name: PHP_Medium_Threat_Stored_LDAP_Injection
     pretty_name: Stored LDAP Injection - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Stored_Reflection_Injection:
     categories:
@@ -36516,6 +39436,7 @@ rules:
     group: top10-injection
     name: PHP_Medium_Threat_Stored_Reflection_Injection
     pretty_name: Stored Reflection Injection - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Stored_Remote_File_Inclusion:
     categories:
@@ -36530,6 +39451,7 @@ rules:
     group: top10-injection
     name: PHP_Medium_Threat_Stored_Remote_File_Inclusion
     pretty_name: Stored Remote File Inclusion - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Stored_XPath_Injection:
     categories:
@@ -36545,6 +39467,7 @@ rules:
     group: top10-injection
     name: PHP_Medium_Threat_Stored_XPath_Injection
     pretty_name: Stored XPath Injection - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PHP_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key:
     categories:
@@ -36558,6 +39481,7 @@ rules:
     group: top10-crypto-failures
     name: PHP_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key
     pretty_name: Use of Hard coded Cryptographic Key - PHP
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Best_Coding_Practice_Unchecked_Error_Condition:
     categories:
@@ -36570,6 +39494,7 @@ rules:
     group: top10-insecure-design
     name: PLSQL_Best_Coding_Practice_Unchecked_Error_Condition
     pretty_name: Unchecked Error Condition - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Best_Coding_Practice_Use_of_Potentially_Dangerous_Function:
     categories:
@@ -36584,6 +39509,7 @@ rules:
     group: top10-insecure-design
     name: PLSQL_Best_Coding_Practice_Use_of_Potentially_Dangerous_Function
     pretty_name: Use of Potentially Dangerous Function - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_High_Risk_Reflected_XSS_All_Clients:
     categories:
@@ -36600,6 +39526,7 @@ rules:
     group: top10-injection
     name: PLSQL_High_Risk_Reflected_XSS_All_Clients
     pretty_name: Reflected XSS All Clients - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_High_Risk_Resource_Injection:
     categories:
@@ -36615,6 +39542,7 @@ rules:
     group: top10-injection
     name: PLSQL_High_Risk_Resource_Injection
     pretty_name: Resource Injection - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_High_Risk_SQL_Injection:
     categories:
@@ -36632,6 +39560,7 @@ rules:
     group: top10-injection
     name: PLSQL_High_Risk_SQL_Injection
     pretty_name: SQL Injection - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_High_Risk_Second_Order_SQL_Injection:
     categories:
@@ -36649,6 +39578,7 @@ rules:
     group: top10-injection
     name: PLSQL_High_Risk_Second_Order_SQL_Injection
     pretty_name: Second Order SQL Injection - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_High_Risk_Stored_XSS:
     categories:
@@ -36665,6 +39595,7 @@ rules:
     group: top10-injection
     name: PLSQL_High_Risk_Stored_XSS
     pretty_name: Stored XSS - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Low_Visibility_Authorization_Bypass_Through_User_Controlled_SQL_PrimaryKey:
     categories:
@@ -36679,6 +39610,7 @@ rules:
     group: top10-broken-access-control
     name: PLSQL_Low_Visibility_Authorization_Bypass_Through_User_Controlled_SQL_PrimaryKey
     pretty_name: Authorization Bypass Through User Controlled SQL PrimaryKey - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Low_Visibility_Default_Definer_Rights_in_Method_Definition:
     categories:
@@ -36693,6 +39625,7 @@ rules:
     group: top10-insecure-design
     name: PLSQL_Low_Visibility_Default_Definer_Rights_in_Method_Definition
     pretty_name: Default Definer Rights in Method Definition - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Low_Visibility_Exposure_of_System_Data:
     categories:
@@ -36707,6 +39640,7 @@ rules:
     group: top10-broken-access-control
     name: PLSQL_Low_Visibility_Exposure_of_System_Data
     pretty_name: Exposure of System Data - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Low_Visibility_Improper_Resource_Shutdown_or_Release:
     categories:
@@ -36720,6 +39654,7 @@ rules:
     group: top10-insecure-design
     name: PLSQL_Low_Visibility_Improper_Resource_Shutdown_or_Release
     pretty_name: Improper Resource Shutdown or Release - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Low_Visibility_Reversible_One_Way_Hash:
     categories:
@@ -36736,6 +39671,7 @@ rules:
     group: top10-crypto-failures
     name: PLSQL_Low_Visibility_Reversible_One_Way_Hash
     pretty_name: Reversible One Way Hash - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables:
     categories:
@@ -36749,6 +39685,7 @@ rules:
     group: top10-insecure-design
     name: PLSQL_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables
     pretty_name: Trust Boundary Violation in Session Variables - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Low_Visibility_Use_Of_Broken_Or_Risky_Cryptographic_Algorithm:
     categories:
@@ -36761,6 +39698,7 @@ rules:
     group: top10-crypto-failures
     name: PLSQL_Low_Visibility_Use_Of_Broken_Or_Risky_Cryptographic_Algorithm
     pretty_name: Use Of Broken Or Risky Cryptographic Algorithm - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Low_Visibility_Use_Of_Hardcoded_Password:
     categories:
@@ -36774,6 +39712,7 @@ rules:
     group: top10-id-authn-failures
     name: PLSQL_Low_Visibility_Use_Of_Hardcoded_Password
     pretty_name: Use Of Hardcoded Password - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Medium_Threat_Dangling_Database_Cursor:
     categories:
@@ -36788,6 +39727,7 @@ rules:
     group: top10-injection
     name: PLSQL_Medium_Threat_Dangling_Database_Cursor
     pretty_name: Dangling Database Cursor - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Medium_Threat_Default_Definer_Rights_in_Package_or_Object_Definition:
     categories:
@@ -36802,6 +39742,7 @@ rules:
     group: top10-insecure-design
     name: PLSQL_Medium_Threat_Default_Definer_Rights_in_Package_or_Object_Definition
     pretty_name: Default Definer Rights in Package or Object Definition - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Medium_Threat_DoS_By_Sleep:
     categories:
@@ -36814,6 +39755,7 @@ rules:
     group: top10-insecure-design
     name: PLSQL_Medium_Threat_DoS_By_Sleep
     pretty_name: DoS By Sleep - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Medium_Threat_HTTP_Response_Splitting:
     categories:
@@ -36828,6 +39770,7 @@ rules:
     group: top10-injection
     name: PLSQL_Medium_Threat_HTTP_Response_Splitting
     pretty_name: HTTP Response Splitting - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Medium_Threat_Improper_Privilege_Management:
     categories:
@@ -36841,6 +39784,7 @@ rules:
     group: top10-insecure-design
     name: PLSQL_Medium_Threat_Improper_Privilege_Management
     pretty_name: Improper Privilege Management - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Medium_Threat_Open_Redirect:
     categories:
@@ -36855,6 +39799,7 @@ rules:
     group: top10-broken-access-control
     name: PLSQL_Medium_Threat_Open_Redirect
     pretty_name: Open Redirect - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Medium_Threat_Parameter_Tampering:
     categories:
@@ -36869,6 +39814,7 @@ rules:
     group: top10-insecure-design
     name: PLSQL_Medium_Threat_Parameter_Tampering
     pretty_name: Parameter Tampering - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Medium_Threat_Plaintext_Storage_of_a_Password:
     categories:
@@ -36881,6 +39827,7 @@ rules:
     group: top10-insecure-design
     name: PLSQL_Medium_Threat_Plaintext_Storage_of_a_Password
     pretty_name: Plaintext Storage of a Password - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Medium_Threat_Privacy_Violation:
     categories:
@@ -36896,6 +39843,7 @@ rules:
     group: top10-broken-access-control
     name: PLSQL_Medium_Threat_Privacy_Violation
     pretty_name: Privacy Violation - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   PLSQL_Medium_Threat_Use_of_Insufficiently_Random_Values:
     categories:
@@ -36909,6 +39857,7 @@ rules:
     group: top10-crypto-failures
     name: PLSQL_Medium_Threat_Use_of_Insufficiently_Random_Values
     pretty_name: Use of Insufficiently Random Values - PLSQL
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Best_Coding_Practice_Empty_Methods:
     categories:
@@ -36921,6 +39870,7 @@ rules:
     group: top10-insecure-design
     name: Perl_Best_Coding_Practice_Empty_Methods
     pretty_name: Empty Methods - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Best_Coding_Practice_Hardcoded_Absolute_Path:
     categories:
@@ -36935,6 +39885,7 @@ rules:
     group: top10-software-data-integrity-failures
     name: Perl_Best_Coding_Practice_Hardcoded_Absolute_Path
     pretty_name: Hardcoded Absolute Path - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Best_Coding_Practice_Prepending_Leading_Zeroes_To_Integer_Literals:
     categories:
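Review bot: `recommended: true` is applied uniformly, so code-style checks such as `Perl_Best_Coding_Practice_Empty_Methods` in this hunk, and `Perl_Best_Coding_Practice_Prepending_Leading_Zeroes_To_Integer_Literals`, `Perl_Best_Coding_Practice_Reusing_Variable_Names_In_Subscopes`, `Perl_Best_Coding_Practice_Using_Perl4_Package_Names` and the `Php_Best_Coding_Practice_*` generic-exception rules in the following hunks, carry the same flag as the High_Risk injection rules. The diff does not show what consumes `recommended`, but if it drives a default-on rule set, as the name suggests, these entries would presumably surface non-security findings to every consumer and dilute the signal of the rules that map to exploitable defects; a narrower selection, or a one-line comment above the first such rule stating the criterion used (e.g. `# recommended: all Checkmarx rules are enabled by default; prune per-rule if a check proves noisy`), would make the intent reviewable. The same applies to the Low_Visibility rules in the earlier PLSQL hunks. The enclosing `rules:` mapping begins and ends outside these hunks.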
@@ -36949,6 +39900,7 @@ rules:
     group: top10-insecure-design
     name: Perl_Best_Coding_Practice_Prepending_Leading_Zeroes_To_Integer_Literals
     pretty_name: Prepending Leading Zeroes To Integer Literals - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Best_Coding_Practice_Reusing_Variable_Names_In_Subscopes:
     categories:
@@ -36961,6 +39913,7 @@ rules:
     group: top10-insecure-design
     name: Perl_Best_Coding_Practice_Reusing_Variable_Names_In_Subscopes
     pretty_name: Reusing Variable Names In Subscopes - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Best_Coding_Practice_Using_Perl4_Package_Names:
     categories:
@@ -36974,6 +39927,7 @@ rules:
     group: top10-insecure-design
     name: Perl_Best_Coding_Practice_Using_Perl4_Package_Names
     pretty_name: Using Perl4 Package Names - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Best_Coding_Practice_Using_Subroutine_Prototypes:
     categories:
@@ -36988,6 +39942,7 @@ rules:
     group: top10-insecure-design
     name: Perl_Best_Coding_Practice_Using_Subroutine_Prototypes
     pretty_name: Using Subroutine Prototypes - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_High_Risk_Code_Injection:
     categories:
@@ -37005,6 +39960,7 @@ rules:
     group: top10-injection
     name: Perl_High_Risk_Code_Injection
     pretty_name: Code Injection - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_High_Risk_Command_Injection:
     categories:
@@ -37022,6 +39978,7 @@ rules:
     group: top10-injection
     name: Perl_High_Risk_Command_Injection
     pretty_name: Command Injection - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_High_Risk_Connection_String_Injection:
     categories:
@@ -37037,6 +39994,7 @@ rules:
     group: top10-injection
     name: Perl_High_Risk_Connection_String_Injection
     pretty_name: Connection String Injection - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_High_Risk_LDAP_Injection:
     categories:
@@ -37053,6 +40011,7 @@ rules:
     group: top10-injection
     name: Perl_High_Risk_LDAP_Injection
     pretty_name: LDAP Injection - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_High_Risk_Reflected_XSS_All_Clients:
     categories:
@@ -37069,6 +40028,7 @@ rules:
     group: top10-injection
     name: Perl_High_Risk_Reflected_XSS_All_Clients
     pretty_name: Reflected XSS All Clients - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_High_Risk_Remote_File_Inclusion:
     categories:
@@ -37083,6 +40043,7 @@ rules:
     group: top10-software-data-integrity-failures
     name: Perl_High_Risk_Remote_File_Inclusion
     pretty_name: Remote File Inclusion - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_High_Risk_Resource_Injection:
     categories:
@@ -37098,6 +40059,7 @@ rules:
     group: top10-injection
     name: Perl_High_Risk_Resource_Injection
     pretty_name: Resource Injection - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_High_Risk_SQL_Injection:
     categories:
@@ -37115,6 +40077,7 @@ rules:
     group: top10-injection
     name: Perl_High_Risk_SQL_Injection
     pretty_name: SQL Injection - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_High_Risk_Second_Order_SQL_Injection:
     categories:
@@ -37132,6 +40095,7 @@ rules:
     group: top10-injection
     name: Perl_High_Risk_Second_Order_SQL_Injection
     pretty_name: Second Order SQL Injection - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_High_Risk_Stored_XSS:
     categories:
@@ -37148,6 +40112,7 @@ rules:
     group: top10-injection
     name: Perl_High_Risk_Stored_XSS
     pretty_name: Stored XSS - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Low_Visibility_Import_of_Deprecated_Modules:
     categories:
@@ -37161,6 +40126,7 @@ rules:
     group: top10-insecure-design
     name: Perl_Low_Visibility_Import_of_Deprecated_Modules
     pretty_name: Import of Deprecated Modules - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Low_Visibility_Improper_Filtering_of_Special_Elements:
     categories:
@@ -37175,6 +40141,7 @@ rules:
     group: top10-insecure-design
     name: Perl_Low_Visibility_Improper_Filtering_of_Special_Elements
     pretty_name: Improper Filtering of Special Elements - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Low_Visibility_Information_Exposure_Through_an_Error_Message:
     categories:
@@ -37188,6 +40155,7 @@ rules:
     group: top10-insecure-design
     name: Perl_Low_Visibility_Information_Exposure_Through_an_Error_Message
     pretty_name: Information Exposure Through an Error Message - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Low_Visibility_Log_Forging:
     categories:
@@ -37200,6 +40168,7 @@ rules:
     group: top10-security-logging-monitoring-failures
     name: Perl_Low_Visibility_Log_Forging
     pretty_name: Log Forging - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Low_Visibility_Not_Checking_Regular_Expressions_Results:
     categories:
@@ -37213,6 +40182,7 @@ rules:
     group: top10-insecure-design
     name: Perl_Low_Visibility_Not_Checking_Regular_Expressions_Results
     pretty_name: Not Checking Regular Expressions Results - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Low_Visibility_Overloading_Reserved_Keywords_or_Subroutines:
     categories:
@@ -37225,6 +40195,7 @@ rules:
     group: top10-insecure-design
     name: Perl_Low_Visibility_Overloading_Reserved_Keywords_or_Subroutines
     pretty_name: Overloading Reserved Keywords or Subroutines - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Low_Visibility_Permissive_Regular_Expression:
     categories:
@@ -37238,6 +40209,7 @@ rules:
     group: top10-insecure-design
     name: Perl_Low_Visibility_Permissive_Regular_Expression
     pretty_name: Permissive Regular Expression - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Low_Visibility_Prohibit_Indirect_Object_Call_Syntax:
     categories:
@@ -37252,6 +40224,7 @@ rules:
     group: top10-insecure-design
     name: Perl_Low_Visibility_Prohibit_Indirect_Object_Call_Syntax
     pretty_name: Prohibit Indirect Object Call Syntax - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Low_Visibility_Signifying_Inheritence_At_Runtime:
     categories:
@@ -37264,6 +40237,7 @@ rules:
     group: top10-insecure-design
     name: Perl_Low_Visibility_Signifying_Inheritence_At_Runtime
     pretty_name: Signifying Inheritence At Runtime - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Low_Visibility_Unchecked_Return_Value:
     categories:
@@ -37277,6 +40251,7 @@ rules:
     group: top10-insecure-design
     name: Perl_Low_Visibility_Unchecked_Return_Value
     pretty_name: Unchecked Return Value - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm:
     categories:
@@ -37289,6 +40264,7 @@ rules:
     group: top10-crypto-failures
     name: Perl_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm
     pretty_name: Use of Broken or Risky Cryptographic Algorithm - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Low_Visibility_Use_of_Deprecated_or_Obsolete_Functions:
     categories:
@@ -37302,6 +40278,7 @@ rules:
     group: top10-insecure-design
     name: Perl_Low_Visibility_Use_of_Deprecated_or_Obsolete_Functions
     pretty_name: Use of Deprecated or Obsolete Functions - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Low_Visibility_Variables_Outside_The_Scope_of_a_Regex:
     categories:
@@ -37314,6 +40291,7 @@ rules:
     group: top10-insecure-design
     name: Perl_Low_Visibility_Variables_Outside_The_Scope_of_a_Regex
     pretty_name: Variables Outside The Scope of a Regex - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Medium_Threat_CSRF:
     categories:
@@ -37329,6 +40307,7 @@ rules:
     group: top10-injection
     name: Perl_Medium_Threat_CSRF
     pretty_name: CSRF - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Medium_Threat_DoS_by_Sleep:
     categories:
@@ -37341,6 +40320,7 @@ rules:
     group: top10-insecure-design
     name: Perl_Medium_Threat_DoS_by_Sleep
     pretty_name: DoS by Sleep - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Medium_Threat_Improper_Restriction_of_XXE_Ref:
     categories:
@@ -37355,6 +40335,7 @@ rules:
     group: top10-security-misconfiguration
     name: Perl_Medium_Threat_Improper_Restriction_of_XXE_Ref
     pretty_name: Improper Restriction of XXE Ref - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Medium_Threat_Missing_Encryption_of_Sensitive_Data:
     categories:
@@ -37368,6 +40349,7 @@ rules:
     group: top10-insecure-design
     name: Perl_Medium_Threat_Missing_Encryption_of_Sensitive_Data
     pretty_name: Missing Encryption of Sensitive Data - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Medium_Threat_Parameter_Tampering:
     categories:
@@ -37382,6 +40364,7 @@ rules:
     group: top10-insecure-design
     name: Perl_Medium_Threat_Parameter_Tampering
     pretty_name: Parameter Tampering - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Medium_Threat_Path_Traversal:
     categories:
@@ -37399,6 +40382,7 @@ rules:
     group: top10-broken-access-control
     name: Perl_Medium_Threat_Path_Traversal
     pretty_name: Path Traversal - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Medium_Threat_Privacy_Violation:
     categories:
@@ -37414,6 +40398,7 @@ rules:
     group: top10-broken-access-control
     name: Perl_Medium_Threat_Privacy_Violation
     pretty_name: Privacy Violation - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Medium_Threat_Stored_Code_Injection:
     categories:
@@ -37430,6 +40415,7 @@ rules:
     group: top10-injection
     name: Perl_Medium_Threat_Stored_Code_Injection
     pretty_name: Stored Code Injection - Perl
+    recommended: true
     ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
   Perl_Medium_Threat_Stored_Command_Injection:
     categories:
@@ -37446,6 +40432,7 @@ rules: group: top10-injection name: Perl_Medium_Threat_Stored_Command_Injection pretty_name: Stored Command Injection - Perl + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Perl_Medium_Threat_Stored_LDAP_Injection: categories: @@ -37461,6 +40448,7 @@ rules: group: top10-injection name: Perl_Medium_Threat_Stored_LDAP_Injection pretty_name: Stored LDAP Injection - Perl + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Perl_Medium_Threat_Stored_Path_Traversal: categories: @@ -37478,6 +40466,7 @@ rules: group: top10-broken-access-control name: Perl_Medium_Threat_Stored_Path_Traversal pretty_name: Stored Path Traversal - Perl + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Perl_Medium_Threat_Uncontrolled_Format_String: categories: @@ -37491,6 +40480,7 @@ rules: group: top10-injection name: Perl_Medium_Threat_Uncontrolled_Format_String pretty_name: Uncontrolled Format String - Perl + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Perl_Medium_Threat_Uncontrolled_Memory_Allocation: categories: @@ -37505,6 +40495,7 @@ rules: group: top10-injection name: Perl_Medium_Threat_Uncontrolled_Memory_Allocation pretty_name: Uncontrolled Memory Allocation - Perl + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Perl_Medium_Threat_Unprotected_Transport_of_Credentials: categories: @@ -37518,6 +40509,7 @@ rules: group: top10-crypto-failures name: Perl_Medium_Threat_Unprotected_Transport_of_Credentials pretty_name: Unprotected Transport of Credentials - Perl + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Perl_Medium_Threat_Use_Of_Hardcoded_Password: categories: 
@@ -37531,6 +40523,7 @@ rules: group: top10-id-authn-failures name: Perl_Medium_Threat_Use_Of_Hardcoded_Password pretty_name: Use Of Hardcoded Password - Perl + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Perl_Medium_Threat_Use_of_Two_Argument_Form_of_Open: categories: @@ -37547,6 +40540,7 @@ rules: group: top10-injection name: Perl_Medium_Threat_Use_of_Two_Argument_Form_of_Open pretty_name: Use of Two Argument Form of Open - Perl + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: categories: @@ -37560,6 +40554,7 @@ rules: group: top10-insecure-design name: Php_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception pretty_name: Declaration Of Catch For Generic Exception - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action: categories: @@ -37573,6 +40568,7 @@ rules: group: top10-insecure-design name: Php_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action pretty_name: Detection of Error Condition Without Action - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Dynamic_SQL_Queries: categories: @@ -37589,6 +40585,7 @@ rules: group: top10-injection name: Php_Best_Coding_Practice_Dynamic_SQL_Queries pretty_name: Dynamic SQL Queries - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere: categories: 
@@ -37602,6 +40599,7 @@ rules: group: top10-insecure-design name: Php_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere pretty_name: Exposure of Resource to Wrong Sphere - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Hardcoded_Absolute_Path: categories: @@ -37616,6 +40614,7 @@ rules: group: top10-software-data-integrity-failures name: Php_Best_Coding_Practice_Hardcoded_Absolute_Path pretty_name: Hardcoded Absolute Path - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Possible_Global_Variable_Overwrite: categories: @@ -37628,6 +40627,7 @@ rules: group: top10-insecure-design name: Php_Best_Coding_Practice_Possible_Global_Variable_Overwrite pretty_name: Possible Global Variable Overwrite - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Unchecked_Error_Condition: categories: @@ -37640,6 +40640,7 @@ rules: group: top10-insecure-design name: Php_Best_Coding_Practice_Unchecked_Error_Condition pretty_name: Unchecked Error Condition - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Unclosed_Objects: categories: @@ -37653,6 +40654,7 @@ rules: group: top10-insecure-design name: Php_Best_Coding_Practice_Unclosed_Objects pretty_name: Unclosed Objects - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Use_Of_Namespace: categories: @@ -37665,6 +40667,7 @@ rules: group: top10-insecure-design name: Php_Best_Coding_Practice_Use_Of_Namespace pretty_name: Use Of Namespace - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Use_Of_Private_Static_Variable: categories: 
@@ -37677,6 +40680,7 @@ rules: group: top10-insecure-design name: Php_Best_Coding_Practice_Use_Of_Private_Static_Variable pretty_name: Use Of Private Static Variable - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Use_Of_Super_GLOBALS: categories: @@ -37690,6 +40694,7 @@ rules: group: top10-insecure-design name: Php_Best_Coding_Practice_Use_Of_Super_GLOBALS pretty_name: Use Of Super GLOBALS - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Low_Visibility_Blind_SQL_Injections: categories: @@ -37706,6 +40711,7 @@ rules: group: top10-injection name: Php_Low_Visibility_Blind_SQL_Injections pretty_name: Blind SQL Injections - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Low_Visibility_Cross_Site_History_Manipulation: categories: @@ -37721,6 +40727,7 @@ rules: group: top10-software-data-integrity-failures name: Php_Low_Visibility_Cross_Site_History_Manipulation pretty_name: Cross Site History Manipulation - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Low_Visibility_Deprecated_Functions: categories: @@ -37734,6 +40741,7 @@ rules: group: top10-insecure-design name: Php_Low_Visibility_Deprecated_Functions pretty_name: Deprecated Functions - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Low_Visibility_ESAPI_Same_Password_Repeats_Twice: categories: @@ -37747,6 +40755,7 @@ rules: group: top10-id-authn-failures name: Php_Low_Visibility_ESAPI_Same_Password_Repeats_Twice pretty_name: ESAPI Same Password Repeats Twice - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Low_Visibility_Improper_Exception_Handling: categories: 
@@ -37759,6 +40768,7 @@ rules: group: top10-insecure-design name: Php_Low_Visibility_Improper_Exception_Handling pretty_name: Improper Exception Handling - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Low_Visibility_Improper_Transaction_Handling: categories: @@ -37773,6 +40783,7 @@ rules: group: top10-insecure-design name: Php_Low_Visibility_Improper_Transaction_Handling pretty_name: Improper Transaction Handling - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Low_Visibility_Incorrect_Implementation_of_Authentication_Algorithm: categories: @@ -37786,6 +40797,7 @@ rules: group: top10-id-authn-failures name: Php_Low_Visibility_Incorrect_Implementation_of_Authentication_Algorithm pretty_name: Incorrect Implementation of Authentication Algorithm - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Low_Visibility_Information_Exposure_Through_an_Error_Message: categories: @@ -37799,6 +40811,7 @@ rules: group: top10-insecure-design name: Php_Low_Visibility_Information_Exposure_Through_an_Error_Message pretty_name: Information Exposure Through an Error Message - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Low_Visibility_Information_Leak_Through_Persistent_Cookies: categories: @@ -37812,6 +40825,7 @@ rules: group: top10-insecure-design name: Php_Low_Visibility_Information_Leak_Through_Persistent_Cookies pretty_name: Information Leak Through Persistent Cookies - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Low_Visibility_Insufficiently_Protected_Credentials: categories: 
@@ -37826,6 +40840,7 @@ rules: group: top10-insecure-design name: Php_Low_Visibility_Insufficiently_Protected_Credentials pretty_name: Insufficiently Protected Credentials - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Low_Visibility_Log_Forging: categories: @@ -37838,6 +40853,7 @@ rules: group: top10-security-logging-monitoring-failures name: Php_Low_Visibility_Log_Forging pretty_name: Log Forging - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Low_Visibility_Possible_Flow_Control: categories: @@ -37852,6 +40868,7 @@ rules: group: top10-injection name: Php_Low_Visibility_Possible_Flow_Control pretty_name: Possible Flow Control - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Low_Visibility_Reliance_on_Cookies_in_a_Decision: categories: @@ -37866,6 +40883,7 @@ rules: group: top10-software-data-integrity-failures name: Php_Low_Visibility_Reliance_on_Cookies_in_a_Decision pretty_name: Reliance on Cookies in a Decision - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision: categories: @@ -37880,6 +40898,7 @@ rules: group: top10-insecure-design name: Php_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision pretty_name: Reliance on DNS Lookups in a Decision - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables: categories: 
@@ -37893,6 +40912,7 @@ rules: group: top10-insecure-design name: Php_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables pretty_name: Trust Boundary Violation in Session Variables - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Low_Visibility_Unsafe_Use_Of_Target_Blank: categories: @@ -37908,6 +40928,7 @@ rules: group: top10-insecure-design name: Php_Low_Visibility_Unsafe_Use_Of_Target_Blank pretty_name: Unsafe Use Of Target Blank - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Low_Visibility_Use_Of_Hardcoded_Password: categories: @@ -37921,6 +40942,7 @@ rules: group: top10-id-authn-failures name: Php_Low_Visibility_Use_Of_Hardcoded_Password pretty_name: Use Of Hardcoded Password - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm: categories: @@ -37933,6 +40955,7 @@ rules: group: top10-crypto-failures name: Php_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm pretty_name: Use of Broken or Risky Cryptographic Algorithm - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Low_Visibility_XSS_Evasion_Attack: categories: @@ -37948,6 +40971,7 @@ rules: group: top10-injection name: Php_Low_Visibility_XSS_Evasion_Attack pretty_name: XSS Evasion Attack - Php + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_AWS_Lambda_AWS_Credentials_Leak: categories: @@ -37961,6 +40985,7 @@ rules: group: top10-broken-access-control name: Python_AWS_Lambda_AWS_Credentials_Leak pretty_name: AWS Credentials Leak - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_AWS_Lambda_DynamoDB_NoSQL_Injection: categories: 
@@ -37977,6 +41002,7 @@ rules: group: top10-injection name: Python_AWS_Lambda_DynamoDB_NoSQL_Injection pretty_name: DynamoDB NoSQL Injection - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_AWS_Lambda_Hardcoded_AWS_Credentials: categories: @@ -37992,6 +41018,7 @@ rules: group: top10-id-authn-failures name: Python_AWS_Lambda_Hardcoded_AWS_Credentials pretty_name: Hardcoded AWS Credentials - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_AWS_Lambda_Permission_Manipulation_in_S3: categories: @@ -38005,6 +41032,7 @@ rules: group: top10-broken-access-control name: Python_AWS_Lambda_Permission_Manipulation_in_S3 pretty_name: Permission Manipulation in S3 - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_AWS_Lambda_Race_Condition_Concurrent_Instances: categories: @@ -38019,6 +41047,7 @@ rules: group: top10-insecure-design name: Python_AWS_Lambda_Race_Condition_Concurrent_Instances pretty_name: Race Condition Concurrent Instances - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_AWS_Lambda_Unrestricted_Read_S3: categories: @@ -38033,6 +41062,7 @@ rules: group: top10-broken-access-control name: Python_AWS_Lambda_Unrestricted_Read_S3 pretty_name: Unrestricted Read S3 - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_AWS_Lambda_Unrestricted_Write_S3: categories: @@ -38047,6 +41077,7 @@ rules: group: top10-broken-access-control name: Python_AWS_Lambda_Unrestricted_Write_S3 pretty_name: Unrestricted Write S3 - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_AWS_Lambda_Use_of_Hardcoded_Cryptographic_Key_On_Server: categories: 
@@ -38060,6 +41091,7 @@ rules: group: top10-crypto-failures name: Python_AWS_Lambda_Use_of_Hardcoded_Cryptographic_Key_On_Server pretty_name: Use of Hardcoded Cryptographic Key On Server - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_AWS_Lambda_User_Based_SDK_Configurations: categories: @@ -38072,6 +41104,7 @@ rules: group: top10-security-misconfiguration name: Python_AWS_Lambda_User_Based_SDK_Configurations pretty_name: User Based SDK Configurations - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Best_Coding_Practice_Hardcoded_Absolute_Path: categories: @@ -38086,6 +41119,7 @@ rules: group: top10-software-data-integrity-failures name: Python_Best_Coding_Practice_Hardcoded_Absolute_Path pretty_name: Hardcoded Absolute Path - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Exploitable_Path_Python_Find_Imports: categories: @@ -38098,6 +41132,7 @@ rules: group: top10-injection name: Python_Exploitable_Path_Python_Find_Imports pretty_name: Python Find Imports - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Exploitable_Path_Python_Find_Methods: categories: @@ -38110,6 +41145,7 @@ rules: group: top10-injection name: Python_Exploitable_Path_Python_Find_Methods pretty_name: Python Find Methods - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_High_Risk_Code_Injection: categories: @@ -38127,6 +41163,7 @@ rules: group: top10-injection name: Python_High_Risk_Code_Injection pretty_name: Code Injection - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_High_Risk_Command_Injection: categories: 
@@ -38144,6 +41181,7 @@ rules: group: top10-injection name: Python_High_Risk_Command_Injection pretty_name: Command Injection - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_High_Risk_Connection_String_Injection: categories: @@ -38159,6 +41197,7 @@ rules: group: top10-injection name: Python_High_Risk_Connection_String_Injection pretty_name: Connection String Injection - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_High_Risk_LDAP_Injection: categories: @@ -38175,6 +41214,7 @@ rules: group: top10-injection name: Python_High_Risk_LDAP_Injection pretty_name: LDAP Injection - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_High_Risk_Local_File_Inclusion: categories: @@ -38189,6 +41229,7 @@ rules: group: top10-software-data-integrity-failures name: Python_High_Risk_Local_File_Inclusion pretty_name: Local File Inclusion - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_High_Risk_OS_Access_Violation: categories: @@ -38206,6 +41247,7 @@ rules: group: top10-injection name: Python_High_Risk_OS_Access_Violation pretty_name: OS Access Violation - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_High_Risk_Reflected_XSS_All_Clients: categories: @@ -38222,6 +41264,7 @@ rules: group: top10-injection name: Python_High_Risk_Reflected_XSS_All_Clients pretty_name: Reflected XSS All Clients - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_High_Risk_Resource_Injection: categories: 
@@ -38237,6 +41280,7 @@ rules: group: top10-injection name: Python_High_Risk_Resource_Injection pretty_name: Resource Injection - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_High_Risk_SQL_Injection: categories: @@ -38254,6 +41298,7 @@ rules: group: top10-injection name: Python_High_Risk_SQL_Injection pretty_name: SQL Injection - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_High_Risk_Second_Order_SQL_Injection: categories: @@ -38271,6 +41316,7 @@ rules: group: top10-injection name: Python_High_Risk_Second_Order_SQL_Injection pretty_name: Second Order SQL Injection - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_High_Risk_Stored_XSS: categories: @@ -38287,6 +41333,7 @@ rules: group: top10-injection name: Python_High_Risk_Stored_XSS pretty_name: Stored XSS - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_High_Risk_Unsafe_Deserialization: categories: @@ -38302,6 +41349,7 @@ rules: group: top10-software-data-integrity-failures name: Python_High_Risk_Unsafe_Deserialization pretty_name: Unsafe Deserialization - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_High_Risk_XPath_Injection: categories: @@ -38318,6 +41366,7 @@ rules: group: top10-injection name: Python_High_Risk_XPath_Injection pretty_name: XPath Injection - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_Command_Argument_Injection: categories: 
@@ -38332,6 +41381,7 @@ rules: group: top10-injection name: Python_Low_Visibility_Command_Argument_Injection pretty_name: Command Argument Injection - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_Cross_Site_History_Manipulation: categories: @@ -38347,6 +41397,7 @@ rules: group: top10-software-data-integrity-failures name: Python_Low_Visibility_Cross_Site_History_Manipulation pretty_name: Cross Site History Manipulation - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_Debug_Enabled: categories: @@ -38359,6 +41410,7 @@ rules: group: top10-security-misconfiguration name: Python_Low_Visibility_Debug_Enabled pretty_name: Debug Enabled - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_Django_Improper_Resource_Access_Authorization: categories: @@ -38372,6 +41424,7 @@ rules: group: top10-broken-access-control name: Python_Low_Visibility_Django_Improper_Resource_Access_Authorization pretty_name: Django Improper Resource Access Authorization - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_Django_Information_Exposure_Through_an_Error_Message: categories: @@ -38385,6 +41438,7 @@ rules: group: top10-insecure-design name: Python_Low_Visibility_Django_Information_Exposure_Through_an_Error_Message pretty_name: Django Information Exposure Through an Error Message - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_Django_Missing_Function_Level_Authorization: categories: 
@@ -38399,6 +41453,7 @@ rules: group: top10-broken-access-control name: Python_Low_Visibility_Django_Missing_Function_Level_Authorization pretty_name: Django Missing Function Level Authorization - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_Improper_Resource_Shutdown_or_Release: categories: @@ -38412,6 +41467,7 @@ rules: group: top10-insecure-design name: Python_Low_Visibility_Improper_Resource_Shutdown_or_Release pretty_name: Improper Resource Shutdown or Release - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_Information_Exposure_Through_an_Error_Message: categories: @@ -38425,6 +41481,7 @@ rules: group: top10-insecure-design name: Python_Low_Visibility_Information_Exposure_Through_an_Error_Message pretty_name: Information Exposure Through an Error Message - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_Insufficiently_Protected_Credentials: categories: @@ -38439,6 +41496,7 @@ rules: group: top10-insecure-design name: Python_Low_Visibility_Insufficiently_Protected_Credentials pretty_name: Insufficiently Protected Credentials - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_Log_Forging: categories: @@ -38451,6 +41509,7 @@ rules: group: top10-security-logging-monitoring-failures name: Python_Low_Visibility_Log_Forging pretty_name: Log Forging - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_Missing_Content_Security_Policy: categories: 
@@ -38464,6 +41523,7 @@ rules: group: top10-id-authn-failures name: Python_Low_Visibility_Missing_Content_Security_Policy pretty_name: Missing Content Security Policy - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy: categories: @@ -38477,6 +41537,7 @@ rules: group: top10-id-authn-failures name: Python_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy pretty_name: Overly Permissive Cross Origin Resource Sharing Policy - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_Password_In_Comment: categories: @@ -38492,6 +41553,7 @@ rules: group: top10-id-authn-failures name: Python_Low_Visibility_Password_In_Comment pretty_name: Password In Comment - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_Permissive_Content_Security_Policy: categories: @@ -38505,6 +41567,7 @@ rules: group: top10-id-authn-failures name: Python_Low_Visibility_Permissive_Content_Security_Policy pretty_name: Permissive Content Security Policy - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_ReDoS_Injection: categories: @@ -38520,6 +41583,7 @@ rules: group: top10-insecure-design name: Python_Low_Visibility_ReDoS_Injection pretty_name: ReDoS Injection - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_Stored_Code_Injection: categories: 
@@ -38536,6 +41600,7 @@ rules: group: top10-injection name: Python_Low_Visibility_Stored_Code_Injection pretty_name: Stored Code Injection - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_Stored_Command_Argument_Injection: categories: @@ -38550,6 +41615,7 @@ rules: group: top10-injection name: Python_Low_Visibility_Stored_Command_Argument_Injection pretty_name: Stored Command Argument Injection - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables: categories: @@ -38563,6 +41629,7 @@ rules: group: top10-insecure-design name: Python_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables pretty_name: Trust Boundary Violation in Session Variables - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_Use_Of_Hardcoded_Password: categories: @@ -38576,6 +41643,7 @@ rules: group: top10-id-authn-failures name: Python_Low_Visibility_Use_Of_Hardcoded_Password pretty_name: Use Of Hardcoded Password - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm: categories: @@ -38588,6 +41656,7 @@ rules: group: top10-crypto-failures name: Python_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm pretty_name: Use of Broken or Risky Cryptographic Algorithm - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_CSRF: categories: @@ -38603,6 +41672,7 @@ rules: group: top10-injection name: Python_Medium_Threat_CSRF pretty_name: CSRF - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_Communication_Over_HTTP: categories: 
@@ -38616,6 +41686,7 @@ rules: group: top10-crypto-failures name: Python_Medium_Threat_Communication_Over_HTTP pretty_name: Communication Over HTTP - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_Cookie_Poisoning: categories: @@ -38630,6 +41701,7 @@ rules: group: top10-insecure-design name: Python_Medium_Threat_Cookie_Poisoning pretty_name: Cookie Poisoning - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_DB_Parameter_Tampering: categories: @@ -38643,6 +41715,7 @@ rules: group: top10-broken-access-control name: Python_Medium_Threat_DB_Parameter_Tampering pretty_name: DB Parameter Tampering - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_Django_Missing_Object_Level_Authorization: categories: @@ -38657,6 +41730,7 @@ rules: group: top10-broken-access-control name: Python_Medium_Threat_Django_Missing_Object_Level_Authorization pretty_name: Django Missing Object Level Authorization - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_DoS_by_Sleep: categories: @@ -38669,6 +41743,7 @@ rules: group: top10-insecure-design name: Python_Medium_Threat_DoS_by_Sleep pretty_name: DoS by Sleep - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_Filtering_Sensitive_Logs: categories: @@ -38681,6 +41756,7 @@ rules: group: top10-security-logging-monitoring-failures name: Python_Medium_Threat_Filtering_Sensitive_Logs pretty_name: Filtering Sensitive Logs - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_Hardcoded_Password_in_Connection_String: categories: 
@@ -38694,6 +41770,7 @@ rules: group: top10-security-misconfiguration name: Python_Medium_Threat_Hardcoded_Password_in_Connection_String pretty_name: Hardcoded Password in Connection String - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_Header_Injection: categories: @@ -38708,6 +41785,7 @@ rules: group: top10-injection name: Python_Medium_Threat_Header_Injection pretty_name: Header Injection - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_HttpOnlyCookies_In_Config: categories: @@ -38720,6 +41798,7 @@ rules: group: top10-security-misconfiguration name: Python_Medium_Threat_HttpOnlyCookies_In_Config pretty_name: HttpOnlyCookies In Config - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_Improper_Restriction_of_XXE_Ref: categories: @@ -38734,6 +41813,7 @@ rules: group: top10-security-misconfiguration name: Python_Medium_Threat_Improper_Restriction_of_XXE_Ref pretty_name: Improper Restriction of XXE Ref - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_Insecure_Randomness: categories: @@ -38747,6 +41827,7 @@ rules: group: top10-crypto-failures name: Python_Medium_Threat_Insecure_Randomness pretty_name: Insecure Randomness - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_Missing_HSTS_Header: categories: @@ -38760,6 +41841,7 @@ rules: group: top10-id-authn-failures name: Python_Medium_Threat_Missing_HSTS_Header pretty_name: Missing HSTS Header - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_Missing_Secure_In_Config: categories: 
@@ -38773,6 +41855,7 @@ rules: group: top10-security-misconfiguration name: Python_Medium_Threat_Missing_Secure_In_Config pretty_name: Missing Secure In Config - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_Object_Access_Violation: categories: @@ -38786,6 +41869,7 @@ rules: group: top10-injection name: Python_Medium_Threat_Object_Access_Violation pretty_name: Object Access Violation - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_Open_Redirect: categories: @@ -38800,6 +41884,7 @@ rules: group: top10-broken-access-control name: Python_Medium_Threat_Open_Redirect pretty_name: Open Redirect - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_Parameter_Tampering: categories: @@ -38814,6 +41899,7 @@ rules: group: top10-insecure-design name: Python_Medium_Threat_Parameter_Tampering pretty_name: Parameter Tampering - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_Path_Traversal: categories: @@ -38831,6 +41917,7 @@ rules: group: top10-broken-access-control name: Python_Medium_Threat_Path_Traversal pretty_name: Path Traversal - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_Privacy_Violation: categories: @@ -38846,6 +41933,7 @@ rules: group: top10-broken-access-control name: Python_Medium_Threat_Privacy_Violation pretty_name: Privacy Violation - Python + recommended: true ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Python_Medium_Threat_ReDoS_In_Replace: categories: 
@@ -38861,6 +41949,7 @@ rules:
 group: top10-insecure-design
 name: Python_Medium_Threat_ReDoS_In_Replace
 pretty_name: ReDoS In Replace - Python
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Python_Medium_Threat_SSL_Verification_Bypass:
 categories:
@@ -38875,6 +41964,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Python_Medium_Threat_SSL_Verification_Bypass
 pretty_name: SSL Verification Bypass - Python
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Python_Medium_Threat_SSRF:
 categories:
@@ -38890,6 +41980,7 @@ rules:
 group: top10-server-side-request-forgery
 name: Python_Medium_Threat_SSRF
 pretty_name: SSRF - Python
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Python_Medium_Threat_Stored_Command_Injection:
 categories:
@@ -38906,6 +41997,7 @@ rules:
 group: top10-injection
 name: Python_Medium_Threat_Stored_Command_Injection
 pretty_name: Stored Command Injection - Python
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Python_Medium_Threat_Stored_LDAP_Injection:
 categories:
@@ -38921,6 +42013,7 @@ rules:
 group: top10-injection
 name: Python_Medium_Threat_Stored_LDAP_Injection
 pretty_name: Stored LDAP Injection - Python
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Python_Medium_Threat_Unchecked_Input_for_Loop_Condition:
 categories:
@@ -38935,6 +42028,7 @@ rules:
 group: top10-insecure-design
 name: Python_Medium_Threat_Unchecked_Input_for_Loop_Condition
 pretty_name: Unchecked Input for Loop Condition - Python
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Python_Medium_Threat_Uncontrolled_Format_String:
 categories:
@@ -38948,6 +42042,7 @@ rules:
 group: top10-injection
 name: Python_Medium_Threat_Uncontrolled_Format_String
 pretty_name: Uncontrolled Format String - Python
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Python_Medium_Threat_Use_of_Hardcoded_Cryptographic_Key:
 categories:
@@ -38961,6 +42056,7 @@ rules:
 group: top10-crypto-failures
 name: Python_Medium_Threat_Use_of_Hardcoded_Cryptographic_Key
 pretty_name: Use of Hardcoded Cryptographic Key - Python
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 RPG_High_Risk_Buffer_Overrun:
 categories:
@@ -38974,6 +42070,7 @@ rules:
 group: top10-injection
 name: RPG_High_Risk_Buffer_Overrun
 pretty_name: Buffer Overrun - RPG
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 RPG_High_Risk_Control_Language_Injection:
 categories:
@@ -38991,6 +42088,7 @@ rules:
 group: top10-injection
 name: RPG_High_Risk_Control_Language_Injection
 pretty_name: Control Language Injection - RPG
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 RPG_High_Risk_SQL_Injection:
 categories:
@@ -39008,6 +42106,7 @@ rules:
 group: top10-injection
 name: RPG_High_Risk_SQL_Injection
 pretty_name: SQL Injection - RPG
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 RPG_Low_Visibility_Ignored_Error_Conditions:
 categories:
@@ -39021,6 +42120,7 @@ rules:
 group: top10-insecure-design
 name: RPG_Low_Visibility_Ignored_Error_Conditions
 pretty_name: Ignored Error Conditions - RPG
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 RPG_Low_Visibility_Improper_Resource_Shutdown_or_Release:
 categories:
@@ -39034,6 +42134,7 @@ rules:
 group: top10-insecure-design
 name: RPG_Low_Visibility_Improper_Resource_Shutdown_or_Release
 pretty_name: Improper Resource Shutdown or Release - RPG
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 RPG_Low_Visibility_Information_Exposure_Through_Dump:
 categories:
@@ -39047,6 +42148,7 @@ rules:
 group: top10-broken-access-control
 name: RPG_Low_Visibility_Information_Exposure_Through_Dump
 pretty_name: Information Exposure Through Dump - RPG
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 RPG_Low_Visibility_Integer_Overflow:
 categories:
@@ -39063,6 +42165,7 @@ rules:
 group: top10-injection
 name: RPG_Low_Visibility_Integer_Overflow
 pretty_name: Integer Overflow - RPG
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 RPG_Low_Visibility_Library_Search_Order_Hijacking:
 categories:
@@ -39076,6 +42179,7 @@ rules:
 group: top10-injection
 name: RPG_Low_Visibility_Library_Search_Order_Hijacking
 pretty_name: Library Search Order Hijacking - RPG
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 RPG_Low_Visibility_Use_Of_Hardcoded_Password:
 categories:
@@ -39089,6 +42193,7 @@ rules:
 group: top10-id-authn-failures
 name: RPG_Low_Visibility_Use_Of_Hardcoded_Password
 pretty_name: Use Of Hardcoded Password - RPG
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 RPG_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm:
 categories:
@@ -39101,6 +42206,7 @@ rules:
 group: top10-crypto-failures
 name: RPG_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm
 pretty_name: Use of Broken or Risky Cryptographic Algorithm - RPG
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 RPG_Medium_Threat_DoS_by_Sleep:
 categories:
@@ -39113,6 +42219,7 @@ rules:
 group: top10-insecure-design
 name: RPG_Medium_Threat_DoS_by_Sleep
 pretty_name: DoS by Sleep - RPG
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 RPG_Medium_Threat_ReDoS:
 categories:
@@ -39127,6 +42234,7 @@ rules:
 group: top10-insecure-design
 name: RPG_Medium_Threat_ReDoS
 pretty_name: ReDoS - RPG
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 RPG_Medium_Threat_Reflected_Path_Traversal:
 categories:
@@ -39142,6 +42250,7 @@ rules:
 group: top10-broken-access-control
 name: RPG_Medium_Threat_Reflected_Path_Traversal
 pretty_name: Reflected Path Traversal - RPG
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Best_Coding_Practice_Caching_False_In_Production:
 categories:
@@ -39154,6 +42263,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Best_Coding_Practice_Caching_False_In_Production
 pretty_name: Caching False In Production - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception:
 categories:
@@ -39167,6 +42277,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception
 pretty_name: Declaration Of Catch For Generic Exception - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Best_Coding_Practice_Dynamic_Render_Path:
 categories:
@@ -39180,6 +42291,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Best_Coding_Practice_Dynamic_Render_Path
 pretty_name: Dynamic Render Path - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Best_Coding_Practice_Dynamic_SQL_Queries:
 categories:
@@ -39196,6 +42308,7 @@ rules:
 group: top10-injection
 name: Ruby_Best_Coding_Practice_Dynamic_SQL_Queries
 pretty_name: Dynamic SQL Queries - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Best_Coding_Practice_Global_Variables_Without_Meaningful_Name:
 categories:
@@ -39209,6 +42322,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Best_Coding_Practice_Global_Variables_Without_Meaningful_Name
 pretty_name: Global Variables Without Meaningful Name - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Best_Coding_Practice_Hardcoded_Absolute_Path:
 categories:
@@ -39223,6 +42337,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Ruby_Best_Coding_Practice_Hardcoded_Absolute_Path
 pretty_name: Hardcoded Absolute Path - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Best_Coding_Practice_Import_Relative_To_File:
 categories:
@@ -39236,6 +42351,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Best_Coding_Practice_Import_Relative_To_File
 pretty_name: Import Relative To File - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Best_Coding_Practice_Unchecked_Error_Condition:
 categories:
@@ -39248,6 +42364,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Best_Coding_Practice_Unchecked_Error_Condition
 pretty_name: Unchecked Error Condition - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Best_Coding_Practice_Unclosed_Objects:
 categories:
@@ -39261,6 +42378,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Best_Coding_Practice_Unclosed_Objects
 pretty_name: Unclosed Objects - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Best_Coding_Practice_Use_Of_Global_Variables:
 categories:
@@ -39274,6 +42392,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Best_Coding_Practice_Use_Of_Global_Variables
 pretty_name: Use Of Global Variables - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_High_Risk_Code_Injection:
 categories:
@@ -39291,6 +42410,7 @@ rules:
 group: top10-injection
 name: Ruby_High_Risk_Code_Injection
 pretty_name: Code Injection - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_High_Risk_Command_Injection:
 categories:
@@ -39308,6 +42428,7 @@ rules:
 group: top10-injection
 name: Ruby_High_Risk_Command_Injection
 pretty_name: Command Injection - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_High_Risk_Reflected_XSS_All_Clients:
 categories:
@@ -39324,6 +42445,7 @@ rules:
 group: top10-injection
 name: Ruby_High_Risk_Reflected_XSS_All_Clients
 pretty_name: Reflected XSS All Clients - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_High_Risk_Remote_File_Inclusion:
 categories:
@@ -39338,6 +42460,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Ruby_High_Risk_Remote_File_Inclusion
 pretty_name: Remote File Inclusion - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_High_Risk_SQL_Injection:
 categories:
@@ -39355,6 +42478,7 @@ rules:
 group: top10-injection
 name: Ruby_High_Risk_SQL_Injection
 pretty_name: SQL Injection - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_High_Risk_Second_Order_SQL_Injection:
 categories:
@@ -39372,6 +42496,7 @@ rules:
 group: top10-injection
 name: Ruby_High_Risk_Second_Order_SQL_Injection
 pretty_name: Second Order SQL Injection - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_High_Risk_Stored_XSS:
 categories:
@@ -39388,6 +42513,7 @@ rules:
 group: top10-injection
 name: Ruby_High_Risk_Stored_XSS
 pretty_name: Stored XSS - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Attr_accessible_Not_Set:
 categories:
@@ -39401,6 +42527,7 @@ rules:
 group: top10-security-misconfiguration
 name: Ruby_Low_Visibility_Attr_accessible_Not_Set
 pretty_name: Attr accessible Not Set - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Blind_SQL_Injections:
 categories:
@@ -39417,6 +42544,7 @@ rules:
 group: top10-injection
 name: Ruby_Low_Visibility_Blind_SQL_Injections
 pretty_name: Blind SQL Injections - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Connection_String_Injection:
 categories:
@@ -39431,6 +42559,7 @@ rules:
 group: top10-injection
 name: Ruby_Low_Visibility_Connection_String_Injection
 pretty_name: Connection String Injection - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Cross_Site_History_Manipulation:
 categories:
@@ -39446,6 +42575,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Ruby_Low_Visibility_Cross_Site_History_Manipulation
 pretty_name: Cross Site History Manipulation - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_DB_Information_Leak:
 categories:
@@ -39459,6 +42589,7 @@ rules:
 group: top10-broken-access-control
 name: Ruby_Low_Visibility_DB_Information_Leak
 pretty_name: DB Information Leak - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Disabling_SAFE_Mode:
 categories:
@@ -39473,6 +42604,7 @@ rules:
 group: top10-injection
 name: Ruby_Low_Visibility_Disabling_SAFE_Mode
 pretty_name: Disabling SAFE Mode - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Full_Error_Reports_In_Production:
 categories:
@@ -39486,6 +42618,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Low_Visibility_Full_Error_Reports_In_Production
 pretty_name: Full Error Reports In Production - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Improper_Exception_Handling:
 categories:
@@ -39498,6 +42631,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Low_Visibility_Improper_Exception_Handling
 pretty_name: Improper Exception Handling - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Improper_Transaction_Handling:
 categories:
@@ -39512,6 +42646,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Low_Visibility_Improper_Transaction_Handling
 pretty_name: Improper Transaction Handling - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Information_Exposure_Through_an_Error_Message:
 categories:
@@ -39525,6 +42660,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Low_Visibility_Information_Exposure_Through_an_Error_Message
 pretty_name: Information Exposure Through an Error Message - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Information_Leak_Through_Persistent_Cookies:
 categories:
@@ -39538,6 +42674,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Low_Visibility_Information_Leak_Through_Persistent_Cookies
 pretty_name: Information Leak Through Persistent Cookies - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Insufficiently_Protected_Credentials:
 categories:
@@ -39552,6 +42689,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Low_Visibility_Insufficiently_Protected_Credentials
 pretty_name: Insufficiently Protected Credentials - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Interactive_Render_Path:
 categories:
@@ -39565,6 +42703,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Low_Visibility_Interactive_Render_Path
 pretty_name: Interactive Render Path - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Leftover_Debug_Code:
 categories:
@@ -39579,6 +42718,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Low_Visibility_Leftover_Debug_Code
 pretty_name: Leftover Debug Code - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Local_File_Inclusion:
 categories:
@@ -39592,6 +42732,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Ruby_Low_Visibility_Local_File_Inclusion
 pretty_name: Local File Inclusion - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Log_Forging:
 categories:
@@ -39604,6 +42745,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: Ruby_Low_Visibility_Log_Forging
 pretty_name: Log Forging - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_No_Protection_From_Forgery:
 categories:
@@ -39619,6 +42761,7 @@ rules:
 group: top10-injection
 name: Ruby_Low_Visibility_No_Protection_From_Forgery
 pretty_name: No Protection From Forgery - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_No_Session_Expiration:
 categories:
@@ -39633,6 +42776,7 @@ rules:
 group: top10-id-authn-failures
 name: Ruby_Low_Visibility_No_Session_Expiration
 pretty_name: No Session Expiration - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Open_Redirect:
 categories:
@@ -39647,6 +42791,7 @@ rules:
 group: top10-broken-access-control
 name: Ruby_Low_Visibility_Open_Redirect
 pretty_name: Open Redirect - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Personal_Info_In_Session:
 categories:
@@ -39660,6 +42805,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Low_Visibility_Personal_Info_In_Session
 pretty_name: Personal Info In Session - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables:
 categories:
@@ -39673,6 +42819,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables
 pretty_name: Trust Boundary Violation in Session Variables - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Use_Of_Hardcoded_Password:
 categories:
@@ -39686,6 +42833,7 @@ rules:
 group: top10-id-authn-failures
 name: Ruby_Low_Visibility_Use_Of_Hardcoded_Password
 pretty_name: Use Of Hardcoded Password - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Use_Of_Sanitize_Instead_Of_h:
 categories:
@@ -39701,6 +42849,7 @@ rules:
 group: top10-injection
 name: Ruby_Low_Visibility_Use_Of_Sanitize_Instead_Of_h
 pretty_name: Use Of Sanitize Instead Of h - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Use_Of_raw:
 categories:
@@ -39716,6 +42865,7 @@ rules:
 group: top10-injection
 name: Ruby_Low_Visibility_Use_Of_raw
 pretty_name: Use Of raw - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm:
 categories:
@@ -39728,6 +42878,7 @@ rules:
 group: top10-crypto-failures
 name: Ruby_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm
 pretty_name: Use of Broken or Risky Cryptographic Algorithm - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_Use_of_Dangerous_Functions:
 categories:
@@ -39741,6 +42892,7 @@ rules:
 group: top10-vulnerable-components
 name: Ruby_Low_Visibility_Use_of_Dangerous_Functions
 pretty_name: Use of Dangerous Functions - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Low_Visibility_XSS_Evasion_Attack:
 categories:
@@ -39756,6 +42908,7 @@ rules:
 group: top10-injection
 name: Ruby_Low_Visibility_XSS_Evasion_Attack
 pretty_name: XSS Evasion Attack - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_CSRF:
 categories:
@@ -39771,6 +42924,7 @@ rules:
 group: top10-injection
 name: Ruby_Medium_Threat_CSRF
 pretty_name: CSRF - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_DB_Parameter_Tampering:
 categories:
@@ -39784,6 +42938,7 @@ rules:
 group: top10-broken-access-control
 name: Ruby_Medium_Threat_DB_Parameter_Tampering
 pretty_name: DB Parameter Tampering - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_DB_Tampering:
 categories:
@@ -39799,6 +42954,7 @@ rules:
 group: top10-injection
 name: Ruby_Medium_Threat_DB_Tampering
 pretty_name: DB Tampering - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_DOS_To_Symbol:
 categories:
@@ -39811,6 +42967,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Medium_Threat_DOS_To_Symbol
 pretty_name: DOS To Symbol - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_Dangerous_Send:
 categories:
@@ -39827,6 +42984,7 @@ rules:
 group: top10-injection
 name: Ruby_Medium_Threat_Dangerous_Send
 pretty_name: Dangerous Send - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_Default_Routes:
 categories:
@@ -39839,6 +42997,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Medium_Threat_Default_Routes
 pretty_name: Default Routes - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_DoS_by_Sleep:
 categories:
@@ -39851,6 +43010,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Medium_Threat_DoS_by_Sleep
 pretty_name: DoS by Sleep - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_Download_Arbitrary_File:
 categories:
@@ -39864,6 +43024,7 @@ rules:
 group: top10-broken-access-control
 name: Ruby_Medium_Threat_Download_Arbitrary_File
 pretty_name: Download Arbitrary File - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_Filtering_Sensitive_Logs:
 categories:
@@ -39876,6 +43037,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: Ruby_Medium_Threat_Filtering_Sensitive_Logs
 pretty_name: Filtering Sensitive Logs - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_Hardcoded_Session_Secret_Token:
 categories:
@@ -39891,6 +43053,7 @@ rules:
 group: top10-id-authn-failures
 name: Ruby_Medium_Threat_Hardcoded_Session_Secret_Token
 pretty_name: Hardcoded Session Secret Token - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_Http_Only_Set_To_False:
 categories:
@@ -39906,6 +43069,7 @@ rules:
 group: top10-injection
 name: Ruby_Medium_Threat_Http_Only_Set_To_False
 pretty_name: Http Only Set To False - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_Insecure_Randomness:
 categories:
@@ -39919,6 +43083,7 @@ rules:
 group: top10-crypto-failures
 name: Ruby_Medium_Threat_Insecure_Randomness
 pretty_name: Insecure Randomness - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_Insufficient_Format_Validation:
 categories:
@@ -39932,6 +43097,7 @@ rules:
 group: top10-injection
 name: Ruby_Medium_Threat_Insufficient_Format_Validation
 pretty_name: Insufficient Format Validation - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_Nonvalidated_File_Upload:
 categories:
@@ -39946,6 +43112,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Medium_Threat_Nonvalidated_File_Upload
 pretty_name: Nonvalidated File Upload - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_Parameter_Tampering:
 categories:
@@ -39960,6 +43127,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Medium_Threat_Parameter_Tampering
 pretty_name: Parameter Tampering - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_Path_Traversal:
 categories:
@@ -39977,6 +43145,7 @@ rules:
 group: top10-broken-access-control
 name: Ruby_Medium_Threat_Path_Traversal
 pretty_name: Path Traversal - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_Privacy_Violation:
 categories:
@@ -39992,6 +43161,7 @@ rules:
 group: top10-broken-access-control
 name: Ruby_Medium_Threat_Privacy_Violation
 pretty_name: Privacy Violation - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_Privilege_Escalation:
 categories:
@@ -40005,6 +43175,7 @@ rules:
 group: top10-broken-access-control
 name: Ruby_Medium_Threat_Privilege_Escalation
 pretty_name: Privilege Escalation - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_Remote_Code_Execution:
 categories:
@@ -40021,6 +43192,7 @@ rules:
 group: top10-injection
 name: Ruby_Medium_Threat_Remote_Code_Execution
 pretty_name: Remote Code Execution - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_SSL_Verification_Bypass:
 categories:
@@ -40035,6 +43207,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Ruby_Medium_Threat_SSL_Verification_Bypass
 pretty_name: SSL Verification Bypass - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_Short_Session_Key:
 categories:
@@ -40049,6 +43222,7 @@ rules:
 group: top10-crypto-failures
 name: Ruby_Medium_Threat_Short_Session_Key
 pretty_name: Short Session Key - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_Stored_Code_Injection:
 categories:
@@ -40065,6 +43239,7 @@ rules:
 group: top10-injection
 name: Ruby_Medium_Threat_Stored_Code_Injection
 pretty_name: Stored Code Injection - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_Unsafe_Mass_Assignment:
 categories:
@@ -40079,6 +43254,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Ruby_Medium_Threat_Unsafe_Mass_Assignment
 pretty_name: Unsafe Mass Assignment - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key:
 categories:
@@ -40092,6 +43268,7 @@ rules:
 group: top10-crypto-failures
 name: Ruby_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key
 pretty_name: Use of Hard coded Cryptographic Key - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Vulnerable_Outdated_Versions_Outdated_JSON_GEM_Remote_Code:
 categories:
@@ -40107,6 +43284,7 @@ rules:
 group: top10-injection
 name: Ruby_Vulnerable_Outdated_Versions_Outdated_JSON_GEM_Remote_Code
 pretty_name: Outdated JSON GEM Remote Code - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Vulnerable_Outdated_Versions_Outdated_JSON_Remote_Code_Execution:
 categories:
@@ -40123,6 +43301,7 @@ rules:
 group: top10-injection
 name: Ruby_Vulnerable_Outdated_Versions_Outdated_JSON_Remote_Code_Execution
 pretty_name: Outdated JSON Remote Code Execution - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_Bypass_Access_Control:
 categories:
@@ -40136,6 +43315,7 @@ rules:
 group: top10-vulnerable-components
 name: Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_Bypass_Access_Control
 pretty_name: Outdated Rails Allows Bypass Access Control - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_Cross_Site_Request_Forgery:
 categories:
@@ -40151,6 +43331,7 @@ rules:
 group: top10-vulnerable-components
 name: Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_Cross_Site_Request_Forgery
 pretty_name: Outdated Rails Allows Cross Site Request Forgery - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_DOS_via_ActiveRecord:
 categories:
@@ -40166,6 +43347,7 @@ rules:
 group: top10-insecure-design
 name: Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_DOS_via_ActiveRecord
 pretty_name: Outdated Rails Allows DOS via ActiveRecord - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_SQL_Injection:
 categories:
@@ -40182,6 +43364,7 @@ rules:
 group: top10-injection
 name: Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_SQL_Injection
 pretty_name: Outdated Rails Allows SQL Injection - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_XSS:
 categories:
@@ -40197,6 +43380,7 @@ rules:
 group: top10-injection
 name: Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_XSS
 pretty_name: Outdated Rails Allows XSS - Ruby
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J:
 categories:
@@ -40212,6 +43396,7 @@ rules:
 group: top10-insecure-design
 name: Scala_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J
 pretty_name: Potential Usage of Vulnerable Log4J - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_High_Risk_Code_Injection:
 categories:
@@ -40229,6 +43414,7 @@ rules:
 group: top10-injection
 name: Scala_High_Risk_Code_Injection
 pretty_name: Code Injection - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_High_Risk_Command_Injection:
 categories:
@@ -40246,6 +43432,7 @@ rules:
 group: top10-injection
 name: Scala_High_Risk_Command_Injection
 pretty_name: Command Injection - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_High_Risk_Connection_String_Injection:
 categories:
@@ -40261,6 +43448,7 @@ rules:
 group: top10-injection
 name: Scala_High_Risk_Connection_String_Injection
 pretty_name: Connection String Injection - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_High_Risk_Deserialization_of_Untrusted_Data:
 categories:
@@ -40276,6 +43464,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Scala_High_Risk_Deserialization_of_Untrusted_Data
 pretty_name: Deserialization of Untrusted Data - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_High_Risk_LDAP_Injection:
 categories:
@@ -40292,6 +43481,7 @@ rules:
 group: top10-injection
 name: Scala_High_Risk_LDAP_Injection
 pretty_name: LDAP Injection - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_High_Risk_Reflected_XSS_All_Clients:
 categories:
@@ -40308,6 +43498,7 @@ rules:
 group: top10-injection
 name: Scala_High_Risk_Reflected_XSS_All_Clients
 pretty_name: Reflected XSS All Clients - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_High_Risk_Resource_Injection:
 categories:
@@ -40323,6 +43514,7 @@ rules:
 group: top10-injection
 name: Scala_High_Risk_Resource_Injection
 pretty_name: Resource Injection - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_High_Risk_SQL_Injection:
 categories:
@@ -40340,6 +43532,7 @@ rules:
 group: top10-injection
 name: Scala_High_Risk_SQL_Injection
 pretty_name: SQL Injection - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_High_Risk_Second_Order_SQL_Injection:
 categories:
@@ -40357,6 +43550,7 @@ rules:
 group: top10-injection
 name: Scala_High_Risk_Second_Order_SQL_Injection
 pretty_name: Second Order SQL Injection - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_High_Risk_Stored_XSS:
 categories:
@@ -40373,6 +43567,7 @@ rules:
 group: top10-injection
 name: Scala_High_Risk_Stored_XSS
 pretty_name: Stored XSS - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_High_Risk_Unsafe_Reflection:
 categories:
@@ -40388,6 +43583,7 @@ rules:
 group: top10-injection
 name: Scala_High_Risk_Unsafe_Reflection
 pretty_name: Unsafe Reflection - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_High_Risk_XPath_Injection:
 categories:
@@ -40404,6 +43600,7 @@ rules:
 group: top10-injection
 name: Scala_High_Risk_XPath_Injection
 pretty_name: XPath Injection - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Akka_Debug_Loglevel_Enabled:
 categories:
@@ -40416,6 +43613,7 @@ rules:
 group: top10-security-misconfiguration
 name: Scala_Low_Visibility_Akka_Debug_Loglevel_Enabled
 pretty_name: Akka Debug Loglevel Enabled - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Akka_Disabling_Hostname_Verification:
 categories:
@@ -40429,6 +43627,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Scala_Low_Visibility_Akka_Disabling_Hostname_Verification
 pretty_name: Akka Disabling Hostname Verification - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Akka_Encrypt_Data_Disabled:
 categories:
@@ -40441,6 +43640,7 @@ rules:
 group: top10-security-misconfiguration
 name: Scala_Low_Visibility_Akka_Encrypt_Data_Disabled
 pretty_name: Akka Encrypt Data Disabled - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Akka_Missing_Max_Age:
 categories:
@@ -40453,6 +43653,7 @@ rules:
 group: top10-security-misconfiguration
 name: Scala_Low_Visibility_Akka_Missing_Max_Age
 pretty_name: Akka Missing Max Age - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Akka_Serialize_Enabled:
 categories:
@@ -40465,6 +43666,7 @@ rules:
 group: top10-security-misconfiguration
 name: Scala_Low_Visibility_Akka_Serialize_Enabled
 pretty_name: Akka Serialize Enabled - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Akka_Untrusted_Mode_Enabled:
 categories:
@@ -40477,6 +43679,7 @@ rules:
 group: top10-security-misconfiguration
 name: Scala_Low_Visibility_Akka_Untrusted_Mode_Enabled
 pretty_name: Akka Untrusted Mode Enabled - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Akka_Verbose_Mode_Enabled:
 categories:
@@ -40490,6 +43693,7 @@ rules:
 group: top10-insecure-design
 name: Scala_Low_Visibility_Akka_Verbose_Mode_Enabled
 pretty_name: Akka Verbose Mode Enabled - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Command_Argument_Injection:
 categories:
@@ -40504,6 +43708,7 @@ rules:
 group: top10-injection
 name: Scala_Low_Visibility_Command_Argument_Injection
 pretty_name: Command Argument Injection - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Cross_Site_History_Manipulation:
 categories:
@@ -40519,6 +43724,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Scala_Low_Visibility_Cross_Site_History_Manipulation
 pretty_name: Cross Site History Manipulation - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Deprecated_API:
 categories:
@@ -40531,6 +43737,7 @@ rules:
 group: top10-insecure-design
 name: Scala_Low_Visibility_Deprecated_API
 pretty_name: Deprecated API - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Heap_Inspection:
 categories:
@@ -40545,6 +43752,7 @@ rules:
 group: top10-broken-access-control
 name: Scala_Low_Visibility_Heap_Inspection
 pretty_name: Heap Inspection - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Integer_Overflow:
 categories:
@@ -40561,6 +43769,7 @@ rules:
 group: top10-injection
 name: Scala_Low_Visibility_Integer_Overflow
 pretty_name: Integer Overflow - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Not_Using_a_Random_IV_with_CBC_Mode:
 categories:
@@ -40575,6 +43784,7 @@ rules:
 group: top10-crypto-failures
 name: Scala_Low_Visibility_Not_Using_a_Random_IV_with_CBC_Mode
 pretty_name: Not Using a Random IV with CBC Mode - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Open_Redirect:
 categories:
@@ -40589,6 +43799,7 @@ rules:
 group: top10-broken-access-control
 name: Scala_Low_Visibility_Open_Redirect
 pretty_name: Open Redirect - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy:
 categories:
@@ -40602,6 +43813,7 @@ rules:
 group: top10-id-authn-failures
 name: Scala_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy
 pretty_name: Overly Permissive Cross Origin Resource Sharing Policy - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Potential_Stored_XSS:
 categories:
@@ -40617,6 +43829,7 @@ rules:
 group: top10-injection
 name: Scala_Low_Visibility_Potential_Stored_XSS
 pretty_name: Potential Stored XSS - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm:
 categories:
@@ -40629,6 +43842,7 @@ rules:
 group: top10-crypto-failures
 name: Scala_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm
 pretty_name: Use of Broken or Risky Cryptographic Algorithm - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Use_of_Hard_coded_Security_Constants:
 categories:
@@ -40642,6 +43856,7 @@ rules:
 group: top10-security-misconfiguration
 name: Scala_Low_Visibility_Use_of_Hard_coded_Security_Constants
 pretty_name: Use of Hard coded Security Constants - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Use_of_Non_Cryptographic_Random:
 categories:
@@ -40655,6 +43870,7 @@ rules:
 group: top10-crypto-failures
 name: Scala_Low_Visibility_Use_of_Non_Cryptographic_Random
 pretty_name: Use of Non Cryptographic Random - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP:
 categories:
@@ -40668,6 +43884,7 @@ rules:
 group: top10-crypto-failures
 name: Scala_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP
 pretty_name: Use of RSA Algorithm without OAEP - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Absolute_Path_Traversal:
 categories:
@@ -40683,6 +43900,7 @@ rules:
 group: top10-broken-access-control
 name: Scala_Medium_Threat_Absolute_Path_Traversal
 pretty_name: Absolute Path Traversal - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_CSRF:
 categories:
@@ -40698,6 +43916,7 @@ rules:
 group: top10-injection
 name: Scala_Medium_Threat_CSRF
 pretty_name: CSRF - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Cleartext_Submission_of_Sensitive_Information:
 categories:
@@ -40711,6 +43930,7 @@ rules:
 group: top10-broken-access-control
 name: Scala_Medium_Threat_Cleartext_Submission_of_Sensitive_Information
 pretty_name: Cleartext Submission of Sensitive Information - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_DB_Parameter_Tampering:
 categories:
@@ -40724,6 +43944,7 @@ rules:
 group: top10-broken-access-control
 name: Scala_Medium_Threat_DB_Parameter_Tampering
 pretty_name: DB Parameter Tampering - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Dangerous_File_Inclusion:
 categories:
@@ -40737,6 +43958,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Scala_Medium_Threat_Dangerous_File_Inclusion
 pretty_name: Dangerous File Inclusion - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_DoS_by_Sleep:
 categories:
@@ -40749,6 +43971,7 @@ rules:
 group: top10-insecure-design
 name: Scala_Medium_Threat_DoS_by_Sleep
 pretty_name: DoS by Sleep - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_External_XML_Entities_XXE:
 categories:
@@ -40763,6 +43986,7 @@ rules:
 group: top10-security-misconfiguration
 name: Scala_Medium_Threat_External_XML_Entities_XXE
 pretty_name: External XML Entities XXE - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_HTTP_Response_Splitting:
 categories:
@@ -40777,6 +44001,7 @@ rules:
 group: top10-injection
 name: Scala_Medium_Threat_HTTP_Response_Splitting
 pretty_name: HTTP Response Splitting - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Hardcoded_password_in_Connection_String:
 categories:
@@ -40790,6 +44015,7 @@ rules:
 group: top10-security-misconfiguration
 name: Scala_Medium_Threat_Hardcoded_password_in_Connection_String
 pretty_name: Hardcoded password in Connection String - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_HttpOnlyCookies:
 categories:
@@ -40802,6 +44028,7 @@ rules:
 group: top10-security-misconfiguration
 name: Scala_Medium_Threat_HttpOnlyCookies
 pretty_name: HttpOnlyCookies - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Improper_Locking:
 categories:
@@ -40815,6 +44042,7 @@ rules:
 group: top10-insecure-design
 name: Scala_Medium_Threat_Improper_Locking
 pretty_name: Improper Locking - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Inadequate_Encryption_Strength:
 categories:
@@ -40829,6 +44057,7 @@ rules:
 group: top10-crypto-failures
 name: Scala_Medium_Threat_Inadequate_Encryption_Strength
 pretty_name: Inadequate Encryption Strength - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Missing_Secure_Flag:
 categories:
@@ -40842,6 +44071,7 @@ rules:
 group: top10-security-misconfiguration
 name: Scala_Medium_Threat_Missing_Secure_Flag
 pretty_name: Missing Secure Flag - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Multiple_Binds_to_the_Same_Port:
 categories:
@@ -40855,6 +44085,7 @@ rules:
 group: top10-insecure-design
 name: Scala_Medium_Threat_Multiple_Binds_to_the_Same_Port
 pretty_name: Multiple Binds to the Same Port - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Parameter_Tampering:
 categories:
@@ -40869,6 +44100,7 @@ rules:
 group: top10-insecure-design
 name: Scala_Medium_Threat_Parameter_Tampering
 pretty_name: Parameter Tampering - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Plaintext_Storage_of_a_Password:
 categories:
@@ -40881,6 +44113,7 @@ rules:
 group: top10-insecure-design
 name: Scala_Medium_Threat_Plaintext_Storage_of_a_Password
 pretty_name: Plaintext Storage of a Password - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Privacy_Violation:
 categories:
@@ -40896,6 +44129,7 @@ rules:
 group: top10-broken-access-control
 name: Scala_Medium_Threat_Privacy_Violation
 pretty_name: Privacy Violation - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_ReDoS_From_Regex_Injection:
 categories:
@@ -40911,6 +44145,7 @@ rules:
 group: top10-insecure-design
 name: Scala_Medium_Threat_ReDoS_From_Regex_Injection
 pretty_name: ReDoS From Regex Injection - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_ReDoS_In_Match:
 categories:
@@ -40926,6 +44161,7 @@ rules:
 group: top10-insecure-design
 name: Scala_Medium_Threat_ReDoS_In_Match
 pretty_name: ReDoS In Match - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_ReDoS_In_Pattern:
 categories:
@@ -40941,6 +44177,7 @@ rules:
 group: top10-insecure-design
 name: Scala_Medium_Threat_ReDoS_In_Pattern
 pretty_name: ReDoS In Pattern - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_ReDoS_In_Replace:
 categories:
@@ -40956,6 +44193,7 @@ rules:
 group: top10-insecure-design
 name: Scala_Medium_Threat_ReDoS_In_Replace
 pretty_name: ReDoS In Replace - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Relative_Path_Traversal:
 categories:
@@ -40971,6 +44209,7 @@ rules:
 group: top10-broken-access-control
 name: Scala_Medium_Threat_Relative_Path_Traversal
 pretty_name: Relative Path Traversal - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_SQL_Injection_Evasion_Attack:
 categories:
@@ -40987,6 +44226,7 @@ rules:
 group: top10-injection
 name: Scala_Medium_Threat_SQL_Injection_Evasion_Attack
 pretty_name: SQL Injection Evasion Attack - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_SSL_Verification_Bypass:
 categories:
@@ -41001,6 +44241,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Scala_Medium_Threat_SSL_Verification_Bypass
 pretty_name: SSL Verification Bypass - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_SSRF:
 categories:
@@ -41016,6 +44257,7 @@ rules:
 group: top10-server-side-request-forgery
 name: Scala_Medium_Threat_SSRF
 pretty_name: SSRF - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Same_Seed_in_PRNG:
 categories:
@@ -41029,6 +44271,7 @@ rules:
 group: top10-crypto-failures
 name: Scala_Medium_Threat_Same_Seed_in_PRNG
 pretty_name: Same Seed in PRNG - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Session_Fixation:
 categories:
@@ -41043,6 +44286,7 @@ rules:
 group: top10-id-authn-failures
 name: Scala_Medium_Threat_Session_Fixation
 pretty_name: Session Fixation - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Stored_External_XML_Entities_XXE:
 categories:
@@ -41057,6 +44301,7 @@ rules:
 group: top10-security-misconfiguration
 name: Scala_Medium_Threat_Stored_External_XML_Entities_XXE
 pretty_name: Stored External XML Entities XXE - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Stored_LDAP_Injection:
 categories:
@@ -41072,6 +44317,7 @@ rules:
 group: top10-injection
 name: Scala_Medium_Threat_Stored_LDAP_Injection
 pretty_name: Stored LDAP Injection - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Use_of_Cryptographically_Weak_PRNG:
 categories:
@@ -41085,6 +44331,7 @@ rules:
 group: top10-crypto-failures
 name: Scala_Medium_Threat_Use_of_Cryptographically_Weak_PRNG
 pretty_name: Use of Cryptographically Weak PRNG - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key:
 categories:
@@ -41098,6 +44345,7 @@ rules:
 group: top10-crypto-failures
 name: Scala_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key
 pretty_name: Use of Hard coded Cryptographic Key - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Use_of_a_One_Way_Hash_with_a_Predictable_Salt:
 categories:
@@ -41112,6 +44360,7 @@ rules:
 group: top10-crypto-failures
 name: Scala_Medium_Threat_Use_of_a_One_Way_Hash_with_a_Predictable_Salt
 pretty_name: Use of a One Way Hash with a Predictable Salt - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt:
 categories:
@@ -41126,6 +44375,7 @@ rules:
 group: top10-crypto-failures
 name: Scala_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt
 pretty_name: Use of a One Way Hash without a Salt - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Medium_Threat_XQuery_Injection:
 categories:
@@ -41141,6 +44391,7 @@ rules:
 group: top10-injection
 name: Scala_Medium_Threat_XQuery_Injection
 pretty_name: XQuery Injection - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Stored_Stored_Code_Injection:
 categories:
@@ -41157,6 +44408,7 @@ rules:
 group: top10-injection
 name: Scala_Stored_Stored_Code_Injection
 pretty_name: Stored Code Injection - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Stored_Stored_HTTP_Response_Splitting:
 categories:
@@ -41171,6 +44423,7 @@ rules:
 group: top10-injection
 name: Scala_Stored_Stored_HTTP_Response_Splitting
 pretty_name: Stored HTTP Response Splitting - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Stored_Stored_Open_Redirect:
 categories:
@@ -41185,6 +44438,7 @@ rules:
 group: top10-broken-access-control
 name: Scala_Stored_Stored_Open_Redirect
 pretty_name: Stored Open Redirect - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Scala_Stored_Stored_XPath_Injection:
 categories:
@@ -41200,6 +44454,7 @@ rules:
 group: top10-injection
 name: Scala_Stored_Stored_XPath_Injection
 pretty_name: Stored XPath Injection - Scala
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Best_Coding_Practices_Dynamic_SQL_Queries:
 categories:
@@ -41216,6 +44471,7 @@ rules:
 group: top10-injection
 name: Swift_Best_Coding_Practices_Dynamic_SQL_Queries
 pretty_name: Dynamic SQL Queries - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Best_Coding_Practices_Empty_Methods:
 categories:
@@ -41228,6 +44484,7 @@ rules:
 group: top10-insecure-design
 name: Swift_Best_Coding_Practices_Empty_Methods
 pretty_name: Empty Methods - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Best_Coding_Practices_Third_Party_Keyboard_Enabled:
 categories:
@@ -41241,6 +44498,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Swift_Best_Coding_Practices_Third_Party_Keyboard_Enabled
 pretty_name: Third Party Keyboard Enabled - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_High_Risk_Information_Exposure_Through_Extension:
 categories:
@@ -41255,6 +44513,7 @@ rules:
 group: top10-broken-access-control
 name: Swift_High_Risk_Information_Exposure_Through_Extension
 pretty_name: Information Exposure Through Extension - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_High_Risk_Resource_Updated_By_URL_Data:
 categories:
@@ -41268,6 +44527,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Swift_High_Risk_Resource_Updated_By_URL_Data
 pretty_name: Resource Updated By URL Data - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_High_Risk_Sensitive_Information_over_HTTP:
 categories:
@@ -41282,6 +44542,7 @@ rules:
 group: top10-broken-access-control
 name: Swift_High_Risk_Sensitive_Information_over_HTTP
 pretty_name: Sensitive Information over HTTP - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_High_Risk_Third_Party_Keyboards_On_Sensitive_Field:
 categories:
@@ -41296,6 +44557,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Swift_High_Risk_Third_Party_Keyboards_On_Sensitive_Field
 pretty_name: Third Party Keyboards On Sensitive Field - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_High_Risk_URL_Scheme_Hijacking:
 categories:
@@ -41310,6 +44572,7 @@ rules:
 group: top10-injection
 name: Swift_High_Risk_URL_Scheme_Hijacking
 pretty_name: URL Scheme Hijacking - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_High_Risk_Unencrypted_Sensitive_Information_in_Publicly_Accessible_iCloud_Storage:
 categories:
@@ -41325,6 +44588,7 @@ rules:
 name: Swift_High_Risk_Unencrypted_Sensitive_Information_in_Publicly_Accessible_iCloud_Storage
 pretty_name: Unencrypted Sensitive Information in Publicly Accessible iCloud Storage - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_High_Risk_Unsafe_Reflection:
 categories:
@@ -41340,6 +44604,7 @@ rules:
 group: top10-injection
 name: Swift_High_Risk_Unsafe_Reflection
 pretty_name: Unsafe Reflection - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Allowed_Backup:
 categories:
@@ -41353,6 +44618,7 @@ rules:
 group: top10-broken-access-control
 name: Swift_Low_Visibility_Allowed_Backup
 pretty_name: Allowed Backup - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_App_Transport_Security_Bypass:
 categories:
@@ -41366,6 +44632,7 @@ rules:
 group: top10-security-misconfiguration
 name: Swift_Low_Visibility_App_Transport_Security_Bypass
 pretty_name: App Transport Security Bypass - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Encrypted_Sensitive_Information_in_Publicly_Accessible_iCloud_Storage:
 categories:
@@ -41380,6 +44647,7 @@ rules:
 name: Swift_Low_Visibility_Encrypted_Sensitive_Information_in_Publicly_Accessible_iCloud_Storage
 pretty_name: Encrypted Sensitive Information in Publicly Accessible iCloud Storage - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Functions_Apple_Recommends_To_Avoid:
 categories:
@@ -41393,6 +44661,7 @@ rules:
 group: top10-vulnerable-components
 name: Swift_Low_Visibility_Functions_Apple_Recommends_To_Avoid
 pretty_name: Functions Apple Recommends To Avoid - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Heap_Inspection:
 categories:
@@ -41407,6 +44676,7 @@ rules:
 group: top10-broken-access-control
 name: Swift_Low_Visibility_Heap_Inspection
 pretty_name: Heap Inspection - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Information_Leak_Through_Response_Caching:
 categories:
@@ -41420,6 +44690,7 @@ rules:
 group: top10-broken-access-control
 name: Swift_Low_Visibility_Information_Leak_Through_Response_Caching
 pretty_name: Information Leak Through Response Caching - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Insufficient_Encryption_Key_Size:
 categories:
@@ -41434,6 +44705,7 @@ rules:
 group: top10-crypto-failures
 name: Swift_Low_Visibility_Insufficient_Encryption_Key_Size
 pretty_name: Insufficient Encryption Key Size - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Missing_Certificate_Pinning:
 categories:
@@ -41446,6 +44718,7 @@ rules:
 group: top10-id-authn-failures
 name: Swift_Low_Visibility_Missing_Certificate_Pinning
 pretty_name: Missing Certificate Pinning - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Missing_Device_Lock_Verification:
 categories:
@@ -41459,6 +44732,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: Swift_Low_Visibility_Missing_Device_Lock_Verification
 pretty_name: Missing Device Lock Verification - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Missing_Jailbreak_Check:
 categories:
@@ -41472,6 +44746,7 @@ rules:
 group: top10-insecure-design
 name: Swift_Low_Visibility_Missing_Jailbreak_Check
 pretty_name: Missing Jailbreak Check - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Null_Password:
 categories:
@@ -41485,6 +44760,7 @@ rules:
 group: top10-insecure-design
 name: Swift_Low_Visibility_Null_Password
 pretty_name: Null Password - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Parameter_Tampering:
 categories:
@@ -41499,6 +44775,7 @@ rules:
 group: top10-insecure-design
 name: Swift_Low_Visibility_Parameter_Tampering
 pretty_name: Parameter Tampering - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Password_In_Comment:
 categories:
@@ -41514,6 +44791,7 @@ rules:
 group: top10-id-authn-failures
 name: Swift_Low_Visibility_Password_In_Comment
 pretty_name: Password In Comment - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Private_Storage_SQL_Injection:
 categories:
@@ -41530,6 +44808,7 @@ rules:
 group: top10-injection
 name: Swift_Low_Visibility_Private_Storage_SQL_Injection
 pretty_name: Private Storage SQL Injection - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Private_Storage_WebView_JavaScript_Injection:
 categories:
@@ -41545,6 +44824,7 @@ rules:
 group: top10-injection
 name: Swift_Low_Visibility_Private_Storage_WebView_JavaScript_Injection
 pretty_name: Private Storage WebView JavaScript Injection - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Secret_Stored_Outside_of_Keychain:
 categories:
@@ -41558,6 +44838,7 @@ rules:
 group: top10-insecure-design
 name: Swift_Low_Visibility_Secret_Stored_Outside_of_Keychain
 pretty_name: Secret Stored Outside of Keychain - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Self_SQL_Injection:
 categories:
@@ -41574,6 +44855,7 @@ rules:
 group: top10-injection
 name: Swift_Low_Visibility_Self_SQL_Injection
 pretty_name: Self SQL Injection - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Self_WebView_JavaScript_Injection:
 categories:
@@ -41589,6 +44871,7 @@ rules:
 group: top10-injection
 name: Swift_Low_Visibility_Self_WebView_JavaScript_Injection
 pretty_name: Self WebView JavaScript Injection - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Unencrypted_Sensitive_Information_in_Internal_Storage:
 categories:
@@ -41602,6 +44885,7 @@ rules:
 group: top10-insecure-design
 name: Swift_Low_Visibility_Unencrypted_Sensitive_Information_in_Internal_Storage
 pretty_name: Unencrypted Sensitive Information in Internal Storage - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm:
 categories:
@@ -41614,6 +44898,7 @@ rules:
 group: top10-crypto-failures
 name: Swift_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm
 pretty_name: Use of Broken or Risky Cryptographic Algorithm - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Use_of_Hardcoded_Cryptographic_Key:
 categories:
@@ -41627,6 +44912,7 @@ rules:
 group: top10-crypto-failures
 name: Swift_Low_Visibility_Use_of_Hardcoded_Cryptographic_Key
 pretty_name: Use of Hardcoded Cryptographic Key - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Use_of_Hardcoded_Password:
 categories:
@@ -41640,6 +44926,7 @@ rules:
 group: top10-id-authn-failures
 name: Swift_Low_Visibility_Use_of_Hardcoded_Password
 pretty_name: Use of Hardcoded Password - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_Use_of_Insufficiently_Random_Values:
 categories:
@@ -41653,6 +44940,7 @@ rules:
 group: top10-crypto-failures
 name: Swift_Low_Visibility_Use_of_Insufficiently_Random_Values
 pretty_name: Use of Insufficiently Random Values - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Low_Visibility_User_Information_in_Publicly_Accessible_iCloud_Storage:
 categories:
@@ -41666,6 +44954,7 @@ rules:
 group: top10-insecure-design
 name: Swift_Low_Visibility_User_Information_in_Publicly_Accessible_iCloud_Storage
 pretty_name: User Information in Publicly Accessible iCloud Storage - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Medium_Threat_Autocorrection_Keystroke_Logging:
 categories:
@@ -41681,6 +44970,7 @@ rules:
 group: top10-broken-access-control
 name: Swift_Medium_Threat_Autocorrection_Keystroke_Logging
 pretty_name: Autocorrection Keystroke Logging - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Medium_Threat_Communication_over_HTTP:
 categories:
@@ -41694,6 +44984,7 @@ rules:
 group: top10-crypto-failures
 name: Swift_Medium_Threat_Communication_over_HTTP
 pretty_name: Communication over HTTP - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Medium_Threat_Format_String_Attack:
 categories:
@@ -41707,6 +44998,7 @@ rules:
 group: top10-injection
 name: Swift_Medium_Threat_Format_String_Attack
 pretty_name: Format String Attack - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Medium_Threat_Improper_Certificate_Validation:
 categories:
@@ -41719,6 +45011,7 @@ rules:
 group: top10-id-authn-failures
 name: Swift_Medium_Threat_Improper_Certificate_Validation
 pretty_name: Improper Certificate Validation - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Medium_Threat_Information_Exposure_Through_Query_String:
 categories:
@@ -41732,6 +45025,7 @@ rules:
 group: top10-insecure-design
 name: Swift_Medium_Threat_Information_Exposure_Through_Query_String
 pretty_name: Information Exposure Through Query String - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Medium_Threat_Pasteboard_Leakage:
 categories:
@@ -41745,6 +45039,7 @@ rules:
 group: top10-broken-access-control
 name: Swift_Medium_Threat_Pasteboard_Leakage
 pretty_name: Pasteboard Leakage - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Medium_Threat_Path_Traversal:
 categories:
@@ -41762,6 +45057,7 @@ rules:
 group: top10-broken-access-control
 name: Swift_Medium_Threat_Path_Traversal
 pretty_name: Path Traversal - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Medium_Threat_Public_Storage_SQL_Injection:
 categories:
@@ -41778,6 +45074,7 @@ rules:
 group: top10-injection
 name: Swift_Medium_Threat_Public_Storage_SQL_Injection
 pretty_name: Public Storage SQL Injection - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Medium_Threat_Public_Storage_WebView_JavaScript_Injection:
 categories:
@@ -41793,6 +45090,7 @@ rules:
 group: top10-injection
 name: Swift_Medium_Threat_Public_Storage_WebView_JavaScript_Injection
 pretty_name: Public Storage WebView JavaScript Injection - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Medium_Threat_ReDoS:
 categories:
@@ -41807,6 +45105,7 @@ rules:
 group: top10-insecure-design
 name: Swift_Medium_Threat_ReDoS
 pretty_name: ReDoS - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Medium_Threat_SQL_Injection_From_URL_Scheme:
 categories:
@@ -41823,6 +45122,7 @@ rules:
 group: top10-injection
 name: Swift_Medium_Threat_SQL_Injection_From_URL_Scheme
 pretty_name: SQL Injection From URL Scheme - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Medium_Threat_Screen_Caching:
 categories:
@@ -41836,6 +45136,7 @@ rules:
 group: top10-broken-access-control
 name: Swift_Medium_Threat_Screen_Caching
 pretty_name: Screen Caching - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Medium_Threat_Unencrypted_Sensitive_Information_in_External_Storage:
 categories:
@@ -41849,6 +45150,7 @@ rules:
 group: top10-insecure-design
 name: Swift_Medium_Threat_Unencrypted_Sensitive_Information_in_External_Storage
 pretty_name: Unencrypted Sensitive Information in External Storage - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Medium_Threat_WebView_JavaScript_Injection_From_URL_Scheme:
 categories:
@@ -41864,6 +45166,7 @@ rules:
 group: top10-injection
 name: Swift_Medium_Threat_WebView_JavaScript_Injection_From_URL_Scheme
 pretty_name: WebView JavaScript Injection From URL Scheme - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Swift_Medium_Threat_XML_External_Entity:
 categories:
@@ -41878,6 +45181,7 @@ rules:
 group: top10-security-misconfiguration
 name: Swift_Medium_Threat_XML_External_Entity
 pretty_name: XML External Entity - Swift
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_Heuristic_Heuristic_Parameter_Tampering:
 categories:
@@ -41892,6 +45196,7 @@ rules:
 group: top10-insecure-design
 name: VB6_Heuristic_Heuristic_Parameter_Tampering
 pretty_name: Heuristic Parameter Tampering - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_Heuristic_Heuristic_SQL_Injection:
 categories:
@@ -41908,6 +45213,7 @@ rules:
 group: top10-injection
 name: VB6_Heuristic_Heuristic_SQL_Injection
 pretty_name: Heuristic SQL Injection - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_High_Risk_Code_Injection:
 categories:
@@ -41925,6 +45231,7 @@ rules:
 group: top10-injection
 name: VB6_High_Risk_Code_Injection
 pretty_name: Code Injection - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_High_Risk_Command_Injection:
 categories:
@@ -41942,6 +45249,7 @@ rules:
 group: top10-injection
 name: VB6_High_Risk_Command_Injection
 pretty_name: Command Injection - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_High_Risk_Connection_String_Injection:
 categories:
@@ -41957,6 +45265,7 @@ rules:
 group: top10-injection
 name: VB6_High_Risk_Connection_String_Injection
 pretty_name: Connection String Injection - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_High_Risk_SQL_Injection:
 categories:
@@ -41974,6 +45283,7 @@ rules:
 group: top10-injection
 name: VB6_High_Risk_SQL_Injection
 pretty_name: SQL Injection - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_High_Risk_Second_Order_SQL_Injection:
 categories:
@@ -41991,6 +45301,7 @@ rules:
 group: top10-injection
 name: VB6_High_Risk_Second_Order_SQL_Injection
 pretty_name: Second Order SQL Injection - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_Low_Visibility_Bounds_Check_Disabled:
 categories:
@@ -42005,6 +45316,7 @@ rules:
 group: top10-injection
 name: VB6_Low_Visibility_Bounds_Check_Disabled
 pretty_name: Bounds Check Disabled - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_Low_Visibility_Hardcoded_Absolute_Path:
 categories:
@@ -42019,6 +45331,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: VB6_Low_Visibility_Hardcoded_Absolute_Path
 pretty_name: Hardcoded Absolute Path - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_Low_Visibility_Improper_Error_Handling:
 categories:
@@ -42031,6 +45344,7 @@ rules:
 group: top10-insecure-design
 name: VB6_Low_Visibility_Improper_Error_Handling
 pretty_name: Improper Error Handling - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_Low_Visibility_Information_Exposure_Through_an_Error_Message:
 categories:
@@ -42044,6 +45358,7 @@ rules:
 group: top10-insecure-design
 name: VB6_Low_Visibility_Information_Exposure_Through_an_Error_Message
 pretty_name: Information Exposure Through an Error Message - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_Low_Visibility_Insecure_Randomness:
 categories:
@@ -42057,6 +45372,7 @@ rules:
 group: top10-crypto-failures
 name: VB6_Low_Visibility_Insecure_Randomness
 pretty_name: Insecure Randomness - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_Low_Visibility_Insufficiently_Protected_Credentials:
 categories:
@@ -42071,6 +45387,7 @@ rules:
 group: top10-insecure-design
 name: VB6_Low_Visibility_Insufficiently_Protected_Credentials
 pretty_name: Insufficiently Protected Credentials - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_Low_Visibility_Log_Forging:
 categories:
@@ -42083,6 +45400,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: VB6_Low_Visibility_Log_Forging
 pretty_name: Log Forging - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_Low_Visibility_Stored_Code_Injection:
 categories:
@@ -42099,6 +45417,7 @@ rules:
 group: top10-injection
 name: VB6_Low_Visibility_Stored_Code_Injection
 pretty_name: Stored Code Injection - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_Low_Visibility_Use_Of_Hardcoded_Password:
 categories:
@@ -42112,6 +45431,7 @@ rules:
 group: top10-id-authn-failures
 name: VB6_Low_Visibility_Use_Of_Hardcoded_Password
 pretty_name: Use Of Hardcoded Password - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_Medium_Threat_DoS_by_Sleep:
 categories:
@@ -42124,6 +45444,7 @@ rules:
 group: top10-insecure-design
 name: VB6_Medium_Threat_DoS_by_Sleep
 pretty_name: DoS by Sleep - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_Medium_Threat_Hardcoded_password_in_Connection_String:
 categories:
@@ -42137,6 +45458,7 @@ rules:
 group: top10-security-misconfiguration
 name: VB6_Medium_Threat_Hardcoded_password_in_Connection_String
 pretty_name: Hardcoded password in Connection String - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_Medium_Threat_Parameter_Tampering:
 categories:
@@ -42151,6 +45473,7 @@ rules:
 group: top10-insecure-design
 name: VB6_Medium_Threat_Parameter_Tampering
 pretty_name: Parameter Tampering - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_Medium_Threat_Path_Traversal:
 categories:
@@ -42168,6 +45491,7 @@ rules:
 group: top10-broken-access-control
 name: VB6_Medium_Threat_Path_Traversal
 pretty_name: Path Traversal - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VB6_Medium_Threat_Privacy_Violation:
 categories:
@@ -42183,6 +45507,7 @@ rules:
 group: top10-broken-access-control
 name: VB6_Medium_Threat_Privacy_Violation
 pretty_name: Privacy Violation - VB6
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Aptca_Methods_Call_Non_Aptca_Methods:
 categories:
@@ -42196,6 +45521,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Aptca_Methods_Call_Non_Aptca_Methods
 pretty_name: Aptca Methods Call Non Aptca Methods - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Catch_NullPointerException:
 categories:
@@ -42209,6 +45535,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Catch_NullPointerException
 pretty_name: Catch NullPointerException - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception:
 categories:
@@ -42222,6 +45549,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception
 pretty_name: Declaration Of Catch For Generic Exception - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Deprecated_Methods:
 categories:
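Review bot: The last three hunks here set `recommended: true` on VbNet_Best_Coding_Practice_* rules (Aptca_Methods_Call_Non_Aptca_Methods, Catch_NullPointerException, Declaration_Of_Catch_For_Generic_Exception), and the following hunks continue the pattern through the rest of that family, including Deprecated_Methods, Magic_Numbers, Non_Private_Static_Constructors and Visible_Pointers. Every rule in this range receives the flag, so if `recommended` is meant to select a curated default subset, these code-quality checks will be surfaced alongside the injection, crypto and access-control rules and dilute the security signal in the default policy. Consider leaving the flag off the Best_Coding_Practice entries, or deriving `recommended` from a rule's `group` and severity prefix instead of tagging each entry by hand; this is a judgement call that depends on how the consumer interprets the key, which is not visible here. Each hunk cuts through a rule mapping whose `categories` list begins outside the hunk.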
@@ -42235,6 +45563,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Deprecated_Methods
 pretty_name: Deprecated Methods - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action:
 categories:
@@ -42248,6 +45577,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action
 pretty_name: Detection of Error Condition Without Action - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Direct_Use_of_Sockets:
 categories:
@@ -42261,6 +45591,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Direct_Use_of_Sockets
 pretty_name: Direct Use of Sockets - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Dynamic_SQL_Queries:
 categories:
@@ -42277,6 +45608,7 @@ rules:
 group: top10-injection
 name: VbNet_Best_Coding_Practice_Dynamic_SQL_Queries
 pretty_name: Dynamic SQL Queries - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere:
 categories:
@@ -42290,6 +45622,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere
 pretty_name: Exposure of Resource to Wrong Sphere - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_GetLastWin32Error_Is_Not_Called_After_Pinvoke:
 categories:
@@ -42303,6 +45636,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_GetLastWin32Error_Is_Not_Called_After_Pinvoke
 pretty_name: GetLastWin32Error Is Not Called After Pinvoke - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Hardcoded_Absolute_Path:
 categories:
@@ -42317,6 +45651,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: VbNet_Best_Coding_Practice_Hardcoded_Absolute_Path
 pretty_name: Hardcoded Absolute Path - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Hardcoded_Connection_String:
 categories:
@@ -42332,6 +45667,7 @@ rules:
 group: top10-id-authn-failures
 name: VbNet_Best_Coding_Practice_Hardcoded_Connection_String
 pretty_name: Hardcoded Connection String - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined:
 categories:
@@ -42344,6 +45680,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined
 pretty_name: Just One of Equals and Hash code Defined - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Leftover_Debug_Code:
 categories:
@@ -42358,6 +45695,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Leftover_Debug_Code
 pretty_name: Leftover Debug Code - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Magic_Numbers:
 categories:
@@ -42370,6 +45708,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Magic_Numbers
 pretty_name: Magic Numbers - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Missing_XML_Validation:
 categories:
@@ -42383,6 +45722,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Missing_XML_Validation
 pretty_name: Missing XML Validation - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_NULL_Argument_to_Equals:
 categories:
@@ -42395,6 +45735,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_NULL_Argument_to_Equals
 pretty_name: NULL Argument to Equals - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Non_Private_Static_Constructors:
 categories:
@@ -42408,6 +45749,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Non_Private_Static_Constructors
 pretty_name: Non Private Static Constructors - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Pages_Without_Global_Error_Handler:
 categories:
@@ -42422,6 +45764,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Pages_Without_Global_Error_Handler
 pretty_name: Pages Without Global Error Handler - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_PersistSecurityInfo_is_True:
 categories:
@@ -42435,6 +45778,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_PersistSecurityInfo_is_True
 pretty_name: PersistSecurityInfo is True - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Threads_in_WebApp:
 categories:
@@ -42448,6 +45792,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Threads_in_WebApp
 pretty_name: Threads in WebApp - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Unchecked_Error_Condition:
 categories:
@@ -42460,6 +45805,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Unchecked_Error_Condition
 pretty_name: Unchecked Error Condition - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Unchecked_Return_Value:
 categories:
@@ -42473,6 +45819,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Unchecked_Return_Value
 pretty_name: Unchecked Return Value - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Unclosed_Objects:
 categories:
@@ -42486,6 +45833,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Unclosed_Objects
 pretty_name: Unclosed Objects - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Unvalidated_Arguments_Of_Public_Methods:
 categories:
@@ -42498,6 +45846,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Unvalidated_Arguments_Of_Public_Methods
 pretty_name: Unvalidated Arguments Of Public Methods - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Use_Of_Uninitialized_Variables:
 categories:
@@ -42511,6 +45860,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Use_Of_Uninitialized_Variables
 pretty_name: Use Of Uninitialized Variables - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Use_of_System_Output_Stream:
 categories:
@@ -42523,6 +45873,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Use_of_System_Output_Stream
 pretty_name: Use of System Output Stream - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Best_Coding_Practice_Visible_Pointers:
 categories:
@@ -42535,6 +45886,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Best_Coding_Practice_Visible_Pointers
 pretty_name: Visible Pointers - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Heuristic_Heuristic_2nd_Order_SQL_Injection:
 categories:
@@ -42551,6 +45903,7 @@ rules:
 group: top10-injection
 name: VbNet_Heuristic_Heuristic_2nd_Order_SQL_Injection
 pretty_name: Heuristic 2nd Order SQL Injection - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Heuristic_Heuristic_CSRF:
 categories:
@@ -42566,6 +45919,7 @@ rules:
 group: top10-injection
 name: VbNet_Heuristic_Heuristic_CSRF
 pretty_name: Heuristic CSRF - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Heuristic_Heuristic_DB_Parameter_Tampering:
 categories:
@@ -42579,6 +45933,7 @@ rules:
 group: top10-broken-access-control
 name: VbNet_Heuristic_Heuristic_DB_Parameter_Tampering
 pretty_name: Heuristic DB Parameter Tampering - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Heuristic_Heuristic_Parameter_Tampering:
 categories:
@@ -42593,6 +45948,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Heuristic_Heuristic_Parameter_Tampering
 pretty_name: Heuristic Parameter Tampering - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Heuristic_Heuristic_SQL_Injection:
 categories:
@@ -42609,6 +45965,7 @@ rules:
 group: top10-injection
 name: VbNet_Heuristic_Heuristic_SQL_Injection
 pretty_name: Heuristic SQL Injection - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Heuristic_Heuristic_Stored_XSS:
 categories:
@@ -42624,6 +45981,7 @@ rules:
 group: top10-injection
 name: VbNet_Heuristic_Heuristic_Stored_XSS
 pretty_name: Heuristic Stored XSS - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_High_Risk_Code_Injection:
 categories:
@@ -42641,6 +45999,7 @@ rules:
 group: top10-injection
 name: VbNet_High_Risk_Code_Injection
 pretty_name: Code Injection - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_High_Risk_Command_Injection:
 categories:
@@ -42658,6 +46017,7 @@ rules:
 group: top10-injection
 name: VbNet_High_Risk_Command_Injection
 pretty_name: Command Injection - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_High_Risk_Connection_String_Injection:
 categories:
@@ -42673,6 +46033,7 @@ rules:
 group: top10-injection
 name: VbNet_High_Risk_Connection_String_Injection
 pretty_name: Connection String Injection - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_High_Risk_Dangerous_File_Upload:
 categories:
@@ -42688,6 +46049,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_High_Risk_Dangerous_File_Upload
 pretty_name: Dangerous File Upload - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_High_Risk_LDAP_Injection:
 categories:
@@ -42704,6 +46066,7 @@ rules:
 group: top10-injection
 name: VbNet_High_Risk_LDAP_Injection
 pretty_name: LDAP Injection - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_High_Risk_Reflected_XSS_All_Clients:
 categories:
@@ -42720,6 +46083,7 @@ rules:
 group: top10-injection
 name: VbNet_High_Risk_Reflected_XSS_All_Clients
 pretty_name: Reflected XSS All Clients - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_High_Risk_Resource_Injection:
 categories:
@@ -42735,6 +46099,7 @@ rules:
 group: top10-injection
 name: VbNet_High_Risk_Resource_Injection
 pretty_name: Resource Injection - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_High_Risk_SQL_Injection:
 categories:
@@ -42752,6 +46117,7 @@ rules:
 group: top10-injection
 name: VbNet_High_Risk_SQL_Injection
 pretty_name: SQL Injection - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_High_Risk_Second_Order_SQL_Injection:
 categories:
@@ -42769,6 +46135,7 @@ rules:
 group: top10-injection
 name: VbNet_High_Risk_Second_Order_SQL_Injection
 pretty_name: Second Order SQL Injection - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_High_Risk_Stored_XSS:
 categories:
@@ -42785,6 +46152,7 @@ rules:
 group: top10-injection
 name: VbNet_High_Risk_Stored_XSS
 pretty_name: Stored XSS - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_High_Risk_UTF7_XSS:
 categories:
@@ -42801,6 +46169,7 @@ rules:
 group: top10-injection
 name: VbNet_High_Risk_UTF7_XSS
 pretty_name: UTF7 XSS - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_High_Risk_XPath_Injection:
 categories:
@@ -42817,6 +46186,7 @@ rules:
 group: top10-injection
 name: VbNet_High_Risk_XPath_Injection
 pretty_name: XPath Injection - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Blind_SQL_Injections:
 categories:
@@ -42833,6 +46203,7 @@ rules:
 group: top10-injection
 name: VbNet_Low_Visibility_Blind_SQL_Injections
 pretty_name: Blind SQL Injections - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors:
 categories:
@@ -42846,6 +46217,7 @@ rules:
 group: top10-injection
 name: VbNet_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors
 pretty_name: Cleansing Canonicalization and Comparison Errors - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Client_Side_Only_Validation:
 categories:
@@ -42859,6 +46231,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Low_Visibility_Client_Side_Only_Validation
 pretty_name: Client Side Only Validation - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Cross_Site_History_Manipulation:
 categories:
@@ -42874,6 +46247,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: VbNet_Low_Visibility_Cross_Site_History_Manipulation
 pretty_name: Cross Site History Manipulation - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Heap_Inspection:
 categories:
@@ -42888,6 +46262,7 @@ rules:
 group: top10-broken-access-control
 name: VbNet_Low_Visibility_Heap_Inspection
 pretty_name: Heap Inspection - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Impersonation_Issue:
 categories:
@@ -42901,6 +46276,7 @@ rules:
 group: top10-security-misconfiguration
 name: VbNet_Low_Visibility_Impersonation_Issue
 pretty_name: Impersonation Issue - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Improper_Encoding_Of_Output:
 categories:
@@ -42916,6 +46292,7 @@ rules:
 group: top10-injection
 name: VbNet_Low_Visibility_Improper_Encoding_Of_Output
 pretty_name: Improper Encoding Of Output - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Improper_Exception_Handling:
 categories:
@@ -42928,6 +46305,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Low_Visibility_Improper_Exception_Handling
 pretty_name: Improper Exception Handling - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Improper_Resource_Shutdown_or_Release:
 categories:
@@ -42941,6 +46319,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Low_Visibility_Improper_Resource_Shutdown_or_Release
 pretty_name: Improper Resource Shutdown or Release - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Improper_Session_Management:
 categories:
@@ -42954,6 +46333,7 @@ rules:
 group: top10-broken-access-control
 name: VbNet_Low_Visibility_Improper_Session_Management
 pretty_name: Improper Session Management - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Improper_Transaction_Handling:
 categories:
@@ -42968,6 +46348,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Low_Visibility_Improper_Transaction_Handling
 pretty_name: Improper Transaction Handling - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Information_Exposure_Through_an_Error_Message:
 categories:
@@ -42981,6 +46362,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Low_Visibility_Information_Exposure_Through_an_Error_Message
 pretty_name: Information Exposure Through an Error Message - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Information_Leak_Through_Persistent_Cookies:
 categories:
@@ -42994,6 +46376,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Low_Visibility_Information_Leak_Through_Persistent_Cookies
 pretty_name: Information Leak Through Persistent Cookies - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Insufficiently_Protected_Credentials:
 categories:
@@ -43008,6 +46391,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Low_Visibility_Insufficiently_Protected_Credentials
 pretty_name: Insufficiently Protected Credentials - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_JavaScript_Hijacking:
 categories:
@@ -43023,6 +46407,7 @@ rules:
 group: top10-injection
 name: VbNet_Low_Visibility_JavaScript_Hijacking
 pretty_name: JavaScript Hijacking - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Leaving_Temporary_Files:
 categories:
@@ -43035,6 +46420,7 @@ rules:
 group: top10-broken-access-control
 name: VbNet_Low_Visibility_Leaving_Temporary_Files
 pretty_name: Leaving Temporary Files - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Log_Forging:
 categories:
@@ -43047,6 +46433,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: VbNet_Low_Visibility_Log_Forging
 pretty_name: Log Forging - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Open_Redirect:
 categories:
@@ -43061,6 +46448,7 @@ rules:
 group: top10-broken-access-control
 name: VbNet_Low_Visibility_Open_Redirect
 pretty_name: Open Redirect - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy:
 categories:
@@ -43074,6 +46462,7 @@ rules:
 group: top10-id-authn-failures
 name: VbNet_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy
 pretty_name: Overly Permissive Cross Origin Resource Sharing Policy - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Session_Clearing_Problems:
 categories:
@@ -43088,6 +46477,7 @@ rules:
 group: top10-id-authn-failures
 name: VbNet_Low_Visibility_Session_Clearing_Problems
 pretty_name: Session Clearing Problems - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Session_Poisoning:
 categories:
@@ -43102,6 +46492,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Low_Visibility_Session_Poisoning
 pretty_name: Session Poisoning - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Stored_Code_Injection:
 categories:
@@ -43118,6 +46509,7 @@ rules:
 group: top10-injection
 name: VbNet_Low_Visibility_Stored_Code_Injection
 pretty_name: Stored Code Injection - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Thread_Safety_Issue:
 categories:
@@ -43132,6 +46524,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Low_Visibility_Thread_Safety_Issue
 pretty_name: Thread Safety Issue - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables:
 categories:
@@ -43145,6 +46538,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables
 pretty_name: Trust Boundary Violation in Session Variables - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_URL_Canonicalization_Issue:
 categories:
@@ -43159,6 +46553,7 @@ rules:
 group: top10-injection
 name: VbNet_Low_Visibility_URL_Canonicalization_Issue
 pretty_name: URL Canonicalization Issue - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Use_Of_Hardcoded_Password:
 categories:
@@ -43172,6 +46567,7 @@ rules:
 group: top10-id-authn-failures
 name: VbNet_Low_Visibility_Use_Of_Hardcoded_Password
 pretty_name: Use Of Hardcoded Password - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm:
 categories:
@@ -43184,6 +46580,7 @@ rules:
 group: top10-crypto-failures
 name: VbNet_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm
 pretty_name: Use of Broken or Risky Cryptographic Algorithm - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Low_Visibility_XSS_Evasion_Attack:
 categories:
@@ -43199,6 +46596,7 @@ rules:
 group: top10-injection
 name: VbNet_Low_Visibility_XSS_Evasion_Attack
 pretty_name: XSS Evasion Attack - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_Buffer_Overflow:
 categories:
@@ -43213,6 +46611,7 @@ rules:
 group: top10-injection
 name: VbNet_Medium_Threat_Buffer_Overflow
 pretty_name: Buffer Overflow - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_CGI_XSS:
 categories:
@@ -43228,6 +46627,7 @@ rules:
 group: top10-injection
 name: VbNet_Medium_Threat_CGI_XSS
 pretty_name: CGI XSS - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_CSRF:
 categories:
@@ -43243,6 +46643,7 @@ rules:
 group: top10-injection
 name: VbNet_Medium_Threat_CSRF
 pretty_name: CSRF - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_DB_Parameter_Tampering:
 categories:
@@ -43256,6 +46657,7 @@ rules:
 group: top10-broken-access-control
 name: VbNet_Medium_Threat_DB_Parameter_Tampering
 pretty_name: DB Parameter Tampering - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_Data_Filter_Injection:
 categories:
@@ -43269,6 +46671,7 @@ rules:
 group: top10-broken-access-control
 name: VbNet_Medium_Threat_Data_Filter_Injection
 pretty_name: Data Filter Injection - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_DoS_by_Sleep:
 categories:
@@ -43281,6 +46684,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Medium_Threat_DoS_by_Sleep
 pretty_name: DoS by Sleep - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_HTTP_Response_Splitting:
 categories:
@@ -43295,6 +46699,7 @@ rules:
 group: top10-injection
 name: VbNet_Medium_Threat_HTTP_Response_Splitting
 pretty_name: HTTP Response Splitting - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_Hardcoded_password_in_Connection_String:
 categories:
@@ -43308,6 +46713,7 @@ rules:
 group: top10-security-misconfiguration
 name: VbNet_Medium_Threat_Hardcoded_password_in_Connection_String
 pretty_name: Hardcoded password in Connection String - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_Improper_Locking:
 categories:
@@ -43321,6 +46727,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Medium_Threat_Improper_Locking
 pretty_name: Improper Locking - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_Integer_Overflow:
 categories:
@@ -43337,6 +46744,7 @@ rules:
 group: top10-injection
 name: VbNet_Medium_Threat_Integer_Overflow
 pretty_name: Integer Overflow - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_No_Request_Validation:
 categories:
@@ -43352,6 +46760,7 @@ rules:
 group: top10-injection
 name: VbNet_Medium_Threat_No_Request_Validation
 pretty_name: No Request Validation - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_Parameter_Tampering:
 categories:
@@ -43366,6 +46775,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Medium_Threat_Parameter_Tampering
 pretty_name: Parameter Tampering - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_Path_Traversal:
 categories:
@@ -43383,6 +46793,7 @@ rules:
 group: top10-broken-access-control
 name: VbNet_Medium_Threat_Path_Traversal
 pretty_name: Path Traversal - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_Privacy_Violation:
 categories:
@@ -43398,6 +46809,7 @@ rules:
 group: top10-broken-access-control
 name: VbNet_Medium_Threat_Privacy_Violation
 pretty_name: Privacy Violation - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_Reflected_XSS_Specific_Clients:
 categories:
@@ -43413,6 +46825,7 @@ rules:
 group: top10-injection
 name: VbNet_Medium_Threat_Reflected_XSS_Specific_Clients
 pretty_name: Reflected XSS Specific Clients - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_SQL_Injection_Evasion_Attack:
 categories:
@@ -43429,6 +46842,7 @@ rules:
 group: top10-injection
 name: VbNet_Medium_Threat_SQL_Injection_Evasion_Attack
 pretty_name: SQL Injection Evasion Attack - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_Stored_Command_Injection:
 categories:
@@ -43445,6 +46859,7 @@ rules:
 group: top10-injection
 name: VbNet_Medium_Threat_Stored_Command_Injection
 pretty_name: Stored Command Injection - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_Stored_LDAP_Injection:
 categories:
@@ -43460,6 +46875,7 @@ rules:
 group: top10-injection
 name: VbNet_Medium_Threat_Stored_LDAP_Injection
 pretty_name: Stored LDAP Injection - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_Stored_XPath_Injection:
 categories:
@@ -43475,6 +46891,7 @@ rules:
 group: top10-injection
 name: VbNet_Medium_Threat_Stored_XPath_Injection
 pretty_name: Stored XPath Injection - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_Unclosed_Connection:
 categories:
@@ -43488,6 +46905,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_Medium_Threat_Unclosed_Connection
 pretty_name: Unclosed Connection - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_Unsafe_Object_Binding:
 categories:
@@ -43502,6 +46920,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: VbNet_Medium_Threat_Unsafe_Object_Binding
 pretty_name: Unsafe Object Binding - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key:
 categories:
@@ -43515,6 +46934,7 @@ rules:
 group: top10-crypto-failures
 name: VbNet_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key
 pretty_name: Use of Hard coded Cryptographic Key - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_Medium_Threat_Value_Shadowing:
 categories:
@@ -43529,6 +46949,7 @@ rules:
 group: top10-injection
 name: VbNet_Medium_Threat_Value_Shadowing
 pretty_name: Value Shadowing - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_WebConfig_CookieLess_Authentication:
 categories:
@@ -43543,6 +46964,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_WebConfig_CookieLess_Authentication
 pretty_name: CookieLess Authentication - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_WebConfig_CookieLess_Session:
 categories:
@@ -43556,6 +46978,7 @@ rules:
 group: top10-broken-access-control
 name: VbNet_WebConfig_CookieLess_Session
 pretty_name: CookieLess Session - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_WebConfig_CustomError:
 categories:
@@ -43569,6 +46992,7 @@ rules:
 group: top10-security-misconfiguration
 name: VbNet_WebConfig_CustomError
 pretty_name: CustomError - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_WebConfig_DebugEnabled:
 categories:
@@ -43581,6 +47005,7 @@ rules:
 group: top10-security-misconfiguration
 name: VbNet_WebConfig_DebugEnabled
 pretty_name: DebugEnabled - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_WebConfig_Elmah_Enabled:
 categories:
@@ -43597,6 +47022,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_WebConfig_Elmah_Enabled
 pretty_name: Elmah Enabled - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_WebConfig_HardcodedCredentials:
 categories:
@@ -43611,6 +47037,7 @@ rules:
 group: top10-id-authn-failures
 name: VbNet_WebConfig_HardcodedCredentials
 pretty_name: HardcodedCredentials - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_WebConfig_HttpOnlyCookies_XSS:
 categories:
@@ -43624,6 +47051,7 @@ rules:
 group: top10-security-misconfiguration
 name: VbNet_WebConfig_HttpOnlyCookies_XSS
 pretty_name: HttpOnlyCookies XSS - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_WebConfig_Missing_X_Frame_Options:
 categories:
@@ -43638,6 +47066,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_WebConfig_Missing_X_Frame_Options
 pretty_name: Missing X Frame Options - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_WebConfig_NonUniqueFormName:
 categories:
@@ -43651,6 +47080,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_WebConfig_NonUniqueFormName
 pretty_name: NonUniqueFormName - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_WebConfig_Password_In_Configuration_File:
 categories:
@@ -43663,6 +47093,7 @@ rules:
 group: top10-security-misconfiguration
 name: VbNet_WebConfig_Password_In_Configuration_File
 pretty_name: Password In Configuration File - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_WebConfig_RequireSSL:
 categories:
@@ -43676,6 +47107,7 @@ rules:
 group: top10-security-misconfiguration
 name: VbNet_WebConfig_RequireSSL
 pretty_name: RequireSSL - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_WebConfig_SlidingExpiration:
 categories:
@@ -43690,6 +47122,7 @@ rules:
 group: top10-id-authn-failures
 name: VbNet_WebConfig_SlidingExpiration
 pretty_name: SlidingExpiration - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbNet_WebConfig_TraceEnabled:
 categories:
@@ -43704,6 +47137,7 @@ rules:
 group: top10-insecure-design
 name: VbNet_WebConfig_TraceEnabled
 pretty_name: TraceEnabled - VbNet
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbScript_High_Risk_DOM_Code_Injection:
 categories:
@@ -43721,6 +47155,7 @@ rules:
 group: top10-injection
 name: VbScript_High_Risk_DOM_Code_Injection
 pretty_name: DOM Code Injection - VbScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbScript_High_Risk_DOM_XSS:
 categories:
@@ -43737,6 +47172,7 @@ rules:
 group: top10-injection
 name: VbScript_High_Risk_DOM_XSS
 pretty_name: DOM XSS - VbScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbScript_Low_Visibility_Cookies_Inspection:
 categories:
@@ -43748,6 +47184,7 @@ rules:
 group: top10-security-misconfiguration
 name: VbScript_Low_Visibility_Cookies_Inspection
 pretty_name: Cookies Inspection - VbScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbScript_Low_Visibility_DOM_Open_Redirect:
 categories:
@@ -43762,6 +47199,7 @@ rules:
 group: top10-broken-access-control
 name: VbScript_Low_Visibility_DOM_Open_Redirect
 pretty_name: DOM Open Redirect - VbScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbScript_Low_Visibility_Weak_Password_Authentication:
 categories:
@@ -43775,6 +47213,7 @@ rules:
 group: top10-id-authn-failures
 name: VbScript_Low_Visibility_Weak_Password_Authentication
 pretty_name: Weak Password Authentication - VbScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbScript_Medium_Threat_Client_DoS_By_Sleep:
 categories:
@@ -43787,6 +47226,7 @@ rules:
 group: top10-insecure-design
 name: VbScript_Medium_Threat_Client_DoS_By_Sleep
 pretty_name: Client DoS By Sleep - VbScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbScript_Medium_Threat_Client_Untrusted_Activex:
 categories:
@@ -43801,6 +47241,7 @@ rules:
 group: top10-vulnerable-components
 name: VbScript_Medium_Threat_Client_Untrusted_Activex
 pretty_name: Client Untrusted Activex - VbScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbScript_Medium_Threat_DOM_CSRF:
 categories:
@@ -43816,6 +47257,7 @@ rules:
 group: top10-injection
 name: VbScript_Medium_Threat_DOM_CSRF
 pretty_name: DOM CSRF - VbScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 VbScript_Medium_Threat_DOM_Cookie_Poisoning:
 categories:
@@ -43830,6 +47272,7 @@ rules:
 group: top10-insecure-design
 name: VbScript_Medium_Threat_DOM_Cookie_Poisoning
 pretty_name: DOM Cookie Poisoning - VbScript
+ recommended: true
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 a05331ee-1653-45cb-91e6-13637a76e4f0:
 categories:
@@ -43840,6 +47283,7 @@ rules:
 group: top10-insecure-design
 name: a05331ee-1653-45cb-91e6-13637a76e4f0
 pretty_name: Deployment Without PodDisruptionBudget
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment#selector
 a0ab985d-660b-41f7-ac81-70957ee8e627:
 categories:
@@ -43850,6 +47294,7 @@ rules:
 group: cloud-resources-public-access
 name: a0ab985d-660b-41f7-ac81-70957ee8e627
 pretty_name: Storage Blob Service Container With Public Access
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts/blobservices/containers?tabs=json#containerproperties-object
 a0ae0a4e-712b-4115-8112-51b9eeed9d69:
 categories:
@@ -43861,6 +47306,7 @@ rules:
 group: cloud-insecure-iam
 name: a0ae0a4e-712b-4115-8112-51b9eeed9d69
 pretty_name: Lambda Functions With Full Privileges
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html
 a0bf7382-5d5a-4224-924c-3db8466026c9:
 categories:
@@ -43870,6 +47316,7 @@ rules:
 group: top10-insecure-design
 name: a0bf7382-5d5a-4224-924c-3db8466026c9
 pretty_name: Server URL Not Absolute
+ recommended: true
 ref: https://swagger.io/specification/#server-object
 a0f1bfe0-741e-473f-b3b2-13e66f856fab:
 categories:
@@ -43883,6 +47330,7 @@ rules:
 group: cloud-insecure-iam
 name: a0f1bfe0-741e-473f-b3b2-13e66f856fab
 pretty_name: S3 Bucket Allows Put Action From All Principals
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html
 a1120ee4-a712-42d9-8fb5-22595fed643b:
 categories:
@@ -43892,6 +47340,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: a1120ee4-a712-42d9-8fb5-22595fed643b
 pretty_name: Elasticsearch Logs Disabled
+ recommended: true
 ref: https://www.pulumi.com/registry/packages/aws/api-docs/elasticsearch/domain/#logpublishingoptions_yaml
 a1423864-2fbc-4f46-bfe1-fbbf125c71c9:
 categories:
@@ -43901,6 +47350,7 @@ rules:
 group: top10-crypto-failures
 name: a1423864-2fbc-4f46-bfe1-fbbf125c71c9
 pretty_name: CodeBuild Not Encrypted
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_codebuild_module.html
 a14ad534-acbe-4a8e-9404-2f7e1045646e:
 categories:
@@ -43911,6 +47361,7 @@ rules:
 group: cloud-resources-public-access
 name: a14ad534-acbe-4a8e-9404-2f7e1045646e
 pretty_name: HTTP Port Open To Internet
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html#ansible-collections-amazon-aws-ec2-group-module
 a186e82c-1078-4a7b-85d8-579561fde884:
 categories:
@@ -43920,6 +47371,7 @@ rules:
 group: cloud-resources-public-access
 name: a186e82c-1078-4a7b-85d8-579561fde884
 pretty_name: API Gateway without WAF
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafregional_web_acl_association#resource_arn
 a187ac47-8163-42ce-8a63-c115236be6fb:
 categories:
@@ -43931,6 +47383,7 @@ rules:
 group: cloud-weak-configuration
 name: a187ac47-8163-42ce-8a63-c115236be6fb
 pretty_name: Azure Container Registry With No Locks
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry
 a19b2942-142e-4e2b-93b7-6cf6a6c8d90f:
 categories:
@@ -43941,6 +47394,7 @@ rules:
 group: cloud-insecure-iam
 name: a19b2942-142e-4e2b-93b7-6cf6a6c8d90f
 pretty_name: AMI Shared With Multiple Accounts
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_ami_module.html
 a19c3bbd-c056-40d7-9e1c-eeb0634e320d:
 categories:
@@ -43951,6 +47405,7 @@ rules:
 group: cloud-weak-configuration
 name: a19c3bbd-c056-40d7-9e1c-eeb0634e320d
 pretty_name: Additional Properties Too Restrictive
+ recommended: true
 ref: https://swagger.io/specification/#schema-object
 a1bc27c6-7115-48d8-bf9d-5a7e836845ba:
 categories:
@@ -43962,6 +47417,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: a1bc27c6-7115-48d8-bf9d-5a7e836845ba
 pretty_name: Run Using apt
+ recommended: true
 ref: https://github.com/containers/buildah/blob/main/docs/buildah-run.1.md
 a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2:
 categories:
@@ -43972,6 +47428,7 @@ rules:
 group: top10-insecure-design
 name: a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2
 pretty_name: Operation Without Successful HTTP Status Code (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#operationObject
 a1ef9d2e-4163-40cb-bd92-04f0d602a15d:
 categories:
@@ -43982,6 +47439,7 @@ rules:
 group: cloud-insecure-iam
 name: a1ef9d2e-4163-40cb-bd92-04f0d602a15d
 pretty_name: S3 Bucket ACL Allows Read to All Users
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission
 a20be318-cac7-457b-911d-04cc6e812c25:
 categories:
@@ -43992,6 +47450,7 @@ rules:
 group: cloud-resources-public-access
 name: a20be318-cac7-457b-911d-04cc6e812c25
 pretty_name: Network ACL With Unrestricted Access To RDP
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl
 a21b8df3-c840-4b3d-a41a-10fb2afda171:
 categories:
@@ -44002,6 +47461,7 @@ rules:
 group: cloud-weak-configuration
 name: a21b8df3-c840-4b3d-a41a-10fb2afda171
 pretty_name: Not Proper Email Account In Use
+ recommended: true
 ref: https://cloud.google.com/deployment-manager/docs/configuration/set-access-control-resources
 a21c8da9-41bf-40cf-941d-330cf0d11fc7:
 categories:
@@ -44012,6 +47472,7 @@ rules:
 group: cloud-insecure-iam
 name: a21c8da9-41bf-40cf-941d-330cf0d11fc7
 pretty_name: Azure Active Directory Authentication
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/service_fabric_cluster#tenant_id
 a227ec01-f97a-4084-91a4-47b350c1db54:
 categories:
@@ -44021,6 +47482,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: a227ec01-f97a-4084-91a4-47b350c1db54
 pretty_name: S3 Bucket Without Versioning
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
 a25cd877-375c-4121-a640-730929936fac:
 categories:
@@ -44030,6 +47492,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: a25cd877-375c-4121-a640-730929936fac
 pretty_name: GuardDuty Detector Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-guardduty-detector.html
 a2f2800e-614b-4bc8-89e6-fec8afd24800:
 categories:
@@ -44041,6 +47504,7 @@ rules:
 group: top10-crypto-failures
 name: a2f2800e-614b-4bc8-89e6-fec8afd24800
 pretty_name: Serverless API Without Content Encoding
+ recommended: true
 ref: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-minimumcompressionsize
 a2f548f2-188c-4fff-b172-e9a6acb216bd:
 categories:
@@ -44051,6 +47515,7 @@ rules:
 group: top10-crypto-failures
 name: a2f548f2-188c-4fff-b172-e9a6acb216bd
 pretty_name: Secretsmanager Secret Without KMS
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret#kms_key_id
 a2fdf451-89dd-451e-af92-bf6c0f4bab96:
 categories:
@@ -44060,6 +47525,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: a2fdf451-89dd-451e-af92-bf6c0f4bab96
 pretty_name: Configuration Aggregator to All Regions Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_config_aggregator_module.html#parameter-organization_source
 a31a5a29-718a-4ff4-8001-a69e5e4d029e:
 categories:
@@ -44071,6 +47537,7 @@ rules:
 group: cloud-weak-configuration
 name: a31a5a29-718a-4ff4-8001-a69e5e4d029e
 pretty_name: Instance With No VPC
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance
 a31b7b82-d994-48c4-bd21-3bab6c31827a:
 categories:
@@ -44081,6 +47548,7 @@ rules:
 group: cloud-insecure-iam
 name: a31b7b82-d994-48c4-bd21-3bab6c31827a
 pretty_name: Deployment Has No PodAntiAffinity
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
 a33e9173-b674-4dfb-9d82-cf3754816e4b:
 categories:
@@ -44092,6 +47560,7 @@ rules:
 group: cloud-weak-configuration
 name: a33e9173-b674-4dfb-9d82-cf3754816e4b
 pretty_name: PSP Allows Containers To Share The Host Network Namespace
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
 a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b:
 categories:
@@ -44102,6 +47571,7 @@ rules:
 group: cloud-weak-configuration
 name: a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b
 pretty_name: AD Admin Not Configured For SQL Server
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_active_directory_administrator
 a3aa0087-8228-4e7e-b202-dc9036972d02:
 categories:
@@ -44111,6 +47581,7 @@ rules:
 group: cloud-insecure-iam
 name: a3aa0087-8228-4e7e-b202-dc9036972d02
 pretty_name: Neptune Cluster With IAM Database Authentication Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-neptune-dbcluster.html#cfn-neptune-dbcluster-iamauthenabled
 a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd:
 categories:
@@ -44121,6 +47592,7 @@ rules:
 group: top10-insecure-design
 name: a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd
 pretty_name: Security Group Ingress Has CIDR Not Recommended
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html
 a4247b11-890b-45df-bf42-350a7a3af9be:
 categories:
@@ -44130,6 +47602,7 @@ rules:
 group: cloud-insecure-iam
 name: a4247b11-890b-45df-bf42-350a7a3af9be
 pretty_name: Security Scheme Using HTTP Digest
+ recommended: true
 ref: https://swagger.io/specification/#security-scheme-object
 a46928f1-43d7-4671-94e0-2dd99746f389:
 categories:
@@ -44140,6 +47613,7 @@ rules:
 group: top10-crypto-failures
 name: a46928f1-43d7-4671-94e0-2dd99746f389
 pretty_name: Schemes Uses HTTP
+ recommended: true
 ref: https://swagger.io/specification/v2/#swaggerObject
 a478af30-8c3a-404d-aa64-0b673cee509a:
 categories:
@@ -44150,6 +47624,7 @@ rules:
 group: cloud-resources-public-access
 name: a478af30-8c3a-404d-aa64-0b673cee509a
 pretty_name: Redshift Using Default Port
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html#cfn-redshift-cluster-port
 a4966c4f-9141-48b8-a564-ffe9959945bc:
 categories:
@@ -44163,6 +47638,7 @@ rules:
 group: cloud-insecure-iam
 name: a4966c4f-9141-48b8-a564-ffe9959945bc
 pretty_name: S3 Bucket With All Permissions
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
 a4d32883-aac7-42e1-b403-9415af0f3846:
 categories:
@@ -44172,6 +47648,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: a4d32883-aac7-42e1-b403-9415af0f3846
 pretty_name: Serverless API Access Logging Setting Undefined
+ recommended: true
 ref: https://www.serverless.com/framework/docs/providers/aws/guide/serverless.yml#logs
 a4dd69b8-49fa-45d2-a060-c76655405b05:
 categories:
@@ -44183,6 +47660,7 @@ rules:
 group: top10-insecure-design
 name: a4dd69b8-49fa-45d2-a060-c76655405b05
 pretty_name: Property 'explode' of Encoding Object Ignored
+ recommended: true
 ref: https://swagger.io/specification/#encoding-object
 a507daa5-0795-4380-960b-dd7bb7c56661:
 categories:
@@ -44196,6 +47674,7 @@ rules:
 group: top10-crypto-failures
 name: a507daa5-0795-4380-960b-dd7bb7c56661
 pretty_name: ELB Using Weak Ciphers
+ recommended: true
 ref: https://doc.crds.dev/github.com/crossplane/provider-aws/elbv2.aws.crossplane.io/Listener/v1alpha1@v0.29.0#spec-forProvider-sslPolicy
 a5366a50-932f-4085-896b-41402714a388:
 categories:
@@ -44207,6 +47686,7 @@ rules:
 group: top10-crypto-failures
 name: a5366a50-932f-4085-896b-41402714a388
 pretty_name: Connection Between CloudFront Origin Not Encrypted
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html
 a5375be3-521c-43bb-9eab-e2432e368ee4:
 categories:
@@ -44218,6 +47698,7 @@ rules:
 group: top10-insecure-design
 name: a5375be3-521c-43bb-9eab-e2432e368ee4
 pretty_name: Unknown Prefix (v3)
+ recommended: true
 ref: https://swagger.io/specification/#media-type-object
 a5530bd7-225a-48f9-91bb-f40b04200165:
 categories:
@@ -44229,6 +47710,7 @@ rules:
 group: cloud-insecure-iam
 name: a5530bd7-225a-48f9-91bb-f40b04200165
 pretty_name: Service Account Lookup Set To False
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 a5613650-32ec-4975-a305-31af783153ea:
 categories:
@@ -44238,6 +47720,7 @@ rules:
 group: cloud-weak-configuration
 name: a5613650-32ec-4975-a305-31af783153ea
 pretty_name: Default Azure Storage Account Network Access Is Too Permissive
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action
 a58d1a2d-4078-4b80-855b-84cc3f7f4540:
 categories:
@@ -44248,6 +47731,7 @@ rules:
 group: top10-crypto-failures
 name: a58d1a2d-4078-4b80-855b-84cc3f7f4540
 pretty_name: IAM Group Inline Policies
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html
 a597e05a-c065-44e7-9cc8-742f572a504a:
 categories:
@@ -44257,6 +47741,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: a597e05a-c065-44e7-9cc8-742f572a504a
 pretty_name: RDS Instance Log Duration Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters
 a599b0d1-ff89-4cb8-9ece-9951854c06f6:
 categories:
@@ -44267,6 +47752,7 @@ rules:
 group: top10-insecure-design
 name: a599b0d1-ff89-4cb8-9ece-9951854c06f6
 pretty_name: Security Requirement Not Defined In Security Definition
+ recommended: true
 ref: https://swagger.io/specification/v2/#securityRequirementObject
 a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01:
 categories:
@@ -44278,6 +47764,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01
 pretty_name: SQL DB Instance Backup Disabled
+ recommended: true
 ref: https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances
 a62a99d1-8196-432f-8f80-3c100b05d62a:
 categories:
@@ -44288,6 +47775,7 @@ rules:
 group: cloud-insecure-iam
 name: a62a99d1-8196-432f-8f80-3c100b05d62a
 pretty_name: Volume Mount With OS Directory Write Permissions
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#volume_mount
 a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3:
 categories:
@@ -44297,6 +47785,7 @@ rules:
 group: top10-insecure-design
 name: a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3
 pretty_name: Readiness Probe Is Not Configured
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes
 a6847dc6-f4ea-45ac-a81f-93291ae6c573:
 categories:
@@ -44307,6 +47796,7 @@ rules:
 group: top10-crypto-failures
 name: a6847dc6-f4ea-45ac-a81f-93291ae6c573
 pretty_name: Path Scheme Accepts HTTP (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#operationObject
 a68da022-e95a-4bc2-97d3-481e0bd6d446:
 categories:
@@ -44317,6 +47807,7 @@ rules:
 group: top10-insecure-design
 name: a68da022-e95a-4bc2-97d3-481e0bd6d446
 pretty_name: Components Header Definition Is Unused
+ recommended: true
 ref: https://swagger.io/specification/#components-object
 a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9:
 categories:
@@ -44326,6 +47817,7 @@ rules:
 group: cloud-weak-configuration
 name: a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9
 pretty_name: PSP Set To Privileged
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#privileged
 a6cd52a1-3056-4910-96a5-894de9f3f3b3:
 categories:
@@ -44337,6 +47829,7 @@ rules:
 group: cloud-insecure-iam
 name: a6cd52a1-3056-4910-96a5-894de9f3f3b3
 pretty_name: Cloud Storage Anonymous or Publicly Accessible
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam#google_storage_bucket_iam_binding
 a6d27cf7-61dc-4bde-ae08-3b353b609f76:
 categories:
@@ -44347,6 +47840,7 @@ rules:
 group: top10-crypto-failures
 name: a6d27cf7-61dc-4bde-ae08-3b353b609f76
 pretty_name: Cloudfront Viewer Protocol Policy Allows HTTP
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html
 a6d774b6-d9ea-4bf4-8433-217bf15d2fb8:
 categories:
@@ -44357,6 +47851,7 @@ rules:
 group: cloud-resources-public-access
 name: a6d774b6-d9ea-4bf4-8433-217bf15d2fb8
 pretty_name: PostgresSQL Database Server Connection Throttling Disabled
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers/configurations?tabs=json
 a6f34658-fdfb-4154-9536-56d516f65828:
 categories:
@@ -44366,6 +47861,7 @@ rules:
 group: cloud-insecure-iam
 name: a6f34658-fdfb-4154-9536-56d516f65828
 pretty_name: Docker Daemon Socket is Exposed to Containers
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/storage/volumes/
 a71ecabe-03b6-456a-b3bc-d1a39aa20c98:
 categories:
@@ -44375,6 +47871,7 @@ rules:
 group: cloud-weak-configuration
 name: a71ecabe-03b6-456a-b3bc-d1a39aa20c98
 pretty_name: Serverless Function Without Tags
+ recommended: true
 ref: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-tags
 a737be28-37d8-4bff-aa6d-1be8aa0a0015:
 categories:
@@ -44384,6 +47881,7 @@ rules:
 group: cloud-weak-configuration
 name: a737be28-37d8-4bff-aa6d-1be8aa0a0015
 pretty_name: Workload Mounting With Sensitive OS Directory
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_path
 a77f4d07-c6e0-4a48-8b35-0eeb51576f4f:
 categories:
@@ -44395,6 +47893,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: a77f4d07-c6e0-4a48-8b35-0eeb51576f4f
 pretty_name: Always Pull Images Admission Control Plugin Not Set
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 a7b520bb-2509-4fb0-be05-bc38f54c7a4c:
 categories:
@@ -44405,6 +47904,7 @@ rules:
 group: cloud-weak-configuration
 name: a7b520bb-2509-4fb0-be05-bc38f54c7a4c
 pretty_name: MySQL Instance With Local Infile On
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags
 a7f8ac28-eed1-483d-87c8-4c325f022572:
 categories:
@@ -44415,6 +47915,7 @@ rules:
 group: top10-crypto-failures
 name: a7f8ac28-eed1-483d-87c8-4c325f022572
 pretty_name: Serverless Function Environment Variables Not Encrypted
+ recommended: true
 ref: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-kmskeyarn
 a8128dd2-89b0-464b-98e9-5d629041dfe0:
 categories:
@@ -44425,6 +47926,7 @@ rules:
 group: cloud-weak-secrets-management
 name: a8128dd2-89b0-464b-98e9-5d629041dfe0
 pretty_name: RAM Account Password Policy without Reuse Prevention
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#password_reuse_prevention
 a81573f9-3691-4d83-88a0-7d4af63e17a3:
 categories:
@@ -44435,6 +47937,7 @@ rules:
 group: cloud-weak-configuration
 name: a81573f9-3691-4d83-88a0-7d4af63e17a3
 pretty_name: Azure App Service Client Certificate Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#client_cert_enabled
 a829b715-cf75-4e92-b645-54c9b739edfb:
 categories:
@@ -44445,6 +47948,7 @@ rules:
 group: cloud-resources-public-access
 name: a829b715-cf75-4e92-b645-54c9b739edfb
 pretty_name: Firewall Rule Allows Too Many Hosts To Access Redis Cache
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_firewall_rule
 a8852cc0-fd4b-4fc7-9372-1e43fad0732e:
 categories:
@@ -44455,6 +47959,7 @@ rules:
 group: top10-insecure-design
 name: a8852cc0-fd4b-4fc7-9372-1e43fad0732e
 pretty_name: Account Admins Not Notified By Email
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2017-03-01-preview/servers/securityalertpolicies?tabs=json
 a88baa34-e2ad-44ea-ad6f-8cac87bc7c71:
 categories:
@@ -44465,6 +47970,7 @@ rules:
 group: cloud-weak-secrets-management
 name: a88baa34-e2ad-44ea-ad6f-8cac87bc7c71
 pretty_name: Passwords And Secrets
+ recommended: true
 ref: https://docs.kics.io/latest/secrets/
 a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1:
 categories:
@@ -44475,6 +47981,7 @@ rules: group: cloud-resources-public-access name: a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1 pretty_name: EC2 Instance Has Public IP + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-assign_public_ip a8e859da-4a43-4e7f-94b8-25d6e3bf8e90: categories: @@ -44485,6 +47992,7 @@ rules: group: top10-insecure-design name: a8e859da-4a43-4e7f-94b8-25d6e3bf8e90 pretty_name: Items Undefined (v3) + recommended: true ref: https://swagger.io/specification/#schema-object a8fc2180-b3ac-4c93-bd0d-a55b974e4b07: categories: @@ -44495,6 +48003,7 @@ rules: group: top10-security-logging-monitoring-failures name: a8fc2180-b3ac-4c93-bd0d-a55b974e4b07 pretty_name: S3 Bucket Object Level CloudTrail Logging Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#event_selector a9174d31-d526-4ad9-ace4-ce7ddbf52e03: categories: @@ -44509,6 +48018,7 @@ rules: group: cloud-weak-configuration name: a9174d31-d526-4ad9-ace4-ce7ddbf52e03 pretty_name: Cluster Allows Unsafe Sysctls + recommended: true ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_unsafe_sysctls a9228976-10cf-4b5f-b902-9e962aad037a: categories: @@ -44518,6 +48028,7 @@ rules: group: top10-insecure-design name: a9228976-10cf-4b5f-b902-9e962aad037a pretty_name: Type Has Invalid Keyword (v3) + recommended: true ref: https://swagger.io/specification/#schema-object a92be1d5-d762-484a-86d6-8cd0907ba100: categories: @@ -44529,6 +48040,7 @@ rules: name: a92be1d5-d762-484a-86d6-8cd0907ba100 pretty_name: Response on operations that should have a body has undefined schema (v3) + recommended: true ref: https://swagger.io/docs/specification/describing-responses/ a964d6e3-8e1e-4d93-8120-61fa640dd55a: categories: 
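Review bot: Three hunks on this line (a8e859da `Items Undefined (v3)`, a9228976 `Type Has Invalid Keyword (v3)`, a92be1d5 undefined response schema) mark OpenAPI schema-validity checks as recommended although they detect a malformed spec document, not a weakness in the API it describes, and the `top10-insecure-design` group they carry does not change that. If `recommended` feeds a default-on policy, these will dwarf the access-control rules of the same family on any repository that vendors a hand-written spec. I would keep the flag on the security-scheme and response-code rules and drop it from the pure schema-lint entries, i.e. remove the added `recommended: true` from those three hunks; if the intent is that `recommended` means "enabled by default" regardless of severity, that definition should be stated once where consumers of this file can see it.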
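Review bot: `Cluster Allows Unsafe Sysctls` (a9174d31-…) becomes recommended while its unchanged `ref` still points at `kubernetes/.../pod_security_policy#allowed_unsafe_sysctls`; PodSecurityPolicy was removed from Kubernetes in 1.25, so a recommended finding would direct users to remediation that cannot be applied on a current cluster. The check itself is worth keeping in the baseline (unsafe sysctls are a recognised pod-hardening concern and are restricted by the Pod Security Standards `baseline` profile), so I would keep the flag but repoint the reference, e.g. `ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/`, which covers the kubelet `--allowed-unsafe-sysctls` setting that replaced the PSP field. That `ref` line is context in this hunk, so it would be a separate edit.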
@@ -44539,6 +48051,7 @@ rules: group: top10-insecure-design name: a964d6e3-8e1e-4d93-8120-61fa640dd55a pretty_name: IAM User Without Password Reset + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user-loginprofile.html a96bbc06-8cde-4295-ad3c-ee343a7f658e: categories: @@ -44549,6 +48062,7 @@ rules: group: top10-insecure-design name: a96bbc06-8cde-4295-ad3c-ee343a7f658e pretty_name: Default Invalid (v3) + recommended: true ref: https://swagger.io/specification/#schema-object a976d63f-af0e-46e8-b714-8c1a9c4bf768: categories: @@ -44559,6 +48073,7 @@ rules: group: top10-crypto-failures name: a976d63f-af0e-46e8-b714-8c1a9c4bf768 pretty_name: MSK Cluster Encryption Disabled + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-msk-cluster.html a97a340a-0063-418e-b3a1-3028941d0995: categories: @@ -44569,6 +48084,7 @@ rules: group: cloud-weak-configuration name: a97a340a-0063-418e-b3a1-3028941d0995 pretty_name: Pod or Container Without Security Context + recommended: true ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ a99130ab-4c0e-43aa-97f8-78d4fcb30024: categories: @@ -44578,6 +48094,7 @@ rules: group: top10-crypto-failures name: a99130ab-4c0e-43aa-97f8-78d4fcb30024 pretty_name: Encryption On Managed Disk Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk#encryption_settings a9a13d4f-f17a-491b-b074-f54bffffcb4a: categories: @@ -44587,6 +48104,7 @@ rules: group: cloud-weak-configuration name: a9a13d4f-f17a-491b-b074-f54bffffcb4a pretty_name: Service Account Token Automount Not Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#automount_service_account_token a9becca7-892a-4af7-b9e1-44bf20a4cd9a: categories: 
@@ -44596,6 +48114,7 @@ rules: group: top10-security-logging-monitoring-failures name: a9becca7-892a-4af7-b9e1-44bf20a4cd9a pretty_name: PostgreSQL Server Without Connection Throttling + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html a9c2f49d-0671-4fc9-9ece-f4e261e128d0: categories: @@ -44605,6 +48124,7 @@ rules: group: supply-chain-cicd-weak-configuration name: a9c2f49d-0671-4fc9-9ece-f4e261e128d0 pretty_name: Root Container Not Mounted Read-only + recommended: true ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ a9dfec39-a740-4105-bbd6-721ba163c053: categories: @@ -44616,6 +48136,7 @@ rules: group: cloud-weak-secrets-management name: a9dfec39-a740-4105-bbd6-721ba163c053 pretty_name: Ram Account Password Policy Not Required Minimum Length + recommended: true ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#minimum_password_length aa737abf-6b1d-4aba-95aa-5c160bd7f96e: categories: @@ -44625,6 +48146,7 @@ rules: group: cloud-weak-configuration name: aa737abf-6b1d-4aba-95aa-5c160bd7f96e pretty_name: Image Pull Policy Of The Container Is Not Set To Always + recommended: true ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image_pull_policy aa8f7a35-9923-4cad-bd61-a19b7f6aac91: categories: @@ -44634,6 +48156,7 @@ rules: group: cloud-insecure-iam name: aa8f7a35-9923-4cad-bd61-a19b7f6aac91 pretty_name: Non Kube System Pod With Host Mount + recommended: true ref: https://kubernetes.io/docs/concepts/storage/volumes/ aa93e17f-b6db-4162-9334-c70334e7ac28: categories: @@ -44645,6 +48168,7 @@ rules: group: top10-insecure-design name: aa93e17f-b6db-4162-9334-c70334e7ac28 pretty_name: Chown Flag Exists + recommended: true ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/ aafa7d94-62de-4fbf-8838-b69ee217b0e6: categories: 
@@ -44657,6 +48181,7 @@ rules: group: cloud-insecure-iam name: aafa7d94-62de-4fbf-8838-b69ee217b0e6 pretty_name: Container Memory Requests Not Equal To It's Limits + recommended: true ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ab1263c2-81df-46f0-9f2c-0b62fdb68419: categories: @@ -44666,6 +48191,7 @@ rules: group: top10-insecure-design name: ab1263c2-81df-46f0-9f2c-0b62fdb68419 pretty_name: Security Field Undefined + recommended: true ref: https://swagger.io/specification/#security-requirement-object ab2af219-cd08-4233-b5a1-a788aac88b51: categories: @@ -44675,6 +48201,7 @@ rules: group: top10-insecure-design name: ab2af219-cd08-4233-b5a1-a788aac88b51 pretty_name: Property Defining Minimum Greater Than Maximum (v3) + recommended: true ref: https://swagger.io/specification/#schema-object ab871897-ec02-4835-9818-702536ee1dda: categories: @@ -44684,6 +48211,7 @@ rules: group: top10-insecure-design name: ab871897-ec02-4835-9818-702536ee1dda pretty_name: Parameters Name In Combination Not Unique (v2) + recommended: true ref: https://swagger.io/specification/v2/#parameterObject abb06e5f-ef9a-4a99-98c6-376d396bfcdf: categories: @@ -44694,6 +48222,7 @@ rules: group: cloud-insecure-iam name: abb06e5f-ef9a-4a99-98c6-376d396bfcdf pretty_name: SQS Queue Exposed + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue#policy abcb818b-5af7-4d72-aba9-6dd84956b451: categories: @@ -44703,6 +48232,7 @@ rules: group: cloud-weak-configuration name: abcb818b-5af7-4d72-aba9-6dd84956b451 pretty_name: Using Default Namespace + recommended: true ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#namespace abdb29d4-5ca1-4e91-800b-b3569bbd788c: categories: 
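Review bot: The hunk for aafa7d94 (`Container Memory Requests Not Equal To It's Limits`) promotes a resource-quota check to recommended while its unchanged `group` is `cloud-insecure-iam`; nothing about requests and limits touches identity or access, so if recommended findings are reported or gated per group (inferred, not visible here) this will be counted as an IAM failure. `Memory Limits Not Defined` and `Node Auto Upgrade Disabled` later in the patch carry the same `group`. Before widening the audience of these rules I would move them to `cloud-weak-configuration`, where sibling checks such as `Using Default Namespace` on this line already sit, and fix the possessive in the title (`Its Limits`) since the string becomes far more visible once the rule is recommended. Both fields are context lines here, so that is a follow-up edit rather than a change to this hunk.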
@@ -44713,6 +48243,7 @@ rules: group: top10-crypto-failures name: abdb29d4-5ca1-4e91-800b-b3569bbd788c pretty_name: Config Rule For Encrypted Volumes Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule ac1564a3-c324-4747-9fa1-9dfc234dace0: categories: @@ -44722,6 +48253,7 @@ rules: group: cloud-insecure-iam name: ac1564a3-c324-4747-9fa1-9dfc234dace0 pretty_name: Shared Host Network Namespace + recommended: true ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_network ac5a0bc0-a54c-45aa-90c3-15f7703b9132: categories: @@ -44731,6 +48263,7 @@ rules: group: top10-security-logging-monitoring-failures name: ac5a0bc0-a54c-45aa-90c3-15f7703b9132 pretty_name: Configuration Aggregator to All Regions Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_aggregator#all_regions acb6b4e2-a086-4f35-aefd-4db6ea51ada2: categories: @@ -44740,6 +48273,7 @@ rules: group: top10-security-logging-monitoring-failures name: acb6b4e2-a086-4f35-aefd-4db6ea51ada2 pretty_name: Elasticsearch Log Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#log_publishing_options acc78859-765e-4011-a229-a65ea57db252: categories: @@ -44753,6 +48287,7 @@ rules: group: cloud-insecure-iam name: acc78859-765e-4011-a229-a65ea57db252 pretty_name: S3 Bucket Allows Delete Action From All Principals + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html ace823d1-4432-4dee-945b-cdf11a5a6bd0: categories: 
@@ -44762,6 +48297,7 @@ rules: group: cloud-weak-configuration name: ace823d1-4432-4dee-945b-cdf11a5a6bd0 pretty_name: Function App HTTP2 Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#http2_enabled acfdbec6-4a17-471f-b412-169d77553332: categories: @@ -44773,6 +48309,7 @@ rules: group: cloud-weak-configuration name: acfdbec6-4a17-471f-b412-169d77553332 pretty_name: Google Container Node Pool Auto Repair Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool ad0875c1-0b39-4890-9149-173158ba3bba: categories: @@ -44783,6 +48320,7 @@ rules: group: top10-security-logging-monitoring-failures name: ad0875c1-0b39-4890-9149-173158ba3bba pretty_name: Cloud Storage Bucket Versioning Disabled + recommended: true ref: https://cloud.google.com/storage/docs/json_api/v1/buckets ad21e616-5026-4b9d-990d-5b007bfe679c: categories: @@ -44794,6 +48332,7 @@ rules: group: top10-insecure-design name: ad21e616-5026-4b9d-990d-5b007bfe679c pretty_name: Auto Scaling Group With No Associated ELB + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-group.html ad296c0d-8131-4d6b-b030-1b0e73a99ad3: categories: @@ -44804,6 +48343,7 @@ rules: group: cloud-insecure-iam name: ad296c0d-8131-4d6b-b030-1b0e73a99ad3 pretty_name: Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy ad432855-b7fb-4429-92a3-93b5ce34f0b1: categories: @@ -44814,6 +48354,7 @@ rules: group: cloud-resources-public-access name: ad432855-b7fb-4429-92a3-93b5ce34f0b1 pretty_name: Success Response Code Undefined for Delete Operation (v2) + recommended: true ref: https://swagger.io/specification/v2/#operation-object ad5b4e97-2850-4adf-be17-1d293e0b85ee: categories: 
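Review bot: `Function App HTTP2 Disabled` (ace823d1-…) and `Auto Scaling Group With No Associated ELB` (ad21e616-…) get `recommended: true` on this line alongside real findings, but HTTP/2 being off is a performance setting and an autoscaling group without a load balancer is the normal shape of a queue-worker fleet, so both will fire as false positives in a default-on recommended set. Their `group` values (`cloud-weak-configuration` and `top10-insecure-design`) do not make them security findings either. I would drop the added flag from those two hunks and keep it on the ones that matter here, such as `Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'` and `Cloud Storage Bucket Versioning Disabled`.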
@@ -44825,6 +48366,7 @@ rules: group: top10-crypto-failures name: ad5b4e97-2850-4adf-be17-1d293e0b85ee pretty_name: Glue Security Configuration Encryption Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/glue_security_configuration#encryption_configuration ad69e38a-d92e-4357-a8da-f2f29d545883: categories: @@ -44835,6 +48377,7 @@ rules: group: cloud-weak-configuration name: ad69e38a-d92e-4357-a8da-f2f29d545883 pretty_name: Pod or Container Without Security Context + recommended: true ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#security_context ad7444cf-817a-4765-a79e-2145f7981faf: categories: @@ -44847,6 +48390,7 @@ rules: group: cloud-resources-public-access name: ad7444cf-817a-4765-a79e-2145f7981faf pretty_name: Shield Advanced Not In Use + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-fms-policy.html ad9dabc7-7839-4bae-a957-aa9120013f39: categories: @@ -44856,6 +48400,7 @@ rules: group: cloud-insecure-iam name: ad9dabc7-7839-4bae-a957-aa9120013f39 pretty_name: Lambda With Vulnerable Policy + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission#action adcd0082-e90b-4b63-862b-21899f6e6a48: categories: @@ -44866,6 +48411,7 @@ rules: group: cloud-resources-public-access name: adcd0082-e90b-4b63-862b-21899f6e6a48 pretty_name: Security Groups With Meta IP + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html addc0eab-27f6-4c26-8526-d2ccd3732662: categories: @@ -44875,6 +48421,7 @@ rules: group: top10-insecure-design name: addc0eab-27f6-4c26-8526-d2ccd3732662 pretty_name: Schema Discriminator Mismatch Defined Properties (v2) + recommended: true ref: https://swagger.io/specification/v2/#schema-object ade36cf4-329f-4830-a83d-9db72c800507: categories: 
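Review bot: `Shield Advanced Not In Use` (ad7444cf-…) becomes recommended, but AWS Shield Advanced is a paid subscription with a monthly fee and a one-year commitment, so a default-on finding will fire on every account that has not purchased it, whether or not the workload is internet-facing. A baseline that a team cannot satisfy without a procurement decision tends to be suppressed wholesale, and that suppression takes genuine exposure findings in the same `cloud-resources-public-access` group (e.g. `Security Groups With Meta IP` on this line) with it. I would not set the flag on this hunk; if the product intends `recommended` to mean "worth looking at" rather than "expected to pass", that reading should be stated where consumers of the file can see it.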
@@ -44885,6 +48432,7 @@ rules: group: cloud-resources-public-access name: ade36cf4-329f-4830-a83d-9db72c800507 pretty_name: MSSQL Server Public Network Access Enabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server#public_network_access_enabled ade74944-a674-4e00-859e-c6eab5bde441: categories: @@ -44896,6 +48444,7 @@ rules: group: top10-insecure-design name: ade74944-a674-4e00-859e-c6eab5bde441 pretty_name: Liveness Probe Is Not Defined + recommended: true ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#when-should-you-use-a-liveness-probe ae03f542-1423-402f-9cef-c834e7ee9583: categories: @@ -44906,6 +48455,7 @@ rules: group: cloud-weak-configuration name: ae03f542-1423-402f-9cef-c834e7ee9583 pretty_name: Lambda Functions Without Unique IAM Roles + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html ae13a37d-943b-47a7-a970-83c8598bcca3: categories: @@ -44915,6 +48465,7 @@ rules: group: top10-insecure-design name: ae13a37d-943b-47a7-a970-83c8598bcca3 pretty_name: Path Template is Empty (v3) + recommended: true ref: https://swagger.io/specification/#paths-object ae53ce91-42b5-46bf-a84f-9a13366a4f13: categories: @@ -44925,6 +48476,7 @@ rules: group: cloud-insecure-iam name: ae53ce91-42b5-46bf-a84f-9a13366a4f13 pretty_name: SNS Topic is Publicly Accessible + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-policy.html ae5b6871-7f45-42e0-bb4c-ab300c4d2026: categories: @@ -44936,6 +48488,7 @@ rules: group: cloud-insecure-iam name: ae5b6871-7f45-42e0-bb4c-ab300c4d2026 pretty_name: Privileged Containers Enabled + recommended: true ref: https://docs.docker.com/compose/compose-file/#privileged ae8827e2-4af9-4baa-9998-87539ae0d6f0: categories: 
@@ -44947,6 +48500,7 @@ rules: group: cloud-weak-secrets-management name: ae8827e2-4af9-4baa-9998-87539ae0d6f0 pretty_name: Peer Auto TLS Set To True + recommended: true ref: https://etcd.io/docs/v3.4/op-guide/security/ ae9c56a6-3ed1-4ac0-9b54-31267f51151d: categories: @@ -44957,6 +48511,7 @@ rules: group: supply-chain-scm-weak-configuration name: ae9c56a6-3ed1-4ac0-9b54-31267f51151d pretty_name: Apk Add Using Local Cache Path + recommended: true ref: https://docs.docker.com/engine/reference/builder/#run aecee30b-8ea1-4776-a99c-d6d600f0862f: categories: @@ -44966,6 +48521,7 @@ rules: group: cloud-insecure-iam name: aecee30b-8ea1-4776-a99c-d6d600f0862f pretty_name: API Key Exposed In Global Security (v3) + recommended: true ref: https://swagger.io/specification/#security-scheme-object aed98a2a-e680-497a-8886-277cea0f4514: categories: @@ -44977,6 +48533,7 @@ rules: group: cloud-weak-configuration name: aed98a2a-e680-497a-8886-277cea0f4514 pretty_name: PostgreSQL Misconfigured Logging Duration Flag + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags aee3c7d2-a811-4201-90c7-11c028be9a46: categories: @@ -44989,6 +48546,7 @@ rules: group: cloud-insecure-iam name: aee3c7d2-a811-4201-90c7-11c028be9a46 pretty_name: Container Requests Not Equal To It's Limits + recommended: true ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ af167837-9636-4086-b815-c239186b9dda: categories: @@ -44999,6 +48557,7 @@ rules: group: cloud-insecure-iam name: af167837-9636-4086-b815-c239186b9dda pretty_name: Cross-Account IAM Assume Role Policy Without ExternalId or MFA + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_role_module.html#parameter-assume_role_policy_document af173fde-95ea-4584-b904-bb3923ac4bda: categories: 
@@ -45010,6 +48569,7 @@ rules: group: cloud-weak-configuration name: af173fde-95ea-4584-b904-bb3923ac4bda pretty_name: Redshift Publicly Accessible + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster af96d737-0818-4162-8c41-40d969bd65d1: categories: @@ -45022,6 +48582,7 @@ rules: group: top10-security-logging-monitoring-failures name: af96d737-0818-4162-8c41-40d969bd65d1 pretty_name: CMK Rotation Disabled + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_kms_module.html#parameter-enable_key_rotation afa36afb-39fe-4d94-b9b6-afb236f7a03d: categories: @@ -45034,6 +48595,7 @@ rules: group: supply-chain-cicd-weak-configuration name: afa36afb-39fe-4d94-b9b6-afb236f7a03d pretty_name: Pod Security Policy Admission Control Plugin Not Set + recommended: true ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ afde15cf-9444-4126-8c62-41cd79db1d1d: categories: @@ -45043,6 +48605,7 @@ rules: group: cloud-weak-configuration name: afde15cf-9444-4126-8c62-41cd79db1d1d pretty_name: Pattern Undefined (v2) + recommended: true ref: https://swagger.io/specification/v2/#schemaObject afecd1f1-6378-4f7e-bb3b-60c35801fdd4: categories: @@ -45052,6 +48615,7 @@ rules: group: cloud-weak-configuration name: afecd1f1-6378-4f7e-bb3b-60c35801fdd4 pretty_name: ALB Deletion Protection Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#enable_deletion_protection b03a748a-542d-44f4-bb86-9199ab4fd2d5: categories: @@ -45062,6 +48626,7 @@ rules: group: cloud-weak-configuration name: b03a748a-542d-44f4-bb86-9199ab4fd2d5 pretty_name: Healthcheck Instruction Missing + recommended: true ref: https://docs.docker.com/engine/reference/builder/#healthcheck b05bb927-2df5-43cc-8d7b-6825c0e71625: categories: 
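Review bot: `Pod Security Policy Admission Control Plugin Not Set` (afa36afb-…) is marked recommended, yet the PodSecurityPolicy admission plugin was removed in Kubernetes 1.25 and cannot be enabled on a current `kube-apiserver`, so the rule asks users to turn on a control that no longer exists and will leave a permanent finding on every up-to-date cluster. Its successor is the built-in `PodSecurity` admission controller, so the rule worth recommending is whichever one checks that a Pod Security Standards level is enforced, not this one. I would drop the added `recommended: true` from this hunk and, if a PodSecurity-admission rule exists elsewhere in the file, flag that instead; the `AlwaysPullImages` plugin rule earlier in the patch does not have this problem.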
@@ -45072,6 +48637,7 @@ rules: group: top10-insecure-design name: b05bb927-2df5-43cc-8d7b-6825c0e71625 pretty_name: Components Example Definition Is Unused + recommended: true ref: https://swagger.io/specification/#components-object b0d3ef3f-845d-4b1b-83d6-63a5a380375f: categories: @@ -45082,6 +48648,7 @@ rules: group: top10-crypto-failures name: b0d3ef3f-845d-4b1b-83d6-63a5a380375f pretty_name: Secretsmanager Secret Encrypted With AWS Managed Key + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret#kms_key_id b139213e-7d24-49c2-8025-c18faa21ecaa: categories: @@ -45093,6 +48660,7 @@ rules: group: cloud-insecure-iam name: b139213e-7d24-49c2-8025-c18faa21ecaa pretty_name: Node Auto Upgrade Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#auto_upgrade b14d1bc4-a208-45db-92f0-e21f8e2588e9: categories: @@ -45104,6 +48672,7 @@ rules: group: cloud-insecure-iam name: b14d1bc4-a208-45db-92f0-e21f8e2588e9 pretty_name: Memory Limits Not Defined + recommended: true ref: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/ b161c11b-a59b-4431-9a29-4e19f63e6b27: categories: @@ -45113,6 +48682,7 @@ rules: group: cloud-insecure-iam name: b161c11b-a59b-4431-9a29-4e19f63e6b27 pretty_name: REST API With Vulnerable Policy + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api_policy#policy b16cdb37-ce15-4ab2-8401-d42b05d123fc: categories: @@ -45122,6 +48692,7 @@ rules: group: cloud-insecure-iam name: b16cdb37-ce15-4ab2-8401-d42b05d123fc pretty_name: API Gateway Without Configured Authorizer + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_api_gateway_module.html b16e8501-ef3c-44e1-a543-a093238099c9: categories: 
@@ -45131,6 +48702,7 @@ rules: group: supply-chain-scm-weak-configuration name: b16e8501-ef3c-44e1-a543-a093238099c9 pretty_name: Using Platform Flag with FROM Command + recommended: true ref: https://docs.docker.com/engine/reference/builder/#from b176e927-bbe2-44a6-a9c3-041417137e5f: categories: @@ -45141,6 +48713,7 @@ rules: group: cloud-weak-configuration name: b176e927-bbe2-44a6-a9c3-041417137e5f pretty_name: AD Admin Not Configured For SQL Server + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlserver_module.html#parameter-ad_user b17d8bb8-4c08-4785-867e-cb9e62a622aa: categories: @@ -45151,6 +48724,7 @@ rules: group: top10-crypto-failures name: b17d8bb8-4c08-4785-867e-cb9e62a622aa pretty_name: AKS Disk Encryption Set ID Undefined + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#disk_encryption_set_id b187edca-b81e-4fdc-aff4-aab57db45edb: categories: @@ -45161,6 +48735,7 @@ rules: group: cloud-weak-configuration name: b187edca-b81e-4fdc-aff4-aab57db45edb pretty_name: SQL DB Instance Publicly Accessible + recommended: true ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance b1a72f66-2236-4f3b-87ba-0da1b366956f: categories: @@ -45171,6 +48746,7 @@ rules: group: top10-crypto-failures name: b1a72f66-2236-4f3b-87ba-0da1b366956f pretty_name: SNS Topic Encrypted With AWS Managed Key + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#kms_master_key_id b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7: categories: @@ -45180,6 +48756,7 @@ rules: group: top10-insecure-design name: b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7 pretty_name: Invalid Contact Email (v3) + recommended: true ref: https://swagger.io/specification/#contact-object b1b20ae3-8fa7-4af5-a74d-a2145920fcb1: categories: 
@@ -45189,6 +48766,7 @@ rules: group: top10-insecure-design name: b1b20ae3-8fa7-4af5-a74d-a2145920fcb1 pretty_name: IAM Password Without Minimum Length + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user b1d51728-7270-4991-ac2f-fc26e2695b38: categories: @@ -45201,6 +48779,7 @@ rules: group: top10-crypto-failures name: b1d51728-7270-4991-ac2f-fc26e2695b38 pretty_name: Disk Encryption Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_disk b1ffa705-19a3-4b73-b9d0-0c97d0663842: categories: @@ -45212,6 +48791,7 @@ rules: group: cloud-insecure-iam name: b1ffa705-19a3-4b73-b9d0-0c97d0663842 pretty_name: IAM Role With Full Privileges + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role b2315cae-b110-4426-81e0-80bb8640cdd3: categories: @@ -45222,6 +48802,7 @@ rules: group: top10-crypto-failures name: b2315cae-b110-4426-81e0-80bb8640cdd3 pretty_name: Athena Database Not Encrypted + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_database#encryption_configuration b23e9b98-0cb6-4fc9-b257-1f3270442678: categories: @@ -45232,6 +48813,7 @@ rules: group: top10-insecure-design name: b23e9b98-0cb6-4fc9-b257-1f3270442678 pretty_name: Deployment Without PodDisruptionBudget + recommended: true ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ b2418936-cd47-4ea2-8346-623c0bdb87bd: categories: @@ -45242,6 +48824,7 @@ rules: group: cloud-insecure-iam name: b2418936-cd47-4ea2-8346-623c0bdb87bd pretty_name: AKS RBAC Disabled + recommended: true ref: https://doc.crds.dev/github.com/crossplane/provider-azure/compute.azure.crossplane.io/AKSCluster/v1alpha3@v0.19.0#spec-disableRBAC b2468463-3ac4-4930-890c-f35b2bf4485d: categories: 
@@ -45252,6 +48835,7 @@ rules: group: top10-insecure-design name: b2468463-3ac4-4930-890c-f35b2bf4485d pretty_name: Path Is Ambiguous (v2) + recommended: true ref: https://swagger.io/specification/v2/#pathItemObject b25398a2-0625-4e61-8e4d-a1bb23905bf6: categories: @@ -45263,6 +48847,7 @@ rules: group: top10-insecure-design name: b25398a2-0625-4e61-8e4d-a1bb23905bf6 pretty_name: CDN Configuration Is Missing + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html b26d2b7e-60f6-413d-a3a1-a57db24aa2b3: categories: @@ -45273,6 +48858,7 @@ rules: group: cloud-insecure-iam name: b26d2b7e-60f6-413d-a3a1-a57db24aa2b3 pretty_name: SNS Topic is Publicly Accessible + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic b28bcd2f-c309-490e-ab7c-35fc4023eb26: categories: @@ -45284,6 +48870,7 @@ rules: group: top10-crypto-failures name: b28bcd2f-c309-490e-ab7c-35fc4023eb26 pretty_name: Google Compute SSL Policy Weak Cipher In Use + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_ssl_policy_module.html b2d9dbf6-539c-4374-a1fd-210ddf5563a8: categories: @@ -45293,6 +48880,7 @@ rules: group: top10-insecure-design name: b2d9dbf6-539c-4374-a1fd-210ddf5563a8 pretty_name: Invalid Global External Documentation URL (v3) + recommended: true ref: https://swagger.io/specification/#external-documentation-object b2e8752c-3497-4255-98d2-e4ae5b46bbf5: categories: @@ -45304,6 +48892,7 @@ rules: group: top10-crypto-failures name: b2e8752c-3497-4255-98d2-e4ae5b46bbf5 pretty_name: S3 Bucket Without Server-side-encryption + recommended: true ref: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html b2f275be-7d64-4064-b418-be6b431363a7: categories: 
@@ -45313,6 +48902,7 @@ rules: group: cloud-resources-public-access name: b2f275be-7d64-4064-b418-be6b431363a7 pretty_name: Success Response Code Undefined for Get Operation (v3) + recommended: true ref: https://swagger.io/specification/#operation-object b2fbf1df-76dd-4d78-a6c0-e538f4a9b016: categories: @@ -45323,6 +48913,7 @@ rules: group: cloud-resources-public-access name: b2fbf1df-76dd-4d78-a6c0-e538f4a9b016 pretty_name: SSH Access Is Not Restricted + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html b30981fa-a12e-49c7-a5bb-eeafb61d0f0f: categories: @@ -45332,6 +48923,7 @@ rules: group: top10-insecure-design name: b30981fa-a12e-49c7-a5bb-eeafb61d0f0f pretty_name: Global Parameter Definition Not Being Used + recommended: true ref: https://swagger.io/specification/v2/#parametersDefinitionsObject b3871dd8-9333-4d6c-bd52-67eb898b71ab: categories: @@ -45341,6 +48933,7 @@ rules: group: top10-insecure-design name: b3871dd8-9333-4d6c-bd52-67eb898b71ab pretty_name: Response Object With Incorrect Ref (v3) + recommended: true ref: https://swagger.io/specification/#responses-object b3a41501-f712-4c4f-81e5-db9a7dc0e34e: categories: @@ -45351,6 +48944,7 @@ rules: group: cloud-resources-public-access name: b3a41501-f712-4c4f-81e5-db9a7dc0e34e pretty_name: VPC Peering Route Table with Unrestricted CIDR + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route b3a59b8e-94a3-403e-b6e2-527abaf12034: categories: @@ -45361,6 +48955,7 @@ rules: group: top10-security-logging-monitoring-failures name: b3a59b8e-94a3-403e-b6e2-527abaf12034 pretty_name: API Gateway Deployment Without API Gateway UsagePlan Associated + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_deployment b3de4e4c-14be-4159-b99d-9ad194365e4c: categories: 
@@ -45371,6 +48966,7 @@ rules: group: cloud-resources-public-access name: b3de4e4c-14be-4159-b99d-9ad194365e4c pretty_name: EC2 Instance Subnet Has Public IP Mapping On Launch + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html#cfn-ec2-subnet-mappubliciponlaunch b4378389-a9aa-44ee-91e7-ef183f11079e: categories: @@ -45380,6 +48976,7 @@ rules: group: cloud-insecure-iam name: b4378389-a9aa-44ee-91e7-ef183f11079e pretty_name: IAM Policies Attached To User + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment b47b98ab-e481-4a82-8bb1-1ab39fd36e33: categories: @@ -45389,6 +48986,7 @@ rules: group: cloud-weak-configuration name: b47b98ab-e481-4a82-8bb1-1ab39fd36e33 pretty_name: API Gateway Without SSL Certificate + recommended: true ref: https://docs.ansible.com/ansible/2.8/modules/aws_api_gateway_module.html b4803607-ed72-4d60-99e2-3fa6edf471c6: categories: @@ -45398,6 +48996,7 @@ rules: group: top10-insecure-design name: b4803607-ed72-4d60-99e2-3fa6edf471c6 pretty_name: BasePath With Wrong Format + recommended: true ref: https://swagger.io/specification/v2/#schema b481d46c-9c61-480f-86d9-af07146dc4a4: categories: @@ -45408,6 +49007,7 @@ rules: group: top10-insecure-design name: b481d46c-9c61-480f-86d9-af07146dc4a4 pretty_name: Schema Discriminator Not Required (v3) + recommended: true ref: https://swagger.io/specification/#schema-object b4a7d925-738b-4219-99d9-87d6ee262a03: categories: @@ -45417,6 +49017,7 @@ rules: group: top10-insecure-design name: b4a7d925-738b-4219-99d9-87d6ee262a03 pretty_name: Invalid Tag External Documentation URL (v2) + recommended: true ref: https://swagger.io/specification/v2/#externalDocumentationObject b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a: categories: 
@@ -45426,6 +49027,7 @@ rules: group: top10-insecure-design name: b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a pretty_name: Virtual Network with DDoS Protection Plan disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network#ddos_protection_plan b4d9c12b-bfba-4aeb-9cb8-2358546d8041: categories: @@ -45438,6 +49040,7 @@ rules: group: cloud-weak-configuration name: b4d9c12b-bfba-4aeb-9cb8-2358546d8041 pretty_name: Vulnerable Default SSL Certificate + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html b4f65d13-a609-4dc1-af7c-63d2e08bffe9: categories: @@ -45449,6 +49052,7 @@ rules: group: cloud-weak-configuration name: b4f65d13-a609-4dc1-af7c-63d2e08bffe9 pretty_name: Google Container Node Pool Auto Repair Disabled + recommended: true ref: https://doc.crds.dev/github.com/crossplane/provider-gcp/container.gcp.crossplane.io/NodePool/v1beta1@v0.21.0#spec-forProvider-management-autoRepair b5102ea9-6527-4bb7-94fc-9b4076150e55: categories: @@ -45458,6 +49062,7 @@ rules: group: top10-insecure-design name: b5102ea9-6527-4bb7-94fc-9b4076150e55 pretty_name: Property Defining Minimum Greater Than Maximum (v2) + recommended: true ref: https://swagger.io/specification/v2/#schemaObject b5681959-6c09-4f55-b42b-c40fa12d03ec: categories: @@ -45468,6 +49073,7 @@ rules: group: cloud-weak-configuration name: b5681959-6c09-4f55-b42b-c40fa12d03ec pretty_name: IAM User Policy Without MFA + recommended: true ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html b592ffd4-0577-44b6-bd35-8c5ee81b5918: categories: 
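Review bot: `Virtual Network with DDoS Protection Plan disabled` (b4cc2c52-…) has the same problem as the Shield Advanced rule earlier in the patch: an Azure DDoS Protection plan is a paid subscription, so recommending it creates a finding that only a purchasing decision can close, and its `top10-insecure-design` group does not describe it well either. I would keep the flag off this hunk, or scope the recommendation to networks that also expose a public IP if the rule engine can express that. `IAM User Policy Without MFA` and `Vulnerable Default SSL Certificate` on the same line are the kind of zero-cost fixes a recommended set should be built from.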
@@ -45479,6 +49085,7 @@ rules: group: cloud-weak-configuration name: b592ffd4-0577-44b6-bd35-8c5ee81b5918 pretty_name: No Password Policy Enabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile b5c851d5-00f1-43dc-a8de-3218fd6f71be: categories: @@ -45490,6 +49097,7 @@ rules: group: top10-crypto-failures name: b5c851d5-00f1-43dc-a8de-3218fd6f71be pretty_name: Web App Not Using TLS Last Version + recommended: true ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites?tabs=json#siteconfig-object b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83: categories: @@ -45511,6 +49119,7 @@ rules: group: cloud-insecure-iam name: b5ed026d-a772-4f07-97f9-664ba0b116f8 pretty_name: IAM Policy Grants Full Permissions + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html b61cce4b-0cc4-472b-8096-15617a6d769b: categories: @@ -45521,6 +49130,7 @@ rules: group: cloud-insecure-iam name: b61cce4b-0cc4-472b-8096-15617a6d769b pretty_name: App Service Managed Identity Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#identity b69247e5-7e73-464e-ba74-ec9b715c6e12: categories: @@ -45531,6 +49141,7 @@ rules: group: cloud-insecure-iam name: b69247e5-7e73-464e-ba74-ec9b715c6e12 pretty_name: User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy b6a7e0ae-aed8-4a19-a993-a95760bf8836: categories: @@ -45540,6 +49151,7 @@ rules: group: top10-crypto-failures name: b6a7e0ae-aed8-4a19-a993-a95760bf8836 pretty_name: DynamoDB Table Not Encrypted + recommended: true ref: https://www.pulumi.com/registry/packages/aws/api-docs/dynamodb/table/#serversideencryption_yaml b7063015-6c31-4658-a8e7-14f98f37fd42: categories: 
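Review bot: Between the hunk at old line 45490 and the next one at 45511 the rule `b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83` is the only entry in view that does not receive `recommended: true`, and nothing in the patch says whether that is a deliberate exclusion or an oversight. Because every other rule in this range is flagged, a reader regenerating or diffing the file cannot tell the two apart, so I would make the choice explicit on that entry, either `recommended: false` or a comment on the line above it naming why it is left out. If the file is generated, the exclusion should live in the generator's input rather than only here.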
@@ -45549,6 +49161,7 @@ rules: group: cloud-weak-secrets-management name: b7063015-6c31-4658-a8e7-14f98f37fd42 pretty_name: EBS Volume Without KmsKeyId + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volume.html b72d0026-f649-4c91-a9ea-15d8f681ac09: categories: @@ -45559,6 +49172,7 @@ rules: group: top10-security-logging-monitoring-failures name: b72d0026-f649-4c91-a9ea-15d8f681ac09 pretty_name: Stack Notifications Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack b7652612-de4e-4466-a0bf-1cd81f0c6063: categories: @@ -45569,6 +49183,7 @@ rules: group: cloud-insecure-iam name: b7652612-de4e-4466-a0bf-1cd81f0c6063 pretty_name: Volume Mount With OS Directory Write Permissions + recommended: true ref: https://kubernetes.io/docs/concepts/storage/volumes/ b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643: categories: @@ -45579,6 +49194,7 @@ rules: group: top10-crypto-failures name: b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643 pretty_name: App Service Not Using Latest TLS Encryption Version + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#min_tls_version b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14: categories: @@ -45591,6 +49207,7 @@ rules: group: cloud-insecure-iam name: b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14 pretty_name: RBAC Roles with Read Secrets Permissions + recommended: true ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ b7c9a40c-23e4-4a2d-8d39-a3352f10f288: categories: @@ -45601,6 +49218,7 @@ rules: group: top10-crypto-failures name: b7c9a40c-23e4-4a2d-8d39-a3352f10f288 pretty_name: API Gateway Method Settings Cache Not Encrypted + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_settings#cache_data_encrypted b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff: categories: 
@@ -45611,6 +49229,7 @@ rules: group: cloud-weak-secrets-management name: b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff pretty_name: Etcd Peer Client Certificate Authentication Set To False + recommended: true ref: https://etcd.io/docs/v3.4/op-guide/security/ b80b14c6-aaa2-4876-b651-8a48b6c32fbf: categories: @@ -45620,6 +49239,7 @@ rules: group: cloud-resources-public-access name: b80b14c6-aaa2-4876-b651-8a48b6c32fbf pretty_name: Network Policy Is Not Targeting Any Pod + recommended: true ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#match_labels b84a0b47-2e99-4c9f-8933-98bcabe2b94d: categories: @@ -45631,6 +49251,7 @@ rules: group: supply-chain-scm-weak-configuration name: b84a0b47-2e99-4c9f-8933-98bcabe2b94d pretty_name: Run Using apt + recommended: true ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run b86987e1-6397-4619-81d5-8807f2387c79: categories: @@ -45640,6 +49261,7 @@ rules: group: supply-chain-cicd-weak-configuration name: b86987e1-6397-4619-81d5-8807f2387c79 pretty_name: Not Using JSON In CMD And ENTRYPOINT Arguments + recommended: true ref: https://docs.docker.com/engine/reference/builder/#entrypoint b897dfbf-322c-45a8-b67c-1e698beeaa51: categories: @@ -45650,6 +49272,7 @@ rules: group: cloud-insecure-iam name: b897dfbf-322c-45a8-b67c-1e698beeaa51 pretty_name: Admin User Enabled For Container Registry + recommended: true ref: https://www.terraform.io/docs/providers/azurerm/r/container_registry.html b8a31292-509d-4b61-bc40-13b167db7e9c: categories: @@ -45660,6 +49283,7 @@ rules: group: cloud-insecure-iam name: b8a31292-509d-4b61-bc40-13b167db7e9c pretty_name: Role With Privilege Escalation By Actions 'iam:AddUserToGroup' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy b8a9852c-9943-4973-b8d5-77dae9352851: categories: 
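Review bot: Marking b84a0b47 ("Run Using apt") as recommended promotes a Dockerfile style lint, not a security weakness, to the default rule set; its own `ref` is the Docker best-practices page, and the finding is about `apt` versus `apt-get` CLI stability rather than anything an attacker can use. In a curated "recommended" set this will fire on every `RUN apt ...` line and train users to ignore the flag. I would drop `recommended: true` for this rule (and for b86987e1, "Not Using JSON In CMD And ENTRYPOINT Arguments", in the following hunk, which is a signal-handling best practice for the same reason) and keep the flag for the etcd and registry-admin rules on this line, which are genuine hardening checks.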
@@ -45669,6 +49293,7 @@ rules: group: supply-chain-cicd-weak-configuration name: b8a9852c-9943-4973-b8d5-77dae9352851 pretty_name: EFS Without Tags + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html b90033cf-ad9f-4fb9-acd1-1b9d6d278c87: categories: @@ -45679,6 +49304,7 @@ rules: group: top10-insecure-design name: b90033cf-ad9f-4fb9-acd1-1b9d6d278c87 pretty_name: Multiple Body Parameters In The Same Operation + recommended: true ref: https://swagger.io/specification/v2/#parameterObject b9033580-6886-401a-8631-5f19f5bb24c7: categories: @@ -45689,6 +49315,7 @@ rules: group: top10-crypto-failures name: b9033580-6886-401a-8631-5f19f5bb24c7 pretty_name: Workspaces Workspace Volume Not Encrypted + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/workspaces_workspace#root_volume_encryption_enabled b90842e5-6779-44d4-9760-972f4c03ba1c: categories: @@ -45700,6 +49327,7 @@ rules: group: cloud-weak-configuration name: b90842e5-6779-44d4-9760-972f4c03ba1c pretty_name: Network Watcher Flow Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_watcher_flow_log b9380fd3-5ffe-4d10-9290-13e18e71eee1: categories: @@ -45711,6 +49339,7 @@ rules: group: cloud-resources-public-access name: b9380fd3-5ffe-4d10-9290-13e18e71eee1 pretty_name: Insecure Bind Address Set + recommended: true ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ b947809d-dd2f-4de9-b724-04d101c515aa: categories: @@ -45722,6 +49351,7 @@ rules: group: cloud-weak-configuration name: b947809d-dd2f-4de9-b724-04d101c515aa pretty_name: Redis Not Updated Regularly + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_cache#patch_schedule b9b7ada8-3868-4a35-854e-6100a2bb863d: categories: 
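Review bot: b8a9852c ("EFS Without Tags") checks for the presence of resource tags, which is inventory and cost hygiene rather than a weakness, yet the hunk promotes it to `recommended: true` alongside real misconfigurations. A recommended default set should carry checks whose findings are actionable security issues; a missing tag has no exploit path and will be the bulk of the noise in a typical IaC scan. I would leave `recommended` unset for this rule, and apply the same criterion to the other tag-presence rules being flagged in this commit.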
@@ -45732,6 +49362,7 @@ rules: group: cloud-resources-public-access name: b9b7ada8-3868-4a35-854e-6100a2bb863d pretty_name: Kubernetes Cluster Without Terway as CNI Network Plugin + recommended: true ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/cs_kubernetes#cluster_network_type b9c524a4-fe76-4021-a6a2-cb978fb4fde1: categories: @@ -45742,6 +49373,7 @@ rules: group: top10-security-logging-monitoring-failures name: b9c524a4-fe76-4021-a6a2-cb978fb4fde1 pretty_name: RDS Instance Events Not Logged + recommended: true ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/log_audit b9c83569-459b-4110-8f79-6305aa33cb37: categories: @@ -45754,6 +49386,7 @@ rules: group: cloud-weak-secrets-management name: b9c83569-459b-4110-8f79-6305aa33cb37 pretty_name: Using Kubernetes Native Secret Management + recommended: true ref: https://kubernetes.io/docs/concepts/configuration/secret/ b9db8a10-020c-49ca-88c6-780e5fdb4328: categories: @@ -45763,6 +49396,7 @@ rules: group: top10-insecure-design name: b9db8a10-020c-49ca-88c6-780e5fdb4328 pretty_name: Link Object Incorrect Ref + recommended: true ref: https://swagger.io/specification/#link-object ba066cda-e808-450d-92b6-f29109754d45: categories: @@ -45772,6 +49406,7 @@ rules: group: top10-insecure-design name: ba066cda-e808-450d-92b6-f29109754d45 pretty_name: Callback Object With Incorrect Ref + recommended: true ref: https://swagger.io/specification/#callback-object ba239cb9-f342-4c20-812d-7b5a2aa6969e: categories: @@ -45783,6 +49418,7 @@ rules: group: top10-insecure-design name: ba239cb9-f342-4c20-812d-7b5a2aa6969e pretty_name: Non OAuth2 Security Requirement Defining OAuth2 Scopes + recommended: true ref: https://swagger.io/specification/v2/#securityRequirementObject ba40ace1-a047-483c-8a8d-bc2d3a67a82d: categories: 
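Review bot: b9c83569 ("Using Kubernetes Native Secret Management") is being made a recommended default, but by its name it appears to fire on every `kind: Secret` manifest, i.e. on ordinary, supported usage, not on a misconfiguration — please confirm the rule's trigger before promoting it. If it really flags all native Secrets, it belongs to an opt-in policy ("use an external secret store") rather than the recommended baseline, where it would produce a finding per application with no remediation short of re-architecting secret delivery. Suggest dropping `recommended: true` for this rule, or documenting in the rule entry that it is an organisational policy check rather than a vulnerability.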
@@ -45794,6 +49430,7 @@ rules: group: cloud-resources-public-access name: ba40ace1-a047-483c-8a8d-bc2d3a67a82d pretty_name: EKS node group remote access disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group#remote_access ba48df05-eaa1-4d64-905e-4a4b051e7587: categories: @@ -45803,6 +49440,7 @@ rules: group: top10-insecure-design name: ba48df05-eaa1-4d64-905e-4a4b051e7587 pretty_name: Autoscaling Groups Supply Tags + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group#tag-and-tags ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698: categories: @@ -45813,6 +49451,7 @@ rules: group: cloud-insecure-iam name: ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698 pretty_name: AMI Shared With Multiple Accounts + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ami_launch_permission ba766c53-fe71-4bbb-be35-b6803f2ef13e: categories: @@ -45822,6 +49461,7 @@ rules: group: cloud-resources-public-access name: ba766c53-fe71-4bbb-be35-b6803f2ef13e pretty_name: ElastiCache Without VPC + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html#cfn-elasticache-cachecluster-cachesubnetgroupname baa3890f-bed7-46f5-ab8f-1da8fc91c729: categories: @@ -45831,6 +49471,7 @@ rules: group: cloud-insecure-iam name: baa3890f-bed7-46f5-ab8f-1da8fc91c729 pretty_name: Shared Host IPC Namespace + recommended: true ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir baa452f0-1f21-4a25-ace5-844e7a5f410d: categories: 
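Review bot: The direction of ba40ace1 ("EKS node group remote access disabled") should be verified before it is set to `recommended: true`: read literally, the name says the finding is raised when SSH remote access to the node group is disabled, which is the hardened state and would make a recommended rule push users toward opening SSH. If the rule actually checks the `remote_access` block for a missing source security group (as the `#remote_access` anchor in its `ref` hints), the pretty_name is misleading and is worth correcting in the same change, since the recommended set is what most users will see first. I can only infer the intent from the name and ref here; the query logic lives outside this file.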
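Review bot: ba48df05 ("Autoscaling Groups Supply Tags") is a tag-presence check, not an insecure-design issue despite its `top10-insecure-design` group, and promoting it to `recommended: true` adds a non-actionable finding to the default set. Tag hygiene is useful for inventory but has no security consequence a user can remediate in the security sense, so I would leave `recommended` unset here and reserve the flag on this line for the AMI-sharing, ElastiCache-without-VPC and shared-IPC rules.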
@@ -45842,6 +49483,7 @@ rules: group: supply-chain-cicd-weak-configuration name: baa452f0-1f21-4a25-ace5-844e7a5f410d pretty_name: Volume Mounted In Multiple Containers + recommended: true ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#volumes baade968-7467-41e4-bf22-83ca222f5800: categories: @@ -45853,6 +49495,7 @@ rules: group: cloud-insecure-iam name: baade968-7467-41e4-bf22-83ca222f5800 pretty_name: Security Field On Operations Has An Empty Object Definition (v3) + recommended: true ref: https://swagger.io/specification/#operation-object babdedcf-d859-43da-9a7b-6d72e661a8fd: categories: @@ -45862,6 +49505,7 @@ rules: group: cloud-insecure-iam name: babdedcf-d859-43da-9a7b-6d72e661a8fd pretty_name: IAM Role Allows All Principals To Assume + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html bac56e3c-1f71-4a74-8ae6-2fba07efcddb: categories: @@ -45871,6 +49515,7 @@ rules: group: top10-insecure-design name: bac56e3c-1f71-4a74-8ae6-2fba07efcddb pretty_name: Example JSON Reference Outside Components Examples + recommended: true ref: https://swagger.io/specification/#reference-object baecd2da-492a-4d59-b9dc-29540a1398e0: categories: @@ -45890,6 +49535,7 @@ rules: group: cloud-weak-configuration name: bb0db090-5509-4853-a827-75ced0b3caa0 pretty_name: Google Storage Bucket Level Access Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket bb241e61-77c3-4b97-9575-c0f8a1e008d0: categories: @@ -45900,6 +49546,7 @@ rules: group: top10-insecure-design name: bb241e61-77c3-4b97-9575-c0f8a1e008d0 pretty_name: StatefulSet Without Service Name + recommended: true ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/ bb9ac4f7-e13b-423d-a010-c74a1bfbe492: categories: 
@@ -45911,6 +49558,7 @@ rules: group: cloud-insecure-iam name: bb9ac4f7-e13b-423d-a010-c74a1bfbe492 pretty_name: Memory Not Limited + recommended: true ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#resources bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9: categories: @@ -45920,6 +49568,7 @@ rules: group: top10-insecure-design name: bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9 pretty_name: IAM Password Without Lowercase Letter + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54: categories: @@ -45930,6 +49579,7 @@ rules: group: cloud-insecure-iam name: bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54 pretty_name: Policy Without Principal + recommended: true ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html bbf6b3df-4b65-4f87-82cc-da9f30f8c033: categories: @@ -45940,6 +49590,7 @@ rules: group: cloud-weak-configuration name: bbf6b3df-4b65-4f87-82cc-da9f30f8c033 pretty_name: VM Not Attached To Network + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine#network_interface_ids bbfc97ab-e92a-4a7b-954c-e88cec815011: categories: @@ -45952,6 +49603,7 @@ rules: group: top10-security-logging-monitoring-failures name: bbfc97ab-e92a-4a7b-954c-e88cec815011 pretty_name: Stackdriver Monitoring Disabled + recommended: true ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters bc1f9009-84a0-490f-ae09-3e0ea6d74ad6: categories: @@ -45962,6 +49614,7 @@ rules: group: top10-crypto-failures name: bc1f9009-84a0-490f-ae09-3e0ea6d74ad6 pretty_name: DOCDB Cluster Not Encrypted + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#storage_encrypted bc20bbc6-0697-4568-9a73-85af1dd97bdd: categories: 
@@ -45973,6 +49626,7 @@ rules: group: cloud-insecure-iam name: bc20bbc6-0697-4568-9a73-85af1dd97bdd pretty_name: VM With Full Cloud Access + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html#parameter-service_accounts/scopes bc280331-27b9-4acb-a010-018e8098aa5d: categories: @@ -45984,6 +49638,7 @@ rules: group: cloud-insecure-iam name: bc280331-27b9-4acb-a010-018e8098aa5d pretty_name: VM With Full Cloud Access + recommended: true ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#scopes bc2908f3-f73c-40a9-8793-c1b7d5544f79: categories: @@ -45995,6 +49650,7 @@ rules: group: cloud-resources-public-access name: bc2908f3-f73c-40a9-8793-c1b7d5544f79 pretty_name: Privileged Ports Mapped In Container + recommended: true ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e: categories: @@ -46004,6 +49660,7 @@ rules: group: top10-insecure-design name: bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e pretty_name: Metadata Label Is Invalid + recommended: true ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#labels bc75ce52-a60a-4660-b533-bce837a5019b: categories: @@ -46027,6 +49684,7 @@ rules: group: cloud-resources-public-access name: bca7cc4d-b3a4-4345-9461-eb69c68fcd26 pretty_name: RDS Using Default Port + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#port bccb296f-362c-4b05-9221-86d1437a1016: categories: @@ -46039,6 +49697,7 @@ rules: group: cloud-insecure-iam name: bccb296f-362c-4b05-9221-86d1437a1016 pretty_name: Amazon DMS Replication Instance Is Publicly Accessible + recommended: true ref: https://www.pulumi.com/registry/packages/aws/api-docs/dms/replicationinstance/ bccfa089-89e4-47e0-a0e5-185fe6902220: categories: 
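Review bot: bca7cc4d ("RDS Using Default Port") is security through obscurity — moving a database off its default port does not reduce exposure against any scanner that probes more than one port, and it complicates operations — so making it `recommended: true` lowers the signal quality of the default set. Network exposure is already covered by the public-accessibility rules on this same line (e.g. bccb296f for DMS), which are the right ones to recommend. I would drop `recommended: true` for bca7cc4d, or keep it but note in the entry that it is a defence-in-depth preference rather than a finding with a concrete attack path.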
@@ -46048,6 +49707,7 @@ rules: group: top10-insecure-design name: bccfa089-89e4-47e0-a0e5-185fe6902220 pretty_name: Response Object With Incorrect Ref (v2) + recommended: true ref: https://swagger.io/specification/v2/#responses-object bcd3fc01-5902-4f2a-b05a-227f9bbf5450: categories: @@ -46059,6 +49719,7 @@ rules: group: top10-insecure-design name: bcd3fc01-5902-4f2a-b05a-227f9bbf5450 pretty_name: SQL Server Predictable Active Directory Account Name + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_active_directory_administrator bcdcbdc6-a350-4855-ae7c-d1e6436f7c97: categories: @@ -46069,6 +49730,7 @@ rules: group: cloud-insecure-iam name: bcdcbdc6-a350-4855-ae7c-d1e6436f7c97 pretty_name: IAM Policy Grants 'AssumeRole' Permission Across All Services + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role bd0088a5-c133-4b20-b129-ec9968b16ef3: categories: @@ -46079,6 +49741,7 @@ rules: group: top10-security-logging-monitoring-failures name: bd0088a5-c133-4b20-b129-ec9968b16ef3 pretty_name: CloudTrail Log Files S3 Bucket is Publicly Accessible + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#s3_bucket_name bd2cbef5-62c4-40f1-af07-4b7f9ced6616: categories: @@ -46089,6 +49752,7 @@ rules: group: top10-insecure-design name: bd2cbef5-62c4-40f1-af07-4b7f9ced6616 pretty_name: Parameter Objects Headers With Duplicated Name (v2) + recommended: true ref: https://swagger.io/specification/v2/#parameterObject bd6bd46c-57db-4887-956d-d372f21291b6: categories: @@ -46099,6 +49763,7 @@ rules: group: cloud-insecure-iam name: bd6bd46c-57db-4887-956d-d372f21291b6 pretty_name: Missing App Armor Config + recommended: true ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#annotations bd77554e-f138-40c5-91b2-2a09f878608e: categories: 
@@ -46110,6 +49775,7 @@ rules: group: top10-crypto-failures name: bd77554e-f138-40c5-91b2-2a09f878608e pretty_name: EFS Without KMS + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-kms_key_id bdecd6db-2600-47dd-a10c-72c97cf17ae9: categories: @@ -46121,6 +49787,7 @@ rules: group: top10-crypto-failures name: bdecd6db-2600-47dd-a10c-72c97cf17ae9 pretty_name: EFS Without KMS + recommended: true ref: https://doc.crds.dev/github.com/crossplane/provider-aws/efs.aws.crossplane.io/FileSystem/v1alpha1@v0.29.0#spec-forProvider-kmsKeyID bdf8dcb4-75df-4370-92c4-606e4ae6c4d3: categories: @@ -46132,6 +49799,7 @@ rules: group: cloud-weak-configuration name: bdf8dcb4-75df-4370-92c4-606e4ae6c4d3 pretty_name: Redshift Publicly Accessible + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html be0e0df7-f3d9-42a1-9b6f-d425f94872c4: categories: @@ -46142,6 +49810,7 @@ rules: group: cloud-weak-configuration name: be0e0df7-f3d9-42a1-9b6f-d425f94872c4 pretty_name: Array Items Has No Type (v3) + recommended: true ref: https://swagger.io/docs/specification/data-models/data-types/#string be1d8733-3731-40c7-a845-734741c6871d: categories: @@ -46152,6 +49821,7 @@ rules: group: top10-insecure-design name: be1d8733-3731-40c7-a845-734741c6871d pretty_name: Constraining Enum Property + recommended: true ref: https://swagger.io/specification/v2/#schemaObject be2aa235-bd93-4b68-978a-1cc65d49082f: categories: @@ -46163,6 +49833,7 @@ rules: name: be2aa235-bd93-4b68-978a-1cc65d49082f pretty_name: Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy be3e170e-1572-461e-a8b6-d963def581ec: categories: 
@@ -46172,6 +49843,7 @@ rules: group: cloud-weak-configuration name: be3e170e-1572-461e-a8b6-d963def581ec pretty_name: Operation Object Without 'produces' + recommended: true ref: https://swagger.io/specification/v2/#operation-object be41f891-96b1-4b9d-b74f-b922a918c778: categories: @@ -46181,6 +49853,7 @@ rules: group: cloud-weak-configuration name: be41f891-96b1-4b9d-b74f-b922a918c778 pretty_name: COS Node Image Not Used + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html#parameter-config/image_type be5b230d-4371-4a28-a441-85dc760e2aa3: categories: @@ -46190,6 +49863,7 @@ rules: group: cloud-insecure-iam name: be5b230d-4371-4a28-a441-85dc760e2aa3 pretty_name: IoT Policy Allows Wildcard Resource + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iot-policy.html be6a3722-af60-438c-b1b9-2a03e2958ab7: categories: @@ -46200,6 +49874,7 @@ rules: group: top10-insecure-design name: be6a3722-af60-438c-b1b9-2a03e2958ab7 pretty_name: Schema Discriminator Not Required (v2) + recommended: true ref: https://swagger.io/specification/v2/#schema-object be96849c-3df6-49c2-bc16-778a7be2519c: categories: @@ -46210,6 +49885,7 @@ rules: group: top10-crypto-failures name: be96849c-3df6-49c2-bc16-778a7be2519c pretty_name: Secure Ciphers Disabled + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-viewercertificate.html bf36b900-b5ef-4828-adb7-70eb543b7cfb: categories: @@ -46219,6 +49895,7 @@ rules: group: cloud-weak-configuration name: bf36b900-b5ef-4828-adb7-70eb543b7cfb pretty_name: Kubelet Hostname Override Is Set + recommended: true ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/ bf4473f1-c8a2-4b1b-8134-bd32efabab93: categories: 
@@ -46228,6 +49905,7 @@ rules: group: top10-crypto-failures name: bf4473f1-c8a2-4b1b-8134-bd32efabab93 pretty_name: Neptune Database Cluster Encryption Disabled + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-neptune-dbcluster.html bf4b48b9-fc1f-4552-984a-4becdb5bf503: categories: @@ -46237,6 +49915,7 @@ rules: group: top10-security-logging-monitoring-failures name: bf4b48b9-fc1f-4552-984a-4becdb5bf503 pretty_name: API Gateway Access Logging Disabled + recommended: true ref: https://www.pulumi.com/registry/packages/aws/api-docs/apigatewayv2/stage/#accesslogsettings_yaml bf500309-da53-4dd3-bcf7-95f7974545a5: categories: @@ -46248,6 +49927,7 @@ rules: group: cloud-resources-public-access name: bf500309-da53-4dd3-bcf7-95f7974545a5 pretty_name: PostgreSQL Database Server SSL Disabled + recommended: true ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/2017-12-01/servers?tabs=json bf878b1a-7418-4de3-b13c-3a86cf894920: categories: @@ -46259,6 +49939,7 @@ rules: group: cloud-insecure-iam name: bf878b1a-7418-4de3-b13c-3a86cf894920 pretty_name: S3 Bucket Public ACL Overridden By Public Access Block + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket bf89373a-be40-4c04-99f5-746742dfd7f3: categories: @@ -46269,6 +49950,7 @@ rules: group: cloud-resources-public-access name: bf89373a-be40-4c04-99f5-746742dfd7f3 pretty_name: EMR Without VPC + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticmapreduce-cluster-jobflowinstancesconfig.html#cfn-elasticmapreduce-cluster-jobflowinstancesconfig-ec2subnetid bf9d42c7-c2f9-4dfe-942c-c8cc8249a081: categories: 
@@ -46279,6 +49961,7 @@ rules: group: cloud-insecure-iam name: bf9d42c7-c2f9-4dfe-942c-c8cc8249a081 pretty_name: User With Privilege Escalation By Actions 'iam:AddUserToGroup' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy c010082c-76e0-4b91-91d9-6e8439e455dd: categories: @@ -46289,6 +49972,7 @@ rules: group: cloud-insecure-iam name: c010082c-76e0-4b91-91d9-6e8439e455dd pretty_name: Cloud Storage Bucket Is Publicly Accessible + recommended: true ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam#member/members c01d10de-c468-4790-b3a0-fc887a56f289: categories: @@ -46299,6 +49983,7 @@ rules: group: cloud-resources-public-access name: c01d10de-c468-4790-b3a0-fc887a56f289 pretty_name: OSS Buckets Secure Transport Disabled + recommended: true ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy c065b98e-1515-4991-9dca-b602bd6a2fbb: categories: @@ -46308,6 +49993,7 @@ rules: group: top10-security-logging-monitoring-failures name: c065b98e-1515-4991-9dca-b602bd6a2fbb pretty_name: Action Trail Logging For All Regions Disabled + recommended: true ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/actiontrail_trail#trail_region c09cdac2-7670-458a-bf6c-efad6880973a: categories: @@ -46318,6 +50004,7 @@ rules: group: top10-security-logging-monitoring-failures name: c09cdac2-7670-458a-bf6c-efad6880973a pretty_name: SQL Server Database With Unrecommended Retention Days + recommended: true ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/auditingsettings?tabs=json c09e3ca5-f08a-4717-9c87-3919c5e6d209: categories: 
@@ -46329,6 +50016,7 @@ rules: group: cloud-weak-configuration name: c09e3ca5-f08a-4717-9c87-3919c5e6d209 pretty_name: RDS DB Instance Publicly Accessible + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-auto_minor_version_upgrade c09f4d3e-27d2-4d46-9453-abbe9687a64e: categories: @@ -46340,6 +50028,7 @@ rules: group: top10-crypto-failures name: c09f4d3e-27d2-4d46-9453-abbe9687a64e pretty_name: User Data Contains Encoded Private Key + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_lc_module.html c0c1e744-0f37-445e-924a-1846f0839f69: categories: @@ -46350,6 +50039,7 @@ rules: group: cloud-insecure-iam name: c0c1e744-0f37-445e-924a-1846f0839f69 pretty_name: Group With Privilege Escalation By Actions 'iam:PutRolePolicy' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy c1032cf7-3628-44e2-bd53-38c17cf31b6b: categories: @@ -46359,6 +50049,7 @@ rules: group: cloud-weak-secrets-management name: c1032cf7-3628-44e2-bd53-38c17cf31b6b pretty_name: Shared Service Account + recommended: true ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ c1282e03-b285-4637-aee7-eefe3a7bb658: categories: @@ -46370,6 +50061,7 @@ rules: group: top10-crypto-failures name: c1282e03-b285-4637-aee7-eefe3a7bb658 pretty_name: EFS Volume With Disabled Transit Encryption + recommended: true ref: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html c1573577-e494-4417-8854-7e119368dc8b: categories: @@ -46381,6 +50073,7 @@ rules: group: cloud-resources-public-access name: c1573577-e494-4417-8854-7e119368dc8b pretty_name: Network Interfaces With Public IP + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface#public_ip_address_id c19779a9-5774-4d2f-a3a1-a99831730375: categories: 
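Review bot: c09e3ca5 ("RDS DB Instance Publicly Accessible") is promoted to `recommended: true`, but its `ref` anchor points at `#parameter-auto_minor_version_upgrade`, which does not match the finding; a recommended rule's reference is what users follow to remediate, so it should land on the parameter that controls the exposure. Based on the Ansible module page structure this looks like it should be `ref: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-publicly_accessible` — please confirm the anchor exists before changing it. The remaining rules on this line (hardcoded private key, PutRolePolicy escalation, EFS transit encryption, public NICs) are sound choices for the recommended set.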
@@ -46391,6 +50084,7 @@ rules: group: top10-insecure-design name: c19779a9-5774-4d2f-a3a1-a99831730375 pretty_name: Components Link Definition Is Unused + recommended: true ref: https://swagger.io/specification/#components-object c201b7ad-6173-4598-a407-5edb04a1bcd7: categories: @@ -46400,6 +50094,7 @@ rules: group: top10-insecure-design name: c201b7ad-6173-4598-a407-5edb04a1bcd7 pretty_name: Path Template is Empty (v2) + recommended: true ref: https://swagger.io/specification/v2/#pathsObject c254adc4-ef25-46e1-8270-b7944adb4198: categories: @@ -46409,6 +50104,7 @@ rules: group: top10-insecure-design name: c254adc4-ef25-46e1-8270-b7944adb4198 pretty_name: OperationId Not Unique (v3) + recommended: true ref: https://swagger.io/specification/#operation-object c2a3efb6-8a58-481c-82f2-bfddf34bb4b7: categories: @@ -46419,6 +50115,7 @@ rules: group: cloud-resources-public-access name: c2a3efb6-8a58-481c-82f2-bfddf34bb4b7 pretty_name: CosmosDB Account IP Range Filter Not Set + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account#ip_range_filter c2eae442-d3ba-4cb1-84ca-1db4f80eae3d: categories: @@ -46428,6 +50125,7 @@ rules: group: cloud-weak-configuration name: c2eae442-d3ba-4cb1-84ca-1db4f80eae3d pretty_name: Lambda Function Without Dead Letter Queue + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-deadletterconfig c2f15af3-66a0-4176-a56e-e4711e502e5c: categories: @@ -46437,6 +50135,7 @@ rules: group: cloud-weak-secrets-management name: c2f15af3-66a0-4176-a56e-e4711e502e5c pretty_name: Hardcoded AWS Access Key + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_instance_module.html c333e906-8d8b-4275-b999-78b6318f8dc6: categories: 
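Review bot: c2eae442 ("Lambda Function Without Dead Letter Queue") is a reliability/observability control, not a security misconfiguration, and setting `recommended: true` on it puts a non-security finding in the default set next to genuine ones such as c2f15af3 ("Hardcoded AWS Access Key") on the same line. Missing a DLQ loses failed async invocations; it does not create an exposure an attacker can use. I would leave `recommended` unset for this rule, and more generally apply a "has a security consequence" test to each rule before flagging it, since the flag in this file otherwise reads as applied to nearly every entry.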
@@ -46447,6 +50146,7 @@ rules: group: supply-chain-cicd-weak-configuration name: c333e906-8d8b-4275-b999-78b6318f8dc6 pretty_name: DynamoDB With Not Recommented Table Billing Mode + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html#cfn-dynamodb-table-attributedef c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6: categories: @@ -46456,6 +50156,7 @@ rules: group: cloud-insecure-iam name: c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6 pretty_name: Certificate Has Expired + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api c38d630d-a415-4e3e-bac2-65475979ba88: categories: @@ -46466,6 +50167,7 @@ rules: group: top10-insecure-design name: c38d630d-a415-4e3e-bac2-65475979ba88 pretty_name: Body Parameter With Wrong Property + recommended: true ref: https://swagger.io/specification/v2/#parameterObject c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d: categories: @@ -46476,6 +50178,7 @@ rules: group: top10-security-logging-monitoring-failures name: c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d pretty_name: S3 Bucket Logging Disabled + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-debug_botocore_endpoint_logs c3cab8c4-6c52-47a9-942b-c27f26fbd7d2: categories: @@ -46486,6 +50189,7 @@ rules: group: top10-insecure-design name: c3cab8c4-6c52-47a9-942b-c27f26fbd7d2 pretty_name: Parameter File Type Not In 'formData' + recommended: true ref: https://swagger.io/specification/v2/#parameterObject c3ce69fd-e3df-49c6-be78-1db3f802261c: categories: @@ -46497,6 +50201,7 @@ rules: group: top10-security-logging-monitoring-failures name: c3ce69fd-e3df-49c6-be78-1db3f802261c pretty_name: S3 Bucket CloudTrail Logging Disabled + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#cfn-s3-bucket-loggingconfig c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9: categories: 
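Review bot: c333e906 ("DynamoDB With Not Recommented Table Billing Mode") is a capacity/cost preference, not a supply-chain or CI/CD weakness despite its group, and promoting it with `recommended: true` adds noise to the default set; I would leave the flag off for this rule. While touching this entry it is also worth fixing the typo in the pretty_name to `DynamoDB With Not Recommended Table Billing Mode`, since the recommended set is the most visible place this string will appear.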
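Review bot: c3b9f7b0 ("S3 Bucket Logging Disabled") is a reasonable rule to recommend, but its `ref` anchor `#parameter-debug_botocore_endpoint_logs` points at a client-side debugging option, not bucket access logging, so users who follow it from a recommended finding will land on the wrong setting. The Ansible `s3_bucket` module's relevant parameter appears to be the bucket logging one; I would change the anchor to the logging parameter (something like `#parameter-logging`) after confirming it resolves on the current docs page. Recommended rules deserve accurate remediation links more than the rest of the catalogue.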
@@ -46506,6 +50211,7 @@ rules: group: cloud-insecure-iam name: c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9 pretty_name: S3 Bucket With Public Access + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission c407c3cf-c409-4b29-b590-db5f4138d332: categories: @@ -46516,6 +50222,7 @@ rules: group: cloud-insecure-iam name: c407c3cf-c409-4b29-b590-db5f4138d332 pretty_name: PostgreSQL Server Threat Detection Policy Disabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server#threat_detection_policy c44c95fc-ae92-4bb8-bdf8-bb9bc412004a: categories: @@ -46527,6 +50234,7 @@ rules: group: cloud-resources-public-access name: c44c95fc-ae92-4bb8-bdf8-bb9bc412004a pretty_name: EC2 Public Instance Exposed Through Subnet + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route.html c47f90e8-4a19-43f0-8413-cc434d286c4e: categories: @@ -46539,6 +50247,7 @@ rules: group: cloud-weak-configuration name: c47f90e8-4a19-43f0-8413-cc434d286c4e pretty_name: Network Policy Disabled + recommended: true ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters c48e57d3-d642-4e0b-90db-37f807b41b91: categories: @@ -46548,6 +50257,7 @@ rules: group: cloud-weak-configuration name: c48e57d3-d642-4e0b-90db-37f807b41b91 pretty_name: PSP Set To Privileged + recommended: true ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#privileged c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0: categories: @@ -46558,6 +50268,7 @@ rules: group: cloud-resources-public-access name: c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0 pretty_name: SSH Access Is Not Restricted + recommended: true ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall c53c7a89-f9d7-4c7b-8b66-8a555be99593: categories: 
@@ -46567,6 +50278,7 @@ rules:
 group: cloud-insecure-iam
 name: c53c7a89-f9d7-4c7b-8b66-8a555be99593
 pretty_name: Public and Private EC2 Share Role
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#iam_instance_profile
 c583f0f9-7dfd-476b-a056-f47c62b47b46:
 categories:
@@ -46577,6 +50289,7 @@ rules:
 group: cloud-insecure-iam
 name: c583f0f9-7dfd-476b-a056-f47c62b47b46
 pretty_name: Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy
 c589f42c-7924-4871-aee2-1cede9bc7cbc:
 categories:
@@ -46589,6 +50302,7 @@ rules:
 group: cloud-insecure-iam
 name: c589f42c-7924-4871-aee2-1cede9bc7cbc
 pretty_name: RBAC Roles with Exec Permission
+ recommended: true
 ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 c5b31ab9-0f26-4a49-b8aa-4cc064392f4d:
 categories:
@@ -46603,6 +50317,7 @@ rules:
 group: cloud-weak-configuration
 name: c5b31ab9-0f26-4a49-b8aa-4cc064392f4d
 pretty_name: S3 Bucket Without Enabled MFA Delete
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#mfa_delete
 c5bb7461-aa57-470b-a714-3bc3d74f4669:
 categories:
@@ -46613,6 +50328,7 @@ rules:
 group: top10-insecure-design
 name: c5bb7461-aa57-470b-a714-3bc3d74f4669
 pretty_name: Link Object OperationId Does Not Target Operation Object
+ recommended: true
 ref: https://swagger.io/specification/#link-object
 c5ff7bc9-d8ea-46dd-81cb-8286f3222249:
 categories:
@@ -46622,6 +50338,7 @@ rules:
 group: top10-insecure-design
 name: c5ff7bc9-d8ea-46dd-81cb-8286f3222249
 pretty_name: IAM Password Without Uppercase Letter
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy
 c606ba1d-d736-43eb-ac24-e16108f3a9e0:
 categories:
@@ -46634,6 +50351,7 @@ rules:
 group: cloud-weak-configuration
 name: c606ba1d-d736-43eb-ac24-e16108f3a9e0
 pretty_name: IP Aliasing Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster
 c62746cf-92d5-4649-9acf-7d48d086f2ee:
 categories:
@@ -46643,6 +50361,7 @@ rules:
 group: top10-crypto-failures
 name: c62746cf-92d5-4649-9acf-7d48d086f2ee
 pretty_name: Storage Account Not Using Latest TLS Encryption Version
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-minimum_tls_version
 c62d3b92-9a11-4ffd-b7b7-6faaae83faed:
 categories:
@@ -46652,6 +50371,7 @@ rules:
 group: cloud-weak-configuration
 name: c62d3b92-9a11-4ffd-b7b7-6faaae83faed
 pretty_name: AKS Dashboard Is Enabled
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#managedclusteraddonprofile
 c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621:
 categories:
@@ -46662,6 +50382,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621
 pretty_name: ELBv2 ALB Access Log Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-loadbalancer-loadbalancerattributes.html#cfn-elasticloadbalancingv2-loadbalancer-loadbalancerattributes-key
 c640d783-10c5-4071-b6c1-23507300d333:
 categories:
@@ -46672,6 +50393,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: c640d783-10c5-4071-b6c1-23507300d333
 pretty_name: PostgreSQL Log Connections Not Set
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration
 c66ebeaa-676c-40dc-a3ff-3e49395dcd5e:
 categories:
@@ -46682,6 +50404,7 @@ rules: group: top10-insecure-design name: c66ebeaa-676c-40dc-a3ff-3e49395dcd5e pretty_name: Servers Array Undefined + recommended: true ref: https://swagger.io/specification/#server-object c689f51b-9203-43b3-9d8b-caed123f706c: categories: @@ -46706,6 +50429,7 @@ rules: name: c68b4e6d-4e01-4ca1-b256-1e18e875785c pretty_name: Google Project IAM Member Service Account has Token Creator or Account User Role + recommended: true ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e: categories: @@ -46716,6 +50440,7 @@ rules: group: cloud-resources-public-access name: c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e pretty_name: Sensitive Port Is Exposed To Wide Private Network + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule c6fc6f29-dc04-46b6-99ba-683c01aff350: categories: @@ -46727,6 +50452,7 @@ rules: group: cloud-resources-public-access name: c6fc6f29-dc04-46b6-99ba-683c01aff350 pretty_name: Serial Ports Are Enabled For VM Instances + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html c7000383-16d0-4509-8cd3-585e5ea2e2f2: categories: @@ -46736,6 +50462,7 @@ rules: group: top10-insecure-design name: c7000383-16d0-4509-8cd3-585e5ea2e2f2 pretty_name: Invalid Contact URL (v2) + recommended: true ref: https://swagger.io/specification/v2/#contactObject c757c6a3-ac87-4b9d-b28d-e5a5add6a315: categories: @@ -46745,6 +50472,7 @@ rules: group: top10-security-logging-monitoring-failures name: c757c6a3-ac87-4b9d-b28d-e5a5add6a315 pretty_name: Serverless API X-Ray Tracing Disabled + recommended: true ref: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-tracingenabled c759d6f2-4dd3-4160-82d3-89202ef10d87: categories: 
@@ -46755,6 +50483,7 @@ rules:
 group: cloud-weak-configuration
 name: c759d6f2-4dd3-4160-82d3-89202ef10d87
 pretty_name: MySQL Instance With Local Infile On
+ recommended: true
 ref: https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances
 c7781feb-a955-4f9f-b9cf-0d7c6f54bb59:
 categories:
@@ -46774,6 +50503,7 @@ rules:
 group: cloud-insecure-iam
 name: c7fc1481-2899-4490-bbd8-544a3a61a2f3
 pretty_name: App Service Authentication Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#enabled
 c87749b3-ff10-41f5-9df2-c421e8151759:
 categories:
@@ -46783,6 +50513,7 @@ rules:
 group: cloud-weak-configuration
 name: c87749b3-ff10-41f5-9df2-c421e8151759
 pretty_name: Function App Managed Identity Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#identity
 c878abb4-cca5-4724-92b9-289be68bd47c:
 categories:
@@ -46794,6 +50525,7 @@ rules:
 group: cloud-weak-configuration
 name: c878abb4-cca5-4724-92b9-289be68bd47c
 pretty_name: Privilege Escalation Allowed
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#allow_privilege_escalation
 c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22:
 categories:
@@ -46804,6 +50536,7 @@ rules:
 group: cloud-weak-secrets-management
 name: c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22
 pretty_name: Secrets Manager Should Specify KmsKeyId
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html
 c8dee387-a2e6-4a73-a942-183c975549ac:
 categories:
@@ -46816,6 +50549,7 @@ rules:
 group: top10-crypto-failures
 name: c8dee387-a2e6-4a73-a942-183c975549ac
 pretty_name: DynamoDB With Aws Owned CMK
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-table-ssespecification.html
 c91d7ea0-d4d1-403b-8fe1-c9961ac082c5:
 categories:
@@ -46825,6 +50559,7 @@ rules:
 group: cloud-insecure-iam
 name: c91d7ea0-d4d1-403b-8fe1-c9961ac082c5
 pretty_name: Neptune Cluster With IAM Database Authentication Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster#storage_encrypted
 c9846969-d066-431f-9b34-8c4abafe422a:
 categories:
@@ -46835,6 +50570,7 @@ rules:
 group: cloud-resources-public-access
 name: c9846969-d066-431f-9b34-8c4abafe422a
 pretty_name: Remote Desktop Port Open To Internet
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html
 c999cf62-0920-40f8-8dda-0caccd66ed7e:
 categories:
@@ -46845,6 +50581,7 @@ rules:
 group: cloud-insecure-iam
 name: c999cf62-0920-40f8-8dda-0caccd66ed7e
 pretty_name: API Gateway Stage Without API Gateway UsagePlan Associated
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage
 c9d81239-c818-4869-9917-1570c62b81fd:
 categories:
@@ -46865,6 +50602,7 @@ rules:
 group: top10-insecure-design
 name: ca02f4e8-d3ae-4832-b7db-bb037516d9e7
 pretty_name: Request Body JSON Reference Does Not Exists
+ recommended: true
 ref: https://swagger.io/specification/#components-object
 ca2fba76-c1a7-4afd-be67-5249f861cb0e:
 categories:
@@ -46875,6 +50613,7 @@ rules:
 group: cloud-weak-configuration
 name: ca2fba76-c1a7-4afd-be67-5249f861cb0e
 pretty_name: Tiller (Helm v2) Is Deployed
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image
 ca469dd4-c736-448f-8ac1-30a642705e0a:
 categories:
@@ -46885,6 +50624,7 @@ rules:
 group: cloud-insecure-iam
 name: ca469dd4-c736-448f-8ac1-30a642705e0a
 pretty_name: CPU Requests Not Set
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#
 ca4df748-613a-4fbf-9c76-f02cbd580307:
 categories:
@@ -46895,6 +50635,7 @@ rules:
 group: cloud-insecure-iam
 name: ca4df748-613a-4fbf-9c76-f02cbd580307
 pretty_name: Default Azure Storage Account Network Access Is Too Permissive
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-public_network_access
 caa3479d-885d-4882-9aac-95e5e78ef5c2:
 categories:
@@ -46904,6 +50645,7 @@ rules:
 group: cloud-weak-configuration
 name: caa3479d-885d-4882-9aac-95e5e78ef5c2
 pretty_name: Image Pull Policy Of The Container Is Not Set To Always
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/containers/images/#updating-images
 caa93370-791f-4fc6-814b-ba6ce0cb4032:
 categories:
@@ -46914,6 +50656,7 @@ rules:
 group: cloud-weak-configuration
 name: caa93370-791f-4fc6-814b-ba6ce0cb4032
 pretty_name: Not Limited Capabilities For Pod Security Policy
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
 caf1793e-95dd-4b18-8d90-8f3c0ab5bddf:
 categories:
@@ -46924,6 +50667,7 @@ rules:
 group: cloud-weak-configuration
 name: caf1793e-95dd-4b18-8d90-8f3c0ab5bddf
 pretty_name: Invalid Format (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/
 cb2f612b-ed42-4ff5-9fb9-255c73d39a18:
 categories:
@@ -46933,6 +50677,7 @@ rules:
 group: cloud-weak-configuration
 name: cb2f612b-ed42-4ff5-9fb9-255c73d39a18
 pretty_name: Serverless Function Without Dead Letter Queue
+ recommended: true
 ref: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-deadletterqueue
 cb319d87-b90f-485e-a7e7-f2408380f309:
 categories:
@@ -46943,6 +50688,7 @@ rules:
 group: cloud-weak-secrets-management
 name: cb319d87-b90f-485e-a7e7-f2408380f309
 pretty_name: High KMS Key Rotation Period
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/kms_key
 cb3f5ed6-0d18-40de-a93d-b3538db31e8c:
 categories:
@@ -46953,6 +50699,7 @@ rules:
 group: top10-insecure-design
 name: cb3f5ed6-0d18-40de-a93d-b3538db31e8c
 pretty_name: Security Group Rule Without Description
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#description
 cb7e695d-6a85-495c-b15f-23aed2519303:
 categories:
@@ -46962,6 +50709,7 @@ rules:
 group: cloud-weak-secrets-management
 name: cb7e695d-6a85-495c-b15f-23aed2519303
 pretty_name: Not Unique Certificate Authority
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
 cb8e4bf0-903d-45c6-a278-9a947d82a27b:
 categories:
@@ -46972,6 +50720,7 @@ rules:
 group: top10-crypto-failures
 name: cb8e4bf0-903d-45c6-a278-9a947d82a27b
 pretty_name: Storage Account Not Forcing HTTPS
+ recommended: true
 ref: https://www.pulumi.com/registry/packages/azure-native/api-docs/storage/storageaccount/#enablehttpstrafficonly_yaml
 cbd2db69-0b21-4c14-8a40-7710a50571a9:
 categories:
@@ -46983,6 +50732,7 @@ rules:
 group: top10-crypto-failures
 name: cbd2db69-0b21-4c14-8a40-7710a50571a9
 pretty_name: Encryption Provider Config Is Not Defined
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 cbff2508-85c9-4448-a8b3-770070edf5ca:
 categories:
@@ -46993,6 +50743,7 @@ rules:
 group: top10-insecure-design
 name: cbff2508-85c9-4448-a8b3-770070edf5ca
 pretty_name: Schema Object With Circular Ref (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#definitionsObject
 cc4aaa9d-1070-461a-b519-04e00f42db8a:
 categories:
@@ -47005,6 +50756,7 @@ rules:
 group: top10-insecure-design
 name: cc4aaa9d-1070-461a-b519-04e00f42db8a
 pretty_name: App Service Without Latest Python Version
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#python_version
 cc8b294f-006f-4f8f-b5bb-0a9140c33131:
 categories:
@@ -47014,6 +50766,7 @@ rules:
 group: cloud-weak-configuration
 name: cc8b294f-006f-4f8f-b5bb-0a9140c33131
 pretty_name: Wildcard In ACM Certificate Domain Name
+ recommended: true
 ref: https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
 cc997676-481b-4e93-aa81-d19f8c5e9b12:
 categories:
@@ -47023,6 +50776,7 @@ rules:
 group: top10-crypto-failures
 name: cc997676-481b-4e93-aa81-d19f8c5e9b12
 pretty_name: EBS Volume Encryption Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted
 ccc3100c-0fdd-4a5e-9908-c10107291860:
 categories:
@@ -47035,6 +50789,7 @@ rules:
 group: top10-crypto-failures
 name: ccc3100c-0fdd-4a5e-9908-c10107291860
 pretty_name: DNSSEC Using RSASHA1
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone#algorithm
 ccc98ff7-68a7-436e-9218-185cb0b0b780:
 categories:
@@ -47046,6 +50801,7 @@ rules:
 group: top10-crypto-failures
 name: ccc98ff7-68a7-436e-9218-185cb0b0b780
 pretty_name: Service Account Private Key File Not Defined
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/
 ccd0613f-cb77-4684-a892-183bd2674d12:
 categories:
@@ -47057,6 +50813,7 @@ rules:
 group: top10-insecure-design
 name: ccd0613f-cb77-4684-a892-183bd2674d12
 pretty_name: Path Parameter Not Required (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#parameterObject
 cd290efd-6c82-4e9d-a698-be12ae31d536:
 categories:
@@ -47066,6 +50823,7 @@ rules:
 group: cloud-insecure-iam
 name: cd290efd-6c82-4e9d-a698-be12ae31d536
 pretty_name: Shared Host IPC Namespace
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
 cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b:
 categories:
@@ -47075,6 +50833,7 @@ rules:
 group: top10-insecure-design
 name: cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b
 pretty_name: Encoding Map Key Mismatch Schema Defined Properties
+ recommended: true
 ref: https://swagger.io/specification/#media-type-object
 cdbb0467-2957-4a77-9992-7b55b29df7b7:
 categories:
@@ -47086,6 +50845,7 @@ rules:
 group: cloud-resources-public-access
 name: cdbb0467-2957-4a77-9992-7b55b29df7b7
 pretty_name: Security Groups With Exposed Admin Ports
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html
 cdc8b54e-6b16-4538-a1b0-35849dbe29cf:
 categories:
@@ -47097,6 +50857,7 @@ rules:
 group: cloud-resources-public-access
 name: cdc8b54e-6b16-4538-a1b0-35849dbe29cf
 pretty_name: Kubelet HTTPS Set To False
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 cdddb86f-95f6-4fc4-b5a1-483d9afceb2b:
 categories:
@@ -47108,6 +50869,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: cdddb86f-95f6-4fc4-b5a1-483d9afceb2b
 pretty_name: COPY '--from' References Current FROM Alias
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/multistage-build/
 ce089fd4-1406-47bd-8aad-c259772bb294:
 categories:
@@ -47117,6 +50879,7 @@ rules:
 group: top10-crypto-failures
 name: ce089fd4-1406-47bd-8aad-c259772bb294
 pretty_name: DynamoDB Table Not Encrypted
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#server_side_encryption
 ce14a68b-1668-41a0-ab7d-facd9f784742:
 categories:
@@ -47127,6 +50890,7 @@ rules:
 group: cloud-resources-public-access
 name: ce14a68b-1668-41a0-ab7d-facd9f784742
 pretty_name: Networks Not Set
+ recommended: true
 ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#networks
 ce30e584-b33f-4c7d-b418-a3d7027f8f60:
 categories:
@@ -47138,6 +50902,7 @@ rules:
 group: cloud-insecure-iam
 name: ce30e584-b33f-4c7d-b418-a3d7027f8f60
 pretty_name: Always Admit Admission Control Plugin Set
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 ce60cc6b-6831-4bd7-84a2-cc7f8ee71433:
 categories:
@@ -47147,6 +50912,7 @@ rules:
 group: top10-crypto-failures
 name: ce60cc6b-6831-4bd7-84a2-cc7f8ee71433
 pretty_name: SSM Session Transit Encryption Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_document#content
 ce60d060-efb8-4bfd-9cf7-ff8945d00d90:
 categories:
@@ -47156,6 +50922,7 @@ rules:
 group: top10-insecure-design
 name: ce60d060-efb8-4bfd-9cf7-ff8945d00d90
 pretty_name: Misconfigured Password Policy Expiration
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy
 ce76b7d0-9e77-464d-b86f-c5c48e03e22d:
 categories:
@@ -47167,6 +50934,7 @@ rules:
 group: cloud-insecure-iam
 name: ce76b7d0-9e77-464d-b86f-c5c48e03e22d
 pretty_name: Container Capabilities Unrestricted
+ recommended: true
 ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop
 ce7c874e-1b88-450b-a5e4-cb76ada3c8a9:
 categories:
@@ -47176,6 +50944,7 @@ rules:
 group: top10-crypto-failures
 name: ce7c874e-1b88-450b-a5e4-cb76ada3c8a9
 pretty_name: Github Organization Webhook With SSL Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/github/latest/docs/resources/organization_webhook
 ce9dfce0-5fc8-433b-944a-3b16153111a8:
 categories:
@@ -47188,6 +50957,7 @@ rules:
 group: cloud-insecure-iam
 name: ce9dfce0-5fc8-433b-944a-3b16153111a8
 pretty_name: SSO Permission With Inadequate User Session Duration
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set
 ceefb058-8065-418f-9c4c-584a78c7e104:
 categories:
@@ -47197,6 +50967,7 @@ rules:
 group: cloud-insecure-iam
 name: ceefb058-8065-418f-9c4c-584a78c7e104
 pretty_name: Operation Using Basic Auth
+ recommended: true
 ref: https://swagger.io/specification/v2/#operation-object
 cefdad16-0dd5-4ac5-8ed2-a37502c78672:
 categories:
@@ -47207,6 +50978,7 @@ rules:
 group: cloud-insecure-iam
 name: cefdad16-0dd5-4ac5-8ed2-a37502c78672
 pretty_name: Service Account with Improper Privileges
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/iam_policy#role
 cf34805e-3872-4c08-bf92-6ff7bb0cfadb:
 categories:
@@ -47218,6 +50990,7 @@ rules:
 group: top10-insecure-design
 name: cf34805e-3872-4c08-bf92-6ff7bb0cfadb
 pretty_name: Container Running As Root
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 cf3c7631-cd1e-42f3-8801-a561214a6e79:
 categories:
@@ -47229,6 +51002,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: cf3c7631-cd1e-42f3-8801-a561214a6e79
 pretty_name: SQL DB Instance Backup Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance
 cf4a5f45-a27b-49df-843a-9911dbfe71d4:
 categories:
@@ -47238,6 +51012,7 @@ rules:
 group: top10-insecure-design
 name: cf4a5f45-a27b-49df-843a-9911dbfe71d4
 pretty_name: Invalid Media Type Value (v3)
+ recommended: true
 ref: https://swagger.io/specification/#media-type-object
 cfdcabb0-fc06-427c-865b-c59f13e898ce:
 categories:
@@ -47249,6 +51024,7 @@ rules:
 group: top10-crypto-failures
 name: cfdcabb0-fc06-427c-865b-c59f13e898ce
 pretty_name: Redshift Not Encrypted
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#encrypted
 cfdef2e5-1fe4-4ef4-bea8-c56e08963150:
 categories:
@@ -47259,6 +51035,7 @@ rules:
 group: top10-insecure-design
 name: cfdef2e5-1fe4-4ef4-bea8-c56e08963150
 pretty_name: ElastiCache Nodes Not Created Across Multi AZ
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html
 cff9c3f7-e8f0-455f-9fb4-5f72326da96e:
 categories:
@@ -47269,6 +51046,7 @@ rules:
 group: top10-insecure-design
 name: cff9c3f7-e8f0-455f-9fb4-5f72326da96e
 pretty_name: Secret Without Expiration Date
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/secrets?tabs=json#SecretAttributes
 d0b4d550-c001-46c3-bbdb-d5d75d33f05f:
 categories:
@@ -47278,6 +51056,7 @@ rules:
 group: cloud-weak-configuration
 name: d0b4d550-c001-46c3-bbdb-d5d75d33f05f
 pretty_name: OSLogin Is Disabled For VM Instance
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance
 d0c13053-d2c8-44a6-95da-d592996e9e67:
 categories:
@@ -47288,6 +51067,7 @@ rules:
 group: cloud-weak-configuration
 name: d0c13053-d2c8-44a6-95da-d592996e9e67
 pretty_name: CloudFront Without Minimum Protocol TLS 1.2
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html#parameter-viewer_certificate/minimum_protocol_version
 d0cc8694-fcad-43ff-ac86-32331d7e867f:
 categories:
@@ -47297,6 +51077,7 @@ rules:
 group: cloud-insecure-iam
 name: d0cc8694-fcad-43ff-ac86-32331d7e867f
 pretty_name: S3 Bucket Allows Public ACL
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block
 d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb:
 categories:
@@ -47307,6 +51088,7 @@ rules:
 group: top10-crypto-failures
 name: d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb
 pretty_name: SQL DB Instance With SSL Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/ip_configuration/require_ssl
 d15db953-a553-4b8a-9a14-a3d62ea3d79d:
 categories:
@@ -47317,6 +51099,7 @@ rules:
 group: top10-insecure-design
 name: d15db953-a553-4b8a-9a14-a3d62ea3d79d
 pretty_name: Components Callback Definition Is Unused
+ recommended: true
 ref: https://swagger.io/specification/#components-object
 d172a060-8569-4412-8045-3560ebd477e8:
 categories:
@@ -47326,6 +51109,7 @@ rules:
 group: top10-insecure-design
 name: d172a060-8569-4412-8045-3560ebd477e8
 pretty_name: Object Without Required Property (v3)
+ recommended: true
 ref: https://swagger.io/specification/
 d1846b12-20c5-4d45-8798-fc35b79268eb:
 categories:
@@ -47336,6 +51120,7 @@ rules:
 group: cloud-weak-configuration
 name: d1846b12-20c5-4d45-8798-fc35b79268eb
 pretty_name: ECR Image Tag Not Immutable
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
 d2361d58-361c-49f0-9e50-b957fd608b29:
 categories:
@@ -47346,6 +51131,7 @@ rules:
 group: top10-insecure-design
 name: d2361d58-361c-49f0-9e50-b957fd608b29
 pretty_name: Schema With Both ReadOnly And WriteOnly
+ recommended: true
 ref: https://swagger.io/specification/#schema-object
 d24389b4-b209-4ff0-8345-dc7a4569dcdd:
 categories:
@@ -47356,6 +51142,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: d24389b4-b209-4ff0-8345-dc7a4569dcdd
 pretty_name: ECS Task Definition HealthCheck Missing
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-healthcheck.html
 d24c0755-c028-44b1-b503-8e719c898832:
 categories:
@@ -47369,6 +51156,7 @@ rules:
 group: cloud-insecure-iam
 name: d24c0755-c028-44b1-b503-8e719c898832
 pretty_name: S3 Bucket Allows Put Action From All Principals
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy
 d25edb51-07fb-4a73-97d4-41cecdc53a22:
 categories:
@@ -47378,6 +51166,7 @@ rules:
 group: cloud-insecure-iam
 name: d25edb51-07fb-4a73-97d4-41cecdc53a22
 pretty_name: Glue With Vulnerable Policy
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/glue_resource_policy#policy
 d2731f3d-a992-44ed-812e-f4f1c2747d71:
 categories:
@@ -47387,6 +51176,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: d2731f3d-a992-44ed-812e-f4f1c2747d71
 pretty_name: VPC Flow Logs Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/vpc_flow_log
 d2ad057f-0928-41ef-a83c-f59203bb855b:
 categories:
@@ -47397,6 +51187,7 @@ rules:
 group: cloud-weak-configuration
 name: d2ad057f-0928-41ef-a83c-f59203bb855b
 pretty_name: Dashboard Is Enabled
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
 d31cb911-bf5b-4eb6-9fc3-16780c77c7bd:
 categories:
@@ -47408,6 +51199,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: d31cb911-bf5b-4eb6-9fc3-16780c77c7bd
 pretty_name: CloudFront Logging Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html
 d3499f6d-1651-41bb-a9a7-de925fea487b:
 categories:
@@ -47418,6 +51210,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: d3499f6d-1651-41bb-a9a7-de925fea487b
 pretty_name: Unpinned Package Version in Apk Add
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
 d364984a-a222-4b5f-a8b0-e23ab19ebff3:
 categories:
@@ -47429,6 +51222,7 @@ rules:
 group: top10-crypto-failures
 name: d364984a-a222-4b5f-a8b0-e23ab19ebff3
 pretty_name: Athena Workgroup Not Encrypted
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_workgroup#encryption_configuration
 d395a950-12ce-4314-a742-ac5a785ab44e:
 categories:
@@ -47442,6 +51236,7 @@ rules:
 group: cloud-insecure-iam
 name: d395a950-12ce-4314-a742-ac5a785ab44e
 pretty_name: S3 Bucket Allows List Action From All Principals
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html
 d39761d7-94ab-45b0-ab5e-27c44e381d58:
 categories:
@@ -47452,6 +51247,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: d39761d7-94ab-45b0-ab5e-27c44e381d58
 pretty_name: Stack Notifications Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudformation_module.html#parameter-notification_arns
 d3ea644a-9a5c-4fee-941f-f8a6786c0470:
 categories:
@@ -47463,6 +51259,7 @@ rules:
 group: top10-insecure-design
 name: d3ea644a-9a5c-4fee-941f-f8a6786c0470
 pretty_name: Property 'style' of Encoding Object Ignored
+ recommended: true
 ref: https://swagger.io/specification/#encoding-object
 d40210ea-64b9-4cce-a4fb-e8604f3c062c:
 categories:
@@ -47474,6 +51271,7 @@ rules:
 group: top10-crypto-failures
 name: d40210ea-64b9-4cce-a4fb-e8604f3c062c
 pretty_name: ECS Task Definition Container With Plaintext Password
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition
 d40f27e6-15fb-4b56-90f8-fc0ff0291c51:
 categories:
@@ -47483,6 +51281,7 @@ rules:
 group: top10-insecure-design
 name: d40f27e6-15fb-4b56-90f8-fc0ff0291c51
 pretty_name: Parameter Object With Incorrect Ref (v3)
+ recommended: true
 ref: https://swagger.io/specification/#parameter-object
 d43366c5-80b0-45de-bbe8-2338f4ab0a83:
 categories:
@@ -47493,6 +51292,7 @@ rules:
 group: cloud-resources-public-access
 name: d43366c5-80b0-45de-bbe8-2338f4ab0a83
 pretty_name: GKE Master Authorized Networks Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html#parameter-master_authorized_networks_config/enabled
 d45330fd-f58d-45fb-a682-6481477a0f84:
 categories:
@@ -47507,6 +51307,7 @@ rules:
 group: cloud-insecure-iam
 name: d45330fd-f58d-45fb-a682-6481477a0f84
 pretty_name: RBAC Roles with Attach Permission
+ recommended: true
 ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 d47940ca-5970-45cc-bdd1-4d81398cee1f:
 categories:
@@ -47516,6 +51317,7 @@ rules:
 group: top10-insecure-design
 name: d47940ca-5970-45cc-bdd1-4d81398cee1f
 pretty_name: Operation Summary Too Long
+ recommended: true
 ref: https://swagger.io/specification/v2/#operation-object
 d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5:
 categories:
@@ -47526,6 +51328,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5
 pretty_name: CloudTrail Logging Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html#parameter-enable_logging
 d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd:
 categories:
@@ -47536,6 +51339,7 @@ rules:
 group: top10-insecure-design
 name: d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd
 pretty_name: Header Response Name Is Invalid (v3)
+ recommended: true
 ref: https://swagger.io/specification/#response-object
 d532566b-8d9d-4f3b-80bd-361fe802f9c2:
 categories:
@@ -47545,6 +51349,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: d532566b-8d9d-4f3b-80bd-361fe802f9c2
 pretty_name: Root Container Not Mounted As Read-only
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#read_only_root_filesystem
 d53323be-dde6-4457-9a43-42df737e71d2:
 categories:
@@ -47564,6 +51369,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: d53f4123-f8d8-4224-8cb3-f920b151cc98
 pretty_name: RDS Instance Log Disconnections Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters
 d58c6f24-3763-4269-9f5b-86b2569a003b:
 categories:
@@ -47575,6 +51381,7 @@ rules:
 group: cloud-weak-configuration
 name: d58c6f24-3763-4269-9f5b-86b2569a003b
 pretty_name: Google Container Node Pool Auto Repair Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html
 d5d1fe08-89db-440c-8725-b93223387309:
 categories:
@@ -47586,6 +51393,7 @@ rules:
 group: top10-crypto-failures
 name: d5d1fe08-89db-440c-8725-b93223387309
 pretty_name: Serverless API Without Content Encoding
+ recommended: true
 ref: https://www.serverless.com/framework/docs/providers/aws/events/apigateway#compression
 d5e83b32-56dd-4247-8c2e-074f43b38a5e:
 categories:
@@ -47596,6 +51404,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: d5e83b32-56dd-4247-8c2e-074f43b38a5e
 pretty_name: AKS Monitoring Logging Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_aks_module.html
 d5ec2080-340a-4259-b885-f833c4ea6a31:
 categories:
@@ -47606,6 +51415,7 @@ rules:
 group: cloud-weak-configuration
 name: d5ec2080-340a-4259-b885-f833c4ea6a31
 pretty_name: Certificate RSA Key Bytes Lower Than 256
+ recommended: true
 ref: https://docs.ansible.com/ansible/2.10/collections/community/aws/aws_acm_module.html
 d6047119-a0b2-4b59-a4f2-127a36fb685b:
 categories:
@@ -47616,6 +51426,7 @@ rules:
 group: cloud-insecure-iam
 name: d6047119-a0b2-4b59-a4f2-127a36fb685b
 pretty_name: Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy
 d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b:
 categories:
@@ -47627,6 +51438,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b
 pretty_name: Docker Socket Mounted In Container
+ recommended: true
 ref: https://docs.docker.com/compose/compose-file/#volumes
 d6653eee-2d4d-4e6a-976f-6794a497999a:
 categories:
@@ -47638,6 +51450,7 @@ rules:
 group: top10-crypto-failures
 name: d6653eee-2d4d-4e6a-976f-6794a497999a
 pretty_name: API Gateway With Invalid Compression
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html
 d674aea4-ba8b-454b-bb97-88a772ea33f0:
 categories:
@@ -47649,6 +51462,7 @@ rules:
 group: cloud-insecure-iam
 name: d674aea4-ba8b-454b-bb97-88a772ea33f0
 pretty_name: Global Security Field Has An Empty Array (v3)
+ recommended: true
 ref: https://swagger.io/specification/#security-requirement-object
 d6c2d06f-43c1-488a-9ba1-8d75b40fc62d:
 categories:
@@ -47660,6 +51474,7 @@ rules:
 group: cloud-resources-public-access
 name: d6c2d06f-43c1-488a-9ba1-8d75b40fc62d
 pretty_name: Elasticsearch with HTTPS disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/devel/collections/community/aws/opensearch_module.html
 d6cabc3a-d57e-48c2-b341-bf3dd4f4a120:
 categories:
@@ -47670,6 +51485,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: d6cabc3a-d57e-48c2-b341-bf3dd4f4a120
 pretty_name: Cloud Storage Bucket Logging Not Enabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#log_bucket
 d6e10477-2e19-4bcd-b8a8-19c65b89ccdf:
 categories:
@@ -47681,6 +51497,7 @@ rules:
 group: cloud-insecure-iam
 name: d6e10477-2e19-4bcd-b8a8-19c65b89ccdf
 pretty_name: Node Auto Upgrade Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html#parameter-management/auto_upgrade
 d6fae5b6-ada9-46c0-8b36-3108a2a2f77b:
 categories:
@@ -47691,6 +51508,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: d6fae5b6-ada9-46c0-8b36-3108a2a2f77b
 pretty_name: PostgreSQL Logging Of Temporary Files Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags
 d71b5fd7-9020-4b2d-9ec8-b3839faa2744:
 categories:
@@ -47701,6 +51519,7 @@ rules:
 group: cloud-insecure-iam
 name: d71b5fd7-9020-4b2d-9ec8-b3839faa2744
 pretty_name: Support Has No Role Associated
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html
 d72a7869-e8b9-4e12-bcd2-e8be10b39fa7:
 categories:
@@ -47710,6 +51529,7 @@ rules:
 group: top10-insecure-design
 name: d72a7869-e8b9-4e12-bcd2-e8be10b39fa7
 pretty_name: IAM Password Without Symbol
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user
 d740d048-8ed3-49d3-b77b-6f072f3b669e:
 categories:
@@ -47720,6 +51540,7 @@ rules:
 group: cloud-insecure-iam
 name: d740d048-8ed3-49d3-b77b-6f072f3b669e
 pretty_name: StatefulSet Has No PodAntiAffinity
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
 d7467bb6-3ed1-4c82-8095-5e7a818d0aad:
 categories:
@@ -47730,6 +51551,7 @@ rules:
 group: top10-crypto-failures
 name: d7467bb6-3ed1-4c82-8095-5e7a818d0aad
 pretty_name: CodeBuild Not Encrypted
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html
 d7a5616f-0a3f-4d43-bc2b-29d1a183e317:
 categories:
@@ -47741,6 +51563,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: d7a5616f-0a3f-4d43-bc2b-29d1a183e317
 pretty_name: PostgreSQL Log Connections Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags
 d7b9d850-3e06-4a75-852f-c46c2e92240b:
 categories:
@@ -47750,6 +51573,7 @@ rules:
 group: cloud-weak-secrets-management
 name: d7b9d850-3e06-4a75-852f-c46c2e92240b
 pretty_name: Hardcoded AWS Access Key
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance
 d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28:
 categories:
@@ -47762,6 +51586,7 @@ rules:
 group: cloud-resources-public-access
 name: d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28
 pretty_name: Unrestricted SQL Server Access
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_firewall_rule
 d83bebc8-4e5e-4241-b783-cba9fb5a1c9a:
 categories:
@@ -47771,6 +51596,7 @@ rules:
 group: top10-insecure-design
 name: d83bebc8-4e5e-4241-b783-cba9fb5a1c9a
 pretty_name: Invalid Contact Email (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#contactObject
 d855ced8-6157-448f-9f1d-f05a41d046f7:
 categories:
@@ -47781,6 +51607,7 @@ rules:
 group: cloud-insecure-iam
 name: d855ced8-6157-448f-9f1d-f05a41d046f7
 pretty_name: Default Azure Storage Account Network Access Is Too Permissive
+ recommended: true
 ref: https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts
 d86655c0-92f6-4ffc-b4d5-5b5775804c27:
 categories:
@@ -47790,6 +51617,7 @@ rules:
 group: top10-insecure-design
 name: d86655c0-92f6-4ffc-b4d5-5b5775804c27
 pretty_name: Responses With Wrong HTTP Status Code (v3)
+ recommended: true
 ref: https://swagger.io/specification/#responses-object
 d89a15bb-8dba-4c71-9529-bef6729b9c09:
 categories:
@@ -47800,6 +51628,7 @@ rules:
 group: top10-insecure-design
 name: d89a15bb-8dba-4c71-9529-bef6729b9c09
 pretty_name: Request Timeout Not Properly Set
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 d8c57c4e-bf6f-4e32-a2bf-8643532de77b:
 categories:
@@ -47810,6 +51639,7 @@ rules:
 group: cloud-weak-secrets-management
 name: d8c57c4e-bf6f-4e32-a2bf-8643532de77b
 pretty_name: High Google KMS Crypto Key Rotation Period
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_crypto_key
 d90d4e40-44c1-4125-87a0-e072c3e195b5:
 categories:
@@ -47820,6 +51650,7 @@ rules:
 group: cloud-insecure-iam
 name: d90d4e40-44c1-4125-87a0-e072c3e195b5
 pretty_name: Cleartext API Key In Operation Security (v3)
+ recommended: true
 ref: https://swagger.io/specification/#security-scheme-object
 d926aa95-0a04-4abc-b20c-acf54afe38a1:
 categories:
@@ -47829,6 +51660,7 @@ rules:
 group: top10-crypto-failures
 name: d926aa95-0a04-4abc-b20c-acf54afe38a1
 pretty_name: ElasticSearch Encryption With KMS Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-encryptionatrestoptions
 d929c031-078f-4241-b802-e224656ad890:
 categories:
@@ -47839,6 +51671,7 @@ rules:
 group: cloud-weak-configuration
 name: d929c031-078f-4241-b802-e224656ad890
 pretty_name: Invalid Format (v3)
+ recommended: true
 ref: https://swagger.io/docs/specification/data-models/data-types/
 d991e4ae-42ab-429b-ab43-d5e5fa9ca633:
 categories:
@@ -47851,6 +51684,7 @@ rules:
 group: top10-insecure-design
 name: d991e4ae-42ab-429b-ab43-d5e5fa9ca633
 pretty_name: EC2 Not EBS Optimized
+ recommended: true
 ref: https://www.pulumi.com/registry/packages/aws/api-docs/ec2/instance/#ebsoptimized_yaml
 d994585f-defb-4b51-b6d2-c70f020ceb10:
 categories:
@@ -47862,6 +51696,7 @@ rules:
 group: cloud-insecure-iam
 name: d994585f-defb-4b51-b6d2-c70f020ceb10
 pretty_name: SQS Policy With Public Access
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html
 d9dc6429-5140-498a-8f55-a10daac5f000:
 categories:
@@ -47874,6 +51709,7 @@ rules:
 group: cloud-weak-configuration
 name: d9dc6429-5140-498a-8f55-a10daac5f000
 pretty_name: RDS DB Instance Publicly Accessible
+ recommended: true
 ref: https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/v1beta1@v0.17.0
 da31d54b-ad54-41dc-95eb-8b3828629213:
 categories:
@@ -47885,6 +51721,7 @@ rules:
 group: cloud-insecure-iam
 name: da31d54b-ad54-41dc-95eb-8b3828629213
 pretty_name: Global Security Field Has An Empty Array (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#security-requirement-object
 da4f2739-174f-4cdd-b9ef-dc3f14b5931f:
 categories:
@@ -47896,6 +51733,7 @@ rules:
 group: cloud-weak-configuration
 name: da4f2739-174f-4cdd-b9ef-dc3f14b5931f
 pretty_name: Security Group is Not Configured
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_subnet_module.html
 da905474-7454-43c0-b8d2-5756ab951aba:
 categories:
@@ -47908,6 +51746,7 @@ rules:
 group: cloud-weak-configuration
 name: da905474-7454-43c0-b8d2-5756ab951aba
 pretty_name: KMS Key With Full Permissions
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-keypolicy
 da9f3aa8-fbfb-472f-b5a1-576127944218:
 categories:
@@ -47918,6 +51757,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: da9f3aa8-fbfb-472f-b5a1-576127944218
 pretty_name: Audit Log Maxage Not Properly Set
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 daa581ef-731c-4121-832d-cf078f67759d:
 categories:
@@ -47928,6 +51768,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: daa581ef-731c-4121-832d-cf078f67759d
 pretty_name: EC2 Instance Monitoring Disabled
+ recommended: true
 ref: https://www.pulumi.com/registry/packages/aws/api-docs/ec2/instance/#monitoring_yaml
 daaace5f-c0dc-4835-b526-7a116b7f4b4e:
 categories:
@@ -47937,6 +51778,7 @@ rules:
 group: top10-insecure-design
 name: daaace5f-c0dc-4835-b526-7a116b7f4b4e
 pretty_name: Enum Name Not CamelCase
+ recommended: true
 ref: https://developers.google.com/protocol-buffers/docs/reference/proto3-spec#enum_definition
 dab4ec72-ce2e-4732-b7c3-1757dcce01a1:
 categories:
@@ -47947,6 +51789,7 @@ rules:
 group: cloud-weak-secrets-management
 name: dab4ec72-ce2e-4732-b7c3-1757dcce01a1
 pretty_name: Service Account Key File Not Properly Set
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 dadc2f36-1f5a-46c0-8289-75e626583123:
 categories:
@@ -47956,6 +51799,7 @@ rules:
 group: top10-insecure-design
 name: dadc2f36-1f5a-46c0-8289-75e626583123
 pretty_name: Schema Discriminator Property Not String (v3)
+ recommended: true
 ref: https://swagger.io/specification/#discriminator-object
 dae9c373-8287-462f-8746-6f93dad93610:
 categories:
@@ -47965,6 +51809,7 @@ rules:
 group: cloud-resources-public-access
 name: dae9c373-8287-462f-8746-6f93dad93610
 pretty_name: Security Group Egress With Port Range
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-egress.html
 dafe30ec-325d-4516-85d1-e8e6776f012c:
 categories:
@@ -47975,6 +51820,7 @@ rules:
 group: top10-insecure-design
 name: dafe30ec-325d-4516-85d1-e8e6776f012c
 pretty_name: Azure Instance Using Basic Authentication
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine#admin_ssh_key
 db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8:
 categories:
@@ -47985,6 +51831,7 @@ rules:
 group: cloud-insecure-iam
 name: db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8
 pretty_name: CloudWatch Logs Destination With Vulnerable Policy
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_destination_policy#access_policy
 db78d14b-10e5-4e6e-84b1-dace6327b1ec:
 categories:
@@ -47995,6 +51842,7 @@ rules:
 group: cloud-insecure-iam
 name: db78d14b-10e5-4e6e-84b1-dace6327b1ec
 pretty_name: Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy
 dbbc6705-d541-43b0-b166-dd4be8208b54:
 categories:
@@ -48004,6 +51852,7 @@ rules:
 group: cloud-weak-configuration
 name: dbbc6705-d541-43b0-b166-dd4be8208b54
 pretty_name: NET_RAW Capabilities Not Being Dropped
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 dbe058d7-b82e-430b-8426-992b2e4677e7:
 categories:
@@ -48013,6 +51862,7 @@ rules:
 group: cloud-weak-configuration
 name: dbe058d7-b82e-430b-8426-992b2e4677e7
 pretty_name: COS Node Image Not Used
+ recommended: true
 ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters.nodePools
 dbfc834a-56e5-4750-b5da-73fda8e73f70:
 categories:
@@ -48022,6 +51872,7 @@ rules:
 group: top10-crypto-failures
 name: dbfc834a-56e5-4750-b5da-73fda8e73f70
 pretty_name: SLB Policy With Insecure TLS Version In Use
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/slb_tls_cipher_policy
 dc126833-125a-40fb-905a-ce5f2afde240:
 categories:
@@ -48032,6 +51883,7 @@ rules:
 group: cloud-weak-configuration
 name: dc126833-125a-40fb-905a-ce5f2afde240
 pretty_name: GKE Using Default Service Account
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html#parameter-node_config/service_account
 dc158941-28ce-481d-a7fa-dc80761edf46:
 categories:
@@ -48041,6 +51893,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: dc158941-28ce-481d-a7fa-dc80761edf46
 pretty_name: RDS Instance Retention Period Not Recommended
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#sql_collector_config_value
 dc17ee4b-ddf2-4e23-96e8-7a36abad1303:
 categories:
@@ -48051,6 +51904,7 @@ rules:
 group: cloud-weak-configuration
 name: dc17ee4b-ddf2-4e23-96e8-7a36abad1303
 pretty_name: CloudFront Without Minimum Protocol TLS 1.2
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html
 dc1ab429-1481-4540-9b1d-280e3f15f1f8:
 categories:
@@ -48061,6 +51915,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: dc1ab429-1481-4540-9b1d-280e3f15f1f8
 pretty_name: Serverless Function Without X-Ray Tracing
+ recommended: true
 ref: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-tracing
 dc5c5fee-6c53-43b0-ab11-4c660e064aaf:
 categories:
@@ -48073,6 +51928,7 @@ rules:
 group: cloud-insecure-iam
 name: dc5c5fee-6c53-43b0-ab11-4c660e064aaf
 pretty_name: Node Auto Upgrade Disabled
+ recommended: true
 ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters
 dcda2d32-e482-43ee-a926-75eaabeaa4e0:
 categories:
@@ -48083,6 +51939,7 @@ rules:
 group: cloud-insecure-iam
 name: dcda2d32-e482-43ee-a926-75eaabeaa4e0
 pretty_name: RAM Security Preference Not Enforce MFA Login
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_security_preference#enforce_mfa_for_login
 dd0971a6-09c3-4168-8474-a7ef8fbfd99d:
 categories:
@@ -48092,6 +51949,7 @@ rules:
 group: top10-crypto-failures
 name: dd0971a6-09c3-4168-8474-a7ef8fbfd99d
 pretty_name: Memcached Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html#cfn-elasticache-cachecluster-engine
 dd29336b-fe57-445b-a26e-e6aa867ae609:
 categories:
@@ -48103,6 +51961,7 @@ rules:
 group: cloud-weak-configuration
 name: dd29336b-fe57-445b-a26e-e6aa867ae609
 pretty_name: Container Is Privileged
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/workloads/pods/#privileged-mode-for-containers
 dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299:
 categories:
@@ -48114,6 +51973,7 @@ rules:
 group: cloud-insecure-iam
 name: dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299
 pretty_name: Storage Container Is Publicly Accessible
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container#container_access_type
 dd667399-8d9d-4a8d-bbb4-e49ab53b2f52:
 categories:
@@ -48124,6 +51984,7 @@ rules:
 group: cloud-weak-configuration
 name: dd667399-8d9d-4a8d-bbb4-e49ab53b2f52
 pretty_name: DB Security Group Has Public Interface
+ recommended: true
 ref: https://doc.crds.dev/github.com/crossplane/provider-aws/ec2.aws.crossplane.io/SecurityGroup/v1beta1@v0.29.0#spec-forProvider-ingress-ipRanges-cidrIp
 dd690686-2bf9-4012-a821-f61912dd77be:
 categories:
@@ -48136,6 +51997,7 @@ rules:
 group: cloud-weak-configuration
 name: dd690686-2bf9-4012-a821-f61912dd77be
 pretty_name: Client Certificate Disabled
+ recommended: true
 ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters
 dd706080-b7a8-47dc-81fb-3e8184430ec0:
 categories:
@@ -48146,6 +52008,7 @@ rules:
 group: cloud-resources-public-access
 name: dd706080-b7a8-47dc-81fb-3e8184430ec0
 pretty_name: Public Security Group Rule Unknown Port
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/security_group_rule#port_range
 dd7d70aa-a6ec-460d-b5d2-38b40253b16f:
 categories:
@@ -48166,6 +52029,7 @@ rules:
 group: cloud-resources-public-access
 name: ddfc4eaa-af23-409f-b96c-bf5c45dc4daa
 pretty_name: HTTP Port Open To Internet
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html
 de2b4910-8484-46d6-a055-dc1e793ee3ff:
 categories:
@@ -48175,6 +52039,7 @@ rules:
 group: top10-insecure-design
 name: de2b4910-8484-46d6-a055-dc1e793ee3ff
 pretty_name: Invalid License URL (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#licenseObject
 de38e1d5-54cb-4111-a868-6f7722695007:
 categories:
@@ -48186,6 +52051,7 @@ rules:
 group: cloud-weak-configuration
 name: de38e1d5-54cb-4111-a868-6f7722695007
 pretty_name: RDS DB Instance Publicly Accessible
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html
 de4421f1-4e35-43b4-9783-737dd4e4a47e:
 categories:
@@ -48197,6 +52063,7 @@ rules:
 group: cloud-insecure-iam
 name: de4421f1-4e35-43b4-9783-737dd4e4a47e
 pretty_name: PSP With Unrestricted Access to Host Path
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
 de76a0d6-66d5-45c9-9022-f05545b85c78:
 categories:
@@ -48207,6 +52074,7 @@ rules:
 group: top10-crypto-failures
 name: de76a0d6-66d5-45c9-9022-f05545b85c78
 pretty_name: Redshift Cluster Without KMS CMK
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html
 de77cd9f-0e8b-46cc-b4a4-b6b436838642:
 categories:
@@ -48218,6 +52086,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: de77cd9f-0e8b-46cc-b4a4-b6b436838642
 pretty_name: CloudFront Logging Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/logging-and-monitoring.html
 de7f5e83-da88-4046-871f-ea18504b1d43:
 categories:
@@ -48228,6 +52097,7 @@ rules:
 group: cloud-resources-public-access
 name: de7f5e83-da88-4046-871f-ea18504b1d43
 pretty_name: ALB Listening on HTTP
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener
 de92dd34-1b88-43e8-b825-6e02d73c4549:
 categories:
@@ -48237,6 +52107,7 @@ rules:
 group: top10-insecure-design
 name: de92dd34-1b88-43e8-b825-6e02d73c4549
 pretty_name: IAM Password Without Lowercase Letter
+ recommended: true
 ref: https://www.pulumi.com/registry/packages/aws/api-docs/iam/accountpasswordpolicy/#requirelowercasecharacters_yaml
 dec7bc85-d156-4f64-9a33-96ed3d9f3fed:
 categories:
@@ -48247,6 +52118,7 @@ rules:
 group: cloud-weak-configuration
 name: dec7bc85-d156-4f64-9a33-96ed3d9f3fed
 pretty_name: Serverless Function Without Dead Letter Queue
+ recommended: true
 ref: https://www.serverless.com/framework/docs/providers/aws/guide/functions#dead-letter-queue-dlq
 ded017bf-fb13-4f8d-868b-84aebcc572ad:
 categories:
@@ -48257,6 +52129,7 @@ rules:
 group: top10-insecure-design
 name: ded017bf-fb13-4f8d-868b-84aebcc572ad
 pretty_name: Schema Object Properties With Duplicated Keys (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#schemaObject
 dee21308-2a7a-49de-8ff7-c9b87e188575:
 categories:
@@ -48267,6 +52140,7 @@ rules:
 group: cloud-resources-public-access
 name: dee21308-2a7a-49de-8ff7-c9b87e188575
 pretty_name: SSH Access Is Not Restricted
+ recommended: true
 ref: https://cloud.google.com/compute/docs/reference/rest/v1/firewalls
 defe5b18-978d-4722-9325-4d1975d3699f:
 categories:
@@ -48277,6 +52151,7 @@ rules:
 group: cloud-weak-configuration
 name: defe5b18-978d-4722-9325-4d1975d3699f
 pretty_name: Batch Job Definition With Privileged Container Properties
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_batch_job_definition_module.html
 df58d46c-783b-43e0-bdd0-d99164f712ee:
 categories:
@@ -48288,6 +52163,7 @@ rules:
 group: cloud-weak-configuration
 name: df58d46c-783b-43e0-bdd0-d99164f712ee
 pretty_name: GKE Legacy Authorization Enabled
+ recommended: true
 ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters#Cluster.LegacyAbac
 df746b39-6564-4fed-bf85-e9c44382303c:
 categories:
@@ -48297,6 +52173,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: df746b39-6564-4fed-bf85-e9c44382303c
 pretty_name: Apt Get Install Lists Were Not Deleted
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
 dfa20ffa-f476-428f-a490-424b41e91c7f:
 categories:
@@ -48307,6 +52184,7 @@ rules:
 group: cloud-weak-secrets-management
 name: dfa20ffa-f476-428f-a490-424b41e91c7f
 pretty_name: Secret Expiration Not Set
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret
 dfb56e5d-ee68-446e-b32a-657b62befe69:
 categories:
@@ -48317,6 +52195,7 @@ rules:
 group: cloud-weak-secrets-management
 name: dfb56e5d-ee68-446e-b32a-657b62befe69
 pretty_name: Amplify Branch Basic Auth Config Password Exposed
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amplify-branch.html#cfn-amplify-branch-basicauthconfig
 e0099af2-fe17-411f-9991-0de28fe15f3c:
 categories:
@@ -48328,6 +52207,7 @@ rules:
 group: top10-insecure-design
 name: e0099af2-fe17-411f-9991-0de28fe15f3c
 pretty_name: Event Rate Limit Admission Control Plugin Not Set
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 e01de151-a7bd-4db4-b49b-3c4775a5e881:
 categories:
@@ -48338,6 +52218,7 @@ rules:
 group: cloud-resources-public-access
 name: e01de151-a7bd-4db4-b49b-3c4775a5e881
 pretty_name: Redshift Using Default Port
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/redshift_module.html#parameter-port
 e055285c-bc01-48b4-8aa5-8a54acdd29df:
 categories:
@@ -48348,6 +52229,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: e055285c-bc01-48b4-8aa5-8a54acdd29df
 pretty_name: SQL Server Database Without Auditing
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/auditingsettings
 e08ed7eb-f3ef-494d-9d22-2e3db756a347:
 categories:
@@ -48357,6 +52239,7 @@ rules:
 group: cloud-insecure-iam
 name: e08ed7eb-f3ef-494d-9d22-2e3db756a347
 pretty_name: Lambda Permission Principal Is Wildcard
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_policy_module.html
 e0e00aba-5f1c-4981-a542-9a9563c0ee20:
 categories:
@@ -48368,6 +52251,7 @@ rules:
 group: cloud-insecure-iam
 name: e0e00aba-5f1c-4981-a542-9a9563c0ee20
 pretty_name: Client Certificate Authentication Not Setup Properly
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
 e17fa86a-6222-4584-a914-56e8f6c87e06:
 categories:
@@ -48379,6 +52263,7 @@ rules:
 group: cloud-resources-public-access
 name: e17fa86a-6222-4584-a914-56e8f6c87e06
 pretty_name: Tiller Deployment Is Accessible From Within The Cluster
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/containers/images/
 e1e7b278-2a8b-49bd-a26e-66a7f70b17eb:
 categories:
@@ -48389,6 +52274,7 @@ rules:
 group: top10-crypto-failures
 name: e1e7b278-2a8b-49bd-a26e-66a7f70b17eb
 pretty_name: SQS With SSE Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html#ansible-collections-community-aws-sqs-queue-module
 e200a6f3-c589-49ec-9143-7421d4a2c845:
 categories:
@@ -48399,6 +52285,7 @@ rules:
 group: cloud-resources-public-access
 name: e200a6f3-c589-49ec-9143-7421d4a2c845
 pretty_name: ELB With Security Group Without Inbound Rules
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#cfn-ec2-securitygroup-securitygroupingress
 e227091e-2228-4b40-b046-fc13650d8e88:
 categories:
@@ -48409,6 +52296,7 @@ rules:
 group: cloud-insecure-iam
 name: e227091e-2228-4b40-b046-fc13650d8e88
 pretty_name: User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy
 e24e18d9-4c2b-4649-b3d0-18c088145e24:
 categories:
@@ -48419,6 +52307,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: e24e18d9-4c2b-4649-b3d0-18c088145e24
 pretty_name: CloudWatch Without Retention Period Specified
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudwatchlogs_log_group_module.html
 e25b56cd-a4d6-498f-ab92-e6296a082097:
 categories:
@@ -48430,6 +52319,7 @@ rules:
 group: cloud-resources-public-access
 name: e25b56cd-a4d6-498f-ab92-e6296a082097
 pretty_name: Trusted Microsoft Services Not Enabled
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json#networkruleset
 e28ceb92-d588-4166-aac5-766c8f5b7472:
 categories:
@@ -48439,6 +52329,7 @@ rules:
 group: cloud-weak-configuration
 name: e28ceb92-d588-4166-aac5-766c8f5b7472
 pretty_name: AWS Password Policy With Unchangeable Passwords
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html
 e29a75e6-aba3-4896-b42d-b87818c16b58:
 categories:
@@ -48448,6 +52339,7 @@ rules:
 group: cloud-weak-configuration
 name: e29a75e6-aba3-4896-b42d-b87818c16b58
 pretty_name: Redis Cache Allows Non SSL Connections
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_cache
 e2c83c1f-84d7-4467-966c-ed41fd015bb9:
 categories:
@@ -48458,6 +52350,7 @@ rules:
 group: cloud-weak-configuration
 name: e2c83c1f-84d7-4467-966c-ed41fd015bb9
 pretty_name: Ingress Controller Exposes Workload
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress#http
 e2d834b7-8b25-4935-af53-4a60668dcbe0:
 categories:
@@ -48468,6 +52361,7 @@ rules:
 group: top10-insecure-design
 name: e2d834b7-8b25-4935-af53-4a60668dcbe0
 pretty_name: Azure Instance Using Basic Authentication
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_virtualmachine_module.html#parameter-linux_config/disable_password_authentication
 e2e00c97-7171-4fb4-b461-d631df9a711c:
 categories:
@@ -48478,6 +52372,7 @@ rules:
 group: top10-insecure-design
 name: e2e00c97-7171-4fb4-b461-d631df9a711c
 pretty_name: Header Parameter Named as 'Authorization' (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#parameterObject
 e2ffa504-d22a-4c94-b6c5-f661849d2db7:
 categories:
@@ -48487,6 +52382,7 @@ rules:
 group: cloud-weak-configuration
 name: e2ffa504-d22a-4c94-b6c5-f661849d2db7
 pretty_name: JSON Object Schema Without Type (v3)
+ recommended: true
 ref: https://swagger.io/specification/#schema-object
 e35c16a2-d54e-419d-8546-a804d8e024d0:
 categories:
@@ -48497,6 +52393,7 @@ rules:
 group: cloud-resources-public-access
 name: e35c16a2-d54e-419d-8546-a804d8e024d0
 pretty_name: Sensitive Port Is Exposed To Small Public Network
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
 e36d8880-3f78-4546-b9a1-12f0745ca0d5:
 categories:
@@ -48506,6 +52403,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: e36d8880-3f78-4546-b9a1-12f0745ca0d5
 pretty_name: NPM Install Command Without Pinned Version
+ recommended: true
 ref: https://docs.docker.com/engine/reference/builder/#run
 e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10:
 categories:
@@ -48517,6 +52415,7 @@ rules:
 group: top10-insecure-design
 name: e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10
 pretty_name: Resource Not Using Tags
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/resource-tagging
 e39bee8c-fe54-4a3f-824d-e5e2d1cca40a:
 categories:
@@ -48528,6 +52427,7 @@ rules:
 group: cloud-insecure-iam
 name: e39bee8c-fe54-4a3f-824d-e5e2d1cca40a
 pretty_name: IAM Role Policy passRole Allows All
+ recommended: true
 ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource
 e3aa0612-4351-4a0d-983f-aefea25cf203:
 categories:
@@ -48540,6 +52440,7 @@ rules:
 group: top10-insecure-design
 name: e3aa0612-4351-4a0d-983f-aefea25cf203
 pretty_name: Root Containers Admitted
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
 e3f026e8-fdb4-4d5a-bcfd-bd94452073fe:
 categories:
@@ -48550,6 +52451,7 @@ rules:
 group: cloud-insecure-iam
 name: e3f026e8-fdb4-4d5a-bcfd-bd94452073fe
 pretty_name: Security Definitions Undefined or Empty
+ recommended: true
 ref: https://swagger.io/specification/v2/#securityDefinitionsObject
 e401d614-8026-4f4b-9af9-75d1197461ba:
 categories:
@@ -48561,6 +52463,7 @@ rules:
 group: cloud-insecure-iam
 name: e401d614-8026-4f4b-9af9-75d1197461ba
 pretty_name: IAM Policies With Full Privileges
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html
 e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5:
 categories:
@@ -48572,6 +52475,7 @@ rules:
 group: cloud-resources-public-access
 name: e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5
 pretty_name: Fully Open Ingress
+ recommended: true
 ref: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html#create-a-base-security-group
 e4239438-e639-44aa-adb8-866e400e3ade:
 categories:
@@ -48581,6 +52485,7 @@ rules:
 group: cloud-insecure-iam
 name: e4239438-e639-44aa-adb8-866e400e3ade
 pretty_name: IAM Policy On User
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html
 e42a3ef0-5325-4667-84bf-075ba1c9d58e:
 categories:
@@ -48590,6 +52495,7 @@ rules:
 group: cloud-resources-public-access
 name: e42a3ef0-5325-4667-84bf-075ba1c9d58e
 pretty_name: EC2 Instance Using Default VPC
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-subnetid
 e4a019f0-9af3-49c8-bf68-1939a6ff240d:
 categories:
@@ -48599,6 +52505,7 @@ rules:
 group: cloud-weak-configuration
 name: e4a019f0-9af3-49c8-bf68-1939a6ff240d
 pretty_name: String Schema with Broad Pattern (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#schema-object
 e4ee3903-9225-4b6a-bdfb-e62dbadef821:
 categories:
@@ -48610,6 +52517,7 @@ rules:
 group: top10-crypto-failures
 name: e4ee3903-9225-4b6a-bdfb-e62dbadef821
 pretty_name: ElastiCache With Disabled at Rest Encryption
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticache-replicationgroup.html#cfn-elasticache-replicationgroup-atrestencryptionenabled
 e4f54ff4-d352-40e8-a096-5141073c37a2:
 categories:
@@ -48621,6 +52529,7 @@ rules:
 group: top10-insecure-design
 name: e4f54ff4-d352-40e8-a096-5141073c37a2
 pretty_name: CDN Configuration Is Missing
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html
 e50eb68a-a4af-4048-8bbe-8ec324421469:
 categories:
@@ -48632,6 +52541,7 @@ rules:
 group: top10-crypto-failures
 name: e50eb68a-a4af-4048-8bbe-8ec324421469
 pretty_name: DB Instance Storage Not Encrypted
+ recommended: true
 ref: https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/v1beta1@v0.29.0#spec-forProvider-storageEncrypted
 e519ed6a-8328-4b69-8eb7-8fa549ac3050:
 categories:
@@ -48642,6 +52552,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: e519ed6a-8328-4b69-8eb7-8fa549ac3050
 pretty_name: MQ Broker Logging Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amazonmq-broker.html#cfn-amazonmq-broker-logs
 e52395b4-250b-4c60-81d5-2e58c1d37abc:
 categories:
@@ -48652,6 +52563,7 @@ rules:
 group: top10-crypto-failures
 name: e52395b4-250b-4c60-81d5-2e58c1d37abc
 pretty_name: Default KMS Key Usage
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html
 e542bd46-58c4-4e0f-a52a-1fb4f9548e02:
 categories:
@@ -48661,6 +52573,7 @@ rules:
 group: top10-insecure-design
 name: e542bd46-58c4-4e0f-a52a-1fb4f9548e02
 pretty_name: RDS Cluster With Backup Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period
 e5587d53-a673-4a6b-b3f2-ba07ec274def:
 categories:
@@ -48670,6 +52583,7 @@ rules:
 group: cloud-weak-configuration
 name: e5587d53-a673-4a6b-b3f2-ba07ec274def
 pretty_name: NET_RAW Capabilities Not Being Dropped
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#drop
 e576ce44-dd03-4022-a8c0-3906acca2ab4:
 categories:
@@ -48680,6 +52594,7 @@ rules:
 group: cloud-insecure-iam
 name: e576ce44-dd03-4022-a8c0-3906acca2ab4
 pretty_name: BigQuery Dataset Is Public
+ recommended: true
 ref: https://www.terraform.io/docs/providers/google/r/bigquery_dataset.html
 e592a0c5-5bdb-414c-9066-5dba7cdea370:
 categories:
@@ -48690,6 +52605,7 @@ rules:
 group: top10-insecure-design
 name: e592a0c5-5bdb-414c-9066-5dba7cdea370
 pretty_name: IAM Access Analyzer Not Enabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/accessanalyzer_analyzer
 e649a218-d099-4550-86a4-1231e1fcb60d:
 categories:
@@ -48699,6 +52615,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: e649a218-d099-4550-86a4-1231e1fcb60d
 pretty_name: Low RDS Backup Retention Period
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html
 e65a0733-94a0-4826-82f4-df529f4c593f:
 categories:
@@ -48709,6 +52626,7 @@ rules:
 group: cloud-insecure-iam
 name: e65a0733-94a0-4826-82f4-df529f4c593f
 pretty_name: Function App Authentication Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#auth_settings
 e66e1b71-c810-4b4e-a737-0ab59e7f5e41:
 categories:
@@ -48718,6 +52636,7 @@ rules:
 group: cloud-weak-configuration
 name: e66e1b71-c810-4b4e-a737-0ab59e7f5e41
 pretty_name: OSLogin Is Disabled In VM Instance
+ recommended: true
 ref: https://cloud.google.com/compute/docs/reference/rest/v1/instances
 e69890e6-fce5-461d-98ad-cb98318dfc96:
 categories:
@@ -48728,6 +52647,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: e69890e6-fce5-461d-98ad-cb98318dfc96
 pretty_name: RDS With Backup Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-backup_retention_period
 e69bda39-e1e2-47ca-b9ee-b6531b23aedd:
 categories:
@@ -48738,6 +52658,7 @@ rules:
 group: cloud-resources-public-access
 name: e69bda39-e1e2-47ca-b9ee-b6531b23aedd
 pretty_name: PostgreSQL Database Server Log Connections Disabled
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers/configurations?tabs=json#configurationproperties-object
 e6b4b943-6883-47a9-9739-7ada9568f8ca:
 categories:
@@ -48748,6 +52669,7 @@ rules:
 group: top10-crypto-failures
 name: e6b4b943-6883-47a9-9739-7ada9568f8ca
 pretty_name: EBS Volume Snapshot Not Encrypted
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_snapshot#encrypted
 e6cd49ba-77ed-417f-9bca-4f5303554308:
 categories:
@@ -48757,6 +52679,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: e6cd49ba-77ed-417f-9bca-4f5303554308
 pretty_name: DocDB Logging Is Disabled
+ recommended: true
 ref: https://doc.crds.dev/github.com/crossplane/provider-aws/docdb.aws.crossplane.io/DBCluster/v1alpha1@v0.21.1#status-atProvider-enabledCloudwatchLogsExports
 e6f61c37-106b-449f-a5bb-81bfcaceb8b4:
 categories:
@@ -48767,6 +52690,7 @@ rules:
 group: cloud-resources-public-access
 name: e6f61c37-106b-449f-a5bb-81bfcaceb8b4
 pretty_name: Google Compute Network Using Firewall Rule that Allows Port Range
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall#allow
 e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40:
 categories:
@@ -48779,6 +52703,7 @@ rules:
 group: cloud-weak-configuration
 name: e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40
 pretty_name: Root Account Has Active Access Keys
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_module.html
 e7530c3c-b7cf-4149-8db9-d037a0b5268e:
 categories:
@@ -48788,6 +52713,7 @@ rules:
 group: cloud-insecure-iam
 name: e7530c3c-b7cf-4149-8db9-d037a0b5268e
 pretty_name: Elasticsearch Without IAM Authentication
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain
 e7656d8d-7288-4bbe-b07b-22b389be75ce:
 categories:
@@ -48798,6 +52724,7 @@ rules:
 group: top10-insecure-design
 name: e7656d8d-7288-4bbe-b07b-22b389be75ce
 pretty_name: Template Path With No Corresponding Path Parameter (v2)
+ recommended: true
 ref: https://github.com/OAI/OpenAPI-Specification/blob/main/versions/2.0.md#path-templating
 e76cca7c-c3f9-4fc9-884c-b2831168ebd8:
 categories:
@@ -48807,6 +52734,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: e76cca7c-c3f9-4fc9-884c-b2831168ebd8
 pretty_name: Invalid Image
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image
 e76fd7ab-7333-40c6-a2d8-ea28af4a319e:
 categories:
@@ -48818,6 +52746,7 @@ rules:
 group: cloud-weak-secrets-management
 name: e76fd7ab-7333-40c6-a2d8-ea28af4a319e
 pretty_name: Ram Account Password Policy Max Login Attempts Unrecommended
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#max_login_attempts
 e77c89f6-9c85-49ea-b95b-5f960fe5be92:
 categories:
@@ -48828,6 +52757,7 @@ rules:
 group: cloud-insecure-iam
 name: e77c89f6-9c85-49ea-b95b-5f960fe5be92
 pretty_name: Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy
 e7e961ac-d17e-4413-84bc-8a1fbe242944:
 categories:
@@ -48838,6 +52768,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: e7e961ac-d17e-4413-84bc-8a1fbe242944
 pretty_name: Cloud Storage Bucket Versioning Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#enabled
 e835bd0d-65da-49f7-b6d1-b646da8727e6:
 categories:
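Review bot: `recommended: true` is being set on rules that are OpenAPI spec-validity or Dockerfile hygiene checks rather than security weaknesses — here `Template Path With No Corresponding Path Parameter (v2)`, and likewise `Responses JSON Reference Does Not Exists (v2)`, `Operation Object Parameters With 'body' And 'formatData' locations`, `Body Parameter Without Schema`, `Same Alias In Different Froms`, `Pip install Keeping Cached Packages`, `RUN Instruction Using 'cd' Instead of WORKDIR`, `ECS Task Definition Invalid CPU or Memory` and `ECS Service Without Running Tasks` in later hunks of this file. If the recommended set is intended as a curated, lower-noise default profile, those entries look like candidates to leave unflagged. The selection is clearly not blanket — rules such as eccc4d59-74b9-4974-86f1-74386e0c7f33 sit between two hunks untouched — so a short comment at the top of the file (outside these hunks) stating the criterion would let reviewers verify the list instead of reading it rule by rule. The key is only ever written as `true`; presumably the consumer treats an absent key as not recommended, which is worth confirming so that untouched rules do not need an explicit `recommended: false`.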
@@ -48848,6 +52779,7 @@ rules:
 group: cloud-insecure-iam
 name: e835bd0d-65da-49f7-b6d1-b646da8727e6
 pretty_name: IAM Policy Grants 'AssumeRole' Permission Across All Services
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html
 e84eaf4d-2f45-47b2-abe8-e581b06deb66:
 categories:
@@ -48859,6 +52791,7 @@ rules:
 group: cloud-insecure-iam
 name: e84eaf4d-2f45-47b2-abe8-e581b06deb66
 pretty_name: Ensure Administrative Boundaries Between Resources
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
 e86e26fc-489e-44f0-9bcd-97305e4ba69a:
 categories:
@@ -48868,6 +52801,7 @@ rules:
 group: cloud-insecure-iam
 name: e86e26fc-489e-44f0-9bcd-97305e4ba69a
 pretty_name: ECR Repository Is Publicly Accessible
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy
 e8bb41e4-2f24-4e84-8bea-8c7c070cf93d:
 categories:
@@ -48878,6 +52812,7 @@ rules:
 group: cloud-weak-configuration
 name: e8bb41e4-2f24-4e84-8bea-8c7c070cf93d
 pretty_name: Serving Revision Spec Without Timeout Seconds
+ recommended: true
 ref: https://knative.dev/docs/reference/api/serving-api/#serving.knative.dev/v1.RevisionSpec
 e8c80448-31d8-4755-85fc-6dbab69c2717:
 categories:
@@ -48888,6 +52823,7 @@ rules:
 group: cloud-resources-public-access
 name: e8c80448-31d8-4755-85fc-6dbab69c2717
 pretty_name: CosmosDB Account IP Range Filter Not Set
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_cosmosdbaccount_module.html#parameter-ip_range_filter
 e8e62026-da63-4904-b402-65adfe3ca975:
 categories:
@@ -48899,6 +52835,7 @@ rules:
 group: cloud-insecure-iam
 name: e8e62026-da63-4904-b402-65adfe3ca975
 pretty_name: Ram Policy Admin Access Not Attached to Users Groups Roles
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_policy
 e93bbe63-a631-4c0f-b6ef-700d48441ff2:
 categories:
@@ -48909,6 +52846,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: e93bbe63-a631-4c0f-b6ef-700d48441ff2
 pretty_name: ElastiCache Redis Cluster Without Backup
+ recommended: true
 ref: https://www.pulumi.com/registry/packages/aws/api-docs/elasticache/cluster/#snapshotretentionlimit_yaml
 e94d3121-c2d1-4e34-a295-139bfeb73ea3:
 categories:
@@ -48918,6 +52856,7 @@ rules:
 group: cloud-insecure-iam
 name: e94d3121-c2d1-4e34-a295-139bfeb73ea3
 pretty_name: Shared Host IPC Namespace
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_ipc
 e979fcbc-df6c-422d-9458-c33d65e71c45:
 categories:
@@ -48927,6 +52866,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: e979fcbc-df6c-422d-9458-c33d65e71c45
 pretty_name: ElasticSearch Without Slow Logs
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#log_publishing_options
 e9817ad8-a8c9-4038-8a2f-db0e6e7b284b:
 categories:
@@ -48937,6 +52877,7 @@ rules:
 group: cloud-insecure-iam
 name: e9817ad8-a8c9-4038-8a2f-db0e6e7b284b
 pretty_name: Implicit Flow in OAuth2 (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#securitySchemeObject
 e9b7acf9-9ba0-4837-a744-31e7df1e434d:
 categories:
@@ -48946,6 +52887,7 @@ rules:
 group: cloud-resources-public-access
 name: e9b7acf9-9ba0-4837-a744-31e7df1e434d
 pretty_name: SQS VPC Endpoint Without DNS Resolution
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc#enable_dns_support
 e9c133e5-c2dd-4b7b-8fff-40f2de367b56:
 categories:
@@ -48956,6 +52898,7 @@ rules:
 group: cloud-insecure-iam
 name: e9c133e5-c2dd-4b7b-8fff-40f2de367b56
 pretty_name: Website Azure Active Directory Disabled
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites?tabs=json#ManagedServiceIdentity
 e9db5fb4-6a84-4abb-b4af-3b94fbdace6d:
 categories:
@@ -48965,6 +52908,7 @@ rules:
 group: top10-insecure-design
 name: e9db5fb4-6a84-4abb-b4af-3b94fbdace6d
 pretty_name: Responses JSON Reference Does Not Exists (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#responsesDefinitionsObject
 e9dee01f-2505-4df2-b9bf-7804d1fd9082:
 categories:
@@ -48975,6 +52919,7 @@ rules:
 group: cloud-resources-public-access
 name: e9dee01f-2505-4df2-b9bf-7804d1fd9082
 pretty_name: Sensitive Port Is Exposed To Small Public Network
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule
 ea0ed1c7-9aef-4464-b7c7-94c762da3640:
 categories:
@@ -48986,6 +52931,7 @@ rules:
 group: cloud-resources-public-access
 name: ea0ed1c7-9aef-4464-b7c7-94c762da3640
 pretty_name: DB Security Group Open To Large Scope
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html#ansible-collections-amazon-aws-ec2-group-module
 ea33fcf7-394b-4d11-a228-985c5d08f205:
 categories:
@@ -48997,6 +52943,7 @@ rules:
 group: cloud-resources-public-access
 name: ea33fcf7-394b-4d11-a228-985c5d08f205
 pretty_name: Default Security Groups With Unrestricted Traffic
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html
 ea6bc7a6-d696-4dcf-a788-17fa03c17c81:
 categories:
@@ -49007,6 +52954,7 @@ rules:
 group: cloud-resources-public-access
 name: ea6bc7a6-d696-4dcf-a788-17fa03c17c81
 pretty_name: Security Group Ingress Not Restricted
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html
 eaaba502-2f94-411a-a3c2-83d63cc1776d:
 categories:
@@ -49017,6 +52965,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: eaaba502-2f94-411a-a3c2-83d63cc1776d
 pretty_name: CloudWatch IAM Policy Changes Alarm Missing
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern
 eafe4bc3-1042-4f88-b988-1939e64bf060:
 categories:
@@ -49026,6 +52975,7 @@ rules:
 group: cloud-insecure-iam
 name: eafe4bc3-1042-4f88-b988-1939e64bf060
 pretty_name: IAM Policies Attached To User
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_policy_module.html
 eb3f9744-d24e-4614-b1ff-2a9514eca21c:
 categories:
@@ -49036,6 +52986,7 @@ rules:
 group: top10-insecure-design
 name: eb3f9744-d24e-4614-b1ff-2a9514eca21c
 pretty_name: Operation Object Parameters With 'body' And 'formatData' locations
+ recommended: true
 ref: https://swagger.io/specification/v2/#parameterObject
 eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7:
 categories:
@@ -49046,6 +52997,7 @@ rules:
 group: cloud-insecure-iam
 name: eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7
 pretty_name: Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy
 eb8c2560-8bee-4248-9d0d-e80c8641dd91:
 categories:
@@ -49056,6 +53008,7 @@ rules:
 group: cloud-weak-configuration
 name: eb8c2560-8bee-4248-9d0d-e80c8641dd91
 pretty_name: Web App Accepting Traffic Other Than HTTPS
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_webapp_module.html#parameter-https_only
 ebb2118a-03bc-4d53-ab43-d8750f5cb8d3:
 categories:
@@ -49065,6 +53018,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: ebb2118a-03bc-4d53-ab43-d8750f5cb8d3
 pretty_name: CloudTrail Not Integrated With CloudWatch
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html
 ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0:
 categories:
@@ -49075,6 +53029,7 @@ rules:
 group: cloud-weak-secrets-management
 name: ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0
 pretty_name: Kubelet Certificate Authority Not Set
+ recommended: true
 ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 ec28bf61-a474-4dbe-b414-6dd3a067d6f0:
 categories:
@@ -49085,6 +53040,7 @@ rules:
 group: top10-insecure-design
 name: ec28bf61-a474-4dbe-b414-6dd3a067d6f0
 pretty_name: Cognito UserPool Without MFA
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool
 ec49cbfd-fae4-45f3-81b1-860526d66e3f:
 categories:
@@ -49095,6 +53051,7 @@ rules:
 group: cloud-insecure-iam
 name: ec49cbfd-fae4-45f3-81b1-860526d66e3f
 pretty_name: Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy
 ec62a32c-a297-41ca-a850-cab40b42094a:
 categories:
@@ -49108,6 +53065,7 @@ rules:
 group: cloud-insecure-iam
 name: ec62a32c-a297-41ca-a850-cab40b42094a
 pretty_name: OSS Bucket Allows All Actions From All Principals
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy
 eccc4d59-74b9-4974-86f1-74386e0c7f33:
 categories:
@@ -49129,6 +53087,7 @@ rules:
 group: top10-crypto-failures
 name: ed35928e-195c-4405-a252-98ccb664ab7b
 pretty_name: API Gateway With Invalid Compression
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api
 ed48229d-d43e-4da7-b453-5f98d964a57a:
 categories:
@@ -49138,6 +53097,7 @@ rules:
 group: top10-insecure-design
 name: ed48229d-d43e-4da7-b453-5f98d964a57a
 pretty_name: Body Parameter Without Schema
+ recommended: true
 ref: https://swagger.io/specification/v2/#parameterObject
 ed4c48b8-eccc-4881-95c1-09fdae23db25:
 categories:
@@ -49147,6 +53107,7 @@ rules:
 group: cloud-weak-configuration
 name: ed4c48b8-eccc-4881-95c1-09fdae23db25
 pretty_name: API Gateway Without SSL Certificate
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html
 ed672a9f-fbf0-44d8-a47d-779501b0db05:
 categories:
@@ -49159,6 +53120,7 @@ rules:
 group: cloud-weak-configuration
 name: ed672a9f-fbf0-44d8-a47d-779501b0db05
 pretty_name: IP Aliasing Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html
 ed6cf6ff-9a1f-491c-9f88-e03c0807f390:
 categories:
@@ -49169,6 +53131,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: ed6cf6ff-9a1f-491c-9f88-e03c0807f390
 pretty_name: Log Retention Is Not Greater Than 90 Days
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/log_store#retention_period
 ed6e3ba0-278f-47b6-a1f5-173576b40b7e:
 categories:
@@ -49179,6 +53142,7 @@ rules:
 group: top10-insecure-design
 name: ed6e3ba0-278f-47b6-a1f5-173576b40b7e
 pretty_name: CMK Is Unusable
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/kms_key#is_enabled
 ed89b97d-04e9-4fd4-919f-ee5b27e555e9:
 categories:
@@ -49189,6 +53153,7 @@ rules:
 group: cloud-resources-public-access
 name: ed89b97d-04e9-4fd4-919f-ee5b27e555e9
 pretty_name: Kubelet Streaming Connection Timeout Disabled
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
 ed9b3beb-92cf-44d9-a9d2-171eeba569d4:
 categories:
@@ -49198,6 +53163,7 @@ rules:
 group: cloud-insecure-iam
 name: ed9b3beb-92cf-44d9-a9d2-171eeba569d4
 pretty_name: SQS Policy Allows All Actions
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html
 eda48c88-2b7d-4e34-b6ca-04c0194aee17:
 categories:
@@ -49208,6 +53174,7 @@ rules:
 group: cloud-insecure-iam
 name: eda48c88-2b7d-4e34-b6ca-04c0194aee17
 pretty_name: Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy
 eda7301d-1f3e-47cf-8d4e-976debc64341:
 categories:
@@ -49218,6 +53185,7 @@ rules:
 group: cloud-resources-public-access
 name: eda7301d-1f3e-47cf-8d4e-976debc64341
 pretty_name: Remote Desktop Port Open To Internet
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html#ansible-collections-amazon-aws-ec2-group-module
 edbd62d4-8700-41de-b000-b3cfebb5e996:
 categories:
@@ -49227,6 +53195,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: edbd62d4-8700-41de-b000-b3cfebb5e996
 pretty_name: Elasticsearch Logs Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-logpublishingoptions
 edc95c10-7366-4f30-9b4b-f995c84eceb5:
 categories:
@@ -49236,6 +53205,7 @@ rules:
 group: cloud-insecure-iam
 name: edc95c10-7366-4f30-9b4b-f995c84eceb5
 pretty_name: IAM Policies Attached To User
+ recommended: true
 ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
 ee12ad32-2863-4c0f-b13f-28272d115028:
 categories:
@@ -49245,6 +53215,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: ee12ad32-2863-4c0f-b13f-28272d115028
 pretty_name: ELB Access Log Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb-accessloggingpolicy.html
 ee305555-6b1d-4055-94cf-e22131143c34:
 categories:
@@ -49254,6 +53225,7 @@ rules:
 group: cloud-weak-configuration
 name: ee305555-6b1d-4055-94cf-e22131143c34
 pretty_name: PSP Set To Privileged
+ recommended: true
 ref: https://www.pulumi.com/registry/packages/kubernetes/api-docs/policy/v1beta1/podsecuritypolicy/#privileged_yaml
 ee3b1557-9fb5-4685-a95d-93f1edf2a0d7:
 categories:
@@ -49264,6 +53236,7 @@ rules:
 group: cloud-resources-public-access
 name: ee3b1557-9fb5-4685-a95d-93f1edf2a0d7
 pretty_name: ALB Listening on HTTP
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/alb_listener
 ee464fc2-54a6-4e22-b10a-c6dcd2474d0c:
 categories:
@@ -49274,6 +53247,7 @@ rules:
 group: cloud-resources-public-access
 name: ee464fc2-54a6-4e22-b10a-c6dcd2474d0c
 pretty_name: Security Group Egress With All Protocols
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-egress.html
 ee49557d-750c-4cc1-aa95-94ab36cbefde:
 categories:
@@ -49284,6 +53258,7 @@ rules:
 group: cloud-insecure-iam
 name: ee49557d-750c-4cc1-aa95-94ab36cbefde
 pretty_name: Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy
 ee7b93c1-b3f8-4a3b-9588-146d481814f5:
 categories:
@@ -49294,6 +53269,7 @@ rules:
 group: cloud-resources-public-access
 name: ee7b93c1-b3f8-4a3b-9588-146d481814f5
 pretty_name: Google Compute Subnetwork with Private Google Access Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork#private_ip_google_access
 ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4:
 categories:
@@ -49304,6 +53280,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4
 pretty_name: CloudTrail Log Files S3 Bucket with Logging Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#s3_bucket_name
 eeb4d37a-3c59-4789-a00c-1509bc3af1e5:
 categories:
@@ -49314,6 +53291,7 @@ rules:
 group: cloud-insecure-iam
 name: eeb4d37a-3c59-4789-a00c-1509bc3af1e5
 pretty_name: User With Privilege Escalation By Actions 'iam:PutRolePolicy'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy
 eee107f9-b3d8-45d3-b9c6-43b5a7263ce1:
 categories:
@@ -49325,6 +53303,7 @@ rules:
 group: cloud-insecure-iam
 name: eee107f9-b3d8-45d3-b9c6-43b5a7263ce1
 pretty_name: Authentication Without MFA
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_mfa_device_info_module.html
 ef05a925-8568-4054-8ff1-f5ba82631c16:
 categories:
@@ -49344,6 +53323,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: ef0b316a-211e-42f1-888e-64efe172b755
 pretty_name: CloudWatch Without Retention Period Specified
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group
 efbf148a-67e9-42d2-ac47-02fa1c0d0b22:
 categories:
@@ -49354,6 +53334,7 @@ rules:
 group: cloud-weak-configuration
 name: efbf148a-67e9-42d2-ac47-02fa1c0d0b22
 pretty_name: Shell Running A Pipe Without Pipefail Flag
+ recommended: true
 ref: https://docs.docker.com/engine/reference/builder/#run
 efbf6449-5ec5-4cfe-8f15-acc51e0d787c:
 categories:
@@ -49364,6 +53345,7 @@ rules:
 group: cloud-resources-public-access
 name: efbf6449-5ec5-4cfe-8f15-acc51e0d787c
 pretty_name: RDP Is Exposed To The Internet
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule
 efd1dfc8-da91-4909-a3f3-c23abc5ec799:
 categories:
@@ -49374,6 +53356,7 @@ rules:
 group: cloud-weak-configuration
 name: efd1dfc8-da91-4909-a3f3-c23abc5ec799
 pretty_name: Numeric Schema Without Minimum (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#schemaObject
 f0104061-8bfc-4b45-8a7d-630eb502f281:
 categories:
@@ -49384,6 +53367,7 @@ rules:
 group: top10-insecure-design
 name: f0104061-8bfc-4b45-8a7d-630eb502f281
 pretty_name: Automatic Minor Upgrades Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html
 f0d8781f-99bf-4958-9917-d39283b168a0:
 categories:
@@ -49394,6 +53378,7 @@ rules: group: cloud-weak-configuration name: f0d8781f-99bf-4958-9917-d39283b168a0 pretty_name: DB Security Group Has Public Interface + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_security_group f1173d8c-3264-4148-9fdb-61181e031b51: categories: @@ -49405,6 +53390,7 @@ rules: name: f1173d8c-3264-4148-9fdb-61181e031b51 pretty_name: Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy f118890b-2468-42b1-9ce9-af35146b425b: categories: @@ -49415,6 +53401,7 @@ rules: group: cloud-resources-public-access name: f118890b-2468-42b1-9ce9-af35146b425b pretty_name: MySQL Server Public Access Enabled + recommended: true ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_server#public_network_access_enabled f11aec39-858f-4b6f-b946-0a1bf46c0c87: categories: @@ -49425,6 +53412,7 @@ rules: group: top10-crypto-failures name: f11aec39-858f-4b6f-b946-0a1bf46c0c87 pretty_name: DAX Cluster Not Encrypted + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dax_cluster#enabled f1adc521-f79a-4d71-b55b-a68294687432: categories: @@ -49434,6 +53422,7 @@ rules: group: cloud-insecure-iam name: f1adc521-f79a-4d71-b55b-a68294687432 pretty_name: EC2 Instance Using Default Security Group + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#security_groups f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5: categories: @@ -49444,6 +53433,7 @@ rules: group: cloud-insecure-iam name: f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5 pretty_name: Authorization Mode Set To Always Allow + recommended: true ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ f20e97f9-4919-43f1-9be9-f203cd339cdd: categories: 
@@ -49454,6 +53444,7 @@ rules:
 group: top10-crypto-failures
 name: f20e97f9-4919-43f1-9be9-f203cd339cdd
 pretty_name: OSS Bucket Encryption Using CMK Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#server_side_encryption_rule
 f262118c-1ac6-4bb3-8495-cc48f1775b85:
 categories:
@@ -49464,6 +53455,7 @@ rules:
 group: top10-crypto-failures
 name: f262118c-1ac6-4bb3-8495-cc48f1775b85
 pretty_name: Ecs Data Disk Kms Key Id Undefined
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/disk#kms_key_id
 f2702af5-6016-46cb-bbc8-84c766032095:
 categories:
@@ -49474,6 +53466,7 @@ rules:
 group: top10-insecure-design
 name: f2702af5-6016-46cb-bbc8-84c766032095
 pretty_name: Header Parameter Named as 'Accept' (v3)
+ recommended: true
 ref: https://swagger.io/specification/#parameter-object
 f27791a5-e2ae-4905-8910-6f995c576d09:
 categories:
@@ -49483,6 +53476,7 @@ rules:
 group: cloud-weak-configuration
 name: f27791a5-e2ae-4905-8910-6f995c576d09
 pretty_name: API Gateway Without SSL Certificate
+ recommended: true
 ref: https://www.pulumi.com/registry/packages/aws/api-docs/apigatewayv2/stage/#clientcertificateid_yaml
 f29904c8-6041-4bca-b043-dfa0546b8079:
 categories:
@@ -49492,6 +53486,7 @@ rules:
 group: top10-insecure-design
 name: f29904c8-6041-4bca-b043-dfa0546b8079
 pretty_name: Callback JSON Reference Does Not Exists
+ recommended: true
 ref: https://swagger.io/specification/#components-object
 f2daed12-c802-49cd-afed-fe41d0b82fed:
 categories:
@@ -49502,6 +53497,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: f2daed12-c802-49cd-afed-fe41d0b82fed
 pretty_name: Same Alias In Different Froms
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/multistage-build/
 f2ea6481-1d31-4d40-946a-520dc6321dd7:
 categories:
@@ -49512,6 +53508,7 @@ rules:
 group: top10-crypto-failures
 name: f2ea6481-1d31-4d40-946a-520dc6321dd7
 pretty_name: Kinesis Not Encrypted With KMS
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/kinesis_stream_module.html
 f2f903fb-b977-461e-98d7-b3e2185c6118:
 categories:
@@ -49522,6 +53519,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: f2f903fb-b977-461e-98d7-b3e2185c6118
 pretty_name: Pip install Keeping Cached Packages
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
 f30ee711-0082-4480-85ab-31d922d9a2b2:
 categories:
@@ -49531,6 +53529,7 @@ rules:
 group: top10-crypto-failures
 name: f30ee711-0082-4480-85ab-31d922d9a2b2
 pretty_name: Global Schemes Uses HTTP
+ recommended: true
 ref: https://swagger.io/specification/v2/#swaggerObject
 f34508b9-f574-4330-b42d-88c44cced645:
 categories:
@@ -49540,6 +53539,7 @@ rules:
 group: cloud-weak-secrets-management
 name: f34508b9-f574-4330-b42d-88c44cced645
 pretty_name: Hardcoded AWS Access Key In Lambda
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_module.html
 f34c0c25-47b4-41eb-9c79-249b4dd47b89:
 categories:
@@ -49550,6 +53550,7 @@ rules:
 group: cloud-resources-public-access
 name: f34c0c25-47b4-41eb-9c79-249b4dd47b89
 pretty_name: IP Forwarding Enabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_instance
 f34c1c68-4773-4df0-a103-6e2ca32e585f:
 categories:
@@ -49560,6 +53561,7 @@ rules:
 group: top10-insecure-design
 name: f34c1c68-4773-4df0-a103-6e2ca32e585f
 pretty_name: JSON '$ref' alongside other properties (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#referenceObject
 f3674e0c-f6be-43fa-b71c-bf346d1aed99:
 categories:
@@ -49571,6 +53573,7 @@ rules:
 group: top10-crypto-failures
 name: f3674e0c-f6be-43fa-b71c-bf346d1aed99
 pretty_name: Sagemaker Notebook Instance Without KMS
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_notebook_instance#kms_key_id
 f368dd2d-9344-4146-a05b-7c6faa1269ad:
 categories:
@@ -49581,6 +53584,7 @@ rules:
 group: cloud-resources-public-access
 name: f368dd2d-9344-4146-a05b-7c6faa1269ad
 pretty_name: Success Response Code Undefined for Post Operation (v3)
+ recommended: true
 ref: https://swagger.io/specification/#operation-object
 f36e87cc-a209-4f37-8571-66833e4aead7:
 categories:
@@ -49591,6 +53595,7 @@ rules:
 group: cloud-resources-public-access
 name: f36e87cc-a209-4f37-8571-66833e4aead7
 pretty_name: Success Response Code Undefined for Patch Operation (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#operation-object
 f377b83e-bd07-4f48-a591-60c82b14a78b:
 categories:
@@ -49601,6 +53606,7 @@ rules:
 group: cloud-weak-configuration
 name: f377b83e-bd07-4f48-a591-60c82b14a78b
 pretty_name: Seccomp Profile Is Not Configured
+ recommended: true
 ref: https://kubernetes.io/docs/tutorials/security/seccomp/#create-pod-that-uses-the-container-runtime-default-seccomp-profile
 f42dfe7e-787d-4478-a75e-a5f3d8a2269e:
 categories:
@@ -49610,6 +53616,7 @@ rules:
 group: cloud-insecure-iam
 name: f42dfe7e-787d-4478-a75e-a5f3d8a2269e
 pretty_name: Operation Using Implicit Flow
+ recommended: true
 ref: https://swagger.io/specification/v2/#operation-object
 f45ea400-6bbe-4501-9fc7-1c3d75c32067:
 categories:
@@ -49622,6 +53629,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: f45ea400-6bbe-4501-9fc7-1c3d75c32067
 pretty_name: Image Version Using 'latest'
+ recommended: true
 ref: https://docs.docker.com/develop/dev-best-practices/
 f465fff1-0a0f-457d-aa4d-1bddb6f204ff:
 categories:
@@ -49632,6 +53640,7 @@ rules:
 group: cloud-insecure-iam
 name: f465fff1-0a0f-457d-aa4d-1bddb6f204ff
 pretty_name: Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy
 f4a6bcd3-e231-4acf-993c-aa027be50d2e:
 categories:
@@ -49642,6 +53651,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: f4a6bcd3-e231-4acf-993c-aa027be50d2e
 pretty_name: RUN Instruction Using 'cd' Instead of WORKDIR
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir
 f4c9b5f5-68b8-491f-9e48-4f96644a1d51:
 categories:
@@ -49652,6 +53662,7 @@ rules:
 group: cloud-insecure-iam
 name: f4c9b5f5-68b8-491f-9e48-4f96644a1d51
 pretty_name: ECS Task Definition Invalid CPU or Memory
+ recommended: true
 ref: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html
 f4cf35d6-da92-48de-ab70-57be2b2e6497:
 categories:
@@ -49661,6 +53672,7 @@ rules:
 group: top10-insecure-design
 name: f4cf35d6-da92-48de-ab70-57be2b2e6497
 pretty_name: IAM Password Without Lowercase Letter
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user
 f4e9ff70-0f3b-4c50-a713-26cbe7ec4039:
 categories:
@@ -49671,6 +53683,7 @@ rules:
 group: cloud-resources-public-access
 name: f4e9ff70-0f3b-4c50-a713-26cbe7ec4039
 pretty_name: SQLServer Ingress From Any IP
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlfirewallrule_module.html
 f509931b-bbb0-443c-bd9b-10e92ecf2193:
 categories:
@@ -49680,6 +53693,7 @@ rules:
 group: cloud-insecure-iam
 name: f509931b-bbb0-443c-bd9b-10e92ecf2193
 pretty_name: IAM Group Without Users
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_group_module.html
 f525cc92-9050-4c41-a75c-890dc6f64449:
 categories:
@@ -49689,6 +53703,7 @@ rules:
 group: cloud-insecure-iam
 name: f525cc92-9050-4c41-a75c-890dc6f64449
 pretty_name: Security Scheme Using HTTP Negotiate
+ recommended: true
 ref: https://swagger.io/specification/#security-scheme-object
 f5342045-b935-402d-adf1-8dbbd09c0eef:
 categories:
@@ -49700,6 +53715,7 @@ rules:
 group: cloud-weak-configuration
 name: f5342045-b935-402d-adf1-8dbbd09c0eef
 pretty_name: AKS Network Policy Misconfigured
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster
 f53f16d6-46a9-4277-9fbe-617b1e24cdca:
 categories:
@@ -49720,6 +53736,7 @@ rules:
 group: top10-crypto-failures
 name: f5587077-3f57-4370-9b4e-4eb5b1bac85b
 pretty_name: CloudTrail Log Files Not Encrypted With KMS
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html
 f57f849c-883b-4cb7-85e7-f7b199dff163:
 categories:
@@ -49729,6 +53746,7 @@ rules:
 group: cloud-resources-public-access
 name: f57f849c-883b-4cb7-85e7-f7b199dff163
 pretty_name: TCP/UDP Protocol Network ACL Entry Allows All Ports
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html#cfn-ec2-networkaclentry-portrange
 f5b2e6af-76f5-496d-8482-8f898c5fdb4a:
 categories:
@@ -49738,6 +53756,7 @@ rules:
 group: top10-insecure-design
 name: f5b2e6af-76f5-496d-8482-8f898c5fdb4a
 pretty_name: Parameters Name In Combination Not Unique (v3)
+ recommended: true
 ref: https://swagger.io/specification/#parameters-object
 f5c45127-1d28-4b49-a692-0b97da1c3a84:
 categories:
@@ -49747,6 +53766,7 @@ rules:
 group: top10-insecure-design
 name: f5c45127-1d28-4b49-a692-0b97da1c3a84
 pretty_name: ECS Service Without Running Tasks
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_service_module.html#ansible-collections-community-aws-ecs-service-module
 f5f38943-664b-4acc-ab11-f292fa10ed0b:
 categories:
@@ -49756,6 +53776,7 @@ rules:
 group: cloud-resources-public-access
 name: f5f38943-664b-4acc-ab11-f292fa10ed0b
 pretty_name: API Gateway without WAF
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/wafv2_resources_module.html#parameter-arn
 f6049677-ec4a-43af-8779-5190b6d03cba:
 categories:
@@ -49765,6 +53786,7 @@ rules:
 group: cloud-insecure-iam
 name: f6049677-ec4a-43af-8779-5190b6d03cba
 pretty_name: KMS Allows Wildcard Principal
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html
 f62aa827-4ade-4dc4-89e4-1433d384a368:
 categories:
@@ -49776,6 +53798,7 @@ rules:
 group: cloud-insecure-iam
 name: f62aa827-4ade-4dc4-89e4-1433d384a368
 pretty_name: IAM Policy Grants Full Permissions
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html
 f6397a20-4cf1-4540-a997-1d363c25ef58:
 categories:
@@ -49789,6 +53812,7 @@ rules:
 group: cloud-insecure-iam
 name: f6397a20-4cf1-4540-a997-1d363c25ef58
 pretty_name: S3 Bucket Allows Put Action From All Principals
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
 f6d299d2-21eb-41cc-b1e1-fe12d857500b:
 categories:
@@ -49798,6 +53822,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: f6d299d2-21eb-41cc-b1e1-fe12d857500b
 pretty_name: VPC FlowLogs Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-flowlog.html
 f74b9c43-161a-4799-bc95-0b0ec81801b9:
 categories:
@@ -49807,6 +53832,7 @@ rules:
 group: cloud-weak-secrets-management
 name: f74b9c43-161a-4799-bc95-0b0ec81801b9
 pretty_name: Shared Service Account
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#service_account_name
 f79b9d26-e945-44e7-98a1-b93f0f7a68a0:
 categories:
@@ -49816,6 +53842,7 @@ rules:
 group: cloud-weak-configuration
 name: f79b9d26-e945-44e7-98a1-b93f0f7a68a0
 pretty_name: Media Type Object Without Schema
+ recommended: true
 ref: https://swagger.io/specification/#media-type-object
 f7ab6c83-ef89-40e1-8a99-32e2599fb665:
 categories:
@@ -49826,6 +53853,7 @@ rules:
 group: top10-insecure-design
 name: f7ab6c83-ef89-40e1-8a99-32e2599fb665
 pretty_name: Required Property With Default Value (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#schemaObject
 f7e296b0-6660-4bc5-8f87-22ac4a815edf:
 categories:
@@ -49835,6 +53863,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: f7e296b0-6660-4bc5-8f87-22ac4a815edf
 pretty_name: SQL Server Auditing Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server
 f7fa95b7-d819-484c-9a2b-665dd1bba25e:
 categories:
@@ -49844,6 +53873,7 @@ rules:
 group: top10-insecure-design
 name: f7fa95b7-d819-484c-9a2b-665dd1bba25e
 pretty_name: Invalid Schema External Documentation URL (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#externalDocumentationObject
 f80e3aa7-7b34-4185-954e-440a6894dde6:
 categories:
@@ -49853,6 +53883,7 @@ rules:
 group: cloud-insecure-iam
 name: f80e3aa7-7b34-4185-954e-440a6894dde6
 pretty_name: IAM Role Allows All Principals To Assume
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-assumerolepolicydocument
 f81d63d2-c5d7-43a4-a5b5-66717a41c895:
 categories:
@@ -49863,6 +53894,7 @@ rules:
 group: cloud-resources-public-access
 name: f81d63d2-c5d7-43a4-a5b5-66717a41c895
 pretty_name: ALB Listening on HTTP
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html
 f83121ea-03da-434f-9277-9cd247ab3047:
 categories:
@@ -49872,6 +53904,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: f83121ea-03da-434f-9277-9cd247ab3047
 pretty_name: VPC FlowLogs Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc
 f861041c-8c9f-4156-acfc-5e6e524f5884:
 categories:
@@ -49882,6 +53915,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: f861041c-8c9f-4156-acfc-5e6e524f5884
 pretty_name: S3 Bucket Logging Disabled
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
 f8e08a38-fc6e-4915-abbe-a7aadf1d59ef:
 categories:
@@ -49891,6 +53925,7 @@ rules:
 group: top10-insecure-design
 name: f8e08a38-fc6e-4915-abbe-a7aadf1d59ef
 pretty_name: Key Vault Secrets Content Type Undefined
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#content_type
 f906113d-cdc0-415a-ba60-609cc6daaf4d:
 categories:
@@ -49901,6 +53936,7 @@ rules:
 group: cloud-insecure-iam
 name: f906113d-cdc0-415a-ba60-609cc6daaf4d
 pretty_name: Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy
 f9112910-c7bb-4864-9f5e-2059ba413bb7:
 categories:
@@ -49911,6 +53947,7 @@ rules:
 group: cloud-resources-public-access
 name: f9112910-c7bb-4864-9f5e-2059ba413bb7
 pretty_name: PostgreSQL Database Server Log Checkpoints Disabled
+ recommended: true
 ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/2017-12-01/servers/configurations?tabs=json
 f914357d-8386-4d56-9ba6-456e5723f9a6:
 categories:
@@ -49921,6 +53958,7 @@ rules:
 group: cloud-insecure-iam
 name: f914357d-8386-4d56-9ba6-456e5723f9a6
 pretty_name: EC2 Instance Has No IAM Role
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html
 f922827f-aab6-447c-832a-e1ff63312bd3:
 categories:
@@ -49932,6 +53970,7 @@ rules:
 group: cloud-weak-configuration
 name: f922827f-aab6-447c-832a-e1ff63312bd3
 pretty_name: Container Runs Unmasked
+ recommended: true
 ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
 f97b7d23-568f-4bcc-9ac9-02df0d57fbba:
 categories:
@@ -49945,6 +53984,7 @@ rules:
 group: cloud-insecure-iam
 name: f97b7d23-568f-4bcc-9ac9-02df0d57fbba
 pretty_name: S3 Bucket Allows Get Action From All Principals
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
 f985a7d2-d404-4a7f-9814-f645f791e46e:
 categories:
@@ -49954,6 +53994,7 @@ rules:
 group: top10-insecure-design
 name: f985a7d2-d404-4a7f-9814-f645f791e46e
 pretty_name: Invalid Media Type Value (v2)
+ recommended: true
 ref: https://swagger.io/specification/#media-type-object
 f988a17f-1139-46a3-8928-f27eafd8b024:
 categories:
@@ -49964,6 +54005,7 @@ rules:
 group: cloud-weak-secrets-management
 name: f988a17f-1139-46a3-8928-f27eafd8b024
 pretty_name: DMS Endpoint MongoDB Settings Password Exposed
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dms-endpoint-mongodbsettings.html
 f99d3482-fa8c-4f79-bad9-35212dded164:
 categories:
@@ -49973,6 +54015,7 @@ rules:
 group: cloud-weak-configuration
 name: f99d3482-fa8c-4f79-bad9-35212dded164
 pretty_name: Serverless Function Without Tags
+ recommended: true
 ref: https://www.serverless.com/framework/docs/providers/aws/guide/functions#tags
 f9b10cdb-eaab-4e39-9793-e12b94a582ad:
 categories:
@@ -49984,6 +54027,7 @@ rules: group: top10-crypto-failures name: f9b10cdb-eaab-4e39-9793-e12b94a582ad pretty_name: ECS Task Definition Container With Plaintext Password + recommended: true ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-containerdefinitions.html#cfn-ecs-taskdefinition-containerdefinition-environment f9b7086b-deb8-4034-9330-d7fd38f1b8de: categories: @@ -49994,6 +54038,7 @@ rules: group: cloud-weak-secrets-management name: f9b7086b-deb8-4034-9330-d7fd38f1b8de pretty_name: High Google KMS Crypto Key Rotation Period + recommended: true ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_kms_crypto_key_module.html fa00ce45-386d-4718-8392-fb485e1f3c5b: categories: @@ -50004,6 +54049,7 @@ rules: group: cloud-insecure-iam name: fa00ce45-386d-4718-8392-fb485e1f3c5b pretty_name: Secrets Manager With Vulnerable Policy + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_policy#policy fa4def8c-1898-4a35-a139-7b76b1acdef0: categories: @@ -50015,6 +54061,7 @@ rules: group: cloud-resources-public-access name: fa4def8c-1898-4a35-a139-7b76b1acdef0 pretty_name: Insecure Port Not Properly Set + recommended: true ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ fa62ac4f-f5b9-45b9-97c1-625c8b6253ca: categories: @@ -50027,6 +54074,7 @@ rules: name: fa62ac4f-f5b9-45b9-97c1-625c8b6253ca pretty_name: Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction' + recommended: true ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f: categories: 
@@ -50037,6 +54085,7 @@ rules:
 group: cloud-resources-public-access
 name: fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f
 pretty_name: TSL Connection Certificate Not Setup
+ recommended: true
 ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
 faa8fddf-c0aa-4b2d-84ff-e993e233ebe9:
 categories:
@@ -50050,6 +54099,7 @@ rules:
 group: cloud-insecure-iam
 name: faa8fddf-c0aa-4b2d-84ff-e993e233ebe9
 pretty_name: S3 Bucket Allows List Action From All Principals
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
 faaefc15-51a5-419e-bb5e-51a4b5ab3485:
 categories:
@@ -50060,6 +54110,7 @@ rules:
 group: cloud-weak-configuration
 name: faaefc15-51a5-419e-bb5e-51a4b5ab3485
 pretty_name: RDS DB Instance Publicly Accessible
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#address
 fae52418-bb8b-4ac2-b287-0b9082d6a3fd:
 categories:
@@ -50071,6 +54122,7 @@ rules:
 group: cloud-insecure-iam
 name: fae52418-bb8b-4ac2-b287-0b9082d6a3fd
 pretty_name: EFS With Vulnerable Policy
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system_policy#policy
 fb2b0ecf-1492-491a-a70d-ba1df579175d:
 categories:
@@ -50082,6 +54134,7 @@ rules:
 group: top10-insecure-design
 name: fb2b0ecf-1492-491a-a70d-ba1df579175d
 pretty_name: ECS No Load Balancer Attached
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html
 fb5a5df7-6d74-4243-ab82-ff779a958bfd:
 categories:
@@ -50091,6 +54144,7 @@ rules:
 group: cloud-insecure-iam
 name: fb5a5df7-6d74-4243-ab82-ff779a958bfd
 pretty_name: ECR Repository Is Publicly Accessible
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_ecr_module.html#parameter-policy
 fb7d81e7-4150-48c4-b914-92fc05da6a2f:
 categories:
@@ -50100,6 +54154,7 @@ rules:
 group: top10-insecure-design
 name: fb7d81e7-4150-48c4-b914-92fc05da6a2f
 pretty_name: Unknown Property (v3)
+ recommended: true
 ref: https://swagger.io/specification/
 fb889ae9-2d16-40b5-b41f-9da716c5abc1:
 categories:
@@ -50109,6 +54164,7 @@ rules:
 group: top10-insecure-design
 name: fb889ae9-2d16-40b5-b41f-9da716c5abc1
 pretty_name: Parameter JSON Reference Does Not Exists (v2)
+ recommended: true
 ref: https://swagger.io/specification/v2/#parameterObject
 fb8f8929-afeb-4c46-99f0-a6cf410f7df4:
 categories:
@@ -50121,6 +54177,7 @@ rules:
 group: cloud-weak-configuration
 name: fb8f8929-afeb-4c46-99f0-a6cf410f7df4
 pretty_name: Vulnerable Default SSL Certificate
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html
 fbe9b2d0-a2b7-47a1-a534-03775f3013f7:
 categories:
@@ -50132,6 +54189,7 @@ rules:
 group: cloud-weak-configuration
 name: fbe9b2d0-a2b7-47a1-a534-03775f3013f7
 pretty_name: Cluster Labels Disabled
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html
 fbf699b5-ef74-4542-9cf1-f6eeac379373:
 categories:
@@ -50142,6 +54200,7 @@ rules:
 group: cloud-weak-configuration
 name: fbf699b5-ef74-4542-9cf1-f6eeac379373
 pretty_name: Numeric Schema Without Format (v3)
+ recommended: true
 ref: https://swagger.io/specification/#schema-object
 fc040fb6-4c23-4c0d-b12a-39edac35debb:
 categories:
@@ -50154,6 +54213,7 @@ rules:
 group: top10-crypto-failures
 name: fc040fb6-4c23-4c0d-b12a-39edac35debb
 pretty_name: Disk Encryption Disabled
+ recommended: true
 ref: https://cloud.google.com/compute/docs/reference/rest/v1/instances
 fc101ca7-c9dd-4198-a1eb-0fbe92e80044:
 categories:
@@ -50163,6 +54223,7 @@ rules:
 group: cloud-insecure-iam
 name: fc101ca7-c9dd-4198-a1eb-0fbe92e80044
 pretty_name: IAM Group Without Users
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership#users
 fc5109bf-01fd-49fb-8bde-4492b543c34a:
 categories:
@@ -50172,6 +54233,7 @@ rules:
 group: top10-insecure-design
 name: fc5109bf-01fd-49fb-8bde-4492b543c34a
 pretty_name: Variable Without Type
+ recommended: true
 ref: https://www.terraform.io/docs/language/values/variables.html#input-variable-documentation
 fc775e75-fcfb-4c98-b2f2-910c5858b359:
 categories:
@@ -50182,6 +54244,7 @@ rules:
 group: supply-chain-scm-weak-configuration
 name: fc775e75-fcfb-4c98-b2f2-910c5858b359
 pretty_name: Run Using 'wget' and 'curl'
+ recommended: true
 ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
 fc7c2c15-f5d0-4b80-adb2-c89019f8f62b:
 categories:
@@ -50191,6 +54254,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: fc7c2c15-f5d0-4b80-adb2-c89019f8f62b
 pretty_name: MSK Cluster Logging Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-msk-cluster.html
 fcb1b388-f558-4b7f-9b6e-f4e98abb7380:
 categories:
@@ -50210,6 +54274,7 @@ rules:
 group: cloud-resources-public-access
 name: fcbf9019-566c-4832-a65c-af00d8137d2b
 pretty_name: API Gateway without WAF
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html#cfn-wafv2-webaclassociation-resourcearn
 fcc2612a-1dfe-46e4-8ce6-0320959f0040:
 categories:
@@ -50219,6 +54284,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: fcc2612a-1dfe-46e4-8ce6-0320959f0040
 pretty_name: StatefulSet Requests Storage
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#volume_claim_template
 fd097ed0-7fe6-4f58-8b71-fef9f0820a21:
 categories:
@@ -50230,6 +54296,7 @@ rules:
 group: cloud-insecure-iam
 name: fd097ed0-7fe6-4f58-8b71-fef9f0820a21
 pretty_name: Memory Limits Not Defined
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#limits
 fd54f200-402c-4333-a5a4-36ef6709af2f:
 categories:
@@ -50241,6 +54308,7 @@ rules:
 group: supply-chain-cicd-weak-configuration
 name: fd54f200-402c-4333-a5a4-36ef6709af2f
 pretty_name: Missing User Instruction
+ recommended: true
 ref: https://docs.docker.com/engine/reference/builder/#user
 fd632aaf-b8a1-424d-a4d1-0de22fd3247a:
 categories:
@@ -50250,6 +54318,7 @@ rules:
 group: cloud-resources-public-access
 name: fd632aaf-b8a1-424d-a4d1-0de22fd3247a
 pretty_name: VPC Without Network Firewall
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall#vpc_id
 fd8da341-6760-4450-b26c-9f6d8850575e:
 categories:
@@ -50260,6 +54329,7 @@ rules:
 group: cloud-resources-public-access
 name: fd8da341-6760-4450-b26c-9f6d8850575e
 pretty_name: Redis Entirely Accessible
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_firewall_rule
 fe286195-e75c-4359-bd58-00847c4f855a:
 categories:
@@ -50273,6 +54343,7 @@ rules:
 group: cloud-insecure-iam
 name: fe286195-e75c-4359-bd58-00847c4f855a
 pretty_name: OSS Bucket Allows Put Action From All Principals
+ recommended: true
 ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy
 fe771ff7-ba15-4f8f-ad7a-8aa232b49a28:
 categories:
@@ -50282,6 +54353,7 @@ rules:
 group: cloud-weak-configuration
 name: fe771ff7-ba15-4f8f-ad7a-8aa232b49a28
 pretty_name: Containers With Added Capabilities
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#capabilities-1
 fe974ae9-858e-4991-bbd5-e040a834679f:
 categories:
@@ -50292,6 +54364,7 @@ rules:
 group: top10-software-data-integrity-failures
 name: fe974ae9-858e-4991-bbd5-e040a834679f
 pretty_name: Stack Retention Disabled
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-stackset-autodeployment.html#cfn-cloudformation-stackset-autodeployment-retainstacksonaccountremoval
 ffac8a12-322e-42c1-b9b9-81ff85c39ef7:
 categories:
@@ -50302,6 +54375,7 @@ rules:
 group: cloud-resources-public-access
 name: ffac8a12-322e-42c1-b9b9-81ff85c39ef7
 pretty_name: HTTP Port Open To Internet
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
 ffb02aca-0d12-475e-b77c-a726f7aeff4b:
 categories:
@@ -50312,6 +54386,7 @@ rules:
 group: top10-security-logging-monitoring-failures
 name: ffb02aca-0d12-475e-b77c-a726f7aeff4b
 pretty_name: Log Retention Is Not Set
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration
 ffdf4b37-7703-4dfe-a682-9d2e99bc6c09:
 categories:
@@ -50325,6 +54400,7 @@ rules:
 group: cloud-insecure-iam
 name: ffdf4b37-7703-4dfe-a682-9d2e99bc6c09
 pretty_name: S3 Bucket Allows Delete Action From All Principals
+ recommended: true
 ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy
 ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9:
 categories:
@@ -50335,6 +54411,7 @@ rules:
 group: cloud-insecure-iam
 name: ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9
 pretty_name: No Stack Policy
+ recommended: true
 ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudformation_module.html
 ffee2785-c347-451e-89f3-11aeb08e5c84:
 categories:
@@ -50345,5 +54422,5 @@ rules:
 group: top10-crypto-failures
 name: ffee2785-c347-451e-89f3-11aeb08e5c84
 pretty_name: CMK Unencrypted Storage
+ recommended: true
 ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html
-
From 6a98f536a17fe23324f2d69a609c06eb796c5f26 Mon Sep 17 00:00:00 2001
From: Alexis-Maurer Fortin
Date: Mon, 5 Aug 2024 14:25:42 -0400
Subject: [PATCH 5/5] latest registry action
---
 .github/workflows/registry-scanner.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/registry-scanner.yaml b/.github/workflows/registry-scanner.yaml
index 7ff07b00..37b61162 100644
--- a/.github/workflows/registry-scanner.yaml
+++ b/.github/workflows/registry-scanner.yaml
@@ -29,7 +29,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Scan Registry
- uses: boostsecurityio/scanner-registry-action@7c3690aed2453f790be130a209d644c41b333fb7 # v1.5.4
+ uses: boostsecurityio/scanner-registry-action@91ede50ad22990f74865613c94fa51569b144f71 # v1.5.5
 with:
 api_endpoint: ${{ vars.BOOST_API_ENDPOINT }}
 api_token: ${{ secrets.BOOST_SYSTEM_API_KEY_REGISTRY }}