Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
Home Page: https://kics.io
License: Apache License 2.0
Terraform
AWS
Instance should be configured in vpc
The readme.md should be updated to contain all necessary info to setup and run the code
Terraform
AWS)*
The AWS EBS Snapshot Encryption configuration must be enable
Terraform
GCP
This query ensures that object versioning is enabled on a Google Storage Bucket by checking if the 'versioning' block exists within the 'google_storage_bucket' resource and with the 'enabled' field equal to 'true'.
With the impeding change of the repo name, we must ensure all references of the previous name is changed
Terraform
GCP
This query checks if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.
Create new query for Terraform (Aws_Security_Group)
Terraform
Azure
Add log_retention&log_disconnection queries - check that these flags are se.
Update log_connection query name, to be in line with the others
Create a similarityId for each one of our results, based on:
Terraform
AWS
Check if AWS CloudWatch Logs for APIs is defined
Terraform
Azure
Terraform
GCP
Google storage bucket with logging not enabled
Terraform
Azure
Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
Terraform
AWS
SSL Client Certificate should be enabled in aws_api_gateway_stage resource
Currently the queries are divided in code by "system/provider" (e.g. terraform/aws). A structure grouping the queries per category is recommended to be more readable -> "system/category/provider".
Terraform
GCP
Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty
Terraform
GCP
Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true
Terraform
AWS
Aws Cloud Formation Stack should have a stack policy in order to protect stack resources from update actions
Terraform
GCP
Support query to check if any Cloud SQL database Instances have public access.
Terraform
GCP
GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty
Terraform
GCP
This query detects if a Cloud Storage Bucket is anonymously or publicly accessible by checking if the member/members field inside the resource 'google_storage_bucket_iam_member' equals/includes 'allUsers' or 'allAuthenticatedUsers'.
Terraform
GCP
Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE
Terrafom
GCP
Ensure that corporate login credentials are used instead of Gmail accounts.
Terraform
Azure
Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
Terraform
AWS
Enable AWS CloudFormation Stack Notifications
Terraform
Azure
Rename and change the description and description URL for the following queries:
Terraform
AWS
Ensure that AWS EBS clusters are encrypted
The current queries names should be standardized to make sure each one has a similar naming convention
Terraform
GCP
This query detects Cloud SQL Database instances with backup_configuration disabled. Checks if, within the 'settings' block, the 'backup_configuration' block exists with the 'enable' field equal to 'false'.
Terraform
GCP
Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'
Need to add test to ensure the application has the same expected behavior on both Windows and Linux machines
Terraform
GCP
This query detects Cloud SQL Database instances with SSL disabled for incoming connections. Checks if, within the 'settings' block, the 'ip_configuration' block exists with the 'require_ssl' field equal to 'false'.
Need to update to the latest Golang version
Terraform
AWS
This Query confirms that Amazon GuardDuty is Enabled
Engine and the CLI must be separate from private repo dependencies
Terraform
Azure
Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server
The current CircleCI pipelines should be separate from the existing internal accounts. Need to evaluate the best solution (eg. Github Actions..)
Terraform
Azure
Add the (almost identical) high-severity ports-exposure-related queries to the system.
Terraform
GCP
Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false
Terraform
AWS
The value must be true or by default (true)
Terraform
AWS
Enable Active Tracing
Add static docs
Add auto-generated static project site
Platform
Terraform
Provider
AWS
Description
Check if the Multi Region is enabled in the CloudTrail
Terraform
GCP
Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true
By running our engine against our code samples, we should guarantee that it would never fail, for each PR.
Input:
go run ./cmd/console/main.go -p assets/queries
Output:
Exit status should be 0
In case of failing (exit status 1), we should give some information of the error (showing the log for example)
Platform
Terraform
Provider
AWS
Description
Check if the Multi Region is enabled in the CloudTrail
Terraform
GCP
Ensure that Cloud Audit Logging is configured properly across all services and all users from a project.
The repo should be renamed to the new name (KICS) - Keeping Infrastructure as Code Secure
All hardcoded places containing the previous should also be addressed
Terraform
AWS
Avoid creating resources in default VPC
Terraform
AWS
This query checks if AWS Redshift Cluster Logging is Disabled
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
