
Rules Index

CI/CD - Supply Chain

Name Description
cicd-binary-artifacts-stored-in-scm Ensure that binary / executable artifacts are not stored in SCM.
cicd-branch-protection Ensure that default repository branches are protected.
cicd-gha-can-create-and-approve-pull-requests Ensure that GitHub Actions cannot approve Pull Requests automatically.
cicd-gha-org-allows-all-actions Ensure that not all GitHub Actions are allowed to run.
cicd-gha-org-secret-publicly-visible Ensure that GitHub Organization-level secrets are not visible to public repositories.
cicd-gha-read-write-token-permissions Ensure that GitHub Actions do not have Read / Write permissions token.
cicd-gha-risky-pull-request-target-usage Ensure that GitHub Actions are not making risky usage of pull_request_target events.
cicd-gha-shell-injection-detected Ensure that GitHub Actions do not have shell injection.
cicd-sca-scanning-absent Ensure that Software Composition Analysis (SCA) is performed.
cicd-scm-2fa-enforcement-absent Ensure the GitHub Organization enforces 2FA for all members.
cicd-unpinned-dependencies Ensure that dependency management lock files are being used.
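Three of the GitHub Actions rules above (shell injection, risky pull_request_target usage, and read/write token permissions) are the ones most often triggered by a single badly written workflow. The following is an added example of how such detection logic can be expressed; it is not the scanner's own code. A workflow is represented as the dict a YAML loader would return, so it needs only the standard library, and the two workflows at the bottom are constructed samples. The list of untrusted expression contexts is an assumption that covers the common cases, not the full set a real rule might check.

```python
"""Detection logic in the spirit of cicd-gha-shell-injection-detected,
cicd-gha-risky-pull-request-target-usage and cicd-gha-read-write-token-permissions.

Added example: this is not the scanner's own code.  A workflow is represented as
the dict a YAML loader returns (PyYAML loads a bare `on:` key as the boolean
True, which is handled below), so the example needs only the standard library.
The two workflows at the bottom are constructed samples.
"""
import re

# Values taken from PR/issue/comment payloads are attacker-controlled.  Expanding
# them with ${{ }} inside `run:` splices text straight into the shell script.
# Assumption: this list covers the common contexts, not every one a real rule checks.
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*(?:github\.event\.(?:issue|pull_request|comment|review|"
    r"discussion|head_commit|commits)[^}]*|github\.head_ref)\s*\}\}"
)
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:ref|sha)")


def _jobs(workflow):
    return (workflow.get("jobs") or {}).items()


def _triggers(workflow):
    on = workflow.get("on", workflow.get(True)) or {}
    return [on] if isinstance(on, str) else on


def find_shell_injection(workflow):
    """(job, step index, expression) for each run: step that interpolates an
    untrusted expression directly into shell text."""
    hits = []
    for job_name, job in _jobs(workflow):
        for i, step in enumerate(job.get("steps", [])):
            for m in UNTRUSTED_CONTEXT.finditer(step.get("run") or ""):
                hits.append((job_name, i, m.group(0)))
    return hits


def find_risky_pull_request_target(workflow):
    """pull_request_target runs with the base repository's secrets and token.
    Checking out the PR head under it lets the PR author's code run with them."""
    if "pull_request_target" not in _triggers(workflow):
        return []
    hits = []
    for job_name, job in _jobs(workflow):
        for i, step in enumerate(job.get("steps", [])):
            ref = str((step.get("with") or {}).get("ref", ""))
            if step.get("uses", "").startswith("actions/checkout") and PR_HEAD_REF.search(ref):
                hits.append((job_name, i))
    return hits


def find_permissive_token(workflow):
    """Jobs whose GITHUB_TOKEN is not scoped down: no `permissions` block at
    workflow or job level (the repository default may be read/write) or `write-all`."""
    top = workflow.get("permissions")
    hits = []
    for job_name, job in _jobs(workflow):
        perms = job.get("permissions", top)
        if perms is None:
            hits.append((job_name, "no permissions block"))
        elif perms == "write-all":
            hits.append((job_name, "permissions: write-all"))
    return hits


def scan(workflow):
    return {
        "shell_injection": find_shell_injection(workflow),
        "risky_pull_request_target": find_risky_pull_request_target(workflow),
        "permissive_token": find_permissive_token(workflow),
    }


# Constructed sample: triggers every check.
VULNERABLE = {
    "name": "pr-triage",
    "on": {"pull_request_target": {"types": ["opened"]}},
    "jobs": {"triage": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": 'echo "Title: ${{ github.event.pull_request.title }}"'},
        {"run": "npm ci && npm test"},
    ]}},
}

# Constructed sample: same job, hardened.  The untrusted value is passed through
# an environment variable so the shell only ever sees "$TITLE".
HARDENED = {
    "name": "pr-triage",
    "on": {"pull_request": {"types": ["opened"]}},
    "permissions": {"contents": "read"},
    "jobs": {"triage": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"env": {"TITLE": "${{ github.event.pull_request.title }}"},
         "run": 'echo "Title: $TITLE"'},
        {"run": "npm ci && npm test"},
    ]}},
}

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, scan(wf))
```

The hardened workflow shows the three fixes together: the trigger drops back to pull_request (no base-repo secrets for fork PRs), the token is pinned to contents: read, and the PR title reaches the shell through an env var rather than through ${{ }} expansion, so shell metacharacters in it are just data.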

Cloud Misconfigurations

AWS Infrastructure

Name Description
aws-athena-encryption-off Ensure Athena Workgroups enforce their configuration so clients cannot disable encryption
aws-cloudtrail-all-regions Ensure CloudTrail is enabled in all Regions
aws-cloudtrail-validation-off Ensure CloudTrail log file validation is enabled
aws-cloudwatch-log-retention Ensure cloudwatch log groups specify retention days
aws-db-backup-off Ensure that database backup is enabled
aws-db-no-version-upgrade Ensure that database automatic version upgrade is enabled
aws-ec2-public-ip EC2 instance should not have public IP.
aws-ecr-scanning-off Ensure ECR image scanning on push is enabled
aws-ecr-tags-mutable Ensure ECR Image Tags are immutable
aws-ecs-container-insights-off Ensure container insights are enabled on ECS cluster
aws-iam-password-policy Ensure that IAM password policy has sufficient complexity based on industry best practices
aws-iam-policy-lax-full-admin Ensure IAM policies that allow full "*:*" administrative privileges (Action "*" on Resource "*") are not created
aws-iam-policy-on-users Ensure IAM policies are attached only to groups or roles
aws-iam-wildcard-actions Ensure no IAM policy documents allow "*" as a statement's Action
aws-kms-key-rotation Ensure rotation for customer created CMKs is enabled
aws-lb-allow-invalid-headers Ensure that the load balancer drops invalid HTTP headers
aws-legacy-instance-meta Ensure Instance Metadata Service Version 1 is not enabled
aws-network-https-off Ensure that the networking resource enforces the use of HTTPS
aws-network-insecure-tls Ensure that the load balancer uses TLS 1.2 or later
aws-network-public-rdp Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (RDP)
aws-network-public-ssh Ensure that the resource or security group does not allow ingress from 0.0.0.0/0 to port 22 (SSH)
aws-resource-logging-off Ensure that the resource has some form of audit logging enabled to help with forensics
aws-resource-outside-vpc Ensure that the resource is configured inside a VPC
aws-resource-public-access Ensure that all data stored in the managed service is not publicly accessible
aws-resource-public-policy Ensure that the resource policy is not set to public
aws-resource-unencrypted-at-rest Ensure that all data stored in the managed service is securely encrypted at rest
aws-resource-unencrypted-in-transit Ensure that data going to and from the managed service is securely encrypted in transit
aws-s3-public-access Ensure the S3 bucket does not allow Read or Write permissions to anyone on the Internet
aws-s3-public-policy Ensure S3 bucket does not allow an action with any Principal (i.e. anyone on the Internet)
aws-s3-unencrypted-at-rest Ensure all data stored in the S3 bucket is securely encrypted at rest
aws-vpc-assign-public-ip Ensure VPC subnets do not assign public IP by default
aws-vpc-endpoint-auto-accept Ensure that VPC Endpoint Service is configured for Manual Acceptance
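The IAM and security-group rules above reduce to a handful of structural checks on a policy document or an ingress rule. The following is an added example of those checks (not the scanner's code): policies are plain IAM JSON policy documents, and ingress rules use the EC2 API's IpPermissions shape. The sample policies and security groups are constructed; the bucket name is a placeholder.

```python
"""Checks in the spirit of aws-iam-wildcard-actions, aws-iam-policy-lax-full-admin,
aws-s3-public-policy and aws-network-public-ssh / aws-network-public-rdp.

Added example, not the scanner's own code.  Policies are plain IAM JSON policy
documents; security-group ingress rules use the EC2 API's IpPermissions shape
(IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges).  Sample inputs are constructed.
"""
import ipaddress


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect", "Allow") == "Allow"]


def wildcard_actions(policy):
    """Indexes of Allow statements whose Action includes a bare "*"."""
    return [i for i, s in enumerate(_allow_statements(policy))
            if "*" in _as_list(s.get("Action"))]


def full_admin(policy):
    """Indexes of Allow statements granting Action "*" on Resource "*" ("*:*")."""
    return [i for i, s in enumerate(_allow_statements(policy))
            if "*" in _as_list(s.get("Action")) and "*" in _as_list(s.get("Resource"))]


def public_principal(policy):
    """Indexes of unconditioned Allow statements whose Principal is "*" or {"AWS": "*"}.
    A Condition may still restrict access, so conditioned statements are left for review."""
    hits = []
    for i, s in enumerate(_allow_statements(policy)):
        p = s.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS")))
        if anyone and not s.get("Condition"):
            hits.append(i)
    return hits


def _open_to_world(rule):
    """True if any IPv4/IPv6 range on the rule is the whole address space."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)


def _covers_port(rule, port):
    if rule.get("IpProtocol") == "-1":          # all protocols, all ports
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def public_admin_ports(ingress_rules, ports=(22, 3389)):
    """Sorted list of SSH/RDP ports reachable from 0.0.0.0/0 or ::/0."""
    return sorted({port for rule in ingress_rules if _open_to_world(rule)
                   for port in ports if _covers_port(rule, port)})


# Constructed samples.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow",
                                "Action": ["s3:GetObject", "s3:ListBucket"],
                                "Resource": ["arn:aws:s3:::example-bucket",
                                             "arn:aws:s3:::example-bucket/*"]}]}
PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Principal": "*",
                                       "Action": "s3:GetObject",
                                       "Resource": "arn:aws:s3:::example-bucket/*"}]}
OPEN_SG = [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
           {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]
LOCKED_SG = [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]

if __name__ == "__main__":
    print("admin policy:", full_admin(ADMIN_POLICY), wildcard_actions(ADMIN_POLICY))
    print("scoped policy:", full_admin(SCOPED_POLICY), public_principal(SCOPED_POLICY))
    print("public bucket:", public_principal(PUBLIC_BUCKET_POLICY))
    print("open sg:", public_admin_ports(OPEN_SG), "locked sg:", public_admin_ports(LOCKED_SG))
```

Two details matter in practice: an IpProtocol of "-1" has no port fields at all yet exposes every port, and ::/0 is just as open as 0.0.0.0/0, so a check that only looks at IpRanges and FromPort/ToPort misses both.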

Azure Infrastructure

Name Description
azure-aks-api-iprange Ensure AKS API Server Authorized IP Ranges are enabled
azure-aks-logging-enable Ensure AKS logging to Azure Monitor is configured
azure-aks-networkpolicy Ensure AKS cluster has Network Policy configured
azure-aks-private-cluster Ensure that AKS enables private clusters
azure-aks-rbac-enabled Ensure RBAC is enabled on AKS clusters
azure-appsvc-ad-enabled Ensure that Register with Azure Active Directory is enabled on App Service
azure-appsvc-auth-enabled Ensure App Service Authentication is set on Azure App Service
azure-appsvc-cors-restrictive Ensure that CORS does not allow every origin (*) to access app services
azure-appsvc-disable-debug Ensure that remote debugging is not enabled for app services
azure-appsvc-ftp-disabled Ensure FTP deployments are disabled
azure-appsvc-http-redirect Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
azure-appsvc-http-tls-version Ensure web app is using the latest version of TLS encryption
azure-appsvc-http-version Ensure that 'HTTP Version' is the latest if used to run the web app
azure-automn-variable-encrypted Ensure that Automation account variables are encrypted
azure-batch-keyvault Ensure that Azure Batch account uses key vault to encrypt data
azure-dashboard-disable Ensure the Kubernetes Dashboard is disabled
azure-db-audit-enabled Ensure that 'Auditing' is set to 'On' for SQL servers
azure-db-audit-retention Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers
azure-db-public-ingress Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
azure-funcapp-auth-enabled Ensure that Function apps enable Authentication
azure-funcapp-http-version Ensure that 'HTTP Version' is the latest, if used to run the Function app
azure-funcapp-https-only Ensure that Function apps are only accessible over HTTPS
azure-machine-scaleset-auth Ensure Azure linux scale set does not use basic authentication
azure-machine-scaleset-encrypt Ensure that Virtual machine scale sets have encryption at host enabled
azure-machine-sensitive-data Ensure that no sensitive credentials are exposed in VM custom_data
azure-mariadb-public-ingress Ensure 'public network access enabled' is set to 'False' for MariaDB servers
azure-mariadb-ssl-enabled Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers
azure-monitor-audit-activities Ensure audit profile captures all the activities
azure-monitor-log-retention Ensure that Activity Log Retention is set to 365 days or greater
azure-mssql-audit-retention Ensure an audit log retention period greater than 90 days.
azure-mssql-email-service Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers
azure-mssql-send-alerts Ensure that 'Send Alerts To' is enabled for MSSQL servers
azure-mssql-threat-types Ensure that 'Threat Detection types' is set to 'All'
azure-mssql-tls-version Ensure MSSQL is using the latest version of TLS encryption
azure-mysql-enforce-ssl Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
azure-mysql-public-ingress Ensure 'public network access enabled' is set to 'False' for MySQL servers
azure-mysql-tls-version Ensure MySQL is using the latest version of TLS encryption
azure-network-log-retention Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
azure-network-public-rdp Ensure that RDP access is restricted from the internet
azure-network-public-udp Ensure that UDP Services are restricted from the Internet
azure-psql-enforce-ssl Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
azure-psql-param-conn-throttling Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
azure-psql-public-ingress Ensure that PostgreSQL server disables public network access
azure-seccntr-email-alerts Ensure that 'Send email notification for high severity alerts' is set to 'On'
azure-storage-public-access Ensure that 'Public access level' is set to Private for blob containers
azure-storage-public-ingress Ensure default network access rule for Storage Accounts is set to deny
azure-storage-secure-xfer Ensure that 'Secure transfer required' is set to 'Enabled'
azure-storage-tls-version Ensure Storage Account is using the latest version of TLS encryption
azure-storage-trust-msft Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
azure-storsync-public-ingress Ensure that Azure File Sync disables public network access
azure-vault-allow-firewall Ensure that Key Vault has firewall (network ACL) rules configured
azure-vault-key-expiry Ensure that the expiration date is set on all keys
azure-vault-purge-protection Ensure that key vault enables purge protection
azure-vault-secret-expiry Ensure that the expiration date is set on all secrets

GCP Infrastructure

Name Description
gcp-bq-anon-or-public Ensure that BigQuery datasets are not anonymously or publicly accessible
gcp-gce-default-svcacct Ensure that instances are not configured to use the default service account
gcp-gce-fw-public-rdp Ensure Google Compute firewall ingress does not allow unrestricted RDP access
gcp-gce-fw-public-ssh Ensure Google Compute firewall ingress does not allow unrestricted SSH access
gcp-gce-ip-fwd-on Ensure that IP forwarding is not enabled on Instances
gcp-gce-public-ip Ensure that Compute instances do not have public IP addresses
gcp-gce-serialport-on Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
gcp-gcs-anon-or-public Ensure that Cloud Storage bucket is not anonymously or publicly accessible
gcp-gcs-logs-off Ensure Cloud Storage buckets have access logging enabled
gcp-iam-svcacct-admin-role Ensure that Service Account has no Admin privileges
gcp-iam-svcacct-allo-sudo Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
gcp-k8s-basic-auth-on Ensure GKE basic auth is disabled
gcp-k8s-legacy-instance-metadata-on Ensure legacy Compute Engine instance metadata APIs are Disabled
gcp-k8s-legacy-rbac-on Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
gcp-k8s-metadata-server-off Ensure the GKE Metadata Server is Enabled
gcp-k8s-stackdriver-monitor-off Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters
gcp-k8s-strackdriver-logs-off Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters
gcp-kms-bad-key-rotation Ensure KMS encryption keys are rotated within a period of 90 days
gcp-lb-ssl-weak-ciphers Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
gcp-res-man-default-svcacct Ensure Default Service account is not used at a project level
gcp-sql-backup-off Ensure all Cloud SQL database instances have backup configuration enabled
gcp-sql-mysql-local_infile-on Ensure MySQL database 'local_infile' flag is set to 'off'
gcp-sql-public-access Ensure that Cloud SQL database Instances are not open to the world
gcp-sql-public-ip Ensure Cloud SQL databases do not have a public IP
gcp-sql-ssl-off Ensure all Cloud SQL database instances require incoming connections to use SSL

Kubernetes (K8S)

Name Description
k8s-dashboard-present Ensure the Kubernetes dashboard is not deployed
k8s-docker-daemon Do not expose the docker daemon socket to containers
k8s-host-namespace Containers should not share the host namespaces
k8s-immutable-image Ensure image tags are pinned (not 'latest' or blank)
k8s-podsecuritypolicy-defined Ensure that if a Pod Security Policy exists, it enforces best practices.
k8s-rbac-wildcards Minimize wildcard use in Roles and ClusterRoles
k8s-resources-defined CPU, Memory requests and limit should be set
k8s-securitycontext-capabilities Minimize the admission of containers with added capabilities
k8s-securitycontext-defined Apply security context to your pods and containers
k8s-securitycontext-privileged Container should not be privileged
k8s-serviceaccount-default Ensure that default service accounts are not actively used
k8s-tiller-present Ensure that Tiller (Helm v2) is not deployed
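Most of the Kubernetes rules above are checks on a single Pod spec (or the pod template of a Deployment). The following is an added example, not the scanner's own code, that runs those checks over a manifest represented as the dict a YAML loader returns. The two manifests at the bottom are constructed samples and the rule ids are reused only as finding labels; the image-tag parser is deliberately shown because registry ports are the usual false positive.

```python
"""Pod-level checks in the spirit of k8s-host-namespace, k8s-docker-daemon,
k8s-serviceaccount-default, k8s-securitycontext-*, k8s-immutable-image and
k8s-resources-defined, run over one Pod manifest (the dict a YAML loader returns).

Added example, not the scanner's own code; the two manifests at the bottom are
constructed samples.  Rule ids are reused as finding labels for readability.
"""


def image_is_pinned(image):
    """k8s-immutable-image: a digest counts as pinned; no tag or :latest does not.
    The last ':' only denotes a tag if it comes after the last '/', otherwise it
    is a registry port (registry.local:5000/app)."""
    if "@sha256:" in image:
        return True
    _, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:
        return False
    return tag != "latest"


def _containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])


def audit_pod(pod):
    """Return a list of (rule, detail) findings for one Pod."""
    spec = pod.get("spec", {})
    findings = []
    for ns in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(ns):
            findings.append(("k8s-host-namespace", ns))
    if (spec.get("serviceAccountName", "default") == "default"
            and spec.get("automountServiceAccountToken", True)):
        findings.append(("k8s-serviceaccount-default", "default ServiceAccount token mounted"))
    for vol in spec.get("volumes", []):
        path = (vol.get("hostPath") or {}).get("path", "")
        if path.rstrip("/").endswith("docker.sock"):
            findings.append(("k8s-docker-daemon", vol.get("name")))
    for c in _containers(spec):
        name = c.get("name")
        sc = c.get("securityContext") or {}
        if not sc:
            findings.append(("k8s-securitycontext-defined", name))
        if sc.get("privileged"):
            findings.append(("k8s-securitycontext-privileged", name))
        added = (sc.get("capabilities") or {}).get("add") or []
        if added:
            findings.append(("k8s-securitycontext-capabilities", f"{name}: {','.join(added)}"))
        if not image_is_pinned(c.get("image", "")):
            findings.append(("k8s-immutable-image", f"{name}: {c.get('image')}"))
        res = c.get("resources") or {}
        for kind in ("requests", "limits"):
            for r in ("cpu", "memory"):
                if r not in (res.get(kind) or {}):
                    findings.append(("k8s-resources-defined", f"{name}: {kind}.{r}"))
    return findings


# Constructed sample: a "build" pod that mounts the Docker socket, runs privileged
# with SYS_ADMIN, shares the host PID namespace and pulls an unpinned image.
BAD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "builder"},
           "spec": {"hostPID": True,
                    "volumes": [{"name": "dockersock",
                                 "hostPath": {"path": "/var/run/docker.sock"}}],
                    "containers": [{"name": "build", "image": "docker:latest",
                                    "securityContext": {"privileged": True,
                                                        "capabilities": {"add": ["SYS_ADMIN"]}},
                                    "volumeMounts": [{"name": "dockersock",
                                                      "mountPath": "/var/run/docker.sock"}]}]}}

# Constructed sample: the same checks pass.
GOOD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
            "spec": {"serviceAccountName": "web-sa", "automountServiceAccountToken": False,
                     "containers": [{"name": "web",
                                     "image": "registry.example.com/web@sha256:" + "a" * 64,
                                     "securityContext": {"runAsNonRoot": True,
                                                         "allowPrivilegeEscalation": False,
                                                         "readOnlyRootFilesystem": True,
                                                         "capabilities": {"drop": ["ALL"]}},
                                     "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                                                   "limits": {"cpu": "500m", "memory": "256Mi"}}}]}}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "clean")
```

For Deployments, StatefulSets, Jobs and the like, pass spec.template to audit_pod; the checks are identical. Note that the default-ServiceAccount check only fires when the token is also mounted, since a pod that opts out with automountServiceAccountToken: false gains nothing from the default account.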

X509 Certificates

Name Description
x509-cert-expired x509 certificate has expired and is no longer valid
x509-cert-expires-soon x509 certificate will expire in the near future
x509-cert-insecure-signing-algorithm x509 certificate uses a weak cryptographic algorithm
x509-cert-insufficient-key-length x509 certificate uses a public key length that is considered insecure

Insecure Coding Practices

Name Description
bypass-framework-safe-default-output-encoding Ensure the framework's default (safe) output encoding is not bypassed
cookie-secure-flag-not-set Ensure cookies are set to secure
dangerous-function-buffer-alloc-unsafe Ensure Buffer.allocUnsafe is not used
dangerous-function-buffer-noassert Ensure buffer does not use noAssert
dangerous-function-buffer-non-literal-alloc Ensure buffer is initialized with a literal value
dangerous-function-deserialization Ensure safe deserialization
dangerous-raw-sql-used-with-orm Ensure raw SQL queries are not used through the ORM
debugging-interface-publicly-exposed Ensure debug interface is not exposed
dos-via-decompression-bomb Ensure proper handling of highly compressed data
dynamic-code-injection Ensure no dynamic code injection
eval-with-expression Ensure no dynamic eval expression
express-detect-no-csrf-before-method-override Ensure Express CSRF middleware is not registered before method-override (method-override must run first, otherwise an overridden method can bypass the CSRF check)
insecure-crypto-algorithm Ensure usage of secure cryptographic algorithms
jwt-hardcoded-secret-key Ensure JWT secret is not hard coded
jwt-none-algorithm-usage Ensure JWTs do not use the 'none' algorithm
missing-reverse-tabnabbing-protection Ensure links opened with target=_blank set rel=noopener
node-disable-ssl Ensure Node performs TLS validation
node-unsafe-property-access Ensure safe property access
node-vm-runinthiscontext Ensure node function runInThisContext used securely
non-literal-require Ensure node uses literal require statements
os-command-injection Ensure secure usage of os commands
path-traversal Ensure the function validates filesystem paths
plaintext-client-request Ensure XHR requests use encrypted transport
serialize-option-unsafe Ensure serialize-javascript is not called with the unsafe option
server-side-template-injection Ensure untrusted input is not used to build server-side templates
ssrf Ensure server side requests are validated
tls-disabled-cert-validation Ensure TLS validation is enabled
tls-insecure-protocol-config Ensure strong TLS protocols are used
unrestricted-server-socket-binding Ensure server sockets are not bound to all interfaces (0.0.0.0)
unsafe-child-process Ensure child_process usage is secure
wildcard-in-system-call Ensure system calls do not use wildcards
window-postmessage-unsafe-target-origin Ensure window.postMessage does not use '*' as targetOrigin
xss-request-parameter-reflected-in-response Ensure safe encoding of response
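Two of the rules above, path-traversal and ssrf, come down to input validation that is easy to get subtly wrong (a '..' check that misses an absolute path, a hostname allowlist that forgets embedded credentials or a host resolving to 169.254.169.254). The following is an added example of the hardened side of both checks; it is not code from the scanner or the page. ALLOWED_HOSTS, the base directory and the pluggable resolver are assumptions made so the example runs offline.

```python
"""Hardened forms of two of the checks above: path-traversal (a file served from
a user-supplied path) and ssrf (a URL fetched on the user's behalf).

Added example, not the scanner's or the page's code.  ALLOWED_HOSTS and the
pluggable resolver are assumptions made so the example runs offline.
"""
import ipaddress
import os
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.example.com"}          # assumed allowlist


def safe_join(base_dir, user_path):
    """Resolve user_path under base_dir and refuse anything that escapes it.
    realpath() collapses '..' and follows symlinks; commonpath() then proves the
    result is still inside base.  An absolute user_path is rejected too, because
    os.path.join() discards base_dir when the second argument is absolute."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base_dir}: {user_path!r}")
    return target


def _system_resolver(host):
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_outbound_url(url, resolver=_system_resolver):
    """Allow only https to an allowlisted host, with no embedded credentials, and
    only if every address the host resolves to is public (this rejects loopback,
    RFC 1918 and link-local, so 169.254.169.254-style metadata endpoints are out)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL")      # catches https://api.example.com@evil.test/
    host = parts.hostname
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowlisted: {host!r}")
    for addr in resolver(host):
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return url


if __name__ == "__main__":
    # Constructed inputs; the resolver is stubbed so nothing touches the network.
    public = lambda host: ["93.184.216.34"]
    for user_path in ("reports/q1.pdf", "../../etc/passwd", "/etc/passwd"):
        try:
            print("path ok:", safe_join("/srv/files", user_path))
        except ValueError as e:
            print("path rejected:", e)
    for url in ("https://api.example.com/v1/items", "http://api.example.com/",
                "https://169.254.169.254/latest/meta-data/",
                "https://api.example.com@evil.test/"):
        try:
            print("url ok:", validate_outbound_url(url, resolver=public))
        except ValueError as e:
            print("url rejected:", e)
```

One caveat a reviewer would raise: resolving the name here and then letting an HTTP client resolve it again leaves a DNS-rebinding window. For a real fetch, connect to the address that passed validation (and send the allowlisted name in the Host/SNI), or use a client that lets you hook its resolver so the same answer is used for both steps.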