From 9e9545db18f6f37aa18c12babd3b5fa902440f12 Mon Sep 17 00:00:00 2001 From: ajbara Date: Tue, 12 Apr 2022 12:32:56 +0300 Subject: [PATCH 01/26] Added output limitation --- checkov/common/output/record.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/checkov/common/output/record.py b/checkov/common/output/record.py index 6b948e1f7de..68a5adc0827 100644 --- a/checkov/common/output/record.py +++ b/checkov/common/output/record.py @@ -15,6 +15,7 @@ DEFAULT_SEVERITY = "none" # equivalent to a score of 0.0 in the CVSS v3.0 Ratings +output_violation_len = os.environ.get('CHECKOV_OUTPUT_VIOLATION_LENGTH', 50) class Record: check_id = "" @@ -118,6 +119,9 @@ def _code_line_string(code_block: List[Tuple[int, str]], colorized: bool = True) color_codes = (Fore.WHITE if colorized else "", Fore.YELLOW if colorized else "") last_line_number_len = len(str(code_block[-1][0])) + if len(code_block) >= output_violation_len: + return f'\t\t{color_codes[1]}Text is too long.' + for line_num, line in code_block: spaces = " " * (last_line_number_len - len(str(line_num))) if line.lstrip().startswith("#"): From f17b100e0bf365496fb1155ec8945dcafb8391a5 Mon Sep 17 00:00:00 2001 From: achiar99 <34912231+achiar99@users.noreply.github.com> Date: Tue, 12 Apr 2022 12:49:10 +0300 Subject: [PATCH 02/26] report_mutator_data refactor (#2799) * report_mutator_data refactor * add new line * none * pylint * fix import * lint * fix import --- checkov/common/runners/base_runner.py | 1 + checkov/kubernetes/runner.py | 19 ++++++------ checkov/kustomize/runner.py | 43 ++++++++++++++++++++------- 3 files changed, 44 insertions(+), 19 deletions(-) diff --git a/checkov/common/runners/base_runner.py b/checkov/common/runners/base_runner.py index 968e50e3fca..6079c1a81db 100644 --- a/checkov/common/runners/base_runner.py +++ b/checkov/common/runners/base_runner.py @@ -64,6 +64,7 @@ def set_external_data( definitions: Optional[Dict[str, Dict[str, Any]]], context: Optional[Dict[str, Dict[str, Any]]], breadcrumbs: Optional[Dict[str, Dict[str, Any]]], + *args ) -> None: self.definitions = definitions self.context = context diff --git a/checkov/kubernetes/runner.py b/checkov/kubernetes/runner.py index 078c8ff4543..ebe75eca3b7 100644 --- a/checkov/kubernetes/runner.py +++ b/checkov/kubernetes/runner.py @@ -36,8 +36,9 @@ def __init__( self.graph_registry = get_graph_checks_registry(self.check_type) self.definitions_raw = {} + self.report_mutator_data = None - def run(self, root_folder, external_checks_dir=None, files=None, runner_filter=RunnerFilter(), collect_skip_comments=True, helmChart=None, reportMutatorData=None): + def run(self, root_folder, external_checks_dir=None, files=None, runner_filter=RunnerFilter(), collect_skip_comments=True, helmChart=None): report = Report(self.check_type) if self.context is None or self.definitions is None: if files or root_folder: @@ -58,13 +59,13 @@ def run(self, root_folder, external_checks_dir=None, files=None, runner_filter=R self.graph_manager.save_graph(local_graph) self.definitions = local_graph.definitions - report = self.check_definitions(root_folder, runner_filter, report, reportMutatorData=reportMutatorData, collect_skip_comments=collect_skip_comments, helmChart=helmChart) - graph_report = self.get_graph_checks_report(root_folder, runner_filter, helmChart=helmChart, reportMutatorData=reportMutatorData) + report = self.check_definitions(root_folder, runner_filter, report, collect_skip_comments=collect_skip_comments, helmChart=helmChart) + graph_report = self.get_graph_checks_report(root_folder, runner_filter, helmChart=helmChart) merge_reports(report, graph_report) return report - def check_definitions(self, root_folder, runner_filter, report, reportMutatorData, collect_skip_comments=True, helmChart=None,): + def check_definitions(self, root_folder, runner_filter, report, collect_skip_comments=True, helmChart=None,): for k8_file in self.definitions.keys(): # There are a few cases here. If -f was used, there could be a leading / because it's an absolute path, # or there will be no leading slash; root_folder will always be none. @@ -88,17 +89,17 @@ def check_definitions(self, root_folder, runner_filter, report, reportMutatorDat # TODO? - Variable Eval Message! variable_evaluations = {} - report = self.mutateKubernetesResults(results, report, k8_file, k8_file_path, file_abs_path, entity_conf, variable_evaluations, reportMutatorData) + report = self.mutateKubernetesResults(results, report, k8_file, k8_file_path, file_abs_path, entity_conf, variable_evaluations) return report - def get_graph_checks_report(self, root_folder: str, runner_filter: RunnerFilter, helmChart, reportMutatorData) -> Report: + def get_graph_checks_report(self, root_folder: str, runner_filter: RunnerFilter, helmChart) -> Report: report = Report(self.check_type) checks_results = self.run_graph_checks_results(runner_filter) - report = self.mutateKubernetesGraphResults(root_folder, runner_filter, report, checks_results, reportMutatorData=reportMutatorData) + report = self.mutateKubernetesGraphResults(root_folder, runner_filter, report, checks_results) return report - def mutateKubernetesResults(self, results, report, k8_file=None, k8_file_path=None, file_abs_path=None, entity_conf=None, variable_evaluations=None, reportMutatorData=None): + def mutateKubernetesResults(self, results, report, k8_file=None, k8_file_path=None, file_abs_path=None, entity_conf=None, variable_evaluations=None): # Moves report generation logic out of run() method in Runner class. # Allows function overriding of a much smaller function than run() for other "child" frameworks such as Kustomize, Helm # Where Kubernetes CHECKS are needed, but the specific file references are to another framework for the user output (or a mix of both). @@ -117,7 +118,7 @@ def mutateKubernetesResults(self, results, report, k8_file=None, k8_file_path=No return report - def mutateKubernetesGraphResults(self, root_folder: str, runner_filter: RunnerFilter, report: Report, checks_results, reportMutatorData=None) -> Report: + def mutateKubernetesGraphResults(self, root_folder: str, runner_filter: RunnerFilter, report: Report, checks_results) -> Report: # Moves report generation logic out of run() method in Runner class. # Allows function overriding of a much smaller function than run() for other "child" frameworks such as Kustomize, Helm # Where Kubernetes CHECKS are needed, but the specific file references are to another framework for the user output (or a mix of both). diff --git a/checkov/kustomize/runner.py b/checkov/kustomize/runner.py index 40dced70287..ba9585132e9 100644 --- a/checkov/kustomize/runner.py +++ b/checkov/kustomize/runner.py @@ -5,6 +5,7 @@ import shutil import subprocess # nosec import tempfile +from typing import List, Optional, Dict, Any, Type import yaml @@ -16,16 +17,37 @@ from checkov.kubernetes.runner import Runner as K8sRunner from checkov.kubernetes.runner import _get_entity_abs_path from checkov.runner_filter import RunnerFilter +from checkov.common.graph.checks_infra.registry import BaseRegistry +from checkov.common.graph.db_connectors.networkx.networkx_db_connector import NetworkxConnector +from checkov.common.graph.graph_builder.local_graph import LocalGraph +from checkov.common.graph.graph_manager import GraphManager +from checkov.kubernetes.graph_builder.local_graph import KubernetesLocalGraph class K8sKustomizeRunner(K8sRunner): - - def mutateKubernetesResults(self, results, report, k8_file=None, k8_file_path=None, file_abs_path=None, entity_conf=None, variable_evaluations=None, reportMutatorData=None): + def __init__(self, graph_class: Type[LocalGraph] = KubernetesLocalGraph, + db_connector: NetworkxConnector = NetworkxConnector(), + source: str = "Kubernetes", + graph_manager: Optional[GraphManager] = None, + external_registries: Optional[List[BaseRegistry]] = None) -> None: + super().__init__(graph_class, db_connector, source, graph_manager, external_registries) + self.report_mutator_data = {} + + def set_external_data(self, + definitions: Optional[Dict[str, Dict[str, Any]]], + context: Optional[Dict[str, Dict[str, Any]]], + breadcrumbs: Optional[Dict[str, Dict[str, Any]]], + report_mutator_data: Optional[Dict[str, Dict[str, Any]]] + ): + super().set_external_data(definitions, context, breadcrumbs) + self.report_mutator_data = report_mutator_data + + def mutateKubernetesResults(self, results, report, k8_file=None, k8_file_path=None, file_abs_path=None, entity_conf=None, variable_evaluations=None): # Moves report generation logic out of checkov.kubernetes.runner.run() def. # Allows us to overriding report file information for "child" frameworks such as Kustomize, Helm # Where Kubernetes CHECKS are needed, but the specific file references are to another framework for the user output (or a mix of both). - kustomizeMetadata = reportMutatorData['kustomizeMetadata'], - kustomizeFileMappings = reportMutatorData['kustomizeFileMappings'] + kustomizeMetadata = self.report_mutator_data['kustomizeMetadata'], + kustomizeFileMappings = self.report_mutator_data['kustomizeFileMappings'] for check, check_result in results.items(): resource_id = get_resource_id(entity_conf) entity_context = self.context[k8_file][resource_id] @@ -61,12 +83,12 @@ def line_range(self, code_lines): file_line_range = [first_line, last_line] return file_line_range - def mutateKubernetesGraphResults(self, root_folder: str, runner_filter: RunnerFilter, report: Report, checks_results, reportMutatorData=None) -> Report: + def mutateKubernetesGraphResults(self, root_folder: str, runner_filter: RunnerFilter, report: Report, checks_results) -> Report: # Moves report generation logic out of run() method in Runner class. # Allows function overriding of a much smaller function than run() for other "child" frameworks such as Kustomize, Helm # Where Kubernetes CHECKS are needed, but the specific file references are to another framework for the user output (or a mix of both). - kustomizeMetadata = reportMutatorData['kustomizeMetadata'], - kustomizeFileMappings = reportMutatorData['kustomizeFileMappings'] + kustomizeMetadata = self.report_mutator_data['kustomizeMetadata'], + kustomizeFileMappings = self.report_mutator_data['kustomizeFileMappings'] for check, check_results in checks_results.items(): for check_result in check_results: @@ -368,10 +390,11 @@ def run(self, root_folder, external_checks_dir=None, files=None, runner_filter=R try: k8s_runner = K8sKustomizeRunner() - reportMutatorData = {'kustomizeMetadata':self.kustomizeProcessedFolderAndMeta,'kustomizeFileMappings':self.kustomizeFileMappings} + report_mutator_data = {'kustomizeMetadata':self.kustomizeProcessedFolderAndMeta, + 'kustomizeFileMappings':self.kustomizeFileMappings} # k8s_runner.run() will kick off both CKV_ and CKV2_ checks and return a merged results object. - chart_results = k8s_runner.run(target_dir, external_checks_dir=None, - runner_filter=runner_filter, reportMutatorData=reportMutatorData) + k8s_runner.report_mutator_data = report_mutator_data + chart_results = k8s_runner.run(target_dir, external_checks_dir=None, runner_filter=runner_filter) logging.debug(f"Sucessfully ran k8s scan on Kustomization templated files in tmp scan dir : {target_dir}") report.failed_checks += chart_results.failed_checks report.passed_checks += chart_results.passed_checks From 142f684d4b59e83962c80a99553980eb45fbd760 Mon Sep 17 00:00:00 2001 From: James Woolfenden Date: Tue, 12 Apr 2022 09:49:11 +0000 Subject: [PATCH 03/26] Merge 4394bb07c2c9abc2d6d4337d5a257e5d40653c44 into f17b100e0bf365496fb1155ec8945dcafb8391a5 --- admissioncontroller/checkov-requirements.txt | 2 +- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/admissioncontroller/checkov-requirements.txt b/admissioncontroller/checkov-requirements.txt index e96b2e62d5e..8d968d74f50 100644 --- a/admissioncontroller/checkov-requirements.txt +++ b/admissioncontroller/checkov-requirements.txt @@ -1 +1 @@ -checkov==2.0.1051 +checkov==2.0.1052 diff --git a/checkov/version.py b/checkov/version.py index ad70dca3cb4..48046bd62c9 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.1051' +version = '2.0.1052' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index e96b2e62d5e..8d968d74f50 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.1051 +checkov==2.0.1052 From 48aa8acc3823f67672cfc187745b9b3426175589 Mon Sep 17 00:00:00 2001 From: achiar99 <34912231+achiar99@users.noreply.github.com> Date: Tue, 12 Apr 2022 12:49:10 +0300 Subject: [PATCH 04/26] report_mutator_data refactor (#2799) * report_mutator_data refactor * add new line * none * pylint * fix import * lint * fix import --- admissioncontroller/k8s/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admissioncontroller/k8s/deployment.yaml b/admissioncontroller/k8s/deployment.yaml index 3e0ea498e50..62412ceca84 100644 --- a/admissioncontroller/k8s/deployment.yaml +++ b/admissioncontroller/k8s/deployment.yaml @@ -31,7 +31,7 @@ spec: drop: - ALL - NET_RAW - image: bridgecrew/whorf@sha256:d3f459cba6a2cd325855de025b5be6e3b2efc79cc926da72ea8c31690d3044ec + image: bridgecrew/whorf@sha256:d96169c00b7c6116cc342f59ca9f4e831d4b199b538471867737e2f74ed7adb3 resources: limits: cpu: "1" From fbf104e065828e34b197a98044c17e266489a293 Mon Sep 17 00:00:00 2001 From: ajbara Date: Tue, 12 Apr 2022 13:41:12 +0300 Subject: [PATCH 05/26] Fixed --- checkov/common/output/record.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/checkov/common/output/record.py b/checkov/common/output/record.py index 68a5adc0827..9cdd0d01be5 100644 --- a/checkov/common/output/record.py +++ b/checkov/common/output/record.py @@ -10,12 +10,13 @@ from checkov.common.models.enums import CheckResult from checkov.common.typing import _CheckResult from checkov.common.util.file_utils import convert_to_unix_path +from checkov.common.util.type_forcers import force_int init(autoreset=True) DEFAULT_SEVERITY = "none" # equivalent to a score of 0.0 in the CVSS v3.0 Ratings -output_violation_len = os.environ.get('CHECKOV_OUTPUT_VIOLATION_LENGTH', 50) +OUTPUT_VIOLATION_LEN = force_int(os.getenv('CHECKOV_OUTPUT_VIOLATION_LENGTH')) or 50 class Record: check_id = "" @@ -119,7 +120,7 @@ def _code_line_string(code_block: List[Tuple[int, str]], colorized: bool = True) color_codes = (Fore.WHITE if colorized else "", Fore.YELLOW if colorized else "") last_line_number_len = len(str(code_block[-1][0])) - if len(code_block) >= output_violation_len: + if len(code_block) >= OUTPUT_VIOLATION_LEN: return f'\t\t{color_codes[1]}Text is too long.' for line_num, line in code_block: From 5fdaeda2270dc2e6f79abc1735bde4145ddb75c3 Mon Sep 17 00:00:00 2001 From: achiagit Date: Tue, 12 Apr 2022 14:07:02 +0300 Subject: [PATCH 06/26] fix set external runner data --- checkov/common/runners/base_runner.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checkov/common/runners/base_runner.py b/checkov/common/runners/base_runner.py index 6079c1a81db..374b1a949e0 100644 --- a/checkov/common/runners/base_runner.py +++ b/checkov/common/runners/base_runner.py @@ -64,7 +64,7 @@ def set_external_data( definitions: Optional[Dict[str, Dict[str, Any]]], context: Optional[Dict[str, Dict[str, Any]]], breadcrumbs: Optional[Dict[str, Dict[str, Any]]], - *args + **kwargs ) -> None: self.definitions = definitions self.context = context From d90a9b1abb6817b0dd98208dfa877ffeddce33bf Mon Sep 17 00:00:00 2001 From: ajbara Date: Tue, 12 Apr 2022 14:12:35 +0300 Subject: [PATCH 07/26] Textual Changes --- checkov/common/output/record.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/checkov/common/output/record.py b/checkov/common/output/record.py index 9cdd0d01be5..e738427bae6 100644 --- a/checkov/common/output/record.py +++ b/checkov/common/output/record.py @@ -16,7 +16,7 @@ DEFAULT_SEVERITY = "none" # equivalent to a score of 0.0 in the CVSS v3.0 Ratings -OUTPUT_VIOLATION_LEN = force_int(os.getenv('CHECKOV_OUTPUT_VIOLATION_LENGTH')) or 50 +OUTPUT_CODE_LINE_LIMIT = force_int(os.getenv('CHECKOV_OUTPUT_CODE_LINE_LIMIT')) or 50 class Record: check_id = "" @@ -120,8 +120,9 @@ def _code_line_string(code_block: List[Tuple[int, str]], colorized: bool = True) color_codes = (Fore.WHITE if colorized else "", Fore.YELLOW if colorized else "") last_line_number_len = len(str(code_block[-1][0])) - if len(code_block) >= OUTPUT_VIOLATION_LEN: - return f'\t\t{color_codes[1]}Text is too long.' + if len(code_block) >= OUTPUT_CODE_LINE_LIMIT: + return f'\t\t{color_codes[1]}Code lines for this resource are too many. ' \ + f'Please use IDE of your choice to review the file.' for line_num, line in code_block: spaces = " " * (last_line_number_len - len(str(line_num))) From ff217a56ee70b9b0c6d82174a9a816d52663187a Mon Sep 17 00:00:00 2001 From: achiagit Date: Tue, 12 Apr 2022 14:07:02 +0300 Subject: [PATCH 08/26] fix set external runner data --- admissioncontroller/checkov-requirements.txt | 2 +- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/admissioncontroller/checkov-requirements.txt b/admissioncontroller/checkov-requirements.txt index 8d968d74f50..0e5f46ebdb2 100644 --- a/admissioncontroller/checkov-requirements.txt +++ b/admissioncontroller/checkov-requirements.txt @@ -1 +1 @@ -checkov==2.0.1052 +checkov==2.0.1053 diff --git a/checkov/version.py b/checkov/version.py index 48046bd62c9..951c1248506 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.1052' +version = '2.0.1053' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 8d968d74f50..0e5f46ebdb2 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.1052 +checkov==2.0.1053 From f0db9c734fdf3bef9c3fe1635a78383e242f7c36 Mon Sep 17 00:00:00 2001 From: achiagit Date: Tue, 12 Apr 2022 14:07:02 +0300 Subject: [PATCH 09/26] fix set external runner data --- admissioncontroller/k8s/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admissioncontroller/k8s/deployment.yaml b/admissioncontroller/k8s/deployment.yaml index 62412ceca84..730957b5022 100644 --- a/admissioncontroller/k8s/deployment.yaml +++ b/admissioncontroller/k8s/deployment.yaml @@ -31,7 +31,7 @@ spec: drop: - ALL - NET_RAW - image: bridgecrew/whorf@sha256:d96169c00b7c6116cc342f59ca9f4e831d4b199b538471867737e2f74ed7adb3 + image: bridgecrew/whorf@sha256:3032f5f9a02eabf8be59bf943a7e5e37a61e4fecfbf11986b21bfb24d2d2cc18 resources: limits: cpu: "1" From 34c902111330324cd49830323659b7451d94f80e Mon Sep 17 00:00:00 2001 From: achiagit Date: Tue, 12 Apr 2022 14:21:51 +0300 Subject: [PATCH 10/26] Revert "fix set external runner data" This reverts commit 5fdaeda2270dc2e6f79abc1735bde4145ddb75c3. --- checkov/common/runners/base_runner.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checkov/common/runners/base_runner.py b/checkov/common/runners/base_runner.py index 374b1a949e0..6079c1a81db 100644 --- a/checkov/common/runners/base_runner.py +++ b/checkov/common/runners/base_runner.py @@ -64,7 +64,7 @@ def set_external_data( definitions: Optional[Dict[str, Dict[str, Any]]], context: Optional[Dict[str, Dict[str, Any]]], breadcrumbs: Optional[Dict[str, Dict[str, Any]]], - **kwargs + *args ) -> None: self.definitions = definitions self.context = context From e8e5dfa871ff1ffdd95db7f0ba3bf6cfedb672c1 Mon Sep 17 00:00:00 2001 From: achiar99 <34912231+achiar99@users.noreply.github.com> Date: Tue, 12 Apr 2022 11:23:57 +0000 Subject: [PATCH 11/26] Merge a55af0efd5bedc49b12daf6faff96271abe09166 into d9269af517a85a62d8010e17fa09b34e1a3b17ed --- admissioncontroller/checkov-requirements.txt | 2 +- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/admissioncontroller/checkov-requirements.txt b/admissioncontroller/checkov-requirements.txt index 0e5f46ebdb2..119d200be4d 100644 --- a/admissioncontroller/checkov-requirements.txt +++ b/admissioncontroller/checkov-requirements.txt @@ -1 +1 @@ -checkov==2.0.1053 +checkov==2.0.1054 diff --git a/checkov/version.py b/checkov/version.py index 951c1248506..38c524a1426 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.1053' +version = '2.0.1054' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 0e5f46ebdb2..119d200be4d 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.1053 +checkov==2.0.1054 From 7ab10bea9c71cb446c1e4d41bfcc04b6ebf54025 Mon Sep 17 00:00:00 2001 From: achiagit Date: Tue, 12 Apr 2022 14:22:13 +0300 Subject: [PATCH 12/26] Merge branch 'master' of https://github.com/bridgecrewio/checkov --- admissioncontroller/k8s/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admissioncontroller/k8s/deployment.yaml b/admissioncontroller/k8s/deployment.yaml index 730957b5022..5dda785c63d 100644 --- a/admissioncontroller/k8s/deployment.yaml +++ b/admissioncontroller/k8s/deployment.yaml @@ -31,7 +31,7 @@ spec: drop: - ALL - NET_RAW - image: bridgecrew/whorf@sha256:3032f5f9a02eabf8be59bf943a7e5e37a61e4fecfbf11986b21bfb24d2d2cc18 + image: bridgecrew/whorf@sha256:0fcd7c23c2174a5dfa4d2834deaea41aa5ed43a60bc43f58a4bdfff7e067b9e1 resources: limits: cpu: "1" From 16b3c8324485841c332f28c25a98029d8db6c67c Mon Sep 17 00:00:00 2001 From: achiar99 <34912231+achiar99@users.noreply.github.com> Date: Tue, 12 Apr 2022 14:35:14 +0300 Subject: [PATCH 13/26] fix set external data (#2802) --- checkov/common/runners/base_runner.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checkov/common/runners/base_runner.py b/checkov/common/runners/base_runner.py index 6079c1a81db..374b1a949e0 100644 --- a/checkov/common/runners/base_runner.py +++ b/checkov/common/runners/base_runner.py @@ -64,7 +64,7 @@ def set_external_data( definitions: Optional[Dict[str, Dict[str, Any]]], context: Optional[Dict[str, Dict[str, Any]]], breadcrumbs: Optional[Dict[str, Dict[str, Any]]], - *args + **kwargs ) -> None: self.definitions = definitions self.context = context From cf623d13bc054b3030558235f58f4e62798cc7ee Mon Sep 17 00:00:00 2001 From: achiar99 <34912231+achiar99@users.noreply.github.com> Date: Tue, 12 Apr 2022 14:35:14 +0300 Subject: [PATCH 14/26] fix set external data (#2802) --- admissioncontroller/checkov-requirements.txt | 2 +- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/admissioncontroller/checkov-requirements.txt b/admissioncontroller/checkov-requirements.txt index 119d200be4d..1df84a07f97 100644 --- a/admissioncontroller/checkov-requirements.txt +++ b/admissioncontroller/checkov-requirements.txt @@ -1 +1 @@ -checkov==2.0.1054 +checkov==2.0.1055 diff --git a/checkov/version.py b/checkov/version.py index 38c524a1426..2ed5c2c6733 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.1054' +version = '2.0.1055' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 119d200be4d..1df84a07f97 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.1054 +checkov==2.0.1055 From 98bc197aab51d5ed2840610e440237c287e0f308 Mon Sep 17 00:00:00 2001 From: achiar99 <34912231+achiar99@users.noreply.github.com> Date: Tue, 12 Apr 2022 14:35:14 +0300 Subject: [PATCH 15/26] fix set external data (#2802) --- admissioncontroller/k8s/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admissioncontroller/k8s/deployment.yaml b/admissioncontroller/k8s/deployment.yaml index 5dda785c63d..27ea8aa27d8 100644 --- a/admissioncontroller/k8s/deployment.yaml +++ b/admissioncontroller/k8s/deployment.yaml @@ -31,7 +31,7 @@ spec: drop: - ALL - NET_RAW - image: bridgecrew/whorf@sha256:0fcd7c23c2174a5dfa4d2834deaea41aa5ed43a60bc43f58a4bdfff7e067b9e1 + image: bridgecrew/whorf@sha256:d89621cccf516267d499ce6d63ec8b563bd21119ca04fef80774ca99e6b4b1d1 resources: limits: cpu: "1" From 31c378c6719306a4b51ccd811c91f35dd97edb50 Mon Sep 17 00:00:00 2001 From: Aya Jbara <101502964+ayajbara@users.noreply.github.com> Date: Tue, 12 Apr 2022 14:52:33 +0300 Subject: [PATCH 16/26] Merge pull request #2800 from bridgecrewio/limit_printed_lines Added output limitation --- admissioncontroller/checkov-requirements.txt | 2 +- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/admissioncontroller/checkov-requirements.txt b/admissioncontroller/checkov-requirements.txt index 1df84a07f97..53e068df193 100644 --- a/admissioncontroller/checkov-requirements.txt +++ b/admissioncontroller/checkov-requirements.txt @@ -1 +1 @@ -checkov==2.0.1055 +checkov==2.0.1056 diff --git a/checkov/version.py b/checkov/version.py index 2ed5c2c6733..47f496d7d4c 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.1055' +version = '2.0.1056' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 1df84a07f97..53e068df193 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.1055 +checkov==2.0.1056 From 6bf7fc00d13a6ae6ae24312de7f44e77f0574beb Mon Sep 17 00:00:00 2001 From: Aya Jbara <101502964+ayajbara@users.noreply.github.com> Date: Tue, 12 Apr 2022 14:52:33 +0300 Subject: [PATCH 17/26] Merge pull request #2800 from bridgecrewio/limit_printed_lines Added output limitation --- admissioncontroller/k8s/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admissioncontroller/k8s/deployment.yaml b/admissioncontroller/k8s/deployment.yaml index 27ea8aa27d8..1956b6bf7df 100644 --- a/admissioncontroller/k8s/deployment.yaml +++ b/admissioncontroller/k8s/deployment.yaml @@ -31,7 +31,7 @@ spec: drop: - ALL - NET_RAW - image: bridgecrew/whorf@sha256:d89621cccf516267d499ce6d63ec8b563bd21119ca04fef80774ca99e6b4b1d1 + image: bridgecrew/whorf@sha256:1057b38b045e69ec2fdf327f54138462f782819d3bb94d328506146c71f97ca0 resources: limits: cpu: "1" From 36928cf3477aee08c594bcc8fea34497e40a2d22 Mon Sep 17 00:00:00 2001 From: James Woolfenden Date: Tue, 12 Apr 2022 20:09:39 +0100 Subject: [PATCH 18/26] Alicloud k8s Ensure that network plugin for k8s policy support is installed (#2801) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Check for network plugin * Check for network plugin * Update checkov/terraform/checks/resource/alicloud/K8sEnableNetworkPolicies.py Co-authored-by: Anton Grübel * remove duplicate logic Co-authored-by: Anton Grübel --- .../alicloud/K8sEnableNetworkPolicies.py | 60 ++++++++++++++ .../checks/resource/alicloud/RDSRetention.py | 1 + .../alicloud/example_DiskIsEncrypted/main.tf | 3 +- .../example_K8sEnableNetworkPolicies/main.tf | 82 +++++++++++++++++++ .../alicloud/test_K8sEnableNetworkPolicies.py | 44 ++++++++++ 5 files changed, 189 insertions(+), 1 deletion(-) create mode 100644 checkov/terraform/checks/resource/alicloud/K8sEnableNetworkPolicies.py create mode 100644 tests/terraform/checks/resource/alicloud/example_K8sEnableNetworkPolicies/main.tf create mode 100644 tests/terraform/checks/resource/alicloud/test_K8sEnableNetworkPolicies.py diff --git a/checkov/terraform/checks/resource/alicloud/K8sEnableNetworkPolicies.py b/checkov/terraform/checks/resource/alicloud/K8sEnableNetworkPolicies.py new file mode 100644 index 00000000000..c8d18cef1e3 --- /dev/null +++ b/checkov/terraform/checks/resource/alicloud/K8sEnableNetworkPolicies.py @@ -0,0 +1,60 @@ +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck + + +class K8sEnableNetworkPolicies(BaseResourceCheck): + def __init__(self): + """ + Kubernetes Cluster should have Terway or Flannel as CNI Network Plugin as it allows you to use + standard Kubernetes network policies + https://www.alibabacloud.com/help/en/container-service-for-kubernetes/latest/work-with-terway + https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/cs_kubernetes#cluster_network_type + The vswitches for the pod network when using Terway.Be careful the pod_vswitch_ids can not equal to + worker_vswitch_ids or master_vswitch_ids but must be in same availability zones. + Flannel requires pod_cidr. + """ + + name = "Ensure Kubernetes installs plugin Terway or Flannel to support standard policies" + id = "CKV_ALI_26" + supported_resources = ['alicloud_cs_kubernetes'] + categories = [CheckCategories.KUBERNETES] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf): + # required fields + if not (conf.get("pod_vswitch_ids") or conf.get("pod_cidr")): + return CheckResult.FAILED + # addons + if conf.get("addons") and isinstance(conf.get("addons"), list): + names = [ + addon["name"][0] + for addon in conf["addons"] + if addon.get("name") + ] + + if "terway-eniip" in names: + if conf.get("pod_vswitch_ids") and isinstance(conf.get("pod_vswitch_ids"), list): + net_ids = conf.get("pod_vswitch_ids")[0] + if isinstance(conf.get("worker_vswitch_ids"), list) \ + and isinstance(conf.get("master_vswitch_ids"), list): + if any(net_id in net_ids for net_id in conf.get("worker_vswitch_ids")[0]): + self.evaluated_keys = ["worker_vswitch_ids"] + return CheckResult.FAILED + if any(net_id in net_ids for net_id in conf.get("master_vswitch_ids")[0]): + self.evaluated_keys = ["master_vswitch_ids"] + return CheckResult.FAILED + return CheckResult.PASSED + + self.evaluated_keys = ["pod_vswitch_ids"] + return CheckResult.FAILED + if "flannel" in names: + if conf.get("pod_cidr"): + return CheckResult.PASSED + self.evaluated_keys = ["addons/[0]/config"] + return CheckResult.FAILED + else: + self.evaluated_keys = ["addons"] + return CheckResult.FAILED + + +check = K8sEnableNetworkPolicies() diff --git a/checkov/terraform/checks/resource/alicloud/RDSRetention.py b/checkov/terraform/checks/resource/alicloud/RDSRetention.py index 47fcd2569cd..a215a14c2cd 100644 --- a/checkov/terraform/checks/resource/alicloud/RDSRetention.py +++ b/checkov/terraform/checks/resource/alicloud/RDSRetention.py @@ -29,4 +29,5 @@ def scan_resource_conf(self, conf) -> CheckResult: return CheckResult.FAILED + check = RDSRetention() diff --git a/tests/terraform/checks/resource/alicloud/example_DiskIsEncrypted/main.tf b/tests/terraform/checks/resource/alicloud/example_DiskIsEncrypted/main.tf index 600a8b327fc..90838c69a43 100644 --- a/tests/terraform/checks/resource/alicloud/example_DiskIsEncrypted/main.tf +++ b/tests/terraform/checks/resource/alicloud/example_DiskIsEncrypted/main.tf @@ -41,4 +41,5 @@ resource "alicloud_disk" "fail2" { tags = { Name = "TerraformTest" } -} \ No newline at end of file +} + diff --git a/tests/terraform/checks/resource/alicloud/example_K8sEnableNetworkPolicies/main.tf b/tests/terraform/checks/resource/alicloud/example_K8sEnableNetworkPolicies/main.tf new file mode 100644 index 00000000000..f2091ca3fd1 --- /dev/null +++ b/tests/terraform/checks/resource/alicloud/example_K8sEnableNetworkPolicies/main.tf @@ -0,0 +1,82 @@ + +provider "alicloud" { +} + +#happy path +resource "alicloud_cs_kubernetes" "pass" { + worker_number = 4 + worker_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] + master_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] + master_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] + worker_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] + + addons { + config = "" + name = "terway-eniip" + } + + pod_vswitch_ids = ["vsw-id4"] +} + +# array of addons +resource "alicloud_cs_kubernetes" "pass2" { + worker_number = 4 + worker_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] + master_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] + master_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] + worker_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] + + addons { + config = "" + name = "flannel" + } + + addons { + name = "csi-plugin" + config = "" + } + + pod_cidr = "10.0.1.0/16" +} + + +#no addon +resource "alicloud_cs_kubernetes" "fail" { + worker_number = 4 + worker_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] + master_vswitch_ids = ["vsw-id1", "vsw-id2", "vsw-id3"] + master_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] + worker_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] + + pod_vswitch_ids = ["vsw-id6"] +} + +#conflict with worker_vswitch_ids +resource "alicloud_cs_kubernetes" "fail2" { + worker_number = 4 + worker_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] + master_vswitch_ids = ["vsw-id2", "vsw-id2", "vsw-id3"] + master_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] + worker_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] + addons { + config = "" + name = "terway-eniip" + } + pod_vswitch_ids = ["vsw-id1"] +} + +#conflict with master_vswitch_ids +resource "alicloud_cs_kubernetes" "fail3" { + worker_number = 4 + worker_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] + master_vswitch_ids = ["vsw-id1", "vsw-id2", "vsw-id3"] + master_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] + worker_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] + + addons { + config = "" + name = "terway-eniip" + } + pod_vswitch_ids = ["vsw-id2"] +} + diff --git a/tests/terraform/checks/resource/alicloud/test_K8sEnableNetworkPolicies.py b/tests/terraform/checks/resource/alicloud/test_K8sEnableNetworkPolicies.py new file mode 100644 index 00000000000..db29522bed3 --- /dev/null +++ b/tests/terraform/checks/resource/alicloud/test_K8sEnableNetworkPolicies.py @@ -0,0 +1,44 @@ +import os +import unittest + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.runner import Runner +from checkov.terraform.checks.resource.alicloud.K8sEnableNetworkPolicies import check + + +class TestK8sEnableNetworkPolicies(unittest.TestCase): + + def test(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = os.path.join(current_dir, "example_K8sEnableNetworkPolicies") + report = runner.run(root_folder=test_files_dir, + runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + 'alicloud_cs_kubernetes.pass', + 'alicloud_cs_kubernetes.pass2', + } + failing_resources = { + 'alicloud_cs_kubernetes.fail', + 'alicloud_cs_kubernetes.fail2', + 'alicloud_cs_kubernetes.fail3', + } + skipped_resources = {} + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary['passed'], len(passing_resources)) + self.assertEqual(summary['failed'], len(failing_resources)) + self.assertEqual(summary['skipped'], len(skipped_resources)) + self.assertEqual(summary['parsing_errors'], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == '__main__': + unittest.main() \ No newline at end of file From c024eb1c42782167357e9c9dbc275470e3f8f35b Mon Sep 17 00:00:00 2001 From: Yuval Avrahami <39744677+yuvalavra@users.noreply.github.com> Date: Tue, 12 Apr 2022 22:09:56 +0300 Subject: [PATCH 19/26] Add base_rbac_check for k8s along with CKV_K8S_155 & CKV_K8S_156 (#2776) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add base_rbac_check for k8s alongwith CKV_K8S_155 & CKV_K8S_156 * fix linting * Update checkov/kubernetes/checks/resource/base_rbac_check.py Co-authored-by: Anton Grübel Co-authored-by: Anton Grübel --- .../checks/resource/base_rbac_check.py | 83 +++++++++++++++++++ .../RbacApproveCertificateSigningRequests.py | 26 ++++++ .../resource/k8s/RbacControlWebhooks.py | 20 +++++ .../clusterrole-failed-1.yaml | 13 +++ .../clusterrole-failed-2.yaml | 10 +++ .../clusterrole-failed-3.yaml | 13 +++ .../clusterrole-passed-1.yaml | 13 +++ .../clusterrole-passed-2.yaml | 10 +++ .../clusterrole-failed-1.yaml | 13 +++ .../clusterrole-failed-2.yaml | 10 +++ .../clusterrole-passed-1.yaml | 10 +++ .../clusterrole-passed-2.yaml | 10 +++ ...t_RbacApproveCertificateSigningRequests.py | 42 ++++++++++ .../checks/test_RbacControlWebhooks.py | 41 +++++++++ 14 files changed, 314 insertions(+) create mode 100644 checkov/kubernetes/checks/resource/base_rbac_check.py create mode 100644 checkov/kubernetes/checks/resource/k8s/RbacApproveCertificateSigningRequests.py create mode 100644 checkov/kubernetes/checks/resource/k8s/RbacControlWebhooks.py create mode 100644 tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-failed-1.yaml create mode 100644 tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-failed-2.yaml create mode 100644 tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-failed-3.yaml create mode 100644 tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-passed-1.yaml create mode 100644 tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-passed-2.yaml create mode 100644 tests/kubernetes/checks/example_RbacControlWebhooks/clusterrole-failed-1.yaml create mode 100644 tests/kubernetes/checks/example_RbacControlWebhooks/clusterrole-failed-2.yaml create mode 100644 tests/kubernetes/checks/example_RbacControlWebhooks/clusterrole-passed-1.yaml create mode 100644 tests/kubernetes/checks/example_RbacControlWebhooks/clusterrole-passed-2.yaml create mode 100644 tests/kubernetes/checks/test_RbacApproveCertificateSigningRequests.py create mode 100644 tests/kubernetes/checks/test_RbacControlWebhooks.py diff --git a/checkov/kubernetes/checks/resource/base_rbac_check.py b/checkov/kubernetes/checks/resource/base_rbac_check.py new file mode 100644 index 00000000000..ad6dc3576be --- /dev/null +++ b/checkov/kubernetes/checks/resource/base_rbac_check.py @@ -0,0 +1,83 @@ +from checkov.kubernetes.checks.resource.base_spec_check import BaseK8Check +from checkov.common.models.enums import CheckCategories, CheckResult +from typing import Dict, Any, List + + +class RbacOperation(): + """ + A collection of RBAC permissions that permit a certain operation within Kubernetes. + For example, the RbacOperation below denotes a write operation on admission webhooks. + control_webhooks = RbacOperation( + apigroups=["admissionregistration.k8s.io"], + verbs=["create", "update", "patch"], + resources=["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]) + Rules matching an apiGroup, verb and resource should be able to perform the operation. + """ + def __init__(self, apigroups: List[str], verbs: List[str], + resources: List[str]): + self.apigroups = apigroups + self.verbs = verbs + self.resources = resources + + +class BaseRbacK8sCheck(BaseK8Check): + """ + Base class for checks that evaluate RBAC permissions in Roles and ClusterRoles + """ + def __init__(self, name, id, supported_entities=None): + if supported_entities is None: + supported_entities = ["Role", "ClusterRole"] + categories = [CheckCategories.KUBERNETES] + super().__init__(name=name, id=id, categories=categories, supported_entities=supported_entities) + # A role that grants *ALL* the RbacOperation in failing_operations fails this check + self.failing_operations: RbacOperation = [] + + def scan_spec_conf(self, conf): + rules = conf.get("rules") + if rules and isinstance(rules, list): + for operation in self.failing_operations: + # if one operation can't be found, check passes + if not any(self.rule_can(rule, operation) for rule in rules): + return CheckResult.PASSED + # all operations were found, therefore the check fails + return CheckResult.FAILED + + return CheckResult.PASSED + + # Check if a rule has an apigroup, verb, and resource specified in @operation + def rule_can(self, rule: Dict[str, Any], operation: RbacOperation) -> bool: + return self.apigroup_or_wildcard(rule, operation.apigroups) and \ + self.verb_or_wildcard(rule, operation.verbs) and \ + self.resource_or_wildcard(rule, operation.resources) + + def apigroup_or_wildcard(self, rule: Dict[str, Any], apigroups: List[str]) -> bool: + return self.value_or_wildcard(rule, "apiGroups", apigroups) + + def verb_or_wildcard(self, rule: Dict[str, Any], verbs: List[str]) -> bool: + return self.value_or_wildcard(rule, "verbs", verbs) + + def resource_or_wildcard(self, rule: Dict[str, Any], resources: List[str]) -> bool: + if "resources" in rule: + for granted_resource in rule["resources"]: + if self.is_wildcard(granted_resource): + return True + for failing_resource in resources: + if granted_resource == failing_resource: + return True + # Check for '*/subresource' syntax + if "/" in failing_resource and "/" in granted_resource: + if granted_resource == "*/" + failing_resource.split("/")[1]: + return True + return False + + # Check if rule has a key with a wildcard or a value from @value_list + def value_or_wildcard(self, rule: Dict[str, Any], key: str, value_list: List[str]) -> bool: + if key in rule: + for value in rule[key]: + if self.is_wildcard(value) or value in value_list: + return True + return False + + # Check if value is a K8s RBAC wildcard + def is_wildcard(self, value: str) -> bool: + return value == "*" or value == "*/*" diff --git a/checkov/kubernetes/checks/resource/k8s/RbacApproveCertificateSigningRequests.py b/checkov/kubernetes/checks/resource/k8s/RbacApproveCertificateSigningRequests.py new file mode 100644 index 00000000000..dd38227d562 --- /dev/null +++ b/checkov/kubernetes/checks/resource/k8s/RbacApproveCertificateSigningRequests.py @@ -0,0 +1,26 @@ +from checkov.kubernetes.checks.resource.base_rbac_check import BaseRbacK8sCheck, RbacOperation + + +class RbacApproveCertificateSigningRequests(BaseRbacK8sCheck): + def __init__(self): + name = "Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests" + id = "CKV_K8S_156" + supported_entities = ["ClusterRole"] + super().__init__(name=name, id=id, supported_entities=supported_entities) + + # See https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/ + self.failing_operations = [ + RbacOperation( + apigroups=["certificates.k8s.io"], + verbs=["update", "patch"], + resources=["certificatesigningrequests/approval"] + ), + RbacOperation( + apigroups=["certificates.k8s.io"], + verbs=["approve"], + resources=["signers"] + ), + ] + + +check = RbacApproveCertificateSigningRequests() diff --git a/checkov/kubernetes/checks/resource/k8s/RbacControlWebhooks.py b/checkov/kubernetes/checks/resource/k8s/RbacControlWebhooks.py new file mode 100644 index 00000000000..a6a7b4b3fa3 --- /dev/null +++ b/checkov/kubernetes/checks/resource/k8s/RbacControlWebhooks.py @@ -0,0 +1,20 @@ +from checkov.kubernetes.checks.resource.base_rbac_check import BaseRbacK8sCheck, RbacOperation + + +class RbacControlWebhooks(BaseRbacK8sCheck): + def __init__(self): + name = "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations" + id = "CKV_K8S_155" + supported_entities = ["ClusterRole"] + super().__init__(name=name, id=id, supported_entities=supported_entities) + + self.failing_operations = [ + RbacOperation( + apigroups=["admissionregistration.k8s.io"], + verbs=["create", "update", "patch"], + resources=["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + ), + ] + + +check = RbacControlWebhooks() diff --git a/tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-failed-1.yaml b/tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-failed-1.yaml new file mode 100644 index 00000000000..a4fec7a27f8 --- /dev/null +++ b/tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-failed-1.yaml @@ -0,0 +1,13 @@ +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: test-should-fail-1 + namespace: test +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests/approval"] + verbs: ["update", "get"] +- apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + verbs: ["approve"] \ No newline at end of file diff --git a/tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-failed-2.yaml b/tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-failed-2.yaml new file mode 100644 index 00000000000..9a068529d62 --- /dev/null +++ b/tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-failed-2.yaml @@ -0,0 +1,10 @@ +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: test-should-fail-2 + namespace: test +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["*/*"] + verbs: ["*"] \ No newline at end of file diff --git a/tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-failed-3.yaml b/tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-failed-3.yaml new file mode 100644 index 00000000000..70c7c0b848e --- /dev/null +++ b/tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-failed-3.yaml @@ -0,0 +1,13 @@ +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: test-should-fail-3 + namespace: test +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["*"] + verbs: ["approve"] +- apiGroups: ["certificates.k8s.io"] + resources: ["*/approval"] + verbs: ["update"] \ No newline at end of file diff --git a/tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-passed-1.yaml b/tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-passed-1.yaml new file mode 100644 index 00000000000..4b33593aac8 --- /dev/null +++ b/tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-passed-1.yaml @@ -0,0 +1,13 @@ +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: test-should-pass-1 + namespace: test +rules: +- apiGroups: ["*"] + resources: ["*"] + verbs: ["approve"] +- apiGroups: ["*"] + resources: ["pods"] + verbs: ["update", "patch", "get"] \ No newline at end of file diff --git a/tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-passed-2.yaml b/tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-passed-2.yaml new file mode 100644 index 00000000000..29bb47ddeb4 --- /dev/null +++ b/tests/kubernetes/checks/example_RbacApproveCertificateSigningRequests/clusterrole-passed-2.yaml @@ -0,0 +1,10 @@ +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: test-should-pass-2 + namespace: test +rules: +- apiGroups: ["", "extensions", "apps"] + resources: ["*"] + verbs: [""] \ No newline at end of file diff --git a/tests/kubernetes/checks/example_RbacControlWebhooks/clusterrole-failed-1.yaml b/tests/kubernetes/checks/example_RbacControlWebhooks/clusterrole-failed-1.yaml new file mode 100644 index 00000000000..67a2df74643 --- /dev/null +++ b/tests/kubernetes/checks/example_RbacControlWebhooks/clusterrole-failed-1.yaml @@ -0,0 +1,13 @@ +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: test-should-fail-1 + namespace: test +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["create", "list"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["get"] diff --git a/tests/kubernetes/checks/example_RbacControlWebhooks/clusterrole-failed-2.yaml b/tests/kubernetes/checks/example_RbacControlWebhooks/clusterrole-failed-2.yaml new file mode 100644 index 00000000000..4594808e804 --- /dev/null +++ b/tests/kubernetes/checks/example_RbacControlWebhooks/clusterrole-failed-2.yaml @@ -0,0 +1,10 @@ +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: test-should-fail-2 + namespace: test +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["patch"] \ No newline at end of file diff --git a/tests/kubernetes/checks/example_RbacControlWebhooks/clusterrole-passed-1.yaml b/tests/kubernetes/checks/example_RbacControlWebhooks/clusterrole-passed-1.yaml new file mode 100644 index 00000000000..101c19dba70 --- /dev/null +++ b/tests/kubernetes/checks/example_RbacControlWebhooks/clusterrole-passed-1.yaml @@ -0,0 +1,10 @@ +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: test-should-pass-1 + namespace: test +rules: +- apiGroups: ["*"] + resources: ["*"] + verbs: ["get"] \ No newline at end of file diff --git a/tests/kubernetes/checks/example_RbacControlWebhooks/clusterrole-passed-2.yaml b/tests/kubernetes/checks/example_RbacControlWebhooks/clusterrole-passed-2.yaml new file mode 100644 index 00000000000..521ac0a2f48 --- /dev/null +++ b/tests/kubernetes/checks/example_RbacControlWebhooks/clusterrole-passed-2.yaml @@ -0,0 +1,10 @@ +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: test-should-pass-2 + namespace: test +rules: +- apiGroups: ["*"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch"] \ No newline at end of file diff --git a/tests/kubernetes/checks/test_RbacApproveCertificateSigningRequests.py b/tests/kubernetes/checks/test_RbacApproveCertificateSigningRequests.py new file mode 100644 index 00000000000..ccfd020b3c7 --- /dev/null +++ b/tests/kubernetes/checks/test_RbacApproveCertificateSigningRequests.py @@ -0,0 +1,42 @@ +import os +import unittest + +from checkov.kubernetes.checks.resource.k8s.RbacApproveCertificateSigningRequests import check +from checkov.kubernetes.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestRbacApproveCertificateSigningRequests(unittest.TestCase): + + def test_summary(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = current_dir + "/example_RbacApproveCertificateSigningRequests" + report = runner.run(root_folder=test_files_dir,runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + 'ClusterRole.test.test-should-pass-1', + 'ClusterRole.test.test-should-pass-2' + } + failing_resources = { + 'ClusterRole.test.test-should-fail-1', + 'ClusterRole.test.test-should-fail-2', + 'ClusterRole.test.test-should-fail-3' + } + + self.assertEqual(summary['passed'], 2) + self.assertEqual(summary['failed'], 3) + self.assertEqual(summary['skipped'], 0) + self.assertEqual(summary['parsing_errors'], 0) + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == '__main__': + unittest.main() diff --git a/tests/kubernetes/checks/test_RbacControlWebhooks.py b/tests/kubernetes/checks/test_RbacControlWebhooks.py new file mode 100644 index 00000000000..3a471157e27 --- /dev/null +++ b/tests/kubernetes/checks/test_RbacControlWebhooks.py @@ -0,0 +1,41 @@ +import os +import unittest + +from checkov.kubernetes.checks.resource.k8s.RbacControlWebhooks import check +from checkov.kubernetes.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestRbacControlWebhooks(unittest.TestCase): + + def test_summary(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = current_dir + "/example_RbacControlWebhooks" + report = runner.run(root_folder=test_files_dir,runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + 'ClusterRole.test.test-should-pass-1', + 'ClusterRole.test.test-should-pass-2', + } + failing_resources = { + 'ClusterRole.test.test-should-fail-1', + 'ClusterRole.test.test-should-fail-2' + } + + self.assertEqual(summary['passed'], 2) + self.assertEqual(summary['failed'], 2) + self.assertEqual(summary['skipped'], 0) + self.assertEqual(summary['parsing_errors'], 0) + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == '__main__': + unittest.main() From ea9b4e9b0aaced27e2e0f56d98c106d6a8af8718 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anton=20Gr=C3=BCbel?= Date: Tue, 12 Apr 2022 19:12:23 +0000 Subject: [PATCH 20/26] Merge 77584f0a117639b9fbd76cb178950d688c5d7409 into c024eb1c42782167357e9c9dbc275470e3f8f35b --- docs/5.Policy Index/all.md | 3971 +++++++++++++++-------------- docs/5.Policy Index/kubernetes.md | 2 + docs/5.Policy Index/terraform.md | 1731 ++++++------- 3 files changed, 2855 insertions(+), 2849 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 3c4452429cb..8070b7b33ef 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -33,1990 +33,1993 @@ nav_order: 1 | 22 | CKV_ALI_23 | resource | alicloud_ram_account_password_policy | Ensure Ram Account Password Policy Max Login Attempts not > 5 | Terraform | | 23 | CKV_ALI_24 | resource | alicloud_ram_account_password_policy | Ensure Ram Account Password Policy Max Age less than/equal to 90 days | Terraform | | 24 | CKV_ALI_25 | resource | alicloud_db_instance | Ensure RDS Instance SQL Collector Retention Period should be greater than 180 | Terraform | -| 25 | CKV_AWS_1 | data | aws_iam_policy_document | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 26 | CKV_AWS_1 | resource | serverless_aws | Ensure IAM policies that allow full "*-*" administrative privileges are not created | serverless | -| 27 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 28 | CKV_AWS_2 | resource | aws_alb_listener | Ensure ALB protocol is HTTPS | Terraform | -| 29 | CKV_AWS_2 | resource | aws_lb_listener | Ensure ALB protocol is HTTPS | Terraform | -| 30 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 31 | CKV_AWS_3 | resource | aws_ebs_volume | Ensure all data stored in the EBS is securely encrypted | Terraform | -| 32 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 33 | CKV_AWS_5 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | -| 34 | CKV_AWS_5 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | -| 35 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 36 | CKV_AWS_6 | resource | aws_elasticsearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | -| 37 | CKV_AWS_6 | resource | aws_opensearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | -| 38 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 39 | CKV_AWS_7 | resource | aws_kms_key | Ensure rotation for customer created CMKs is enabled | Terraform | -| 40 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 41 | CKV_AWS_8 | resource | aws_instance | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | -| 42 | CKV_AWS_8 | resource | aws_launch_configuration | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | -| 43 | CKV_AWS_9 | resource | aws_iam_account_password_policy | Ensure IAM password policy expires passwords within 90 days or less | Terraform | -| 44 | CKV_AWS_10 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires minimum length of 14 or greater | Terraform | -| 45 | CKV_AWS_11 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one lowercase letter | Terraform | -| 46 | CKV_AWS_12 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one number | Terraform | -| 47 | CKV_AWS_13 | resource | aws_iam_account_password_policy | Ensure IAM password policy prevents password reuse | Terraform | -| 48 | CKV_AWS_14 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one symbol | Terraform | -| 49 | CKV_AWS_15 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one uppercase letter | Terraform | -| 50 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 51 | CKV_AWS_16 | resource | aws_db_instance | Ensure all data stored in the RDS is securely encrypted at rest | Terraform | -| 52 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 53 | CKV_AWS_17 | resource | aws_db_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | -| 54 | CKV_AWS_17 | resource | aws_rds_cluster_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | -| 55 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 56 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform | -| 57 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 58 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | -| 59 | CKV_AWS_19 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | -| 60 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 61 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. | Terraform | -| 62 | CKV_AWS_20 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public READ access. | Terraform | -| 63 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 64 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | -| 65 | CKV_AWS_21 | resource | aws_s3_bucket_versioning | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | -| 66 | CKV_AWS_22 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Notebook is encrypted at rest using KMS CMK | Terraform | -| 67 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 68 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 69 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 70 | CKV_AWS_23 | resource | aws_db_security_group | Ensure every security groups rule has a description | Terraform | -| 71 | CKV_AWS_23 | resource | aws_elasticache_security_group | Ensure every security groups rule has a description | Terraform | -| 72 | CKV_AWS_23 | resource | aws_redshift_security_group | Ensure every security groups rule has a description | Terraform | -| 73 | CKV_AWS_23 | resource | aws_security_group | Ensure every security groups rule has a description | Terraform | -| 74 | CKV_AWS_23 | resource | aws_security_group_rule | Ensure every security groups rule has a description | Terraform | -| 75 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 76 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 77 | CKV_AWS_24 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | -| 78 | CKV_AWS_24 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | -| 79 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 80 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 81 | CKV_AWS_25 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | -| 82 | CKV_AWS_25 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | -| 83 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 84 | CKV_AWS_26 | resource | aws_sns_topic | Ensure all data stored in the SNS topic is encrypted | Terraform | -| 85 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 86 | CKV_AWS_27 | resource | aws_sqs_queue | Ensure all data stored in the SQS queue is encrypted | Terraform | -| 87 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 88 | CKV_AWS_28 | resource | aws_dynamodb_table | Ensure Dynamodb point in time recovery (backup) is enabled | Terraform | -| 89 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 90 | CKV_AWS_29 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Terraform | -| 91 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 92 | CKV_AWS_30 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Terraform | -| 93 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 94 | CKV_AWS_31 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Terraform | -| 95 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 96 | CKV_AWS_32 | resource | aws_ecr_repository_policy | Ensure ECR policy is not set to public | Terraform | -| 97 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 98 | CKV_AWS_33 | resource | aws_kms_key | Ensure KMS key policy does not contain wildcard (*) principal | Terraform | -| 99 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 100 | CKV_AWS_34 | resource | aws_cloudfront_distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Terraform | -| 101 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 102 | CKV_AWS_35 | resource | aws_cloudtrail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Terraform | -| 103 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 104 | CKV_AWS_36 | resource | aws_cloudtrail | Ensure CloudTrail log file validation is enabled | Terraform | -| 105 | CKV_AWS_37 | resource | aws_eks_cluster | Ensure Amazon EKS control plane logging enabled for all log types | Terraform | -| 106 | CKV_AWS_38 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | Terraform | -| 107 | CKV_AWS_39 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint disabled | Terraform | -| 108 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 109 | CKV_AWS_40 | resource | aws_iam_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | -| 110 | CKV_AWS_40 | resource | aws_iam_user_policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | -| 111 | CKV_AWS_40 | resource | aws_iam_user_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | -| 112 | CKV_AWS_41 | provider | aws | Ensure no hard coded AWS access key and secret key exists in provider | Terraform | -| 113 | CKV_AWS_41 | resource | serverless_aws | Ensure no hard coded AWS access key and secret key exists in provider | serverless | -| 114 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 115 | CKV_AWS_42 | resource | aws_efs_file_system | Ensure EFS is securely encrypted | Terraform | -| 116 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 117 | CKV_AWS_43 | resource | aws_kinesis_stream | Ensure Kinesis Stream is securely encrypted | Terraform | -| 118 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 119 | CKV_AWS_44 | resource | aws_neptune_cluster | Ensure Neptune storage is securely encrypted | Terraform | -| 120 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 121 | CKV_AWS_45 | resource | AWS::Serverless::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 122 | CKV_AWS_45 | resource | aws_lambda_function | Ensure no hard-coded secrets exist in lambda environment | Terraform | -| 123 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 124 | CKV_AWS_46 | resource | aws_instance | Ensure no hard-coded secrets exist in EC2 user data | Terraform | -| 125 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 126 | CKV_AWS_47 | resource | aws_dax_cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Terraform | -| 127 | CKV_AWS_48 | resource | aws_mq_broker | Ensure MQ Broker logging is enabled | Terraform | -| 128 | CKV_AWS_49 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 129 | CKV_AWS_49 | resource | serverless_aws | Ensure no IAM policies documents allow "*" as a statement's actions | serverless | -| 130 | CKV_AWS_50 | resource | aws_lambda_function | X-ray tracing is enabled for Lambda | Terraform | -| 131 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 132 | CKV_AWS_51 | resource | aws_ecr_repository | Ensure ECR Image Tags are immutable | Terraform | -| 133 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 134 | CKV_AWS_53 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public ACLS enabled | Terraform | -| 135 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 136 | CKV_AWS_54 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public policy enabled | Terraform | -| 137 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 138 | CKV_AWS_55 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has ignore public ACLs enabled | Terraform | -| 139 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 140 | CKV_AWS_56 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has 'restrict_public_bucket' enabled | Terraform | -| 141 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 142 | CKV_AWS_57 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | -| 143 | CKV_AWS_57 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | -| 144 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 145 | CKV_AWS_58 | resource | aws_eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Terraform | -| 146 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 147 | CKV_AWS_59 | resource | aws_api_gateway_method | Ensure there is no open access to back-end resources through API | Terraform | -| 148 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 149 | CKV_AWS_60 | resource | aws_iam_role | Ensure IAM role allows only specific services or principals to assume it | Terraform | -| 150 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 151 | CKV_AWS_61 | resource | aws_iam_role | Ensure IAM role allows only specific principals in account to assume it | Terraform | -| 152 | CKV_AWS_62 | resource | AWS::IAM::Group | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | -| 153 | CKV_AWS_62 | resource | AWS::IAM::Policy | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | -| 154 | CKV_AWS_62 | resource | AWS::IAM::Role | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | -| 155 | CKV_AWS_62 | resource | AWS::IAM::User | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | -| 156 | CKV_AWS_62 | resource | aws_iam_group_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 157 | CKV_AWS_62 | resource | aws_iam_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 158 | CKV_AWS_62 | resource | aws_iam_role_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 159 | CKV_AWS_62 | resource | aws_iam_user_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 160 | CKV_AWS_62 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 161 | CKV_AWS_63 | resource | AWS::IAM::Group | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | -| 162 | CKV_AWS_63 | resource | AWS::IAM::Policy | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | -| 163 | CKV_AWS_63 | resource | AWS::IAM::Role | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | -| 164 | CKV_AWS_63 | resource | AWS::IAM::User | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | -| 165 | CKV_AWS_63 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 166 | CKV_AWS_63 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 167 | CKV_AWS_63 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 168 | CKV_AWS_63 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 169 | CKV_AWS_63 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 170 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 171 | CKV_AWS_64 | resource | aws_redshift_cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Terraform | -| 172 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 173 | CKV_AWS_65 | resource | aws_ecs_cluster | Ensure container insights are enabled on ECS cluster | Terraform | -| 174 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 175 | CKV_AWS_66 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group specifies retention days | Terraform | -| 176 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 177 | CKV_AWS_67 | resource | aws_cloudtrail | Ensure CloudTrail is enabled in all Regions | Terraform | -| 178 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 179 | CKV_AWS_68 | resource | aws_cloudfront_distribution | CloudFront Distribution should have WAF enabled | Terraform | -| 180 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 181 | CKV_AWS_69 | resource | aws_mq_broker | Ensure MQ Broker is not publicly exposed | Terraform | -| 182 | CKV_AWS_70 | resource | aws_s3_bucket | Ensure S3 bucket does not allow an action with any Principal | Terraform | -| 183 | CKV_AWS_70 | resource | aws_s3_bucket_policy | Ensure S3 bucket does not allow an action with any Principal | Terraform | -| 184 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 185 | CKV_AWS_71 | resource | aws_redshift_cluster | Ensure Redshift Cluster logging is enabled | Terraform | -| 186 | CKV_AWS_72 | resource | aws_sqs_queue_policy | Ensure SQS policy does not allow ALL (*) actions. | Terraform | -| 187 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 188 | CKV_AWS_73 | resource | AWS::Serverless::Api | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 189 | CKV_AWS_73 | resource | aws_api_gateway_stage | Ensure API Gateway has X-Ray Tracing enabled | Terraform | -| 190 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 191 | CKV_AWS_74 | resource | aws_docdb_cluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Terraform | -| 192 | CKV_AWS_75 | resource | aws_globalaccelerator_accelerator | Ensure Global Accelerator accelerator has flow logs enabled | Terraform | -| 193 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 194 | CKV_AWS_76 | resource | AWS::Serverless::Api | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 195 | CKV_AWS_76 | resource | aws_api_gateway_stage | Ensure API Gateway has Access Logging enabled | Terraform | -| 196 | CKV_AWS_76 | resource | aws_apigatewayv2_stage | Ensure API Gateway has Access Logging enabled | Terraform | -| 197 | CKV_AWS_77 | resource | aws_athena_database | Ensure Athena Database is encrypted at rest (default is unencrypted) | Terraform | -| 198 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 199 | CKV_AWS_78 | resource | aws_codebuild_project | Ensure that CodeBuild Project encryption is not disabled | Terraform | -| 200 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 201 | CKV_AWS_79 | resource | aws_instance | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | -| 202 | CKV_AWS_79 | resource | aws_launch_configuration | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | -| 203 | CKV_AWS_79 | resource | aws_launch_template | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | -| 204 | CKV_AWS_80 | resource | aws_msk_cluster | Ensure MSK Cluster logging is enabled | Terraform | -| 205 | CKV_AWS_81 | resource | aws_msk_cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Terraform | -| 206 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 207 | CKV_AWS_82 | resource | aws_athena_workgroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Terraform | -| 208 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 209 | CKV_AWS_83 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | -| 210 | CKV_AWS_83 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | -| 211 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 212 | CKV_AWS_84 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | -| 213 | CKV_AWS_84 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | -| 214 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 215 | CKV_AWS_85 | resource | aws_docdb_cluster | Ensure DocDB Logging is enabled | Terraform | -| 216 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 217 | CKV_AWS_86 | resource | aws_cloudfront_distribution | Ensure Cloudfront distribution has Access Logging enabled | Terraform | -| 218 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 219 | CKV_AWS_87 | resource | aws_redshift_cluster | Redshift cluster should not be publicly accessible | Terraform | -| 220 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 221 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 222 | CKV_AWS_88 | resource | aws_instance | EC2 instance should not have public IP. | Terraform | -| 223 | CKV_AWS_88 | resource | aws_launch_template | EC2 instance should not have public IP. | Terraform | -| 224 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 225 | CKV_AWS_89 | resource | aws_dms_replication_instance | DMS replication instance should not be publicly accessible | Terraform | -| 226 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 227 | CKV_AWS_90 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB TLS is not disabled | Terraform | -| 228 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 229 | CKV_AWS_91 | resource | aws_alb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | -| 230 | CKV_AWS_91 | resource | aws_lb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | -| 231 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 232 | CKV_AWS_92 | resource | aws_elb | Ensure the ELB has access logging enabled | Terraform | -| 233 | CKV_AWS_93 | resource | aws_s3_bucket | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | -| 234 | CKV_AWS_93 | resource | aws_s3_bucket_policy | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | -| 235 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 236 | CKV_AWS_94 | resource | aws_glue_data_catalog_encryption_settings | Ensure Glue Data Catalog Encryption is enabled | Terraform | -| 237 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 238 | CKV_AWS_95 | resource | AWS::Serverless::HttpApi | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 239 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurora is securely encrypted at rest | Cloudformation | -| 240 | CKV_AWS_96 | resource | aws_rds_cluster | Ensure all data stored in Aurora is securely encrypted at rest | Terraform | -| 241 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 242 | CKV_AWS_97 | resource | aws_ecs_task_definition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Terraform | -| 243 | CKV_AWS_98 | resource | aws_sagemaker_endpoint_configuration | Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest | Terraform | -| 244 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 245 | CKV_AWS_99 | resource | aws_glue_security_configuration | Ensure Glue Security Configuration Encryption is enabled | Terraform | -| 246 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implicit SSH access from 0.0.0.0/0 | Cloudformation | -| 247 | CKV_AWS_100 | resource | aws_eks_node_group | Ensure Amazon EKS Node group has implicit SSH access from 0.0.0.0/0 | Terraform | -| 248 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 249 | CKV_AWS_101 | resource | aws_neptune_cluster | Ensure Neptune logging is enabled | Terraform | -| 250 | CKV_AWS_102 | resource | aws_neptune_cluster_instance | Ensure Neptune Cluster instance is not publicly available | Terraform | -| 251 | CKV_AWS_103 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure that Application Load Balancer Listener is using TLS v1.2 | Cloudformation | -| 252 | CKV_AWS_103 | resource | aws_alb_listener | Ensure that load balancer is using TLS 1.2 | Terraform | -| 253 | CKV_AWS_103 | resource | aws_lb_listener | Ensure that load balancer is using TLS 1.2 | Terraform | -| 254 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 255 | CKV_AWS_104 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB has audit logs enabled | Terraform | -| 256 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 257 | CKV_AWS_105 | resource | aws_redshift_parameter_group | Ensure Redshift uses SSL | Terraform | -| 258 | CKV_AWS_106 | resource | aws_ebs_encryption_by_default | Ensure EBS default encryption is enabled | Terraform | -| 259 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 260 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 261 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 262 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 263 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 264 | CKV_AWS_107 | data | aws_iam_policy_document | Ensure IAM policies does not allow credentials exposure | Terraform | -| 265 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 266 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 267 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 268 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 269 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 270 | CKV_AWS_108 | data | aws_iam_policy_document | Ensure IAM policies does not allow data exfiltration | Terraform | -| 271 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 272 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 273 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 274 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 275 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 276 | CKV_AWS_109 | data | aws_iam_policy_document | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | -| 277 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 278 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 279 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 280 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 281 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 282 | CKV_AWS_110 | data | aws_iam_policy_document | Ensure IAM policies does not allow privilege escalation | Terraform | -| 283 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 284 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 285 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 286 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 287 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 288 | CKV_AWS_111 | data | aws_iam_policy_document | Ensure IAM policies does not allow write access without constraints | Terraform | -| 289 | CKV_AWS_112 | resource | aws_ssm_document | Ensure Session Manager data is encrypted in transit | Terraform | -| 290 | CKV_AWS_113 | resource | aws_ssm_document | Ensure Session Manager logs are enabled and encrypted | Terraform | -| 291 | CKV_AWS_114 | resource | aws_emr_cluster | Ensure that EMR clusters with Kerberos have Kerberos Realm set | Terraform | -| 292 | CKV_AWS_115 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Terraform | -| 293 | CKV_AWS_116 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | -| 294 | CKV_AWS_116 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | -| 295 | CKV_AWS_116 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Terraform | -| 296 | CKV_AWS_117 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured inside a VPC | Terraform | -| 297 | CKV_AWS_118 | resource | aws_db_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | -| 298 | CKV_AWS_118 | resource | aws_rds_cluster_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | -| 299 | CKV_AWS_119 | resource | AWS::DynamoDB::Table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Cloudformation | -| 300 | CKV_AWS_119 | resource | aws_dynamodb_table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Terraform | -| 301 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 302 | CKV_AWS_120 | resource | AWS::Serverless::Api | Ensure API Gateway caching is enabled | Cloudformation | -| 303 | CKV_AWS_120 | resource | aws_api_gateway_stage | Ensure API Gateway caching is enabled | Terraform | -| 304 | CKV_AWS_121 | resource | aws_config_configuration_aggregator | Ensure AWS Config is enabled in all regions | Terraform | -| 305 | CKV_AWS_122 | resource | aws_sagemaker_notebook_instance | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance | Terraform | -| 306 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 307 | CKV_AWS_123 | resource | aws_vpc_endpoint_service | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Terraform | -| 308 | CKV_AWS_124 | resource | aws_cloudformation_stack | Ensure that CloudFormation stacks are sending event notifications to an SNS topic | Terraform | -| 309 | CKV_AWS_126 | resource | aws_instance | Ensure that detailed monitoring is enabled for EC2 instances | Terraform | -| 310 | CKV_AWS_127 | resource | aws_elb | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager | Terraform | -| 311 | CKV_AWS_128 | resource | aws_rds_cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | Terraform | -| 312 | CKV_AWS_129 | resource | aws_db_instance | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled | Terraform | -| 313 | CKV_AWS_130 | resource | aws_subnet | Ensure VPC subnets do not assign public IP by default | Terraform | -| 314 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 315 | CKV_AWS_131 | resource | aws_alb | Ensure that ALB drops HTTP headers | Terraform | -| 316 | CKV_AWS_131 | resource | aws_lb | Ensure that ALB drops HTTP headers | Terraform | -| 317 | CKV_AWS_133 | resource | aws_db_instance | Ensure that RDS instances has backup policy | Terraform | -| 318 | CKV_AWS_133 | resource | aws_rds_cluster | Ensure that RDS instances has backup policy | Terraform | -| 319 | CKV_AWS_134 | resource | aws_elasticache_cluster | Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on | Terraform | -| 320 | CKV_AWS_135 | resource | aws_instance | Ensure that EC2 is EBS optimized | Terraform | -| 321 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 322 | CKV_AWS_136 | resource | aws_ecr_repository | Ensure that ECR repositories are encrypted using KMS | Terraform | -| 323 | CKV_AWS_137 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | -| 324 | CKV_AWS_137 | resource | aws_opensearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | -| 325 | CKV_AWS_138 | resource | aws_elb | Ensure that ELB is cross-zone-load-balancing enabled | Terraform | -| 326 | CKV_AWS_139 | resource | aws_rds_cluster | Ensure that RDS clusters have deletion protection enabled | Terraform | -| 327 | CKV_AWS_140 | resource | aws_rds_global_cluster | Ensure that RDS global clusters are encrypted | Terraform | -| 328 | CKV_AWS_141 | resource | aws_redshift_cluster | Ensured that redshift cluster allowing version upgrade by default | Terraform | -| 329 | CKV_AWS_142 | resource | aws_redshift_cluster | Ensure that Redshift cluster is encrypted by KMS | Terraform | -| 330 | CKV_AWS_143 | resource | aws_s3_bucket | Ensure that S3 bucket has lock configuration enabled by default | Terraform | -| 331 | CKV_AWS_144 | resource | aws_s3_bucket | Ensure that S3 bucket has cross-region replication enabled | Terraform | -| 332 | CKV_AWS_145 | resource | aws_s3_bucket | Ensure that S3 buckets are encrypted with KMS by default | Terraform | -| 333 | CKV_AWS_145 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure that S3 buckets are encrypted with KMS by default | Terraform | -| 334 | CKV_AWS_146 | resource | aws_db_cluster_snapshot | Ensure that RDS database cluster snapshot is encrypted | Terraform | -| 335 | CKV_AWS_147 | resource | aws_codebuild_project | Ensure that CodeBuild projects are encrypted | Terraform | -| 336 | CKV_AWS_148 | resource | aws_default_vpc | Ensure no default VPC is planned to be provisioned | Terraform | -| 337 | CKV_AWS_149 | resource | AWS::SecretsManager::Secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Cloudformation | -| 338 | CKV_AWS_149 | resource | aws_secretsmanager_secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Terraform | -| 339 | CKV_AWS_150 | resource | aws_alb | Ensure that Load Balancer has deletion protection enabled | Terraform | -| 340 | CKV_AWS_150 | resource | aws_lb | Ensure that Load Balancer has deletion protection enabled | Terraform | -| 341 | CKV_AWS_152 | resource | aws_alb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | -| 342 | CKV_AWS_152 | resource | aws_lb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | -| 343 | CKV_AWS_153 | resource | aws_autoscaling_group | Autoscaling groups should supply tags to launch configurations | Terraform | -| 344 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 345 | CKV_AWS_154 | resource | aws_redshift_cluster | Ensure Redshift is not deployed outside of a VPC | Terraform | -| 346 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 347 | CKV_AWS_155 | resource | aws_workspaces_workspace | Ensure that Workspace user volumes are encrypted | Terraform | -| 348 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 349 | CKV_AWS_156 | resource | aws_workspaces_workspace | Ensure that Workspace root volumes are encrypted | Terraform | -| 350 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 351 | CKV_AWS_157 | resource | aws_db_instance | Ensure that RDS instances have Multi-AZ enabled | Terraform | -| 352 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 353 | CKV_AWS_158 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group is encrypted by KMS | Terraform | -| 354 | CKV_AWS_159 | resource | aws_athena_workgroup | Ensure that Athena Workgroup is encrypted | Terraform | -| 355 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 356 | CKV_AWS_160 | resource | aws_timestreamwrite_database | Ensure that Timestream database is encrypted with KMS CMK | Terraform | -| 357 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 358 | CKV_AWS_161 | resource | aws_db_instance | Ensure RDS database has IAM authentication enabled | Terraform | -| 359 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 360 | CKV_AWS_162 | resource | aws_rds_cluster | Ensure RDS cluster has IAM authentication enabled | Terraform | -| 361 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 362 | CKV_AWS_163 | resource | aws_ecr_repository | Ensure ECR image scanning on push is enabled | Terraform | -| 363 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 364 | CKV_AWS_164 | resource | aws_transfer_server | Ensure Transfer Server is not exposed publicly. | Terraform | -| 365 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 366 | CKV_AWS_165 | resource | aws_dynamodb_global_table | Ensure Dynamodb point in time recovery (backup) is enabled for global tables | Terraform | -| 367 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 368 | CKV_AWS_166 | resource | aws_backup_vault | Ensure Backup Vault is encrypted at rest using KMS CMK | Terraform | -| 369 | CKV_AWS_167 | resource | aws_glacier_vault | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it | Terraform | -| 370 | CKV_AWS_168 | resource | aws_sqs_queue | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | -| 371 | CKV_AWS_168 | resource | aws_sqs_queue_policy | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | -| 372 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform | -| 373 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 374 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | -| 375 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | -| 376 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | -| 377 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | -| 378 | CKV_AWS_173 | resource | AWS::Lambda::Function | Check encryption settings for Lambda environmental variable | Cloudformation | -| 379 | CKV_AWS_173 | resource | AWS::Serverless::Function | Check encryption settings for Lambda environmental variable | Cloudformation | -| 380 | CKV_AWS_173 | resource | aws_lambda_function | Check encryption settings for Lambda environmental variable | Terraform | -| 381 | CKV_AWS_174 | resource | AWS::CloudFront::Distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Cloudformation | -| 382 | CKV_AWS_174 | resource | aws_cloudfront_distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Terraform | -| 383 | CKV_AWS_175 | resource | aws_waf_web_acl | Ensure WAF has associated rules | Terraform | -| 384 | CKV_AWS_175 | resource | aws_wafregional_web_acl | Ensure WAF has associated rules | Terraform | -| 385 | CKV_AWS_175 | resource | aws_wafv2_web_acl | Ensure WAF has associated rules | Terraform | -| 386 | CKV_AWS_176 | resource | aws_waf_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | -| 387 | CKV_AWS_176 | resource | aws_wafregional_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | -| 388 | CKV_AWS_177 | resource | aws_kinesis_video_stream | Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 389 | CKV_AWS_178 | resource | aws_fsx_ontap_file_system | Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 390 | CKV_AWS_179 | resource | aws_fsx_windows_file_system | Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 391 | CKV_AWS_180 | resource | aws_imagebuilder_component | Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 392 | CKV_AWS_181 | resource | aws_s3_object_copy | Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 393 | CKV_AWS_182 | resource | aws_docdb_cluster | Ensure Doc DB is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 394 | CKV_AWS_183 | resource | aws_ebs_snapshot_copy | Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 395 | CKV_AWS_184 | resource | aws_efs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 396 | CKV_AWS_185 | resource | aws_kinesis_stream | Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 397 | CKV_AWS_186 | resource | aws_s3_bucket_object | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 398 | CKV_AWS_187 | resource | aws_sagemaker_domain | Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 399 | CKV_AWS_188 | resource | aws_redshift_cluster | Ensure RedShift Cluster is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 400 | CKV_AWS_189 | resource | aws_ebs_volume | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 401 | CKV_AWS_190 | resource | aws_fsx_lustre_file_system | Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 402 | CKV_AWS_191 | resource | aws_elasticache_replication_group | Ensure Elasticache replication group is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 403 | CKV_AWS_192 | resource | AWS::WAFv2::WebACL | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Cloudformation | -| 404 | CKV_AWS_192 | resource | aws_wafv2_web_acl | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | -| 405 | CKV_AWS_193 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Logging enabled | Cloudformation | -| 406 | CKV_AWS_193 | resource | aws_appsync_graphql_api | Ensure AppSync has Logging enabled | Terraform | -| 407 | CKV_AWS_194 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Field-Level logs enabled | Cloudformation | -| 408 | CKV_AWS_194 | resource | aws_appsync_graphql_api | Ensure AppSync has Field-Level logs enabled | Terraform | -| 409 | CKV_AWS_195 | resource | AWS::Glue::Crawler | Ensure Glue component has a security configuration associated | Cloudformation | -| 410 | CKV_AWS_195 | resource | AWS::Glue::DevEndpoint | Ensure Glue component has a security configuration associated | Cloudformation | -| 411 | CKV_AWS_195 | resource | AWS::Glue::Job | Ensure Glue component has a security configuration associated | Cloudformation | -| 412 | CKV_AWS_195 | resource | aws_glue_crawler | Ensure Glue component has a security configuration associated | Terraform | -| 413 | CKV_AWS_195 | resource | aws_glue_dev_endpoint | Ensure Glue component has a security configuration associated | Terraform | -| 414 | CKV_AWS_195 | resource | aws_glue_job | Ensure Glue component has a security configuration associated | Terraform | -| 415 | CKV_AWS_196 | resource | aws_elasticache_security_group | Ensure no aws_elasticache_security_group resources exist | Terraform | -| 416 | CKV_AWS_197 | resource | aws_mq_broker | Ensure MQ Broker Audit logging is enabled | Terraform | -| 417 | CKV_AWS_198 | resource | aws_db_security_group | Ensure no aws_db_security_group resources exist | Terraform | -| 418 | CKV_AWS_199 | resource | aws_imagebuilder_distribution_configuration | Ensure Image Builder Distribution Configuration encrypts AMI's using KMS - a customer managed Key (CMK) | Terraform | -| 419 | CKV_AWS_200 | resource | aws_imagebuilder_image_recipe | Ensure that Image Recipe EBS Disk are encrypted with CMK | Terraform | -| 420 | CKV_AWS_201 | resource | aws_memorydb_cluster | Ensure MemoryDB is encrypted at rest using KMS CMKs | Terraform | -| 421 | CKV_AWS_202 | resource | aws_memorydb_cluster | Ensure MemoryDB data is encrypted in transit | Terraform | -| 422 | CKV_AWS_203 | resource | aws_fsx_openzfs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 423 | CKV_AWS_204 | resource | aws_ami | Ensure AMIs are encrypted using KMS CMKs | Terraform | -| 424 | CKV_AWS_205 | resource | aws_ami_launch_permission | Ensure to Limit AMI launch Permissions | Terraform | -| 425 | CKV_AWS_206 | resource | aws_api_gateway_domain_name | Ensure API Gateway Domain uses a modern security Policy | Terraform | -| 426 | CKV_AWS_207 | resource | aws_mq_broker | Ensure MQ Broker minor version updates are enabled | Terraform | -| 427 | CKV_AWS_208 | resource | aws_mq_broker | Ensure MQBroker version is current | Terraform | -| 428 | CKV_AWS_208 | resource | aws_mq_configuration | Ensure MQBroker version is current | Terraform | -| 429 | CKV_AWS_209 | resource | aws_mq_broker | Ensure MQ broker encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 430 | CKV_AWS_210 | resource | aws_batch_job_definition | Batch job does not define a privileged container | Terraform | -| 431 | CKV_AWS_211 | resource | aws_db_instance | Ensure RDS uses a modern CaCert | Terraform | -| 432 | CKV_AWS_212 | resource | aws_dms_replication_instance | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 433 | CKV_AWS_213 | resource | aws_load_balancer_policy | Ensure ELB Policy uses only secure protocols | Terraform | -| 434 | CKV_AWS_214 | resource | aws_appsync_api_cache | Ensure Appsync API Cache is encrypted at rest | Terraform | -| 435 | CKV_AWS_215 | resource | aws_appsync_api_cache | Ensure Appsync API Cache is encrypted in transit | Terraform | -| 436 | CKV_AWS_216 | resource | aws_cloudfront_distribution | Ensure Cloudfront distribution is enabled | Terraform | -| 437 | CKV_AWS_217 | resource | aws_api_gateway_deployment | Ensure Create before destroy for API deployments | Terraform | -| 438 | CKV_AWS_218 | resource | aws_cloudsearch_domain | Ensure that Cloudsearch is using latest TLS | Terraform | -| 439 | CKV_AWS_219 | resource | aws_codepipeline | Ensure Code Pipeline Artifact store is using a KMS CMK | Terraform | -| 440 | CKV_AWS_220 | resource | aws_cloudsearch_domain | Ensure that Cloudsearch is using https | Terraform | -| 441 | CKV_AWS_221 | resource | aws_codeartifact_domain | Ensure Code artifact Domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 442 | CKV_AWS_222 | resource | aws_dms_replication_instance | Ensure DMS instance gets all minor upgrade automatically | Terraform | -| 443 | CKV_AWS_223 | resource | aws_ecs_cluster | Ensure ECS Cluster enables logging of ECS Exec | Terraform | -| 444 | CKV_AWS_224 | resource | aws_ecs_cluster | Ensure Cluster logging with CMK | Terraform | -| 445 | CKV_AWS_225 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is enabled | Terraform | -| 446 | CKV_AWS_226 | resource | aws_db_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | -| 447 | CKV_AWS_226 | resource | aws_rds_cluster_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | -| 448 | CKV_AWS_227 | resource | aws_kms_key | Ensure KMS key is enabled | Terraform | -| 449 | CKV_AWS_228 | resource | aws_elasticsearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | -| 450 | CKV_AWS_228 | resource | aws_opensearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | -| 451 | CKV_AWS_229 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | -| 452 | CKV_AWS_229 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | -| 453 | CKV_AWS_230 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | -| 454 | CKV_AWS_230 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | -| 455 | CKV_AWS_231 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | -| 456 | CKV_AWS_231 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | -| 457 | CKV_AWS_232 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | -| 458 | CKV_AWS_232 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | -| 459 | CKV_AWS_233 | resource | aws_acm_certificate | Ensure Create before destroy for ACM certificates | Terraform | -| 460 | CKV_AWS_234 | resource | aws_acm_certificate | Verify logging preference for ACM certificates | Terraform | -| 461 | CKV_AWS_235 | resource | aws_ami_copy | Ensure that copied AMIs are encrypted | Terraform | -| 462 | CKV_AWS_236 | resource | aws_ami_copy | Ensure AMI copying uses a CMK | Terraform | -| 463 | CKV_AWS_237 | resource | aws_api_gateway_rest_api | Ensure Create before destroy for API GATEWAY | Terraform | -| 464 | CKV_AWS_238 | resource | aws_guardduty_detector | Ensure that Guard Duty detector is enabled | Terraform | -| 465 | CKV_AWS_239 | resource | aws_dax_cluster | Ensure DAX cluster endpoint is using TLS | Terraform | -| 466 | CKV_AWS_240 | resource | aws_kinesis_firehose_delivery_stream | Ensure Kinesis Firehose delivery stream is encrypted | Terraform | -| 467 | CKV_AWS_241 | resource | aws_kinesis_firehose_delivery_stream | Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK | Terraform | -| 468 | CKV_AWS_242 | resource | aws_mwaa_environment | Ensure MWAA environment has scheduler logs enabled | Terraform | -| 469 | CKV_AWS_243 | resource | aws_mwaa_environment | Ensure MWAA environment has worker logs enabled | Terraform | -| 470 | CKV_AWS_244 | resource | aws_mwaa_environment | Ensure MWAA environment has webserver logs enabled | Terraform | -| 471 | CKV_AWS_245 | resource | aws_db_instance_automated_backups_replication | Ensure replicated backups are encrypted at rest using KMS CMKs | Terraform | -| 472 | CKV_AWS_246 | resource | aws_rds_cluster_activity_stream | Ensure RDS Cluster activity streams are encrypted using KMS CMKs | Terraform | -| 473 | CKV_AWS_247 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | -| 474 | CKV_AWS_247 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | -| 475 | CKV_AWS_248 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | -| 476 | CKV_AWS_248 | resource | aws_opensearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | -| 477 | CKV_AWS_249 | resource | aws_ecs_task_definition | Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions | Terraform | -| 478 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 479 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 480 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 481 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 482 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 483 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 484 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 485 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 486 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to another resource | Terraform | -| 487 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 488 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 489 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 490 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 491 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | -| 492 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | -| 493 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | -| 494 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 495 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 496 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 497 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 498 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 499 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 500 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 501 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 502 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 503 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 504 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 505 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 506 | CKV2_AWS_20 | resource | aws_alb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 507 | CKV2_AWS_20 | resource | aws_alb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 508 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 509 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 510 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | -| 511 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | -| 512 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 513 | CKV2_AWS_27 | resource | aws_rds_cluster | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | -| 514 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | -| 515 | CKV2_AWS_28 | resource | aws_alb | Ensure public facing ALB are protected by WAF | Terraform | -| 516 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 517 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | -| 518 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | -| 519 | CKV2_AWS_30 | resource | aws_db_instance | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | -| 520 | CKV2_AWS_30 | resource | aws_db_parameter_group | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | -| 521 | CKV2_AWS_31 | resource | aws_wafv2_web_acl | Ensure WAF2 has a Logging Configuration | Terraform | -| 522 | CKV2_AWS_32 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a strict security headers policy attached | Terraform | -| 523 | CKV2_AWS_32 | resource | aws_cloudfront_response_headers_policy | Ensure CloudFront distribution has a strict security headers policy attached | Terraform | -| 524 | CKV2_AWS_33 | resource | aws_appsync_graphql_api | Ensure AppSync is protected by WAF | Terraform | -| 525 | CKV2_AWS_34 | resource | aws_ssm_parameter | AWS SSM Parameter should be Encrypted | Terraform | -| 526 | CKV2_AWS_35 | resource | aws_route | AWS NAT Gateways should be utilized for the default route | Terraform | -| 527 | CKV2_AWS_35 | resource | aws_route_table | AWS NAT Gateways should be utilized for the default route | Terraform | -| 528 | CKV2_AWS_36 | resource | aws_ssm_parameter | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | -| 529 | CKV2_AWS_36 | resource | data.http | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | -| 530 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | -| 531 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Bicep | -| 532 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | -| 533 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | -| 534 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm | -| 535 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | Bicep | -| 536 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | -| 537 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm | -| 538 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | Bicep | -| 539 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'Secure transfer required' is set to 'Enabled' | Terraform | -| 540 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm | -| 541 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | Bicep | -| 542 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | -| 543 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm | -| 544 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | Bicep | -| 545 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | -| 546 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | arm | -| 547 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | Bicep | -| 548 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | -| 549 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm | -| 550 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | Bicep | -| 551 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | -| 552 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm | -| 553 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | Bicep | -| 554 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kubernetes Dashboard is disabled | Terraform | -| 555 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm | -| 556 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | Bicep | -| 557 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm | -| 558 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | Bicep | -| 559 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | -| 560 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | -| 561 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm | -| 562 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | Bicep | -| 563 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm | -| 564 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | Bicep | -| 565 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | -| 566 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | -| 567 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm | -| 568 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Bicep | -| 569 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 570 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 571 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 572 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 573 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | -| 574 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | -| 575 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | -| 576 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | -| 577 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | -| 578 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | -| 579 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | -| 580 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | -| 581 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | -| 582 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm | -| 583 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | Bicep | -| 584 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | -| 585 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm | -| 586 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | Bicep | -| 587 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm | -| 588 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Bicep | -| 589 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | -| 590 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm | -| 591 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | Bicep | -| 592 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | -| 593 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm | -| 594 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | Bicep | -| 595 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | -| 596 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm | -| 597 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Bicep | -| 598 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | -| 599 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm | -| 600 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | Bicep | -| 601 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | -| 602 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm | -| 603 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | Bicep | -| 604 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | -| 605 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm | -| 606 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | Bicep | -| 607 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | -| 608 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | -| 609 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | -| 610 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | -| 611 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | -| 612 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | -| 613 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | -| 614 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | -| 615 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | -| 616 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | -| 617 | CKV_AZURE_23 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | -| 618 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | -| 619 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | arm | -| 620 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Bicep | -| 621 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | -| 622 | CKV_AZURE_24 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | -| 623 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | -| 624 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | arm | -| 625 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | Bicep | -| 626 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | -| 627 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm | -| 628 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Bicep | -| 629 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | -| 630 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | arm | -| 631 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Bicep | -| 632 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | -| 633 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm | -| 634 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Bicep | -| 635 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | -| 636 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | arm | -| 637 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Bicep | -| 638 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | -| 639 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | -| 640 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | -| 641 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 642 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | -| 643 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | -| 644 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | -| 645 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | -| 646 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 647 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | -| 648 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | -| 649 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | -| 650 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | -| 651 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 652 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | -| 653 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | -| 654 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm | -| 655 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Bicep | -| 656 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | -| 657 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | -| 658 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | -| 659 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | -| 660 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | -| 661 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | -| 662 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | arm | -| 663 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | -| 664 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm | -| 665 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | Bicep | -| 666 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | -| 667 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | -| 668 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm | -| 669 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Bicep | -| 670 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | -| 671 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | -| 672 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | -| 673 | CKV_AZURE_37 | resource | microsoft.insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm | -| 674 | CKV_AZURE_37 | resource | microsoft.insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | Bicep | -| 675 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | -| 676 | CKV_AZURE_38 | resource | microsoft.insights/logprofiles | Ensure audit profile captures all the activities | arm | -| 677 | CKV_AZURE_38 | resource | microsoft.insights/logprofiles | Ensure audit profile captures all the activities | Bicep | -| 678 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm | -| 679 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | Bicep | -| 680 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | -| 681 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | -| 682 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm | -| 683 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | Bicep | -| 684 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | -| 685 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm | -| 686 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | Bicep | -| 687 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | -| 688 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure Storage Accounts adhere to the naming rules | Terraform | -| 689 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | -| 690 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | -| 691 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | arm | -| 692 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Bicep | -| 693 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | -| 694 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | -| 695 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | arm | -| 696 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Bicep | -| 697 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | -| 698 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | -| 699 | CKV_AZURE_50 | resource | azurerm_windows_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | -| 700 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | -| 701 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | -| 702 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | -| 703 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | -| 704 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | -| 705 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | -| 706 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | -| 707 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | -| 708 | CKV_AZURE_60 | resource | azurerm_storage_account | Ensure that storage account enables secure transfer | Terraform | -| 709 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | -| 710 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | -| 711 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | -| 712 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | -| 713 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | -| 714 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | -| 715 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | -| 716 | CKV_AZURE_67 | resource | azurerm_function_app_slot | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | -| 717 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | -| 718 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | -| 719 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | -| 720 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | -| 721 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | -| 722 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | -| 723 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | -| 724 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | -| 725 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | -| 726 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses disk encryption | Terraform | -| 727 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | -| 728 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | -| 729 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | -| 730 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | -| 731 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | -| 732 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | -| 733 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | -| 734 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | -| 735 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | -| 736 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | -| 737 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | -| 738 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | -| 739 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | -| 740 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | -| 741 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | -| 742 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | -| 743 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | -| 744 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | -| 745 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | -| 746 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | -| 747 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | -| 748 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | -| 749 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | -| 750 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | -| 751 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | -| 752 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | -| 753 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | -| 754 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | -| 755 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | -| 756 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | -| 757 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | -| 758 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | -| 759 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | -| 760 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | -| 761 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | -| 762 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | -| 763 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | -| 764 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | -| 765 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | -| 766 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | -| 767 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | -| 768 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | -| 769 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | -| 770 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | -| 771 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | -| 772 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | -| 773 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | -| 774 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | -| 775 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | -| 776 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | -| 777 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | -| 778 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | -| 779 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | -| 780 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | -| 781 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | -| 782 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | -| 783 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | -| 784 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | -| 785 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | -| 786 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | -| 787 | CKV_AZURE_131 | parameter | string | SecureString parameter should not have hardcoded default values | Bicep | -| 788 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | arm | -| 789 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Bicep | -| 790 | CKV_AZURE_132 | resource | azurerm_cosmosdb_account | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Terraform | -| 791 | CKV_AZURE_133 | resource | azurerm_frontdoor_firewall_policy | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | -| 792 | CKV_AZURE_134 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable public network access | Terraform | -| 793 | CKV_AZURE_135 | resource | azurerm_web_application_firewall_policy | Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | -| 794 | CKV_AZURE_136 | resource | azurerm_postgresql_flexible_server | Ensure that PostgreSQL Flexible server enables geo-redundant backups | Terraform | -| 795 | CKV_AZURE_137 | resource | azurerm_container_registry | Ensure ACR admin account is disabled | Terraform | -| 796 | CKV_AZURE_138 | resource | azurerm_container_registry | Ensures that ACR disables anonymous pulling of images | Terraform | -| 797 | CKV_AZURE_139 | resource | azurerm_container_registry | Ensure ACR set to disable public networking | Terraform | -| 798 | CKV_AZURE_140 | resource | azurerm_cosmosdb_account | Ensure that Local Authentication is disabled on CosmosDB | Terraform | -| 799 | CKV_AZURE_141 | resource | azurerm_kubernetes_cluster | Ensure AKS local admin account is disabled | Terraform | -| 800 | CKV_AZURE_142 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Local Authentication is disabled | Terraform | -| 801 | CKV_AZURE_143 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster nodes do not have public IP addresses | Terraform | -| 802 | CKV_AZURE_144 | resource | azurerm_machine_learning_workspace | Ensure that Public Access is disabled for Machine Learning Workspace | Terraform | -| 803 | CKV_AZURE_145 | resource | azurerm_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | -| 804 | CKV_AZURE_146 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 805 | CKV_AZURE_147 | resource | azurerm_postgresql_server | Ensure PostgreSQL is using the latest version of TLS encryption | Terraform | -| 806 | CKV_AZURE_148 | resource | azurerm_redis_cache | Ensure Redis Cache is using the latest version of TLS encryption | Terraform | -| 807 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine | Ensure that Virtual machine does not enable password authentication | Terraform | -| 808 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine does not enable password authentication | Terraform | -| 809 | CKV_AZURE_150 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 | Terraform | -| 810 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform | -| 811 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform | -| 812 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | -| 813 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | -| 814 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | -| 815 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | -| 816 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | -| 817 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure that databricks workspace has not public | Terraform | -| 818 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | -| 819 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | -| 820 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 821 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 822 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 823 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 824 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 825 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 826 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 827 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | -| 828 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | -| 829 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | -| 830 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | -| 831 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 832 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 833 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 834 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 835 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 836 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 837 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 838 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 839 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 840 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 841 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 842 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 843 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | -| 844 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 845 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 846 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 847 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | -| 848 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | -| 849 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 850 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 851 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 852 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 853 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 854 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 855 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 856 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 857 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 858 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 859 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 860 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 861 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 862 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 863 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | -| 864 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | -| 865 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | -| 866 | CKV_BITBUCKET_1 | bitbucket_configuration | * | Merge requests should require at least 2 approvals | bitbucket_configuration | -| 867 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | -| 868 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | -| 869 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | -| 870 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | -| 871 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | -| 872 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | -| 873 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | -| 874 | CKV_DOCKER_4 | dockerfile | ADD | Ensure that COPY is used instead of ADD in Dockerfiles | dockerfile | -| 875 | CKV_DOCKER_5 | dockerfile | RUN | Ensure update instructions are not use alone in the Dockerfile | dockerfile | -| 876 | CKV_DOCKER_6 | dockerfile | MAINTAINER | Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated) | dockerfile | -| 877 | CKV_DOCKER_7 | dockerfile | FROM | Ensure the base image uses a non latest version tag | dockerfile | -| 878 | CKV_DOCKER_8 | dockerfile | USER | Ensure the last USER is not root | dockerfile | -| 879 | CKV_DOCKER_9 | dockerfile | RUN | Ensure that APT isn't used | dockerfile | -| 880 | CKV_DOCKER_10 | dockerfile | WORKDIR | Ensure that WORKDIR values are absolute paths | dockerfile | -| 881 | CKV_DOCKER_11 | dockerfile | FROM | Ensure From Alias are unique for multistage builds. | dockerfile | -| 882 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | -| 883 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | -| 884 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | -| 885 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | -| 886 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | -| 887 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | -| 888 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | -| 889 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | -| 890 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | -| 891 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | -| 892 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | -| 893 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | -| 894 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | -| 895 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | -| 896 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | -| 897 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | -| 898 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | -| 899 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | -| 900 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | -| 901 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | -| 902 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | -| 903 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | -| 904 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | -| 905 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | -| 906 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | -| 907 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | -| 908 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | -| 909 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | -| 910 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | -| 911 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | -| 912 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | -| 913 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform | -| 914 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | -| 915 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | -| 916 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | -| 917 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | -| 918 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | -| 919 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | -| 920 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | -| 921 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | -| 922 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | -| 923 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | -| 924 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | -| 925 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | -| 926 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | -| 927 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | -| 928 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | -| 929 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | -| 930 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 931 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 932 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | -| 933 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | -| 934 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | -| 935 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | -| 936 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | -| 937 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | -| 938 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | -| 939 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | -| 940 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | -| 941 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | -| 942 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | -| 943 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | -| 944 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | -| 945 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | -| 946 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | -| 947 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | -| 948 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | -| 949 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | -| 950 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | -| 951 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | -| 952 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | -| 953 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | -| 954 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | -| 955 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | -| 956 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | -| 957 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | -| 958 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | -| 959 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | -| 960 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | -| 961 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | -| 962 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | -| 963 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | -| 964 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | -| 965 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | -| 966 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | -| 967 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | -| 968 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | -| 969 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | -| 970 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | -| 971 | CKV_GCP_67 | resource | google_container_cluster | Ensure legacy Compute Engine instance metadata APIs are Disabled | Terraform | -| 972 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | -| 973 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | -| 974 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | -| 975 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | -| 976 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | -| 977 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | -| 978 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | -| 979 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | -| 980 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | -| 981 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | -| 982 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | -| 983 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | -| 984 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | -| 985 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | -| 986 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | -| 987 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 988 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 989 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | -| 990 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 991 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 992 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 993 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | -| 994 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | -| 995 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | -| 996 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | -| 997 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 998 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 999 | CKV_GCP_92 | resource | google_vertex_ai_dataset | Ensure Vertex AI datasets uses a CMK (Customer Manager Key) | Terraform | -| 1000 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 1001 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | -| 1002 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | -| 1003 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Manager Key) | Terraform | -| 1004 | CKV_GCP_97 | resource | google_redis_instance | Ensure Memorystore for Redis uses intransit encryption | Terraform | -| 1005 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | -| 1006 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | -| 1007 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | -| 1008 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | -| 1009 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | -| 1010 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | -| 1011 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | -| 1012 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | -| 1013 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | -| 1014 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | -| 1015 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | -| 1016 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | -| 1017 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | -| 1018 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 1019 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 1020 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 1021 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 1022 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 1023 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 1024 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 1025 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 1026 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 1027 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 1028 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 1029 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 1030 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 1031 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | -| 1032 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | -| 1033 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | -| 1034 | CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | -| 1035 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | -| 1036 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | -| 1037 | CKV_GHA_1 | jobs | jobs | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables on a job | github_actions | -| 1038 | CKV_GHA_2 | jobs | jobs | Ensure run commands are not vulnerable to shell injection | github_actions | -| 1039 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | -| 1040 | CKV_GIT_2 | resource | github_repository_webhook | Ensure Repository Webhook uses secure Ssl | Terraform | -| 1041 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | -| 1042 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure Secrets are encrypted | Terraform | -| 1043 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure Secrets are encrypted | Terraform | -| 1044 | CKV_GIT_4 | resource | github_actions_secret | Ensure Secrets are encrypted | Terraform | -| 1045 | CKV_GITHUB_1 | github_configuration | * | Ensure GitHub organization security settings require 2FA | github_configuration | -| 1046 | CKV_GITHUB_2 | github_configuration | * | Ensure GitHub organization security settings require SSO | github_configuration | -| 1047 | CKV_GITHUB_3 | github_configuration | * | Ensure GitHub organization security settings has IP allow list enabled | github_configuration | -| 1048 | CKV_GITHUB_4 | github_configuration | * | Ensure GitHub branch protection rules requires signed commits | github_configuration | -| 1049 | CKV_GITHUB_5 | github_configuration | * | Ensure GitHub branch protection rules does not allow force pushes | github_configuration | -| 1050 | CKV_GITLAB_1 | gitlab_configuration | * | Merge requests should require at least 2 approvals | gitlab_configuration | -| 1051 | CKV_GITLAB_2 | gitlab_configuration | * | Ensure all Gitlab groups require two factor authentication | gitlab_configuration | -| 1052 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | -| 1053 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host process ID namespace | Terraform | -| 1054 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | -| 1055 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | -| 1056 | CKV_K8S_3 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace | Kubernetes | -| 1057 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host IPC namespace | Terraform | -| 1058 | CKV_K8S_4 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace | Kubernetes | -| 1059 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | -| 1060 | CKV_K8S_5 | resource | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation | Kubernetes | -| 1061 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | -| 1062 | CKV_K8S_6 | resource | PodSecurityPolicy | Do not admit root containers | Kubernetes | -| 1063 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | -| 1064 | CKV_K8S_7 | resource | PodSecurityPolicy | Do not admit containers with the NET_RAW capability | Kubernetes | -| 1065 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | -| 1066 | CKV_K8S_8 | resource | DaemonSet | Liveness Probe Should be Configured | Kubernetes | -| 1067 | CKV_K8S_8 | resource | Deployment | Liveness Probe Should be Configured | Kubernetes | -| 1068 | CKV_K8S_8 | resource | Pod | Liveness Probe Should be Configured | Kubernetes | -| 1069 | CKV_K8S_8 | resource | PodTemplate | Liveness Probe Should be Configured | Kubernetes | -| 1070 | CKV_K8S_8 | resource | ReplicaSet | Liveness Probe Should be Configured | Kubernetes | -| 1071 | CKV_K8S_8 | resource | ReplicationController | Liveness Probe Should be Configured | Kubernetes | -| 1072 | CKV_K8S_8 | resource | StatefulSet | Liveness Probe Should be Configured | Kubernetes | -| 1073 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | -| 1074 | CKV_K8S_9 | resource | DaemonSet | Readiness Probe Should be Configured | Kubernetes | -| 1075 | CKV_K8S_9 | resource | Deployment | Readiness Probe Should be Configured | Kubernetes | -| 1076 | CKV_K8S_9 | resource | Pod | Readiness Probe Should be Configured | Kubernetes | -| 1077 | CKV_K8S_9 | resource | PodTemplate | Readiness Probe Should be Configured | Kubernetes | -| 1078 | CKV_K8S_9 | resource | ReplicaSet | Readiness Probe Should be Configured | Kubernetes | -| 1079 | CKV_K8S_9 | resource | ReplicationController | Readiness Probe Should be Configured | Kubernetes | -| 1080 | CKV_K8S_9 | resource | StatefulSet | Readiness Probe Should be Configured | Kubernetes | -| 1081 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | -| 1082 | CKV_K8S_10 | resource | CronJob | CPU requests should be set | Kubernetes | -| 1083 | CKV_K8S_10 | resource | DaemonSet | CPU requests should be set | Kubernetes | -| 1084 | CKV_K8S_10 | resource | Deployment | CPU requests should be set | Kubernetes | -| 1085 | CKV_K8S_10 | resource | Job | CPU requests should be set | Kubernetes | -| 1086 | CKV_K8S_10 | resource | Pod | CPU requests should be set | Kubernetes | -| 1087 | CKV_K8S_10 | resource | PodTemplate | CPU requests should be set | Kubernetes | -| 1088 | CKV_K8S_10 | resource | ReplicaSet | CPU requests should be set | Kubernetes | -| 1089 | CKV_K8S_10 | resource | ReplicationController | CPU requests should be set | Kubernetes | -| 1090 | CKV_K8S_10 | resource | StatefulSet | CPU requests should be set | Kubernetes | -| 1091 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | -| 1092 | CKV_K8S_11 | resource | CronJob | CPU limits should be set | Kubernetes | -| 1093 | CKV_K8S_11 | resource | DaemonSet | CPU limits should be set | Kubernetes | -| 1094 | CKV_K8S_11 | resource | Deployment | CPU limits should be set | Kubernetes | -| 1095 | CKV_K8S_11 | resource | Job | CPU limits should be set | Kubernetes | -| 1096 | CKV_K8S_11 | resource | Pod | CPU limits should be set | Kubernetes | -| 1097 | CKV_K8S_11 | resource | PodTemplate | CPU limits should be set | Kubernetes | -| 1098 | CKV_K8S_11 | resource | ReplicaSet | CPU limits should be set | Kubernetes | -| 1099 | CKV_K8S_11 | resource | ReplicationController | CPU limits should be set | Kubernetes | -| 1100 | CKV_K8S_11 | resource | StatefulSet | CPU limits should be set | Kubernetes | -| 1101 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | -| 1102 | CKV_K8S_12 | resource | CronJob | Memory requests should be set | Kubernetes | -| 1103 | CKV_K8S_12 | resource | DaemonSet | Memory requests should be set | Kubernetes | -| 1104 | CKV_K8S_12 | resource | Deployment | Memory requests should be set | Kubernetes | -| 1105 | CKV_K8S_12 | resource | Job | Memory requests should be set | Kubernetes | -| 1106 | CKV_K8S_12 | resource | Pod | Memory requests should be set | Kubernetes | -| 1107 | CKV_K8S_12 | resource | PodTemplate | Memory requests should be set | Kubernetes | -| 1108 | CKV_K8S_12 | resource | ReplicaSet | Memory requests should be set | Kubernetes | -| 1109 | CKV_K8S_12 | resource | ReplicationController | Memory requests should be set | Kubernetes | -| 1110 | CKV_K8S_12 | resource | StatefulSet | Memory requests should be set | Kubernetes | -| 1111 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should be set | Terraform | -| 1112 | CKV_K8S_13 | resource | CronJob | Memory limits should be set | Kubernetes | -| 1113 | CKV_K8S_13 | resource | DaemonSet | Memory limits should be set | Kubernetes | -| 1114 | CKV_K8S_13 | resource | Deployment | Memory limits should be set | Kubernetes | -| 1115 | CKV_K8S_13 | resource | Job | Memory limits should be set | Kubernetes | -| 1116 | CKV_K8S_13 | resource | Pod | Memory limits should be set | Kubernetes | -| 1117 | CKV_K8S_13 | resource | PodTemplate | Memory limits should be set | Kubernetes | -| 1118 | CKV_K8S_13 | resource | ReplicaSet | Memory limits should be set | Kubernetes | -| 1119 | CKV_K8S_13 | resource | ReplicationController | Memory limits should be set | Kubernetes | -| 1120 | CKV_K8S_13 | resource | StatefulSet | Memory limits should be set | Kubernetes | -| 1121 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | -| 1122 | CKV_K8S_14 | resource | CronJob | Image Tag should be fixed - not latest or blank | Kubernetes | -| 1123 | CKV_K8S_14 | resource | DaemonSet | Image Tag should be fixed - not latest or blank | Kubernetes | -| 1124 | CKV_K8S_14 | resource | Deployment | Image Tag should be fixed - not latest or blank | Kubernetes | -| 1125 | CKV_K8S_14 | resource | Job | Image Tag should be fixed - not latest or blank | Kubernetes | -| 1126 | CKV_K8S_14 | resource | Pod | Image Tag should be fixed - not latest or blank | Kubernetes | -| 1127 | CKV_K8S_14 | resource | PodTemplate | Image Tag should be fixed - not latest or blank | Kubernetes | -| 1128 | CKV_K8S_14 | resource | ReplicaSet | Image Tag should be fixed - not latest or blank | Kubernetes | -| 1129 | CKV_K8S_14 | resource | ReplicationController | Image Tag should be fixed - not latest or blank | Kubernetes | -| 1130 | CKV_K8S_14 | resource | StatefulSet | Image Tag should be fixed - not latest or blank | Kubernetes | -| 1131 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | -| 1132 | CKV_K8S_15 | resource | CronJob | Image Pull Policy should be Always | Kubernetes | -| 1133 | CKV_K8S_15 | resource | DaemonSet | Image Pull Policy should be Always | Kubernetes | -| 1134 | CKV_K8S_15 | resource | Deployment | Image Pull Policy should be Always | Kubernetes | -| 1135 | CKV_K8S_15 | resource | Job | Image Pull Policy should be Always | Kubernetes | -| 1136 | CKV_K8S_15 | resource | Pod | Image Pull Policy should be Always | Kubernetes | -| 1137 | CKV_K8S_15 | resource | PodTemplate | Image Pull Policy should be Always | Kubernetes | -| 1138 | CKV_K8S_15 | resource | ReplicaSet | Image Pull Policy should be Always | Kubernetes | -| 1139 | CKV_K8S_15 | resource | ReplicationController | Image Pull Policy should be Always | Kubernetes | -| 1140 | CKV_K8S_15 | resource | StatefulSet | Image Pull Policy should be Always | Kubernetes | -| 1141 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | -| 1142 | CKV_K8S_16 | resource | CronJob | Container should not be privileged | Kubernetes | -| 1143 | CKV_K8S_16 | resource | DaemonSet | Container should not be privileged | Kubernetes | -| 1144 | CKV_K8S_16 | resource | Deployment | Container should not be privileged | Kubernetes | -| 1145 | CKV_K8S_16 | resource | Job | Container should not be privileged | Kubernetes | -| 1146 | CKV_K8S_16 | resource | Pod | Container should not be privileged | Kubernetes | -| 1147 | CKV_K8S_16 | resource | PodTemplate | Container should not be privileged | Kubernetes | -| 1148 | CKV_K8S_16 | resource | ReplicaSet | Container should not be privileged | Kubernetes | -| 1149 | CKV_K8S_16 | resource | ReplicationController | Container should not be privileged | Kubernetes | -| 1150 | CKV_K8S_16 | resource | StatefulSet | Container should not be privileged | Kubernetes | -| 1151 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers | Terraform | -| 1152 | CKV_K8S_17 | resource | CronJob | Containers should not share the host process ID namespace | Kubernetes | -| 1153 | CKV_K8S_17 | resource | DaemonSet | Containers should not share the host process ID namespace | Kubernetes | -| 1154 | CKV_K8S_17 | resource | Deployment | Containers should not share the host process ID namespace | Kubernetes | -| 1155 | CKV_K8S_17 | resource | Job | Containers should not share the host process ID namespace | Kubernetes | -| 1156 | CKV_K8S_17 | resource | Pod | Containers should not share the host process ID namespace | Kubernetes | -| 1157 | CKV_K8S_17 | resource | ReplicaSet | Containers should not share the host process ID namespace | Kubernetes | -| 1158 | CKV_K8S_17 | resource | ReplicationController | Containers should not share the host process ID namespace | Kubernetes | -| 1159 | CKV_K8S_17 | resource | StatefulSet | Containers should not share the host process ID namespace | Kubernetes | -| 1160 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | -| 1161 | CKV_K8S_18 | resource | CronJob | Containers should not share the host IPC namespace | Kubernetes | -| 1162 | CKV_K8S_18 | resource | DaemonSet | Containers should not share the host IPC namespace | Kubernetes | -| 1163 | CKV_K8S_18 | resource | Deployment | Containers should not share the host IPC namespace | Kubernetes | -| 1164 | CKV_K8S_18 | resource | Job | Containers should not share the host IPC namespace | Kubernetes | -| 1165 | CKV_K8S_18 | resource | Pod | Containers should not share the host IPC namespace | Kubernetes | -| 1166 | CKV_K8S_18 | resource | ReplicaSet | Containers should not share the host IPC namespace | Kubernetes | -| 1167 | CKV_K8S_18 | resource | ReplicationController | Containers should not share the host IPC namespace | Kubernetes | -| 1168 | CKV_K8S_18 | resource | StatefulSet | Containers should not share the host IPC namespace | Kubernetes | -| 1169 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | -| 1170 | CKV_K8S_19 | resource | CronJob | Containers should not share the host network namespace | Kubernetes | -| 1171 | CKV_K8S_19 | resource | DaemonSet | Containers should not share the host network namespace | Kubernetes | -| 1172 | CKV_K8S_19 | resource | Deployment | Containers should not share the host network namespace | Kubernetes | -| 1173 | CKV_K8S_19 | resource | Job | Containers should not share the host network namespace | Kubernetes | -| 1174 | CKV_K8S_19 | resource | Pod | Containers should not share the host network namespace | Kubernetes | -| 1175 | CKV_K8S_19 | resource | ReplicaSet | Containers should not share the host network namespace | Kubernetes | -| 1176 | CKV_K8S_19 | resource | ReplicationController | Containers should not share the host network namespace | Kubernetes | -| 1177 | CKV_K8S_19 | resource | StatefulSet | Containers should not share the host network namespace | Kubernetes | -| 1178 | CKV_K8S_19 | resource | kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | -| 1179 | CKV_K8S_20 | resource | CronJob | Containers should not run with allowPrivilegeEscalation | Kubernetes | -| 1180 | CKV_K8S_20 | resource | DaemonSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | -| 1181 | CKV_K8S_20 | resource | Deployment | Containers should not run with allowPrivilegeEscalation | Kubernetes | -| 1182 | CKV_K8S_20 | resource | Job | Containers should not run with allowPrivilegeEscalation | Kubernetes | -| 1183 | CKV_K8S_20 | resource | Pod | Containers should not run with allowPrivilegeEscalation | Kubernetes | -| 1184 | CKV_K8S_20 | resource | PodTemplate | Containers should not run with allowPrivilegeEscalation | Kubernetes | -| 1185 | CKV_K8S_20 | resource | ReplicaSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | -| 1186 | CKV_K8S_20 | resource | ReplicationController | Containers should not run with allowPrivilegeEscalation | Kubernetes | -| 1187 | CKV_K8S_20 | resource | StatefulSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | -| 1188 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | -| 1189 | CKV_K8S_21 | resource | ConfigMap | The default namespace should not be used | Kubernetes | -| 1190 | CKV_K8S_21 | resource | CronJob | The default namespace should not be used | Kubernetes | -| 1191 | CKV_K8S_21 | resource | DaemonSet | The default namespace should not be used | Kubernetes | -| 1192 | CKV_K8S_21 | resource | Deployment | The default namespace should not be used | Kubernetes | -| 1193 | CKV_K8S_21 | resource | Ingress | The default namespace should not be used | Kubernetes | -| 1194 | CKV_K8S_21 | resource | Job | The default namespace should not be used | Kubernetes | -| 1195 | CKV_K8S_21 | resource | Pod | The default namespace should not be used | Kubernetes | -| 1196 | CKV_K8S_21 | resource | ReplicaSet | The default namespace should not be used | Kubernetes | -| 1197 | CKV_K8S_21 | resource | ReplicationController | The default namespace should not be used | Kubernetes | -| 1198 | CKV_K8S_21 | resource | Role | The default namespace should not be used | Kubernetes | -| 1199 | CKV_K8S_21 | resource | RoleBinding | The default namespace should not be used | Kubernetes | -| 1200 | CKV_K8S_21 | resource | Secret | The default namespace should not be used | Kubernetes | -| 1201 | CKV_K8S_21 | resource | Service | The default namespace should not be used | Kubernetes | -| 1202 | CKV_K8S_21 | resource | ServiceAccount | The default namespace should not be used | Kubernetes | -| 1203 | CKV_K8S_21 | resource | StatefulSet | The default namespace should not be used | Kubernetes | -| 1204 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | -| 1205 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | -| 1206 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | -| 1207 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | -| 1208 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | -| 1209 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not be used | Terraform | -| 1210 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | -| 1211 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | -| 1212 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | -| 1213 | CKV_K8S_21 | resource | kubernetes_secret | The default namespace should not be used | Terraform | -| 1214 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | -| 1215 | CKV_K8S_21 | resource | kubernetes_service_account | The default namespace should not be used | Terraform | -| 1216 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | -| 1217 | CKV_K8S_22 | resource | CronJob | Use read-only filesystem for containers where possible | Kubernetes | -| 1218 | CKV_K8S_22 | resource | DaemonSet | Use read-only filesystem for containers where possible | Kubernetes | -| 1219 | CKV_K8S_22 | resource | Deployment | Use read-only filesystem for containers where possible | Kubernetes | -| 1220 | CKV_K8S_22 | resource | Job | Use read-only filesystem for containers where possible | Kubernetes | -| 1221 | CKV_K8S_22 | resource | Pod | Use read-only filesystem for containers where possible | Kubernetes | -| 1222 | CKV_K8S_22 | resource | PodTemplate | Use read-only filesystem for containers where possible | Kubernetes | -| 1223 | CKV_K8S_22 | resource | ReplicaSet | Use read-only filesystem for containers where possible | Kubernetes | -| 1224 | CKV_K8S_22 | resource | ReplicationController | Use read-only filesystem for containers where possible | Kubernetes | -| 1225 | CKV_K8S_22 | resource | StatefulSet | Use read-only filesystem for containers where possible | Kubernetes | -| 1226 | CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | -| 1227 | CKV_K8S_23 | resource | CronJob | Minimize the admission of root containers | Kubernetes | -| 1228 | CKV_K8S_23 | resource | DaemonSet | Minimize the admission of root containers | Kubernetes | -| 1229 | CKV_K8S_23 | resource | Deployment | Minimize the admission of root containers | Kubernetes | -| 1230 | CKV_K8S_23 | resource | Job | Minimize the admission of root containers | Kubernetes | -| 1231 | CKV_K8S_23 | resource | Pod | Minimize the admission of root containers | Kubernetes | -| 1232 | CKV_K8S_23 | resource | ReplicaSet | Minimize the admission of root containers | Kubernetes | -| 1233 | CKV_K8S_23 | resource | ReplicationController | Minimize the admission of root containers | Kubernetes | -| 1234 | CKV_K8S_23 | resource | StatefulSet | Minimize the admission of root containers | Kubernetes | -| 1235 | CKV_K8S_24 | resource | PodSecurityPolicy | Do not allow containers with added capability | Kubernetes | -| 1236 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added capability | Terraform | -| 1237 | CKV_K8S_25 | resource | CronJob | Minimize the admission of containers with added capability | Kubernetes | -| 1238 | CKV_K8S_25 | resource | DaemonSet | Minimize the admission of containers with added capability | Kubernetes | -| 1239 | CKV_K8S_25 | resource | Deployment | Minimize the admission of containers with added capability | Kubernetes | -| 1240 | CKV_K8S_25 | resource | Job | Minimize the admission of containers with added capability | Kubernetes | -| 1241 | CKV_K8S_25 | resource | Pod | Minimize the admission of containers with added capability | Kubernetes | -| 1242 | CKV_K8S_25 | resource | PodTemplate | Minimize the admission of containers with added capability | Kubernetes | -| 1243 | CKV_K8S_25 | resource | ReplicaSet | Minimize the admission of containers with added capability | Kubernetes | -| 1244 | CKV_K8S_25 | resource | ReplicationController | Minimize the admission of containers with added capability | Kubernetes | -| 1245 | CKV_K8S_25 | resource | StatefulSet | Minimize the admission of containers with added capability | Kubernetes | -| 1246 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | -| 1247 | CKV_K8S_26 | resource | CronJob | Do not specify hostPort unless absolutely necessary | Kubernetes | -| 1248 | CKV_K8S_26 | resource | DaemonSet | Do not specify hostPort unless absolutely necessary | Kubernetes | -| 1249 | CKV_K8S_26 | resource | Deployment | Do not specify hostPort unless absolutely necessary | Kubernetes | -| 1250 | CKV_K8S_26 | resource | Job | Do not specify hostPort unless absolutely necessary | Kubernetes | -| 1251 | CKV_K8S_26 | resource | Pod | Do not specify hostPort unless absolutely necessary | Kubernetes | -| 1252 | CKV_K8S_26 | resource | PodTemplate | Do not specify hostPort unless absolutely necessary | Kubernetes | -| 1253 | CKV_K8S_26 | resource | ReplicaSet | Do not specify hostPort unless absolutely necessary | Kubernetes | -| 1254 | CKV_K8S_26 | resource | ReplicationController | Do not specify hostPort unless absolutely necessary | Kubernetes | -| 1255 | CKV_K8S_26 | resource | StatefulSet | Do not specify hostPort unless absolutely necessary | Kubernetes | -| 1256 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | -| 1257 | CKV_K8S_27 | resource | CronJob | Do not expose the docker daemon socket to containers | Kubernetes | -| 1258 | CKV_K8S_27 | resource | DaemonSet | Do not expose the docker daemon socket to containers | Kubernetes | -| 1259 | CKV_K8S_27 | resource | Deployment | Do not expose the docker daemon socket to containers | Kubernetes | -| 1260 | CKV_K8S_27 | resource | Job | Do not expose the docker daemon socket to containers | Kubernetes | -| 1261 | CKV_K8S_27 | resource | Pod | Do not expose the docker daemon socket to containers | Kubernetes | -| 1262 | CKV_K8S_27 | resource | ReplicaSet | Do not expose the docker daemon socket to containers | Kubernetes | -| 1263 | CKV_K8S_27 | resource | ReplicationController | Do not expose the docker daemon socket to containers | Kubernetes | -| 1264 | CKV_K8S_27 | resource | StatefulSet | Do not expose the docker daemon socket to containers | Kubernetes | -| 1265 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | -| 1266 | CKV_K8S_27 | resource | kubernetes_deployment | Do not expose the docker daemon socket to containers | Terraform | -| 1267 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | -| 1268 | CKV_K8S_28 | resource | CronJob | Minimize the admission of containers with the NET_RAW capability | Kubernetes | -| 1269 | CKV_K8S_28 | resource | DaemonSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | -| 1270 | CKV_K8S_28 | resource | Deployment | Minimize the admission of containers with the NET_RAW capability | Kubernetes | -| 1271 | CKV_K8S_28 | resource | Job | Minimize the admission of containers with the NET_RAW capability | Kubernetes | -| 1272 | CKV_K8S_28 | resource | Pod | Minimize the admission of containers with the NET_RAW capability | Kubernetes | -| 1273 | CKV_K8S_28 | resource | PodTemplate | Minimize the admission of containers with the NET_RAW capability | Kubernetes | -| 1274 | CKV_K8S_28 | resource | ReplicaSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | -| 1275 | CKV_K8S_28 | resource | ReplicationController | Minimize the admission of containers with the NET_RAW capability | Kubernetes | -| 1276 | CKV_K8S_28 | resource | StatefulSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | -| 1277 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | -| 1278 | CKV_K8S_29 | resource | CronJob | Apply security context to your pods and containers | Kubernetes | -| 1279 | CKV_K8S_29 | resource | DaemonSet | Apply security context to your pods and containers | Kubernetes | -| 1280 | CKV_K8S_29 | resource | Deployment | Apply security context to your pods and containers | Kubernetes | -| 1281 | CKV_K8S_29 | resource | Job | Apply security context to your pods and containers | Kubernetes | -| 1282 | CKV_K8S_29 | resource | Pod | Apply security context to your pods and containers | Kubernetes | -| 1283 | CKV_K8S_29 | resource | ReplicaSet | Apply security context to your pods and containers | Kubernetes | -| 1284 | CKV_K8S_29 | resource | ReplicationController | Apply security context to your pods and containers | Kubernetes | -| 1285 | CKV_K8S_29 | resource | StatefulSet | Apply security context to your pods and containers | Kubernetes | -| 1286 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods and containers | Terraform | -| 1287 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | -| 1288 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | -| 1289 | CKV_K8S_30 | resource | CronJob | Apply security context to your pods and containers | Kubernetes | -| 1290 | CKV_K8S_30 | resource | DaemonSet | Apply security context to your pods and containers | Kubernetes | -| 1291 | CKV_K8S_30 | resource | Deployment | Apply security context to your pods and containers | Kubernetes | -| 1292 | CKV_K8S_30 | resource | Job | Apply security context to your pods and containers | Kubernetes | -| 1293 | CKV_K8S_30 | resource | Pod | Apply security context to your pods and containers | Kubernetes | -| 1294 | CKV_K8S_30 | resource | PodTemplate | Apply security context to your pods and containers | Kubernetes | -| 1295 | CKV_K8S_30 | resource | ReplicaSet | Apply security context to your pods and containers | Kubernetes | -| 1296 | CKV_K8S_30 | resource | ReplicationController | Apply security context to your pods and containers | Kubernetes | -| 1297 | CKV_K8S_30 | resource | StatefulSet | Apply security context to your pods and containers | Kubernetes | -| 1298 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | -| 1299 | CKV_K8S_31 | resource | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1300 | CKV_K8S_31 | resource | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1301 | CKV_K8S_31 | resource | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1302 | CKV_K8S_31 | resource | Job | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1303 | CKV_K8S_31 | resource | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1304 | CKV_K8S_31 | resource | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1305 | CKV_K8S_31 | resource | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1306 | CKV_K8S_31 | resource | StatefulSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1307 | CKV_K8S_32 | resource | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default | Kubernetes | -| 1308 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | -| 1309 | CKV_K8S_33 | resource | CronJob | Ensure the Kubernetes dashboard is not deployed | Kubernetes | -| 1310 | CKV_K8S_33 | resource | DaemonSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | -| 1311 | CKV_K8S_33 | resource | Deployment | Ensure the Kubernetes dashboard is not deployed | Kubernetes | -| 1312 | CKV_K8S_33 | resource | Job | Ensure the Kubernetes dashboard is not deployed | Kubernetes | -| 1313 | CKV_K8S_33 | resource | Pod | Ensure the Kubernetes dashboard is not deployed | Kubernetes | -| 1314 | CKV_K8S_33 | resource | PodTemplate | Ensure the Kubernetes dashboard is not deployed | Kubernetes | -| 1315 | CKV_K8S_33 | resource | ReplicaSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | -| 1316 | CKV_K8S_33 | resource | ReplicationController | Ensure the Kubernetes dashboard is not deployed | Kubernetes | -| 1317 | CKV_K8S_33 | resource | StatefulSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | -| 1318 | CKV_K8S_34 | resource | CronJob | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | -| 1319 | CKV_K8S_34 | resource | DaemonSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | -| 1320 | CKV_K8S_34 | resource | Deployment | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | -| 1321 | CKV_K8S_34 | resource | Job | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | -| 1322 | CKV_K8S_34 | resource | Pod | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | -| 1323 | CKV_K8S_34 | resource | PodTemplate | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | -| 1324 | CKV_K8S_34 | resource | ReplicaSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | -| 1325 | CKV_K8S_34 | resource | ReplicationController | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | -| 1326 | CKV_K8S_34 | resource | StatefulSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | -| 1327 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller (Helm v2) is not deployed | Terraform | -| 1328 | CKV_K8S_35 | resource | CronJob | Prefer using secrets as files over secrets as environment variables | Kubernetes | -| 1329 | CKV_K8S_35 | resource | DaemonSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | -| 1330 | CKV_K8S_35 | resource | Deployment | Prefer using secrets as files over secrets as environment variables | Kubernetes | -| 1331 | CKV_K8S_35 | resource | Job | Prefer using secrets as files over secrets as environment variables | Kubernetes | -| 1332 | CKV_K8S_35 | resource | Pod | Prefer using secrets as files over secrets as environment variables | Kubernetes | -| 1333 | CKV_K8S_35 | resource | PodTemplate | Prefer using secrets as files over secrets as environment variables | Kubernetes | -| 1334 | CKV_K8S_35 | resource | ReplicaSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | -| 1335 | CKV_K8S_35 | resource | ReplicationController | Prefer using secrets as files over secrets as environment variables | Kubernetes | -| 1336 | CKV_K8S_35 | resource | StatefulSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | -| 1337 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets as environment variables | Terraform | -| 1338 | CKV_K8S_36 | resource | PodSecurityPolicy | Minimize the admission of containers with capabilities assigned | Kubernetes | -| 1339 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | -| 1340 | CKV_K8S_37 | resource | CronJob | Minimize the admission of containers with capabilities assigned | Kubernetes | -| 1341 | CKV_K8S_37 | resource | DaemonSet | Minimize the admission of containers with capabilities assigned | Kubernetes | -| 1342 | CKV_K8S_37 | resource | Deployment | Minimize the admission of containers with capabilities assigned | Kubernetes | -| 1343 | CKV_K8S_37 | resource | Job | Minimize the admission of containers with capabilities assigned | Kubernetes | -| 1344 | CKV_K8S_37 | resource | Pod | Minimize the admission of containers with capabilities assigned | Kubernetes | -| 1345 | CKV_K8S_37 | resource | PodTemplate | Minimize the admission of containers with capabilities assigned | Kubernetes | -| 1346 | CKV_K8S_37 | resource | ReplicaSet | Minimize the admission of containers with capabilities assigned | Kubernetes | -| 1347 | CKV_K8S_37 | resource | ReplicationController | Minimize the admission of containers with capabilities assigned | Kubernetes | -| 1348 | CKV_K8S_37 | resource | StatefulSet | Minimize the admission of containers with capabilities assigned | Kubernetes | -| 1349 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | -| 1350 | CKV_K8S_38 | resource | CronJob | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1351 | CKV_K8S_38 | resource | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1352 | CKV_K8S_38 | resource | Deployment | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1353 | CKV_K8S_38 | resource | Job | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1354 | CKV_K8S_38 | resource | Pod | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1355 | CKV_K8S_38 | resource | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1356 | CKV_K8S_38 | resource | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1357 | CKV_K8S_38 | resource | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1358 | CKV_K8S_39 | resource | CronJob | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | -| 1359 | CKV_K8S_39 | resource | DaemonSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | -| 1360 | CKV_K8S_39 | resource | Deployment | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | -| 1361 | CKV_K8S_39 | resource | Job | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | -| 1362 | CKV_K8S_39 | resource | Pod | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | -| 1363 | CKV_K8S_39 | resource | PodTemplate | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | -| 1364 | CKV_K8S_39 | resource | ReplicaSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | -| 1365 | CKV_K8S_39 | resource | ReplicationController | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | -| 1366 | CKV_K8S_39 | resource | StatefulSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | -| 1367 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | -| 1368 | CKV_K8S_40 | resource | CronJob | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1369 | CKV_K8S_40 | resource | DaemonSet | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1370 | CKV_K8S_40 | resource | Deployment | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1371 | CKV_K8S_40 | resource | Job | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1372 | CKV_K8S_40 | resource | Pod | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1373 | CKV_K8S_40 | resource | ReplicaSet | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1374 | CKV_K8S_40 | resource | ReplicationController | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1375 | CKV_K8S_40 | resource | StatefulSet | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1376 | CKV_K8S_41 | resource | ServiceAccount | Ensure that default service accounts are not actively used | Kubernetes | -| 1377 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | -| 1378 | CKV_K8S_42 | resource | ClusterRoleBinding | Ensure that default service accounts are not actively used | Kubernetes | -| 1379 | CKV_K8S_42 | resource | RoleBinding | Ensure that default service accounts are not actively used | Kubernetes | -| 1380 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | -| 1381 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | -| 1382 | CKV_K8S_43 | resource | CronJob | Image should use digest | Kubernetes | -| 1383 | CKV_K8S_43 | resource | DaemonSet | Image should use digest | Kubernetes | -| 1384 | CKV_K8S_43 | resource | Deployment | Image should use digest | Kubernetes | -| 1385 | CKV_K8S_43 | resource | Job | Image should use digest | Kubernetes | -| 1386 | CKV_K8S_43 | resource | Pod | Image should use digest | Kubernetes | -| 1387 | CKV_K8S_43 | resource | PodTemplate | Image should use digest | Kubernetes | -| 1388 | CKV_K8S_43 | resource | ReplicaSet | Image should use digest | Kubernetes | -| 1389 | CKV_K8S_43 | resource | ReplicationController | Image should use digest | Kubernetes | -| 1390 | CKV_K8S_43 | resource | StatefulSet | Image should use digest | Kubernetes | -| 1391 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | -| 1392 | CKV_K8S_44 | resource | Service | Ensure that the Tiller Service (Helm v2) is deleted | Kubernetes | -| 1393 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | -| 1394 | CKV_K8S_45 | resource | CronJob | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | -| 1395 | CKV_K8S_45 | resource | DaemonSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | -| 1396 | CKV_K8S_45 | resource | Deployment | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | -| 1397 | CKV_K8S_45 | resource | Job | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | -| 1398 | CKV_K8S_45 | resource | Pod | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | -| 1399 | CKV_K8S_45 | resource | PodTemplate | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | -| 1400 | CKV_K8S_45 | resource | ReplicaSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | -| 1401 | CKV_K8S_45 | resource | ReplicationController | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | -| 1402 | CKV_K8S_45 | resource | StatefulSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | -| 1403 | CKV_K8S_49 | resource | ClusterRole | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | -| 1404 | CKV_K8S_49 | resource | Role | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | -| 1405 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | -| 1406 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | -| 1407 | CKV_K8S_68 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1408 | CKV_K8S_68 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1409 | CKV_K8S_68 | resource | Deployment | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1410 | CKV_K8S_68 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1411 | CKV_K8S_68 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1412 | CKV_K8S_68 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1413 | CKV_K8S_68 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1414 | CKV_K8S_68 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1415 | CKV_K8S_68 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1416 | CKV_K8S_69 | resource | CronJob | Ensure that the --basic-auth-file argument is not set | Kubernetes | -| 1417 | CKV_K8S_69 | resource | DaemonSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | -| 1418 | CKV_K8S_69 | resource | Deployment | Ensure that the --basic-auth-file argument is not set | Kubernetes | -| 1419 | CKV_K8S_69 | resource | Job | Ensure that the --basic-auth-file argument is not set | Kubernetes | -| 1420 | CKV_K8S_69 | resource | Pod | Ensure that the --basic-auth-file argument is not set | Kubernetes | -| 1421 | CKV_K8S_69 | resource | PodTemplate | Ensure that the --basic-auth-file argument is not set | Kubernetes | -| 1422 | CKV_K8S_69 | resource | ReplicaSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | -| 1423 | CKV_K8S_69 | resource | ReplicationController | Ensure that the --basic-auth-file argument is not set | Kubernetes | -| 1424 | CKV_K8S_69 | resource | StatefulSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | -| 1425 | CKV_K8S_70 | resource | CronJob | Ensure that the --token-auth-file argument is not set | Kubernetes | -| 1426 | CKV_K8S_70 | resource | DaemonSet | Ensure that the --token-auth-file argument is not set | Kubernetes | -| 1427 | CKV_K8S_70 | resource | Deployment | Ensure that the --token-auth-file argument is not set | Kubernetes | -| 1428 | CKV_K8S_70 | resource | Job | Ensure that the --token-auth-file argument is not set | Kubernetes | -| 1429 | CKV_K8S_70 | resource | Pod | Ensure that the --token-auth-file argument is not set | Kubernetes | -| 1430 | CKV_K8S_70 | resource | PodTemplate | Ensure that the --token-auth-file argument is not set | Kubernetes | -| 1431 | CKV_K8S_70 | resource | ReplicaSet | Ensure that the --token-auth-file argument is not set | Kubernetes | -| 1432 | CKV_K8S_70 | resource | ReplicationController | Ensure that the --token-auth-file argument is not set | Kubernetes | -| 1433 | CKV_K8S_70 | resource | StatefulSet | Ensure that the --token-auth-file argument is not set | Kubernetes | -| 1434 | CKV_K8S_71 | resource | CronJob | Ensure that the --kubelet-https argument is set to true | Kubernetes | -| 1435 | CKV_K8S_71 | resource | DaemonSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | -| 1436 | CKV_K8S_71 | resource | Deployment | Ensure that the --kubelet-https argument is set to true | Kubernetes | -| 1437 | CKV_K8S_71 | resource | Job | Ensure that the --kubelet-https argument is set to true | Kubernetes | -| 1438 | CKV_K8S_71 | resource | Pod | Ensure that the --kubelet-https argument is set to true | Kubernetes | -| 1439 | CKV_K8S_71 | resource | PodTemplate | Ensure that the --kubelet-https argument is set to true | Kubernetes | -| 1440 | CKV_K8S_71 | resource | ReplicaSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | -| 1441 | CKV_K8S_71 | resource | ReplicationController | Ensure that the --kubelet-https argument is set to true | Kubernetes | -| 1442 | CKV_K8S_71 | resource | StatefulSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | -| 1443 | CKV_K8S_72 | resource | CronJob | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | -| 1444 | CKV_K8S_72 | resource | DaemonSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | -| 1445 | CKV_K8S_72 | resource | Deployment | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | -| 1446 | CKV_K8S_72 | resource | Job | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | -| 1447 | CKV_K8S_72 | resource | Pod | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | -| 1448 | CKV_K8S_72 | resource | PodTemplate | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | -| 1449 | CKV_K8S_72 | resource | ReplicaSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | -| 1450 | CKV_K8S_72 | resource | ReplicationController | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | -| 1451 | CKV_K8S_72 | resource | StatefulSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | -| 1452 | CKV_K8S_73 | resource | CronJob | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | -| 1453 | CKV_K8S_73 | resource | DaemonSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | -| 1454 | CKV_K8S_73 | resource | Deployment | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | -| 1455 | CKV_K8S_73 | resource | Job | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | -| 1456 | CKV_K8S_73 | resource | Pod | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | -| 1457 | CKV_K8S_73 | resource | PodTemplate | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | -| 1458 | CKV_K8S_73 | resource | ReplicaSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | -| 1459 | CKV_K8S_73 | resource | ReplicationController | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | -| 1460 | CKV_K8S_73 | resource | StatefulSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | -| 1461 | CKV_K8S_74 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1462 | CKV_K8S_74 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1463 | CKV_K8S_74 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1464 | CKV_K8S_74 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1465 | CKV_K8S_74 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1466 | CKV_K8S_74 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1467 | CKV_K8S_74 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1468 | CKV_K8S_74 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1469 | CKV_K8S_74 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1470 | CKV_K8S_75 | resource | CronJob | Ensure that the --authorization-mode argument includes Node | Kubernetes | -| 1471 | CKV_K8S_75 | resource | DaemonSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | -| 1472 | CKV_K8S_75 | resource | Deployment | Ensure that the --authorization-mode argument includes Node | Kubernetes | -| 1473 | CKV_K8S_75 | resource | Job | Ensure that the --authorization-mode argument includes Node | Kubernetes | -| 1474 | CKV_K8S_75 | resource | Pod | Ensure that the --authorization-mode argument includes Node | Kubernetes | -| 1475 | CKV_K8S_75 | resource | PodTemplate | Ensure that the --authorization-mode argument includes Node | Kubernetes | -| 1476 | CKV_K8S_75 | resource | ReplicaSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | -| 1477 | CKV_K8S_75 | resource | ReplicationController | Ensure that the --authorization-mode argument includes Node | Kubernetes | -| 1478 | CKV_K8S_75 | resource | StatefulSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | -| 1479 | CKV_K8S_77 | resource | CronJob | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | -| 1480 | CKV_K8S_77 | resource | DaemonSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | -| 1481 | CKV_K8S_77 | resource | Deployment | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | -| 1482 | CKV_K8S_77 | resource | Job | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | -| 1483 | CKV_K8S_77 | resource | Pod | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | -| 1484 | CKV_K8S_77 | resource | PodTemplate | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | -| 1485 | CKV_K8S_77 | resource | ReplicaSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | -| 1486 | CKV_K8S_77 | resource | ReplicationController | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | -| 1487 | CKV_K8S_77 | resource | StatefulSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | -| 1488 | CKV_K8S_78 | resource | AdmissionConfiguration | Ensure that the admission control plugin EventRateLimit is set | Kubernetes | -| 1489 | CKV_K8S_79 | resource | CronJob | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | -| 1490 | CKV_K8S_79 | resource | DaemonSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | -| 1491 | CKV_K8S_79 | resource | Deployment | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | -| 1492 | CKV_K8S_79 | resource | Job | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | -| 1493 | CKV_K8S_79 | resource | Pod | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | -| 1494 | CKV_K8S_79 | resource | PodTemplate | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | -| 1495 | CKV_K8S_79 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | -| 1496 | CKV_K8S_79 | resource | ReplicationController | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | -| 1497 | CKV_K8S_79 | resource | StatefulSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | -| 1498 | CKV_K8S_80 | resource | CronJob | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | -| 1499 | CKV_K8S_80 | resource | DaemonSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | -| 1500 | CKV_K8S_80 | resource | Deployment | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | -| 1501 | CKV_K8S_80 | resource | Job | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | -| 1502 | CKV_K8S_80 | resource | Pod | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | -| 1503 | CKV_K8S_80 | resource | PodTemplate | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | -| 1504 | CKV_K8S_80 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | -| 1505 | CKV_K8S_80 | resource | ReplicationController | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | -| 1506 | CKV_K8S_80 | resource | StatefulSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | -| 1507 | CKV_K8S_81 | resource | CronJob | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | -| 1508 | CKV_K8S_81 | resource | DaemonSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | -| 1509 | CKV_K8S_81 | resource | Deployment | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | -| 1510 | CKV_K8S_81 | resource | Job | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | -| 1511 | CKV_K8S_81 | resource | Pod | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | -| 1512 | CKV_K8S_81 | resource | PodTemplate | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | -| 1513 | CKV_K8S_81 | resource | ReplicaSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | -| 1514 | CKV_K8S_81 | resource | ReplicationController | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | -| 1515 | CKV_K8S_81 | resource | StatefulSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | -| 1516 | CKV_K8S_82 | resource | CronJob | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | -| 1517 | CKV_K8S_82 | resource | DaemonSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | -| 1518 | CKV_K8S_82 | resource | Deployment | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | -| 1519 | CKV_K8S_82 | resource | Job | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | -| 1520 | CKV_K8S_82 | resource | Pod | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | -| 1521 | CKV_K8S_82 | resource | PodTemplate | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | -| 1522 | CKV_K8S_82 | resource | ReplicaSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | -| 1523 | CKV_K8S_82 | resource | ReplicationController | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | -| 1524 | CKV_K8S_82 | resource | StatefulSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | -| 1525 | CKV_K8S_83 | resource | CronJob | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | -| 1526 | CKV_K8S_83 | resource | DaemonSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | -| 1527 | CKV_K8S_83 | resource | Deployment | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | -| 1528 | CKV_K8S_83 | resource | Job | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | -| 1529 | CKV_K8S_83 | resource | Pod | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | -| 1530 | CKV_K8S_83 | resource | PodTemplate | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | -| 1531 | CKV_K8S_83 | resource | ReplicaSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | -| 1532 | CKV_K8S_83 | resource | ReplicationController | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | -| 1533 | CKV_K8S_83 | resource | StatefulSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | -| 1534 | CKV_K8S_84 | resource | CronJob | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | -| 1535 | CKV_K8S_84 | resource | DaemonSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | -| 1536 | CKV_K8S_84 | resource | Deployment | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | -| 1537 | CKV_K8S_84 | resource | Job | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | -| 1538 | CKV_K8S_84 | resource | Pod | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | -| 1539 | CKV_K8S_84 | resource | PodTemplate | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | -| 1540 | CKV_K8S_84 | resource | ReplicaSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | -| 1541 | CKV_K8S_84 | resource | ReplicationController | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | -| 1542 | CKV_K8S_84 | resource | StatefulSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | -| 1543 | CKV_K8S_85 | resource | CronJob | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | -| 1544 | CKV_K8S_85 | resource | DaemonSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | -| 1545 | CKV_K8S_85 | resource | Deployment | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | -| 1546 | CKV_K8S_85 | resource | Job | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | -| 1547 | CKV_K8S_85 | resource | Pod | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | -| 1548 | CKV_K8S_85 | resource | PodTemplate | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | -| 1549 | CKV_K8S_85 | resource | ReplicaSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | -| 1550 | CKV_K8S_85 | resource | ReplicationController | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | -| 1551 | CKV_K8S_85 | resource | StatefulSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | -| 1552 | CKV_K8S_86 | resource | CronJob | Ensure that the --insecure-bind-address argument is not set | Kubernetes | -| 1553 | CKV_K8S_86 | resource | DaemonSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | -| 1554 | CKV_K8S_86 | resource | Deployment | Ensure that the --insecure-bind-address argument is not set | Kubernetes | -| 1555 | CKV_K8S_86 | resource | Job | Ensure that the --insecure-bind-address argument is not set | Kubernetes | -| 1556 | CKV_K8S_86 | resource | Pod | Ensure that the --insecure-bind-address argument is not set | Kubernetes | -| 1557 | CKV_K8S_86 | resource | PodTemplate | Ensure that the --insecure-bind-address argument is not set | Kubernetes | -| 1558 | CKV_K8S_86 | resource | ReplicaSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | -| 1559 | CKV_K8S_86 | resource | ReplicationController | Ensure that the --insecure-bind-address argument is not set | Kubernetes | -| 1560 | CKV_K8S_86 | resource | StatefulSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | -| 1561 | CKV_K8S_88 | resource | CronJob | Ensure that the --insecure-port argument is set to 0 | Kubernetes | -| 1562 | CKV_K8S_88 | resource | DaemonSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | -| 1563 | CKV_K8S_88 | resource | Deployment | Ensure that the --insecure-port argument is set to 0 | Kubernetes | -| 1564 | CKV_K8S_88 | resource | Job | Ensure that the --insecure-port argument is set to 0 | Kubernetes | -| 1565 | CKV_K8S_88 | resource | Pod | Ensure that the --insecure-port argument is set to 0 | Kubernetes | -| 1566 | CKV_K8S_88 | resource | PodTemplate | Ensure that the --insecure-port argument is set to 0 | Kubernetes | -| 1567 | CKV_K8S_88 | resource | ReplicaSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | -| 1568 | CKV_K8S_88 | resource | ReplicationController | Ensure that the --insecure-port argument is set to 0 | Kubernetes | -| 1569 | CKV_K8S_88 | resource | StatefulSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | -| 1570 | CKV_K8S_89 | resource | CronJob | Ensure that the --secure-port argument is not set to 0 | Kubernetes | -| 1571 | CKV_K8S_89 | resource | DaemonSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | -| 1572 | CKV_K8S_89 | resource | Deployment | Ensure that the --secure-port argument is not set to 0 | Kubernetes | -| 1573 | CKV_K8S_89 | resource | Job | Ensure that the --secure-port argument is not set to 0 | Kubernetes | -| 1574 | CKV_K8S_89 | resource | Pod | Ensure that the --secure-port argument is not set to 0 | Kubernetes | -| 1575 | CKV_K8S_89 | resource | PodTemplate | Ensure that the --secure-port argument is not set to 0 | Kubernetes | -| 1576 | CKV_K8S_89 | resource | ReplicaSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | -| 1577 | CKV_K8S_89 | resource | ReplicationController | Ensure that the --secure-port argument is not set to 0 | Kubernetes | -| 1578 | CKV_K8S_89 | resource | StatefulSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | -| 1579 | CKV_K8S_90 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | -| 1580 | CKV_K8S_90 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | -| 1581 | CKV_K8S_90 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | -| 1582 | CKV_K8S_90 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | -| 1583 | CKV_K8S_90 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | -| 1584 | CKV_K8S_90 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | -| 1585 | CKV_K8S_90 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | -| 1586 | CKV_K8S_90 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | -| 1587 | CKV_K8S_90 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | -| 1588 | CKV_K8S_91 | resource | CronJob | Ensure that the --audit-log-path argument is set | Kubernetes | -| 1589 | CKV_K8S_91 | resource | DaemonSet | Ensure that the --audit-log-path argument is set | Kubernetes | -| 1590 | CKV_K8S_91 | resource | Deployment | Ensure that the --audit-log-path argument is set | Kubernetes | -| 1591 | CKV_K8S_91 | resource | Job | Ensure that the --audit-log-path argument is set | Kubernetes | -| 1592 | CKV_K8S_91 | resource | Pod | Ensure that the --audit-log-path argument is set | Kubernetes | -| 1593 | CKV_K8S_91 | resource | PodTemplate | Ensure that the --audit-log-path argument is set | Kubernetes | -| 1594 | CKV_K8S_91 | resource | ReplicaSet | Ensure that the --audit-log-path argument is set | Kubernetes | -| 1595 | CKV_K8S_91 | resource | ReplicationController | Ensure that the --audit-log-path argument is set | Kubernetes | -| 1596 | CKV_K8S_91 | resource | StatefulSet | Ensure that the --audit-log-path argument is set | Kubernetes | -| 1597 | CKV_K8S_92 | resource | CronJob | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | -| 1598 | CKV_K8S_92 | resource | DaemonSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | -| 1599 | CKV_K8S_92 | resource | Deployment | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | -| 1600 | CKV_K8S_92 | resource | Job | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | -| 1601 | CKV_K8S_92 | resource | Pod | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | -| 1602 | CKV_K8S_92 | resource | PodTemplate | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | -| 1603 | CKV_K8S_92 | resource | ReplicaSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | -| 1604 | CKV_K8S_92 | resource | ReplicationController | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | -| 1605 | CKV_K8S_92 | resource | StatefulSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | -| 1606 | CKV_K8S_93 | resource | CronJob | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | -| 1607 | CKV_K8S_93 | resource | DaemonSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | -| 1608 | CKV_K8S_93 | resource | Deployment | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | -| 1609 | CKV_K8S_93 | resource | Job | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | -| 1610 | CKV_K8S_93 | resource | Pod | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | -| 1611 | CKV_K8S_93 | resource | PodTemplate | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | -| 1612 | CKV_K8S_93 | resource | ReplicaSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | -| 1613 | CKV_K8S_93 | resource | ReplicationController | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | -| 1614 | CKV_K8S_93 | resource | StatefulSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | -| 1615 | CKV_K8S_94 | resource | CronJob | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | -| 1616 | CKV_K8S_94 | resource | DaemonSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | -| 1617 | CKV_K8S_94 | resource | Deployment | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | -| 1618 | CKV_K8S_94 | resource | Job | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | -| 1619 | CKV_K8S_94 | resource | Pod | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | -| 1620 | CKV_K8S_94 | resource | PodTemplate | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | -| 1621 | CKV_K8S_94 | resource | ReplicaSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | -| 1622 | CKV_K8S_94 | resource | ReplicationController | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | -| 1623 | CKV_K8S_94 | resource | StatefulSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | -| 1624 | CKV_K8S_95 | resource | CronJob | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | -| 1625 | CKV_K8S_95 | resource | DaemonSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | -| 1626 | CKV_K8S_95 | resource | Deployment | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | -| 1627 | CKV_K8S_95 | resource | Job | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | -| 1628 | CKV_K8S_95 | resource | Pod | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | -| 1629 | CKV_K8S_95 | resource | PodTemplate | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | -| 1630 | CKV_K8S_95 | resource | ReplicaSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | -| 1631 | CKV_K8S_95 | resource | ReplicationController | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | -| 1632 | CKV_K8S_95 | resource | StatefulSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | -| 1633 | CKV_K8S_96 | resource | CronJob | Ensure that the --service-account-lookup argument is set to true | Kubernetes | -| 1634 | CKV_K8S_96 | resource | DaemonSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | -| 1635 | CKV_K8S_96 | resource | Deployment | Ensure that the --service-account-lookup argument is set to true | Kubernetes | -| 1636 | CKV_K8S_96 | resource | Job | Ensure that the --service-account-lookup argument is set to true | Kubernetes | -| 1637 | CKV_K8S_96 | resource | Pod | Ensure that the --service-account-lookup argument is set to true | Kubernetes | -| 1638 | CKV_K8S_96 | resource | PodTemplate | Ensure that the --service-account-lookup argument is set to true | Kubernetes | -| 1639 | CKV_K8S_96 | resource | ReplicaSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | -| 1640 | CKV_K8S_96 | resource | ReplicationController | Ensure that the --service-account-lookup argument is set to true | Kubernetes | -| 1641 | CKV_K8S_96 | resource | StatefulSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | -| 1642 | CKV_K8S_97 | resource | CronJob | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | -| 1643 | CKV_K8S_97 | resource | DaemonSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | -| 1644 | CKV_K8S_97 | resource | Deployment | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | -| 1645 | CKV_K8S_97 | resource | Job | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | -| 1646 | CKV_K8S_97 | resource | Pod | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | -| 1647 | CKV_K8S_97 | resource | PodTemplate | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | -| 1648 | CKV_K8S_97 | resource | ReplicaSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | -| 1649 | CKV_K8S_97 | resource | ReplicationController | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | -| 1650 | CKV_K8S_97 | resource | StatefulSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | -| 1651 | CKV_K8S_99 | resource | CronJob | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | -| 1652 | CKV_K8S_99 | resource | DaemonSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | -| 1653 | CKV_K8S_99 | resource | Deployment | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | -| 1654 | CKV_K8S_99 | resource | Job | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | -| 1655 | CKV_K8S_99 | resource | Pod | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | -| 1656 | CKV_K8S_99 | resource | PodTemplate | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | -| 1657 | CKV_K8S_99 | resource | ReplicaSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | -| 1658 | CKV_K8S_99 | resource | ReplicationController | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | -| 1659 | CKV_K8S_99 | resource | StatefulSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | -| 1660 | CKV_K8S_100 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1661 | CKV_K8S_100 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1662 | CKV_K8S_100 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1663 | CKV_K8S_100 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1664 | CKV_K8S_100 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1665 | CKV_K8S_100 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1666 | CKV_K8S_100 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1667 | CKV_K8S_100 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1668 | CKV_K8S_100 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1669 | CKV_K8S_102 | resource | CronJob | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | -| 1670 | CKV_K8S_102 | resource | DaemonSet | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | -| 1671 | CKV_K8S_102 | resource | Deployment | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | -| 1672 | CKV_K8S_102 | resource | Job | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | -| 1673 | CKV_K8S_102 | resource | Pod | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | -| 1674 | CKV_K8S_102 | resource | PodTemplate | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | -| 1675 | CKV_K8S_102 | resource | ReplicaSet | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | -| 1676 | CKV_K8S_102 | resource | ReplicationController | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | -| 1677 | CKV_K8S_102 | resource | StatefulSet | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | -| 1678 | CKV_K8S_104 | resource | CronJob | Ensure that encryption providers are appropriately configured | Kubernetes | -| 1679 | CKV_K8S_104 | resource | DaemonSet | Ensure that encryption providers are appropriately configured | Kubernetes | -| 1680 | CKV_K8S_104 | resource | Deployment | Ensure that encryption providers are appropriately configured | Kubernetes | -| 1681 | CKV_K8S_104 | resource | Job | Ensure that encryption providers are appropriately configured | Kubernetes | -| 1682 | CKV_K8S_104 | resource | Pod | Ensure that encryption providers are appropriately configured | Kubernetes | -| 1683 | CKV_K8S_104 | resource | PodTemplate | Ensure that encryption providers are appropriately configured | Kubernetes | -| 1684 | CKV_K8S_104 | resource | ReplicaSet | Ensure that encryption providers are appropriately configured | Kubernetes | -| 1685 | CKV_K8S_104 | resource | ReplicationController | Ensure that encryption providers are appropriately configured | Kubernetes | -| 1686 | CKV_K8S_104 | resource | StatefulSet | Ensure that encryption providers are appropriately configured | Kubernetes | -| 1687 | CKV_K8S_105 | resource | CronJob | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1688 | CKV_K8S_105 | resource | DaemonSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1689 | CKV_K8S_105 | resource | Deployment | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1690 | CKV_K8S_105 | resource | Job | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1691 | CKV_K8S_105 | resource | Pod | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1692 | CKV_K8S_105 | resource | PodTemplate | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1693 | CKV_K8S_105 | resource | ReplicaSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1694 | CKV_K8S_105 | resource | ReplicationController | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1695 | CKV_K8S_105 | resource | StatefulSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1696 | CKV_K8S_106 | resource | CronJob | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | -| 1697 | CKV_K8S_106 | resource | DaemonSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | -| 1698 | CKV_K8S_106 | resource | Deployment | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | -| 1699 | CKV_K8S_106 | resource | Job | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | -| 1700 | CKV_K8S_106 | resource | Pod | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | -| 1701 | CKV_K8S_106 | resource | PodTemplate | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | -| 1702 | CKV_K8S_106 | resource | ReplicaSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | -| 1703 | CKV_K8S_106 | resource | ReplicationController | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | -| 1704 | CKV_K8S_106 | resource | StatefulSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | -| 1705 | CKV_K8S_107 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | -| 1706 | CKV_K8S_107 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | -| 1707 | CKV_K8S_107 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | -| 1708 | CKV_K8S_107 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | -| 1709 | CKV_K8S_107 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | -| 1710 | CKV_K8S_107 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | -| 1711 | CKV_K8S_107 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | -| 1712 | CKV_K8S_107 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | -| 1713 | CKV_K8S_107 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | -| 1714 | CKV_K8S_108 | resource | CronJob | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | -| 1715 | CKV_K8S_108 | resource | DaemonSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | -| 1716 | CKV_K8S_108 | resource | Deployment | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | -| 1717 | CKV_K8S_108 | resource | Job | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | -| 1718 | CKV_K8S_108 | resource | Pod | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | -| 1719 | CKV_K8S_108 | resource | PodTemplate | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | -| 1720 | CKV_K8S_108 | resource | ReplicaSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | -| 1721 | CKV_K8S_108 | resource | ReplicationController | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | -| 1722 | CKV_K8S_108 | resource | StatefulSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | -| 1723 | CKV_K8S_110 | resource | CronJob | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | -| 1724 | CKV_K8S_110 | resource | DaemonSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | -| 1725 | CKV_K8S_110 | resource | Deployment | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | -| 1726 | CKV_K8S_110 | resource | Job | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | -| 1727 | CKV_K8S_110 | resource | Pod | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | -| 1728 | CKV_K8S_110 | resource | PodTemplate | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | -| 1729 | CKV_K8S_110 | resource | ReplicaSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | -| 1730 | CKV_K8S_110 | resource | ReplicationController | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | -| 1731 | CKV_K8S_110 | resource | StatefulSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | -| 1732 | CKV_K8S_111 | resource | CronJob | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | -| 1733 | CKV_K8S_111 | resource | DaemonSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | -| 1734 | CKV_K8S_111 | resource | Deployment | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | -| 1735 | CKV_K8S_111 | resource | Job | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | -| 1736 | CKV_K8S_111 | resource | Pod | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | -| 1737 | CKV_K8S_111 | resource | PodTemplate | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | -| 1738 | CKV_K8S_111 | resource | ReplicaSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | -| 1739 | CKV_K8S_111 | resource | ReplicationController | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | -| 1740 | CKV_K8S_111 | resource | StatefulSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | -| 1741 | CKV_K8S_112 | resource | CronJob | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | -| 1742 | CKV_K8S_112 | resource | DaemonSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | -| 1743 | CKV_K8S_112 | resource | Deployment | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | -| 1744 | CKV_K8S_112 | resource | Job | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | -| 1745 | CKV_K8S_112 | resource | Pod | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | -| 1746 | CKV_K8S_112 | resource | PodTemplate | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | -| 1747 | CKV_K8S_112 | resource | ReplicaSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | -| 1748 | CKV_K8S_112 | resource | ReplicationController | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | -| 1749 | CKV_K8S_112 | resource | StatefulSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | -| 1750 | CKV_K8S_113 | resource | CronJob | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1751 | CKV_K8S_113 | resource | DaemonSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1752 | CKV_K8S_113 | resource | Deployment | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1753 | CKV_K8S_113 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1754 | CKV_K8S_113 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1755 | CKV_K8S_113 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1756 | CKV_K8S_113 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1757 | CKV_K8S_113 | resource | ReplicationController | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1758 | CKV_K8S_113 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1759 | CKV_K8S_114 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | -| 1760 | CKV_K8S_114 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | -| 1761 | CKV_K8S_114 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | -| 1762 | CKV_K8S_114 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | -| 1763 | CKV_K8S_114 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | -| 1764 | CKV_K8S_114 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | -| 1765 | CKV_K8S_114 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | -| 1766 | CKV_K8S_114 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | -| 1767 | CKV_K8S_114 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | -| 1768 | CKV_K8S_115 | resource | CronJob | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1769 | CKV_K8S_115 | resource | DaemonSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1770 | CKV_K8S_115 | resource | Deployment | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1771 | CKV_K8S_115 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1772 | CKV_K8S_115 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1773 | CKV_K8S_115 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1774 | CKV_K8S_115 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1775 | CKV_K8S_115 | resource | ReplicationController | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1776 | CKV_K8S_115 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1777 | CKV_K8S_116 | resource | CronJob | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | -| 1778 | CKV_K8S_116 | resource | DaemonSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | -| 1779 | CKV_K8S_116 | resource | Deployment | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | -| 1780 | CKV_K8S_116 | resource | Job | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | -| 1781 | CKV_K8S_116 | resource | Pod | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | -| 1782 | CKV_K8S_116 | resource | PodTemplate | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | -| 1783 | CKV_K8S_116 | resource | ReplicaSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | -| 1784 | CKV_K8S_116 | resource | ReplicationController | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | -| 1785 | CKV_K8S_116 | resource | StatefulSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | -| 1786 | CKV_K8S_117 | resource | CronJob | Ensure that the --client-cert-auth argument is set to true | Kubernetes | -| 1787 | CKV_K8S_117 | resource | DaemonSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | -| 1788 | CKV_K8S_117 | resource | Deployment | Ensure that the --client-cert-auth argument is set to true | Kubernetes | -| 1789 | CKV_K8S_117 | resource | Job | Ensure that the --client-cert-auth argument is set to true | Kubernetes | -| 1790 | CKV_K8S_117 | resource | Pod | Ensure that the --client-cert-auth argument is set to true | Kubernetes | -| 1791 | CKV_K8S_117 | resource | PodTemplate | Ensure that the --client-cert-auth argument is set to true | Kubernetes | -| 1792 | CKV_K8S_117 | resource | ReplicaSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | -| 1793 | CKV_K8S_117 | resource | ReplicationController | Ensure that the --client-cert-auth argument is set to true | Kubernetes | -| 1794 | CKV_K8S_117 | resource | StatefulSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | -| 1795 | CKV_K8S_118 | resource | CronJob | Ensure that the --auto-tls argument is not set to true | Kubernetes | -| 1796 | CKV_K8S_118 | resource | DaemonSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | -| 1797 | CKV_K8S_118 | resource | Deployment | Ensure that the --auto-tls argument is not set to true | Kubernetes | -| 1798 | CKV_K8S_118 | resource | Job | Ensure that the --auto-tls argument is not set to true | Kubernetes | -| 1799 | CKV_K8S_118 | resource | Pod | Ensure that the --auto-tls argument is not set to true | Kubernetes | -| 1800 | CKV_K8S_118 | resource | PodTemplate | Ensure that the --auto-tls argument is not set to true | Kubernetes | -| 1801 | CKV_K8S_118 | resource | ReplicaSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | -| 1802 | CKV_K8S_118 | resource | ReplicationController | Ensure that the --auto-tls argument is not set to true | Kubernetes | -| 1803 | CKV_K8S_118 | resource | StatefulSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | -| 1804 | CKV_K8S_119 | resource | CronJob | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | -| 1805 | CKV_K8S_119 | resource | DaemonSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | -| 1806 | CKV_K8S_119 | resource | Deployment | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | -| 1807 | CKV_K8S_119 | resource | Job | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | -| 1808 | CKV_K8S_119 | resource | Pod | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | -| 1809 | CKV_K8S_119 | resource | PodTemplate | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | -| 1810 | CKV_K8S_119 | resource | ReplicaSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | -| 1811 | CKV_K8S_119 | resource | ReplicationController | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | -| 1812 | CKV_K8S_119 | resource | StatefulSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | -| 1813 | CKV_K8S_121 | resource | Pod | Ensure that the --peer-client-cert-auth argument is set to true | Kubernetes | -| 1814 | CKV_K8S_138 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1815 | CKV_K8S_138 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1816 | CKV_K8S_138 | resource | Deployment | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1817 | CKV_K8S_138 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1818 | CKV_K8S_138 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1819 | CKV_K8S_138 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1820 | CKV_K8S_138 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1821 | CKV_K8S_138 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1822 | CKV_K8S_138 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1823 | CKV_K8S_139 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1824 | CKV_K8S_139 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1825 | CKV_K8S_139 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1826 | CKV_K8S_139 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1827 | CKV_K8S_139 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1828 | CKV_K8S_139 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1829 | CKV_K8S_139 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1830 | CKV_K8S_139 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1831 | CKV_K8S_139 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1832 | CKV_K8S_140 | resource | CronJob | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | -| 1833 | CKV_K8S_140 | resource | DaemonSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | -| 1834 | CKV_K8S_140 | resource | Deployment | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | -| 1835 | CKV_K8S_140 | resource | Job | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | -| 1836 | CKV_K8S_140 | resource | Pod | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | -| 1837 | CKV_K8S_140 | resource | PodTemplate | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | -| 1838 | CKV_K8S_140 | resource | ReplicaSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | -| 1839 | CKV_K8S_140 | resource | ReplicationController | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | -| 1840 | CKV_K8S_140 | resource | StatefulSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | -| 1841 | CKV_K8S_141 | resource | CronJob | Ensure that the --read-only-port argument is set to 0 | Kubernetes | -| 1842 | CKV_K8S_141 | resource | DaemonSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | -| 1843 | CKV_K8S_141 | resource | Deployment | Ensure that the --read-only-port argument is set to 0 | Kubernetes | -| 1844 | CKV_K8S_141 | resource | Job | Ensure that the --read-only-port argument is set to 0 | Kubernetes | -| 1845 | CKV_K8S_141 | resource | Pod | Ensure that the --read-only-port argument is set to 0 | Kubernetes | -| 1846 | CKV_K8S_141 | resource | PodTemplate | Ensure that the --read-only-port argument is set to 0 | Kubernetes | -| 1847 | CKV_K8S_141 | resource | ReplicaSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | -| 1848 | CKV_K8S_141 | resource | ReplicationController | Ensure that the --read-only-port argument is set to 0 | Kubernetes | -| 1849 | CKV_K8S_141 | resource | StatefulSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | -| 1850 | CKV_K8S_143 | resource | CronJob | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | -| 1851 | CKV_K8S_143 | resource | DaemonSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | -| 1852 | CKV_K8S_143 | resource | Deployment | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | -| 1853 | CKV_K8S_143 | resource | Job | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | -| 1854 | CKV_K8S_143 | resource | Pod | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | -| 1855 | CKV_K8S_143 | resource | PodTemplate | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | -| 1856 | CKV_K8S_143 | resource | ReplicaSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | -| 1857 | CKV_K8S_143 | resource | ReplicationController | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | -| 1858 | CKV_K8S_143 | resource | StatefulSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | -| 1859 | CKV_K8S_144 | resource | CronJob | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | -| 1860 | CKV_K8S_144 | resource | DaemonSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | -| 1861 | CKV_K8S_144 | resource | Deployment | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | -| 1862 | CKV_K8S_144 | resource | Job | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | -| 1863 | CKV_K8S_144 | resource | Pod | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | -| 1864 | CKV_K8S_144 | resource | PodTemplate | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | -| 1865 | CKV_K8S_144 | resource | ReplicaSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | -| 1866 | CKV_K8S_144 | resource | ReplicationController | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | -| 1867 | CKV_K8S_144 | resource | StatefulSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | -| 1868 | CKV_K8S_145 | resource | CronJob | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | -| 1869 | CKV_K8S_145 | resource | DaemonSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | -| 1870 | CKV_K8S_145 | resource | Deployment | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | -| 1871 | CKV_K8S_145 | resource | Job | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | -| 1872 | CKV_K8S_145 | resource | Pod | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | -| 1873 | CKV_K8S_145 | resource | PodTemplate | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | -| 1874 | CKV_K8S_145 | resource | ReplicaSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | -| 1875 | CKV_K8S_145 | resource | ReplicationController | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | -| 1876 | CKV_K8S_145 | resource | StatefulSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | -| 1877 | CKV_K8S_146 | resource | CronJob | Ensure that the --hostname-override argument is not set | Kubernetes | -| 1878 | CKV_K8S_146 | resource | DaemonSet | Ensure that the --hostname-override argument is not set | Kubernetes | -| 1879 | CKV_K8S_146 | resource | Deployment | Ensure that the --hostname-override argument is not set | Kubernetes | -| 1880 | CKV_K8S_146 | resource | Job | Ensure that the --hostname-override argument is not set | Kubernetes | -| 1881 | CKV_K8S_146 | resource | Pod | Ensure that the --hostname-override argument is not set | Kubernetes | -| 1882 | CKV_K8S_146 | resource | PodTemplate | Ensure that the --hostname-override argument is not set | Kubernetes | -| 1883 | CKV_K8S_146 | resource | ReplicaSet | Ensure that the --hostname-override argument is not set | Kubernetes | -| 1884 | CKV_K8S_146 | resource | ReplicationController | Ensure that the --hostname-override argument is not set | Kubernetes | -| 1885 | CKV_K8S_146 | resource | StatefulSet | Ensure that the --hostname-override argument is not set | Kubernetes | -| 1886 | CKV_K8S_147 | resource | CronJob | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | -| 1887 | CKV_K8S_147 | resource | DaemonSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | -| 1888 | CKV_K8S_147 | resource | Deployment | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | -| 1889 | CKV_K8S_147 | resource | Job | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | -| 1890 | CKV_K8S_147 | resource | Pod | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | -| 1891 | CKV_K8S_147 | resource | PodTemplate | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | -| 1892 | CKV_K8S_147 | resource | ReplicaSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | -| 1893 | CKV_K8S_147 | resource | ReplicationController | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | -| 1894 | CKV_K8S_147 | resource | StatefulSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | -| 1895 | CKV_K8S_148 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1896 | CKV_K8S_148 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1897 | CKV_K8S_148 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1898 | CKV_K8S_148 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1899 | CKV_K8S_148 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1900 | CKV_K8S_148 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1901 | CKV_K8S_148 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1902 | CKV_K8S_148 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1903 | CKV_K8S_148 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1904 | CKV_K8S_149 | resource | CronJob | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | -| 1905 | CKV_K8S_149 | resource | DaemonSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | -| 1906 | CKV_K8S_149 | resource | Deployment | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | -| 1907 | CKV_K8S_149 | resource | Job | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | -| 1908 | CKV_K8S_149 | resource | Pod | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | -| 1909 | CKV_K8S_149 | resource | PodTemplate | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | -| 1910 | CKV_K8S_149 | resource | ReplicaSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | -| 1911 | CKV_K8S_149 | resource | ReplicationController | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | -| 1912 | CKV_K8S_149 | resource | StatefulSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | -| 1913 | CKV_K8S_151 | resource | CronJob | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1914 | CKV_K8S_151 | resource | DaemonSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1915 | CKV_K8S_151 | resource | Deployment | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1916 | CKV_K8S_151 | resource | Job | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1917 | CKV_K8S_151 | resource | Pod | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1918 | CKV_K8S_151 | resource | PodTemplate | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1919 | CKV_K8S_151 | resource | ReplicaSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1920 | CKV_K8S_151 | resource | ReplicationController | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1921 | CKV_K8S_151 | resource | StatefulSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1922 | CKV_K8S_152 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain LUA code execution. See CVE-2021-25742 | Kubernetes | -| 1923 | CKV_K8S_153 | resource | Ingress | Prevent All NGINX Ingress annotation snippets. See CVE-2021-25742 | Kubernetes | -| 1924 | CKV_K8S_154 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain alias statements See CVE-2021-25742 | Kubernetes | -| 1925 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | -| 1926 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | -| 1927 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | -| 1928 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | -| 1929 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | -| 1930 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | -| 1931 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | -| 1932 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | -| 1933 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | -| 1934 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | -| 1935 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | -| 1936 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | -| 1937 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | -| 1938 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | -| 1939 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | -| 1940 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | -| 1941 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | -| 1942 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | -| 1943 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | -| 1944 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | -| 1945 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | -| 1946 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | -| 1947 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | -| 1948 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has a minimum length of 14 characters | Terraform | -| 1949 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | -| 1950 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | -| 1951 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | -| 1952 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | -| 1953 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | -| 1954 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | -| 1955 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | -| 1956 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | -| 1957 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | -| 1958 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | -| 1959 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | -| 1960 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | -| 1961 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | -| 1962 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | -| 1963 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | -| 1964 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | -| 1965 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | -| 1966 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | -| 1967 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | -| 1968 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | -| 1969 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | -| 1970 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | -| 1971 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | -| 1972 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | -| 1973 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | -| 1974 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | -| 1975 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | -| 1976 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | -| 1977 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | -| 1978 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | -| 1979 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | -| 1980 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | -| 1981 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | -| 1982 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | -| 1983 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | -| 1984 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | -| 1985 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | -| 1986 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | -| 1987 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | -| 1988 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | -| 1989 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | -| 1990 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | -| 1991 | CKV_SECRET_1 | Artifactory Credentials | secrets | Artifactory Credentials | secrets | -| 1992 | CKV_SECRET_2 | AWS Access Key | secrets | AWS Access Key | secrets | -| 1993 | CKV_SECRET_3 | Azure Storage Account access key | secrets | Azure Storage Account access key | secrets | -| 1994 | CKV_SECRET_4 | Basic Auth Credentials | secrets | Basic Auth Credentials | secrets | -| 1995 | CKV_SECRET_5 | Cloudant Credentials | secrets | Cloudant Credentials | secrets | -| 1996 | CKV_SECRET_6 | Base64 High Entropy String | secrets | Base64 High Entropy String | secrets | -| 1997 | CKV_SECRET_7 | IBM Cloud IAM Key | secrets | IBM Cloud IAM Key | secrets | -| 1998 | CKV_SECRET_8 | IBM COS HMAC Credentials | secrets | IBM COS HMAC Credentials | secrets | -| 1999 | CKV_SECRET_9 | JSON Web Token | secrets | JSON Web Token | secrets | -| 2000 | CKV_SECRET_11 | Mailchimp Access Key | secrets | Mailchimp Access Key | secrets | -| 2001 | CKV_SECRET_12 | NPM tokens | secrets | NPM tokens | secrets | -| 2002 | CKV_SECRET_13 | Private Key | secrets | Private Key | secrets | -| 2003 | CKV_SECRET_14 | Slack Token | secrets | Slack Token | secrets | -| 2004 | CKV_SECRET_15 | SoftLayer Credentials | secrets | SoftLayer Credentials | secrets | -| 2005 | CKV_SECRET_16 | Square OAuth Secret | secrets | Square OAuth Secret | secrets | -| 2006 | CKV_SECRET_17 | Stripe Access Key | secrets | Stripe Access Key | secrets | -| 2007 | CKV_SECRET_18 | Twilio API Key | secrets | Twilio API Key | secrets | -| 2008 | CKV_SECRET_19 | Hex High Entropy String | secrets | Hex High Entropy String | secrets | +| 25 | CKV_ALI_26 | resource | alicloud_cs_kubernetes | Ensure Kubernetes installs plugin Terway or Flannel to support standard policies | Terraform | +| 26 | CKV_AWS_1 | data | aws_iam_policy_document | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 27 | CKV_AWS_1 | resource | serverless_aws | Ensure IAM policies that allow full "*-*" administrative privileges are not created | serverless | +| 28 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 29 | CKV_AWS_2 | resource | aws_alb_listener | Ensure ALB protocol is HTTPS | Terraform | +| 30 | CKV_AWS_2 | resource | aws_lb_listener | Ensure ALB protocol is HTTPS | Terraform | +| 31 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_3 | resource | aws_ebs_volume | Ensure all data stored in the EBS is securely encrypted | Terraform | +| 33 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 34 | CKV_AWS_5 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | +| 35 | CKV_AWS_5 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | +| 36 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 37 | CKV_AWS_6 | resource | aws_elasticsearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | +| 38 | CKV_AWS_6 | resource | aws_opensearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | +| 39 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 40 | CKV_AWS_7 | resource | aws_kms_key | Ensure rotation for customer created CMKs is enabled | Terraform | +| 41 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 42 | CKV_AWS_8 | resource | aws_instance | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | +| 43 | CKV_AWS_8 | resource | aws_launch_configuration | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | +| 44 | CKV_AWS_9 | resource | aws_iam_account_password_policy | Ensure IAM password policy expires passwords within 90 days or less | Terraform | +| 45 | CKV_AWS_10 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires minimum length of 14 or greater | Terraform | +| 46 | CKV_AWS_11 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one lowercase letter | Terraform | +| 47 | CKV_AWS_12 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one number | Terraform | +| 48 | CKV_AWS_13 | resource | aws_iam_account_password_policy | Ensure IAM password policy prevents password reuse | Terraform | +| 49 | CKV_AWS_14 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one symbol | Terraform | +| 50 | CKV_AWS_15 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one uppercase letter | Terraform | +| 51 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 52 | CKV_AWS_16 | resource | aws_db_instance | Ensure all data stored in the RDS is securely encrypted at rest | Terraform | +| 53 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 54 | CKV_AWS_17 | resource | aws_db_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | +| 55 | CKV_AWS_17 | resource | aws_rds_cluster_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | +| 56 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 57 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform | +| 58 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 59 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | +| 60 | CKV_AWS_19 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | +| 61 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 62 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. | Terraform | +| 63 | CKV_AWS_20 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public READ access. | Terraform | +| 64 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 65 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | +| 66 | CKV_AWS_21 | resource | aws_s3_bucket_versioning | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | +| 67 | CKV_AWS_22 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Notebook is encrypted at rest using KMS CMK | Terraform | +| 68 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 69 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 70 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 71 | CKV_AWS_23 | resource | aws_db_security_group | Ensure every security groups rule has a description | Terraform | +| 72 | CKV_AWS_23 | resource | aws_elasticache_security_group | Ensure every security groups rule has a description | Terraform | +| 73 | CKV_AWS_23 | resource | aws_redshift_security_group | Ensure every security groups rule has a description | Terraform | +| 74 | CKV_AWS_23 | resource | aws_security_group | Ensure every security groups rule has a description | Terraform | +| 75 | CKV_AWS_23 | resource | aws_security_group_rule | Ensure every security groups rule has a description | Terraform | +| 76 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 77 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 78 | CKV_AWS_24 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | +| 79 | CKV_AWS_24 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | +| 80 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 81 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 82 | CKV_AWS_25 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | +| 83 | CKV_AWS_25 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | +| 84 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 85 | CKV_AWS_26 | resource | aws_sns_topic | Ensure all data stored in the SNS topic is encrypted | Terraform | +| 86 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 87 | CKV_AWS_27 | resource | aws_sqs_queue | Ensure all data stored in the SQS queue is encrypted | Terraform | +| 88 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 89 | CKV_AWS_28 | resource | aws_dynamodb_table | Ensure Dynamodb point in time recovery (backup) is enabled | Terraform | +| 90 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 91 | CKV_AWS_29 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Terraform | +| 92 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 93 | CKV_AWS_30 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Terraform | +| 94 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 95 | CKV_AWS_31 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Terraform | +| 96 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 97 | CKV_AWS_32 | resource | aws_ecr_repository_policy | Ensure ECR policy is not set to public | Terraform | +| 98 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 99 | CKV_AWS_33 | resource | aws_kms_key | Ensure KMS key policy does not contain wildcard (*) principal | Terraform | +| 100 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 101 | CKV_AWS_34 | resource | aws_cloudfront_distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Terraform | +| 102 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 103 | CKV_AWS_35 | resource | aws_cloudtrail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Terraform | +| 104 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 105 | CKV_AWS_36 | resource | aws_cloudtrail | Ensure CloudTrail log file validation is enabled | Terraform | +| 106 | CKV_AWS_37 | resource | aws_eks_cluster | Ensure Amazon EKS control plane logging enabled for all log types | Terraform | +| 107 | CKV_AWS_38 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | Terraform | +| 108 | CKV_AWS_39 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint disabled | Terraform | +| 109 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 110 | CKV_AWS_40 | resource | aws_iam_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | +| 111 | CKV_AWS_40 | resource | aws_iam_user_policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | +| 112 | CKV_AWS_40 | resource | aws_iam_user_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | +| 113 | CKV_AWS_41 | provider | aws | Ensure no hard coded AWS access key and secret key exists in provider | Terraform | +| 114 | CKV_AWS_41 | resource | serverless_aws | Ensure no hard coded AWS access key and secret key exists in provider | serverless | +| 115 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 116 | CKV_AWS_42 | resource | aws_efs_file_system | Ensure EFS is securely encrypted | Terraform | +| 117 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 118 | CKV_AWS_43 | resource | aws_kinesis_stream | Ensure Kinesis Stream is securely encrypted | Terraform | +| 119 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 120 | CKV_AWS_44 | resource | aws_neptune_cluster | Ensure Neptune storage is securely encrypted | Terraform | +| 121 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 122 | CKV_AWS_45 | resource | AWS::Serverless::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 123 | CKV_AWS_45 | resource | aws_lambda_function | Ensure no hard-coded secrets exist in lambda environment | Terraform | +| 124 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 125 | CKV_AWS_46 | resource | aws_instance | Ensure no hard-coded secrets exist in EC2 user data | Terraform | +| 126 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 127 | CKV_AWS_47 | resource | aws_dax_cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Terraform | +| 128 | CKV_AWS_48 | resource | aws_mq_broker | Ensure MQ Broker logging is enabled | Terraform | +| 129 | CKV_AWS_49 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 130 | CKV_AWS_49 | resource | serverless_aws | Ensure no IAM policies documents allow "*" as a statement's actions | serverless | +| 131 | CKV_AWS_50 | resource | aws_lambda_function | X-ray tracing is enabled for Lambda | Terraform | +| 132 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 133 | CKV_AWS_51 | resource | aws_ecr_repository | Ensure ECR Image Tags are immutable | Terraform | +| 134 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 135 | CKV_AWS_53 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public ACLS enabled | Terraform | +| 136 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 137 | CKV_AWS_54 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public policy enabled | Terraform | +| 138 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 139 | CKV_AWS_55 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has ignore public ACLs enabled | Terraform | +| 140 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 141 | CKV_AWS_56 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has 'restrict_public_bucket' enabled | Terraform | +| 142 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 143 | CKV_AWS_57 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | +| 144 | CKV_AWS_57 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | +| 145 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 146 | CKV_AWS_58 | resource | aws_eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Terraform | +| 147 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 148 | CKV_AWS_59 | resource | aws_api_gateway_method | Ensure there is no open access to back-end resources through API | Terraform | +| 149 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 150 | CKV_AWS_60 | resource | aws_iam_role | Ensure IAM role allows only specific services or principals to assume it | Terraform | +| 151 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 152 | CKV_AWS_61 | resource | aws_iam_role | Ensure IAM role allows only specific principals in account to assume it | Terraform | +| 153 | CKV_AWS_62 | resource | AWS::IAM::Group | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | +| 154 | CKV_AWS_62 | resource | AWS::IAM::Policy | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | +| 155 | CKV_AWS_62 | resource | AWS::IAM::Role | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | +| 156 | CKV_AWS_62 | resource | AWS::IAM::User | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | +| 157 | CKV_AWS_62 | resource | aws_iam_group_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 158 | CKV_AWS_62 | resource | aws_iam_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 159 | CKV_AWS_62 | resource | aws_iam_role_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 160 | CKV_AWS_62 | resource | aws_iam_user_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 161 | CKV_AWS_62 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 162 | CKV_AWS_63 | resource | AWS::IAM::Group | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | +| 163 | CKV_AWS_63 | resource | AWS::IAM::Policy | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | +| 164 | CKV_AWS_63 | resource | AWS::IAM::Role | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | +| 165 | CKV_AWS_63 | resource | AWS::IAM::User | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | +| 166 | CKV_AWS_63 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 167 | CKV_AWS_63 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 168 | CKV_AWS_63 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 169 | CKV_AWS_63 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 170 | CKV_AWS_63 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 171 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 172 | CKV_AWS_64 | resource | aws_redshift_cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Terraform | +| 173 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 174 | CKV_AWS_65 | resource | aws_ecs_cluster | Ensure container insights are enabled on ECS cluster | Terraform | +| 175 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 176 | CKV_AWS_66 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group specifies retention days | Terraform | +| 177 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 178 | CKV_AWS_67 | resource | aws_cloudtrail | Ensure CloudTrail is enabled in all Regions | Terraform | +| 179 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 180 | CKV_AWS_68 | resource | aws_cloudfront_distribution | CloudFront Distribution should have WAF enabled | Terraform | +| 181 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 182 | CKV_AWS_69 | resource | aws_mq_broker | Ensure MQ Broker is not publicly exposed | Terraform | +| 183 | CKV_AWS_70 | resource | aws_s3_bucket | Ensure S3 bucket does not allow an action with any Principal | Terraform | +| 184 | CKV_AWS_70 | resource | aws_s3_bucket_policy | Ensure S3 bucket does not allow an action with any Principal | Terraform | +| 185 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 186 | CKV_AWS_71 | resource | aws_redshift_cluster | Ensure Redshift Cluster logging is enabled | Terraform | +| 187 | CKV_AWS_72 | resource | aws_sqs_queue_policy | Ensure SQS policy does not allow ALL (*) actions. | Terraform | +| 188 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 189 | CKV_AWS_73 | resource | AWS::Serverless::Api | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 190 | CKV_AWS_73 | resource | aws_api_gateway_stage | Ensure API Gateway has X-Ray Tracing enabled | Terraform | +| 191 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 192 | CKV_AWS_74 | resource | aws_docdb_cluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Terraform | +| 193 | CKV_AWS_75 | resource | aws_globalaccelerator_accelerator | Ensure Global Accelerator accelerator has flow logs enabled | Terraform | +| 194 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 195 | CKV_AWS_76 | resource | AWS::Serverless::Api | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 196 | CKV_AWS_76 | resource | aws_api_gateway_stage | Ensure API Gateway has Access Logging enabled | Terraform | +| 197 | CKV_AWS_76 | resource | aws_apigatewayv2_stage | Ensure API Gateway has Access Logging enabled | Terraform | +| 198 | CKV_AWS_77 | resource | aws_athena_database | Ensure Athena Database is encrypted at rest (default is unencrypted) | Terraform | +| 199 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 200 | CKV_AWS_78 | resource | aws_codebuild_project | Ensure that CodeBuild Project encryption is not disabled | Terraform | +| 201 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 202 | CKV_AWS_79 | resource | aws_instance | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | +| 203 | CKV_AWS_79 | resource | aws_launch_configuration | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | +| 204 | CKV_AWS_79 | resource | aws_launch_template | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | +| 205 | CKV_AWS_80 | resource | aws_msk_cluster | Ensure MSK Cluster logging is enabled | Terraform | +| 206 | CKV_AWS_81 | resource | aws_msk_cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Terraform | +| 207 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 208 | CKV_AWS_82 | resource | aws_athena_workgroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Terraform | +| 209 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 210 | CKV_AWS_83 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | +| 211 | CKV_AWS_83 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | +| 212 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 213 | CKV_AWS_84 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | +| 214 | CKV_AWS_84 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | +| 215 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 216 | CKV_AWS_85 | resource | aws_docdb_cluster | Ensure DocDB Logging is enabled | Terraform | +| 217 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 218 | CKV_AWS_86 | resource | aws_cloudfront_distribution | Ensure Cloudfront distribution has Access Logging enabled | Terraform | +| 219 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 220 | CKV_AWS_87 | resource | aws_redshift_cluster | Redshift cluster should not be publicly accessible | Terraform | +| 221 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 222 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 223 | CKV_AWS_88 | resource | aws_instance | EC2 instance should not have public IP. | Terraform | +| 224 | CKV_AWS_88 | resource | aws_launch_template | EC2 instance should not have public IP. | Terraform | +| 225 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 226 | CKV_AWS_89 | resource | aws_dms_replication_instance | DMS replication instance should not be publicly accessible | Terraform | +| 227 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 228 | CKV_AWS_90 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB TLS is not disabled | Terraform | +| 229 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 230 | CKV_AWS_91 | resource | aws_alb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | +| 231 | CKV_AWS_91 | resource | aws_lb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | +| 232 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 233 | CKV_AWS_92 | resource | aws_elb | Ensure the ELB has access logging enabled | Terraform | +| 234 | CKV_AWS_93 | resource | aws_s3_bucket | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | +| 235 | CKV_AWS_93 | resource | aws_s3_bucket_policy | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | +| 236 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 237 | CKV_AWS_94 | resource | aws_glue_data_catalog_encryption_settings | Ensure Glue Data Catalog Encryption is enabled | Terraform | +| 238 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 239 | CKV_AWS_95 | resource | AWS::Serverless::HttpApi | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 240 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurora is securely encrypted at rest | Cloudformation | +| 241 | CKV_AWS_96 | resource | aws_rds_cluster | Ensure all data stored in Aurora is securely encrypted at rest | Terraform | +| 242 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 243 | CKV_AWS_97 | resource | aws_ecs_task_definition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Terraform | +| 244 | CKV_AWS_98 | resource | aws_sagemaker_endpoint_configuration | Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest | Terraform | +| 245 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 246 | CKV_AWS_99 | resource | aws_glue_security_configuration | Ensure Glue Security Configuration Encryption is enabled | Terraform | +| 247 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implicit SSH access from 0.0.0.0/0 | Cloudformation | +| 248 | CKV_AWS_100 | resource | aws_eks_node_group | Ensure Amazon EKS Node group has implicit SSH access from 0.0.0.0/0 | Terraform | +| 249 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 250 | CKV_AWS_101 | resource | aws_neptune_cluster | Ensure Neptune logging is enabled | Terraform | +| 251 | CKV_AWS_102 | resource | aws_neptune_cluster_instance | Ensure Neptune Cluster instance is not publicly available | Terraform | +| 252 | CKV_AWS_103 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure that Application Load Balancer Listener is using TLS v1.2 | Cloudformation | +| 253 | CKV_AWS_103 | resource | aws_alb_listener | Ensure that load balancer is using TLS 1.2 | Terraform | +| 254 | CKV_AWS_103 | resource | aws_lb_listener | Ensure that load balancer is using TLS 1.2 | Terraform | +| 255 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 256 | CKV_AWS_104 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB has audit logs enabled | Terraform | +| 257 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 258 | CKV_AWS_105 | resource | aws_redshift_parameter_group | Ensure Redshift uses SSL | Terraform | +| 259 | CKV_AWS_106 | resource | aws_ebs_encryption_by_default | Ensure EBS default encryption is enabled | Terraform | +| 260 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 261 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 262 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 263 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 264 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 265 | CKV_AWS_107 | data | aws_iam_policy_document | Ensure IAM policies does not allow credentials exposure | Terraform | +| 266 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 267 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 268 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 269 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 270 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 271 | CKV_AWS_108 | data | aws_iam_policy_document | Ensure IAM policies does not allow data exfiltration | Terraform | +| 272 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 273 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 274 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 275 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 276 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 277 | CKV_AWS_109 | data | aws_iam_policy_document | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | +| 278 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 279 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 280 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 281 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 282 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 283 | CKV_AWS_110 | data | aws_iam_policy_document | Ensure IAM policies does not allow privilege escalation | Terraform | +| 284 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 285 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 286 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 287 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 288 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 289 | CKV_AWS_111 | data | aws_iam_policy_document | Ensure IAM policies does not allow write access without constraints | Terraform | +| 290 | CKV_AWS_112 | resource | aws_ssm_document | Ensure Session Manager data is encrypted in transit | Terraform | +| 291 | CKV_AWS_113 | resource | aws_ssm_document | Ensure Session Manager logs are enabled and encrypted | Terraform | +| 292 | CKV_AWS_114 | resource | aws_emr_cluster | Ensure that EMR clusters with Kerberos have Kerberos Realm set | Terraform | +| 293 | CKV_AWS_115 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Terraform | +| 294 | CKV_AWS_116 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | +| 295 | CKV_AWS_116 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | +| 296 | CKV_AWS_116 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Terraform | +| 297 | CKV_AWS_117 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured inside a VPC | Terraform | +| 298 | CKV_AWS_118 | resource | aws_db_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | +| 299 | CKV_AWS_118 | resource | aws_rds_cluster_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | +| 300 | CKV_AWS_119 | resource | AWS::DynamoDB::Table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Cloudformation | +| 301 | CKV_AWS_119 | resource | aws_dynamodb_table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Terraform | +| 302 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 303 | CKV_AWS_120 | resource | AWS::Serverless::Api | Ensure API Gateway caching is enabled | Cloudformation | +| 304 | CKV_AWS_120 | resource | aws_api_gateway_stage | Ensure API Gateway caching is enabled | Terraform | +| 305 | CKV_AWS_121 | resource | aws_config_configuration_aggregator | Ensure AWS Config is enabled in all regions | Terraform | +| 306 | CKV_AWS_122 | resource | aws_sagemaker_notebook_instance | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance | Terraform | +| 307 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 308 | CKV_AWS_123 | resource | aws_vpc_endpoint_service | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Terraform | +| 309 | CKV_AWS_124 | resource | aws_cloudformation_stack | Ensure that CloudFormation stacks are sending event notifications to an SNS topic | Terraform | +| 310 | CKV_AWS_126 | resource | aws_instance | Ensure that detailed monitoring is enabled for EC2 instances | Terraform | +| 311 | CKV_AWS_127 | resource | aws_elb | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager | Terraform | +| 312 | CKV_AWS_128 | resource | aws_rds_cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | Terraform | +| 313 | CKV_AWS_129 | resource | aws_db_instance | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled | Terraform | +| 314 | CKV_AWS_130 | resource | aws_subnet | Ensure VPC subnets do not assign public IP by default | Terraform | +| 315 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 316 | CKV_AWS_131 | resource | aws_alb | Ensure that ALB drops HTTP headers | Terraform | +| 317 | CKV_AWS_131 | resource | aws_lb | Ensure that ALB drops HTTP headers | Terraform | +| 318 | CKV_AWS_133 | resource | aws_db_instance | Ensure that RDS instances has backup policy | Terraform | +| 319 | CKV_AWS_133 | resource | aws_rds_cluster | Ensure that RDS instances has backup policy | Terraform | +| 320 | CKV_AWS_134 | resource | aws_elasticache_cluster | Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on | Terraform | +| 321 | CKV_AWS_135 | resource | aws_instance | Ensure that EC2 is EBS optimized | Terraform | +| 322 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 323 | CKV_AWS_136 | resource | aws_ecr_repository | Ensure that ECR repositories are encrypted using KMS | Terraform | +| 324 | CKV_AWS_137 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | +| 325 | CKV_AWS_137 | resource | aws_opensearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | +| 326 | CKV_AWS_138 | resource | aws_elb | Ensure that ELB is cross-zone-load-balancing enabled | Terraform | +| 327 | CKV_AWS_139 | resource | aws_rds_cluster | Ensure that RDS clusters have deletion protection enabled | Terraform | +| 328 | CKV_AWS_140 | resource | aws_rds_global_cluster | Ensure that RDS global clusters are encrypted | Terraform | +| 329 | CKV_AWS_141 | resource | aws_redshift_cluster | Ensured that redshift cluster allowing version upgrade by default | Terraform | +| 330 | CKV_AWS_142 | resource | aws_redshift_cluster | Ensure that Redshift cluster is encrypted by KMS | Terraform | +| 331 | CKV_AWS_143 | resource | aws_s3_bucket | Ensure that S3 bucket has lock configuration enabled by default | Terraform | +| 332 | CKV_AWS_144 | resource | aws_s3_bucket | Ensure that S3 bucket has cross-region replication enabled | Terraform | +| 333 | CKV_AWS_145 | resource | aws_s3_bucket | Ensure that S3 buckets are encrypted with KMS by default | Terraform | +| 334 | CKV_AWS_145 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure that S3 buckets are encrypted with KMS by default | Terraform | +| 335 | CKV_AWS_146 | resource | aws_db_cluster_snapshot | Ensure that RDS database cluster snapshot is encrypted | Terraform | +| 336 | CKV_AWS_147 | resource | aws_codebuild_project | Ensure that CodeBuild projects are encrypted | Terraform | +| 337 | CKV_AWS_148 | resource | aws_default_vpc | Ensure no default VPC is planned to be provisioned | Terraform | +| 338 | CKV_AWS_149 | resource | AWS::SecretsManager::Secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Cloudformation | +| 339 | CKV_AWS_149 | resource | aws_secretsmanager_secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Terraform | +| 340 | CKV_AWS_150 | resource | aws_alb | Ensure that Load Balancer has deletion protection enabled | Terraform | +| 341 | CKV_AWS_150 | resource | aws_lb | Ensure that Load Balancer has deletion protection enabled | Terraform | +| 342 | CKV_AWS_152 | resource | aws_alb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | +| 343 | CKV_AWS_152 | resource | aws_lb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | +| 344 | CKV_AWS_153 | resource | aws_autoscaling_group | Autoscaling groups should supply tags to launch configurations | Terraform | +| 345 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 346 | CKV_AWS_154 | resource | aws_redshift_cluster | Ensure Redshift is not deployed outside of a VPC | Terraform | +| 347 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 348 | CKV_AWS_155 | resource | aws_workspaces_workspace | Ensure that Workspace user volumes are encrypted | Terraform | +| 349 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 350 | CKV_AWS_156 | resource | aws_workspaces_workspace | Ensure that Workspace root volumes are encrypted | Terraform | +| 351 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 352 | CKV_AWS_157 | resource | aws_db_instance | Ensure that RDS instances have Multi-AZ enabled | Terraform | +| 353 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 354 | CKV_AWS_158 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group is encrypted by KMS | Terraform | +| 355 | CKV_AWS_159 | resource | aws_athena_workgroup | Ensure that Athena Workgroup is encrypted | Terraform | +| 356 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 357 | CKV_AWS_160 | resource | aws_timestreamwrite_database | Ensure that Timestream database is encrypted with KMS CMK | Terraform | +| 358 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 359 | CKV_AWS_161 | resource | aws_db_instance | Ensure RDS database has IAM authentication enabled | Terraform | +| 360 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 361 | CKV_AWS_162 | resource | aws_rds_cluster | Ensure RDS cluster has IAM authentication enabled | Terraform | +| 362 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 363 | CKV_AWS_163 | resource | aws_ecr_repository | Ensure ECR image scanning on push is enabled | Terraform | +| 364 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 365 | CKV_AWS_164 | resource | aws_transfer_server | Ensure Transfer Server is not exposed publicly. | Terraform | +| 366 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 367 | CKV_AWS_165 | resource | aws_dynamodb_global_table | Ensure Dynamodb point in time recovery (backup) is enabled for global tables | Terraform | +| 368 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 369 | CKV_AWS_166 | resource | aws_backup_vault | Ensure Backup Vault is encrypted at rest using KMS CMK | Terraform | +| 370 | CKV_AWS_167 | resource | aws_glacier_vault | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it | Terraform | +| 371 | CKV_AWS_168 | resource | aws_sqs_queue | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | +| 372 | CKV_AWS_168 | resource | aws_sqs_queue_policy | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | +| 373 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform | +| 374 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 375 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | +| 376 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | +| 377 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | +| 378 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | +| 379 | CKV_AWS_173 | resource | AWS::Lambda::Function | Check encryption settings for Lambda environmental variable | Cloudformation | +| 380 | CKV_AWS_173 | resource | AWS::Serverless::Function | Check encryption settings for Lambda environmental variable | Cloudformation | +| 381 | CKV_AWS_173 | resource | aws_lambda_function | Check encryption settings for Lambda environmental variable | Terraform | +| 382 | CKV_AWS_174 | resource | AWS::CloudFront::Distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Cloudformation | +| 383 | CKV_AWS_174 | resource | aws_cloudfront_distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Terraform | +| 384 | CKV_AWS_175 | resource | aws_waf_web_acl | Ensure WAF has associated rules | Terraform | +| 385 | CKV_AWS_175 | resource | aws_wafregional_web_acl | Ensure WAF has associated rules | Terraform | +| 386 | CKV_AWS_175 | resource | aws_wafv2_web_acl | Ensure WAF has associated rules | Terraform | +| 387 | CKV_AWS_176 | resource | aws_waf_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | +| 388 | CKV_AWS_176 | resource | aws_wafregional_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | +| 389 | CKV_AWS_177 | resource | aws_kinesis_video_stream | Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 390 | CKV_AWS_178 | resource | aws_fsx_ontap_file_system | Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 391 | CKV_AWS_179 | resource | aws_fsx_windows_file_system | Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 392 | CKV_AWS_180 | resource | aws_imagebuilder_component | Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 393 | CKV_AWS_181 | resource | aws_s3_object_copy | Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 394 | CKV_AWS_182 | resource | aws_docdb_cluster | Ensure Doc DB is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 395 | CKV_AWS_183 | resource | aws_ebs_snapshot_copy | Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 396 | CKV_AWS_184 | resource | aws_efs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 397 | CKV_AWS_185 | resource | aws_kinesis_stream | Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 398 | CKV_AWS_186 | resource | aws_s3_bucket_object | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 399 | CKV_AWS_187 | resource | aws_sagemaker_domain | Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 400 | CKV_AWS_188 | resource | aws_redshift_cluster | Ensure RedShift Cluster is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 401 | CKV_AWS_189 | resource | aws_ebs_volume | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 402 | CKV_AWS_190 | resource | aws_fsx_lustre_file_system | Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 403 | CKV_AWS_191 | resource | aws_elasticache_replication_group | Ensure Elasticache replication group is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 404 | CKV_AWS_192 | resource | AWS::WAFv2::WebACL | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Cloudformation | +| 405 | CKV_AWS_192 | resource | aws_wafv2_web_acl | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | +| 406 | CKV_AWS_193 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Logging enabled | Cloudformation | +| 407 | CKV_AWS_193 | resource | aws_appsync_graphql_api | Ensure AppSync has Logging enabled | Terraform | +| 408 | CKV_AWS_194 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Field-Level logs enabled | Cloudformation | +| 409 | CKV_AWS_194 | resource | aws_appsync_graphql_api | Ensure AppSync has Field-Level logs enabled | Terraform | +| 410 | CKV_AWS_195 | resource | AWS::Glue::Crawler | Ensure Glue component has a security configuration associated | Cloudformation | +| 411 | CKV_AWS_195 | resource | AWS::Glue::DevEndpoint | Ensure Glue component has a security configuration associated | Cloudformation | +| 412 | CKV_AWS_195 | resource | AWS::Glue::Job | Ensure Glue component has a security configuration associated | Cloudformation | +| 413 | CKV_AWS_195 | resource | aws_glue_crawler | Ensure Glue component has a security configuration associated | Terraform | +| 414 | CKV_AWS_195 | resource | aws_glue_dev_endpoint | Ensure Glue component has a security configuration associated | Terraform | +| 415 | CKV_AWS_195 | resource | aws_glue_job | Ensure Glue component has a security configuration associated | Terraform | +| 416 | CKV_AWS_196 | resource | aws_elasticache_security_group | Ensure no aws_elasticache_security_group resources exist | Terraform | +| 417 | CKV_AWS_197 | resource | aws_mq_broker | Ensure MQ Broker Audit logging is enabled | Terraform | +| 418 | CKV_AWS_198 | resource | aws_db_security_group | Ensure no aws_db_security_group resources exist | Terraform | +| 419 | CKV_AWS_199 | resource | aws_imagebuilder_distribution_configuration | Ensure Image Builder Distribution Configuration encrypts AMI's using KMS - a customer managed Key (CMK) | Terraform | +| 420 | CKV_AWS_200 | resource | aws_imagebuilder_image_recipe | Ensure that Image Recipe EBS Disk are encrypted with CMK | Terraform | +| 421 | CKV_AWS_201 | resource | aws_memorydb_cluster | Ensure MemoryDB is encrypted at rest using KMS CMKs | Terraform | +| 422 | CKV_AWS_202 | resource | aws_memorydb_cluster | Ensure MemoryDB data is encrypted in transit | Terraform | +| 423 | CKV_AWS_203 | resource | aws_fsx_openzfs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 424 | CKV_AWS_204 | resource | aws_ami | Ensure AMIs are encrypted using KMS CMKs | Terraform | +| 425 | CKV_AWS_205 | resource | aws_ami_launch_permission | Ensure to Limit AMI launch Permissions | Terraform | +| 426 | CKV_AWS_206 | resource | aws_api_gateway_domain_name | Ensure API Gateway Domain uses a modern security Policy | Terraform | +| 427 | CKV_AWS_207 | resource | aws_mq_broker | Ensure MQ Broker minor version updates are enabled | Terraform | +| 428 | CKV_AWS_208 | resource | aws_mq_broker | Ensure MQBroker version is current | Terraform | +| 429 | CKV_AWS_208 | resource | aws_mq_configuration | Ensure MQBroker version is current | Terraform | +| 430 | CKV_AWS_209 | resource | aws_mq_broker | Ensure MQ broker encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 431 | CKV_AWS_210 | resource | aws_batch_job_definition | Batch job does not define a privileged container | Terraform | +| 432 | CKV_AWS_211 | resource | aws_db_instance | Ensure RDS uses a modern CaCert | Terraform | +| 433 | CKV_AWS_212 | resource | aws_dms_replication_instance | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 434 | CKV_AWS_213 | resource | aws_load_balancer_policy | Ensure ELB Policy uses only secure protocols | Terraform | +| 435 | CKV_AWS_214 | resource | aws_appsync_api_cache | Ensure Appsync API Cache is encrypted at rest | Terraform | +| 436 | CKV_AWS_215 | resource | aws_appsync_api_cache | Ensure Appsync API Cache is encrypted in transit | Terraform | +| 437 | CKV_AWS_216 | resource | aws_cloudfront_distribution | Ensure Cloudfront distribution is enabled | Terraform | +| 438 | CKV_AWS_217 | resource | aws_api_gateway_deployment | Ensure Create before destroy for API deployments | Terraform | +| 439 | CKV_AWS_218 | resource | aws_cloudsearch_domain | Ensure that Cloudsearch is using latest TLS | Terraform | +| 440 | CKV_AWS_219 | resource | aws_codepipeline | Ensure Code Pipeline Artifact store is using a KMS CMK | Terraform | +| 441 | CKV_AWS_220 | resource | aws_cloudsearch_domain | Ensure that Cloudsearch is using https | Terraform | +| 442 | CKV_AWS_221 | resource | aws_codeartifact_domain | Ensure Code artifact Domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 443 | CKV_AWS_222 | resource | aws_dms_replication_instance | Ensure DMS instance gets all minor upgrade automatically | Terraform | +| 444 | CKV_AWS_223 | resource | aws_ecs_cluster | Ensure ECS Cluster enables logging of ECS Exec | Terraform | +| 445 | CKV_AWS_224 | resource | aws_ecs_cluster | Ensure Cluster logging with CMK | Terraform | +| 446 | CKV_AWS_225 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is enabled | Terraform | +| 447 | CKV_AWS_226 | resource | aws_db_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | +| 448 | CKV_AWS_226 | resource | aws_rds_cluster_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | +| 449 | CKV_AWS_227 | resource | aws_kms_key | Ensure KMS key is enabled | Terraform | +| 450 | CKV_AWS_228 | resource | aws_elasticsearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | +| 451 | CKV_AWS_228 | resource | aws_opensearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | +| 452 | CKV_AWS_229 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | +| 453 | CKV_AWS_229 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | +| 454 | CKV_AWS_230 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | +| 455 | CKV_AWS_230 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | +| 456 | CKV_AWS_231 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | +| 457 | CKV_AWS_231 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | +| 458 | CKV_AWS_232 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | +| 459 | CKV_AWS_232 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | +| 460 | CKV_AWS_233 | resource | aws_acm_certificate | Ensure Create before destroy for ACM certificates | Terraform | +| 461 | CKV_AWS_234 | resource | aws_acm_certificate | Verify logging preference for ACM certificates | Terraform | +| 462 | CKV_AWS_235 | resource | aws_ami_copy | Ensure that copied AMIs are encrypted | Terraform | +| 463 | CKV_AWS_236 | resource | aws_ami_copy | Ensure AMI copying uses a CMK | Terraform | +| 464 | CKV_AWS_237 | resource | aws_api_gateway_rest_api | Ensure Create before destroy for API GATEWAY | Terraform | +| 465 | CKV_AWS_238 | resource | aws_guardduty_detector | Ensure that Guard Duty detector is enabled | Terraform | +| 466 | CKV_AWS_239 | resource | aws_dax_cluster | Ensure DAX cluster endpoint is using TLS | Terraform | +| 467 | CKV_AWS_240 | resource | aws_kinesis_firehose_delivery_stream | Ensure Kinesis Firehose delivery stream is encrypted | Terraform | +| 468 | CKV_AWS_241 | resource | aws_kinesis_firehose_delivery_stream | Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK | Terraform | +| 469 | CKV_AWS_242 | resource | aws_mwaa_environment | Ensure MWAA environment has scheduler logs enabled | Terraform | +| 470 | CKV_AWS_243 | resource | aws_mwaa_environment | Ensure MWAA environment has worker logs enabled | Terraform | +| 471 | CKV_AWS_244 | resource | aws_mwaa_environment | Ensure MWAA environment has webserver logs enabled | Terraform | +| 472 | CKV_AWS_245 | resource | aws_db_instance_automated_backups_replication | Ensure replicated backups are encrypted at rest using KMS CMKs | Terraform | +| 473 | CKV_AWS_246 | resource | aws_rds_cluster_activity_stream | Ensure RDS Cluster activity streams are encrypted using KMS CMKs | Terraform | +| 474 | CKV_AWS_247 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | +| 475 | CKV_AWS_247 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | +| 476 | CKV_AWS_248 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | +| 477 | CKV_AWS_248 | resource | aws_opensearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | +| 478 | CKV_AWS_249 | resource | aws_ecs_task_definition | Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions | Terraform | +| 479 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 480 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 481 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 482 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 483 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 484 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 485 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 486 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 487 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to another resource | Terraform | +| 488 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 489 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 490 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 491 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 492 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | +| 493 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | +| 494 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | +| 495 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | +| 496 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 497 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 498 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 499 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 500 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 501 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 502 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 503 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 504 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | +| 505 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 506 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 507 | CKV2_AWS_20 | resource | aws_alb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 508 | CKV2_AWS_20 | resource | aws_alb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 509 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 510 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 511 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | +| 512 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | +| 513 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | +| 514 | CKV2_AWS_27 | resource | aws_rds_cluster | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | +| 515 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | +| 516 | CKV2_AWS_28 | resource | aws_alb | Ensure public facing ALB are protected by WAF | Terraform | +| 517 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | +| 518 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 519 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 520 | CKV2_AWS_30 | resource | aws_db_instance | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | +| 521 | CKV2_AWS_30 | resource | aws_db_parameter_group | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | +| 522 | CKV2_AWS_31 | resource | aws_wafv2_web_acl | Ensure WAF2 has a Logging Configuration | Terraform | +| 523 | CKV2_AWS_32 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a strict security headers policy attached | Terraform | +| 524 | CKV2_AWS_32 | resource | aws_cloudfront_response_headers_policy | Ensure CloudFront distribution has a strict security headers policy attached | Terraform | +| 525 | CKV2_AWS_33 | resource | aws_appsync_graphql_api | Ensure AppSync is protected by WAF | Terraform | +| 526 | CKV2_AWS_34 | resource | aws_ssm_parameter | AWS SSM Parameter should be Encrypted | Terraform | +| 527 | CKV2_AWS_35 | resource | aws_route | AWS NAT Gateways should be utilized for the default route | Terraform | +| 528 | CKV2_AWS_35 | resource | aws_route_table | AWS NAT Gateways should be utilized for the default route | Terraform | +| 529 | CKV2_AWS_36 | resource | aws_ssm_parameter | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | +| 530 | CKV2_AWS_36 | resource | data.http | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | +| 531 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | +| 532 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Bicep | +| 533 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | +| 534 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | +| 535 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm | +| 536 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | Bicep | +| 537 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | +| 538 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm | +| 539 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | Bicep | +| 540 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'Secure transfer required' is set to 'Enabled' | Terraform | +| 541 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm | +| 542 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | Bicep | +| 543 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | +| 544 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm | +| 545 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | Bicep | +| 546 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | +| 547 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | arm | +| 548 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | Bicep | +| 549 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | +| 550 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm | +| 551 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | Bicep | +| 552 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | +| 553 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm | +| 554 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | Bicep | +| 555 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kubernetes Dashboard is disabled | Terraform | +| 556 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm | +| 557 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | Bicep | +| 558 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm | +| 559 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | Bicep | +| 560 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | +| 561 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | +| 562 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm | +| 563 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | Bicep | +| 564 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm | +| 565 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | Bicep | +| 566 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | +| 567 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | +| 568 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm | +| 569 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Bicep | +| 570 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 571 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 572 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 573 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 574 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | +| 575 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | +| 576 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | +| 577 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | +| 578 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | +| 579 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | +| 580 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | +| 581 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | +| 582 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | +| 583 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm | +| 584 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | Bicep | +| 585 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | +| 586 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm | +| 587 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | Bicep | +| 588 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm | +| 589 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Bicep | +| 590 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | +| 591 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm | +| 592 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | Bicep | +| 593 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | +| 594 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm | +| 595 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | Bicep | +| 596 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | +| 597 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm | +| 598 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Bicep | +| 599 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | +| 600 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm | +| 601 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | Bicep | +| 602 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | +| 603 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm | +| 604 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | Bicep | +| 605 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | +| 606 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm | +| 607 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | Bicep | +| 608 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | +| 609 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | +| 610 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | +| 611 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | +| 612 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | +| 613 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | +| 614 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | +| 615 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | +| 616 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | +| 617 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | +| 618 | CKV_AZURE_23 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | +| 619 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | +| 620 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | arm | +| 621 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Bicep | +| 622 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | +| 623 | CKV_AZURE_24 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | +| 624 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | +| 625 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | arm | +| 626 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | Bicep | +| 627 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | +| 628 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm | +| 629 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Bicep | +| 630 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | +| 631 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | arm | +| 632 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Bicep | +| 633 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | +| 634 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm | +| 635 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Bicep | +| 636 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | +| 637 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | arm | +| 638 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Bicep | +| 639 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | +| 640 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | +| 641 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | +| 642 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 643 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | +| 644 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | +| 645 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | +| 646 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | +| 647 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 648 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | +| 649 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | +| 650 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | +| 651 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | +| 652 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 653 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | +| 654 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | +| 655 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm | +| 656 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Bicep | +| 657 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | +| 658 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | +| 659 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | +| 660 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | +| 661 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | +| 662 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | +| 663 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | arm | +| 664 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | +| 665 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm | +| 666 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | Bicep | +| 667 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | +| 668 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | +| 669 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm | +| 670 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Bicep | +| 671 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | +| 672 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | +| 673 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | +| 674 | CKV_AZURE_37 | resource | microsoft.insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm | +| 675 | CKV_AZURE_37 | resource | microsoft.insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | Bicep | +| 676 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | +| 677 | CKV_AZURE_38 | resource | microsoft.insights/logprofiles | Ensure audit profile captures all the activities | arm | +| 678 | CKV_AZURE_38 | resource | microsoft.insights/logprofiles | Ensure audit profile captures all the activities | Bicep | +| 679 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm | +| 680 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | Bicep | +| 681 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | +| 682 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | +| 683 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm | +| 684 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | Bicep | +| 685 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | +| 686 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm | +| 687 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | Bicep | +| 688 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | +| 689 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure Storage Accounts adhere to the naming rules | Terraform | +| 690 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | +| 691 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | +| 692 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | arm | +| 693 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Bicep | +| 694 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | +| 695 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | +| 696 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | arm | +| 697 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Bicep | +| 698 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | +| 699 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | +| 700 | CKV_AZURE_50 | resource | azurerm_windows_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | +| 701 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | +| 702 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | +| 703 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | +| 704 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | +| 705 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | +| 706 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | +| 707 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | +| 708 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | +| 709 | CKV_AZURE_60 | resource | azurerm_storage_account | Ensure that storage account enables secure transfer | Terraform | +| 710 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | +| 711 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | +| 712 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | +| 713 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | +| 714 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | +| 715 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | +| 716 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | +| 717 | CKV_AZURE_67 | resource | azurerm_function_app_slot | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | +| 718 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | +| 719 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | +| 720 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | +| 721 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | +| 722 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | +| 723 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | +| 724 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | +| 725 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | +| 726 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | +| 727 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses disk encryption | Terraform | +| 728 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | +| 729 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | +| 730 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | +| 731 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | +| 732 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | +| 733 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | +| 734 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | +| 735 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | +| 736 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | +| 737 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | +| 738 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | +| 739 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | +| 740 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | +| 741 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | +| 742 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | +| 743 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | +| 744 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | +| 745 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | +| 746 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | +| 747 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | +| 748 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | +| 749 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | +| 750 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | +| 751 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | +| 752 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | +| 753 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | +| 754 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | +| 755 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | +| 756 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | +| 757 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | +| 758 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | +| 759 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | +| 760 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | +| 761 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | +| 762 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | +| 763 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | +| 764 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | +| 765 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | +| 766 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | +| 767 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | +| 768 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | +| 769 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | +| 770 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | +| 771 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | +| 772 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | +| 773 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | +| 774 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | +| 775 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | +| 776 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | +| 777 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | +| 778 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | +| 779 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | +| 780 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | +| 781 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | +| 782 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | +| 783 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | +| 784 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | +| 785 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | +| 786 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | +| 787 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | +| 788 | CKV_AZURE_131 | parameter | string | SecureString parameter should not have hardcoded default values | Bicep | +| 789 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | arm | +| 790 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Bicep | +| 791 | CKV_AZURE_132 | resource | azurerm_cosmosdb_account | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Terraform | +| 792 | CKV_AZURE_133 | resource | azurerm_frontdoor_firewall_policy | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | +| 793 | CKV_AZURE_134 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable public network access | Terraform | +| 794 | CKV_AZURE_135 | resource | azurerm_web_application_firewall_policy | Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | +| 795 | CKV_AZURE_136 | resource | azurerm_postgresql_flexible_server | Ensure that PostgreSQL Flexible server enables geo-redundant backups | Terraform | +| 796 | CKV_AZURE_137 | resource | azurerm_container_registry | Ensure ACR admin account is disabled | Terraform | +| 797 | CKV_AZURE_138 | resource | azurerm_container_registry | Ensures that ACR disables anonymous pulling of images | Terraform | +| 798 | CKV_AZURE_139 | resource | azurerm_container_registry | Ensure ACR set to disable public networking | Terraform | +| 799 | CKV_AZURE_140 | resource | azurerm_cosmosdb_account | Ensure that Local Authentication is disabled on CosmosDB | Terraform | +| 800 | CKV_AZURE_141 | resource | azurerm_kubernetes_cluster | Ensure AKS local admin account is disabled | Terraform | +| 801 | CKV_AZURE_142 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Local Authentication is disabled | Terraform | +| 802 | CKV_AZURE_143 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster nodes do not have public IP addresses | Terraform | +| 803 | CKV_AZURE_144 | resource | azurerm_machine_learning_workspace | Ensure that Public Access is disabled for Machine Learning Workspace | Terraform | +| 804 | CKV_AZURE_145 | resource | azurerm_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | +| 805 | CKV_AZURE_146 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 806 | CKV_AZURE_147 | resource | azurerm_postgresql_server | Ensure PostgreSQL is using the latest version of TLS encryption | Terraform | +| 807 | CKV_AZURE_148 | resource | azurerm_redis_cache | Ensure Redis Cache is using the latest version of TLS encryption | Terraform | +| 808 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine | Ensure that Virtual machine does not enable password authentication | Terraform | +| 809 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine does not enable password authentication | Terraform | +| 810 | CKV_AZURE_150 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 | Terraform | +| 811 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform | +| 812 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform | +| 813 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | +| 814 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | +| 815 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | +| 816 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | +| 817 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | +| 818 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure that databricks workspace has not public | Terraform | +| 819 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | +| 820 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | +| 821 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | +| 822 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 823 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 824 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 825 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 826 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 827 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 828 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | +| 829 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | +| 830 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | +| 831 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | +| 832 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 833 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 834 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 835 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 836 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 837 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 838 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | +| 839 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 840 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 841 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | +| 842 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 843 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 844 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | +| 845 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | +| 846 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 847 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 848 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 849 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 850 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | +| 851 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 852 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 853 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 854 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 855 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 856 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 857 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | +| 858 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 859 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 860 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 861 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 862 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 863 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 864 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | +| 865 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | +| 866 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | +| 867 | CKV_BITBUCKET_1 | bitbucket_configuration | * | Merge requests should require at least 2 approvals | bitbucket_configuration | +| 868 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | +| 869 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | +| 870 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | +| 871 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | +| 872 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | +| 873 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | +| 874 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | +| 875 | CKV_DOCKER_4 | dockerfile | ADD | Ensure that COPY is used instead of ADD in Dockerfiles | dockerfile | +| 876 | CKV_DOCKER_5 | dockerfile | RUN | Ensure update instructions are not use alone in the Dockerfile | dockerfile | +| 877 | CKV_DOCKER_6 | dockerfile | MAINTAINER | Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated) | dockerfile | +| 878 | CKV_DOCKER_7 | dockerfile | FROM | Ensure the base image uses a non latest version tag | dockerfile | +| 879 | CKV_DOCKER_8 | dockerfile | USER | Ensure the last USER is not root | dockerfile | +| 880 | CKV_DOCKER_9 | dockerfile | RUN | Ensure that APT isn't used | dockerfile | +| 881 | CKV_DOCKER_10 | dockerfile | WORKDIR | Ensure that WORKDIR values are absolute paths | dockerfile | +| 882 | CKV_DOCKER_11 | dockerfile | FROM | Ensure From Alias are unique for multistage builds. | dockerfile | +| 883 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | +| 884 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | +| 885 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | +| 886 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | +| 887 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | +| 888 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | +| 889 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | +| 890 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | +| 891 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | +| 892 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | +| 893 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | +| 894 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | +| 895 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | +| 896 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | +| 897 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | +| 898 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | +| 899 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | +| 900 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | +| 901 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | +| 902 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | +| 903 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | +| 904 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | +| 905 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | +| 906 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | +| 907 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | +| 908 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | +| 909 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | +| 910 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | +| 911 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | +| 912 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | +| 913 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | +| 914 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform | +| 915 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | +| 916 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | +| 917 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | +| 918 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | +| 919 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | +| 920 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | +| 921 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | +| 922 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | +| 923 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | +| 924 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | +| 925 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | +| 926 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | +| 927 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | +| 928 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | +| 929 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | +| 930 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | +| 931 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 932 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 933 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | +| 934 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | +| 935 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | +| 936 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | +| 937 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | +| 938 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | +| 939 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | +| 940 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | +| 941 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | +| 942 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | +| 943 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | +| 944 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | +| 945 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | +| 946 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | +| 947 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | +| 948 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | +| 949 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | +| 950 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | +| 951 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | +| 952 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | +| 953 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | +| 954 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | +| 955 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | +| 956 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | +| 957 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | +| 958 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | +| 959 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | +| 960 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | +| 961 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | +| 962 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | +| 963 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | +| 964 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | +| 965 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | +| 966 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | +| 967 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | +| 968 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | +| 969 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | +| 970 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | +| 971 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | +| 972 | CKV_GCP_67 | resource | google_container_cluster | Ensure legacy Compute Engine instance metadata APIs are Disabled | Terraform | +| 973 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | +| 974 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | +| 975 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | +| 976 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | +| 977 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | +| 978 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | +| 979 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | +| 980 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | +| 981 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | +| 982 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | +| 983 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | +| 984 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | +| 985 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | +| 986 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | +| 987 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | +| 988 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 989 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 990 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | +| 991 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 992 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 993 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 994 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | +| 995 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | +| 996 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | +| 997 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | +| 998 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 999 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 1000 | CKV_GCP_92 | resource | google_vertex_ai_dataset | Ensure Vertex AI datasets uses a CMK (Customer Manager Key) | Terraform | +| 1001 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 1002 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | +| 1003 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | +| 1004 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Manager Key) | Terraform | +| 1005 | CKV_GCP_97 | resource | google_redis_instance | Ensure Memorystore for Redis uses intransit encryption | Terraform | +| 1006 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | +| 1007 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | +| 1008 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | +| 1009 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | +| 1010 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | +| 1011 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | +| 1012 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | +| 1013 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | +| 1014 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | +| 1015 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | +| 1016 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | +| 1017 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | +| 1018 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | +| 1019 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | +| 1020 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 1021 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 1022 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 1023 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 1024 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 1025 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 1026 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 1027 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 1028 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 1029 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 1030 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 1031 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 1032 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | +| 1033 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | +| 1034 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | +| 1035 | CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | +| 1036 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | +| 1037 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | +| 1038 | CKV_GHA_1 | jobs | jobs | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables on a job | github_actions | +| 1039 | CKV_GHA_2 | jobs | jobs | Ensure run commands are not vulnerable to shell injection | github_actions | +| 1040 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | +| 1041 | CKV_GIT_2 | resource | github_repository_webhook | Ensure Repository Webhook uses secure Ssl | Terraform | +| 1042 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | +| 1043 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure Secrets are encrypted | Terraform | +| 1044 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure Secrets are encrypted | Terraform | +| 1045 | CKV_GIT_4 | resource | github_actions_secret | Ensure Secrets are encrypted | Terraform | +| 1046 | CKV_GITHUB_1 | github_configuration | * | Ensure GitHub organization security settings require 2FA | github_configuration | +| 1047 | CKV_GITHUB_2 | github_configuration | * | Ensure GitHub organization security settings require SSO | github_configuration | +| 1048 | CKV_GITHUB_3 | github_configuration | * | Ensure GitHub organization security settings has IP allow list enabled | github_configuration | +| 1049 | CKV_GITHUB_4 | github_configuration | * | Ensure GitHub branch protection rules requires signed commits | github_configuration | +| 1050 | CKV_GITHUB_5 | github_configuration | * | Ensure GitHub branch protection rules does not allow force pushes | github_configuration | +| 1051 | CKV_GITLAB_1 | gitlab_configuration | * | Merge requests should require at least 2 approvals | gitlab_configuration | +| 1052 | CKV_GITLAB_2 | gitlab_configuration | * | Ensure all Gitlab groups require two factor authentication | gitlab_configuration | +| 1053 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | +| 1054 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host process ID namespace | Terraform | +| 1055 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | +| 1056 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | +| 1057 | CKV_K8S_3 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace | Kubernetes | +| 1058 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host IPC namespace | Terraform | +| 1059 | CKV_K8S_4 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace | Kubernetes | +| 1060 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | +| 1061 | CKV_K8S_5 | resource | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation | Kubernetes | +| 1062 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | +| 1063 | CKV_K8S_6 | resource | PodSecurityPolicy | Do not admit root containers | Kubernetes | +| 1064 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | +| 1065 | CKV_K8S_7 | resource | PodSecurityPolicy | Do not admit containers with the NET_RAW capability | Kubernetes | +| 1066 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | +| 1067 | CKV_K8S_8 | resource | DaemonSet | Liveness Probe Should be Configured | Kubernetes | +| 1068 | CKV_K8S_8 | resource | Deployment | Liveness Probe Should be Configured | Kubernetes | +| 1069 | CKV_K8S_8 | resource | Pod | Liveness Probe Should be Configured | Kubernetes | +| 1070 | CKV_K8S_8 | resource | PodTemplate | Liveness Probe Should be Configured | Kubernetes | +| 1071 | CKV_K8S_8 | resource | ReplicaSet | Liveness Probe Should be Configured | Kubernetes | +| 1072 | CKV_K8S_8 | resource | ReplicationController | Liveness Probe Should be Configured | Kubernetes | +| 1073 | CKV_K8S_8 | resource | StatefulSet | Liveness Probe Should be Configured | Kubernetes | +| 1074 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | +| 1075 | CKV_K8S_9 | resource | DaemonSet | Readiness Probe Should be Configured | Kubernetes | +| 1076 | CKV_K8S_9 | resource | Deployment | Readiness Probe Should be Configured | Kubernetes | +| 1077 | CKV_K8S_9 | resource | Pod | Readiness Probe Should be Configured | Kubernetes | +| 1078 | CKV_K8S_9 | resource | PodTemplate | Readiness Probe Should be Configured | Kubernetes | +| 1079 | CKV_K8S_9 | resource | ReplicaSet | Readiness Probe Should be Configured | Kubernetes | +| 1080 | CKV_K8S_9 | resource | ReplicationController | Readiness Probe Should be Configured | Kubernetes | +| 1081 | CKV_K8S_9 | resource | StatefulSet | Readiness Probe Should be Configured | Kubernetes | +| 1082 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | +| 1083 | CKV_K8S_10 | resource | CronJob | CPU requests should be set | Kubernetes | +| 1084 | CKV_K8S_10 | resource | DaemonSet | CPU requests should be set | Kubernetes | +| 1085 | CKV_K8S_10 | resource | Deployment | CPU requests should be set | Kubernetes | +| 1086 | CKV_K8S_10 | resource | Job | CPU requests should be set | Kubernetes | +| 1087 | CKV_K8S_10 | resource | Pod | CPU requests should be set | Kubernetes | +| 1088 | CKV_K8S_10 | resource | PodTemplate | CPU requests should be set | Kubernetes | +| 1089 | CKV_K8S_10 | resource | ReplicaSet | CPU requests should be set | Kubernetes | +| 1090 | CKV_K8S_10 | resource | ReplicationController | CPU requests should be set | Kubernetes | +| 1091 | CKV_K8S_10 | resource | StatefulSet | CPU requests should be set | Kubernetes | +| 1092 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | +| 1093 | CKV_K8S_11 | resource | CronJob | CPU limits should be set | Kubernetes | +| 1094 | CKV_K8S_11 | resource | DaemonSet | CPU limits should be set | Kubernetes | +| 1095 | CKV_K8S_11 | resource | Deployment | CPU limits should be set | Kubernetes | +| 1096 | CKV_K8S_11 | resource | Job | CPU limits should be set | Kubernetes | +| 1097 | CKV_K8S_11 | resource | Pod | CPU limits should be set | Kubernetes | +| 1098 | CKV_K8S_11 | resource | PodTemplate | CPU limits should be set | Kubernetes | +| 1099 | CKV_K8S_11 | resource | ReplicaSet | CPU limits should be set | Kubernetes | +| 1100 | CKV_K8S_11 | resource | ReplicationController | CPU limits should be set | Kubernetes | +| 1101 | CKV_K8S_11 | resource | StatefulSet | CPU limits should be set | Kubernetes | +| 1102 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | +| 1103 | CKV_K8S_12 | resource | CronJob | Memory requests should be set | Kubernetes | +| 1104 | CKV_K8S_12 | resource | DaemonSet | Memory requests should be set | Kubernetes | +| 1105 | CKV_K8S_12 | resource | Deployment | Memory requests should be set | Kubernetes | +| 1106 | CKV_K8S_12 | resource | Job | Memory requests should be set | Kubernetes | +| 1107 | CKV_K8S_12 | resource | Pod | Memory requests should be set | Kubernetes | +| 1108 | CKV_K8S_12 | resource | PodTemplate | Memory requests should be set | Kubernetes | +| 1109 | CKV_K8S_12 | resource | ReplicaSet | Memory requests should be set | Kubernetes | +| 1110 | CKV_K8S_12 | resource | ReplicationController | Memory requests should be set | Kubernetes | +| 1111 | CKV_K8S_12 | resource | StatefulSet | Memory requests should be set | Kubernetes | +| 1112 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should be set | Terraform | +| 1113 | CKV_K8S_13 | resource | CronJob | Memory limits should be set | Kubernetes | +| 1114 | CKV_K8S_13 | resource | DaemonSet | Memory limits should be set | Kubernetes | +| 1115 | CKV_K8S_13 | resource | Deployment | Memory limits should be set | Kubernetes | +| 1116 | CKV_K8S_13 | resource | Job | Memory limits should be set | Kubernetes | +| 1117 | CKV_K8S_13 | resource | Pod | Memory limits should be set | Kubernetes | +| 1118 | CKV_K8S_13 | resource | PodTemplate | Memory limits should be set | Kubernetes | +| 1119 | CKV_K8S_13 | resource | ReplicaSet | Memory limits should be set | Kubernetes | +| 1120 | CKV_K8S_13 | resource | ReplicationController | Memory limits should be set | Kubernetes | +| 1121 | CKV_K8S_13 | resource | StatefulSet | Memory limits should be set | Kubernetes | +| 1122 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | +| 1123 | CKV_K8S_14 | resource | CronJob | Image Tag should be fixed - not latest or blank | Kubernetes | +| 1124 | CKV_K8S_14 | resource | DaemonSet | Image Tag should be fixed - not latest or blank | Kubernetes | +| 1125 | CKV_K8S_14 | resource | Deployment | Image Tag should be fixed - not latest or blank | Kubernetes | +| 1126 | CKV_K8S_14 | resource | Job | Image Tag should be fixed - not latest or blank | Kubernetes | +| 1127 | CKV_K8S_14 | resource | Pod | Image Tag should be fixed - not latest or blank | Kubernetes | +| 1128 | CKV_K8S_14 | resource | PodTemplate | Image Tag should be fixed - not latest or blank | Kubernetes | +| 1129 | CKV_K8S_14 | resource | ReplicaSet | Image Tag should be fixed - not latest or blank | Kubernetes | +| 1130 | CKV_K8S_14 | resource | ReplicationController | Image Tag should be fixed - not latest or blank | Kubernetes | +| 1131 | CKV_K8S_14 | resource | StatefulSet | Image Tag should be fixed - not latest or blank | Kubernetes | +| 1132 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | +| 1133 | CKV_K8S_15 | resource | CronJob | Image Pull Policy should be Always | Kubernetes | +| 1134 | CKV_K8S_15 | resource | DaemonSet | Image Pull Policy should be Always | Kubernetes | +| 1135 | CKV_K8S_15 | resource | Deployment | Image Pull Policy should be Always | Kubernetes | +| 1136 | CKV_K8S_15 | resource | Job | Image Pull Policy should be Always | Kubernetes | +| 1137 | CKV_K8S_15 | resource | Pod | Image Pull Policy should be Always | Kubernetes | +| 1138 | CKV_K8S_15 | resource | PodTemplate | Image Pull Policy should be Always | Kubernetes | +| 1139 | CKV_K8S_15 | resource | ReplicaSet | Image Pull Policy should be Always | Kubernetes | +| 1140 | CKV_K8S_15 | resource | ReplicationController | Image Pull Policy should be Always | Kubernetes | +| 1141 | CKV_K8S_15 | resource | StatefulSet | Image Pull Policy should be Always | Kubernetes | +| 1142 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | +| 1143 | CKV_K8S_16 | resource | CronJob | Container should not be privileged | Kubernetes | +| 1144 | CKV_K8S_16 | resource | DaemonSet | Container should not be privileged | Kubernetes | +| 1145 | CKV_K8S_16 | resource | Deployment | Container should not be privileged | Kubernetes | +| 1146 | CKV_K8S_16 | resource | Job | Container should not be privileged | Kubernetes | +| 1147 | CKV_K8S_16 | resource | Pod | Container should not be privileged | Kubernetes | +| 1148 | CKV_K8S_16 | resource | PodTemplate | Container should not be privileged | Kubernetes | +| 1149 | CKV_K8S_16 | resource | ReplicaSet | Container should not be privileged | Kubernetes | +| 1150 | CKV_K8S_16 | resource | ReplicationController | Container should not be privileged | Kubernetes | +| 1151 | CKV_K8S_16 | resource | StatefulSet | Container should not be privileged | Kubernetes | +| 1152 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers | Terraform | +| 1153 | CKV_K8S_17 | resource | CronJob | Containers should not share the host process ID namespace | Kubernetes | +| 1154 | CKV_K8S_17 | resource | DaemonSet | Containers should not share the host process ID namespace | Kubernetes | +| 1155 | CKV_K8S_17 | resource | Deployment | Containers should not share the host process ID namespace | Kubernetes | +| 1156 | CKV_K8S_17 | resource | Job | Containers should not share the host process ID namespace | Kubernetes | +| 1157 | CKV_K8S_17 | resource | Pod | Containers should not share the host process ID namespace | Kubernetes | +| 1158 | CKV_K8S_17 | resource | ReplicaSet | Containers should not share the host process ID namespace | Kubernetes | +| 1159 | CKV_K8S_17 | resource | ReplicationController | Containers should not share the host process ID namespace | Kubernetes | +| 1160 | CKV_K8S_17 | resource | StatefulSet | Containers should not share the host process ID namespace | Kubernetes | +| 1161 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | +| 1162 | CKV_K8S_18 | resource | CronJob | Containers should not share the host IPC namespace | Kubernetes | +| 1163 | CKV_K8S_18 | resource | DaemonSet | Containers should not share the host IPC namespace | Kubernetes | +| 1164 | CKV_K8S_18 | resource | Deployment | Containers should not share the host IPC namespace | Kubernetes | +| 1165 | CKV_K8S_18 | resource | Job | Containers should not share the host IPC namespace | Kubernetes | +| 1166 | CKV_K8S_18 | resource | Pod | Containers should not share the host IPC namespace | Kubernetes | +| 1167 | CKV_K8S_18 | resource | ReplicaSet | Containers should not share the host IPC namespace | Kubernetes | +| 1168 | CKV_K8S_18 | resource | ReplicationController | Containers should not share the host IPC namespace | Kubernetes | +| 1169 | CKV_K8S_18 | resource | StatefulSet | Containers should not share the host IPC namespace | Kubernetes | +| 1170 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | +| 1171 | CKV_K8S_19 | resource | CronJob | Containers should not share the host network namespace | Kubernetes | +| 1172 | CKV_K8S_19 | resource | DaemonSet | Containers should not share the host network namespace | Kubernetes | +| 1173 | CKV_K8S_19 | resource | Deployment | Containers should not share the host network namespace | Kubernetes | +| 1174 | CKV_K8S_19 | resource | Job | Containers should not share the host network namespace | Kubernetes | +| 1175 | CKV_K8S_19 | resource | Pod | Containers should not share the host network namespace | Kubernetes | +| 1176 | CKV_K8S_19 | resource | ReplicaSet | Containers should not share the host network namespace | Kubernetes | +| 1177 | CKV_K8S_19 | resource | ReplicationController | Containers should not share the host network namespace | Kubernetes | +| 1178 | CKV_K8S_19 | resource | StatefulSet | Containers should not share the host network namespace | Kubernetes | +| 1179 | CKV_K8S_19 | resource | kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | +| 1180 | CKV_K8S_20 | resource | CronJob | Containers should not run with allowPrivilegeEscalation | Kubernetes | +| 1181 | CKV_K8S_20 | resource | DaemonSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | +| 1182 | CKV_K8S_20 | resource | Deployment | Containers should not run with allowPrivilegeEscalation | Kubernetes | +| 1183 | CKV_K8S_20 | resource | Job | Containers should not run with allowPrivilegeEscalation | Kubernetes | +| 1184 | CKV_K8S_20 | resource | Pod | Containers should not run with allowPrivilegeEscalation | Kubernetes | +| 1185 | CKV_K8S_20 | resource | PodTemplate | Containers should not run with allowPrivilegeEscalation | Kubernetes | +| 1186 | CKV_K8S_20 | resource | ReplicaSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | +| 1187 | CKV_K8S_20 | resource | ReplicationController | Containers should not run with allowPrivilegeEscalation | Kubernetes | +| 1188 | CKV_K8S_20 | resource | StatefulSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | +| 1189 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | +| 1190 | CKV_K8S_21 | resource | ConfigMap | The default namespace should not be used | Kubernetes | +| 1191 | CKV_K8S_21 | resource | CronJob | The default namespace should not be used | Kubernetes | +| 1192 | CKV_K8S_21 | resource | DaemonSet | The default namespace should not be used | Kubernetes | +| 1193 | CKV_K8S_21 | resource | Deployment | The default namespace should not be used | Kubernetes | +| 1194 | CKV_K8S_21 | resource | Ingress | The default namespace should not be used | Kubernetes | +| 1195 | CKV_K8S_21 | resource | Job | The default namespace should not be used | Kubernetes | +| 1196 | CKV_K8S_21 | resource | Pod | The default namespace should not be used | Kubernetes | +| 1197 | CKV_K8S_21 | resource | ReplicaSet | The default namespace should not be used | Kubernetes | +| 1198 | CKV_K8S_21 | resource | ReplicationController | The default namespace should not be used | Kubernetes | +| 1199 | CKV_K8S_21 | resource | Role | The default namespace should not be used | Kubernetes | +| 1200 | CKV_K8S_21 | resource | RoleBinding | The default namespace should not be used | Kubernetes | +| 1201 | CKV_K8S_21 | resource | Secret | The default namespace should not be used | Kubernetes | +| 1202 | CKV_K8S_21 | resource | Service | The default namespace should not be used | Kubernetes | +| 1203 | CKV_K8S_21 | resource | ServiceAccount | The default namespace should not be used | Kubernetes | +| 1204 | CKV_K8S_21 | resource | StatefulSet | The default namespace should not be used | Kubernetes | +| 1205 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | +| 1206 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | +| 1207 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | +| 1208 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | +| 1209 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | +| 1210 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not be used | Terraform | +| 1211 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | +| 1212 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | +| 1213 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | +| 1214 | CKV_K8S_21 | resource | kubernetes_secret | The default namespace should not be used | Terraform | +| 1215 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | +| 1216 | CKV_K8S_21 | resource | kubernetes_service_account | The default namespace should not be used | Terraform | +| 1217 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | +| 1218 | CKV_K8S_22 | resource | CronJob | Use read-only filesystem for containers where possible | Kubernetes | +| 1219 | CKV_K8S_22 | resource | DaemonSet | Use read-only filesystem for containers where possible | Kubernetes | +| 1220 | CKV_K8S_22 | resource | Deployment | Use read-only filesystem for containers where possible | Kubernetes | +| 1221 | CKV_K8S_22 | resource | Job | Use read-only filesystem for containers where possible | Kubernetes | +| 1222 | CKV_K8S_22 | resource | Pod | Use read-only filesystem for containers where possible | Kubernetes | +| 1223 | CKV_K8S_22 | resource | PodTemplate | Use read-only filesystem for containers where possible | Kubernetes | +| 1224 | CKV_K8S_22 | resource | ReplicaSet | Use read-only filesystem for containers where possible | Kubernetes | +| 1225 | CKV_K8S_22 | resource | ReplicationController | Use read-only filesystem for containers where possible | Kubernetes | +| 1226 | CKV_K8S_22 | resource | StatefulSet | Use read-only filesystem for containers where possible | Kubernetes | +| 1227 | CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | +| 1228 | CKV_K8S_23 | resource | CronJob | Minimize the admission of root containers | Kubernetes | +| 1229 | CKV_K8S_23 | resource | DaemonSet | Minimize the admission of root containers | Kubernetes | +| 1230 | CKV_K8S_23 | resource | Deployment | Minimize the admission of root containers | Kubernetes | +| 1231 | CKV_K8S_23 | resource | Job | Minimize the admission of root containers | Kubernetes | +| 1232 | CKV_K8S_23 | resource | Pod | Minimize the admission of root containers | Kubernetes | +| 1233 | CKV_K8S_23 | resource | ReplicaSet | Minimize the admission of root containers | Kubernetes | +| 1234 | CKV_K8S_23 | resource | ReplicationController | Minimize the admission of root containers | Kubernetes | +| 1235 | CKV_K8S_23 | resource | StatefulSet | Minimize the admission of root containers | Kubernetes | +| 1236 | CKV_K8S_24 | resource | PodSecurityPolicy | Do not allow containers with added capability | Kubernetes | +| 1237 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added capability | Terraform | +| 1238 | CKV_K8S_25 | resource | CronJob | Minimize the admission of containers with added capability | Kubernetes | +| 1239 | CKV_K8S_25 | resource | DaemonSet | Minimize the admission of containers with added capability | Kubernetes | +| 1240 | CKV_K8S_25 | resource | Deployment | Minimize the admission of containers with added capability | Kubernetes | +| 1241 | CKV_K8S_25 | resource | Job | Minimize the admission of containers with added capability | Kubernetes | +| 1242 | CKV_K8S_25 | resource | Pod | Minimize the admission of containers with added capability | Kubernetes | +| 1243 | CKV_K8S_25 | resource | PodTemplate | Minimize the admission of containers with added capability | Kubernetes | +| 1244 | CKV_K8S_25 | resource | ReplicaSet | Minimize the admission of containers with added capability | Kubernetes | +| 1245 | CKV_K8S_25 | resource | ReplicationController | Minimize the admission of containers with added capability | Kubernetes | +| 1246 | CKV_K8S_25 | resource | StatefulSet | Minimize the admission of containers with added capability | Kubernetes | +| 1247 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | +| 1248 | CKV_K8S_26 | resource | CronJob | Do not specify hostPort unless absolutely necessary | Kubernetes | +| 1249 | CKV_K8S_26 | resource | DaemonSet | Do not specify hostPort unless absolutely necessary | Kubernetes | +| 1250 | CKV_K8S_26 | resource | Deployment | Do not specify hostPort unless absolutely necessary | Kubernetes | +| 1251 | CKV_K8S_26 | resource | Job | Do not specify hostPort unless absolutely necessary | Kubernetes | +| 1252 | CKV_K8S_26 | resource | Pod | Do not specify hostPort unless absolutely necessary | Kubernetes | +| 1253 | CKV_K8S_26 | resource | PodTemplate | Do not specify hostPort unless absolutely necessary | Kubernetes | +| 1254 | CKV_K8S_26 | resource | ReplicaSet | Do not specify hostPort unless absolutely necessary | Kubernetes | +| 1255 | CKV_K8S_26 | resource | ReplicationController | Do not specify hostPort unless absolutely necessary | Kubernetes | +| 1256 | CKV_K8S_26 | resource | StatefulSet | Do not specify hostPort unless absolutely necessary | Kubernetes | +| 1257 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | +| 1258 | CKV_K8S_27 | resource | CronJob | Do not expose the docker daemon socket to containers | Kubernetes | +| 1259 | CKV_K8S_27 | resource | DaemonSet | Do not expose the docker daemon socket to containers | Kubernetes | +| 1260 | CKV_K8S_27 | resource | Deployment | Do not expose the docker daemon socket to containers | Kubernetes | +| 1261 | CKV_K8S_27 | resource | Job | Do not expose the docker daemon socket to containers | Kubernetes | +| 1262 | CKV_K8S_27 | resource | Pod | Do not expose the docker daemon socket to containers | Kubernetes | +| 1263 | CKV_K8S_27 | resource | ReplicaSet | Do not expose the docker daemon socket to containers | Kubernetes | +| 1264 | CKV_K8S_27 | resource | ReplicationController | Do not expose the docker daemon socket to containers | Kubernetes | +| 1265 | CKV_K8S_27 | resource | StatefulSet | Do not expose the docker daemon socket to containers | Kubernetes | +| 1266 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | +| 1267 | CKV_K8S_27 | resource | kubernetes_deployment | Do not expose the docker daemon socket to containers | Terraform | +| 1268 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | +| 1269 | CKV_K8S_28 | resource | CronJob | Minimize the admission of containers with the NET_RAW capability | Kubernetes | +| 1270 | CKV_K8S_28 | resource | DaemonSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | +| 1271 | CKV_K8S_28 | resource | Deployment | Minimize the admission of containers with the NET_RAW capability | Kubernetes | +| 1272 | CKV_K8S_28 | resource | Job | Minimize the admission of containers with the NET_RAW capability | Kubernetes | +| 1273 | CKV_K8S_28 | resource | Pod | Minimize the admission of containers with the NET_RAW capability | Kubernetes | +| 1274 | CKV_K8S_28 | resource | PodTemplate | Minimize the admission of containers with the NET_RAW capability | Kubernetes | +| 1275 | CKV_K8S_28 | resource | ReplicaSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | +| 1276 | CKV_K8S_28 | resource | ReplicationController | Minimize the admission of containers with the NET_RAW capability | Kubernetes | +| 1277 | CKV_K8S_28 | resource | StatefulSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | +| 1278 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | +| 1279 | CKV_K8S_29 | resource | CronJob | Apply security context to your pods and containers | Kubernetes | +| 1280 | CKV_K8S_29 | resource | DaemonSet | Apply security context to your pods and containers | Kubernetes | +| 1281 | CKV_K8S_29 | resource | Deployment | Apply security context to your pods and containers | Kubernetes | +| 1282 | CKV_K8S_29 | resource | Job | Apply security context to your pods and containers | Kubernetes | +| 1283 | CKV_K8S_29 | resource | Pod | Apply security context to your pods and containers | Kubernetes | +| 1284 | CKV_K8S_29 | resource | ReplicaSet | Apply security context to your pods and containers | Kubernetes | +| 1285 | CKV_K8S_29 | resource | ReplicationController | Apply security context to your pods and containers | Kubernetes | +| 1286 | CKV_K8S_29 | resource | StatefulSet | Apply security context to your pods and containers | Kubernetes | +| 1287 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods and containers | Terraform | +| 1288 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | +| 1289 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | +| 1290 | CKV_K8S_30 | resource | CronJob | Apply security context to your pods and containers | Kubernetes | +| 1291 | CKV_K8S_30 | resource | DaemonSet | Apply security context to your pods and containers | Kubernetes | +| 1292 | CKV_K8S_30 | resource | Deployment | Apply security context to your pods and containers | Kubernetes | +| 1293 | CKV_K8S_30 | resource | Job | Apply security context to your pods and containers | Kubernetes | +| 1294 | CKV_K8S_30 | resource | Pod | Apply security context to your pods and containers | Kubernetes | +| 1295 | CKV_K8S_30 | resource | PodTemplate | Apply security context to your pods and containers | Kubernetes | +| 1296 | CKV_K8S_30 | resource | ReplicaSet | Apply security context to your pods and containers | Kubernetes | +| 1297 | CKV_K8S_30 | resource | ReplicationController | Apply security context to your pods and containers | Kubernetes | +| 1298 | CKV_K8S_30 | resource | StatefulSet | Apply security context to your pods and containers | Kubernetes | +| 1299 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | +| 1300 | CKV_K8S_31 | resource | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1301 | CKV_K8S_31 | resource | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1302 | CKV_K8S_31 | resource | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1303 | CKV_K8S_31 | resource | Job | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1304 | CKV_K8S_31 | resource | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1305 | CKV_K8S_31 | resource | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1306 | CKV_K8S_31 | resource | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1307 | CKV_K8S_31 | resource | StatefulSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1308 | CKV_K8S_32 | resource | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default | Kubernetes | +| 1309 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | +| 1310 | CKV_K8S_33 | resource | CronJob | Ensure the Kubernetes dashboard is not deployed | Kubernetes | +| 1311 | CKV_K8S_33 | resource | DaemonSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | +| 1312 | CKV_K8S_33 | resource | Deployment | Ensure the Kubernetes dashboard is not deployed | Kubernetes | +| 1313 | CKV_K8S_33 | resource | Job | Ensure the Kubernetes dashboard is not deployed | Kubernetes | +| 1314 | CKV_K8S_33 | resource | Pod | Ensure the Kubernetes dashboard is not deployed | Kubernetes | +| 1315 | CKV_K8S_33 | resource | PodTemplate | Ensure the Kubernetes dashboard is not deployed | Kubernetes | +| 1316 | CKV_K8S_33 | resource | ReplicaSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | +| 1317 | CKV_K8S_33 | resource | ReplicationController | Ensure the Kubernetes dashboard is not deployed | Kubernetes | +| 1318 | CKV_K8S_33 | resource | StatefulSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | +| 1319 | CKV_K8S_34 | resource | CronJob | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | +| 1320 | CKV_K8S_34 | resource | DaemonSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | +| 1321 | CKV_K8S_34 | resource | Deployment | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | +| 1322 | CKV_K8S_34 | resource | Job | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | +| 1323 | CKV_K8S_34 | resource | Pod | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | +| 1324 | CKV_K8S_34 | resource | PodTemplate | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | +| 1325 | CKV_K8S_34 | resource | ReplicaSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | +| 1326 | CKV_K8S_34 | resource | ReplicationController | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | +| 1327 | CKV_K8S_34 | resource | StatefulSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | +| 1328 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller (Helm v2) is not deployed | Terraform | +| 1329 | CKV_K8S_35 | resource | CronJob | Prefer using secrets as files over secrets as environment variables | Kubernetes | +| 1330 | CKV_K8S_35 | resource | DaemonSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | +| 1331 | CKV_K8S_35 | resource | Deployment | Prefer using secrets as files over secrets as environment variables | Kubernetes | +| 1332 | CKV_K8S_35 | resource | Job | Prefer using secrets as files over secrets as environment variables | Kubernetes | +| 1333 | CKV_K8S_35 | resource | Pod | Prefer using secrets as files over secrets as environment variables | Kubernetes | +| 1334 | CKV_K8S_35 | resource | PodTemplate | Prefer using secrets as files over secrets as environment variables | Kubernetes | +| 1335 | CKV_K8S_35 | resource | ReplicaSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | +| 1336 | CKV_K8S_35 | resource | ReplicationController | Prefer using secrets as files over secrets as environment variables | Kubernetes | +| 1337 | CKV_K8S_35 | resource | StatefulSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | +| 1338 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets as environment variables | Terraform | +| 1339 | CKV_K8S_36 | resource | PodSecurityPolicy | Minimize the admission of containers with capabilities assigned | Kubernetes | +| 1340 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | +| 1341 | CKV_K8S_37 | resource | CronJob | Minimize the admission of containers with capabilities assigned | Kubernetes | +| 1342 | CKV_K8S_37 | resource | DaemonSet | Minimize the admission of containers with capabilities assigned | Kubernetes | +| 1343 | CKV_K8S_37 | resource | Deployment | Minimize the admission of containers with capabilities assigned | Kubernetes | +| 1344 | CKV_K8S_37 | resource | Job | Minimize the admission of containers with capabilities assigned | Kubernetes | +| 1345 | CKV_K8S_37 | resource | Pod | Minimize the admission of containers with capabilities assigned | Kubernetes | +| 1346 | CKV_K8S_37 | resource | PodTemplate | Minimize the admission of containers with capabilities assigned | Kubernetes | +| 1347 | CKV_K8S_37 | resource | ReplicaSet | Minimize the admission of containers with capabilities assigned | Kubernetes | +| 1348 | CKV_K8S_37 | resource | ReplicationController | Minimize the admission of containers with capabilities assigned | Kubernetes | +| 1349 | CKV_K8S_37 | resource | StatefulSet | Minimize the admission of containers with capabilities assigned | Kubernetes | +| 1350 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | +| 1351 | CKV_K8S_38 | resource | CronJob | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1352 | CKV_K8S_38 | resource | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1353 | CKV_K8S_38 | resource | Deployment | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1354 | CKV_K8S_38 | resource | Job | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1355 | CKV_K8S_38 | resource | Pod | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1356 | CKV_K8S_38 | resource | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1357 | CKV_K8S_38 | resource | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1358 | CKV_K8S_38 | resource | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1359 | CKV_K8S_39 | resource | CronJob | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | +| 1360 | CKV_K8S_39 | resource | DaemonSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | +| 1361 | CKV_K8S_39 | resource | Deployment | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | +| 1362 | CKV_K8S_39 | resource | Job | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | +| 1363 | CKV_K8S_39 | resource | Pod | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | +| 1364 | CKV_K8S_39 | resource | PodTemplate | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | +| 1365 | CKV_K8S_39 | resource | ReplicaSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | +| 1366 | CKV_K8S_39 | resource | ReplicationController | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | +| 1367 | CKV_K8S_39 | resource | StatefulSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | +| 1368 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | +| 1369 | CKV_K8S_40 | resource | CronJob | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1370 | CKV_K8S_40 | resource | DaemonSet | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1371 | CKV_K8S_40 | resource | Deployment | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1372 | CKV_K8S_40 | resource | Job | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1373 | CKV_K8S_40 | resource | Pod | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1374 | CKV_K8S_40 | resource | ReplicaSet | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1375 | CKV_K8S_40 | resource | ReplicationController | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1376 | CKV_K8S_40 | resource | StatefulSet | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1377 | CKV_K8S_41 | resource | ServiceAccount | Ensure that default service accounts are not actively used | Kubernetes | +| 1378 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | +| 1379 | CKV_K8S_42 | resource | ClusterRoleBinding | Ensure that default service accounts are not actively used | Kubernetes | +| 1380 | CKV_K8S_42 | resource | RoleBinding | Ensure that default service accounts are not actively used | Kubernetes | +| 1381 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | +| 1382 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | +| 1383 | CKV_K8S_43 | resource | CronJob | Image should use digest | Kubernetes | +| 1384 | CKV_K8S_43 | resource | DaemonSet | Image should use digest | Kubernetes | +| 1385 | CKV_K8S_43 | resource | Deployment | Image should use digest | Kubernetes | +| 1386 | CKV_K8S_43 | resource | Job | Image should use digest | Kubernetes | +| 1387 | CKV_K8S_43 | resource | Pod | Image should use digest | Kubernetes | +| 1388 | CKV_K8S_43 | resource | PodTemplate | Image should use digest | Kubernetes | +| 1389 | CKV_K8S_43 | resource | ReplicaSet | Image should use digest | Kubernetes | +| 1390 | CKV_K8S_43 | resource | ReplicationController | Image should use digest | Kubernetes | +| 1391 | CKV_K8S_43 | resource | StatefulSet | Image should use digest | Kubernetes | +| 1392 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | +| 1393 | CKV_K8S_44 | resource | Service | Ensure that the Tiller Service (Helm v2) is deleted | Kubernetes | +| 1394 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | +| 1395 | CKV_K8S_45 | resource | CronJob | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | +| 1396 | CKV_K8S_45 | resource | DaemonSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | +| 1397 | CKV_K8S_45 | resource | Deployment | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | +| 1398 | CKV_K8S_45 | resource | Job | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | +| 1399 | CKV_K8S_45 | resource | Pod | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | +| 1400 | CKV_K8S_45 | resource | PodTemplate | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | +| 1401 | CKV_K8S_45 | resource | ReplicaSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | +| 1402 | CKV_K8S_45 | resource | ReplicationController | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | +| 1403 | CKV_K8S_45 | resource | StatefulSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | +| 1404 | CKV_K8S_49 | resource | ClusterRole | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | +| 1405 | CKV_K8S_49 | resource | Role | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | +| 1406 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | +| 1407 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | +| 1408 | CKV_K8S_68 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1409 | CKV_K8S_68 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1410 | CKV_K8S_68 | resource | Deployment | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1411 | CKV_K8S_68 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1412 | CKV_K8S_68 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1413 | CKV_K8S_68 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1414 | CKV_K8S_68 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1415 | CKV_K8S_68 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1416 | CKV_K8S_68 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1417 | CKV_K8S_69 | resource | CronJob | Ensure that the --basic-auth-file argument is not set | Kubernetes | +| 1418 | CKV_K8S_69 | resource | DaemonSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | +| 1419 | CKV_K8S_69 | resource | Deployment | Ensure that the --basic-auth-file argument is not set | Kubernetes | +| 1420 | CKV_K8S_69 | resource | Job | Ensure that the --basic-auth-file argument is not set | Kubernetes | +| 1421 | CKV_K8S_69 | resource | Pod | Ensure that the --basic-auth-file argument is not set | Kubernetes | +| 1422 | CKV_K8S_69 | resource | PodTemplate | Ensure that the --basic-auth-file argument is not set | Kubernetes | +| 1423 | CKV_K8S_69 | resource | ReplicaSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | +| 1424 | CKV_K8S_69 | resource | ReplicationController | Ensure that the --basic-auth-file argument is not set | Kubernetes | +| 1425 | CKV_K8S_69 | resource | StatefulSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | +| 1426 | CKV_K8S_70 | resource | CronJob | Ensure that the --token-auth-file argument is not set | Kubernetes | +| 1427 | CKV_K8S_70 | resource | DaemonSet | Ensure that the --token-auth-file argument is not set | Kubernetes | +| 1428 | CKV_K8S_70 | resource | Deployment | Ensure that the --token-auth-file argument is not set | Kubernetes | +| 1429 | CKV_K8S_70 | resource | Job | Ensure that the --token-auth-file argument is not set | Kubernetes | +| 1430 | CKV_K8S_70 | resource | Pod | Ensure that the --token-auth-file argument is not set | Kubernetes | +| 1431 | CKV_K8S_70 | resource | PodTemplate | Ensure that the --token-auth-file argument is not set | Kubernetes | +| 1432 | CKV_K8S_70 | resource | ReplicaSet | Ensure that the --token-auth-file argument is not set | Kubernetes | +| 1433 | CKV_K8S_70 | resource | ReplicationController | Ensure that the --token-auth-file argument is not set | Kubernetes | +| 1434 | CKV_K8S_70 | resource | StatefulSet | Ensure that the --token-auth-file argument is not set | Kubernetes | +| 1435 | CKV_K8S_71 | resource | CronJob | Ensure that the --kubelet-https argument is set to true | Kubernetes | +| 1436 | CKV_K8S_71 | resource | DaemonSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | +| 1437 | CKV_K8S_71 | resource | Deployment | Ensure that the --kubelet-https argument is set to true | Kubernetes | +| 1438 | CKV_K8S_71 | resource | Job | Ensure that the --kubelet-https argument is set to true | Kubernetes | +| 1439 | CKV_K8S_71 | resource | Pod | Ensure that the --kubelet-https argument is set to true | Kubernetes | +| 1440 | CKV_K8S_71 | resource | PodTemplate | Ensure that the --kubelet-https argument is set to true | Kubernetes | +| 1441 | CKV_K8S_71 | resource | ReplicaSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | +| 1442 | CKV_K8S_71 | resource | ReplicationController | Ensure that the --kubelet-https argument is set to true | Kubernetes | +| 1443 | CKV_K8S_71 | resource | StatefulSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | +| 1444 | CKV_K8S_72 | resource | CronJob | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | +| 1445 | CKV_K8S_72 | resource | DaemonSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | +| 1446 | CKV_K8S_72 | resource | Deployment | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | +| 1447 | CKV_K8S_72 | resource | Job | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | +| 1448 | CKV_K8S_72 | resource | Pod | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | +| 1449 | CKV_K8S_72 | resource | PodTemplate | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | +| 1450 | CKV_K8S_72 | resource | ReplicaSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | +| 1451 | CKV_K8S_72 | resource | ReplicationController | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | +| 1452 | CKV_K8S_72 | resource | StatefulSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | +| 1453 | CKV_K8S_73 | resource | CronJob | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | +| 1454 | CKV_K8S_73 | resource | DaemonSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | +| 1455 | CKV_K8S_73 | resource | Deployment | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | +| 1456 | CKV_K8S_73 | resource | Job | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | +| 1457 | CKV_K8S_73 | resource | Pod | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | +| 1458 | CKV_K8S_73 | resource | PodTemplate | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | +| 1459 | CKV_K8S_73 | resource | ReplicaSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | +| 1460 | CKV_K8S_73 | resource | ReplicationController | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | +| 1461 | CKV_K8S_73 | resource | StatefulSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | +| 1462 | CKV_K8S_74 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1463 | CKV_K8S_74 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1464 | CKV_K8S_74 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1465 | CKV_K8S_74 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1466 | CKV_K8S_74 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1467 | CKV_K8S_74 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1468 | CKV_K8S_74 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1469 | CKV_K8S_74 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1470 | CKV_K8S_74 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1471 | CKV_K8S_75 | resource | CronJob | Ensure that the --authorization-mode argument includes Node | Kubernetes | +| 1472 | CKV_K8S_75 | resource | DaemonSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | +| 1473 | CKV_K8S_75 | resource | Deployment | Ensure that the --authorization-mode argument includes Node | Kubernetes | +| 1474 | CKV_K8S_75 | resource | Job | Ensure that the --authorization-mode argument includes Node | Kubernetes | +| 1475 | CKV_K8S_75 | resource | Pod | Ensure that the --authorization-mode argument includes Node | Kubernetes | +| 1476 | CKV_K8S_75 | resource | PodTemplate | Ensure that the --authorization-mode argument includes Node | Kubernetes | +| 1477 | CKV_K8S_75 | resource | ReplicaSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | +| 1478 | CKV_K8S_75 | resource | ReplicationController | Ensure that the --authorization-mode argument includes Node | Kubernetes | +| 1479 | CKV_K8S_75 | resource | StatefulSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | +| 1480 | CKV_K8S_77 | resource | CronJob | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | +| 1481 | CKV_K8S_77 | resource | DaemonSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | +| 1482 | CKV_K8S_77 | resource | Deployment | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | +| 1483 | CKV_K8S_77 | resource | Job | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | +| 1484 | CKV_K8S_77 | resource | Pod | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | +| 1485 | CKV_K8S_77 | resource | PodTemplate | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | +| 1486 | CKV_K8S_77 | resource | ReplicaSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | +| 1487 | CKV_K8S_77 | resource | ReplicationController | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | +| 1488 | CKV_K8S_77 | resource | StatefulSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | +| 1489 | CKV_K8S_78 | resource | AdmissionConfiguration | Ensure that the admission control plugin EventRateLimit is set | Kubernetes | +| 1490 | CKV_K8S_79 | resource | CronJob | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | +| 1491 | CKV_K8S_79 | resource | DaemonSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | +| 1492 | CKV_K8S_79 | resource | Deployment | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | +| 1493 | CKV_K8S_79 | resource | Job | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | +| 1494 | CKV_K8S_79 | resource | Pod | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | +| 1495 | CKV_K8S_79 | resource | PodTemplate | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | +| 1496 | CKV_K8S_79 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | +| 1497 | CKV_K8S_79 | resource | ReplicationController | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | +| 1498 | CKV_K8S_79 | resource | StatefulSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | +| 1499 | CKV_K8S_80 | resource | CronJob | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | +| 1500 | CKV_K8S_80 | resource | DaemonSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | +| 1501 | CKV_K8S_80 | resource | Deployment | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | +| 1502 | CKV_K8S_80 | resource | Job | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | +| 1503 | CKV_K8S_80 | resource | Pod | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | +| 1504 | CKV_K8S_80 | resource | PodTemplate | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | +| 1505 | CKV_K8S_80 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | +| 1506 | CKV_K8S_80 | resource | ReplicationController | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | +| 1507 | CKV_K8S_80 | resource | StatefulSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | +| 1508 | CKV_K8S_81 | resource | CronJob | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | +| 1509 | CKV_K8S_81 | resource | DaemonSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | +| 1510 | CKV_K8S_81 | resource | Deployment | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | +| 1511 | CKV_K8S_81 | resource | Job | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | +| 1512 | CKV_K8S_81 | resource | Pod | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | +| 1513 | CKV_K8S_81 | resource | PodTemplate | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | +| 1514 | CKV_K8S_81 | resource | ReplicaSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | +| 1515 | CKV_K8S_81 | resource | ReplicationController | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | +| 1516 | CKV_K8S_81 | resource | StatefulSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | +| 1517 | CKV_K8S_82 | resource | CronJob | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | +| 1518 | CKV_K8S_82 | resource | DaemonSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | +| 1519 | CKV_K8S_82 | resource | Deployment | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | +| 1520 | CKV_K8S_82 | resource | Job | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | +| 1521 | CKV_K8S_82 | resource | Pod | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | +| 1522 | CKV_K8S_82 | resource | PodTemplate | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | +| 1523 | CKV_K8S_82 | resource | ReplicaSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | +| 1524 | CKV_K8S_82 | resource | ReplicationController | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | +| 1525 | CKV_K8S_82 | resource | StatefulSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | +| 1526 | CKV_K8S_83 | resource | CronJob | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | +| 1527 | CKV_K8S_83 | resource | DaemonSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | +| 1528 | CKV_K8S_83 | resource | Deployment | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | +| 1529 | CKV_K8S_83 | resource | Job | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | +| 1530 | CKV_K8S_83 | resource | Pod | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | +| 1531 | CKV_K8S_83 | resource | PodTemplate | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | +| 1532 | CKV_K8S_83 | resource | ReplicaSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | +| 1533 | CKV_K8S_83 | resource | ReplicationController | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | +| 1534 | CKV_K8S_83 | resource | StatefulSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | +| 1535 | CKV_K8S_84 | resource | CronJob | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | +| 1536 | CKV_K8S_84 | resource | DaemonSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | +| 1537 | CKV_K8S_84 | resource | Deployment | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | +| 1538 | CKV_K8S_84 | resource | Job | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | +| 1539 | CKV_K8S_84 | resource | Pod | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | +| 1540 | CKV_K8S_84 | resource | PodTemplate | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | +| 1541 | CKV_K8S_84 | resource | ReplicaSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | +| 1542 | CKV_K8S_84 | resource | ReplicationController | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | +| 1543 | CKV_K8S_84 | resource | StatefulSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | +| 1544 | CKV_K8S_85 | resource | CronJob | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | +| 1545 | CKV_K8S_85 | resource | DaemonSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | +| 1546 | CKV_K8S_85 | resource | Deployment | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | +| 1547 | CKV_K8S_85 | resource | Job | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | +| 1548 | CKV_K8S_85 | resource | Pod | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | +| 1549 | CKV_K8S_85 | resource | PodTemplate | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | +| 1550 | CKV_K8S_85 | resource | ReplicaSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | +| 1551 | CKV_K8S_85 | resource | ReplicationController | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | +| 1552 | CKV_K8S_85 | resource | StatefulSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | +| 1553 | CKV_K8S_86 | resource | CronJob | Ensure that the --insecure-bind-address argument is not set | Kubernetes | +| 1554 | CKV_K8S_86 | resource | DaemonSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | +| 1555 | CKV_K8S_86 | resource | Deployment | Ensure that the --insecure-bind-address argument is not set | Kubernetes | +| 1556 | CKV_K8S_86 | resource | Job | Ensure that the --insecure-bind-address argument is not set | Kubernetes | +| 1557 | CKV_K8S_86 | resource | Pod | Ensure that the --insecure-bind-address argument is not set | Kubernetes | +| 1558 | CKV_K8S_86 | resource | PodTemplate | Ensure that the --insecure-bind-address argument is not set | Kubernetes | +| 1559 | CKV_K8S_86 | resource | ReplicaSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | +| 1560 | CKV_K8S_86 | resource | ReplicationController | Ensure that the --insecure-bind-address argument is not set | Kubernetes | +| 1561 | CKV_K8S_86 | resource | StatefulSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | +| 1562 | CKV_K8S_88 | resource | CronJob | Ensure that the --insecure-port argument is set to 0 | Kubernetes | +| 1563 | CKV_K8S_88 | resource | DaemonSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | +| 1564 | CKV_K8S_88 | resource | Deployment | Ensure that the --insecure-port argument is set to 0 | Kubernetes | +| 1565 | CKV_K8S_88 | resource | Job | Ensure that the --insecure-port argument is set to 0 | Kubernetes | +| 1566 | CKV_K8S_88 | resource | Pod | Ensure that the --insecure-port argument is set to 0 | Kubernetes | +| 1567 | CKV_K8S_88 | resource | PodTemplate | Ensure that the --insecure-port argument is set to 0 | Kubernetes | +| 1568 | CKV_K8S_88 | resource | ReplicaSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | +| 1569 | CKV_K8S_88 | resource | ReplicationController | Ensure that the --insecure-port argument is set to 0 | Kubernetes | +| 1570 | CKV_K8S_88 | resource | StatefulSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | +| 1571 | CKV_K8S_89 | resource | CronJob | Ensure that the --secure-port argument is not set to 0 | Kubernetes | +| 1572 | CKV_K8S_89 | resource | DaemonSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | +| 1573 | CKV_K8S_89 | resource | Deployment | Ensure that the --secure-port argument is not set to 0 | Kubernetes | +| 1574 | CKV_K8S_89 | resource | Job | Ensure that the --secure-port argument is not set to 0 | Kubernetes | +| 1575 | CKV_K8S_89 | resource | Pod | Ensure that the --secure-port argument is not set to 0 | Kubernetes | +| 1576 | CKV_K8S_89 | resource | PodTemplate | Ensure that the --secure-port argument is not set to 0 | Kubernetes | +| 1577 | CKV_K8S_89 | resource | ReplicaSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | +| 1578 | CKV_K8S_89 | resource | ReplicationController | Ensure that the --secure-port argument is not set to 0 | Kubernetes | +| 1579 | CKV_K8S_89 | resource | StatefulSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | +| 1580 | CKV_K8S_90 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | +| 1581 | CKV_K8S_90 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | +| 1582 | CKV_K8S_90 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | +| 1583 | CKV_K8S_90 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | +| 1584 | CKV_K8S_90 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | +| 1585 | CKV_K8S_90 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | +| 1586 | CKV_K8S_90 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | +| 1587 | CKV_K8S_90 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | +| 1588 | CKV_K8S_90 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | +| 1589 | CKV_K8S_91 | resource | CronJob | Ensure that the --audit-log-path argument is set | Kubernetes | +| 1590 | CKV_K8S_91 | resource | DaemonSet | Ensure that the --audit-log-path argument is set | Kubernetes | +| 1591 | CKV_K8S_91 | resource | Deployment | Ensure that the --audit-log-path argument is set | Kubernetes | +| 1592 | CKV_K8S_91 | resource | Job | Ensure that the --audit-log-path argument is set | Kubernetes | +| 1593 | CKV_K8S_91 | resource | Pod | Ensure that the --audit-log-path argument is set | Kubernetes | +| 1594 | CKV_K8S_91 | resource | PodTemplate | Ensure that the --audit-log-path argument is set | Kubernetes | +| 1595 | CKV_K8S_91 | resource | ReplicaSet | Ensure that the --audit-log-path argument is set | Kubernetes | +| 1596 | CKV_K8S_91 | resource | ReplicationController | Ensure that the --audit-log-path argument is set | Kubernetes | +| 1597 | CKV_K8S_91 | resource | StatefulSet | Ensure that the --audit-log-path argument is set | Kubernetes | +| 1598 | CKV_K8S_92 | resource | CronJob | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | +| 1599 | CKV_K8S_92 | resource | DaemonSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | +| 1600 | CKV_K8S_92 | resource | Deployment | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | +| 1601 | CKV_K8S_92 | resource | Job | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | +| 1602 | CKV_K8S_92 | resource | Pod | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | +| 1603 | CKV_K8S_92 | resource | PodTemplate | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | +| 1604 | CKV_K8S_92 | resource | ReplicaSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | +| 1605 | CKV_K8S_92 | resource | ReplicationController | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | +| 1606 | CKV_K8S_92 | resource | StatefulSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | +| 1607 | CKV_K8S_93 | resource | CronJob | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | +| 1608 | CKV_K8S_93 | resource | DaemonSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | +| 1609 | CKV_K8S_93 | resource | Deployment | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | +| 1610 | CKV_K8S_93 | resource | Job | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | +| 1611 | CKV_K8S_93 | resource | Pod | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | +| 1612 | CKV_K8S_93 | resource | PodTemplate | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | +| 1613 | CKV_K8S_93 | resource | ReplicaSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | +| 1614 | CKV_K8S_93 | resource | ReplicationController | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | +| 1615 | CKV_K8S_93 | resource | StatefulSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | +| 1616 | CKV_K8S_94 | resource | CronJob | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | +| 1617 | CKV_K8S_94 | resource | DaemonSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | +| 1618 | CKV_K8S_94 | resource | Deployment | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | +| 1619 | CKV_K8S_94 | resource | Job | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | +| 1620 | CKV_K8S_94 | resource | Pod | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | +| 1621 | CKV_K8S_94 | resource | PodTemplate | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | +| 1622 | CKV_K8S_94 | resource | ReplicaSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | +| 1623 | CKV_K8S_94 | resource | ReplicationController | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | +| 1624 | CKV_K8S_94 | resource | StatefulSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | +| 1625 | CKV_K8S_95 | resource | CronJob | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | +| 1626 | CKV_K8S_95 | resource | DaemonSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | +| 1627 | CKV_K8S_95 | resource | Deployment | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | +| 1628 | CKV_K8S_95 | resource | Job | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | +| 1629 | CKV_K8S_95 | resource | Pod | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | +| 1630 | CKV_K8S_95 | resource | PodTemplate | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | +| 1631 | CKV_K8S_95 | resource | ReplicaSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | +| 1632 | CKV_K8S_95 | resource | ReplicationController | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | +| 1633 | CKV_K8S_95 | resource | StatefulSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | +| 1634 | CKV_K8S_96 | resource | CronJob | Ensure that the --service-account-lookup argument is set to true | Kubernetes | +| 1635 | CKV_K8S_96 | resource | DaemonSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | +| 1636 | CKV_K8S_96 | resource | Deployment | Ensure that the --service-account-lookup argument is set to true | Kubernetes | +| 1637 | CKV_K8S_96 | resource | Job | Ensure that the --service-account-lookup argument is set to true | Kubernetes | +| 1638 | CKV_K8S_96 | resource | Pod | Ensure that the --service-account-lookup argument is set to true | Kubernetes | +| 1639 | CKV_K8S_96 | resource | PodTemplate | Ensure that the --service-account-lookup argument is set to true | Kubernetes | +| 1640 | CKV_K8S_96 | resource | ReplicaSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | +| 1641 | CKV_K8S_96 | resource | ReplicationController | Ensure that the --service-account-lookup argument is set to true | Kubernetes | +| 1642 | CKV_K8S_96 | resource | StatefulSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | +| 1643 | CKV_K8S_97 | resource | CronJob | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | +| 1644 | CKV_K8S_97 | resource | DaemonSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | +| 1645 | CKV_K8S_97 | resource | Deployment | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | +| 1646 | CKV_K8S_97 | resource | Job | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | +| 1647 | CKV_K8S_97 | resource | Pod | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | +| 1648 | CKV_K8S_97 | resource | PodTemplate | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | +| 1649 | CKV_K8S_97 | resource | ReplicaSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | +| 1650 | CKV_K8S_97 | resource | ReplicationController | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | +| 1651 | CKV_K8S_97 | resource | StatefulSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | +| 1652 | CKV_K8S_99 | resource | CronJob | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | +| 1653 | CKV_K8S_99 | resource | DaemonSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | +| 1654 | CKV_K8S_99 | resource | Deployment | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | +| 1655 | CKV_K8S_99 | resource | Job | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | +| 1656 | CKV_K8S_99 | resource | Pod | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | +| 1657 | CKV_K8S_99 | resource | PodTemplate | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | +| 1658 | CKV_K8S_99 | resource | ReplicaSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | +| 1659 | CKV_K8S_99 | resource | ReplicationController | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | +| 1660 | CKV_K8S_99 | resource | StatefulSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | +| 1661 | CKV_K8S_100 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1662 | CKV_K8S_100 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1663 | CKV_K8S_100 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1664 | CKV_K8S_100 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1665 | CKV_K8S_100 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1666 | CKV_K8S_100 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1667 | CKV_K8S_100 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1668 | CKV_K8S_100 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1669 | CKV_K8S_100 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1670 | CKV_K8S_102 | resource | CronJob | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | +| 1671 | CKV_K8S_102 | resource | DaemonSet | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | +| 1672 | CKV_K8S_102 | resource | Deployment | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | +| 1673 | CKV_K8S_102 | resource | Job | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | +| 1674 | CKV_K8S_102 | resource | Pod | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | +| 1675 | CKV_K8S_102 | resource | PodTemplate | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | +| 1676 | CKV_K8S_102 | resource | ReplicaSet | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | +| 1677 | CKV_K8S_102 | resource | ReplicationController | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | +| 1678 | CKV_K8S_102 | resource | StatefulSet | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | +| 1679 | CKV_K8S_104 | resource | CronJob | Ensure that encryption providers are appropriately configured | Kubernetes | +| 1680 | CKV_K8S_104 | resource | DaemonSet | Ensure that encryption providers are appropriately configured | Kubernetes | +| 1681 | CKV_K8S_104 | resource | Deployment | Ensure that encryption providers are appropriately configured | Kubernetes | +| 1682 | CKV_K8S_104 | resource | Job | Ensure that encryption providers are appropriately configured | Kubernetes | +| 1683 | CKV_K8S_104 | resource | Pod | Ensure that encryption providers are appropriately configured | Kubernetes | +| 1684 | CKV_K8S_104 | resource | PodTemplate | Ensure that encryption providers are appropriately configured | Kubernetes | +| 1685 | CKV_K8S_104 | resource | ReplicaSet | Ensure that encryption providers are appropriately configured | Kubernetes | +| 1686 | CKV_K8S_104 | resource | ReplicationController | Ensure that encryption providers are appropriately configured | Kubernetes | +| 1687 | CKV_K8S_104 | resource | StatefulSet | Ensure that encryption providers are appropriately configured | Kubernetes | +| 1688 | CKV_K8S_105 | resource | CronJob | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1689 | CKV_K8S_105 | resource | DaemonSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1690 | CKV_K8S_105 | resource | Deployment | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1691 | CKV_K8S_105 | resource | Job | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1692 | CKV_K8S_105 | resource | Pod | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1693 | CKV_K8S_105 | resource | PodTemplate | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1694 | CKV_K8S_105 | resource | ReplicaSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1695 | CKV_K8S_105 | resource | ReplicationController | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1696 | CKV_K8S_105 | resource | StatefulSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1697 | CKV_K8S_106 | resource | CronJob | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | +| 1698 | CKV_K8S_106 | resource | DaemonSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | +| 1699 | CKV_K8S_106 | resource | Deployment | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | +| 1700 | CKV_K8S_106 | resource | Job | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | +| 1701 | CKV_K8S_106 | resource | Pod | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | +| 1702 | CKV_K8S_106 | resource | PodTemplate | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | +| 1703 | CKV_K8S_106 | resource | ReplicaSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | +| 1704 | CKV_K8S_106 | resource | ReplicationController | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | +| 1705 | CKV_K8S_106 | resource | StatefulSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | +| 1706 | CKV_K8S_107 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | +| 1707 | CKV_K8S_107 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | +| 1708 | CKV_K8S_107 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | +| 1709 | CKV_K8S_107 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | +| 1710 | CKV_K8S_107 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | +| 1711 | CKV_K8S_107 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | +| 1712 | CKV_K8S_107 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | +| 1713 | CKV_K8S_107 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | +| 1714 | CKV_K8S_107 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | +| 1715 | CKV_K8S_108 | resource | CronJob | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | +| 1716 | CKV_K8S_108 | resource | DaemonSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | +| 1717 | CKV_K8S_108 | resource | Deployment | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | +| 1718 | CKV_K8S_108 | resource | Job | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | +| 1719 | CKV_K8S_108 | resource | Pod | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | +| 1720 | CKV_K8S_108 | resource | PodTemplate | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | +| 1721 | CKV_K8S_108 | resource | ReplicaSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | +| 1722 | CKV_K8S_108 | resource | ReplicationController | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | +| 1723 | CKV_K8S_108 | resource | StatefulSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | +| 1724 | CKV_K8S_110 | resource | CronJob | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | +| 1725 | CKV_K8S_110 | resource | DaemonSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | +| 1726 | CKV_K8S_110 | resource | Deployment | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | +| 1727 | CKV_K8S_110 | resource | Job | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | +| 1728 | CKV_K8S_110 | resource | Pod | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | +| 1729 | CKV_K8S_110 | resource | PodTemplate | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | +| 1730 | CKV_K8S_110 | resource | ReplicaSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | +| 1731 | CKV_K8S_110 | resource | ReplicationController | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | +| 1732 | CKV_K8S_110 | resource | StatefulSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | +| 1733 | CKV_K8S_111 | resource | CronJob | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | +| 1734 | CKV_K8S_111 | resource | DaemonSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | +| 1735 | CKV_K8S_111 | resource | Deployment | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | +| 1736 | CKV_K8S_111 | resource | Job | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | +| 1737 | CKV_K8S_111 | resource | Pod | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | +| 1738 | CKV_K8S_111 | resource | PodTemplate | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | +| 1739 | CKV_K8S_111 | resource | ReplicaSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | +| 1740 | CKV_K8S_111 | resource | ReplicationController | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | +| 1741 | CKV_K8S_111 | resource | StatefulSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | +| 1742 | CKV_K8S_112 | resource | CronJob | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | +| 1743 | CKV_K8S_112 | resource | DaemonSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | +| 1744 | CKV_K8S_112 | resource | Deployment | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | +| 1745 | CKV_K8S_112 | resource | Job | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | +| 1746 | CKV_K8S_112 | resource | Pod | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | +| 1747 | CKV_K8S_112 | resource | PodTemplate | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | +| 1748 | CKV_K8S_112 | resource | ReplicaSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | +| 1749 | CKV_K8S_112 | resource | ReplicationController | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | +| 1750 | CKV_K8S_112 | resource | StatefulSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | +| 1751 | CKV_K8S_113 | resource | CronJob | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1752 | CKV_K8S_113 | resource | DaemonSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1753 | CKV_K8S_113 | resource | Deployment | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1754 | CKV_K8S_113 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1755 | CKV_K8S_113 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1756 | CKV_K8S_113 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1757 | CKV_K8S_113 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1758 | CKV_K8S_113 | resource | ReplicationController | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1759 | CKV_K8S_113 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1760 | CKV_K8S_114 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | +| 1761 | CKV_K8S_114 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | +| 1762 | CKV_K8S_114 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | +| 1763 | CKV_K8S_114 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | +| 1764 | CKV_K8S_114 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | +| 1765 | CKV_K8S_114 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | +| 1766 | CKV_K8S_114 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | +| 1767 | CKV_K8S_114 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | +| 1768 | CKV_K8S_114 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | +| 1769 | CKV_K8S_115 | resource | CronJob | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1770 | CKV_K8S_115 | resource | DaemonSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1771 | CKV_K8S_115 | resource | Deployment | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1772 | CKV_K8S_115 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1773 | CKV_K8S_115 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1774 | CKV_K8S_115 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1775 | CKV_K8S_115 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1776 | CKV_K8S_115 | resource | ReplicationController | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1777 | CKV_K8S_115 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1778 | CKV_K8S_116 | resource | CronJob | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | +| 1779 | CKV_K8S_116 | resource | DaemonSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | +| 1780 | CKV_K8S_116 | resource | Deployment | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | +| 1781 | CKV_K8S_116 | resource | Job | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | +| 1782 | CKV_K8S_116 | resource | Pod | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | +| 1783 | CKV_K8S_116 | resource | PodTemplate | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | +| 1784 | CKV_K8S_116 | resource | ReplicaSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | +| 1785 | CKV_K8S_116 | resource | ReplicationController | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | +| 1786 | CKV_K8S_116 | resource | StatefulSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | +| 1787 | CKV_K8S_117 | resource | CronJob | Ensure that the --client-cert-auth argument is set to true | Kubernetes | +| 1788 | CKV_K8S_117 | resource | DaemonSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | +| 1789 | CKV_K8S_117 | resource | Deployment | Ensure that the --client-cert-auth argument is set to true | Kubernetes | +| 1790 | CKV_K8S_117 | resource | Job | Ensure that the --client-cert-auth argument is set to true | Kubernetes | +| 1791 | CKV_K8S_117 | resource | Pod | Ensure that the --client-cert-auth argument is set to true | Kubernetes | +| 1792 | CKV_K8S_117 | resource | PodTemplate | Ensure that the --client-cert-auth argument is set to true | Kubernetes | +| 1793 | CKV_K8S_117 | resource | ReplicaSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | +| 1794 | CKV_K8S_117 | resource | ReplicationController | Ensure that the --client-cert-auth argument is set to true | Kubernetes | +| 1795 | CKV_K8S_117 | resource | StatefulSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | +| 1796 | CKV_K8S_118 | resource | CronJob | Ensure that the --auto-tls argument is not set to true | Kubernetes | +| 1797 | CKV_K8S_118 | resource | DaemonSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | +| 1798 | CKV_K8S_118 | resource | Deployment | Ensure that the --auto-tls argument is not set to true | Kubernetes | +| 1799 | CKV_K8S_118 | resource | Job | Ensure that the --auto-tls argument is not set to true | Kubernetes | +| 1800 | CKV_K8S_118 | resource | Pod | Ensure that the --auto-tls argument is not set to true | Kubernetes | +| 1801 | CKV_K8S_118 | resource | PodTemplate | Ensure that the --auto-tls argument is not set to true | Kubernetes | +| 1802 | CKV_K8S_118 | resource | ReplicaSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | +| 1803 | CKV_K8S_118 | resource | ReplicationController | Ensure that the --auto-tls argument is not set to true | Kubernetes | +| 1804 | CKV_K8S_118 | resource | StatefulSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | +| 1805 | CKV_K8S_119 | resource | CronJob | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | +| 1806 | CKV_K8S_119 | resource | DaemonSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | +| 1807 | CKV_K8S_119 | resource | Deployment | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | +| 1808 | CKV_K8S_119 | resource | Job | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | +| 1809 | CKV_K8S_119 | resource | Pod | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | +| 1810 | CKV_K8S_119 | resource | PodTemplate | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | +| 1811 | CKV_K8S_119 | resource | ReplicaSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | +| 1812 | CKV_K8S_119 | resource | ReplicationController | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | +| 1813 | CKV_K8S_119 | resource | StatefulSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | +| 1814 | CKV_K8S_121 | resource | Pod | Ensure that the --peer-client-cert-auth argument is set to true | Kubernetes | +| 1815 | CKV_K8S_138 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1816 | CKV_K8S_138 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1817 | CKV_K8S_138 | resource | Deployment | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1818 | CKV_K8S_138 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1819 | CKV_K8S_138 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1820 | CKV_K8S_138 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1821 | CKV_K8S_138 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1822 | CKV_K8S_138 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1823 | CKV_K8S_138 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1824 | CKV_K8S_139 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1825 | CKV_K8S_139 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1826 | CKV_K8S_139 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1827 | CKV_K8S_139 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1828 | CKV_K8S_139 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1829 | CKV_K8S_139 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1830 | CKV_K8S_139 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1831 | CKV_K8S_139 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1832 | CKV_K8S_139 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1833 | CKV_K8S_140 | resource | CronJob | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | +| 1834 | CKV_K8S_140 | resource | DaemonSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | +| 1835 | CKV_K8S_140 | resource | Deployment | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | +| 1836 | CKV_K8S_140 | resource | Job | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | +| 1837 | CKV_K8S_140 | resource | Pod | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | +| 1838 | CKV_K8S_140 | resource | PodTemplate | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | +| 1839 | CKV_K8S_140 | resource | ReplicaSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | +| 1840 | CKV_K8S_140 | resource | ReplicationController | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | +| 1841 | CKV_K8S_140 | resource | StatefulSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | +| 1842 | CKV_K8S_141 | resource | CronJob | Ensure that the --read-only-port argument is set to 0 | Kubernetes | +| 1843 | CKV_K8S_141 | resource | DaemonSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | +| 1844 | CKV_K8S_141 | resource | Deployment | Ensure that the --read-only-port argument is set to 0 | Kubernetes | +| 1845 | CKV_K8S_141 | resource | Job | Ensure that the --read-only-port argument is set to 0 | Kubernetes | +| 1846 | CKV_K8S_141 | resource | Pod | Ensure that the --read-only-port argument is set to 0 | Kubernetes | +| 1847 | CKV_K8S_141 | resource | PodTemplate | Ensure that the --read-only-port argument is set to 0 | Kubernetes | +| 1848 | CKV_K8S_141 | resource | ReplicaSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | +| 1849 | CKV_K8S_141 | resource | ReplicationController | Ensure that the --read-only-port argument is set to 0 | Kubernetes | +| 1850 | CKV_K8S_141 | resource | StatefulSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | +| 1851 | CKV_K8S_143 | resource | CronJob | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | +| 1852 | CKV_K8S_143 | resource | DaemonSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | +| 1853 | CKV_K8S_143 | resource | Deployment | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | +| 1854 | CKV_K8S_143 | resource | Job | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | +| 1855 | CKV_K8S_143 | resource | Pod | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | +| 1856 | CKV_K8S_143 | resource | PodTemplate | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | +| 1857 | CKV_K8S_143 | resource | ReplicaSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | +| 1858 | CKV_K8S_143 | resource | ReplicationController | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | +| 1859 | CKV_K8S_143 | resource | StatefulSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | +| 1860 | CKV_K8S_144 | resource | CronJob | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | +| 1861 | CKV_K8S_144 | resource | DaemonSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | +| 1862 | CKV_K8S_144 | resource | Deployment | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | +| 1863 | CKV_K8S_144 | resource | Job | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | +| 1864 | CKV_K8S_144 | resource | Pod | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | +| 1865 | CKV_K8S_144 | resource | PodTemplate | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | +| 1866 | CKV_K8S_144 | resource | ReplicaSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | +| 1867 | CKV_K8S_144 | resource | ReplicationController | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | +| 1868 | CKV_K8S_144 | resource | StatefulSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | +| 1869 | CKV_K8S_145 | resource | CronJob | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | +| 1870 | CKV_K8S_145 | resource | DaemonSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | +| 1871 | CKV_K8S_145 | resource | Deployment | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | +| 1872 | CKV_K8S_145 | resource | Job | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | +| 1873 | CKV_K8S_145 | resource | Pod | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | +| 1874 | CKV_K8S_145 | resource | PodTemplate | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | +| 1875 | CKV_K8S_145 | resource | ReplicaSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | +| 1876 | CKV_K8S_145 | resource | ReplicationController | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | +| 1877 | CKV_K8S_145 | resource | StatefulSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | +| 1878 | CKV_K8S_146 | resource | CronJob | Ensure that the --hostname-override argument is not set | Kubernetes | +| 1879 | CKV_K8S_146 | resource | DaemonSet | Ensure that the --hostname-override argument is not set | Kubernetes | +| 1880 | CKV_K8S_146 | resource | Deployment | Ensure that the --hostname-override argument is not set | Kubernetes | +| 1881 | CKV_K8S_146 | resource | Job | Ensure that the --hostname-override argument is not set | Kubernetes | +| 1882 | CKV_K8S_146 | resource | Pod | Ensure that the --hostname-override argument is not set | Kubernetes | +| 1883 | CKV_K8S_146 | resource | PodTemplate | Ensure that the --hostname-override argument is not set | Kubernetes | +| 1884 | CKV_K8S_146 | resource | ReplicaSet | Ensure that the --hostname-override argument is not set | Kubernetes | +| 1885 | CKV_K8S_146 | resource | ReplicationController | Ensure that the --hostname-override argument is not set | Kubernetes | +| 1886 | CKV_K8S_146 | resource | StatefulSet | Ensure that the --hostname-override argument is not set | Kubernetes | +| 1887 | CKV_K8S_147 | resource | CronJob | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | +| 1888 | CKV_K8S_147 | resource | DaemonSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | +| 1889 | CKV_K8S_147 | resource | Deployment | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | +| 1890 | CKV_K8S_147 | resource | Job | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | +| 1891 | CKV_K8S_147 | resource | Pod | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | +| 1892 | CKV_K8S_147 | resource | PodTemplate | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | +| 1893 | CKV_K8S_147 | resource | ReplicaSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | +| 1894 | CKV_K8S_147 | resource | ReplicationController | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | +| 1895 | CKV_K8S_147 | resource | StatefulSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | +| 1896 | CKV_K8S_148 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1897 | CKV_K8S_148 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1898 | CKV_K8S_148 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1899 | CKV_K8S_148 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1900 | CKV_K8S_148 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1901 | CKV_K8S_148 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1902 | CKV_K8S_148 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1903 | CKV_K8S_148 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1904 | CKV_K8S_148 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1905 | CKV_K8S_149 | resource | CronJob | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | +| 1906 | CKV_K8S_149 | resource | DaemonSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | +| 1907 | CKV_K8S_149 | resource | Deployment | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | +| 1908 | CKV_K8S_149 | resource | Job | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | +| 1909 | CKV_K8S_149 | resource | Pod | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | +| 1910 | CKV_K8S_149 | resource | PodTemplate | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | +| 1911 | CKV_K8S_149 | resource | ReplicaSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | +| 1912 | CKV_K8S_149 | resource | ReplicationController | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | +| 1913 | CKV_K8S_149 | resource | StatefulSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | +| 1914 | CKV_K8S_151 | resource | CronJob | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1915 | CKV_K8S_151 | resource | DaemonSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1916 | CKV_K8S_151 | resource | Deployment | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1917 | CKV_K8S_151 | resource | Job | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1918 | CKV_K8S_151 | resource | Pod | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1919 | CKV_K8S_151 | resource | PodTemplate | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1920 | CKV_K8S_151 | resource | ReplicaSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1921 | CKV_K8S_151 | resource | ReplicationController | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1922 | CKV_K8S_151 | resource | StatefulSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1923 | CKV_K8S_152 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain LUA code execution. See CVE-2021-25742 | Kubernetes | +| 1924 | CKV_K8S_153 | resource | Ingress | Prevent All NGINX Ingress annotation snippets. See CVE-2021-25742 | Kubernetes | +| 1925 | CKV_K8S_154 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain alias statements See CVE-2021-25742 | Kubernetes | +| 1926 | CKV_K8S_155 | resource | ClusterRole | Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations | Kubernetes | +| 1927 | CKV_K8S_156 | resource | ClusterRole | Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests | Kubernetes | +| 1928 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | +| 1929 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | +| 1930 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | +| 1931 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | +| 1932 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | +| 1933 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | +| 1934 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | +| 1935 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | +| 1936 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | +| 1937 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | +| 1938 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | +| 1939 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | +| 1940 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | +| 1941 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | +| 1942 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | +| 1943 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | +| 1944 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | +| 1945 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | +| 1946 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | +| 1947 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | +| 1948 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | +| 1949 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | +| 1950 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | +| 1951 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has a minimum length of 14 characters | Terraform | +| 1952 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | +| 1953 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | +| 1954 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | +| 1955 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | +| 1956 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | +| 1957 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | +| 1958 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | +| 1959 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | +| 1960 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | +| 1961 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | +| 1962 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | +| 1963 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | +| 1964 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | +| 1965 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | +| 1966 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | +| 1967 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | +| 1968 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | +| 1969 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | +| 1970 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | +| 1971 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | +| 1972 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | +| 1973 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | +| 1974 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | +| 1975 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | +| 1976 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | +| 1977 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | +| 1978 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | +| 1979 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | +| 1980 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | +| 1981 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | +| 1982 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | +| 1983 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | +| 1984 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | +| 1985 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | +| 1986 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | +| 1987 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | +| 1988 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | +| 1989 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | +| 1990 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | +| 1991 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | +| 1992 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | +| 1993 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | +| 1994 | CKV_SECRET_1 | Artifactory Credentials | secrets | Artifactory Credentials | secrets | +| 1995 | CKV_SECRET_2 | AWS Access Key | secrets | AWS Access Key | secrets | +| 1996 | CKV_SECRET_3 | Azure Storage Account access key | secrets | Azure Storage Account access key | secrets | +| 1997 | CKV_SECRET_4 | Basic Auth Credentials | secrets | Basic Auth Credentials | secrets | +| 1998 | CKV_SECRET_5 | Cloudant Credentials | secrets | Cloudant Credentials | secrets | +| 1999 | CKV_SECRET_6 | Base64 High Entropy String | secrets | Base64 High Entropy String | secrets | +| 2000 | CKV_SECRET_7 | IBM Cloud IAM Key | secrets | IBM Cloud IAM Key | secrets | +| 2001 | CKV_SECRET_8 | IBM COS HMAC Credentials | secrets | IBM COS HMAC Credentials | secrets | +| 2002 | CKV_SECRET_9 | JSON Web Token | secrets | JSON Web Token | secrets | +| 2003 | CKV_SECRET_11 | Mailchimp Access Key | secrets | Mailchimp Access Key | secrets | +| 2004 | CKV_SECRET_12 | NPM tokens | secrets | NPM tokens | secrets | +| 2005 | CKV_SECRET_13 | Private Key | secrets | Private Key | secrets | +| 2006 | CKV_SECRET_14 | Slack Token | secrets | Slack Token | secrets | +| 2007 | CKV_SECRET_15 | SoftLayer Credentials | secrets | SoftLayer Credentials | secrets | +| 2008 | CKV_SECRET_16 | Square OAuth Secret | secrets | Square OAuth Secret | secrets | +| 2009 | CKV_SECRET_17 | Stripe Access Key | secrets | Stripe Access Key | secrets | +| 2010 | CKV_SECRET_18 | Twilio API Key | secrets | Twilio API Key | secrets | +| 2011 | CKV_SECRET_19 | Hex High Entropy String | secrets | Hex High Entropy String | secrets | --- diff --git a/docs/5.Policy Index/kubernetes.md b/docs/5.Policy Index/kubernetes.md index ec89696cc86..69f43214fd6 100644 --- a/docs/5.Policy Index/kubernetes.md +++ b/docs/5.Policy Index/kubernetes.md @@ -823,6 +823,8 @@ nav_order: 1 | 812 | CKV_K8S_152 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain LUA code execution. See CVE-2021-25742 | Kubernetes | | 813 | CKV_K8S_153 | resource | Ingress | Prevent All NGINX Ingress annotation snippets. See CVE-2021-25742 | Kubernetes | | 814 | CKV_K8S_154 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain alias statements See CVE-2021-25742 | Kubernetes | +| 815 | CKV_K8S_155 | resource | ClusterRole | Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations | Kubernetes | +| 816 | CKV_K8S_156 | resource | ClusterRole | Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests | Kubernetes | --- diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index 650dc802519..a117eb59a5c 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -33,871 +33,872 @@ nav_order: 1 | 22 | CKV_ALI_23 | resource | alicloud_ram_account_password_policy | Ensure Ram Account Password Policy Max Login Attempts not > 5 | Terraform | | 23 | CKV_ALI_24 | resource | alicloud_ram_account_password_policy | Ensure Ram Account Password Policy Max Age less than/equal to 90 days | Terraform | | 24 | CKV_ALI_25 | resource | alicloud_db_instance | Ensure RDS Instance SQL Collector Retention Period should be greater than 180 | Terraform | -| 25 | CKV_AWS_1 | data | aws_iam_policy_document | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 26 | CKV_AWS_2 | resource | aws_alb_listener | Ensure ALB protocol is HTTPS | Terraform | -| 27 | CKV_AWS_2 | resource | aws_lb_listener | Ensure ALB protocol is HTTPS | Terraform | -| 28 | CKV_AWS_3 | resource | aws_ebs_volume | Ensure all data stored in the EBS is securely encrypted | Terraform | -| 29 | CKV_AWS_5 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | -| 30 | CKV_AWS_5 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | -| 31 | CKV_AWS_6 | resource | aws_elasticsearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | -| 32 | CKV_AWS_6 | resource | aws_opensearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | -| 33 | CKV_AWS_7 | resource | aws_kms_key | Ensure rotation for customer created CMKs is enabled | Terraform | -| 34 | CKV_AWS_8 | resource | aws_instance | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | -| 35 | CKV_AWS_8 | resource | aws_launch_configuration | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | -| 36 | CKV_AWS_9 | resource | aws_iam_account_password_policy | Ensure IAM password policy expires passwords within 90 days or less | Terraform | -| 37 | CKV_AWS_10 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires minimum length of 14 or greater | Terraform | -| 38 | CKV_AWS_11 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one lowercase letter | Terraform | -| 39 | CKV_AWS_12 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one number | Terraform | -| 40 | CKV_AWS_13 | resource | aws_iam_account_password_policy | Ensure IAM password policy prevents password reuse | Terraform | -| 41 | CKV_AWS_14 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one symbol | Terraform | -| 42 | CKV_AWS_15 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one uppercase letter | Terraform | -| 43 | CKV_AWS_16 | resource | aws_db_instance | Ensure all data stored in the RDS is securely encrypted at rest | Terraform | -| 44 | CKV_AWS_17 | resource | aws_db_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | -| 45 | CKV_AWS_17 | resource | aws_rds_cluster_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | -| 46 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform | -| 47 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | -| 48 | CKV_AWS_19 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | -| 49 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. | Terraform | -| 50 | CKV_AWS_20 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public READ access. | Terraform | -| 51 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | -| 52 | CKV_AWS_21 | resource | aws_s3_bucket_versioning | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | -| 53 | CKV_AWS_22 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Notebook is encrypted at rest using KMS CMK | Terraform | -| 54 | CKV_AWS_23 | resource | aws_db_security_group | Ensure every security groups rule has a description | Terraform | -| 55 | CKV_AWS_23 | resource | aws_elasticache_security_group | Ensure every security groups rule has a description | Terraform | -| 56 | CKV_AWS_23 | resource | aws_redshift_security_group | Ensure every security groups rule has a description | Terraform | -| 57 | CKV_AWS_23 | resource | aws_security_group | Ensure every security groups rule has a description | Terraform | -| 58 | CKV_AWS_23 | resource | aws_security_group_rule | Ensure every security groups rule has a description | Terraform | -| 59 | CKV_AWS_24 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | -| 60 | CKV_AWS_24 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | -| 61 | CKV_AWS_25 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | -| 62 | CKV_AWS_25 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | -| 63 | CKV_AWS_26 | resource | aws_sns_topic | Ensure all data stored in the SNS topic is encrypted | Terraform | -| 64 | CKV_AWS_27 | resource | aws_sqs_queue | Ensure all data stored in the SQS queue is encrypted | Terraform | -| 65 | CKV_AWS_28 | resource | aws_dynamodb_table | Ensure Dynamodb point in time recovery (backup) is enabled | Terraform | -| 66 | CKV_AWS_29 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Terraform | -| 67 | CKV_AWS_30 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Terraform | -| 68 | CKV_AWS_31 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Terraform | -| 69 | CKV_AWS_32 | resource | aws_ecr_repository_policy | Ensure ECR policy is not set to public | Terraform | -| 70 | CKV_AWS_33 | resource | aws_kms_key | Ensure KMS key policy does not contain wildcard (*) principal | Terraform | -| 71 | CKV_AWS_34 | resource | aws_cloudfront_distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Terraform | -| 72 | CKV_AWS_35 | resource | aws_cloudtrail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Terraform | -| 73 | CKV_AWS_36 | resource | aws_cloudtrail | Ensure CloudTrail log file validation is enabled | Terraform | -| 74 | CKV_AWS_37 | resource | aws_eks_cluster | Ensure Amazon EKS control plane logging enabled for all log types | Terraform | -| 75 | CKV_AWS_38 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | Terraform | -| 76 | CKV_AWS_39 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint disabled | Terraform | -| 77 | CKV_AWS_40 | resource | aws_iam_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | -| 78 | CKV_AWS_40 | resource | aws_iam_user_policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | -| 79 | CKV_AWS_40 | resource | aws_iam_user_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | -| 80 | CKV_AWS_41 | provider | aws | Ensure no hard coded AWS access key and secret key exists in provider | Terraform | -| 81 | CKV_AWS_42 | resource | aws_efs_file_system | Ensure EFS is securely encrypted | Terraform | -| 82 | CKV_AWS_43 | resource | aws_kinesis_stream | Ensure Kinesis Stream is securely encrypted | Terraform | -| 83 | CKV_AWS_44 | resource | aws_neptune_cluster | Ensure Neptune storage is securely encrypted | Terraform | -| 84 | CKV_AWS_45 | resource | aws_lambda_function | Ensure no hard-coded secrets exist in lambda environment | Terraform | -| 85 | CKV_AWS_46 | resource | aws_instance | Ensure no hard-coded secrets exist in EC2 user data | Terraform | -| 86 | CKV_AWS_47 | resource | aws_dax_cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Terraform | -| 87 | CKV_AWS_48 | resource | aws_mq_broker | Ensure MQ Broker logging is enabled | Terraform | -| 88 | CKV_AWS_49 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 89 | CKV_AWS_50 | resource | aws_lambda_function | X-ray tracing is enabled for Lambda | Terraform | -| 90 | CKV_AWS_51 | resource | aws_ecr_repository | Ensure ECR Image Tags are immutable | Terraform | -| 91 | CKV_AWS_53 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public ACLS enabled | Terraform | -| 92 | CKV_AWS_54 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public policy enabled | Terraform | -| 93 | CKV_AWS_55 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has ignore public ACLs enabled | Terraform | -| 94 | CKV_AWS_56 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has 'restrict_public_bucket' enabled | Terraform | -| 95 | CKV_AWS_57 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | -| 96 | CKV_AWS_57 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | -| 97 | CKV_AWS_58 | resource | aws_eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Terraform | -| 98 | CKV_AWS_59 | resource | aws_api_gateway_method | Ensure there is no open access to back-end resources through API | Terraform | -| 99 | CKV_AWS_60 | resource | aws_iam_role | Ensure IAM role allows only specific services or principals to assume it | Terraform | -| 100 | CKV_AWS_61 | resource | aws_iam_role | Ensure IAM role allows only specific principals in account to assume it | Terraform | -| 101 | CKV_AWS_62 | resource | aws_iam_group_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 102 | CKV_AWS_62 | resource | aws_iam_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 103 | CKV_AWS_62 | resource | aws_iam_role_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 104 | CKV_AWS_62 | resource | aws_iam_user_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 105 | CKV_AWS_62 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 106 | CKV_AWS_63 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 107 | CKV_AWS_63 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 108 | CKV_AWS_63 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 109 | CKV_AWS_63 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 110 | CKV_AWS_63 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 111 | CKV_AWS_64 | resource | aws_redshift_cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Terraform | -| 112 | CKV_AWS_65 | resource | aws_ecs_cluster | Ensure container insights are enabled on ECS cluster | Terraform | -| 113 | CKV_AWS_66 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group specifies retention days | Terraform | -| 114 | CKV_AWS_67 | resource | aws_cloudtrail | Ensure CloudTrail is enabled in all Regions | Terraform | -| 115 | CKV_AWS_68 | resource | aws_cloudfront_distribution | CloudFront Distribution should have WAF enabled | Terraform | -| 116 | CKV_AWS_69 | resource | aws_mq_broker | Ensure MQ Broker is not publicly exposed | Terraform | -| 117 | CKV_AWS_70 | resource | aws_s3_bucket | Ensure S3 bucket does not allow an action with any Principal | Terraform | -| 118 | CKV_AWS_70 | resource | aws_s3_bucket_policy | Ensure S3 bucket does not allow an action with any Principal | Terraform | -| 119 | CKV_AWS_71 | resource | aws_redshift_cluster | Ensure Redshift Cluster logging is enabled | Terraform | -| 120 | CKV_AWS_72 | resource | aws_sqs_queue_policy | Ensure SQS policy does not allow ALL (*) actions. | Terraform | -| 121 | CKV_AWS_73 | resource | aws_api_gateway_stage | Ensure API Gateway has X-Ray Tracing enabled | Terraform | -| 122 | CKV_AWS_74 | resource | aws_docdb_cluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Terraform | -| 123 | CKV_AWS_75 | resource | aws_globalaccelerator_accelerator | Ensure Global Accelerator accelerator has flow logs enabled | Terraform | -| 124 | CKV_AWS_76 | resource | aws_api_gateway_stage | Ensure API Gateway has Access Logging enabled | Terraform | -| 125 | CKV_AWS_76 | resource | aws_apigatewayv2_stage | Ensure API Gateway has Access Logging enabled | Terraform | -| 126 | CKV_AWS_77 | resource | aws_athena_database | Ensure Athena Database is encrypted at rest (default is unencrypted) | Terraform | -| 127 | CKV_AWS_78 | resource | aws_codebuild_project | Ensure that CodeBuild Project encryption is not disabled | Terraform | -| 128 | CKV_AWS_79 | resource | aws_instance | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | -| 129 | CKV_AWS_79 | resource | aws_launch_configuration | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | -| 130 | CKV_AWS_79 | resource | aws_launch_template | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | -| 131 | CKV_AWS_80 | resource | aws_msk_cluster | Ensure MSK Cluster logging is enabled | Terraform | -| 132 | CKV_AWS_81 | resource | aws_msk_cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Terraform | -| 133 | CKV_AWS_82 | resource | aws_athena_workgroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Terraform | -| 134 | CKV_AWS_83 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | -| 135 | CKV_AWS_83 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | -| 136 | CKV_AWS_84 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | -| 137 | CKV_AWS_84 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | -| 138 | CKV_AWS_85 | resource | aws_docdb_cluster | Ensure DocDB Logging is enabled | Terraform | -| 139 | CKV_AWS_86 | resource | aws_cloudfront_distribution | Ensure Cloudfront distribution has Access Logging enabled | Terraform | -| 140 | CKV_AWS_87 | resource | aws_redshift_cluster | Redshift cluster should not be publicly accessible | Terraform | -| 141 | CKV_AWS_88 | resource | aws_instance | EC2 instance should not have public IP. | Terraform | -| 142 | CKV_AWS_88 | resource | aws_launch_template | EC2 instance should not have public IP. | Terraform | -| 143 | CKV_AWS_89 | resource | aws_dms_replication_instance | DMS replication instance should not be publicly accessible | Terraform | -| 144 | CKV_AWS_90 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB TLS is not disabled | Terraform | -| 145 | CKV_AWS_91 | resource | aws_alb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | -| 146 | CKV_AWS_91 | resource | aws_lb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | -| 147 | CKV_AWS_92 | resource | aws_elb | Ensure the ELB has access logging enabled | Terraform | -| 148 | CKV_AWS_93 | resource | aws_s3_bucket | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | -| 149 | CKV_AWS_93 | resource | aws_s3_bucket_policy | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | -| 150 | CKV_AWS_94 | resource | aws_glue_data_catalog_encryption_settings | Ensure Glue Data Catalog Encryption is enabled | Terraform | -| 151 | CKV_AWS_96 | resource | aws_rds_cluster | Ensure all data stored in Aurora is securely encrypted at rest | Terraform | -| 152 | CKV_AWS_97 | resource | aws_ecs_task_definition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Terraform | -| 153 | CKV_AWS_98 | resource | aws_sagemaker_endpoint_configuration | Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest | Terraform | -| 154 | CKV_AWS_99 | resource | aws_glue_security_configuration | Ensure Glue Security Configuration Encryption is enabled | Terraform | -| 155 | CKV_AWS_100 | resource | aws_eks_node_group | Ensure Amazon EKS Node group has implicit SSH access from 0.0.0.0/0 | Terraform | -| 156 | CKV_AWS_101 | resource | aws_neptune_cluster | Ensure Neptune logging is enabled | Terraform | -| 157 | CKV_AWS_102 | resource | aws_neptune_cluster_instance | Ensure Neptune Cluster instance is not publicly available | Terraform | -| 158 | CKV_AWS_103 | resource | aws_alb_listener | Ensure that load balancer is using TLS 1.2 | Terraform | -| 159 | CKV_AWS_103 | resource | aws_lb_listener | Ensure that load balancer is using TLS 1.2 | Terraform | -| 160 | CKV_AWS_104 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB has audit logs enabled | Terraform | -| 161 | CKV_AWS_105 | resource | aws_redshift_parameter_group | Ensure Redshift uses SSL | Terraform | -| 162 | CKV_AWS_106 | resource | aws_ebs_encryption_by_default | Ensure EBS default encryption is enabled | Terraform | -| 163 | CKV_AWS_107 | data | aws_iam_policy_document | Ensure IAM policies does not allow credentials exposure | Terraform | -| 164 | CKV_AWS_108 | data | aws_iam_policy_document | Ensure IAM policies does not allow data exfiltration | Terraform | -| 165 | CKV_AWS_109 | data | aws_iam_policy_document | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | -| 166 | CKV_AWS_110 | data | aws_iam_policy_document | Ensure IAM policies does not allow privilege escalation | Terraform | -| 167 | CKV_AWS_111 | data | aws_iam_policy_document | Ensure IAM policies does not allow write access without constraints | Terraform | -| 168 | CKV_AWS_112 | resource | aws_ssm_document | Ensure Session Manager data is encrypted in transit | Terraform | -| 169 | CKV_AWS_113 | resource | aws_ssm_document | Ensure Session Manager logs are enabled and encrypted | Terraform | -| 170 | CKV_AWS_114 | resource | aws_emr_cluster | Ensure that EMR clusters with Kerberos have Kerberos Realm set | Terraform | -| 171 | CKV_AWS_115 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Terraform | -| 172 | CKV_AWS_116 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Terraform | -| 173 | CKV_AWS_117 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured inside a VPC | Terraform | -| 174 | CKV_AWS_118 | resource | aws_db_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | -| 175 | CKV_AWS_118 | resource | aws_rds_cluster_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | -| 176 | CKV_AWS_119 | resource | aws_dynamodb_table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Terraform | -| 177 | CKV_AWS_120 | resource | aws_api_gateway_stage | Ensure API Gateway caching is enabled | Terraform | -| 178 | CKV_AWS_121 | resource | aws_config_configuration_aggregator | Ensure AWS Config is enabled in all regions | Terraform | -| 179 | CKV_AWS_122 | resource | aws_sagemaker_notebook_instance | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance | Terraform | -| 180 | CKV_AWS_123 | resource | aws_vpc_endpoint_service | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Terraform | -| 181 | CKV_AWS_124 | resource | aws_cloudformation_stack | Ensure that CloudFormation stacks are sending event notifications to an SNS topic | Terraform | -| 182 | CKV_AWS_126 | resource | aws_instance | Ensure that detailed monitoring is enabled for EC2 instances | Terraform | -| 183 | CKV_AWS_127 | resource | aws_elb | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager | Terraform | -| 184 | CKV_AWS_128 | resource | aws_rds_cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | Terraform | -| 185 | CKV_AWS_129 | resource | aws_db_instance | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled | Terraform | -| 186 | CKV_AWS_130 | resource | aws_subnet | Ensure VPC subnets do not assign public IP by default | Terraform | -| 187 | CKV_AWS_131 | resource | aws_alb | Ensure that ALB drops HTTP headers | Terraform | -| 188 | CKV_AWS_131 | resource | aws_lb | Ensure that ALB drops HTTP headers | Terraform | -| 189 | CKV_AWS_133 | resource | aws_db_instance | Ensure that RDS instances has backup policy | Terraform | -| 190 | CKV_AWS_133 | resource | aws_rds_cluster | Ensure that RDS instances has backup policy | Terraform | -| 191 | CKV_AWS_134 | resource | aws_elasticache_cluster | Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on | Terraform | -| 192 | CKV_AWS_135 | resource | aws_instance | Ensure that EC2 is EBS optimized | Terraform | -| 193 | CKV_AWS_136 | resource | aws_ecr_repository | Ensure that ECR repositories are encrypted using KMS | Terraform | -| 194 | CKV_AWS_137 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | -| 195 | CKV_AWS_137 | resource | aws_opensearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | -| 196 | CKV_AWS_138 | resource | aws_elb | Ensure that ELB is cross-zone-load-balancing enabled | Terraform | -| 197 | CKV_AWS_139 | resource | aws_rds_cluster | Ensure that RDS clusters have deletion protection enabled | Terraform | -| 198 | CKV_AWS_140 | resource | aws_rds_global_cluster | Ensure that RDS global clusters are encrypted | Terraform | -| 199 | CKV_AWS_141 | resource | aws_redshift_cluster | Ensured that redshift cluster allowing version upgrade by default | Terraform | -| 200 | CKV_AWS_142 | resource | aws_redshift_cluster | Ensure that Redshift cluster is encrypted by KMS | Terraform | -| 201 | CKV_AWS_143 | resource | aws_s3_bucket | Ensure that S3 bucket has lock configuration enabled by default | Terraform | -| 202 | CKV_AWS_144 | resource | aws_s3_bucket | Ensure that S3 bucket has cross-region replication enabled | Terraform | -| 203 | CKV_AWS_145 | resource | aws_s3_bucket | Ensure that S3 buckets are encrypted with KMS by default | Terraform | -| 204 | CKV_AWS_145 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure that S3 buckets are encrypted with KMS by default | Terraform | -| 205 | CKV_AWS_146 | resource | aws_db_cluster_snapshot | Ensure that RDS database cluster snapshot is encrypted | Terraform | -| 206 | CKV_AWS_147 | resource | aws_codebuild_project | Ensure that CodeBuild projects are encrypted | Terraform | -| 207 | CKV_AWS_148 | resource | aws_default_vpc | Ensure no default VPC is planned to be provisioned | Terraform | -| 208 | CKV_AWS_149 | resource | aws_secretsmanager_secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Terraform | -| 209 | CKV_AWS_150 | resource | aws_alb | Ensure that Load Balancer has deletion protection enabled | Terraform | -| 210 | CKV_AWS_150 | resource | aws_lb | Ensure that Load Balancer has deletion protection enabled | Terraform | -| 211 | CKV_AWS_152 | resource | aws_alb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | -| 212 | CKV_AWS_152 | resource | aws_lb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | -| 213 | CKV_AWS_153 | resource | aws_autoscaling_group | Autoscaling groups should supply tags to launch configurations | Terraform | -| 214 | CKV_AWS_154 | resource | aws_redshift_cluster | Ensure Redshift is not deployed outside of a VPC | Terraform | -| 215 | CKV_AWS_155 | resource | aws_workspaces_workspace | Ensure that Workspace user volumes are encrypted | Terraform | -| 216 | CKV_AWS_156 | resource | aws_workspaces_workspace | Ensure that Workspace root volumes are encrypted | Terraform | -| 217 | CKV_AWS_157 | resource | aws_db_instance | Ensure that RDS instances have Multi-AZ enabled | Terraform | -| 218 | CKV_AWS_158 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group is encrypted by KMS | Terraform | -| 219 | CKV_AWS_159 | resource | aws_athena_workgroup | Ensure that Athena Workgroup is encrypted | Terraform | -| 220 | CKV_AWS_160 | resource | aws_timestreamwrite_database | Ensure that Timestream database is encrypted with KMS CMK | Terraform | -| 221 | CKV_AWS_161 | resource | aws_db_instance | Ensure RDS database has IAM authentication enabled | Terraform | -| 222 | CKV_AWS_162 | resource | aws_rds_cluster | Ensure RDS cluster has IAM authentication enabled | Terraform | -| 223 | CKV_AWS_163 | resource | aws_ecr_repository | Ensure ECR image scanning on push is enabled | Terraform | -| 224 | CKV_AWS_164 | resource | aws_transfer_server | Ensure Transfer Server is not exposed publicly. | Terraform | -| 225 | CKV_AWS_165 | resource | aws_dynamodb_global_table | Ensure Dynamodb point in time recovery (backup) is enabled for global tables | Terraform | -| 226 | CKV_AWS_166 | resource | aws_backup_vault | Ensure Backup Vault is encrypted at rest using KMS CMK | Terraform | -| 227 | CKV_AWS_167 | resource | aws_glacier_vault | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it | Terraform | -| 228 | CKV_AWS_168 | resource | aws_sqs_queue | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | -| 229 | CKV_AWS_168 | resource | aws_sqs_queue_policy | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | -| 230 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform | -| 231 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | -| 232 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | -| 233 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | -| 234 | CKV_AWS_173 | resource | aws_lambda_function | Check encryption settings for Lambda environmental variable | Terraform | -| 235 | CKV_AWS_174 | resource | aws_cloudfront_distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Terraform | -| 236 | CKV_AWS_175 | resource | aws_waf_web_acl | Ensure WAF has associated rules | Terraform | -| 237 | CKV_AWS_175 | resource | aws_wafregional_web_acl | Ensure WAF has associated rules | Terraform | -| 238 | CKV_AWS_175 | resource | aws_wafv2_web_acl | Ensure WAF has associated rules | Terraform | -| 239 | CKV_AWS_176 | resource | aws_waf_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | -| 240 | CKV_AWS_176 | resource | aws_wafregional_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | -| 241 | CKV_AWS_177 | resource | aws_kinesis_video_stream | Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 242 | CKV_AWS_178 | resource | aws_fsx_ontap_file_system | Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 243 | CKV_AWS_179 | resource | aws_fsx_windows_file_system | Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 244 | CKV_AWS_180 | resource | aws_imagebuilder_component | Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 245 | CKV_AWS_181 | resource | aws_s3_object_copy | Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 246 | CKV_AWS_182 | resource | aws_docdb_cluster | Ensure Doc DB is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 247 | CKV_AWS_183 | resource | aws_ebs_snapshot_copy | Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 248 | CKV_AWS_184 | resource | aws_efs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 249 | CKV_AWS_185 | resource | aws_kinesis_stream | Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 250 | CKV_AWS_186 | resource | aws_s3_bucket_object | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 251 | CKV_AWS_187 | resource | aws_sagemaker_domain | Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 252 | CKV_AWS_188 | resource | aws_redshift_cluster | Ensure RedShift Cluster is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 253 | CKV_AWS_189 | resource | aws_ebs_volume | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 254 | CKV_AWS_190 | resource | aws_fsx_lustre_file_system | Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 255 | CKV_AWS_191 | resource | aws_elasticache_replication_group | Ensure Elasticache replication group is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 256 | CKV_AWS_192 | resource | aws_wafv2_web_acl | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | -| 257 | CKV_AWS_193 | resource | aws_appsync_graphql_api | Ensure AppSync has Logging enabled | Terraform | -| 258 | CKV_AWS_194 | resource | aws_appsync_graphql_api | Ensure AppSync has Field-Level logs enabled | Terraform | -| 259 | CKV_AWS_195 | resource | aws_glue_crawler | Ensure Glue component has a security configuration associated | Terraform | -| 260 | CKV_AWS_195 | resource | aws_glue_dev_endpoint | Ensure Glue component has a security configuration associated | Terraform | -| 261 | CKV_AWS_195 | resource | aws_glue_job | Ensure Glue component has a security configuration associated | Terraform | -| 262 | CKV_AWS_196 | resource | aws_elasticache_security_group | Ensure no aws_elasticache_security_group resources exist | Terraform | -| 263 | CKV_AWS_197 | resource | aws_mq_broker | Ensure MQ Broker Audit logging is enabled | Terraform | -| 264 | CKV_AWS_198 | resource | aws_db_security_group | Ensure no aws_db_security_group resources exist | Terraform | -| 265 | CKV_AWS_199 | resource | aws_imagebuilder_distribution_configuration | Ensure Image Builder Distribution Configuration encrypts AMI's using KMS - a customer managed Key (CMK) | Terraform | -| 266 | CKV_AWS_200 | resource | aws_imagebuilder_image_recipe | Ensure that Image Recipe EBS Disk are encrypted with CMK | Terraform | -| 267 | CKV_AWS_201 | resource | aws_memorydb_cluster | Ensure MemoryDB is encrypted at rest using KMS CMKs | Terraform | -| 268 | CKV_AWS_202 | resource | aws_memorydb_cluster | Ensure MemoryDB data is encrypted in transit | Terraform | -| 269 | CKV_AWS_203 | resource | aws_fsx_openzfs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 270 | CKV_AWS_204 | resource | aws_ami | Ensure AMIs are encrypted using KMS CMKs | Terraform | -| 271 | CKV_AWS_205 | resource | aws_ami_launch_permission | Ensure to Limit AMI launch Permissions | Terraform | -| 272 | CKV_AWS_206 | resource | aws_api_gateway_domain_name | Ensure API Gateway Domain uses a modern security Policy | Terraform | -| 273 | CKV_AWS_207 | resource | aws_mq_broker | Ensure MQ Broker minor version updates are enabled | Terraform | -| 274 | CKV_AWS_208 | resource | aws_mq_broker | Ensure MQBroker version is current | Terraform | -| 275 | CKV_AWS_208 | resource | aws_mq_configuration | Ensure MQBroker version is current | Terraform | -| 276 | CKV_AWS_209 | resource | aws_mq_broker | Ensure MQ broker encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 277 | CKV_AWS_210 | resource | aws_batch_job_definition | Batch job does not define a privileged container | Terraform | -| 278 | CKV_AWS_211 | resource | aws_db_instance | Ensure RDS uses a modern CaCert | Terraform | -| 279 | CKV_AWS_212 | resource | aws_dms_replication_instance | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 280 | CKV_AWS_213 | resource | aws_load_balancer_policy | Ensure ELB Policy uses only secure protocols | Terraform | -| 281 | CKV_AWS_214 | resource | aws_appsync_api_cache | Ensure Appsync API Cache is encrypted at rest | Terraform | -| 282 | CKV_AWS_215 | resource | aws_appsync_api_cache | Ensure Appsync API Cache is encrypted in transit | Terraform | -| 283 | CKV_AWS_216 | resource | aws_cloudfront_distribution | Ensure Cloudfront distribution is enabled | Terraform | -| 284 | CKV_AWS_217 | resource | aws_api_gateway_deployment | Ensure Create before destroy for API deployments | Terraform | -| 285 | CKV_AWS_218 | resource | aws_cloudsearch_domain | Ensure that Cloudsearch is using latest TLS | Terraform | -| 286 | CKV_AWS_219 | resource | aws_codepipeline | Ensure Code Pipeline Artifact store is using a KMS CMK | Terraform | -| 287 | CKV_AWS_220 | resource | aws_cloudsearch_domain | Ensure that Cloudsearch is using https | Terraform | -| 288 | CKV_AWS_221 | resource | aws_codeartifact_domain | Ensure Code artifact Domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | -| 289 | CKV_AWS_222 | resource | aws_dms_replication_instance | Ensure DMS instance gets all minor upgrade automatically | Terraform | -| 290 | CKV_AWS_223 | resource | aws_ecs_cluster | Ensure ECS Cluster enables logging of ECS Exec | Terraform | -| 291 | CKV_AWS_224 | resource | aws_ecs_cluster | Ensure Cluster logging with CMK | Terraform | -| 292 | CKV_AWS_225 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is enabled | Terraform | -| 293 | CKV_AWS_226 | resource | aws_db_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | -| 294 | CKV_AWS_226 | resource | aws_rds_cluster_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | -| 295 | CKV_AWS_227 | resource | aws_kms_key | Ensure KMS key is enabled | Terraform | -| 296 | CKV_AWS_228 | resource | aws_elasticsearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | -| 297 | CKV_AWS_228 | resource | aws_opensearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | -| 298 | CKV_AWS_229 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | -| 299 | CKV_AWS_229 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | -| 300 | CKV_AWS_230 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | -| 301 | CKV_AWS_230 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | -| 302 | CKV_AWS_231 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | -| 303 | CKV_AWS_231 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | -| 304 | CKV_AWS_232 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | -| 305 | CKV_AWS_232 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | -| 306 | CKV_AWS_233 | resource | aws_acm_certificate | Ensure Create before destroy for ACM certificates | Terraform | -| 307 | CKV_AWS_234 | resource | aws_acm_certificate | Verify logging preference for ACM certificates | Terraform | -| 308 | CKV_AWS_235 | resource | aws_ami_copy | Ensure that copied AMIs are encrypted | Terraform | -| 309 | CKV_AWS_236 | resource | aws_ami_copy | Ensure AMI copying uses a CMK | Terraform | -| 310 | CKV_AWS_237 | resource | aws_api_gateway_rest_api | Ensure Create before destroy for API GATEWAY | Terraform | -| 311 | CKV_AWS_238 | resource | aws_guardduty_detector | Ensure that Guard Duty detector is enabled | Terraform | -| 312 | CKV_AWS_239 | resource | aws_dax_cluster | Ensure DAX cluster endpoint is using TLS | Terraform | -| 313 | CKV_AWS_240 | resource | aws_kinesis_firehose_delivery_stream | Ensure Kinesis Firehose delivery stream is encrypted | Terraform | -| 314 | CKV_AWS_241 | resource | aws_kinesis_firehose_delivery_stream | Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK | Terraform | -| 315 | CKV_AWS_242 | resource | aws_mwaa_environment | Ensure MWAA environment has scheduler logs enabled | Terraform | -| 316 | CKV_AWS_243 | resource | aws_mwaa_environment | Ensure MWAA environment has worker logs enabled | Terraform | -| 317 | CKV_AWS_244 | resource | aws_mwaa_environment | Ensure MWAA environment has webserver logs enabled | Terraform | -| 318 | CKV_AWS_245 | resource | aws_db_instance_automated_backups_replication | Ensure replicated backups are encrypted at rest using KMS CMKs | Terraform | -| 319 | CKV_AWS_246 | resource | aws_rds_cluster_activity_stream | Ensure RDS Cluster activity streams are encrypted using KMS CMKs | Terraform | -| 320 | CKV_AWS_247 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | -| 321 | CKV_AWS_247 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | -| 322 | CKV_AWS_248 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | -| 323 | CKV_AWS_248 | resource | aws_opensearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | -| 324 | CKV_AWS_249 | resource | aws_ecs_task_definition | Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions | Terraform | -| 325 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 326 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 327 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 328 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 329 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 330 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 331 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 332 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 333 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to another resource | Terraform | -| 334 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 335 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 336 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 337 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 338 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | -| 339 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | -| 340 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | -| 341 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 342 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 343 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 344 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 345 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 346 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 347 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 348 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 349 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 350 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 351 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 352 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 353 | CKV2_AWS_20 | resource | aws_alb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 354 | CKV2_AWS_20 | resource | aws_alb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 355 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 356 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 357 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | -| 358 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | -| 359 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 360 | CKV2_AWS_27 | resource | aws_rds_cluster | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | -| 361 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | -| 362 | CKV2_AWS_28 | resource | aws_alb | Ensure public facing ALB are protected by WAF | Terraform | -| 363 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 364 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | -| 365 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | -| 366 | CKV2_AWS_30 | resource | aws_db_instance | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | -| 367 | CKV2_AWS_30 | resource | aws_db_parameter_group | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | -| 368 | CKV2_AWS_31 | resource | aws_wafv2_web_acl | Ensure WAF2 has a Logging Configuration | Terraform | -| 369 | CKV2_AWS_32 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a strict security headers policy attached | Terraform | -| 370 | CKV2_AWS_32 | resource | aws_cloudfront_response_headers_policy | Ensure CloudFront distribution has a strict security headers policy attached | Terraform | -| 371 | CKV2_AWS_33 | resource | aws_appsync_graphql_api | Ensure AppSync is protected by WAF | Terraform | -| 372 | CKV2_AWS_34 | resource | aws_ssm_parameter | AWS SSM Parameter should be Encrypted | Terraform | -| 373 | CKV2_AWS_35 | resource | aws_route | AWS NAT Gateways should be utilized for the default route | Terraform | -| 374 | CKV2_AWS_35 | resource | aws_route_table | AWS NAT Gateways should be utilized for the default route | Terraform | -| 375 | CKV2_AWS_36 | resource | aws_ssm_parameter | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | -| 376 | CKV2_AWS_36 | resource | data.http | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | -| 377 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | -| 378 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | -| 379 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | -| 380 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'Secure transfer required' is set to 'Enabled' | Terraform | -| 381 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | -| 382 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | -| 383 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | -| 384 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | -| 385 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kubernetes Dashboard is disabled | Terraform | -| 386 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | -| 387 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | -| 388 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | -| 389 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | -| 390 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 391 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 392 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 393 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 394 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | -| 395 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | -| 396 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | -| 397 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | -| 398 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | -| 399 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | -| 400 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | -| 401 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | -| 402 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | -| 403 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | -| 404 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | -| 405 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | -| 406 | CKV_AZURE_23 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | -| 407 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | -| 408 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | -| 409 | CKV_AZURE_24 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | -| 410 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | -| 411 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | -| 412 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | -| 413 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | -| 414 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | -| 415 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | -| 416 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 417 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 418 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 419 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | -| 420 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | -| 421 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | -| 422 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | -| 423 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | -| 424 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | -| 425 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | -| 426 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | -| 427 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | -| 428 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | -| 429 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | -| 430 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | -| 431 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure Storage Accounts adhere to the naming rules | Terraform | -| 432 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | -| 433 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | -| 434 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | -| 435 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | -| 436 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | -| 437 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | -| 438 | CKV_AZURE_50 | resource | azurerm_windows_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | -| 439 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | -| 440 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | -| 441 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | -| 442 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | -| 443 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | -| 444 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | -| 445 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | -| 446 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | -| 447 | CKV_AZURE_60 | resource | azurerm_storage_account | Ensure that storage account enables secure transfer | Terraform | -| 448 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | -| 449 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | -| 450 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | -| 451 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | -| 452 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | -| 453 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | -| 454 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | -| 455 | CKV_AZURE_67 | resource | azurerm_function_app_slot | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | -| 456 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | -| 457 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | -| 458 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | -| 459 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | -| 460 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | -| 461 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | -| 462 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | -| 463 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | -| 464 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | -| 465 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses disk encryption | Terraform | -| 466 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | -| 467 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | -| 468 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | -| 469 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | -| 470 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | -| 471 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | -| 472 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | -| 473 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | -| 474 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | -| 475 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | -| 476 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | -| 477 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | -| 478 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | -| 479 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | -| 480 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | -| 481 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | -| 482 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | -| 483 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | -| 484 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | -| 485 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | -| 486 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | -| 487 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | -| 488 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | -| 489 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | -| 490 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | -| 491 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | -| 492 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | -| 493 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | -| 494 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | -| 495 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | -| 496 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | -| 497 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | -| 498 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | -| 499 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | -| 500 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | -| 501 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | -| 502 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | -| 503 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | -| 504 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | -| 505 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | -| 506 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | -| 507 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | -| 508 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | -| 509 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | -| 510 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | -| 511 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | -| 512 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | -| 513 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | -| 514 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | -| 515 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | -| 516 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | -| 517 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | -| 518 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | -| 519 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | -| 520 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | -| 521 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | -| 522 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | -| 523 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | -| 524 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | -| 525 | CKV_AZURE_132 | resource | azurerm_cosmosdb_account | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Terraform | -| 526 | CKV_AZURE_133 | resource | azurerm_frontdoor_firewall_policy | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | -| 527 | CKV_AZURE_134 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable public network access | Terraform | -| 528 | CKV_AZURE_135 | resource | azurerm_web_application_firewall_policy | Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | -| 529 | CKV_AZURE_136 | resource | azurerm_postgresql_flexible_server | Ensure that PostgreSQL Flexible server enables geo-redundant backups | Terraform | -| 530 | CKV_AZURE_137 | resource | azurerm_container_registry | Ensure ACR admin account is disabled | Terraform | -| 531 | CKV_AZURE_138 | resource | azurerm_container_registry | Ensures that ACR disables anonymous pulling of images | Terraform | -| 532 | CKV_AZURE_139 | resource | azurerm_container_registry | Ensure ACR set to disable public networking | Terraform | -| 533 | CKV_AZURE_140 | resource | azurerm_cosmosdb_account | Ensure that Local Authentication is disabled on CosmosDB | Terraform | -| 534 | CKV_AZURE_141 | resource | azurerm_kubernetes_cluster | Ensure AKS local admin account is disabled | Terraform | -| 535 | CKV_AZURE_142 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Local Authentication is disabled | Terraform | -| 536 | CKV_AZURE_143 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster nodes do not have public IP addresses | Terraform | -| 537 | CKV_AZURE_144 | resource | azurerm_machine_learning_workspace | Ensure that Public Access is disabled for Machine Learning Workspace | Terraform | -| 538 | CKV_AZURE_145 | resource | azurerm_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | -| 539 | CKV_AZURE_146 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 540 | CKV_AZURE_147 | resource | azurerm_postgresql_server | Ensure PostgreSQL is using the latest version of TLS encryption | Terraform | -| 541 | CKV_AZURE_148 | resource | azurerm_redis_cache | Ensure Redis Cache is using the latest version of TLS encryption | Terraform | -| 542 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine | Ensure that Virtual machine does not enable password authentication | Terraform | -| 543 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine does not enable password authentication | Terraform | -| 544 | CKV_AZURE_150 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 | Terraform | -| 545 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform | -| 546 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform | -| 547 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | -| 548 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | -| 549 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | -| 550 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | -| 551 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | -| 552 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure that databricks workspace has not public | Terraform | -| 553 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | -| 554 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | -| 555 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 556 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 557 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 558 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 559 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 560 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 562 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | -| 563 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | -| 565 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | -| 566 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 569 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 570 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 571 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 573 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 574 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 575 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | -| 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 580 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 581 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 582 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | -| 583 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | -| 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 592 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 594 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 595 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 596 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 597 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 598 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | -| 599 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | -| 600 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | -| 601 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | -| 602 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | -| 603 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | -| 604 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | -| 605 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | -| 606 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | -| 607 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | -| 608 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | -| 609 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | -| 610 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | -| 611 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | -| 612 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | -| 613 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | -| 614 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | -| 615 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | -| 616 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | -| 617 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | -| 618 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | -| 619 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | -| 620 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | -| 621 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | -| 622 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | -| 623 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | -| 624 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | -| 625 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | -| 626 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | -| 627 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | -| 628 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | -| 629 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | -| 630 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | -| 631 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | -| 632 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | -| 633 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | -| 634 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | -| 635 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | -| 636 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform | -| 637 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | -| 638 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | -| 639 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | -| 640 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | -| 641 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | -| 642 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | -| 643 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | -| 644 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | -| 645 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | -| 646 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | -| 647 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | -| 648 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | -| 649 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | -| 650 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | -| 651 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | -| 652 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | -| 653 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 654 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 655 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | -| 656 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | -| 657 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | -| 658 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | -| 659 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | -| 660 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | -| 661 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | -| 662 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | -| 663 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | -| 664 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | -| 665 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | -| 666 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | -| 667 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | -| 668 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | -| 669 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | -| 670 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | -| 671 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | -| 672 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | -| 673 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | -| 674 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | -| 675 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | -| 676 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | -| 677 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | -| 678 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | -| 679 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | -| 680 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | -| 681 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | -| 682 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | -| 683 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | -| 684 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | -| 685 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | -| 686 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | -| 687 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | -| 688 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | -| 689 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | -| 690 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | -| 691 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | -| 692 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | -| 693 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | -| 694 | CKV_GCP_67 | resource | google_container_cluster | Ensure legacy Compute Engine instance metadata APIs are Disabled | Terraform | -| 695 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | -| 696 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | -| 697 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | -| 698 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | -| 699 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | -| 700 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | -| 701 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | -| 702 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | -| 703 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | -| 704 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | -| 705 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | -| 706 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | -| 707 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | -| 708 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | -| 709 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | -| 710 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 711 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 712 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | -| 713 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 714 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 715 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 716 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | -| 717 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | -| 718 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | -| 719 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | -| 720 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 721 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 722 | CKV_GCP_92 | resource | google_vertex_ai_dataset | Ensure Vertex AI datasets uses a CMK (Customer Manager Key) | Terraform | -| 723 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 724 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | -| 725 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | -| 726 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Manager Key) | Terraform | -| 727 | CKV_GCP_97 | resource | google_redis_instance | Ensure Memorystore for Redis uses intransit encryption | Terraform | -| 728 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | -| 729 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | -| 730 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | -| 731 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | -| 732 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | -| 733 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | -| 734 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | -| 735 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | -| 736 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | -| 737 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | -| 738 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | -| 739 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | -| 740 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | -| 741 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 742 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 744 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 745 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 746 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 747 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 748 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 749 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 750 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 751 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 752 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 753 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 754 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | -| 755 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | -| 756 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | -| 757 | CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | -| 758 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | -| 759 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | -| 760 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | -| 761 | CKV_GIT_2 | resource | github_repository_webhook | Ensure Repository Webhook uses secure Ssl | Terraform | -| 762 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | -| 763 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure Secrets are encrypted | Terraform | -| 764 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure Secrets are encrypted | Terraform | -| 765 | CKV_GIT_4 | resource | github_actions_secret | Ensure Secrets are encrypted | Terraform | -| 766 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host process ID namespace | Terraform | -| 767 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | -| 768 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host IPC namespace | Terraform | -| 769 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | -| 770 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | -| 771 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | -| 772 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | -| 773 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | -| 774 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | -| 775 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | -| 776 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | -| 777 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should be set | Terraform | -| 778 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | -| 779 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | -| 780 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | -| 781 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers | Terraform | -| 782 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | -| 783 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | -| 784 | CKV_K8S_19 | resource | kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | -| 785 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | -| 786 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | -| 787 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | -| 788 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | -| 789 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | -| 790 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | -| 791 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not be used | Terraform | -| 792 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | -| 793 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | -| 794 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | -| 795 | CKV_K8S_21 | resource | kubernetes_secret | The default namespace should not be used | Terraform | -| 796 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | -| 797 | CKV_K8S_21 | resource | kubernetes_service_account | The default namespace should not be used | Terraform | -| 798 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | -| 799 | CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | -| 800 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added capability | Terraform | -| 801 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | -| 802 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | -| 803 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | -| 804 | CKV_K8S_27 | resource | kubernetes_deployment | Do not expose the docker daemon socket to containers | Terraform | -| 805 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | -| 806 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | -| 807 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods and containers | Terraform | -| 808 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | -| 809 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | -| 810 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | -| 811 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | -| 812 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller (Helm v2) is not deployed | Terraform | -| 813 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets as environment variables | Terraform | -| 814 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | -| 815 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | -| 816 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | -| 817 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | -| 818 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | -| 819 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | -| 820 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | -| 821 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | -| 822 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | -| 823 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | -| 824 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | -| 825 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | -| 826 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | -| 827 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | -| 828 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | -| 829 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | -| 830 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | -| 831 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | -| 832 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | -| 833 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | -| 834 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | -| 835 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | -| 836 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | -| 837 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | -| 838 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | -| 839 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | -| 840 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | -| 841 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | -| 842 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | -| 843 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | -| 844 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | -| 845 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | -| 846 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | -| 847 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has a minimum length of 14 characters | Terraform | -| 848 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | -| 849 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | -| 850 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | -| 851 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | -| 852 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | -| 853 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | -| 854 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | -| 855 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | -| 856 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | -| 857 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | -| 858 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | -| 859 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | -| 860 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | -| 861 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | -| 862 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | -| 863 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | -| 864 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | -| 865 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | -| 866 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | -| 867 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | -| 868 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | -| 869 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | -| 870 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | -| 871 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | -| 872 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | -| 873 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | -| 874 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | -| 875 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | -| 876 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | -| 877 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | -| 878 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | -| 879 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | -| 880 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | -| 881 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | -| 882 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | -| 883 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | -| 884 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | -| 885 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | -| 886 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | -| 887 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | -| 888 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | -| 889 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | +| 25 | CKV_ALI_26 | resource | alicloud_cs_kubernetes | Ensure Kubernetes installs plugin Terway or Flannel to support standard policies | Terraform | +| 26 | CKV_AWS_1 | data | aws_iam_policy_document | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 27 | CKV_AWS_2 | resource | aws_alb_listener | Ensure ALB protocol is HTTPS | Terraform | +| 28 | CKV_AWS_2 | resource | aws_lb_listener | Ensure ALB protocol is HTTPS | Terraform | +| 29 | CKV_AWS_3 | resource | aws_ebs_volume | Ensure all data stored in the EBS is securely encrypted | Terraform | +| 30 | CKV_AWS_5 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | +| 31 | CKV_AWS_5 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | +| 32 | CKV_AWS_6 | resource | aws_elasticsearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | +| 33 | CKV_AWS_6 | resource | aws_opensearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | +| 34 | CKV_AWS_7 | resource | aws_kms_key | Ensure rotation for customer created CMKs is enabled | Terraform | +| 35 | CKV_AWS_8 | resource | aws_instance | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | +| 36 | CKV_AWS_8 | resource | aws_launch_configuration | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | +| 37 | CKV_AWS_9 | resource | aws_iam_account_password_policy | Ensure IAM password policy expires passwords within 90 days or less | Terraform | +| 38 | CKV_AWS_10 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires minimum length of 14 or greater | Terraform | +| 39 | CKV_AWS_11 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one lowercase letter | Terraform | +| 40 | CKV_AWS_12 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one number | Terraform | +| 41 | CKV_AWS_13 | resource | aws_iam_account_password_policy | Ensure IAM password policy prevents password reuse | Terraform | +| 42 | CKV_AWS_14 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one symbol | Terraform | +| 43 | CKV_AWS_15 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one uppercase letter | Terraform | +| 44 | CKV_AWS_16 | resource | aws_db_instance | Ensure all data stored in the RDS is securely encrypted at rest | Terraform | +| 45 | CKV_AWS_17 | resource | aws_db_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | +| 46 | CKV_AWS_17 | resource | aws_rds_cluster_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | +| 47 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform | +| 48 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | +| 49 | CKV_AWS_19 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | +| 50 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. | Terraform | +| 51 | CKV_AWS_20 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public READ access. | Terraform | +| 52 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | +| 53 | CKV_AWS_21 | resource | aws_s3_bucket_versioning | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | +| 54 | CKV_AWS_22 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Notebook is encrypted at rest using KMS CMK | Terraform | +| 55 | CKV_AWS_23 | resource | aws_db_security_group | Ensure every security groups rule has a description | Terraform | +| 56 | CKV_AWS_23 | resource | aws_elasticache_security_group | Ensure every security groups rule has a description | Terraform | +| 57 | CKV_AWS_23 | resource | aws_redshift_security_group | Ensure every security groups rule has a description | Terraform | +| 58 | CKV_AWS_23 | resource | aws_security_group | Ensure every security groups rule has a description | Terraform | +| 59 | CKV_AWS_23 | resource | aws_security_group_rule | Ensure every security groups rule has a description | Terraform | +| 60 | CKV_AWS_24 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | +| 61 | CKV_AWS_24 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | +| 62 | CKV_AWS_25 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | +| 63 | CKV_AWS_25 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | +| 64 | CKV_AWS_26 | resource | aws_sns_topic | Ensure all data stored in the SNS topic is encrypted | Terraform | +| 65 | CKV_AWS_27 | resource | aws_sqs_queue | Ensure all data stored in the SQS queue is encrypted | Terraform | +| 66 | CKV_AWS_28 | resource | aws_dynamodb_table | Ensure Dynamodb point in time recovery (backup) is enabled | Terraform | +| 67 | CKV_AWS_29 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Terraform | +| 68 | CKV_AWS_30 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Terraform | +| 69 | CKV_AWS_31 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Terraform | +| 70 | CKV_AWS_32 | resource | aws_ecr_repository_policy | Ensure ECR policy is not set to public | Terraform | +| 71 | CKV_AWS_33 | resource | aws_kms_key | Ensure KMS key policy does not contain wildcard (*) principal | Terraform | +| 72 | CKV_AWS_34 | resource | aws_cloudfront_distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Terraform | +| 73 | CKV_AWS_35 | resource | aws_cloudtrail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Terraform | +| 74 | CKV_AWS_36 | resource | aws_cloudtrail | Ensure CloudTrail log file validation is enabled | Terraform | +| 75 | CKV_AWS_37 | resource | aws_eks_cluster | Ensure Amazon EKS control plane logging enabled for all log types | Terraform | +| 76 | CKV_AWS_38 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | Terraform | +| 77 | CKV_AWS_39 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint disabled | Terraform | +| 78 | CKV_AWS_40 | resource | aws_iam_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | +| 79 | CKV_AWS_40 | resource | aws_iam_user_policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | +| 80 | CKV_AWS_40 | resource | aws_iam_user_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | +| 81 | CKV_AWS_41 | provider | aws | Ensure no hard coded AWS access key and secret key exists in provider | Terraform | +| 82 | CKV_AWS_42 | resource | aws_efs_file_system | Ensure EFS is securely encrypted | Terraform | +| 83 | CKV_AWS_43 | resource | aws_kinesis_stream | Ensure Kinesis Stream is securely encrypted | Terraform | +| 84 | CKV_AWS_44 | resource | aws_neptune_cluster | Ensure Neptune storage is securely encrypted | Terraform | +| 85 | CKV_AWS_45 | resource | aws_lambda_function | Ensure no hard-coded secrets exist in lambda environment | Terraform | +| 86 | CKV_AWS_46 | resource | aws_instance | Ensure no hard-coded secrets exist in EC2 user data | Terraform | +| 87 | CKV_AWS_47 | resource | aws_dax_cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Terraform | +| 88 | CKV_AWS_48 | resource | aws_mq_broker | Ensure MQ Broker logging is enabled | Terraform | +| 89 | CKV_AWS_49 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 90 | CKV_AWS_50 | resource | aws_lambda_function | X-ray tracing is enabled for Lambda | Terraform | +| 91 | CKV_AWS_51 | resource | aws_ecr_repository | Ensure ECR Image Tags are immutable | Terraform | +| 92 | CKV_AWS_53 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public ACLS enabled | Terraform | +| 93 | CKV_AWS_54 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public policy enabled | Terraform | +| 94 | CKV_AWS_55 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has ignore public ACLs enabled | Terraform | +| 95 | CKV_AWS_56 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has 'restrict_public_bucket' enabled | Terraform | +| 96 | CKV_AWS_57 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | +| 97 | CKV_AWS_57 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | +| 98 | CKV_AWS_58 | resource | aws_eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Terraform | +| 99 | CKV_AWS_59 | resource | aws_api_gateway_method | Ensure there is no open access to back-end resources through API | Terraform | +| 100 | CKV_AWS_60 | resource | aws_iam_role | Ensure IAM role allows only specific services or principals to assume it | Terraform | +| 101 | CKV_AWS_61 | resource | aws_iam_role | Ensure IAM role allows only specific principals in account to assume it | Terraform | +| 102 | CKV_AWS_62 | resource | aws_iam_group_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 103 | CKV_AWS_62 | resource | aws_iam_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 104 | CKV_AWS_62 | resource | aws_iam_role_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 105 | CKV_AWS_62 | resource | aws_iam_user_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 106 | CKV_AWS_62 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 107 | CKV_AWS_63 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 108 | CKV_AWS_63 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 109 | CKV_AWS_63 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 110 | CKV_AWS_63 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 111 | CKV_AWS_63 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 112 | CKV_AWS_64 | resource | aws_redshift_cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Terraform | +| 113 | CKV_AWS_65 | resource | aws_ecs_cluster | Ensure container insights are enabled on ECS cluster | Terraform | +| 114 | CKV_AWS_66 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group specifies retention days | Terraform | +| 115 | CKV_AWS_67 | resource | aws_cloudtrail | Ensure CloudTrail is enabled in all Regions | Terraform | +| 116 | CKV_AWS_68 | resource | aws_cloudfront_distribution | CloudFront Distribution should have WAF enabled | Terraform | +| 117 | CKV_AWS_69 | resource | aws_mq_broker | Ensure MQ Broker is not publicly exposed | Terraform | +| 118 | CKV_AWS_70 | resource | aws_s3_bucket | Ensure S3 bucket does not allow an action with any Principal | Terraform | +| 119 | CKV_AWS_70 | resource | aws_s3_bucket_policy | Ensure S3 bucket does not allow an action with any Principal | Terraform | +| 120 | CKV_AWS_71 | resource | aws_redshift_cluster | Ensure Redshift Cluster logging is enabled | Terraform | +| 121 | CKV_AWS_72 | resource | aws_sqs_queue_policy | Ensure SQS policy does not allow ALL (*) actions. | Terraform | +| 122 | CKV_AWS_73 | resource | aws_api_gateway_stage | Ensure API Gateway has X-Ray Tracing enabled | Terraform | +| 123 | CKV_AWS_74 | resource | aws_docdb_cluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Terraform | +| 124 | CKV_AWS_75 | resource | aws_globalaccelerator_accelerator | Ensure Global Accelerator accelerator has flow logs enabled | Terraform | +| 125 | CKV_AWS_76 | resource | aws_api_gateway_stage | Ensure API Gateway has Access Logging enabled | Terraform | +| 126 | CKV_AWS_76 | resource | aws_apigatewayv2_stage | Ensure API Gateway has Access Logging enabled | Terraform | +| 127 | CKV_AWS_77 | resource | aws_athena_database | Ensure Athena Database is encrypted at rest (default is unencrypted) | Terraform | +| 128 | CKV_AWS_78 | resource | aws_codebuild_project | Ensure that CodeBuild Project encryption is not disabled | Terraform | +| 129 | CKV_AWS_79 | resource | aws_instance | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | +| 130 | CKV_AWS_79 | resource | aws_launch_configuration | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | +| 131 | CKV_AWS_79 | resource | aws_launch_template | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | +| 132 | CKV_AWS_80 | resource | aws_msk_cluster | Ensure MSK Cluster logging is enabled | Terraform | +| 133 | CKV_AWS_81 | resource | aws_msk_cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Terraform | +| 134 | CKV_AWS_82 | resource | aws_athena_workgroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Terraform | +| 135 | CKV_AWS_83 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | +| 136 | CKV_AWS_83 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | +| 137 | CKV_AWS_84 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | +| 138 | CKV_AWS_84 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | +| 139 | CKV_AWS_85 | resource | aws_docdb_cluster | Ensure DocDB Logging is enabled | Terraform | +| 140 | CKV_AWS_86 | resource | aws_cloudfront_distribution | Ensure Cloudfront distribution has Access Logging enabled | Terraform | +| 141 | CKV_AWS_87 | resource | aws_redshift_cluster | Redshift cluster should not be publicly accessible | Terraform | +| 142 | CKV_AWS_88 | resource | aws_instance | EC2 instance should not have public IP. | Terraform | +| 143 | CKV_AWS_88 | resource | aws_launch_template | EC2 instance should not have public IP. | Terraform | +| 144 | CKV_AWS_89 | resource | aws_dms_replication_instance | DMS replication instance should not be publicly accessible | Terraform | +| 145 | CKV_AWS_90 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB TLS is not disabled | Terraform | +| 146 | CKV_AWS_91 | resource | aws_alb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | +| 147 | CKV_AWS_91 | resource | aws_lb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | +| 148 | CKV_AWS_92 | resource | aws_elb | Ensure the ELB has access logging enabled | Terraform | +| 149 | CKV_AWS_93 | resource | aws_s3_bucket | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | +| 150 | CKV_AWS_93 | resource | aws_s3_bucket_policy | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | +| 151 | CKV_AWS_94 | resource | aws_glue_data_catalog_encryption_settings | Ensure Glue Data Catalog Encryption is enabled | Terraform | +| 152 | CKV_AWS_96 | resource | aws_rds_cluster | Ensure all data stored in Aurora is securely encrypted at rest | Terraform | +| 153 | CKV_AWS_97 | resource | aws_ecs_task_definition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Terraform | +| 154 | CKV_AWS_98 | resource | aws_sagemaker_endpoint_configuration | Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest | Terraform | +| 155 | CKV_AWS_99 | resource | aws_glue_security_configuration | Ensure Glue Security Configuration Encryption is enabled | Terraform | +| 156 | CKV_AWS_100 | resource | aws_eks_node_group | Ensure Amazon EKS Node group has implicit SSH access from 0.0.0.0/0 | Terraform | +| 157 | CKV_AWS_101 | resource | aws_neptune_cluster | Ensure Neptune logging is enabled | Terraform | +| 158 | CKV_AWS_102 | resource | aws_neptune_cluster_instance | Ensure Neptune Cluster instance is not publicly available | Terraform | +| 159 | CKV_AWS_103 | resource | aws_alb_listener | Ensure that load balancer is using TLS 1.2 | Terraform | +| 160 | CKV_AWS_103 | resource | aws_lb_listener | Ensure that load balancer is using TLS 1.2 | Terraform | +| 161 | CKV_AWS_104 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB has audit logs enabled | Terraform | +| 162 | CKV_AWS_105 | resource | aws_redshift_parameter_group | Ensure Redshift uses SSL | Terraform | +| 163 | CKV_AWS_106 | resource | aws_ebs_encryption_by_default | Ensure EBS default encryption is enabled | Terraform | +| 164 | CKV_AWS_107 | data | aws_iam_policy_document | Ensure IAM policies does not allow credentials exposure | Terraform | +| 165 | CKV_AWS_108 | data | aws_iam_policy_document | Ensure IAM policies does not allow data exfiltration | Terraform | +| 166 | CKV_AWS_109 | data | aws_iam_policy_document | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | +| 167 | CKV_AWS_110 | data | aws_iam_policy_document | Ensure IAM policies does not allow privilege escalation | Terraform | +| 168 | CKV_AWS_111 | data | aws_iam_policy_document | Ensure IAM policies does not allow write access without constraints | Terraform | +| 169 | CKV_AWS_112 | resource | aws_ssm_document | Ensure Session Manager data is encrypted in transit | Terraform | +| 170 | CKV_AWS_113 | resource | aws_ssm_document | Ensure Session Manager logs are enabled and encrypted | Terraform | +| 171 | CKV_AWS_114 | resource | aws_emr_cluster | Ensure that EMR clusters with Kerberos have Kerberos Realm set | Terraform | +| 172 | CKV_AWS_115 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Terraform | +| 173 | CKV_AWS_116 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Terraform | +| 174 | CKV_AWS_117 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured inside a VPC | Terraform | +| 175 | CKV_AWS_118 | resource | aws_db_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | +| 176 | CKV_AWS_118 | resource | aws_rds_cluster_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | +| 177 | CKV_AWS_119 | resource | aws_dynamodb_table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Terraform | +| 178 | CKV_AWS_120 | resource | aws_api_gateway_stage | Ensure API Gateway caching is enabled | Terraform | +| 179 | CKV_AWS_121 | resource | aws_config_configuration_aggregator | Ensure AWS Config is enabled in all regions | Terraform | +| 180 | CKV_AWS_122 | resource | aws_sagemaker_notebook_instance | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance | Terraform | +| 181 | CKV_AWS_123 | resource | aws_vpc_endpoint_service | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Terraform | +| 182 | CKV_AWS_124 | resource | aws_cloudformation_stack | Ensure that CloudFormation stacks are sending event notifications to an SNS topic | Terraform | +| 183 | CKV_AWS_126 | resource | aws_instance | Ensure that detailed monitoring is enabled for EC2 instances | Terraform | +| 184 | CKV_AWS_127 | resource | aws_elb | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager | Terraform | +| 185 | CKV_AWS_128 | resource | aws_rds_cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | Terraform | +| 186 | CKV_AWS_129 | resource | aws_db_instance | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled | Terraform | +| 187 | CKV_AWS_130 | resource | aws_subnet | Ensure VPC subnets do not assign public IP by default | Terraform | +| 188 | CKV_AWS_131 | resource | aws_alb | Ensure that ALB drops HTTP headers | Terraform | +| 189 | CKV_AWS_131 | resource | aws_lb | Ensure that ALB drops HTTP headers | Terraform | +| 190 | CKV_AWS_133 | resource | aws_db_instance | Ensure that RDS instances has backup policy | Terraform | +| 191 | CKV_AWS_133 | resource | aws_rds_cluster | Ensure that RDS instances has backup policy | Terraform | +| 192 | CKV_AWS_134 | resource | aws_elasticache_cluster | Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on | Terraform | +| 193 | CKV_AWS_135 | resource | aws_instance | Ensure that EC2 is EBS optimized | Terraform | +| 194 | CKV_AWS_136 | resource | aws_ecr_repository | Ensure that ECR repositories are encrypted using KMS | Terraform | +| 195 | CKV_AWS_137 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | +| 196 | CKV_AWS_137 | resource | aws_opensearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | +| 197 | CKV_AWS_138 | resource | aws_elb | Ensure that ELB is cross-zone-load-balancing enabled | Terraform | +| 198 | CKV_AWS_139 | resource | aws_rds_cluster | Ensure that RDS clusters have deletion protection enabled | Terraform | +| 199 | CKV_AWS_140 | resource | aws_rds_global_cluster | Ensure that RDS global clusters are encrypted | Terraform | +| 200 | CKV_AWS_141 | resource | aws_redshift_cluster | Ensured that redshift cluster allowing version upgrade by default | Terraform | +| 201 | CKV_AWS_142 | resource | aws_redshift_cluster | Ensure that Redshift cluster is encrypted by KMS | Terraform | +| 202 | CKV_AWS_143 | resource | aws_s3_bucket | Ensure that S3 bucket has lock configuration enabled by default | Terraform | +| 203 | CKV_AWS_144 | resource | aws_s3_bucket | Ensure that S3 bucket has cross-region replication enabled | Terraform | +| 204 | CKV_AWS_145 | resource | aws_s3_bucket | Ensure that S3 buckets are encrypted with KMS by default | Terraform | +| 205 | CKV_AWS_145 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure that S3 buckets are encrypted with KMS by default | Terraform | +| 206 | CKV_AWS_146 | resource | aws_db_cluster_snapshot | Ensure that RDS database cluster snapshot is encrypted | Terraform | +| 207 | CKV_AWS_147 | resource | aws_codebuild_project | Ensure that CodeBuild projects are encrypted | Terraform | +| 208 | CKV_AWS_148 | resource | aws_default_vpc | Ensure no default VPC is planned to be provisioned | Terraform | +| 209 | CKV_AWS_149 | resource | aws_secretsmanager_secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Terraform | +| 210 | CKV_AWS_150 | resource | aws_alb | Ensure that Load Balancer has deletion protection enabled | Terraform | +| 211 | CKV_AWS_150 | resource | aws_lb | Ensure that Load Balancer has deletion protection enabled | Terraform | +| 212 | CKV_AWS_152 | resource | aws_alb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | +| 213 | CKV_AWS_152 | resource | aws_lb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | +| 214 | CKV_AWS_153 | resource | aws_autoscaling_group | Autoscaling groups should supply tags to launch configurations | Terraform | +| 215 | CKV_AWS_154 | resource | aws_redshift_cluster | Ensure Redshift is not deployed outside of a VPC | Terraform | +| 216 | CKV_AWS_155 | resource | aws_workspaces_workspace | Ensure that Workspace user volumes are encrypted | Terraform | +| 217 | CKV_AWS_156 | resource | aws_workspaces_workspace | Ensure that Workspace root volumes are encrypted | Terraform | +| 218 | CKV_AWS_157 | resource | aws_db_instance | Ensure that RDS instances have Multi-AZ enabled | Terraform | +| 219 | CKV_AWS_158 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group is encrypted by KMS | Terraform | +| 220 | CKV_AWS_159 | resource | aws_athena_workgroup | Ensure that Athena Workgroup is encrypted | Terraform | +| 221 | CKV_AWS_160 | resource | aws_timestreamwrite_database | Ensure that Timestream database is encrypted with KMS CMK | Terraform | +| 222 | CKV_AWS_161 | resource | aws_db_instance | Ensure RDS database has IAM authentication enabled | Terraform | +| 223 | CKV_AWS_162 | resource | aws_rds_cluster | Ensure RDS cluster has IAM authentication enabled | Terraform | +| 224 | CKV_AWS_163 | resource | aws_ecr_repository | Ensure ECR image scanning on push is enabled | Terraform | +| 225 | CKV_AWS_164 | resource | aws_transfer_server | Ensure Transfer Server is not exposed publicly. | Terraform | +| 226 | CKV_AWS_165 | resource | aws_dynamodb_global_table | Ensure Dynamodb point in time recovery (backup) is enabled for global tables | Terraform | +| 227 | CKV_AWS_166 | resource | aws_backup_vault | Ensure Backup Vault is encrypted at rest using KMS CMK | Terraform | +| 228 | CKV_AWS_167 | resource | aws_glacier_vault | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it | Terraform | +| 229 | CKV_AWS_168 | resource | aws_sqs_queue | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | +| 230 | CKV_AWS_168 | resource | aws_sqs_queue_policy | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | +| 231 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform | +| 232 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | +| 233 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | +| 234 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | +| 235 | CKV_AWS_173 | resource | aws_lambda_function | Check encryption settings for Lambda environmental variable | Terraform | +| 236 | CKV_AWS_174 | resource | aws_cloudfront_distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Terraform | +| 237 | CKV_AWS_175 | resource | aws_waf_web_acl | Ensure WAF has associated rules | Terraform | +| 238 | CKV_AWS_175 | resource | aws_wafregional_web_acl | Ensure WAF has associated rules | Terraform | +| 239 | CKV_AWS_175 | resource | aws_wafv2_web_acl | Ensure WAF has associated rules | Terraform | +| 240 | CKV_AWS_176 | resource | aws_waf_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | +| 241 | CKV_AWS_176 | resource | aws_wafregional_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | +| 242 | CKV_AWS_177 | resource | aws_kinesis_video_stream | Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 243 | CKV_AWS_178 | resource | aws_fsx_ontap_file_system | Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 244 | CKV_AWS_179 | resource | aws_fsx_windows_file_system | Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 245 | CKV_AWS_180 | resource | aws_imagebuilder_component | Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 246 | CKV_AWS_181 | resource | aws_s3_object_copy | Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 247 | CKV_AWS_182 | resource | aws_docdb_cluster | Ensure Doc DB is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 248 | CKV_AWS_183 | resource | aws_ebs_snapshot_copy | Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 249 | CKV_AWS_184 | resource | aws_efs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 250 | CKV_AWS_185 | resource | aws_kinesis_stream | Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 251 | CKV_AWS_186 | resource | aws_s3_bucket_object | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 252 | CKV_AWS_187 | resource | aws_sagemaker_domain | Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 253 | CKV_AWS_188 | resource | aws_redshift_cluster | Ensure RedShift Cluster is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 254 | CKV_AWS_189 | resource | aws_ebs_volume | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 255 | CKV_AWS_190 | resource | aws_fsx_lustre_file_system | Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 256 | CKV_AWS_191 | resource | aws_elasticache_replication_group | Ensure Elasticache replication group is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 257 | CKV_AWS_192 | resource | aws_wafv2_web_acl | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | +| 258 | CKV_AWS_193 | resource | aws_appsync_graphql_api | Ensure AppSync has Logging enabled | Terraform | +| 259 | CKV_AWS_194 | resource | aws_appsync_graphql_api | Ensure AppSync has Field-Level logs enabled | Terraform | +| 260 | CKV_AWS_195 | resource | aws_glue_crawler | Ensure Glue component has a security configuration associated | Terraform | +| 261 | CKV_AWS_195 | resource | aws_glue_dev_endpoint | Ensure Glue component has a security configuration associated | Terraform | +| 262 | CKV_AWS_195 | resource | aws_glue_job | Ensure Glue component has a security configuration associated | Terraform | +| 263 | CKV_AWS_196 | resource | aws_elasticache_security_group | Ensure no aws_elasticache_security_group resources exist | Terraform | +| 264 | CKV_AWS_197 | resource | aws_mq_broker | Ensure MQ Broker Audit logging is enabled | Terraform | +| 265 | CKV_AWS_198 | resource | aws_db_security_group | Ensure no aws_db_security_group resources exist | Terraform | +| 266 | CKV_AWS_199 | resource | aws_imagebuilder_distribution_configuration | Ensure Image Builder Distribution Configuration encrypts AMI's using KMS - a customer managed Key (CMK) | Terraform | +| 267 | CKV_AWS_200 | resource | aws_imagebuilder_image_recipe | Ensure that Image Recipe EBS Disk are encrypted with CMK | Terraform | +| 268 | CKV_AWS_201 | resource | aws_memorydb_cluster | Ensure MemoryDB is encrypted at rest using KMS CMKs | Terraform | +| 269 | CKV_AWS_202 | resource | aws_memorydb_cluster | Ensure MemoryDB data is encrypted in transit | Terraform | +| 270 | CKV_AWS_203 | resource | aws_fsx_openzfs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 271 | CKV_AWS_204 | resource | aws_ami | Ensure AMIs are encrypted using KMS CMKs | Terraform | +| 272 | CKV_AWS_205 | resource | aws_ami_launch_permission | Ensure to Limit AMI launch Permissions | Terraform | +| 273 | CKV_AWS_206 | resource | aws_api_gateway_domain_name | Ensure API Gateway Domain uses a modern security Policy | Terraform | +| 274 | CKV_AWS_207 | resource | aws_mq_broker | Ensure MQ Broker minor version updates are enabled | Terraform | +| 275 | CKV_AWS_208 | resource | aws_mq_broker | Ensure MQBroker version is current | Terraform | +| 276 | CKV_AWS_208 | resource | aws_mq_configuration | Ensure MQBroker version is current | Terraform | +| 277 | CKV_AWS_209 | resource | aws_mq_broker | Ensure MQ broker encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 278 | CKV_AWS_210 | resource | aws_batch_job_definition | Batch job does not define a privileged container | Terraform | +| 279 | CKV_AWS_211 | resource | aws_db_instance | Ensure RDS uses a modern CaCert | Terraform | +| 280 | CKV_AWS_212 | resource | aws_dms_replication_instance | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 281 | CKV_AWS_213 | resource | aws_load_balancer_policy | Ensure ELB Policy uses only secure protocols | Terraform | +| 282 | CKV_AWS_214 | resource | aws_appsync_api_cache | Ensure Appsync API Cache is encrypted at rest | Terraform | +| 283 | CKV_AWS_215 | resource | aws_appsync_api_cache | Ensure Appsync API Cache is encrypted in transit | Terraform | +| 284 | CKV_AWS_216 | resource | aws_cloudfront_distribution | Ensure Cloudfront distribution is enabled | Terraform | +| 285 | CKV_AWS_217 | resource | aws_api_gateway_deployment | Ensure Create before destroy for API deployments | Terraform | +| 286 | CKV_AWS_218 | resource | aws_cloudsearch_domain | Ensure that Cloudsearch is using latest TLS | Terraform | +| 287 | CKV_AWS_219 | resource | aws_codepipeline | Ensure Code Pipeline Artifact store is using a KMS CMK | Terraform | +| 288 | CKV_AWS_220 | resource | aws_cloudsearch_domain | Ensure that Cloudsearch is using https | Terraform | +| 289 | CKV_AWS_221 | resource | aws_codeartifact_domain | Ensure Code artifact Domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | +| 290 | CKV_AWS_222 | resource | aws_dms_replication_instance | Ensure DMS instance gets all minor upgrade automatically | Terraform | +| 291 | CKV_AWS_223 | resource | aws_ecs_cluster | Ensure ECS Cluster enables logging of ECS Exec | Terraform | +| 292 | CKV_AWS_224 | resource | aws_ecs_cluster | Ensure Cluster logging with CMK | Terraform | +| 293 | CKV_AWS_225 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is enabled | Terraform | +| 294 | CKV_AWS_226 | resource | aws_db_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | +| 295 | CKV_AWS_226 | resource | aws_rds_cluster_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | +| 296 | CKV_AWS_227 | resource | aws_kms_key | Ensure KMS key is enabled | Terraform | +| 297 | CKV_AWS_228 | resource | aws_elasticsearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | +| 298 | CKV_AWS_228 | resource | aws_opensearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | +| 299 | CKV_AWS_229 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | +| 300 | CKV_AWS_229 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | +| 301 | CKV_AWS_230 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | +| 302 | CKV_AWS_230 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | +| 303 | CKV_AWS_231 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | +| 304 | CKV_AWS_231 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | +| 305 | CKV_AWS_232 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | +| 306 | CKV_AWS_232 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | +| 307 | CKV_AWS_233 | resource | aws_acm_certificate | Ensure Create before destroy for ACM certificates | Terraform | +| 308 | CKV_AWS_234 | resource | aws_acm_certificate | Verify logging preference for ACM certificates | Terraform | +| 309 | CKV_AWS_235 | resource | aws_ami_copy | Ensure that copied AMIs are encrypted | Terraform | +| 310 | CKV_AWS_236 | resource | aws_ami_copy | Ensure AMI copying uses a CMK | Terraform | +| 311 | CKV_AWS_237 | resource | aws_api_gateway_rest_api | Ensure Create before destroy for API GATEWAY | Terraform | +| 312 | CKV_AWS_238 | resource | aws_guardduty_detector | Ensure that Guard Duty detector is enabled | Terraform | +| 313 | CKV_AWS_239 | resource | aws_dax_cluster | Ensure DAX cluster endpoint is using TLS | Terraform | +| 314 | CKV_AWS_240 | resource | aws_kinesis_firehose_delivery_stream | Ensure Kinesis Firehose delivery stream is encrypted | Terraform | +| 315 | CKV_AWS_241 | resource | aws_kinesis_firehose_delivery_stream | Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK | Terraform | +| 316 | CKV_AWS_242 | resource | aws_mwaa_environment | Ensure MWAA environment has scheduler logs enabled | Terraform | +| 317 | CKV_AWS_243 | resource | aws_mwaa_environment | Ensure MWAA environment has worker logs enabled | Terraform | +| 318 | CKV_AWS_244 | resource | aws_mwaa_environment | Ensure MWAA environment has webserver logs enabled | Terraform | +| 319 | CKV_AWS_245 | resource | aws_db_instance_automated_backups_replication | Ensure replicated backups are encrypted at rest using KMS CMKs | Terraform | +| 320 | CKV_AWS_246 | resource | aws_rds_cluster_activity_stream | Ensure RDS Cluster activity streams are encrypted using KMS CMKs | Terraform | +| 321 | CKV_AWS_247 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | +| 322 | CKV_AWS_247 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | +| 323 | CKV_AWS_248 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | +| 324 | CKV_AWS_248 | resource | aws_opensearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | +| 325 | CKV_AWS_249 | resource | aws_ecs_task_definition | Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions | Terraform | +| 326 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 327 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 328 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 329 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 330 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 331 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 332 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 333 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 334 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to another resource | Terraform | +| 335 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 336 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 337 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 338 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 339 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | +| 340 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | +| 341 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | +| 342 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | +| 343 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 344 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 345 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 346 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 347 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 348 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 349 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 350 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 351 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | +| 352 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 353 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 354 | CKV2_AWS_20 | resource | aws_alb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 355 | CKV2_AWS_20 | resource | aws_alb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 356 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 357 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 358 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | +| 359 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | +| 360 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | +| 361 | CKV2_AWS_27 | resource | aws_rds_cluster | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | +| 362 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | +| 363 | CKV2_AWS_28 | resource | aws_alb | Ensure public facing ALB are protected by WAF | Terraform | +| 364 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | +| 365 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 366 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 367 | CKV2_AWS_30 | resource | aws_db_instance | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | +| 368 | CKV2_AWS_30 | resource | aws_db_parameter_group | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | +| 369 | CKV2_AWS_31 | resource | aws_wafv2_web_acl | Ensure WAF2 has a Logging Configuration | Terraform | +| 370 | CKV2_AWS_32 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a strict security headers policy attached | Terraform | +| 371 | CKV2_AWS_32 | resource | aws_cloudfront_response_headers_policy | Ensure CloudFront distribution has a strict security headers policy attached | Terraform | +| 372 | CKV2_AWS_33 | resource | aws_appsync_graphql_api | Ensure AppSync is protected by WAF | Terraform | +| 373 | CKV2_AWS_34 | resource | aws_ssm_parameter | AWS SSM Parameter should be Encrypted | Terraform | +| 374 | CKV2_AWS_35 | resource | aws_route | AWS NAT Gateways should be utilized for the default route | Terraform | +| 375 | CKV2_AWS_35 | resource | aws_route_table | AWS NAT Gateways should be utilized for the default route | Terraform | +| 376 | CKV2_AWS_36 | resource | aws_ssm_parameter | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | +| 377 | CKV2_AWS_36 | resource | data.http | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | +| 378 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | +| 379 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | +| 380 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | +| 381 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'Secure transfer required' is set to 'Enabled' | Terraform | +| 382 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | +| 383 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | +| 384 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | +| 385 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | +| 386 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kubernetes Dashboard is disabled | Terraform | +| 387 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | +| 388 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | +| 389 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | +| 390 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | +| 391 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 392 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 393 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 394 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 395 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | +| 396 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | +| 397 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | +| 398 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | +| 399 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | +| 400 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | +| 401 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | +| 402 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | +| 403 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | +| 404 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | +| 405 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | +| 406 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | +| 407 | CKV_AZURE_23 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | +| 408 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | +| 409 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | +| 410 | CKV_AZURE_24 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | +| 411 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | +| 412 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | +| 413 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | +| 414 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | +| 415 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | +| 416 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | +| 417 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 418 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 419 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 420 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | +| 421 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | +| 422 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | +| 423 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | +| 424 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | +| 425 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | +| 426 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | +| 427 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | +| 428 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | +| 429 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | +| 430 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | +| 431 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | +| 432 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure Storage Accounts adhere to the naming rules | Terraform | +| 433 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | +| 434 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | +| 435 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | +| 436 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | +| 437 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | +| 438 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | +| 439 | CKV_AZURE_50 | resource | azurerm_windows_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | +| 440 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | +| 441 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | +| 442 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | +| 443 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | +| 444 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | +| 445 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | +| 446 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | +| 447 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | +| 448 | CKV_AZURE_60 | resource | azurerm_storage_account | Ensure that storage account enables secure transfer | Terraform | +| 449 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | +| 450 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | +| 451 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | +| 452 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | +| 453 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | +| 454 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | +| 455 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | +| 456 | CKV_AZURE_67 | resource | azurerm_function_app_slot | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | +| 457 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | +| 458 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | +| 459 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | +| 460 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | +| 461 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | +| 462 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | +| 463 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | +| 464 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | +| 465 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | +| 466 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses disk encryption | Terraform | +| 467 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | +| 468 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | +| 469 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | +| 470 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | +| 471 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | +| 472 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | +| 473 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | +| 474 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | +| 475 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | +| 476 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | +| 477 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | +| 478 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | +| 479 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | +| 480 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | +| 481 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | +| 482 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | +| 483 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | +| 484 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | +| 485 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | +| 486 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | +| 487 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | +| 488 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | +| 489 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | +| 490 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | +| 491 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | +| 492 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | +| 493 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | +| 494 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | +| 495 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | +| 496 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | +| 497 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | +| 498 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | +| 499 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | +| 500 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | +| 501 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | +| 502 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | +| 503 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | +| 504 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | +| 505 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | +| 506 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | +| 507 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | +| 508 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | +| 509 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | +| 510 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | +| 511 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | +| 512 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | +| 513 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | +| 514 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | +| 515 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | +| 516 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | +| 517 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | +| 518 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | +| 519 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | +| 520 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | +| 521 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | +| 522 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | +| 523 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | +| 524 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | +| 525 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | +| 526 | CKV_AZURE_132 | resource | azurerm_cosmosdb_account | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Terraform | +| 527 | CKV_AZURE_133 | resource | azurerm_frontdoor_firewall_policy | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | +| 528 | CKV_AZURE_134 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable public network access | Terraform | +| 529 | CKV_AZURE_135 | resource | azurerm_web_application_firewall_policy | Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | +| 530 | CKV_AZURE_136 | resource | azurerm_postgresql_flexible_server | Ensure that PostgreSQL Flexible server enables geo-redundant backups | Terraform | +| 531 | CKV_AZURE_137 | resource | azurerm_container_registry | Ensure ACR admin account is disabled | Terraform | +| 532 | CKV_AZURE_138 | resource | azurerm_container_registry | Ensures that ACR disables anonymous pulling of images | Terraform | +| 533 | CKV_AZURE_139 | resource | azurerm_container_registry | Ensure ACR set to disable public networking | Terraform | +| 534 | CKV_AZURE_140 | resource | azurerm_cosmosdb_account | Ensure that Local Authentication is disabled on CosmosDB | Terraform | +| 535 | CKV_AZURE_141 | resource | azurerm_kubernetes_cluster | Ensure AKS local admin account is disabled | Terraform | +| 536 | CKV_AZURE_142 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Local Authentication is disabled | Terraform | +| 537 | CKV_AZURE_143 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster nodes do not have public IP addresses | Terraform | +| 538 | CKV_AZURE_144 | resource | azurerm_machine_learning_workspace | Ensure that Public Access is disabled for Machine Learning Workspace | Terraform | +| 539 | CKV_AZURE_145 | resource | azurerm_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | +| 540 | CKV_AZURE_146 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 541 | CKV_AZURE_147 | resource | azurerm_postgresql_server | Ensure PostgreSQL is using the latest version of TLS encryption | Terraform | +| 542 | CKV_AZURE_148 | resource | azurerm_redis_cache | Ensure Redis Cache is using the latest version of TLS encryption | Terraform | +| 543 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine | Ensure that Virtual machine does not enable password authentication | Terraform | +| 544 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine does not enable password authentication | Terraform | +| 545 | CKV_AZURE_150 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 | Terraform | +| 546 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform | +| 547 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform | +| 548 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | +| 549 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | +| 550 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | +| 551 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | +| 552 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | +| 553 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure that databricks workspace has not public | Terraform | +| 554 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | +| 555 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | +| 556 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | +| 557 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 558 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 559 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 560 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 562 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 563 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | +| 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | +| 566 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 570 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 571 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 572 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 573 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | +| 574 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 575 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 576 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | +| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 578 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 579 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | +| 580 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | +| 581 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 582 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 583 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 584 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 585 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | +| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 587 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 589 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 591 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 592 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | +| 593 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 594 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 595 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 596 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 597 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 598 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 599 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | +| 600 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | +| 601 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | +| 602 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | +| 603 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | +| 604 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | +| 605 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | +| 606 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | +| 607 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | +| 608 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | +| 609 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | +| 610 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | +| 611 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | +| 612 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | +| 613 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | +| 614 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | +| 615 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | +| 616 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | +| 617 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | +| 618 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | +| 619 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | +| 620 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | +| 621 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | +| 622 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | +| 623 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | +| 624 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | +| 625 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | +| 626 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | +| 627 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | +| 628 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | +| 629 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | +| 630 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | +| 631 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | +| 632 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | +| 633 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | +| 634 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | +| 635 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | +| 636 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | +| 637 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform | +| 638 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | +| 639 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | +| 640 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | +| 641 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | +| 642 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | +| 643 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | +| 644 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | +| 645 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | +| 646 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | +| 647 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | +| 648 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | +| 649 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | +| 650 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | +| 651 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | +| 652 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | +| 653 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | +| 654 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 655 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 656 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | +| 657 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | +| 658 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | +| 659 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | +| 660 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | +| 661 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | +| 662 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | +| 663 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | +| 664 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | +| 665 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | +| 666 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | +| 667 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | +| 668 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | +| 669 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | +| 670 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | +| 671 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | +| 672 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | +| 673 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | +| 674 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | +| 675 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | +| 676 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | +| 677 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | +| 678 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | +| 679 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | +| 680 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | +| 681 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | +| 682 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | +| 683 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | +| 684 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | +| 685 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | +| 686 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | +| 687 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | +| 688 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | +| 689 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | +| 690 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | +| 691 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | +| 692 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | +| 693 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | +| 694 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | +| 695 | CKV_GCP_67 | resource | google_container_cluster | Ensure legacy Compute Engine instance metadata APIs are Disabled | Terraform | +| 696 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | +| 697 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | +| 698 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | +| 699 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | +| 700 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | +| 701 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | +| 702 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | +| 703 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | +| 704 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | +| 705 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | +| 706 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | +| 707 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | +| 708 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | +| 709 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | +| 710 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | +| 711 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 712 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 713 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | +| 714 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 715 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 716 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 717 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | +| 718 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | +| 719 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | +| 720 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | +| 721 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 722 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 723 | CKV_GCP_92 | resource | google_vertex_ai_dataset | Ensure Vertex AI datasets uses a CMK (Customer Manager Key) | Terraform | +| 724 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 725 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | +| 726 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | +| 727 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Manager Key) | Terraform | +| 728 | CKV_GCP_97 | resource | google_redis_instance | Ensure Memorystore for Redis uses intransit encryption | Terraform | +| 729 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | +| 730 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | +| 731 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | +| 732 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | +| 733 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | +| 734 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | +| 735 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | +| 736 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | +| 737 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | +| 738 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | +| 739 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | +| 740 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | +| 741 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | +| 742 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | +| 743 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 745 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 746 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 747 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 748 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 749 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 750 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 751 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 752 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 753 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 754 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 755 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | +| 756 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | +| 757 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | +| 758 | CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | +| 759 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | +| 760 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | +| 761 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | +| 762 | CKV_GIT_2 | resource | github_repository_webhook | Ensure Repository Webhook uses secure Ssl | Terraform | +| 763 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | +| 764 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure Secrets are encrypted | Terraform | +| 765 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure Secrets are encrypted | Terraform | +| 766 | CKV_GIT_4 | resource | github_actions_secret | Ensure Secrets are encrypted | Terraform | +| 767 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host process ID namespace | Terraform | +| 768 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | +| 769 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host IPC namespace | Terraform | +| 770 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | +| 771 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | +| 772 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | +| 773 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | +| 774 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | +| 775 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | +| 776 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | +| 777 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | +| 778 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should be set | Terraform | +| 779 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | +| 780 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | +| 781 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | +| 782 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers | Terraform | +| 783 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | +| 784 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | +| 785 | CKV_K8S_19 | resource | kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | +| 786 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | +| 787 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | +| 788 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | +| 789 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | +| 790 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | +| 791 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | +| 792 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not be used | Terraform | +| 793 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | +| 794 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | +| 795 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | +| 796 | CKV_K8S_21 | resource | kubernetes_secret | The default namespace should not be used | Terraform | +| 797 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | +| 798 | CKV_K8S_21 | resource | kubernetes_service_account | The default namespace should not be used | Terraform | +| 799 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | +| 800 | CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | +| 801 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added capability | Terraform | +| 802 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | +| 803 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | +| 804 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | +| 805 | CKV_K8S_27 | resource | kubernetes_deployment | Do not expose the docker daemon socket to containers | Terraform | +| 806 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | +| 807 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | +| 808 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods and containers | Terraform | +| 809 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | +| 810 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | +| 811 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | +| 812 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | +| 813 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller (Helm v2) is not deployed | Terraform | +| 814 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets as environment variables | Terraform | +| 815 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | +| 816 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | +| 817 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | +| 818 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | +| 819 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | +| 820 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | +| 821 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | +| 822 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | +| 823 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | +| 824 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | +| 825 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | +| 826 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | +| 827 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | +| 828 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | +| 829 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | +| 830 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | +| 831 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | +| 832 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | +| 833 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | +| 834 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | +| 835 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | +| 836 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | +| 837 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | +| 838 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | +| 839 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | +| 840 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | +| 841 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | +| 842 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | +| 843 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | +| 844 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | +| 845 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | +| 846 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | +| 847 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | +| 848 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has a minimum length of 14 characters | Terraform | +| 849 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | +| 850 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | +| 851 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | +| 852 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | +| 853 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | +| 854 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | +| 855 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | +| 856 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | +| 857 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | +| 858 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | +| 859 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | +| 860 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | +| 861 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | +| 862 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | +| 863 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | +| 864 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | +| 865 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | +| 866 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | +| 867 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | +| 868 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | +| 869 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | +| 870 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | +| 871 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | +| 872 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | +| 873 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | +| 874 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | +| 875 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | +| 876 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | +| 877 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | +| 878 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | +| 879 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | +| 880 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | +| 881 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | +| 882 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | +| 883 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | +| 884 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | +| 885 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | +| 886 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | +| 887 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | +| 888 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | +| 889 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | +| 890 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | --- From 1b6edbf38898a2cd8e667d7ba9f54c78fd5c7fde Mon Sep 17 00:00:00 2001 From: Yuval Avrahami <39744677+yuvalavra@users.noreply.github.com> Date: Tue, 12 Apr 2022 22:09:56 +0300 Subject: [PATCH 21/26] Add base_rbac_check for k8s along with CKV_K8S_155 & CKV_K8S_156 (#2776) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add base_rbac_check for k8s alongwith CKV_K8S_155 & CKV_K8S_156 * fix linting * Update checkov/kubernetes/checks/resource/base_rbac_check.py Co-authored-by: Anton Grübel Co-authored-by: Anton Grübel --- admissioncontroller/checkov-requirements.txt | 2 +- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/admissioncontroller/checkov-requirements.txt b/admissioncontroller/checkov-requirements.txt index 53e068df193..e0caf521cc2 100644 --- a/admissioncontroller/checkov-requirements.txt +++ b/admissioncontroller/checkov-requirements.txt @@ -1 +1 @@ -checkov==2.0.1056 +checkov==2.0.1057 diff --git a/checkov/version.py b/checkov/version.py index 47f496d7d4c..69c048d8a11 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.1056' +version = '2.0.1057' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 53e068df193..e0caf521cc2 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.1056 +checkov==2.0.1057 From 74242f3aceb456d54d46a3aaeb93b2c3706b2766 Mon Sep 17 00:00:00 2001 From: Yuval Avrahami <39744677+yuvalavra@users.noreply.github.com> Date: Tue, 12 Apr 2022 22:09:56 +0300 Subject: [PATCH 22/26] Add base_rbac_check for k8s along with CKV_K8S_155 & CKV_K8S_156 (#2776) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add base_rbac_check for k8s alongwith CKV_K8S_155 & CKV_K8S_156 * fix linting * Update checkov/kubernetes/checks/resource/base_rbac_check.py Co-authored-by: Anton Grübel Co-authored-by: Anton Grübel --- admissioncontroller/k8s/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admissioncontroller/k8s/deployment.yaml b/admissioncontroller/k8s/deployment.yaml index 1956b6bf7df..9187fd2c8cc 100644 --- a/admissioncontroller/k8s/deployment.yaml +++ b/admissioncontroller/k8s/deployment.yaml @@ -31,7 +31,7 @@ spec: drop: - ALL - NET_RAW - image: bridgecrew/whorf@sha256:1057b38b045e69ec2fdf327f54138462f782819d3bb94d328506146c71f97ca0 + image: bridgecrew/whorf@sha256:06ae1829ce3efea8149b89104babd12baf370d7a778d1f46793f2aac8583dabb resources: limits: cpu: "1" From 62cc3d61e9b0cd909a357b89912e95e6ca4506de Mon Sep 17 00:00:00 2001 From: achiar99 <34912231+achiar99@users.noreply.github.com> Date: Wed, 13 Apr 2022 10:40:59 +0300 Subject: [PATCH 23/26] kustomize check type (#2809) --- checkov/kustomize/runner.py | 1 + 1 file changed, 1 insertion(+) diff --git a/checkov/kustomize/runner.py b/checkov/kustomize/runner.py index ba9585132e9..4c7134004b2 100644 --- a/checkov/kustomize/runner.py +++ b/checkov/kustomize/runner.py @@ -32,6 +32,7 @@ def __init__(self, graph_class: Type[LocalGraph] = KubernetesLocalGraph, external_registries: Optional[List[BaseRegistry]] = None) -> None: super().__init__(graph_class, db_connector, source, graph_manager, external_registries) self.report_mutator_data = {} + self.check_type = CheckType.KUSTOMIZE def set_external_data(self, definitions: Optional[Dict[str, Dict[str, Any]]], From 97ac3bb916aafcb9b7b9005384a09fba77b02d0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anton=20Gr=C3=BCbel?= Date: Wed, 13 Apr 2022 09:41:21 +0200 Subject: [PATCH 24/26] skip json checks for non json files (#2807) * skip json checks for non json files * fix miss spelling --- checkov/bicep/runner.py | 3 +++ checkov/common/parsers/yaml/parser.py | 18 +++++++++--------- checkov/common/runners/object_runner.py | 2 +- checkov/example_runner/runner.py | 4 ++-- checkov/github/dal.py | 2 ++ checkov/json_doc/runner.py | 7 +++++-- checkov/yaml_doc/runner.py | 4 ++-- 7 files changed, 24 insertions(+), 16 deletions(-) diff --git a/checkov/bicep/runner.py b/checkov/bicep/runner.py index 9f0f0d42fe1..5e7e6416fa1 100644 --- a/checkov/bicep/runner.py +++ b/checkov/bicep/runner.py @@ -72,6 +72,9 @@ def run( if not self.context or not self.definitions: file_paths = get_scannable_file_paths(root_folder=root_folder, files=files) + if not file_paths: + return report + self.definitions, self.definitions_raw, parsing_errors = Parser().get_files_definitions(file_paths) report.add_parsing_errors(parsing_errors) diff --git a/checkov/common/parsers/yaml/parser.py b/checkov/common/parsers/yaml/parser.py index 5cf01b66a26..fea6f1a25b3 100644 --- a/checkov/common/parsers/yaml/parser.py +++ b/checkov/common/parsers/yaml/parser.py @@ -10,7 +10,7 @@ logger = logging.getLogger(__name__) -def parse(filename: str) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | tuple[None, None]: +def parse(filename: str) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None: template = None template_lines = None try: @@ -23,27 +23,27 @@ def parse(filename: str) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tu if t and (isinstance(t, dict) or isinstance(t, list)): return t, template_lines else: - return None, None + return None else: - return None, None + return None except IOError as e: if e.errno == 2: logger.error('Template file not found: %s', filename) - return None, None + return None elif e.errno == 21: logger.error('Template references a directory, not a file: %s', filename) - return None, None + return None elif e.errno == 13: logger.error('Permission denied when accessing template file: %s', filename) - return None, None + return None except UnicodeDecodeError: logger.error('Cannot read file contents: %s', filename) - return None, None + return None except YAMLError: if filename.endswith(".yaml") or filename.endswith(".yml"): logger.debug('Cannot read file contents: %s - is it a yaml?', filename) - return None, None + return None - return None, None + return None diff --git a/checkov/common/runners/object_runner.py b/checkov/common/runners/object_runner.py index 7bb3913b1a8..7a52c7e0d6a 100644 --- a/checkov/common/runners/object_runner.py +++ b/checkov/common/runners/object_runner.py @@ -32,7 +32,7 @@ def _load_files( @abstractmethod def _parse_file( self, f: str - ) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | tuple[None, None]: + ) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None: raise Exception("parser should be imported by deriving class") def run( diff --git a/checkov/example_runner/runner.py b/checkov/example_runner/runner.py index 2d47bdd7b41..a08ee7c6686 100644 --- a/checkov/example_runner/runner.py +++ b/checkov/example_runner/runner.py @@ -44,7 +44,7 @@ def import_registry(self) -> BaseCheckRegistry: def _parse_file( self, f: str - ) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | tuple[None, None]: + ) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None: # EDIT" add conditional here to ensure this file is something we should parse. # Below is this example for github actions # as the file is always located in a predictable path @@ -52,7 +52,7 @@ def _parse_file( if ".github/workflows/" in os.path.abspath(f): return super()._parse_file(f) - return None, None + return None # An abstract function placeholder to determine the start and end lines. diff --git a/checkov/github/dal.py b/checkov/github/dal.py index 233464a7b00..a3083d72548 100644 --- a/checkov/github/dal.py +++ b/checkov/github/dal.py @@ -74,6 +74,8 @@ def get_organization_security(self): } } """, variables={'org': self.org}) + if not data: + return None if org_security_schema.validate(data): self._organization_security = data return self._organization_security diff --git a/checkov/json_doc/runner.py b/checkov/json_doc/runner.py index 08e3c92d6ef..75b06efbca3 100644 --- a/checkov/json_doc/runner.py +++ b/checkov/json_doc/runner.py @@ -16,8 +16,11 @@ def import_registry(self) -> Registry: from checkov.json_doc.registry import registry return registry - def _parse_file(self, f: str) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | tuple[None, None]: - content: tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | tuple[None, None] = parse(f) + def _parse_file(self, f: str) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None: + if not f.endswith(".json"): + return None + + content: tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None = parse(f) return content def get_start_end_lines(self, end: int, result_config: DictNode, start: int) -> tuple[int, int]: diff --git a/checkov/yaml_doc/runner.py b/checkov/yaml_doc/runner.py index 6a696dd96a1..f3c3a261411 100644 --- a/checkov/yaml_doc/runner.py +++ b/checkov/yaml_doc/runner.py @@ -20,8 +20,8 @@ def import_registry(self) -> BaseCheckRegistry: def _parse_file( self, f: str - ) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | tuple[None, None]: - content: tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | tuple[None, None] = parse(f) + ) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None: + content: tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None = parse(f) return content def get_start_end_lines( From aef978529920dc388a17da1c84db7d2b38a42cb6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anton=20Gr=C3=BCbel?= Date: Wed, 13 Apr 2022 09:41:21 +0200 Subject: [PATCH 25/26] skip json checks for non json files (#2807) * skip json checks for non json files * fix miss spelling --- admissioncontroller/checkov-requirements.txt | 2 +- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/admissioncontroller/checkov-requirements.txt b/admissioncontroller/checkov-requirements.txt index e0caf521cc2..76290801f9b 100644 --- a/admissioncontroller/checkov-requirements.txt +++ b/admissioncontroller/checkov-requirements.txt @@ -1 +1 @@ -checkov==2.0.1057 +checkov==2.0.1058 diff --git a/checkov/version.py b/checkov/version.py index 69c048d8a11..d1f9dea95dd 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.1057' +version = '2.0.1058' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index e0caf521cc2..76290801f9b 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.1057 +checkov==2.0.1058 From 4c72288bb41f142d81fd12e32347f32c6407f1b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anton=20Gr=C3=BCbel?= Date: Wed, 13 Apr 2022 09:41:21 +0200 Subject: [PATCH 26/26] skip json checks for non json files (#2807) * skip json checks for non json files * fix miss spelling --- admissioncontroller/k8s/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admissioncontroller/k8s/deployment.yaml b/admissioncontroller/k8s/deployment.yaml index 9187fd2c8cc..8f67dd8c1fb 100644 --- a/admissioncontroller/k8s/deployment.yaml +++ b/admissioncontroller/k8s/deployment.yaml @@ -31,7 +31,7 @@ spec: drop: - ALL - NET_RAW - image: bridgecrew/whorf@sha256:06ae1829ce3efea8149b89104babd12baf370d7a778d1f46793f2aac8583dabb + image: bridgecrew/whorf@sha256:4eec51a5818b74e6d6a003e2b2c0f7a9e0d32b0f69e298427ed16bfb0245a657 resources: limits: cpu: "1"