Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
This query detects Cloud SQL Database instances with backup_configuration disabled. It checks whether, within the 'settings' block, the 'backup_configuration' block exists with the 'enabled' field equal to 'false'.
This query ensures that object versioning is enabled on a Google Storage Bucket by checking that the 'versioning' block exists within the 'google_storage_bucket' resource and that its 'enabled' field is equal to 'true'.
GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the 'master_auth' block must be empty.
Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have a 'client_certificate_config' block with the attribute 'issue_client_certificate' equal to true.
Kubernetes Engine Clusters must have Master Authentication enabled, which means the attribute 'master_auth' must have the sub-attributes 'username' and 'password' defined and not empty.
Currently the queries are divided in the code by "system/provider" (e.g. terraform/aws). A structure that groups the queries per category, "system/category/provider", is recommended as more readable.
Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false.
Kubernetes Clusters must have the Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' block with the 'enabled' attribute equal to true.
Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and, if the attribute 'networking_mode' is defined, it must be VPC_NATIVE.
This query detects Cloud SQL Database instances with SSL disabled for incoming connections. It checks whether, within the 'settings' block, the 'ip_configuration' block exists with the 'require_ssl' field equal to 'false'.
Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different from 'none'.
This query detects whether a Cloud Storage Bucket is anonymously or publicly accessible by checking if the 'member' or 'members' field inside the resource 'google_storage_bucket_iam_member' equals or includes 'allUsers' or 'allAuthenticatedUsers'.