
Rules Index

CI/CD - Supply Chain

| Name | Id | Description |
|---|---|---|
| CI/CD - Weak GitHub OIDC Claim Verification | cicd-aws-github-oidc-sub | Checks for IAM policies with lax validation of GitHub's OIDC subject claim. |
| CI/CD - Azure DevOps Project Limit Pipelines Authorization Scope | cicd-azure-devops-missing-authz-for-project | Ensure Azure DevOps projects limit the authorization scope of Azure Pipelines. |
| CI/CD - Azure Pipeline Self-Hosted Agent Pools | cicd-azure-devops-using-user-managed-agent-pools | Ensure pipelines run using Microsoft-hosted agents. |
| CI/CD - Limit Azure Pipelines Variables | cicd-azure-devops-variables-settable-at-queue-time | Ensure Azure Pipelines limit the variables that can be set at queue time. |
| CI/CD - Binary artifacts stored in SCM | cicd-binary-artifacts-stored-in-scm | Ensure that binary / executable artifacts are not stored in SCM. |
| CI/CD - Branch Protection - Allows reviewer to self-review their own changes | cicd-branch-protection | Ensure that default repository branches are protected. |
| CI/CD - CircleCI $BASH_ENV Injection | cicd-circleci-bash-env-injection | Checks for CircleCI workflows where unescaped output is added to $BASH_ENV. |
| CI/CD - CircleCI Shell Injection | cicd-circleci-bash-env-injection | Ensure CircleCI workflows use pipeline variables safely. |
| CI/CD - CircleCI Unversioned Orb | cicd-circleci-unversioned-orb | Ensure CircleCI workflows do not use unversioned Orbs. |
| CI/CD - GitHub Actions can approve pull requests | cicd-gha-can-create-and-approve-pull-requests | Ensure that GitHub Actions cannot approve Pull Requests automatically. |
| CI/CD - GitHub Action evaluates curl's output | cicd-gha-curl-eval | Checks for data evaluated from a curl command. |
| CI/CD - All GitHub Actions are allowed to run | cicd-gha-org-allows-all-actions | Ensure that not all GitHub Actions are allowed to run. |
| CI/CD - GitHub Organization Secret visible from public repositories | cicd-gha-org-secret-publicly-visible | Ensure that GitHub organizations do not have Organization-level secrets that can be accessed by workflows from public repositories. |
| CI/CD - GitHub Actions have Read / Write permissions | cicd-gha-read-write-token-permissions | Ensure that GitHub Actions do not have a Read / Write permissions token. |
| CI/CD - GitHub Action risky pull_request_target usage | cicd-gha-risky-pull-request-target-usage | Ensure that GitHub Actions are not making risky usage of pull_request_target events. |
| CI/CD - GitHub Action risky workflow_run usage | cicd-gha-risky-pull-request-target-usage | Checks for GitHub Action workflows using workflow_run where the code from the incoming PR is checked out. |
| CI/CD - GitHub Script Injection | cicd-gha-script-injection | Checks for GitHub Action workflows using actions/github-script with untrusted attributes. |
| CI/CD - GitHub Action with shell injection | cicd-gha-shell-injection-detected | Ensure that GitHub Actions do not have shell injection. |
| CI/CD - GitHub Action Unsecure Commands | cicd-gha-unsecure-commands | Ensure that GitHub Actions do not enable deprecated unsecure commands. |
| CI/CD - GitHub Action uses inputs | cicd-gha-workflow-dispatch-inputs | Checks for GitHub Action workflows that define workflow_dispatch inputs. |
| CI/CD - GitHub Action uses write-all permissions | cicd-gha-write-all-permissions | Checks for GitHub Action workflows that enable write on all permissions. |
| CI/CD - GitLab Environment no approvals required for deployments | cicd-gl-deployment-approval | GitLab Environment does not require approvals for deployments. |
| CI/CD - Missing Software Composition Analysis (SCA) Scanning | cicd-sca-scanning-absent | Ensure that Software Composition Analysis (SCA) is performed. |
| CI/CD - Missing SCM 2FA Enforcement | cicd-scm-2fa-enforcement-absent | Ensure the SCM is enforcing that all members have 2FA enabled. |
| CI/CD - Elevated GitHub App Permissions | cicd-scm-gh-app-with-elevated-permissions | Checks for GitHub organizations with third-party applications that have elevated permissions. |
| CI/CD - Audit Log - Branch Protection Overridden by Admin | cicd-scm-gh-audit-log-branch-protection-overriden | Checks for GitHub repositories where an Audit Log event indicates that Branch Protection was overridden using administrator privileges. |
| CI/CD - Audit Log - OAuth App Restriction Disabled | cicd-scm-gh-audit-log-oauth-app-restriction-disabled | Checks for GitHub organizations where an Audit Log event indicates that OAuth App restrictions were disabled. |
| CI/CD - GitHub Organization has Outside Collaborators | cicd-scm-gh-org-has-outside-collaborators | Checks for GitHub organizations with outside collaborators. |
| CI/CD - Privileged Default Member Permissions | cicd-scm-gh-org-high-default-member-permissions | Checks for GitHub organizations with privileged default member permissions. |
| CI/CD - Insecure GitHub Webhooks | cicd-scm-gh-org-insecure-webhook | Checks for GitHub organizations with insecure webhooks. |
| CI/CD - Invalid Number of GitHub Organization Owners | cicd-scm-gh-org-number-of-owners | Checks for the number of GitHub Organization owners. |
| CI/CD - Invalid Number of GitHub Repository Admins | cicd-scm-gh-repo-number-of-admins | Checks for the number of GitHub Repository contributors with administrative privileges. |
| CI/CD - GitHub Repository with Privileged Outside Collaborators | cicd-scm-gh-repo-outside-collaborator-admin-maintainer | Checks for GitHub repositories with privileged outside collaborators. |
| CI/CD - GitLab On Push Secret File Detection Missing | cicd-scm-gl-on-push-secret-detection | GitLab project does not have the push rule for secret file detection enabled. |
| CI/CD - Inactive SCM Members | cicd-scm-inactive-members | Checks for SCMs with inactive members. |
| CI/CD - SCM Repository Creation Not Restricted | cicd-scm-limit-repo-creation | Checks that the creation of repositories is restricted. |
| CI/CD - SCM Organization Not Verified | cicd-scm-org-verified | Checks that the SCM organization has been verified. |
| CI/CD - SCM Private Forks | cicd-scm-private-forks | Ensure SCM does not allow private repository forks. |
| CI/CD - Using unpinned dependencies | cicd-unpinned-dependencies | Ensure that dependency management lock files are being used. |

Cloud Misconfigurations

AWS Infrastructure

| Name | Id | Description |
|---|---|---|
| AWS Athena Encryption Off | aws-athena-encryption-off | Ensure the Athena Workgroup enforces a configuration that prevents clients from disabling encryption |
| AWS Cloudtrail All Regions | aws-cloudtrail-all-regions | Ensure CloudTrail is enabled in all Regions |
| AWS Cloudtrail Validation Off | aws-cloudtrail-validation-off | Ensure CloudTrail log file validation is enabled |
| AWS Cloudwatch Log Retention | aws-cloudwatch-log-retention | Ensure CloudWatch log groups specify retention days |
| AWS Database Backup Off | aws-db-backup-off | Ensure that database backup is enabled |
| AWS Database No Version Upgrade | aws-db-no-version-upgrade | Ensure that database auto-upgrade is enabled |
| AWS EC2 Public IP | aws-ec2-public-ip | EC2 instance should not have a public IP |
| AWS ECR Scanning Off | aws-ecr-scanning-off | Ensure ECR image scanning on push is enabled |
| AWS ECR Tags Mutable | aws-ecr-tags-mutable | Ensure ECR Image Tags are immutable |
| AWS ECS Container Insights Off | aws-ecs-container-insights-off | Ensure container insights are enabled on ECS clusters |
| AWS IAM Password Policy | aws-iam-password-policy | Ensure that the IAM password policy has sufficient complexity based on industry best practices |
| AWS IAM Policy Lax Full Admin | aws-iam-policy-lax-full-admin | Ensure IAM policies that allow full "*-*" administrative privileges are not created |
| AWS IAM Policy On Users | aws-iam-policy-on-users | Ensure IAM policies are attached only to groups or roles |
| AWS IAM Wildcard Actions | aws-iam-wildcard-actions | Ensure no IAM policy documents allow "*" as a statement's actions |
| AWS KMS Key Rotation | aws-kms-key-rotation | Ensure rotation for customer-created CMKs is enabled |
| AWS Load Balancer Allow Invalid Headers | aws-lb-allow-invalid-headers | Ensure that the load balancer drops invalid HTTP headers |
| AWS Legacy Instance Meta | aws-legacy-instance-meta | Ensure Instance Metadata Service Version 1 is not enabled |
| AWS Network Https Off | aws-network-https-off | Ensure the networking resource enforces the use of HTTPS |
| AWS Network Insecure TLS | aws-network-insecure-tls | Ensure that the load balancer is using TLS 1.2 |
| AWS Network Public RDP | aws-network-public-rdp | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (RDP) |
| AWS Network Public SSH | aws-network-public-ssh | Ensure that the resource or security group does not allow ingress from 0.0.0.0/0 to port 22 (SSH) |
| AWS S3 Logging Off | aws-resource-logging-off | Ensure that the resource has some form of audit logging enabled to help with forensics |
| AWS Resource Outside VPC | aws-resource-outside-vpc | Ensure that the resource is configured inside a VPC |
| AWS Resource Public Access | aws-resource-public-access | Ensure that all data stored in the managed service is not publicly accessible |
| AWS Resource Public Policy | aws-resource-public-policy | Ensure that the resource policy is not set to public |
| AWS Resource Unencrypted At Rest | aws-resource-unencrypted-at-rest | Ensure that all data stored in the managed service is securely encrypted at rest |
| AWS Resource Unencrypted In Transit | aws-resource-unencrypted-in-transit | Ensure that data going to and from the managed service is securely encrypted in transit |
| AWS S3 Public Access | aws-s3-public-access | Ensure the S3 bucket does not allow Read or Write permissions to anyone on the Internet |
| AWS S3 Public Policy | aws-s3-public-policy | Ensure the S3 bucket does not allow an action with any Principal (i.e. anyone on the Internet) |
| AWS S3 Unencrypted At Rest | aws-s3-unencrypted-at-rest | Ensure all data stored in the S3 bucket is securely encrypted at rest |
| AWS VPC Assign Public Ip | aws-vpc-assign-public-ip | Ensure VPC subnets do not assign a public IP by default |
| AWS VPC Endpoint Auto Accept | aws-vpc-endpoint-auto-accept | Ensure that the VPC Endpoint Service is configured for Manual Acceptance |

Azure Infrastructure

| Name | Id | Description |
|---|---|---|
| Azure AKS Api Iprange | azure-aks-api-iprange | Ensure AKS has API Server Authorized IP Ranges enabled |
| Azure AKS Logging Enable | azure-aks-logging-enable | Ensure AKS logging to Azure Monitoring is configured |
| Azure AKS Networkpolicy | azure-aks-networkpolicy | Ensure the AKS cluster has a Network Policy configured |
| Azure AKS Private Cluster | azure-aks-private-cluster | Ensure that AKS enables private clusters |
| Azure AKS RBAC Enabled | azure-aks-rbac-enabled | Ensure RBAC is enabled on AKS clusters |
| Azure App Service Ad Enabled | azure-appsvc-ad-enabled | Ensure that Register with Azure Active Directory is enabled on App Service |
| Azure App Service Auth Enabled | azure-appsvc-auth-enabled | Ensure App Service Authentication is set on Azure App Service |
| Azure App Service Cors Restrictive | azure-appsvc-cors-restrictive | Ensure that CORS does not allow every resource to access app services |
| Azure App Service Disable Debug | azure-appsvc-disable-debug | Ensure that remote debugging is not enabled for app services |
| Azure App Service FTP Disabled | azure-appsvc-ftp-disabled | Ensure FTP deployments are disabled |
| Azure App Service HTTP Redirect | azure-appsvc-http-redirect | Ensure the web app redirects all HTTP traffic to HTTPS in Azure App Service |
| Azure App Service HTTP TLS Version | azure-appsvc-http-tls-version | Ensure the web app is using the latest version of TLS encryption |
| Azure App Service Http Version | azure-appsvc-http-version | Ensure that 'HTTP Version' is the latest, if used to run the web app |
| Azure Automation Variable Encrypted | azure-automn-variable-encrypted | Ensure that Automation account variables are encrypted |
| Azure Batch Keyvault | azure-batch-keyvault | Ensure that the Azure Batch account uses Key Vault to encrypt data |
| Azure Dashboard Disable | azure-dashboard-disable | Ensure the Kube Dashboard is disabled |
| Azure Database Audit Enabled | azure-db-audit-enabled | Ensure that 'Auditing' is set to 'On' for SQL servers |
| Azure Database Audit Retention | azure-db-audit-retention | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers |
| Azure Database Public Ingress | azure-db-public-ingress | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
| Azure Function App Auth Enabled | azure-funcapp-auth-enabled | Ensure that function apps enable Authentication |
| Azure Function App Http Version | azure-funcapp-http-version | Ensure that 'HTTP Version' is the latest, if used to run the Function app |
| Azure Function App Https Only | azure-funcapp-https-only | Ensure that Function apps are only accessible over HTTPS |
| Azure Machine Scaleset Auth | azure-machine-scaleset-auth | Ensure the Azure Linux scale set does not use basic authentication |
| Azure Machine Scaleset Encrypt | azure-machine-scaleset-encrypt | Ensure that Virtual machine scale sets have encryption at host enabled |
| Azure Machine Sensitive Data | azure-machine-sensitive-data | Ensure that no sensitive credentials are exposed in VM custom_data |
| Azure MariaDB Public Ingress | azure-mariadb-public-ingress | Ensure 'public network access enabled' is set to 'False' for MariaDB servers |
| Azure MariaDB SSL Enabled | azure-mariadb-ssl-enabled | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers |
| Azure Monitor Audit Activities | azure-monitor-audit-activities | Ensure the audit profile captures all the activities |
| Azure Monitor Log Retention | azure-monitor-log-retention | Ensure that Activity Log Retention is set to 365 days or greater |
| Azure MSSQL Audit Retention | azure-mssql-audit-retention | Ensure an audit log retention period greater than 90 days |
| Azure MSSQL Email Service | azure-mssql-email-service | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers |
| Azure MSSQL Send Alerts | azure-mssql-send-alerts | Ensure that 'Send Alerts To' is enabled for MSSQL servers |
| Azure MSSQL Threat Types | azure-mssql-threat-types | Ensure that 'Threat Detection types' is set to 'All' |
| Azure MSSQL TLS Version | azure-mssql-tls-version | Ensure MSSQL is using the latest version of TLS encryption |
| Azure MySQL Enforce SSL | azure-mysql-enforce-ssl | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server |
| Azure MySQL Public Ingress | azure-mysql-public-ingress | Ensure 'public network access enabled' is set to 'False' for MySQL servers |
| Azure MySQL Tls Version | azure-mysql-tls-version | Ensure MySQL is using the latest version of TLS encryption |
| Azure Network Log Retention | azure-network-log-retention | Ensure that the Network Security Group Flow Log retention period is 'greater than 90 days' |
| Azure Network Public RDP | azure-network-public-rdp | Ensure that RDP access is restricted from the Internet |
| Azure Network Public UDP | azure-network-public-udp | Ensure that UDP Services are restricted from the Internet |
| Azure PSQL Enforce SSL | azure-psql-enforce-ssl | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
| Azure PSQL Param Conn Throttling | azure-psql-param-conn-throttling | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server |
| Azure PSQL Public Ingress | azure-psql-public-ingress | Ensure that the PostgreSQL server disables public network access |
| Azure Security Center Email Alerts | azure-seccntr-email-alerts | Ensure that 'Send email notification for high severity alerts' is set to 'On' |
| Azure Storage Public Access | azure-storage-public-access | Ensure that 'Public access level' is set to Private for blob containers |
| Azure Storage Public Ingress | azure-storage-public-ingress | Ensure the default network access rule for Storage Accounts is set to deny |
| Azure Storage Secure Transfer | azure-storage-secure-xfer | Ensure that 'Secure transfer required' is set to 'Enabled' |
| Azure Storage TLS Version | azure-storage-tls-version | Ensure the Storage Account is using the latest version of TLS encryption |
| Azure Storage Trusted Microsoft Service | azure-storage-trust-msft | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access |
| Azure Storage Sync Public Ingress | azure-storsync-public-ingress | Ensure that Azure File Sync disables public network access |
| Azure Vault Allow Firewall | azure-vault-allow-firewall | Ensure that the key vault allows firewall rules settings |
| Azure Vault Key Expiry | azure-vault-key-expiry | Ensure that the expiration date is set on all keys |
| Azure Vault Purge Protection | azure-vault-purge-protection | Ensure that the key vault enables purge protection |
| Azure Vault Secret Expiry | azure-vault-secret-expiry | Ensure that the expiration date is set on all secrets |

GCP Infrastructure

| Name | Id | Description |
|---|---|---|
| GCP BigQuery Anonymous Or Publicly Accessible | gcp-bq-anon-or-public | Ensure that BigQuery datasets are not anonymously or publicly accessible |
| GCP GCE Default Service Account | gcp-gce-default-svcacct | Ensure that instances are not configured to use the default service account |
| GCP GCE Firewall Unrestricted RDP Access | gcp-gce-fw-public-rdp | Ensure Google Compute firewall ingress does not allow unrestricted RDP access |
| GCP GCE Firewall Public SSH Access | gcp-gce-fw-public-ssh | Ensure Google Compute firewall ingress does not allow unrestricted SSH access |
| GCP GCE IP Forwarding On | gcp-gce-ip-fwd-on | Ensure that IP forwarding is not enabled on Instances |
| GCP GCE Instance Public IP | gcp-gce-public-ip | Ensure that Compute instances do not have public IP addresses |
| GCP GCE Serialport On | gcp-gce-serialport-on | Ensure 'Enable connecting to serial ports' is not enabled for VM Instances |
| GCP GCS Anon Or Public Access | gcp-gcs-anon-or-public | Ensure that the Cloud Storage bucket is not anonymously or publicly accessible |
| GCP GCS Access Logs Off | gcp-gcs-logs-off | Bucket should log access |
| GCP IAM Service Account Admin Role | gcp-iam-svcacct-admin-role | Ensure that the Service Account has no Admin privileges |
| GCP IAM Service Account Allow Sudo | gcp-iam-svcacct-allo-sudo | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level |
| GCP K8S Basic Auth On | gcp-k8s-basic-auth-on | Ensure GKE basic auth is disabled |
| GCP K8S Legacy Instance Metadata On | gcp-k8s-legacy-instance-metadata-on | Ensure legacy Compute Engine instance metadata APIs are Disabled |
| GCP K8S Legacy RBAC On | gcp-k8s-legacy-rbac-on | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
| GCP K8S Metadata Server Off | gcp-k8s-metadata-server-off | Ensure the GKE Metadata Server is Enabled |
| GCP K8S Stackdriver Monitor Off | gcp-k8s-stackdriver-monitor-off | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
| GCP K8S Stackdriver Logs Off | gcp-k8s-strackdriver-logs-off | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
| GCP KMS Bad Key Rotation | gcp-kms-bad-key-rotation | Ensure KMS encryption keys are rotated within a period of 90 days |
| GCP Load Balancer Weak SSL Ciphers | gcp-lb-ssl-weak-ciphers | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites |
| GCP Default Service Account in Project | gcp-res-man-default-svcacct | Ensure the Default Service account is not used at a project level |
| GCP Cloud SQL Backup Disabled | gcp-sql-backup-off | Ensure all Cloud SQL database instances have backup configuration enabled |
| GCP MySQL Local_Infile On | gcp-sql-mysql-local_infile-on | Ensure the MySQL database 'local_infile' flag is set to 'off' |
| GCP Cloud SQL Public Access | gcp-sql-public-access | Ensure that Cloud SQL database Instances are not open to the world |
| GCP Cloud SQL Public IP | gcp-sql-public-ip | Ensure SQL databases do not have a public IP |
| GCP SQL SSL Disabled | gcp-sql-ssl-off | Ensure all Cloud SQL database instances require all incoming connections to use SSL |

Kubernetes (K8S)

| Name | Id | Description |
|---|---|---|
| K8S Dashboard Present | k8s-dashboard-present | Ensure the Kubernetes dashboard is not deployed |
| K8S Docker Daemon | k8s-docker-daemon | Do not expose the Docker daemon socket to containers |
| K8S Host Namespace | k8s-host-namespace | Containers should not share the host namespaces |
| K8S Immutable Image | k8s-immutable-image | Image tag should be fixed, not latest or blank |
| K8S Podsecuritypolicy Defined | k8s-podsecuritypolicy-defined | Ensure that if a Pod Security Policy exists, it enforces best practices |
| K8S Rbac Wildcards | k8s-rbac-wildcards | Minimize wildcard use in Roles and ClusterRoles |
| K8S Resources Defined | k8s-resources-defined | CPU and memory requests and limits should be set |
| K8S Securitycontext Capabilities | k8s-securitycontext-capabilities | Minimize the admission of containers with added capabilities |
| K8S Securitycontext Defined | k8s-securitycontext-defined | Apply a security context to your pods and containers |
| K8S Securitycontext Privileged | k8s-securitycontext-privileged | Containers should not be privileged |
| K8S Serviceaccount Default | k8s-serviceaccount-default | Ensure that default service accounts are not actively used |
| K8S Tiller Present | k8s-tiller-present | Ensure that Tiller (Helm v2) is not deployed |

X509 Certificates

| Name | Id | Description |
|---|---|---|
| Cert Expired | x509-cert-expired | x509 certificate has expired and is no longer valid |
| Cert Expires Soon | x509-cert-expires-soon | x509 certificate will expire in the near future |
| Cert Insecure Signing Algorithm | x509-cert-insecure-signing-algorithm | x509 certificate uses a weak cryptographic algorithm |
| Cert Insufficient Key Length | x509-cert-insufficient-key-length | x509 certificate public key length is considered insecure |

Insecure Coding Practices

| Name | Id | Description |
|---|---|---|
| Bypass Safe-by-Default Framework Output Encoding | bypass-framework-safe-default-output-encoding | Ensure framework default output encoding is not bypassed |
| Cookie Secure Flag Not Set | cookie-secure-flag-not-set | Ensure cookies are set to secure |
| Dangerous Function Buffer allocUnsafe | dangerous-function-buffer-alloc-unsafe | Ensure Buffer does not use allocUnsafe |
| Dangerous Function Buffer noAssert | dangerous-function-buffer-noassert | Ensure Buffer does not use noAssert |
| Dangerous Function Buffer Not Initialized With Literal | dangerous-function-buffer-non-literal-alloc | Ensure Buffer is initialized with a literal value |
| Dangerous Deserialization | dangerous-function-deserialization | Ensure safe deserialization |
| Ensure no raw SQL queries are used despite using an ORM | dangerous-raw-sql-used-with-orm | Ensure no raw SQL queries |
| Debugging interface publicly exposed | debugging-interface-publicly-exposed | Ensure the debug interface is not exposed |
| Uncontrolled data decompression (decompression bomb) | dos-via-decompression-bomb | Ensure proper handling of highly compressed data |
| Dynamic Code Injection | dynamic-code-injection | Ensure no dynamic code injection |
| Eval With Expression | eval-with-expression | Ensure no dynamic eval expression |
| Express Detect No CSRF Before Method Override | express-detect-no-csrf-before-method-override | Ensure Express detects CSRF before method override |
| Insecure Crypto Algorithm | insecure-crypto-algorithm | Ensure usage of secure cryptographic algorithms |
| JWT Hardcoded Secret Key | jwt-hardcoded-secret-key | Ensure the JWT secret is not hard-coded |
| JWT Without Signature | jwt-none-algorithm-usage | Ensure the JWT algorithm is defined |
| Missing Reverse-Tabnabbing Protection | missing-reverse-tabnabbing-protection | Ensure secure link target |
| Node TLS Certificate Validation Disabled | node-disable-ssl | Ensure Node performs TLS validation |
| Node Unsafe Property Access | node-unsafe-property-access | Ensure safe property access |
| Node vm use runInThisContext | node-vm-runinthiscontext | Ensure the Node function runInThisContext is used securely |
| Non-Literal Used to Require a Module | non-literal-require | Ensure Node uses literal require statements |
| OS Command Injection | os-command-injection | Ensure secure usage of OS commands |
| Path traversal | path-traversal | Ensure the function validates filesystem paths |
| XHR Request Over Plaintext | plaintext-client-request | Ensure XHR requests use encrypted transport |
| JavaScript Serialize uses Unsafe | serialize-option-unsafe | Ensure JavaScript serialize does not use unsafe |
| Server-Side Template Injection (SSTI) | server-side-template-injection | Ensure server-side templates are validated |
| Server-Side Request Forgery (SSRF) | ssrf | Ensure server-side requests are validated |
| TLS Verification Disabled | tls-disabled-cert-validation | Ensure TLS validation is enabled |
| TLS Insecure Protocol Config | tls-insecure-protocol-config | Ensure strong TLS protocols are used |
| Unrestricted server socket binding | unrestricted-server-socket-binding | Ensure binding to limited interfaces |
| Unsafe child_process | unsafe-child-process | Ensure child_process usage is secure |
| Wildcard In System Call | wildcard-in-system-call | Ensure system calls do not use wildcards |
| Unsafe Use of Window.postMessage | window-postmessage-unsafe-target-origin | Ensure safe usage of window.postMessage |
| Request Parameter Reflected in Response | xss-request-parameter-reflected-in-response | Ensure safe encoding of the response |