Checkmarx Scanner

The BoostSecurity Checkmarx scanner supports an extensive set of rules designed to ensure comprehensive security coverage. You can find the complete list of rules in the Scanner Registry.

Here are some of the key rules:

| Name | Id | Description |
|---|---|---|
| ALB Is Not Integrated With WAF | alb-not-integrated-with-waf | All Application Load Balancers (ALB) must be protected with the Web Application Firewall (WAF) service |
| API Gateway Without SSL Certificate | api-gateway-without-ssl-certificate | SSL client certificate should be enabled |
| API Gateway Without Configured Authorizer | api-gateway-without-configured-authorizer | API Gateway REST API should have an API Gateway Authorizer |
| BOM - AWS EBS | bom-aws-ebs | A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). |
| BOM - AWS Kinesis | bom-aws-kinesis | A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real time. |
| CloudFront Without Minimum Protocol TLS 1.2 | cloudfront-without-minimum-protocol | CloudFront minimum protocol version should be at least TLS 1.2 |
| CloudFront Without WAF | cloudfront-without-waf | All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service |
| CloudWatch Changes To NACL Alarm Missing | cloudwatch-changes-nacl-missing | Ensure a log metric filter and alarm exist for changes to NACL |
| Cloudwatch Cloudtrail Configuration Changes Alarm Missing | cloudwatch-cloudtrail-configuration-changes-alarm-missing | Ensure a log metric filter and alarm exist for CloudTrail configuration changes |
| CloudWatch Log Group Without KMS | cloudwatch-log-group-without-kms | AWS CloudWatch Log groups should be encrypted using KMS |
| CloudWatch Logging Disabled | cloudwatch-logging-disabled | Check if CloudWatch logging is disabled for Route53 hosted zones |
| Container Runs Unmasked | container-runs-unmasked | Check if a container has full (unmasked) access to the host's /proc, which would allow it to retrieve sensitive information and possibly change kernel parameters at runtime. |
| Dynamodb VPC Endpoint Without Route Table Association | dynamodb-vpc-endpoint-without-route-table-association | DynamoDB VPC Endpoint should be associated with a Route Table |
| EC2 Instance Using API Keys | ec2-instance-using-api-keys | EC2 instances should use roles to be granted access to other AWS services |
| ECR Repository Not Encrypted With CMK | ecr-repository-not-encrypted-with-cmk | ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation |
| Global Responses Definition Not Being Used | global-responses-definition-not-used | All global responses definitions should be in use |
| IAM Database Auth Not Enabled | iam-database-auth-not-enabled | IAM Database Auth Enabled should be configured to true when using a compatible engine and version |
| IAM Managed Policy Applied to a User | iam-managed-policy-applied-to-user | Make sure that any managed IAM policies are attached to a group and not to a user. |
| KMS Key With No Deletion Window | kms-key-without-deletion-window | AWS KMS Key should have a valid deletion window |
| Lambda IAM InvokeFunction Misconfigured | lambda-iam-invokefunction-misconfigured | Lambda permission may be misconfigured if the action field is not set to 'lambda:InvokeFunction' |
| MSK Broker Is Publicly Accessible | msk-broker-is-publicy-accessible | A public AWS MSK cluster allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended that AWS MSK not be publicly accessible |
| Operation Object Without 'consumes' | operation-object-without-consumes | Operation Object should have the 'consumes' field defined for 'POST', 'PUT' and 'PATCH' operations |
| Path Parameter Not Required (v3) | path-parameter-not-required | The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. |
| Property 'allowEmptyValue' Improperly Defined (v2) | allowemptyvalue-improperly-defined | Property 'allowEmptyValue' should only be defined for query parameters and formData parameters |
| Redis Entirely Accessible | redis-entirely-accessible | Firewall rule allowing unrestricted access to Redis from the Internet |
| Redshift Cluster Without VPC | redshift-cluster-without-vpc | Redshift Cluster should be configured in a VPC (Virtual Private Cloud) |
| Request Body With Incorrect Ref | request-body-with-incorrect-ref | Request Body reference must always point to '#/components/RequestBodies' |
| Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' | role-with-privilege-escalation | Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see |
| Sensitive Port Is Exposed To Entire Network | sensitive-port-is-exposed-to-entire-network | A sensitive port, such as port 23 or port 110, is open to the whole network over either the TCP or UDP protocol |
| Serverless API Access Logging Setting Undefined | serverless-api-access-logging-setting-undefined | AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined |
| Serverless Function Without X-Ray Tracing | serverless-function-without-xray-tracing | Serverless Function should have Tracing enabled. For this, the property 'tracing' should have the value 'Active' |
| SQL DB Instance Backup Disabled | sql-db-instance-backup-disabled | Checks if backup configuration is enabled for all Cloud SQL Database instances |
| Pattern Undefined (v3) | string-schema-pattern-undefined | String schema should have 'pattern' defined. |
| User With Privilege Escalation By Actions 'iam:PutUserPolicy' | user-with-privilege-escalation-by-actions | User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see |