Checkmarx Scanner
The BoostSecurity Checkmarx scanner ships with a large rule set covering cloud infrastructure-as-code, container configuration and OpenAPI definitions. The complete list of rules is in the Scanner Registry.
A selection of the rules:
Name | Id | Description |
---|---|---|
ALB Is Not Integrated With WAF | alb-not-integrated-with-waf | All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service |
API Gateway Without SSL Certificate | api-gateway-without-ssl-certificate | SSL Client Certificate should be enabled |
API Gateway Without Configured Authorizer | api-gateway-without-configured-authorizer | API Gateway REST API should have an API Gateway Authorizer |
BOM - AWS EBS | bom-aws-ebs | A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). |
BOM - AWS Kinesis | bom-aws-kinesis | A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time |
CloudFront Without Minimum Protocol TLS 1.2 | cloudfront-without-minimum-protocol | CloudFront Minimum Protocol version should be at least TLS 1.2 |
CloudFront Without WAF | cloudfront-without-waf | All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service |
CloudWatch Changes To NACL Alarm Missing | cloudwatch-changes-nacl-missing | Ensure a log metric filter and alarm exist for changes to NACL |
Cloudwatch Cloudtrail Configuration Changes Alarm Missing | cloudwatch-cloudtrail-configuration-changes-alarm-missing | Ensure a log metric filter and alarm exist for CloudTrail configuration changes |
CloudWatch Log Group Without KMS | cloudwatch-log-group-without-kms | AWS CloudWatch Log groups should be encrypted using KMS |
CloudWatch Logging Disabled | cloudwatch-logging-disabled | Check if CloudWatch logging is disabled for Route53 hosted zones |
Container Runs Unmasked | container-runs-unmasked | Check if a container has full (unmasked) access to the host's /proc filesystem, which would allow it to retrieve sensitive information and possibly change kernel parameters at runtime. |
Dynamodb VPC Endpoint Without Route Table Association | dynamodb-vpc-endpoint-without-route-table-association | DynamoDB VPC Endpoint should be associated with a Route Table |
EC2 Instance Using API Keys | ec2-instance-using-api-keys | EC2 instances should use roles to be granted access to other AWS services |
ECR Repository Not Encrypted With CMK | ecr-repository-not-encrypted-with-cmk | ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation |
Global Responses Definition Not Being Used | global-responses-definition-not-used | All global responses definitions should be in use |
IAM Database Auth Not Enabled | iam-database-auth-not-enabled | IAM database authentication should be enabled when the database engine and version support it |
IAM Managed Policy Applied to a User | iam-managed-policy-applied-to-user | Managed IAM policies should be attached to groups rather than directly to users. |
KMS Key With No Deletion Window | kms-key-without-deletion-window | AWS KMS Key should have a valid deletion window |
Lambda IAM InvokeFunction Misconfigured | lambda-iam-invokefunction-misconfigured | Lambda permission may be misconfigured if the action field is not set to 'lambda:InvokeFunction' |
MSK Broker Is Publicly Accessible | msk-broker-is-publicy-accessible | Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible |
Operation Object Without 'consumes' | operation-object-without-consumes | Operation Object should have the 'consumes' field defined for 'POST', 'PUT' and 'PATCH' operations |
Path Parameter Not Required (v3) | path-parameter-not-required | The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. |
Property 'allowEmptyValue' Improperly Defined (v2) | allowemptyvalue-improperly-defined | Property 'allowEmptyValue' should be only defined for query parameters and formData parameters |
Redis Entirely Accessible | redis-entirely-accessible | Firewall rule allowing unrestricted access to Redis from the Internet |
Redshift Cluster Without VPC | redshift-cluster-without-vpc | Redshift Cluster should be configured in VPC (Virtual Private Cloud) |
Request Body With Incorrect Ref | request-body-with-incorrect-ref | Request Body reference must always point to '#/components/requestBodies' |
Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' | role-with-privilege-escalation | Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. |
Sensitive Port Is Exposed To Entire Network | sensitive-port-is-exposed-to-entire-network | A sensitive port, such as port 23 or port 110, is open to the whole network over TCP or UDP |
Serverless API Access Logging Setting Undefined | serverless-api-access-logging-setting-undefined | AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined |
Serverless Function Without X-Ray Tracing | serverless-function-without-xray-tracing | Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' |
SQL DB Instance Backup Disabled | sql-db-instance-backup-disabled | Checks if backup configuration is enabled for all Cloud SQL Database instances |
Pattern Undefined (v3) | string-schema-pattern-undefined | String schema should have 'pattern' defined. |
User With Privilege Escalation By Actions 'iam:PutUserPolicy' | user-with-privilege-escalation-by-actions | User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. |
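The two privilege-escalation rules above (role-with-privilege-escalation and user-with-privilege-escalation-by-actions) both reduce to the same check: every action in a known dangerous combination is allowed on Resource '*'. The following is an added example of that detection logic, not BoostSecurity or Checkmarx code, run over constructed IAM policy documents. It ignores Deny statements and Condition blocks, which a real rule engine would evaluate; the account ID and ARNs in the samples are placeholders.

```python
"""Added example (not BoostSecurity or Checkmarx code): a minimal checker for the
IAM privilege-escalation action combinations named in the rule table, run over
constructed IAM policy documents. Deny statements and Condition blocks are
ignored, which is a simplification of what a real rule engine evaluates."""
import fnmatch
import json

# Action combinations from the table: each is dangerous when every listed action
# is allowed on Resource "*". The role/user split in the table's rule ids only
# reflects which principal the policy is attached to, not the check itself.
ESCALATION_COMBOS = [
    frozenset({"glue:CreateDevEndpoint", "iam:PassRole"}),  # role-with-privilege-escalation
    frozenset({"iam:PutUserPolicy"}),                       # user-with-privilege-escalation-by-actions
]


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_resource_actions(policy_doc):
    """Return the Action patterns that Allow statements grant on Resource '*'."""
    patterns = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        patterns.extend(_as_list(stmt.get("Action")))
    return patterns


def _action_granted(action, patterns):
    """IAM action matching is case-insensitive and supports '*' wildcards,
    so 'iam:*' or a bare '*' grants iam:PutUserPolicy."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def find_privilege_escalation(policy_doc):
    """Return one label per escalation combo that is fully granted on Resource '*'."""
    patterns = wildcard_resource_actions(policy_doc)
    findings = []
    for combo in ESCALATION_COMBOS:
        if all(_action_granted(action, patterns) for action in combo):
            findings.append(" + ".join(sorted(combo)))
    return findings


# Constructed sample policies (placeholder account id, not from a real account).
VULNERABLE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["glue:CreateDevEndpoint", "iam:PassRole"],
         "Resource": "*"},
    ],
}

# The wildcard 'iam:*' still grants iam:PutUserPolicy, so this is flagged too.
VULNERABLE_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
}

# Same actions, but each scoped to specific ARNs: no statement grants them on '*'.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": "glue:CreateDevEndpoint",
         "Resource": "arn:aws:glue:us-east-1:123456789012:devEndpoint/*"},
        {"Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/GlueDevEndpointRole"},
    ],
}


if __name__ == "__main__":
    for name, doc in [("role", VULNERABLE_ROLE_POLICY),
                      ("user", VULNERABLE_USER_POLICY),
                      ("hardened", HARDENED_POLICY)]:
        print(name, json.dumps(find_privilege_escalation(doc)))
```

The hardened policy keeps both actions but scopes iam:PassRole to one role ARN, which is the fix the rule descriptions point at: the danger is the combination on Resource '*', not the actions themselves.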