diff --git a/.github/workflows/verify-schema.yml b/.github/workflows/verify-schema.yml
deleted file mode 100644
index 8bb1bc74..00000000
--- a/.github/workflows/verify-schema.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-name: verify schema
-on:
- pull_request:
- merge_group:
-jobs:
- build:
- name: verifying schema
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v4
-
- - uses: actions/setup-go@v5
- with:
- go-version-file: go.mod
- cache: true
- cache-dependency-path: go.sum
-
- - run: go run ./cmd/schema verify
diff --git a/Makefile b/Makefile
index 9d2ea5a6..7ad18213 100755
--- a/Makefile
+++ b/Makefile
@@ -12,10 +12,6 @@ update-aws-deps:
 @grep aws-sdk-go-v2 go.mod | grep -v '// indirect' | sed 's/^[\t\s]*//g' | sed 's/\s.*//g' | xargs go get
 @go mod tidy
 
-.PHONY: schema
-schema:
- go run ./cmd/schema generate
-
 .PHONY: docs
 docs:
 go run ./cmd/avd_generator
diff --git a/cmd/avd_generator/main.go b/cmd/avd_generator/main.go
index f0d7c1c7..26e96dfe 100644
--- a/cmd/avd_generator/main.go
+++ b/cmd/avd_generator/main.go
@@ -12,11 +12,10 @@ import (
 "text/template"
 
 "github.com/aquasecurity/defsec/pkg/framework"
+ _ "github.com/aquasecurity/defsec/pkg/rego"
+ registered "github.com/aquasecurity/defsec/pkg/rules"
+ types "github.com/aquasecurity/defsec/pkg/types/rules"
 policies "github.com/aquasecurity/trivy-policies"
-
- _ "github.com/aquasecurity/trivy-iac/pkg/rego"
- registered "github.com/aquasecurity/trivy-iac/pkg/rules"
- "github.com/aquasecurity/trivy-iac/pkg/types"
 )
 
 func main() {
diff --git a/cmd/avd_generator/main_test.go b/cmd/avd_generator/main_test.go
index 6687c0ba..38324137 100644
--- a/cmd/avd_generator/main_test.go
+++ b/cmd/avd_generator/main_test.go
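Review bot: The added blank import `_ "github.com/aquasecurity/defsec/pkg/rego"` in cmd/avd_generator/main.go exists only for an init-time side effect, and nothing on the line says so. The trivy-iac package it replaces (pkg/rego/embed.go, deleted further down this page) had an `init()` that loaded the embedded policies and called `rules.Register`, so the generator presumably relies on the defsec package doing the same before anything under `registered` is consulted; a reader of the import block cannot tell that dropping the line would leave the rule registry empty rather than fail to compile. Suggest `_ "github.com/aquasecurity/defsec/pkg/rego" // init() registers the embedded rego policies; required before registered.* is used`. The body of `main` is outside the hunk, so I cannot confirm which registry call the generator makes.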
@@ -8,11 +8,10 @@ import (
 "runtime"
 "testing"
 
+ "github.com/aquasecurity/defsec/pkg/framework"
+ registered "github.com/aquasecurity/defsec/pkg/rules"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
-
- "github.com/aquasecurity/defsec/pkg/framework"
- registered "github.com/aquasecurity/trivy-iac/pkg/rules"
 )
 
 func init() { // change the pwd for the test to top level defesc dir
diff --git a/cmd/schema/main.go b/cmd/schema/main.go
deleted file mode 100644
index 08553e3f..00000000
--- a/cmd/schema/main.go
+++ /dev/null
@@ -1,79 +0,0 @@ -package main - -import ( - "encoding/json" - "fmt" - "os" - - "github.com/spf13/cobra" - - "github.com/aquasecurity/trivy-iac/pkg/rego/schemas" -) - -// generate a json schema document for cloud rego input (state.State) - -const schemaPath = "pkg/rego/schemas/cloud.json" - -func main() { - if err := rootCmd.Execute(); err != nil { - _, _ = fmt.Fprintln(os.Stderr, err) - os.Exit(1) - } -} - -var rootCmd = &cobra.Command{ - Use: "schema", -} - -func init() { - rootCmd.AddCommand(generateCmd) - rootCmd.AddCommand(verifyCmd) -} - -var generateCmd = &cobra.Command{ - Use: "generate", - Short: "generate a json schema document for cloud rego input (state.State)", - RunE: func(cmd *cobra.Command, args []string) error { - cmd.SilenceErrors = true - cmd.SilenceUsage = true - schema, err := schemas.Build() - if err != nil { - return err - } - data, err := json.MarshalIndent(schema, "", " ") - if err != nil { - return err - } - if err := os.WriteFile(schemaPath, data, 0600); err != nil { - return err - } - fmt.Println("done") - return nil - }, -} - -var verifyCmd = &cobra.Command{ - Use: "verify", - Short: "verify that the schema is up to date", - RunE: func(cmd *cobra.Command, args []string) error { - cmd.SilenceErrors = true - cmd.SilenceUsage = true - schema, err := schemas.Build() - if err != nil { - return err - } - data, err := json.MarshalIndent(schema, "", " ") - if err != nil { - return err - } - existing, err := os.ReadFile(schemaPath) - if err != nil { - return err - } - if string(data) != string(existing) { - return fmt.Errorf("schema is out of date:\n\nplease run 'make schema' and commit the changes") - } - fmt.Println("schema is valid") - return nil - }, -} diff --git a/go.mod b/go.mod index d00451a4..9827e8db 100644 --- a/go.mod +++ b/go.mod 
@@ -6,7 +6,7 @@ require (
 github.com/BurntSushi/toml v1.3.2
 github.com/Masterminds/semver v1.5.0
 github.com/apparentlymart/go-cidr v1.1.0
- github.com/aquasecurity/defsec v0.93.2-0.20240110230225-29e47649c35d
+ github.com/aquasecurity/defsec v0.94.1
 github.com/aquasecurity/trivy-policies v0.8.0
 github.com/aws/smithy-go v1.19.0
 github.com/bmatcuk/doublestar/v4 v4.6.0
@@ -18,11 +18,8 @@ require (
 github.com/liamg/jfather v0.0.7
 github.com/liamg/memoryfs v1.6.0
 github.com/mitchellh/go-homedir v1.1.0
- github.com/mitchellh/mapstructure v1.5.0
 github.com/moby/buildkit v0.11.6
 github.com/olekukonko/tablewriter v0.0.5
- github.com/open-policy-agent/opa v0.60.0
- github.com/spf13/cobra v1.8.0
 github.com/stretchr/testify v1.8.4
 github.com/zclconf/go-cty v1.13.0
 github.com/zclconf/go-cty-yaml v1.0.3
@@ -136,6 +133,7 @@ require (
 github.com/mitchellh/copystructure v1.2.0 // indirect
 github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+ github.com/mitchellh/mapstructure v1.5.0 // indirect
 github.com/mitchellh/reflectwalk v1.0.2 // indirect
 github.com/moby/locker v1.0.1 // indirect
 github.com/moby/spdystream v0.2.0 // indirect
@@ -145,6 +143,7 @@ require (
 github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 github.com/morikuni/aec v1.0.0 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+ github.com/open-policy-agent/opa v0.60.0 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
 github.com/owenrumney/squealer v1.2.1 // indirect
@@ -165,6 +164,7 @@ require (
 github.com/sirupsen/logrus v1.9.3 // indirect
 github.com/skeema/knownhosts v1.2.1 // indirect
 github.com/spf13/cast v1.5.0 // indirect
+ github.com/spf13/cobra v1.8.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 github.com/ulikunitz/xz v0.5.10 // indirect
diff --git a/go.sum b/go.sum
index 8d9fdbd8..16a74230 100644
--- a/go.sum
+++ b/go.sum
@@ -236,8 +236,8 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
-github.com/aquasecurity/defsec v0.93.2-0.20240110230225-29e47649c35d h1:veoNgFVDMDCFat+yGX5g+QX4cins/NmoYztdSo14weQ=
-github.com/aquasecurity/defsec v0.93.2-0.20240110230225-29e47649c35d/go.mod h1:NBF6hvbQSc4s/WCHdKV5sNNxLl258M2OiIFoUfgEn/k=
+github.com/aquasecurity/defsec v0.94.1 h1:lk44bfUltm0f0Dw4DbO3Ka9d/bf3N8cWclSdHXMyKF4=
+github.com/aquasecurity/defsec v0.94.1/go.mod h1:wiX9BX0SOG0ZWjVIPYGPl46fyO3Gu8lJnk4rmhFR7IA=
 github.com/aquasecurity/trivy-policies v0.8.0 h1:LvmIdw/DfTF72Lc8L+CKLYzfb5BFYzLBGFFR95PKC74=
 github.com/aquasecurity/trivy-policies v0.8.0/go.mod h1:qF/t59pgK/0JTV6tXaeA3Iw3opzoMgzGCDcTDBmqb30=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
diff --git a/internal/rules/register.go b/internal/rules/register.go
deleted file mode 100755
index f6ef02fe..00000000
--- a/internal/rules/register.go
+++ /dev/null
@@ -1,134 +0,0 @@ -package rules - -import ( - "sync" - - "gopkg.in/yaml.v3" - - "github.com/aquasecurity/defsec/pkg/framework" - "github.com/aquasecurity/defsec/pkg/scan" - dftypes "github.com/aquasecurity/defsec/pkg/types" - "github.com/aquasecurity/trivy-policies/specs" - - "github.com/aquasecurity/trivy-iac/pkg/types" -) - -type registry struct { - sync.RWMutex - index int - frameworks map[framework.Framework][]types.RegisteredRule -} - -var coreRegistry = registry{ - frameworks: make(map[framework.Framework][]types.RegisteredRule), -} - -func Reset() { - coreRegistry.Reset() -} - -func Register(rule scan.Rule) types.RegisteredRule { - return coreRegistry.register(rule) -} - -func Deregister(rule types.RegisteredRule) { - coreRegistry.deregister(rule) -} - -func (r *registry) register(rule scan.Rule) types.RegisteredRule { - r.Lock() - defer r.Unlock() - if len(rule.Frameworks) == 0 { - rule.Frameworks = map[framework.Framework][]string{framework.Default: nil} - } - registeredRule := types.RegisteredRule{ - Number: r.index, - Rule: rule, - } - r.index++ - for fw := range rule.Frameworks { - r.frameworks[fw] = append(r.frameworks[fw], registeredRule) - } - - r.frameworks[framework.ALL] = append(r.frameworks[framework.ALL], registeredRule) - - return registeredRule -} - -func (r *registry) deregister(rule types.RegisteredRule) { - r.Lock() - defer r.Unlock() - for fw := range r.frameworks { - for i, registered := range r.frameworks[fw] { - if registered.Number == rule.Number { - r.frameworks[fw] = append(r.frameworks[fw][:i], r.frameworks[fw][i+1:]...) 
- break - } - } - } -} - -func (r *registry) getFrameworkRules(fw ...framework.Framework) []types.RegisteredRule { - r.RLock() - defer r.RUnlock() - var registered []types.RegisteredRule - if len(fw) == 0 { - fw = []framework.Framework{framework.Default} - } - unique := make(map[int]struct{}) - for _, f := range fw { - for _, rule := range r.frameworks[f] { - if _, ok := unique[rule.Number]; ok { - continue - } - registered = append(registered, rule) - unique[rule.Number] = struct{}{} - } - } - return registered -} - -func (r *registry) getSpecRules(spec string) []types.RegisteredRule { - r.RLock() - defer r.RUnlock() - var specRules []types.RegisteredRule - - var complianceSpec dftypes.ComplianceSpec - specContent := specs.GetSpec(spec) - if err := yaml.Unmarshal([]byte(specContent), &complianceSpec); err != nil { - return nil - } - - registered := r.getFrameworkRules(framework.ALL) - for _, rule := range registered { - for _, csRule := range complianceSpec.Spec.Controls { - if len(csRule.Checks) > 0 { - for _, c := range csRule.Checks { - if rule.GetRule().AVDID == c.ID { - specRules = append(specRules, rule) - } - } - } - } - } - - return specRules -} - -func (r *registry) Reset() { - r.Lock() - defer r.Unlock() - r.frameworks = make(map[framework.Framework][]types.RegisteredRule) -} - -func GetFrameworkRules(fw ...framework.Framework) []types.RegisteredRule { - return coreRegistry.getFrameworkRules(fw...) -} - -func GetSpecRules(spec string) []types.RegisteredRule { - if len(spec) > 0 { - return coreRegistry.getSpecRules(spec) - } - - return GetFrameworkRules() -} diff --git a/internal/rules/register_test.go b/internal/rules/register_test.go deleted file mode 100644 index ff9c5033..00000000 --- a/internal/rules/register_test.go +++ /dev/null 
@@ -1,139 +0,0 @@ -package rules - -import ( - "fmt" - "testing" - - "github.com/stretchr/testify/require" - - "github.com/aquasecurity/defsec/pkg/framework" - "github.com/aquasecurity/defsec/pkg/scan" - "github.com/stretchr/testify/assert" -) - -func Test_Reset(t *testing.T) { - rule := scan.Rule{} - _ = Register(rule) - assert.Equal(t, 1, len(GetFrameworkRules())) - Reset() - assert.Equal(t, 0, len(GetFrameworkRules())) -} - -func Test_Registration(t *testing.T) { - var tests = []struct { - name string - registeredFrameworks map[framework.Framework][]string - inputFrameworks []framework.Framework - expected bool - }{ - { - name: "rule without framework specified should be returned when no frameworks are requested", - expected: true, - }, - { - name: "rule without framework specified should not be returned when a specific framework is requested", - inputFrameworks: []framework.Framework{framework.CIS_AWS_1_2}, - expected: false, - }, - { - name: "rule without framework specified should be returned when the default framework is requested", - inputFrameworks: []framework.Framework{framework.Default}, - expected: true, - }, - { - name: "rule with default framework specified should be returned when the default framework is requested", - registeredFrameworks: map[framework.Framework][]string{framework.Default: {"1.1"}}, - inputFrameworks: []framework.Framework{framework.Default}, - expected: true, - }, - { - name: "rule with default framework specified should not be returned when a specific framework is requested", - registeredFrameworks: map[framework.Framework][]string{framework.Default: {"1.1"}}, - inputFrameworks: []framework.Framework{framework.CIS_AWS_1_2}, - expected: false, - }, - { - name: "rule with specific framework specified should not be returned when a default framework is requested", - registeredFrameworks: map[framework.Framework][]string{framework.CIS_AWS_1_2: {"1.1"}}, - inputFrameworks: []framework.Framework{framework.Default}, - expected: false, - 
}, - { - name: "rule with specific framework specified should be returned when the specific framework is requested", - registeredFrameworks: map[framework.Framework][]string{framework.CIS_AWS_1_2: {"1.1"}}, - inputFrameworks: []framework.Framework{framework.CIS_AWS_1_2}, - expected: true, - }, - { - name: "rule with multiple frameworks specified should be returned when the specific framework is requested", - registeredFrameworks: map[framework.Framework][]string{framework.CIS_AWS_1_2: {"1.1"}, "blah": {"1.2"}}, - inputFrameworks: []framework.Framework{framework.CIS_AWS_1_2}, - expected: true, - }, - { - name: "rule with multiple frameworks specified should be returned only once when multiple matching frameworks are requested", - registeredFrameworks: map[framework.Framework][]string{framework.CIS_AWS_1_2: {"1.1"}, "blah": {"1.2"}, "something": {"1.3"}}, - inputFrameworks: []framework.Framework{framework.CIS_AWS_1_2, "blah", "other"}, - expected: true, - }, - } - - for i, test := range tests { - t.Run(test.name, func(t *testing.T) { - Reset() - rule := scan.Rule{ - AVDID: fmt.Sprintf("%d-%s", i, test.name), - Frameworks: test.registeredFrameworks, - } - _ = Register(rule) - var found bool - for _, matchedRule := range GetFrameworkRules(test.inputFrameworks...) 
{ - if matchedRule.GetRule().AVDID == rule.AVDID { - assert.False(t, found, "rule should not be returned more than once") - found = true - } - } - assert.Equal(t, test.expected, found, "rule should be returned if it matches any of the input frameworks") - }) - } -} - -func Test_Deregistration(t *testing.T) { - Reset() - registrationA := Register(scan.Rule{ - AVDID: "A", - }) - registrationB := Register(scan.Rule{ - AVDID: "B", - }) - assert.Equal(t, 2, len(GetFrameworkRules())) - Deregister(registrationA) - actual := GetFrameworkRules() - require.Equal(t, 1, len(actual)) - assert.Equal(t, "B", actual[0].GetRule().AVDID) - Deregister(registrationB) - assert.Equal(t, 0, len(GetFrameworkRules())) -} - -func Test_DeregistrationMultipleFrameworks(t *testing.T) { - Reset() - registrationA := Register(scan.Rule{ - AVDID: "A", - }) - registrationB := Register(scan.Rule{ - AVDID: "B", - Frameworks: map[framework.Framework][]string{ - "a": nil, - "b": nil, - "c": nil, - framework.Default: nil, - }, - }) - assert.Equal(t, 2, len(GetFrameworkRules())) - Deregister(registrationA) - actual := GetFrameworkRules() - require.Equal(t, 1, len(actual)) - assert.Equal(t, "B", actual[0].GetRule().AVDID) - Deregister(registrationB) - assert.Equal(t, 0, len(GetFrameworkRules())) -} diff --git a/pkg/rego/build.go b/pkg/rego/build.go deleted file mode 100644 index db20c04c..00000000 --- a/pkg/rego/build.go +++ /dev/null 
@@ -1,84 +0,0 @@ -package rego - -import ( - "io/fs" - "path/filepath" - "strings" - - "github.com/aquasecurity/defsec/pkg/types" - "github.com/aquasecurity/trivy-iac/pkg/rego/schemas" - "github.com/open-policy-agent/opa/ast" - "github.com/open-policy-agent/opa/util" -) - -func BuildSchemaSetFromPolicies(policies map[string]*ast.Module, paths []string, fsys fs.FS) (*ast.SchemaSet, bool, error) { - schemaSet := ast.NewSchemaSet() - schemaSet.Put(ast.MustParseRef("schema.input"), map[string]interface{}{}) // for backwards compat only - var customFound bool - for _, policy := range policies { - for _, annotation := range policy.Annotations { - for _, ss := range annotation.Schemas { - schemaName, err := ss.Schema.Ptr() - if err != nil { - continue - } - if schemaName != "input" { - if schema, ok := schemas.SchemaMap[types.Source(schemaName)]; ok { - customFound = true - schemaSet.Put(ast.MustParseRef(ss.Schema.String()), util.MustUnmarshalJSON([]byte(schema))) - } else { - b, err := findSchemaInFS(paths, fsys, schemaName) - if err != nil { - return schemaSet, true, err - } - if b != nil { - customFound = true - schemaSet.Put(ast.MustParseRef(ss.Schema.String()), util.MustUnmarshalJSON(b)) - } - } - } - } - } - } - - return schemaSet, customFound, nil -} - -// findSchemaInFS tries to find the schema anywhere in the specified FS -func findSchemaInFS(paths []string, srcFS fs.FS, schemaName string) ([]byte, error) { - var schema []byte - for _, path := range paths { - if err := fs.WalkDir(srcFS, sanitisePath(path), func(path string, info fs.DirEntry, err error) error { - if err != nil { - return err - } - if info.IsDir() { - return nil - } - if !IsJSONFile(info.Name()) { - return nil - } - if info.Name() == schemaName+".json" { - schema, err = fs.ReadFile(srcFS, filepath.ToSlash(path)) - if err != nil { - return err - } - return nil - } - return nil - }); err != nil { - return nil, err - } - } - return schema, nil -} - -func IsJSONFile(name string) bool { - return 
strings.HasSuffix(name, ".json") -} - -func sanitisePath(path string) string { - vol := filepath.VolumeName(path) - path = strings.TrimPrefix(path, vol) - return strings.TrimPrefix(strings.TrimPrefix(filepath.ToSlash(path), "./"), "/") -} diff --git a/pkg/rego/custom.go b/pkg/rego/custom.go deleted file mode 100644 index c15b05a4..00000000 --- a/pkg/rego/custom.go +++ /dev/null 
@@ -1,109 +0,0 @@ -package rego - -import ( - "github.com/open-policy-agent/opa/ast" - "github.com/open-policy-agent/opa/rego" - "github.com/open-policy-agent/opa/types" -) - -func init() { - rego.RegisterBuiltin2(®o.Function{ - Name: "result.new", - Decl: types.NewFunction(types.Args(types.S, types.A), types.A), - }, - createResult, - ) - - rego.RegisterBuiltin1(®o.Function{ - Name: "isManaged", - Decl: types.NewFunction(types.Args(types.A), types.B), - }, - func(c rego.BuiltinContext, resource *ast.Term) (*ast.Term, error) { - metadata, err := createResult(c, ast.StringTerm(""), resource) - if err != nil { - return nil, err - } - return metadata.Get(ast.StringTerm("managed")), nil - }, - ) -} - -func createResult(ctx rego.BuiltinContext, msg, cause *ast.Term) (*ast.Term, error) { - - metadata := map[string]*ast.Term{ - "startline": ast.IntNumberTerm(0), - "endline": ast.IntNumberTerm(0), - "sourceprefix": ast.StringTerm(""), - "filepath": ast.StringTerm(""), - "explicit": ast.BooleanTerm(false), - "managed": ast.BooleanTerm(true), - "fskey": ast.StringTerm(""), - "resource": ast.StringTerm(""), - "parent": ast.NullTerm(), - } - if msg != nil { - metadata["msg"] = msg - } - - // universal - input := cause.Get(ast.StringTerm("__defsec_metadata")) - if input == nil { - // docker - input = cause - } - metadata = updateMetadata(metadata, input) - - if term := input.Get(ast.StringTerm("parent")); term != nil { - var err error - metadata["parent"], err = createResult(ctx, nil, term) - if err != nil { - return nil, err - } - } - - var values [][2]*ast.Term - for key, val := range metadata { - values = append(values, [2]*ast.Term{ - ast.StringTerm(key), - val, - }) - } - return ast.ObjectTerm(values...), nil -} - -func updateMetadata(metadata map[string]*ast.Term, input *ast.Term) map[string]*ast.Term { - if term := input.Get(ast.StringTerm("startline")); term != nil { - metadata["startline"] = term - } - if term := input.Get(ast.StringTerm("StartLine")); term != nil { - 
metadata["startline"] = term - } - if term := input.Get(ast.StringTerm("endline")); term != nil { - metadata["endline"] = term - } - if term := input.Get(ast.StringTerm("EndLine")); term != nil { - metadata["endline"] = term - } - if term := input.Get(ast.StringTerm("filepath")); term != nil { - metadata["filepath"] = term - } - if term := input.Get(ast.StringTerm("sourceprefix")); term != nil { - metadata["sourceprefix"] = term - } - if term := input.Get(ast.StringTerm("Path")); term != nil { - metadata["filepath"] = term - } - if term := input.Get(ast.StringTerm("explicit")); term != nil { - metadata["explicit"] = term - } - if term := input.Get(ast.StringTerm("managed")); term != nil { - metadata["managed"] = term - } - if term := input.Get(ast.StringTerm("fskey")); term != nil { - metadata["fskey"] = term - } - if term := input.Get(ast.StringTerm("resource")); term != nil { - metadata["resource"] = term - } - return metadata -} diff --git a/pkg/rego/embed.go b/pkg/rego/embed.go deleted file mode 100644 index ac497e8b..00000000 --- a/pkg/rego/embed.go +++ /dev/null 
@@ -1,107 +0,0 @@ -package rego - -import ( - "context" - "io/fs" - "path/filepath" - "strings" - - "github.com/aquasecurity/trivy-iac/pkg/rules" - policies "github.com/aquasecurity/trivy-policies" - "github.com/open-policy-agent/opa/ast" -) - -func init() { - - modules, err := LoadEmbeddedPolicies() - if err != nil { - // we should panic as the policies were not embedded properly - panic(err) - } - loadedLibs, err := LoadEmbeddedLibraries() - if err != nil { - panic(err) - } - for name, policy := range loadedLibs { - modules[name] = policy - } - - RegisterRegoRules(modules) -} - -func RegisterRegoRules(modules map[string]*ast.Module) { - ctx := context.TODO() - - schemaSet, _, _ := BuildSchemaSetFromPolicies(modules, nil, nil) - - compiler := ast.NewCompiler(). - WithSchemas(schemaSet). - WithCapabilities(nil). - WithUseTypeCheckAnnotations(true) - - compiler.Compile(modules) - if compiler.Failed() { - // we should panic as the embedded rego policies are syntactically incorrect... - panic(compiler.Errors) - } - - retriever := NewMetadataRetriever(compiler) - for _, module := range modules { - metadata, err := retriever.RetrieveMetadata(ctx, module) - if err != nil { - continue - } - if metadata.AVDID == "" { - continue - } - rules.Register( - metadata.ToRule(), - ) - } -} - -func LoadEmbeddedPolicies() (map[string]*ast.Module, error) { - return LoadPoliciesFromDirs(policies.EmbeddedPolicyFileSystem, ".") -} - -func LoadEmbeddedLibraries() (map[string]*ast.Module, error) { - return LoadPoliciesFromDirs(policies.EmbeddedLibraryFileSystem, ".") -} - -func LoadPoliciesFromDirs(target fs.FS, paths ...string) (map[string]*ast.Module, error) { - modules := make(map[string]*ast.Module) - for _, path := range paths { - if err := fs.WalkDir(target, sanitisePath(path), func(path string, info fs.DirEntry, err error) error { - if err != nil { - return err - } - if info.IsDir() { - return nil - } - - if strings.HasSuffix(filepath.Dir(filepath.ToSlash(path)), 
"advanced/optional") { - return fs.SkipDir - } - - if !IsRegoFile(info.Name()) || IsDotFile(info.Name()) { - return nil - } - data, err := fs.ReadFile(target, filepath.ToSlash(path)) - if err != nil { - return err - } - module, err := ast.ParseModuleWithOpts(path, string(data), ast.ParserOptions{ - ProcessAnnotation: true, - }) - if err != nil { - // s.debug.Log("Failed to load module: %s, err: %s", filepath.ToSlash(path), err.Error()) - return err - } - modules[path] = module - return nil - }); err != nil { - return nil, err - } - } - return modules, nil -} diff --git a/pkg/rego/embed_test.go b/pkg/rego/embed_test.go deleted file mode 100644 index f5ce5ad2..00000000 --- a/pkg/rego/embed_test.go +++ /dev/null 
@@ -1,123 +0,0 @@ -package rego - -import ( - "testing" - - "github.com/aquasecurity/trivy-iac/pkg/rules" - policies "github.com/aquasecurity/trivy-policies" - "github.com/open-policy-agent/opa/ast" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" -) - -func Test_EmbeddedLoading(t *testing.T) { - - frameworkRules := rules.GetRegistered() - var found bool - for _, rule := range frameworkRules { - if rule.GetRule().RegoPackage != "" { - found = true - } - } - assert.True(t, found, "no embedded rego policies were registered as rules") -} - -func Test_RegisterRegoRules(t *testing.T) { - var testCases = []struct { - name string - inputPolicy string - expectedError bool - }{ - { - name: "happy path old single schema", - inputPolicy: `# METADATA -# title: "dummy title" -# description: "some description" -# scope: package -# schemas: -# - input: schema["input"] -# custom: -# input: -# selector: -# - type: dockerfile -package builtin.dockerfile.DS1234 -deny[res]{ - res := true -}`, - }, - { - name: "happy path new builtin single schema", - inputPolicy: `# METADATA -# title: "dummy title" -# description: "some description" -# scope: package -# schemas: -# - input: schema["dockerfile"] -# custom: -# input: -# selector: -# - type: dockerfile -package builtin.dockerfile.DS1234 -deny[res]{ - res := true -}`, - }, - { - name: "happy path new multiple schemas", - inputPolicy: `# METADATA -# title: "dummy title" -# description: "some description" -# scope: package -# schemas: -# - input: schema["dockerfile"] -# - input: schema["kubernetes"] -# custom: -# input: -# selector: -# - type: dockerfile -package builtin.dockerfile.DS1234 -deny[res]{ - res := true -}`, - }, - { - name: "sad path schema does not exist", - inputPolicy: `# METADATA -# title: "dummy title" -# description: "some description" -# scope: package -# schemas: -# - input: schema["invalid schema"] -# custom: -# input: -# selector: -# - type: dockerfile -package builtin.dockerfile.DS1234 
-deny[res]{ - res := true -}`, - expectedError: true, - }, - } - - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - policies, err := LoadPoliciesFromDirs(policies.EmbeddedLibraryFileSystem, ".") - require.NoError(t, err) - newRule, err := ast.ParseModuleWithOpts("/rules/newrule.rego", tc.inputPolicy, ast.ParserOptions{ - ProcessAnnotation: true, - }) - require.NoError(t, err) - - policies["/rules/newrule.rego"] = newRule - switch { - case tc.expectedError: - assert.Panics(t, func() { - RegisterRegoRules(policies) - }, tc.name) - default: - RegisterRegoRules(policies) - } - }) - } -} diff --git a/pkg/rego/exceptions.go b/pkg/rego/exceptions.go deleted file mode 100644 index ab202ec0..00000000 --- a/pkg/rego/exceptions.go +++ /dev/null @@ -1,33 +0,0 @@ -package rego - -import ( - "context" - "fmt" -) - -func (s *Scanner) isIgnored(ctx context.Context, namespace string, ruleName string, input interface{}) (bool, error) { - if ignored, err := s.isNamespaceIgnored(ctx, namespace, input); err != nil { - return false, err - } else if ignored { - return true, nil - } - return s.isRuleIgnored(ctx, namespace, ruleName, input) -} - -func (s *Scanner) isNamespaceIgnored(ctx context.Context, namespace string, input interface{}) (bool, error) { - exceptionQuery := fmt.Sprintf("data.namespace.exceptions.exception[_] == %q", namespace) - result, _, err := s.runQuery(ctx, exceptionQuery, input, true) - if err != nil { - return false, fmt.Errorf("query namespace exceptions: %w", err) - } - return result.Allowed(), nil -} - -func (s *Scanner) isRuleIgnored(ctx context.Context, namespace string, ruleName string, input interface{}) (bool, error) { - exceptionQuery := fmt.Sprintf("endswith(%q, data.%s.exception[_][_])", ruleName, namespace) - result, _, err := s.runQuery(ctx, exceptionQuery, input, true) - if err != nil { - return false, err - } - return result.Allowed(), nil -} 
diff --git a/pkg/rego/load.go b/pkg/rego/load.go
deleted file mode 100644
index 909510e8..00000000
--- a/pkg/rego/load.go
+++ /dev/null
@@ -1,210 +0,0 @@ -package rego - -import ( - "context" - "fmt" - "io" - "io/fs" - "strings" - - "github.com/open-policy-agent/opa/ast" - "github.com/open-policy-agent/opa/bundle" -) - -func IsRegoFile(name string) bool { - return strings.HasSuffix(name, bundle.RegoExt) && !strings.HasSuffix(name, "_test"+bundle.RegoExt) -} - -func IsDotFile(name string) bool { - return strings.HasPrefix(name, ".") -} - -func (s *Scanner) loadPoliciesFromReaders(readers []io.Reader) (map[string]*ast.Module, error) { - modules := make(map[string]*ast.Module) - for i, r := range readers { - moduleName := fmt.Sprintf("reader_%d", i) - data, err := io.ReadAll(r) - if err != nil { - return nil, err - } - module, err := ast.ParseModuleWithOpts(moduleName, string(data), ast.ParserOptions{ - ProcessAnnotation: true, - }) - if err != nil { - return nil, err - } - modules[moduleName] = module - } - return modules, nil -} - -func (s *Scanner) loadEmbedded(enableEmbeddedLibraries, enableEmbeddedPolicies bool) error { - if enableEmbeddedLibraries { - loadedLibs, errLoad := LoadEmbeddedLibraries() - if errLoad != nil { - return fmt.Errorf("failed to load embedded rego libraries: %w", errLoad) - } - for name, policy := range loadedLibs { - s.policies[name] = policy - } - s.debug.Log("Loaded %d embedded libraries.", len(loadedLibs)) - } - - if enableEmbeddedPolicies { - loaded, err := LoadEmbeddedPolicies() - if err != nil { - return fmt.Errorf("failed to load embedded rego policies: %w", err) - } - for name, policy := range loaded { - s.policies[name] = policy - } - s.debug.Log("Loaded %d embedded policies.", len(loaded)) - } - - return nil -} - -func (s *Scanner) LoadPolicies(enableEmbeddedLibraries, enableEmbeddedPolicies bool, srcFS fs.FS, paths []string, readers []io.Reader) error { - - if s.policies == nil { - s.policies = make(map[string]*ast.Module) - } - - if s.policyFS != nil { - s.debug.Log("Overriding filesystem for policies!") - srcFS = s.policyFS - } - - if err := 
s.loadEmbedded(enableEmbeddedLibraries, enableEmbeddedPolicies); err != nil { - return err - } - - var err error - if len(paths) > 0 { - loaded, err := LoadPoliciesFromDirs(srcFS, paths...) - if err != nil { - return fmt.Errorf("failed to load rego policies from %s: %w", paths, err) - } - for name, policy := range loaded { - s.policies[name] = policy - } - s.debug.Log("Loaded %d policies from disk.", len(loaded)) - } - - if len(readers) > 0 { - loaded, err := s.loadPoliciesFromReaders(readers) - if err != nil { - return fmt.Errorf("failed to load rego policies from reader(s): %w", err) - } - for name, policy := range loaded { - s.policies[name] = policy - } - s.debug.Log("Loaded %d policies from reader(s).", len(loaded)) - } - - // gather namespaces - uniq := make(map[string]struct{}) - for _, module := range s.policies { - namespace := getModuleNamespace(module) - uniq[namespace] = struct{}{} - } - var namespaces []string - for namespace := range uniq { - namespaces = append(namespaces, namespace) - } - - dataFS := srcFS - if s.dataFS != nil { - s.debug.Log("Overriding filesystem for data!") - dataFS = s.dataFS - } - store, err := initStore(dataFS, s.dataDirs, namespaces) - if err != nil { - return fmt.Errorf("unable to load data: %w", err) - } - s.store = store - - return s.compilePolicies(srcFS, paths) -} - -func (s *Scanner) prunePoliciesWithError(compiler *ast.Compiler) error { - if len(compiler.Errors) > s.regoErrorLimit { - s.debug.Log("Error(s) occurred while loading policies") - return compiler.Errors - } - - for _, e := range compiler.Errors { - s.debug.Log("Error occurred while parsing: %s, %s", e.Location.File, e.Error()) - delete(s.policies, e.Location.File) - } - return nil -} - -func (s *Scanner) compilePolicies(srcFS fs.FS, paths []string) error { - - schemaSet, custom, err := BuildSchemaSetFromPolicies(s.policies, paths, srcFS) - if err != nil { - return err - } - if custom { - s.inputSchema = nil // discard auto detected input schema in favour of 
policy defined schema - } - - compiler := ast.NewCompiler(). - WithUseTypeCheckAnnotations(true). - WithCapabilities(ast.CapabilitiesForThisVersion()). - WithSchemas(schemaSet) - - compiler.Compile(s.policies) - if compiler.Failed() { - if err := s.prunePoliciesWithError(compiler); err != nil { - return err - } - return s.compilePolicies(srcFS, paths) - } - retriever := NewMetadataRetriever(compiler) - - if err := s.filterModules(retriever); err != nil { - return err - } - if s.inputSchema != nil { - schemaSet := ast.NewSchemaSet() - schemaSet.Put(ast.MustParseRef("schema.input"), s.inputSchema) - compiler.WithSchemas(schemaSet) - compiler.Compile(s.policies) - if compiler.Failed() { - if err := s.prunePoliciesWithError(compiler); err != nil { - return err - } - return s.compilePolicies(srcFS, paths) - } - } - s.compiler = compiler - s.retriever = retriever - return nil -} - -func (s *Scanner) filterModules(retriever *MetadataRetriever) error { - - filtered := make(map[string]*ast.Module) - for name, module := range s.policies { - meta, err := retriever.RetrieveMetadata(context.TODO(), module) - if err != nil { - return err - } - if len(meta.InputOptions.Selectors) == 0 { - s.debug.Log("WARNING: Module %s has no input selectors - it will be loaded for all inputs!", name) - filtered[name] = module - continue - } - for _, selector := range meta.InputOptions.Selectors { - if selector.Type == string(s.sourceType) { - filtered[name] = module - break - } - } - } - - s.policies = filtered - return nil -} diff --git a/pkg/rego/load_test.go b/pkg/rego/load_test.go deleted file mode 100644 index 3240bc20..00000000 --- a/pkg/rego/load_test.go +++ /dev/null 
@@ -1,46 +0,0 @@
-package rego
-
-import (
- "bytes"
- "embed"
- "testing"
-
- "github.com/aquasecurity/defsec/pkg/types"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
-)
-
-//go:embed all:testdata/policies
-var testEmbedFS embed.FS
-
-func Test_RegoScanning_WithSomeInvalidPolicies(t *testing.T) {
- t.Run("allow no errors", func(t *testing.T) {
- var debugBuf bytes.Buffer
- scanner := NewScanner(types.SourceDockerfile)
- scanner.SetRegoErrorLimit(0)
- scanner.SetDebugWriter(&debugBuf)
- p, _ := LoadPoliciesFromDirs(testEmbedFS, ".")
- require.NotNil(t, p)
-
- scanner.policies = p
- err := scanner.compilePolicies(testEmbedFS, []string{"policies"})
- require.ErrorContains(t, err, `want (one of): ["Cmd" "EndLine" "Flags" "JSON" "Original" "Path" "Stage" "StartLine" "SubCmd" "Value"]`)
- assert.Contains(t, debugBuf.String(), "Error(s) occurred while loading policies")
- })
-
- t.Run("allow up to max 1 error", func(t *testing.T) {
- var debugBuf bytes.Buffer
- scanner := NewScanner(types.SourceDockerfile)
- scanner.SetRegoErrorLimit(1)
- scanner.SetDebugWriter(&debugBuf)
-
- p, _ := LoadPoliciesFromDirs(testEmbedFS, ".")
- scanner.policies = p
-
- err := scanner.compilePolicies(testEmbedFS, []string{"policies"})
- require.NoError(t, err)
-
- assert.Contains(t, debugBuf.String(), "Error occurred while parsing: testdata/policies/invalid.rego, testdata/policies/invalid.rego:7")
- })
-
-}
diff --git a/pkg/rego/metadata.go b/pkg/rego/metadata.go
deleted file mode 100644
index ee6b5d1d..00000000
--- a/pkg/rego/metadata.go
+++ /dev/null
@@ -1,380 +0,0 @@ -package rego - -import ( - "context" - "fmt" - "strings" - - "github.com/aquasecurity/defsec/pkg/framework" - "github.com/aquasecurity/defsec/pkg/providers" - "github.com/aquasecurity/defsec/pkg/scan" - "github.com/aquasecurity/defsec/pkg/severity" - defsecTypes "github.com/aquasecurity/defsec/pkg/types" - "github.com/mitchellh/mapstructure" - "github.com/open-policy-agent/opa/ast" - "github.com/open-policy-agent/opa/rego" -) - -type StaticMetadata struct { - ID string - AVDID string - Title string - ShortCode string - Description string - Severity string - RecommendedActions string - PrimaryURL string - References []string - InputOptions InputOptions - Package string - Frameworks map[framework.Framework][]string - Provider string - Service string - Library bool - CloudFormation *scan.EngineMetadata - Terraform *scan.EngineMetadata -} - -func NewStaticMetadata(pkgPath string, inputOpt InputOptions) *StaticMetadata { - return &StaticMetadata{ - ID: "N/A", - Title: "N/A", - Severity: "UNKNOWN", - Description: fmt.Sprintf("Rego module: %s", pkgPath), - Package: pkgPath, - InputOptions: inputOpt, - Frameworks: make(map[framework.Framework][]string), - } -} - -func (sm *StaticMetadata) Update(meta map[string]any) error { - - upd := func(field *string, key string) { - if raw, ok := meta[key]; ok { - *field = fmt.Sprintf("%s", raw) - } - } - - upd(&sm.ID, "id") - upd(&sm.AVDID, "avd_id") - upd(&sm.Title, "title") - upd(&sm.ShortCode, "short_code") - upd(&sm.Description, "description") - upd(&sm.Service, "service") - upd(&sm.Provider, "provider") - upd(&sm.RecommendedActions, "recommended_actions") - upd(&sm.RecommendedActions, "recommended_action") - - if raw, ok := meta["severity"]; ok { - sm.Severity = strings.ToUpper(fmt.Sprintf("%s", raw)) - } - - if raw, ok := meta["library"]; ok { - if lib, ok := raw.(bool); ok { - sm.Library = lib - } - } - - if raw, ok := meta["url"]; ok { - sm.References = append(sm.References, fmt.Sprintf("%s", raw)) - } - if 
raw, ok := meta["frameworks"]; ok { - frameworks, ok := raw.(map[string][]string) - if !ok { - return fmt.Errorf("failed to parse framework metadata: not an object") - } - for fw, sections := range frameworks { - sm.Frameworks[framework.Framework(fw)] = sections - } - } - if raw, ok := meta["related_resources"]; ok { - if relatedResources, ok := raw.([]map[string]any); ok { - for _, relatedResource := range relatedResources { - if raw, ok := relatedResource["ref"]; ok { - sm.References = append(sm.References, fmt.Sprintf("%s", raw)) - } - } - } else if relatedResources, ok := raw.([]string); ok { - sm.References = append(sm.References, relatedResources...) - } - } - - var err error - if sm.CloudFormation, err = NewEngineMetadata("cloud_formation", meta); err != nil { - return err - } - - if sm.Terraform, err = NewEngineMetadata("terraform", meta); err != nil { - return err - } - - return nil -} - -func (sm *StaticMetadata) FromAnnotations(annotations *ast.Annotations) error { - sm.Title = annotations.Title - sm.Description = annotations.Description - for _, resource := range annotations.RelatedResources { - if !resource.Ref.IsAbs() { - continue - } - sm.References = append(sm.References, resource.Ref.String()) - } - if custom := annotations.Custom; custom != nil { - if err := sm.Update(custom); err != nil { - return err - } - } - if len(annotations.RelatedResources) > 0 { - sm.PrimaryURL = annotations.RelatedResources[0].Ref.String() - } - return nil -} - -func NewEngineMetadata(schema string, meta map[string]interface{}) (*scan.EngineMetadata, error) { - var sMap map[string]interface{} - if raw, ok := meta[schema]; ok { - sMap, ok = raw.(map[string]interface{}) - if !ok { - return nil, fmt.Errorf("failed to parse %s metadata: not an object", schema) - } - } - - var em scan.EngineMetadata - if val, ok := sMap["good_examples"].(string); ok { - em.GoodExamples = []string{val} - } - if val, ok := sMap["bad_examples"].(string); ok { - em.BadExamples = []string{val} - } 
- if val, ok := sMap["links"].(string); ok { - em.Links = []string{val} - } - if val, ok := sMap["remediation_markdown"].(string); ok { - em.RemediationMarkdown = val - } - - return &em, nil -} - -type InputOptions struct { - Combined bool - Selectors []Selector -} - -type Selector struct { - Type string - Subtypes []SubType -} - -type SubType struct { - Group string - Version string - Kind string - Namespace string - Service string // only for cloud - Provider string // only for cloud -} - -func (m StaticMetadata) ToRule() scan.Rule { - - provider := "generic" - if m.Provider != "" { - provider = m.Provider - } else if len(m.InputOptions.Selectors) > 0 { - provider = m.InputOptions.Selectors[0].Type - } - service := "general" - if m.Service != "" { - service = m.Service - } - - return scan.Rule{ - AVDID: m.AVDID, - Aliases: []string{m.ID}, - ShortCode: m.ShortCode, - Summary: m.Title, - Explanation: m.Description, - Impact: "", - Resolution: m.RecommendedActions, - Provider: providers.Provider(provider), - Service: service, - Links: m.References, - Severity: severity.Severity(m.Severity), - RegoPackage: m.Package, - Frameworks: m.Frameworks, - CloudFormation: m.CloudFormation, - Terraform: m.Terraform, - } -} - -type MetadataRetriever struct { - compiler *ast.Compiler -} - -func NewMetadataRetriever(compiler *ast.Compiler) *MetadataRetriever { - return &MetadataRetriever{ - compiler: compiler, - } -} - -func (m *MetadataRetriever) findPackageAnnotations(module *ast.Module) *ast.Annotations { - annotationSet := m.compiler.GetAnnotationSet() - if annotationSet == nil { - return nil - } - for _, annotation := range annotationSet.Flatten() { - if annotation.GetPackage().Path.String() != module.Package.Path.String() || annotation.Annotations.Scope != "package" { - continue - } - return annotation.Annotations - } - return nil -} - -func (m *MetadataRetriever) RetrieveMetadata(ctx context.Context, module *ast.Module, contents ...any) (*StaticMetadata, error) { - - 
metadata := NewStaticMetadata( - module.Package.Path.String(), - m.queryInputOptions(ctx, module), - ) - - // read metadata from official rego annotations if possible - if annotations := m.findPackageAnnotations(module); annotations != nil { - if err := metadata.FromAnnotations(annotations); err != nil { - return nil, err - } - return metadata, nil - } - - // otherwise, try to read metadata from the rego module itself - we used to do this before annotations were a thing - namespace := getModuleNamespace(module) - metadataQuery := fmt.Sprintf("data.%s.__rego_metadata__", namespace) - - options := []func(*rego.Rego){ - rego.Query(metadataQuery), - rego.Compiler(m.compiler), - rego.Capabilities(nil), - } - // support dynamic metadata fields - for _, in := range contents { - options = append(options, rego.Input(in)) - } - - instance := rego.New(options...) - set, err := instance.Eval(ctx) - if err != nil { - return nil, err - } - - // no metadata supplied - if set == nil { - return metadata, nil - } - - if len(set) != 1 { - return nil, fmt.Errorf("failed to parse metadata: unexpected set length") - } - if len(set[0].Expressions) != 1 { - return nil, fmt.Errorf("failed to parse metadata: unexpected expression length") - } - expression := set[0].Expressions[0] - meta, ok := expression.Value.(map[string]interface{}) - if !ok { - return nil, fmt.Errorf("failed to parse metadata: not an object") - } - - if err := metadata.Update(meta); err != nil { - return nil, err - } - - return metadata, nil -} - -// nolint: cyclop -func (m *MetadataRetriever) queryInputOptions(ctx context.Context, module *ast.Module) InputOptions { - - options := InputOptions{ - Combined: false, - Selectors: nil, - } - - var metadata map[string]interface{} - - // read metadata from official rego annotations if possible - if annotation := m.findPackageAnnotations(module); annotation != nil && annotation.Custom != nil { - if input, ok := annotation.Custom["input"]; ok { - if mapped, ok := 
input.(map[string]interface{}); ok { - metadata = mapped - } - } - } - - if metadata == nil { - - namespace := getModuleNamespace(module) - inputOptionQuery := fmt.Sprintf("data.%s.__rego_input__", namespace) - instance := rego.New( - rego.Query(inputOptionQuery), - rego.Compiler(m.compiler), - rego.Capabilities(nil), - ) - set, err := instance.Eval(ctx) - if err != nil { - return options - } - - if len(set) != 1 { - return options - } - if len(set[0].Expressions) != 1 { - return options - } - expression := set[0].Expressions[0] - meta, ok := expression.Value.(map[string]interface{}) - if !ok { - return options - } - metadata = meta - } - - if raw, ok := metadata["combine"]; ok { - if combine, ok := raw.(bool); ok { - options.Combined = combine - } - } - - if raw, ok := metadata["selector"]; ok { - if each, ok := raw.([]interface{}); ok { - for _, rawSelector := range each { - var selector Selector - if selectorMap, ok := rawSelector.(map[string]interface{}); ok { - if rawType, ok := selectorMap["type"]; ok { - selector.Type = fmt.Sprintf("%s", rawType) - // handle backward compatibility for "defsec" source type which is now "cloud" - if selector.Type == string(defsecTypes.SourceDefsec) { - selector.Type = string(defsecTypes.SourceCloud) - } - } - if subType, ok := selectorMap["subtypes"].([]interface{}); ok { - for _, subT := range subType { - if st, ok := subT.(map[string]interface{}); ok { - s := SubType{} - _ = mapstructure.Decode(st, &s) - selector.Subtypes = append(selector.Subtypes, s) - } - } - } - } - options.Selectors = append(options.Selectors, selector) - } - } - } - - return options - -} - -func getModuleNamespace(module *ast.Module) string { - return strings.TrimPrefix(module.Package.Path.String(), "data.") -} diff --git a/pkg/rego/metadata_test.go b/pkg/rego/metadata_test.go deleted file mode 100644 index 935c027d..00000000 --- a/pkg/rego/metadata_test.go +++ /dev/null 
@@ -1,188 +0,0 @@ -package rego - -import ( - "testing" - - "github.com/aquasecurity/defsec/pkg/framework" - "github.com/aquasecurity/defsec/pkg/scan" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" -) - -func Test_UpdateStaticMetadata(t *testing.T) { - t.Run("happy", func(t *testing.T) { - sm := StaticMetadata{ - ID: "i", - AVDID: "a", - Title: "t", - ShortCode: "sc", - Description: "d", - Severity: "s", - RecommendedActions: "ra", - PrimaryURL: "pu", - References: []string{"r"}, - Package: "pkg", - Provider: "pr", - Service: "srvc", - Library: false, - Frameworks: map[framework.Framework][]string{ - framework.Default: {"dd"}, - }, - } - - require.NoError(t, sm.Update( - map[string]any{ - "id": "i_n", - "avd_id": "a_n", - "title": "t_n", - "short_code": "sc_n", - "description": "d_n", - "service": "srvc_n", - "provider": "pr_n", - "recommended_actions": "ra_n", - "severity": "s_n", - "library": true, - "url": "r_n", - "frameworks": map[string][]string{ - "all": {"aa"}, - }, - }, - )) - - expected := StaticMetadata{ - ID: "i_n", - AVDID: "a_n", - Title: "t_n", - ShortCode: "sc_n", - Description: "d_n", - Severity: "S_N", - RecommendedActions: "ra_n", - PrimaryURL: "pu", - References: []string{"r", "r_n"}, - Package: "pkg", - Provider: "pr_n", - Service: "srvc_n", - Library: true, - Frameworks: map[framework.Framework][]string{ - framework.Default: {"dd"}, - framework.ALL: {"aa"}, - }, - CloudFormation: &scan.EngineMetadata{}, - Terraform: &scan.EngineMetadata{}, - } - - assert.Equal(t, expected, sm) - }) - - t.Run("related resources are a map", func(t *testing.T) { - sm := StaticMetadata{ - References: []string{"r"}, - } - require.NoError(t, sm.Update(map[string]any{ - "related_resources": []map[string]any{ - { - "ref": "r1_n", - }, - { - "ref": "r2_n", - }, - }, - })) - - expected := StaticMetadata{ - References: []string{"r", "r1_n", "r2_n"}, - CloudFormation: &scan.EngineMetadata{}, - Terraform: &scan.EngineMetadata{}, - } - - 
assert.Equal(t, expected, sm) - }) - - t.Run("related resources are a string", func(t *testing.T) { - sm := StaticMetadata{ - References: []string{"r"}, - } - require.NoError(t, sm.Update(map[string]any{ - "related_resources": []string{"r1_n", "r2_n"}, - })) - - expected := StaticMetadata{ - References: []string{"r", "r1_n", "r2_n"}, - CloudFormation: &scan.EngineMetadata{}, - Terraform: &scan.EngineMetadata{}, - } - - assert.Equal(t, expected, sm) - }) -} - -func Test_getEngineMetadata(t *testing.T) { - inputSchema := map[string]interface{}{ - "terraform": map[string]interface{}{ - "good_examples": `resource "aws_cloudtrail" "good_example" { - is_multi_region_trail = true - - event_selector { - read_write_type = "All" - include_management_events = true - - data_resource { - type = "AWS::S3::Object" - values = ["${data.aws_s3_bucket.important-bucket.arn}/"] - } - } - }`, - }, - "cloud_formation": map[string]interface{}{"good_examples": `--- -Resources: - GoodExample: - Type: AWS::CloudTrail::Trail - Properties: - IsLogging: true - IsMultiRegionTrail: true - S3BucketName: "CloudtrailBucket" - S3KeyPrefix: "/trailing" - TrailName: "Cloudtrail"`, - }} - - var testCases = []struct { - schema string - want string - }{ - { - schema: "terraform", - want: `resource "aws_cloudtrail" "good_example" { - is_multi_region_trail = true - - event_selector { - read_write_type = "All" - include_management_events = true - - data_resource { - type = "AWS::S3::Object" - values = ["${data.aws_s3_bucket.important-bucket.arn}/"] - } - } - }`, - }, - {schema: "cloud_formation", - want: `--- -Resources: - GoodExample: - Type: AWS::CloudTrail::Trail - Properties: - IsLogging: true - IsMultiRegionTrail: true - S3BucketName: "CloudtrailBucket" - S3KeyPrefix: "/trailing" - TrailName: "Cloudtrail"`}, - } - - for _, tc := range testCases { - t.Run(tc.schema, func(t *testing.T) { - em, err := NewEngineMetadata(tc.schema, inputSchema) - assert.NoError(t, err) - assert.Equal(t, tc.want, 
em.GoodExamples[0])
- })
- }
-}
diff --git a/pkg/rego/result.go b/pkg/rego/result.go
deleted file mode 100644
index 94319eee..00000000
--- a/pkg/rego/result.go
+++ /dev/null
@@ -1,166 +0,0 @@
-package rego
-
-import (
- "fmt"
- "io/fs"
- "strconv"
-
- "github.com/aquasecurity/defsec/pkg/scan"
- defsecTypes "github.com/aquasecurity/defsec/pkg/types"
- "github.com/open-policy-agent/opa/rego"
-)
-
-type regoResult struct {
- Filepath string
- Resource string
- StartLine int
- EndLine int
- SourcePrefix string
- Message string
- Explicit bool
- Managed bool
- FSKey string
- FS fs.FS
- Parent *regoResult
-}
-
-func (r regoResult) GetMetadata() defsecTypes.Metadata {
- var m defsecTypes.Metadata
- if !r.Managed {
- m = defsecTypes.NewUnmanagedMetadata()
- } else {
- rng := defsecTypes.NewRangeWithFSKey(r.Filepath, r.StartLine, r.EndLine, r.SourcePrefix, r.FSKey, r.FS)
- if r.Explicit {
- m = defsecTypes.NewExplicitMetadata(rng, r.Resource)
- } else {
- m = defsecTypes.NewMetadata(rng, r.Resource)
- }
- }
- if r.Parent != nil {
- return m.WithParent(r.Parent.GetMetadata())
- }
- return m
-}
-
-func (r regoResult) GetRawValue() interface{} {
- return nil
-}
-
-func parseResult(raw interface{}) *regoResult {
- var result regoResult
- result.Managed = true
- switch val := raw.(type) {
- case []interface{}:
- var msg string
- for _, item := range val {
- switch raw := item.(type) {
- case map[string]interface{}:
- result = parseCause(raw)
- case string:
- msg = raw
- }
- }
- result.Message = msg
- case string:
- result.Message = val
- case map[string]interface{}:
- result = parseCause(val)
- default:
- result.Message = "Rego policy resulted in DENY"
- }
- return &result
-}
-
-func parseCause(cause map[string]interface{}) regoResult {
- var result regoResult
- result.Managed = true
- if msg, ok := cause["msg"]; ok {
- result.Message = fmt.Sprintf("%s", msg)
- }
- if filepath, ok := cause["filepath"]; ok {
- result.Filepath = fmt.Sprintf("%s", filepath)
- }
- if msg, ok := cause["fskey"]; ok {
- result.FSKey = fmt.Sprintf("%s", msg)
- }
- if msg, ok := cause["resource"]; ok {
- result.Resource = fmt.Sprintf("%s", msg)
- }
- if start, ok := 
cause["startline"]; ok {
- result.StartLine = parseLineNumber(start)
- }
- if end, ok := cause["endline"]; ok {
- result.EndLine = parseLineNumber(end)
- }
- if prefix, ok := cause["sourceprefix"]; ok {
- result.SourcePrefix = fmt.Sprintf("%s", prefix)
- }
- if explicit, ok := cause["explicit"]; ok {
- if set, ok := explicit.(bool); ok {
- result.Explicit = set
- }
- }
- if managed, ok := cause["managed"]; ok {
- if set, ok := managed.(bool); ok {
- result.Managed = set
- }
- }
- if parent, ok := cause["parent"]; ok {
- if m, ok := parent.(map[string]interface{}); ok {
- parentResult := parseCause(m)
- result.Parent = &parentResult
- }
- }
- return result
-}
-
-func parseLineNumber(raw interface{}) int {
- str := fmt.Sprintf("%s", raw)
- n, _ := strconv.Atoi(str)
- return n
-}
-
-func (s *Scanner) convertResults(set rego.ResultSet, input Input, namespace string, rule string, traces []string) scan.Results {
- var results scan.Results
-
- offset := 0
- if input.Contents != nil {
- if xx, ok := input.Contents.(map[string]interface{}); ok {
- if md, ok := xx["__defsec_metadata"]; ok {
- if md2, ok := md.(map[string]interface{}); ok {
- if sl, ok := md2["offset"]; ok {
- offset, _ = sl.(int)
- }
- }
- }
- }
- }
- for _, result := range set {
- for _, expression := range result.Expressions {
- values, ok := expression.Value.([]interface{})
- if !ok {
- values = []interface{}{expression.Value}
- }
-
- for _, value := range values {
- regoResult := parseResult(value)
- regoResult.FS = input.FS
- if regoResult.Filepath == "" && input.Path != "" {
- regoResult.Filepath = input.Path
- }
- if regoResult.Message == "" {
- regoResult.Message = fmt.Sprintf("Rego policy rule: %s.%s", namespace, rule)
- }
- regoResult.StartLine += offset
- regoResult.EndLine += offset
- results.AddRego(regoResult.Message, namespace, rule, traces, regoResult)
- }
- }
- }
- return results
-}
-
-func (s *Scanner) embellishResultsWithRuleMetadata(results scan.Results, metadata StaticMetadata) 
scan.Results {
- results.SetRule(metadata.ToRule())
- return results
-}
diff --git a/pkg/rego/result_test.go b/pkg/rego/result_test.go
deleted file mode 100644
index d958f796..00000000
--- a/pkg/rego/result_test.go
+++ /dev/null
@@ -1,104 +0,0 @@
-package rego
-
-import (
- "testing"
-
- "github.com/stretchr/testify/assert"
-)
-
-func Test_parseResult(t *testing.T) {
- var testCases = []struct {
- name string
- input interface{}
- want regoResult
- }{
- {
- name: "unknown",
- input: nil,
- want: regoResult{
- Managed: true,
- Message: "Rego policy resulted in DENY",
- },
- },
- {
- name: "string",
- input: "message",
- want: regoResult{
- Managed: true,
- Message: "message",
- },
- },
- {
- name: "strings",
- input: []interface{}{"message"},
- want: regoResult{
- Managed: true,
- Message: "message",
- },
- },
- {
- name: "maps",
- input: []interface{}{
- "message",
- map[string]interface{}{
- "filepath": "a.out",
- },
- },
- want: regoResult{
- Managed: true,
- Message: "message",
- Filepath: "a.out",
- },
- },
- {
- name: "map",
- input: map[string]interface{}{
- "msg": "message",
- "filepath": "a.out",
- "fskey": "abcd",
- "resource": "resource",
- "startline": "123",
- "endline": "456",
- "sourceprefix": "git",
- "explicit": true,
- "managed": true,
- },
- want: regoResult{
- Message: "message",
- Filepath: "a.out",
- Resource: "resource",
- StartLine: 123,
- EndLine: 456,
- SourcePrefix: "git",
- FSKey: "abcd",
- Explicit: true,
- Managed: true,
- },
- },
- {
- name: "parent",
- input: map[string]interface{}{
- "msg": "child",
- "parent": map[string]interface{}{
- "msg": "parent",
- },
- },
- want: regoResult{
- Message: "child",
- Managed: true,
- Parent: ®oResult{
- Message: "parent",
- Managed: true,
- },
- },
- },
- }
-
- for _, tc := range testCases {
- t.Run(tc.name, func(t *testing.T) {
- have := parseResult(tc.input)
- assert.NotNil(t, have)
- assert.Equal(t, tc.want, *have)
- })
- }
-}
diff --git a/pkg/rego/runtime.go b/pkg/rego/runtime.go
deleted file mode 100644
index 6e28268d..00000000
--- a/pkg/rego/runtime.go
+++ /dev/null
@@ -1,28 +0,0 @@
-package rego
-
-import (
- "os"
- "strings"
-
- "github.com/open-policy-agent/opa/ast"
- "github.com/open-policy-agent/opa/version"
-)
-
-func addRuntimeValues() *ast.Term {
- env := ast.NewObject()
- for _, pair := range os.Environ() {
- parts := strings.SplitN(pair, "=", 2)
- if len(parts) == 1 {
- env.Insert(ast.StringTerm(parts[0]), ast.NullTerm())
- } else if len(parts) > 1 {
- env.Insert(ast.StringTerm(parts[0]), ast.StringTerm(parts[1]))
- }
- }
-
- obj := ast.NewObject()
- obj.Insert(ast.StringTerm("env"), ast.NewTerm(env))
- obj.Insert(ast.StringTerm("version"), ast.StringTerm(version.Version))
- obj.Insert(ast.StringTerm("commit"), ast.StringTerm(version.Vcs))
-
- return ast.NewTerm(obj)
-}
diff --git a/pkg/rego/scanner.go b/pkg/rego/scanner.go
deleted file mode 100644
index 667c4c04..00000000
--- a/pkg/rego/scanner.go
+++ /dev/null
@@ -1,413 +0,0 @@ -package rego - -import ( - "bytes" - "context" - "encoding/json" - "fmt" - "io" - "io/fs" - "strings" - - "github.com/aquasecurity/defsec/pkg/debug" - "github.com/aquasecurity/defsec/pkg/framework" - "github.com/aquasecurity/defsec/pkg/scan" - "github.com/aquasecurity/defsec/pkg/types" - "github.com/aquasecurity/trivy-iac/pkg/rego/schemas" - "github.com/open-policy-agent/opa/ast" - "github.com/open-policy-agent/opa/rego" - "github.com/open-policy-agent/opa/storage" - - "github.com/aquasecurity/defsec/pkg/scanners/options" -) - -var _ options.ConfigurableScanner = (*Scanner)(nil) - -type Scanner struct { - ruleNamespaces map[string]struct{} - policies map[string]*ast.Module - store storage.Store - dataDirs []string - runtimeValues *ast.Term - compiler *ast.Compiler - regoErrorLimit int - debug debug.Logger - traceWriter io.Writer - tracePerResult bool - retriever *MetadataRetriever - policyFS fs.FS - dataFS fs.FS - frameworks []framework.Framework - spec string - inputSchema interface{} // unmarshalled into this from a json schema document - sourceType types.Source -} - -func (s *Scanner) SetUseEmbeddedLibraries(b bool) { - // handled externally -} - -func (s *Scanner) SetSpec(spec string) { - s.spec = spec -} - -func (s *Scanner) SetRegoOnly(bool) {} - -func (s *Scanner) SetFrameworks(frameworks []framework.Framework) { - s.frameworks = frameworks -} - -func (s *Scanner) SetUseEmbeddedPolicies(b bool) { - // handled externally -} - -func (s *Scanner) trace(heading string, input interface{}) { - if s.traceWriter == nil { - return - } - data, err := json.MarshalIndent(input, "", " ") - if err != nil { - return - } - _, _ = fmt.Fprintf(s.traceWriter, "REGO %[1]s:\n%s\nEND REGO %[1]s\n\n", heading, string(data)) -} - -func (s *Scanner) SetPolicyFilesystem(fs fs.FS) { - s.policyFS = fs -} - -func (s *Scanner) SetDataFilesystem(fs fs.FS) { - s.dataFS = fs -} - -func (s *Scanner) SetPolicyReaders(_ []io.Reader) { - // NOTE: Policy readers option not 
applicable for rego, policies are loaded on-demand by other scanners. -} - -func (s *Scanner) SetDebugWriter(writer io.Writer) { - s.debug = debug.New(writer, "rego", "scanner") -} - -func (s *Scanner) SetTraceWriter(writer io.Writer) { - s.traceWriter = writer -} - -func (s *Scanner) SetPerResultTracingEnabled(b bool) { - s.tracePerResult = b -} - -func (s *Scanner) SetPolicyDirs(_ ...string) { - // NOTE: Policy dirs option not applicable for rego, policies are loaded on-demand by other scanners. -} - -func (s *Scanner) SetDataDirs(dirs ...string) { - s.dataDirs = dirs -} - -func (s *Scanner) SetPolicyNamespaces(namespaces ...string) { - for _, namespace := range namespaces { - s.ruleNamespaces[namespace] = struct{}{} - } -} - -func (s *Scanner) SetSkipRequiredCheck(_ bool) { - // NOTE: Skip required option not applicable for rego. -} - -func (s *Scanner) SetRegoErrorLimit(limit int) { - s.regoErrorLimit = limit -} - -type DynamicMetadata struct { - Warning bool - Filepath string - Message string - StartLine int - EndLine int -} - -func NewScanner(source types.Source, options ...options.ScannerOption) *Scanner { - schema, ok := schemas.SchemaMap[source] - if !ok { - schema = schemas.Anything - } - - s := &Scanner{ - regoErrorLimit: ast.CompileErrorLimitDefault, - sourceType: source, - ruleNamespaces: map[string]struct{}{ - "builtin": {}, - "appshield": {}, - "defsec": {}, - }, - runtimeValues: addRuntimeValues(), - } - for _, opt := range options { - opt(s) - } - if schema != schemas.None { - err := json.Unmarshal([]byte(schema), &s.inputSchema) - if err != nil { - panic(err) - } - } - return s -} - -func (s *Scanner) SetParentDebugLogger(l debug.Logger) { - s.debug = l.Extend("rego") -} - -func (s *Scanner) runQuery(ctx context.Context, query string, input interface{}, disableTracing bool) (rego.ResultSet, []string, error) { - - trace := (s.traceWriter != nil || s.tracePerResult) && !disableTracing - - regoOptions := []func(*rego.Rego){ - rego.Query(query), - 
rego.Compiler(s.compiler), - rego.Store(s.store), - rego.Runtime(s.runtimeValues), - rego.Trace(trace), - } - - if s.inputSchema != nil { - schemaSet := ast.NewSchemaSet() - schemaSet.Put(ast.MustParseRef("schema.input"), s.inputSchema) - regoOptions = append(regoOptions, rego.Schemas(schemaSet)) - } - - if input != nil { - regoOptions = append(regoOptions, rego.Input(input)) - } - - instance := rego.New(regoOptions...) - set, err := instance.Eval(ctx) - if err != nil { - return nil, nil, err - } - - // we also build a slice of trace lines for per-result tracing - primarily for fanal/trivy - var traces []string - - if trace { - if s.traceWriter != nil { - rego.PrintTrace(s.traceWriter, instance) - } - if s.tracePerResult { - traceBuffer := bytes.NewBuffer([]byte{}) - rego.PrintTrace(traceBuffer, instance) - traces = strings.Split(traceBuffer.String(), "\n") - } - } - return set, traces, nil -} - -type Input struct { - Path string `json:"path"` - FS fs.FS `json:"-"` - Contents interface{} `json:"contents"` -} - -func GetInputsContents(inputs []Input) []any { - results := make([]any, len(inputs)) - for i, c := range inputs { - results[i] = c.Contents - } - return results -} - -func (s *Scanner) ScanInput(ctx context.Context, inputs ...Input) (scan.Results, error) { - - s.debug.Log("Scanning %d inputs...", len(inputs)) - - var results scan.Results - - for _, module := range s.policies { - - select { - case <-ctx.Done(): - return nil, ctx.Err() - default: - } - - namespace := getModuleNamespace(module) - topLevel := strings.Split(namespace, ".")[0] - if _, ok := s.ruleNamespaces[topLevel]; !ok { - continue - } - - staticMeta, err := s.retriever.RetrieveMetadata(ctx, module, GetInputsContents(inputs)...) - if err != nil { - return nil, err - } - - if isPolicyWithSubtype(s.sourceType) { - // skip if policy isn't relevant to what is being scanned - if !isPolicyApplicable(staticMeta, inputs...) 
{ - continue - } - } - - if len(inputs) == 0 { - continue - } - - usedRules := make(map[string]struct{}) - - // all rules - for _, rule := range module.Rules { - ruleName := rule.Head.Name.String() - if _, ok := usedRules[ruleName]; ok { - continue - } - usedRules[ruleName] = struct{}{} - if isEnforcedRule(ruleName) { - ruleResults, err := s.applyRule(ctx, namespace, ruleName, inputs, staticMeta.InputOptions.Combined) - if err != nil { - return nil, err - } - results = append(results, s.embellishResultsWithRuleMetadata(ruleResults, *staticMeta)...) - } - } - - } - - return results, nil -} - -func isPolicyWithSubtype(sourceType types.Source) bool { - for _, s := range []types.Source{types.SourceCloud, types.SourceDefsec} { // TODO(simar): Add types.Kubernetes once all k8s policy have subtype - if sourceType == s { - return true - } - } - return false -} - -func checkSubtype(ii map[string]interface{}, provider string, subTypes []SubType) bool { - if len(subTypes) == 0 { - return true - } - - for _, st := range subTypes { - switch services := ii[provider].(type) { - case map[string]interface{}: // cloud - for service := range services { - if (service == st.Service) && (st.Provider == provider) { - return true - } - } - case string: // k8s - // TODO(simar): This logic probably needs to be revisited - if services == st.Group || - services == st.Version || - services == st.Kind { - return true - } - } - } - return false -} - -func isPolicyApplicable(staticMetadata *StaticMetadata, inputs ...Input) bool { - for _, input := range inputs { - if ii, ok := input.Contents.(map[string]interface{}); ok { - for provider := range ii { - // TODO(simar): Add other providers - if !strings.Contains(strings.Join([]string{"kind", "aws", "azure"}, ","), provider) { - continue - } - - if len(staticMetadata.InputOptions.Selectors) == 0 { // policy always applies if no selectors - return true - } - - // check metadata for subtype - for _, s := range staticMetadata.InputOptions.Selectors { - 
if checkSubtype(ii, provider, s.Subtypes) { - return true - } - } - } - } - } - return false -} - -func (s *Scanner) applyRule(ctx context.Context, namespace string, rule string, inputs []Input, combined bool) (scan.Results, error) { - - // handle combined evaluations if possible - if combined { - s.trace("INPUT", inputs) - return s.applyRuleCombined(ctx, namespace, rule, inputs) - } - - var results scan.Results - qualified := fmt.Sprintf("data.%s.%s", namespace, rule) - for _, input := range inputs { - s.trace("INPUT", input) - if ignored, err := s.isIgnored(ctx, namespace, rule, input.Contents); err != nil { - return nil, err - } else if ignored { - var result regoResult - result.FS = input.FS - result.Filepath = input.Path - result.Managed = true - results.AddIgnored(result) - continue - } - set, traces, err := s.runQuery(ctx, qualified, input.Contents, false) - if err != nil { - return nil, err - } - s.trace("RESULTSET", set) - ruleResults := s.convertResults(set, input, namespace, rule, traces) - if len(ruleResults) == 0 { // It passed because we didn't find anything wrong (NOT because it didn't exist) - var result regoResult - result.FS = input.FS - result.Filepath = input.Path - result.Managed = true - results.AddPassedRego(namespace, rule, traces, result) - continue - } - results = append(results, ruleResults...) 
- } - - return results, nil -} - -func (s *Scanner) applyRuleCombined(ctx context.Context, namespace string, rule string, inputs []Input) (scan.Results, error) { - if len(inputs) == 0 { - return nil, nil - } - var results scan.Results - qualified := fmt.Sprintf("data.%s.%s", namespace, rule) - if ignored, err := s.isIgnored(ctx, namespace, rule, inputs); err != nil { - return nil, err - } else if ignored { - for _, input := range inputs { - var result regoResult - result.FS = input.FS - result.Filepath = input.Path - result.Managed = true - results.AddIgnored(result) - } - return results, nil - } - set, traces, err := s.runQuery(ctx, qualified, inputs, false) - if err != nil { - return nil, err - } - return s.convertResults(set, inputs[0], namespace, rule, traces), nil -} - -// severity is now set with metadata, so deny/warn/violation now behave the same way -func isEnforcedRule(name string) bool { - switch { - case name == "deny", strings.HasPrefix(name, "deny_"), - name == "warn", strings.HasPrefix(name, "warn_"), - name == "violation", strings.HasPrefix(name, "violation_"): - return true - } - return false -} diff --git a/pkg/rego/scanner_test.go b/pkg/rego/scanner_test.go deleted file mode 100644 index d1aca509..00000000 --- a/pkg/rego/scanner_test.go +++ /dev/null 
@@ -1,978 +0,0 @@ -package rego - -import ( - "bytes" - "context" - "io/fs" - "os" - "path/filepath" - "strings" - "testing" - - "github.com/aquasecurity/defsec/pkg/severity" - "github.com/aquasecurity/defsec/pkg/types" - "github.com/liamg/memoryfs" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - - "github.com/aquasecurity/defsec/pkg/scanners/options" -) - -func CreateFS(t *testing.T, files map[string]string) fs.FS { - memfs := memoryfs.New() - for name, content := range files { - name := strings.TrimPrefix(name, "/") - err := memfs.MkdirAll(filepath.Dir(name), 0o700) - require.NoError(t, err) - err = memfs.WriteFile(name, []byte(content), 0o644) - require.NoError(t, err) - } - return memfs -} - -func Test_RegoScanning_Deny(t *testing.T) { - - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": ` -package defsec.test - -deny { - input.evil -} -`, - }) - - scanner := NewScanner(types.SourceJSON) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "evil": true, - }, - FS: srcFS, - }) - require.NoError(t, err) - - require.Equal(t, 1, len(results.GetFailed())) - assert.Equal(t, 0, len(results.GetPassed())) - assert.Equal(t, 0, len(results.GetIgnored())) - - assert.Equal(t, "/evil.lol", results.GetFailed()[0].Metadata().Range().GetFilename()) - assert.False(t, results.GetFailed()[0].IsWarning()) -} - -func Test_RegoScanning_AbsolutePolicyPath_Deny(t *testing.T) { - - tmp := t.TempDir() - require.NoError(t, os.Mkdir(filepath.Join(tmp, "policies"), 0755)) - require.NoError(t, os.WriteFile(filepath.Join(tmp, "policies", "test.rego"), []byte(`package defsec.test - -deny { - input.evil -}`), 0600)) - - srcFS := os.DirFS(tmp) - - scanner := NewScanner(types.SourceJSON) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"/policies"}, nil), - 
) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "evil": true, - }, - FS: srcFS, - }) - require.NoError(t, err) - - require.Equal(t, 1, len(results.GetFailed())) - assert.Equal(t, 0, len(results.GetPassed())) - assert.Equal(t, 0, len(results.GetIgnored())) - - assert.Equal(t, "/evil.lol", results.GetFailed()[0].Metadata().Range().GetFilename()) - assert.False(t, results.GetFailed()[0].IsWarning()) -} - -func Test_RegoScanning_Warn(t *testing.T) { - - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": ` -package defsec.test - -warn { - input.evil -} -`, - }) - - scanner := NewScanner(types.SourceJSON) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "evil": true, - }, - }) - require.NoError(t, err) - - require.Equal(t, 1, len(results.GetFailed())) - require.Equal(t, 0, len(results.GetPassed())) - require.Equal(t, 0, len(results.GetIgnored())) - - assert.True(t, results.GetFailed()[0].IsWarning()) -} - -func Test_RegoScanning_Allow(t *testing.T) { - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": ` -package defsec.test - -deny { - input.evil -} -`, - }) - - scanner := NewScanner(types.SourceJSON) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "evil": false, - }, - }) - require.NoError(t, err) - - assert.Equal(t, 0, len(results.GetFailed())) - require.Equal(t, 1, len(results.GetPassed())) - assert.Equal(t, 0, len(results.GetIgnored())) - - assert.Equal(t, "/evil.lol", results.GetPassed()[0].Metadata().Range().GetFilename()) -} - -func Test_RegoScanning_Namespace_Exception(t *testing.T) { - - srcFS := CreateFS(t, map[string]string{ 
- "policies/test.rego": ` -package defsec.test - -deny { - input.evil -} -`, - "policies/exceptions.rego": ` -package namespace.exceptions - -import data.namespaces - -exception[ns] { - ns := data.namespaces[_] - startswith(ns, "defsec") -} -`, - }) - - scanner := NewScanner(types.SourceJSON) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "evil": true, - }, - }) - require.NoError(t, err) - - assert.Equal(t, 0, len(results.GetFailed())) - assert.Equal(t, 0, len(results.GetPassed())) - assert.Equal(t, 1, len(results.GetIgnored())) - -} - -func Test_RegoScanning_Namespace_Exception_WithoutMatch(t *testing.T) { - - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": ` -package defsec.test - -deny { - input.evil -} -`, "policies/something.rego": ` -package builtin.test - -deny_something { - input.something -} -`, - "policies/exceptions.rego": ` -package namespace.exceptions - -import data.namespaces - -exception[ns] { - ns := data.namespaces[_] - startswith(ns, "builtin") -} -`, - }) - - scanner := NewScanner(types.SourceJSON) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "evil": true, - }, - }) - require.NoError(t, err) - - assert.Equal(t, 1, len(results.GetFailed())) - assert.Equal(t, 0, len(results.GetPassed())) - assert.Equal(t, 1, len(results.GetIgnored())) - -} - -func Test_RegoScanning_Rule_Exception(t *testing.T) { - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": ` -package defsec.test -deny_evil { - input.evil -} -`, - "policies/exceptions.rego": ` -package defsec.test - -exception[rules] { - rules := ["evil"] -} -`, - }) - - scanner := NewScanner(types.SourceJSON) - require.NoError( - t, - 
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "evil": true, - }, - }) - require.NoError(t, err) - - assert.Equal(t, 0, len(results.GetFailed())) - assert.Equal(t, 0, len(results.GetPassed())) - assert.Equal(t, 1, len(results.GetIgnored())) -} - -func Test_RegoScanning_Rule_Exception_WithoutMatch(t *testing.T) { - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": ` -package defsec.test -deny_evil { - input.evil -} -`, - "policies/exceptions.rego": ` -package defsec.test - -exception[rules] { - rules := ["good"] -} -`, - }) - - scanner := NewScanner(types.SourceJSON) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "evil": true, - }, - }) - require.NoError(t, err) - - assert.Equal(t, 1, len(results.GetFailed())) - assert.Equal(t, 0, len(results.GetPassed())) - assert.Equal(t, 0, len(results.GetIgnored())) -} - -func Test_RegoScanning_WithRuntimeValues(t *testing.T) { - - _ = os.Setenv("DEFSEC_RUNTIME_VAL", "AOK") - - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": ` -package defsec.test - -deny_evil { - output := opa.runtime() - output.env.DEFSEC_RUNTIME_VAL == "AOK" -} -`, - }) - - scanner := NewScanner(types.SourceJSON) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "evil": true, - }, - }) - require.NoError(t, err) - - assert.Equal(t, 1, len(results.GetFailed())) - assert.Equal(t, 0, len(results.GetPassed())) - assert.Equal(t, 0, len(results.GetIgnored())) -} - -func Test_RegoScanning_WithDenyMessage(t *testing.T) { - srcFS := CreateFS(t, 
map[string]string{ - "policies/test.rego": ` -package defsec.test - -deny[msg] { - input.evil - msg := "oh no" -} -`, - }) - - scanner := NewScanner(types.SourceJSON) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "evil": true, - }, - }) - require.NoError(t, err) - - require.Equal(t, 1, len(results.GetFailed())) - assert.Equal(t, 0, len(results.GetPassed())) - assert.Equal(t, 0, len(results.GetIgnored())) - - assert.Equal(t, "oh no", results.GetFailed()[0].Description()) - assert.Equal(t, "/evil.lol", results.GetFailed()[0].Metadata().Range().GetFilename()) -} - -func Test_RegoScanning_WithDenyMetadata_ImpliedPath(t *testing.T) { - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": ` -package defsec.test - -deny[res] { - input.evil - res := { - "msg": "oh no", - "startline": 123, - "endline": 456, - } -} -`, - }) - - scanner := NewScanner(types.SourceJSON) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "evil": true, - }, - }) - require.NoError(t, err) - - require.Equal(t, 1, len(results.GetFailed())) - assert.Equal(t, 0, len(results.GetPassed())) - assert.Equal(t, 0, len(results.GetIgnored())) - - assert.Equal(t, "oh no", results.GetFailed()[0].Description()) - assert.Equal(t, "/evil.lol", results.GetFailed()[0].Metadata().Range().GetFilename()) - assert.Equal(t, 123, results.GetFailed()[0].Metadata().Range().GetStartLine()) - assert.Equal(t, 456, results.GetFailed()[0].Metadata().Range().GetEndLine()) - -} - -func Test_RegoScanning_WithDenyMetadata_PersistedPath(t *testing.T) { - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": ` -package defsec.test - -deny[res] { - input.evil - res := { - "msg": 
"oh no", - "startline": 123, - "endline": 456, - "filepath": "/blah.txt", - } -} -`, - }) - - scanner := NewScanner(types.SourceJSON) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "evil": true, - }, - }) - require.NoError(t, err) - - require.Equal(t, 1, len(results.GetFailed())) - assert.Equal(t, 0, len(results.GetPassed())) - assert.Equal(t, 0, len(results.GetIgnored())) - - assert.Equal(t, "oh no", results.GetFailed()[0].Description()) - assert.Equal(t, "/blah.txt", results.GetFailed()[0].Metadata().Range().GetFilename()) - assert.Equal(t, 123, results.GetFailed()[0].Metadata().Range().GetStartLine()) - assert.Equal(t, 456, results.GetFailed()[0].Metadata().Range().GetEndLine()) - -} - -func Test_RegoScanning_WithStaticMetadata(t *testing.T) { - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": ` -package defsec.test - -__rego_metadata__ := { - "id": "AA001", - "avd_id": "AVD-XX-9999", - "title": "This is a title", - "short_code": "short-code", - "severity": "LOW", - "type": "Dockerfile Security Check", - "description": "This is a description", - "recommended_actions": "This is a recommendation", - "url": "https://google.com", -} - -deny[res] { - input.evil - res := { - "msg": "oh no", - "startline": 123, - "endline": 456, - "filepath": "/blah.txt", - } -} -`, - }) - - scanner := NewScanner(types.SourceJSON) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "evil": true, - }, - }) - require.NoError(t, err) - - require.Equal(t, 1, len(results.GetFailed())) - assert.Equal(t, 0, len(results.GetPassed())) - assert.Equal(t, 0, len(results.GetIgnored())) - - failure := results.GetFailed()[0] - - assert.Equal(t, "oh 
no", failure.Description()) - assert.Equal(t, "/blah.txt", failure.Metadata().Range().GetFilename()) - assert.Equal(t, 123, failure.Metadata().Range().GetStartLine()) - assert.Equal(t, 456, failure.Metadata().Range().GetEndLine()) - assert.Equal(t, "AVD-XX-9999", failure.Rule().AVDID) - assert.True(t, failure.Rule().HasID("AA001")) - assert.Equal(t, "This is a title", failure.Rule().Summary) - assert.Equal(t, severity.Low, failure.Rule().Severity) - assert.Equal(t, "This is a recommendation", failure.Rule().Resolution) - assert.Equal(t, "https://google.com", failure.Rule().Links[0]) - -} - -func Test_RegoScanning_WithMatchingInputSelector(t *testing.T) { - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": ` -package defsec.test - -__rego_input__ := { - "selector": [{"type": "json"}], -} - -deny { - input.evil -} - -`, - }) - - scanner := NewScanner(types.SourceJSON) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "evil": true, - }, - }) - require.NoError(t, err) - - assert.Equal(t, 1, len(results.GetFailed())) - assert.Equal(t, 0, len(results.GetPassed())) - assert.Equal(t, 0, len(results.GetIgnored())) -} - -func Test_RegoScanning_WithNonMatchingInputSelector(t *testing.T) { - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": ` -package defsec.test - -__rego_input__ := { - "selector": [{"type": "testing"}], -} - -deny { - input.evil -} -`, - }) - - scanner := NewScanner(types.SourceJSON) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "evil": true, - }, - }) - require.NoError(t, err) - - assert.Equal(t, 0, len(results.GetFailed())) - assert.Equal(t, 0, len(results.GetPassed())) - assert.Equal(t, 0, 
len(results.GetIgnored())) -} - -func Test_RegoScanning_NoTracingByDefault(t *testing.T) { - - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": ` -package defsec.test - -deny { - input.evil -} -`, - }) - - scanner := NewScanner(types.SourceJSON) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "evil": true, - }, - }) - require.NoError(t, err) - - assert.Equal(t, 1, len(results.GetFailed())) - assert.Equal(t, 0, len(results.GetPassed())) - assert.Equal(t, 0, len(results.GetIgnored())) - - assert.Len(t, results.GetFailed()[0].Traces(), 0) -} - -func Test_RegoScanning_GlobalTracingEnabled(t *testing.T) { - - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": ` -package defsec.test - -deny { - input.evil -} -`, - }) - - traceBuffer := bytes.NewBuffer([]byte{}) - - scanner := NewScanner(types.SourceJSON, options.ScannerWithTrace(traceBuffer)) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "evil": true, - }, - }) - require.NoError(t, err) - - assert.Equal(t, 1, len(results.GetFailed())) - assert.Equal(t, 0, len(results.GetPassed())) - assert.Equal(t, 0, len(results.GetIgnored())) - - assert.Len(t, results.GetFailed()[0].Traces(), 0) - assert.Greater(t, len(traceBuffer.Bytes()), 0) -} - -func Test_RegoScanning_PerResultTracingEnabled(t *testing.T) { - - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": ` -package defsec.test - -deny { - input.evil -} -`, - }) - - scanner := NewScanner(types.SourceJSON, options.ScannerWithPerResultTracing(true)) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := 
scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "evil": true, - }, - }) - require.NoError(t, err) - - assert.Equal(t, 1, len(results.GetFailed())) - assert.Equal(t, 0, len(results.GetPassed())) - assert.Equal(t, 0, len(results.GetIgnored())) - - assert.Greater(t, len(results.GetFailed()[0].Traces()), 0) -} - -func Test_dynamicMetadata(t *testing.T) { - - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": ` -package defsec.test - -__rego_metadata__ := { - "title" : sprintf("i am %s",[input.text]) -} - -deny { - input.text -} - -`, - }) - - scanner := NewScanner(types.SourceJSON) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "text": "dynamic", - }, - }) - require.NoError(t, err) - assert.Equal(t, results[0].Rule().Summary, "i am dynamic") -} - -func Test_staticMetadata(t *testing.T) { - - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": ` -package defsec.test - -__rego_metadata__ := { - "title" : "i am static" -} - -deny { - input.text -} - -`, - }) - - scanner := NewScanner(types.SourceJSON) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "text": "test", - }, - }) - require.NoError(t, err) - assert.Equal(t, results[0].Rule().Summary, "i am static") -} - -func Test_annotationMetadata(t *testing.T) { - - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": `# METADATA -# title: i am a title -# description: i am a description -# related_resources: -# - https://google.com -# custom: -# id: EG123 -# avd_id: AVD-EG-0123 -# severity: LOW -# recommended_action: have a cup of tea -package defsec.test - -deny { - input.text -} - -`, - 
"policies/test2.rego": `# METADATA -# title: i am another title -package defsec.test2 - -deny { - input.blah -} - -`, - }) - - scanner := NewScanner(types.SourceJSON) - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{ - Path: "/evil.lol", - Contents: map[string]interface{}{ - "text": "test", - }, - }) - require.NoError(t, err) - require.Len(t, results.GetFailed(), 1) - failure := results.GetFailed()[0].Rule() - assert.Equal(t, "i am a title", failure.Summary) - assert.Equal(t, "i am a description", failure.Explanation) - require.Len(t, failure.Links, 1) - assert.Equal(t, "https://google.com", failure.Links[0]) - assert.Equal(t, "AVD-EG-0123", failure.AVDID) - assert.Equal(t, severity.Low, failure.Severity) - assert.Equal(t, "have a cup of tea", failure.Resolution) -} - -func Test_RegoScanning_WithInvalidInputSchema(t *testing.T) { - - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": `# METADATA -# schemas: -# - input: schema["input"] -package defsec.test - -deny { - input.evil == "lol" -} -`, - }) - - scanner := NewScanner(types.SourceDockerfile) - scanner.SetRegoErrorLimit(0) // override to not allow any errors - assert.ErrorContains( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - "undefined ref: input.evil", - ) -} - -func Test_RegoScanning_WithValidInputSchema(t *testing.T) { - - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": `# METADATA -# schemas: -# - input: schema["input"] -package defsec.test - -deny { - input.Stages[0].Commands[0].Cmd == "lol" -} -`, - }) - - scanner := NewScanner(types.SourceDockerfile) - assert.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) -} - -func Test_RegoScanning_WithFilepathToSchema(t *testing.T) { - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": `# METADATA -# schemas: -# - input: 
schema["dockerfile"] -package defsec.test - -deny { - input.evil == "lol" -} -`, - }) - scanner := NewScanner(types.SourceJSON) - scanner.SetRegoErrorLimit(0) // override to not allow any errors - assert.ErrorContains( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - "undefined ref: input.evil", - ) -} - -func Test_RegoScanning_CustomData(t *testing.T) { - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": ` -package defsec.test -import data.settings.DS123.foo_bar_baz - -deny { - not foo_bar_baz -} -`, - }) - - dataFS := CreateFS(t, map[string]string{ - "data/data.json": `{ - "settings": { - "DS123":{ - "foo_bar_baz":false - } - } -}`, - "data/junk.txt": "this file should be ignored", - }) - - scanner := NewScanner(types.SourceJSON) - scanner.SetDataFilesystem(dataFS) - scanner.SetDataDirs(".") - - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{}) - require.NoError(t, err) - - assert.Equal(t, 1, len(results.GetFailed())) - assert.Equal(t, 0, len(results.GetPassed())) - assert.Equal(t, 0, len(results.GetIgnored())) -} - -func Test_RegoScanning_InvalidFS(t *testing.T) { - srcFS := CreateFS(t, map[string]string{ - "policies/test.rego": ` -package defsec.test -import data.settings.DS123.foo_bar_baz - -deny { - not foo_bar_baz -} -`, - }) - - dataFS := CreateFS(t, map[string]string{ - "data/data.json": `{ - "settings": { - "DS123":{ - "foo_bar_baz":false - } - } -}`, - "data/junk.txt": "this file should be ignored", - }) - - scanner := NewScanner(types.SourceJSON) - scanner.SetDataFilesystem(dataFS) - scanner.SetDataDirs("X://") - - require.NoError( - t, - scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil), - ) - - results, err := scanner.ScanInput(context.TODO(), Input{}) - require.NoError(t, err) - - assert.Equal(t, 1, len(results.GetFailed())) - assert.Equal(t, 0, len(results.GetPassed())) - 
assert.Equal(t, 0, len(results.GetIgnored()))
-}
diff --git a/pkg/rego/schemas/00_schema.go b/pkg/rego/schemas/00_schema.go
deleted file mode 100644
index e6674912..00000000
--- a/pkg/rego/schemas/00_schema.go
+++ /dev/null
@@ -1,22 +0,0 @@
-package schemas
-
-import _ "embed"
-
-type Schema string
-
-var (
- None Schema = ""
- Anything Schema = `{}`
-
- //go:embed dockerfile.json
- Dockerfile Schema
-
- //go:embed kubernetes.json
- Kubernetes Schema
-
- //go:embed rbac.json
- RBAC Schema
-
- //go:embed cloud.json
- Cloud Schema
-)
diff --git a/pkg/rego/schemas/builder.go b/pkg/rego/schemas/builder.go
deleted file mode 100644
index 11b37d11..00000000
--- a/pkg/rego/schemas/builder.go
+++ /dev/null
@@ -1,270 +0,0 @@
-package schemas
-
-import (
- "fmt"
- "reflect"
- "strings"
-
- "github.com/aquasecurity/defsec/pkg/rego/convert"
- "github.com/aquasecurity/defsec/pkg/state"
-)
-
-type RawSchema struct {
- Type string `json:"type"` // object
- Properties map[string]Property `json:"properties,omitempty"`
- Defs map[string]*Property `json:"definitions,omitempty"`
-}
-
-type Property struct {
- Type string `json:"type,omitempty"`
- Ref string `json:"$ref,omitempty"`
- Properties map[string]Property `json:"properties,omitempty"`
- Items *Property `json:"items,omitempty"`
-}
-
-type builder struct {
- schema RawSchema
-}
-
-func Build() (*RawSchema, error) {
-
- b := newBuilder()
-
- inputValue := reflect.ValueOf(state.State{})
-
- err := b.fromInput(inputValue)
- if err != nil {
- return nil, err
- }
-
- return &b.schema, nil
-}
-
-func newBuilder() *builder {
- return &builder{
- schema: RawSchema{
- Properties: nil,
- Defs: nil,
- },
- }
-}
-
-func (b *builder) fromInput(inputValue reflect.Value) error {
-
- prop, err := b.readProperty("", nil, inputValue.Type(), 0)
- if err != nil {
- return err
- }
- if prop == nil {
- return fmt.Errorf("property is nil")
- }
- b.schema.Properties = prop.Properties
- b.schema.Type = prop.Type
- return nil
-}
-
-func refName(name string, parent, t reflect.Type) string {
- if t.Name() == "" { // inline struct
- return sanitise(parent.PkgPath() + "." + parent.Name() + "." + name)
- }
- return sanitise(t.PkgPath() + "."
+ t.Name())
-}
-
-func sanitise(s string) string {
- return strings.ReplaceAll(s, "/", ".")
-}
-
-func (b *builder) readProperty(name string, parent, inputType reflect.Type, indent int) (*Property, error) {
-
- if inputType.Kind() == reflect.Ptr {
- inputType = inputType.Elem()
- }
-
- switch inputType.String() {
- case "types.Metadata", "types.Range", "types.Reference":
- return nil, nil
- }
-
- if b.schema.Defs != nil {
- _, ok := b.schema.Defs[refName(name, parent, inputType)]
- if ok {
- return &Property{
- Type: "object",
- Ref: "#/definitions/" + refName(name, parent, inputType),
- }, nil
- }
- }
-
- fmt.Println(strings.Repeat(" ", indent) + name)
-
- switch kind := inputType.Kind(); kind {
- case reflect.Struct:
- return b.readStruct(name, parent, inputType, indent)
- case reflect.Slice:
- return b.readSlice(name, parent, inputType, indent)
- case reflect.String:
- return &Property{
- Type: "string",
- }, nil
- case reflect.Int:
- return &Property{
- Type: "integer",
- }, nil
- case reflect.Bool:
- return &Property{
- Type: "boolean",
- }, nil
- case reflect.Float32, reflect.Float64:
- return &Property{
- Type: "number",
- }, nil
- }
-
- switch inputType.Name() {
- case "BoolValue":
- return &Property{
- Type: "object",
- Properties: map[string]Property{
- "value": {
- Type: "boolean",
- },
- },
- }, nil
- case "IntValue":
- return &Property{
- Type: "object",
- Properties: map[string]Property{
- "value": {
- Type: "integer",
- },
- },
- }, nil
- case "StringValue", "TimeValue", "BytesValue":
- return &Property{
- Type: "object",
- Properties: map[string]Property{
- "value": {
- Type: "string",
- },
- },
- }, nil
- case "MapValue":
- return &Property{
- Type: "object",
- Properties: map[string]Property{
- "value": {
- Type: "object",
- },
- },
- }, nil
-
- }
-
- fmt.Printf("WARNING: unsupported type: %s (%s)\n", inputType.Name(), inputType)
- return nil, nil
-}
-
-var converterInterface = reflect.TypeOf((*convert.Converter)(nil)).Elem()
-
-func (b *builder)
readStruct(name string, parent, inputType reflect.Type, indent int) (*Property, error) {
-
- if b.schema.Defs == nil {
- b.schema.Defs = map[string]*Property{}
- }
-
- def := &Property{
- Type: "object",
- Properties: map[string]Property{},
- }
-
- if parent != nil {
- b.schema.Defs[refName(name, parent, inputType)] = def
- }
-
- if inputType.Implements(converterInterface) {
- if inputType.Kind() == reflect.Ptr {
- inputType = inputType.Elem()
- }
- returns := reflect.New(inputType).MethodByName("ToRego").Call(nil)
- if err := b.readRego(def, name, parent, returns[0].Type(), returns[0].Interface(), indent); err != nil {
- return nil, err
- }
- } else {
-
- for i := 0; i < inputType.NumField(); i++ {
- field := inputType.Field(i)
- prop, err := b.readProperty(field.Name, inputType, field.Type, indent+1)
- if err != nil {
- return nil, err
- }
- if prop == nil {
- continue
- }
- key := strings.ToLower(field.Name)
- if key == "metadata" {
- continue
- }
- def.Properties[key] = *prop
- }
- }
-
- if parent == nil {
- return def, nil
- }
-
- return &Property{
- Type: "object",
- Ref: "#/definitions/" + refName(name, parent, inputType),
- }, nil
-}
-
-func (b *builder) readSlice(name string, parent, inputType reflect.Type, indent int) (*Property, error) {
-
- items, err := b.readProperty(name, parent, inputType.Elem(), indent+1)
- if err != nil {
- return nil, err
- }
-
- prop := &Property{
- Type: "array",
- Items: items,
- }
- return prop, nil
-}
-
-func (b *builder) readRego(def *Property, name string, parent reflect.Type, typ reflect.Type, raw interface{}, indent int) error {
-
- switch cast := raw.(type) {
- case map[string]interface{}:
- def.Type = "object"
- for k, v := range cast {
- child := &Property{
- Properties: map[string]Property{},
- }
- if err := b.readRego(child, k, reflect.TypeOf(raw), reflect.TypeOf(v), v, indent+1); err != nil {
- return err
- }
- def.Properties[k] = *child
- }
- case map[string]string:
- def.Type = "object"
- for k, v := range cast {
- child := &Property{
- Properties: map[string]Property{},
- }
- if err := b.readRego(child, k, reflect.TypeOf(raw), reflect.TypeOf(v), v, indent+1); err != nil {
- return err
- }
- def.Properties[k] = *child
- }
- default:
- prop, err := b.readProperty(name, parent, typ, indent)
- if err != nil {
- return err
- }
- *def = *prop
- }
-
- return nil
-
-}
diff --git a/pkg/rego/schemas/cloud.json b/pkg/rego/schemas/cloud.json
deleted file mode 100644
index 2ebadef6..00000000
--- a/pkg/rego/schemas/cloud.json
+++ /dev/null
@@ -1,6830 +0,0 @@ -{ - "type": "object", - "properties": { - "aws": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.AWS" - }, - "azure": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.Azure" - }, - "cloudstack": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.cloudstack.CloudStack" - }, - "digitalocean": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.digitalocean.DigitalOcean" - }, - "github": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.github.GitHub" - }, - "google": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.Google" - }, - "kubernetes": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.kubernetes.Kubernetes" - }, - "nifcloud": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.Nifcloud" - }, - "openstack": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.openstack.OpenStack" - }, - "oracle": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.oracle.Oracle" - } - }, - "definitions": { - "github.com.aquasecurity.defsec.pkg.providers.aws.AWS": { - "type": "object", - "properties": { - "accessanalyzer": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.accessanalyzer.AccessAnalyzer" - }, - "apigateway": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.APIGateway" - }, - "athena": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.athena.Athena" - }, - "cloudfront": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.cloudfront.Cloudfront" - }, - "cloudtrail": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.cloudtrail.CloudTrail" - }, - "cloudwatch": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.cloudwatch.CloudWatch" - }, - "codebuild": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.codebuild.CodeBuild" - }, - "config": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.config.Config" - }, - "documentdb": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.documentdb.DocumentDB" - }, - "dynamodb": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.dynamodb.DynamoDB" - }, - "ec2": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.EC2" - }, - "ecr": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ecr.ECR" - }, - "ecs": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ecs.ECS" - }, - "efs": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.efs.EFS" - }, - "eks": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.eks.EKS" - }, - "elasticache": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.elasticache.ElastiCache" - }, - "elasticsearch": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.elasticsearch.Elasticsearch" - }, - "elb": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.elb.ELB" - }, - "emr": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.emr.EMR" - }, - "iam": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.IAM" - }, - "kinesis": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.kinesis.Kinesis" - }, - "kms": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.kms.KMS" - }, - "lambda": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.lambda.Lambda" - }, - "meta": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.Meta" - }, - "mq": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.mq.MQ" - }, - "msk": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.msk.MSK" - }, - "neptune": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.neptune.Neptune" - }, - "rds": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.rds.RDS" - }, - "redshift": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.redshift.Redshift" - }, - "s3": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.s3.S3" - }, - "sam": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sam.SAM" - }, - "sns": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sns.SNS" - }, - "sqs": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sqs.SQS" - }, - "ssm": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ssm.SSM" - }, - "workspaces": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.workspaces.WorkSpaces" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.AssumeRole": { - "type": "object", - "properties": { - "duration": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "externalid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "policy": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "policyarns": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "rolearn": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "sessionname": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "sourceidentity": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "tags": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.MapValue" - }, - "transitivetagkeys": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.AssumeRoleWithWebIdentity": { - "type": "object", - "properties": { - "duration": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "policy": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "policyarns": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "rolearn": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "sessionname": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "webidentitytoken": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "webidentitytokenfile": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.DefaultTags": { - "type": "object", - "properties": { - "tags": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.MapValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.IgnoreTags": { - "type": "object", - "properties": { - "keyprefixes": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "keys": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.Meta": { - "type": "object", - "properties": { - "tfproviders": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.TerraformProvider" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.TerraformProvider": { - "type": "object", - "properties": { - "accesskey": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "alias": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "allowedaccountsids": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "assumerole": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.AssumeRole" - }, - "assumerolewithwebidentity": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.AssumeRoleWithWebIdentity" - }, - "customcabundle": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "defaulttags": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.DefaultTags" - }, - "ec2metadataserviceendpoint": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "ec2metadataserviceendpointmode": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "endpoints": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.MapValue" - }, - "forbiddenaccountids": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "httpproxy": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "ignoretags": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.IgnoreTags" - }, - "insecure": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "maxretries": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - }, - "profile": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "region": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "retrymode": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "s3useast1regionalendpoint": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "s3usepathstyle": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "secretkey": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "sharedconfigfiles": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "sharedcredentialsfiles": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "skipcredentialsvalidation": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "skipmetadataapicheck": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "skipregionvalidation": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "skiprequestingaccountid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "stsregion": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "token": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "usedualstackendpoint": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "usefipsendpoint": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "version": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.accessanalyzer.AccessAnalyzer": { - "type": "object", - "properties": { - "analyzers": { - "type": "array", - "items": { - "type": "object", - 
"$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.accessanalyzer.Analyzer" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.accessanalyzer.Analyzer": { - "type": "object", - "properties": { - "active": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "arn": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "findings": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.accessanalyzer.Findings" - } - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.accessanalyzer.Findings": { - "type": "object" - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.APIGateway": { - "type": "object", - "properties": { - "v1": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v1.APIGateway" - }, - "v2": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v2.APIGateway" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v1.API": { - "type": "object", - "properties": { - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "resources": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v1.Resource" - } - }, - "stages": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v1.Stage" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v1.APIGateway": { - "type": "object", - "properties": { - "apis": { - "type": "array", - 
"items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v1.API" - } - }, - "domainnames": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v1.DomainName" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v1.AccessLogging": { - "type": "object", - "properties": { - "cloudwatchloggrouparn": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v1.DomainName": { - "type": "object", - "properties": { - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "securitypolicy": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v1.Method": { - "type": "object", - "properties": { - "apikeyrequired": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "authorizationtype": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "httpmethod": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v1.RESTMethodSettings": { - "type": "object", - "properties": { - "cachedataencrypted": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "cacheenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "method": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - 
"github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v1.Resource": { - "type": "object", - "properties": { - "methods": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v1.Method" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v1.Stage": { - "type": "object", - "properties": { - "accesslogging": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v1.AccessLogging" - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "restmethodsettings": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v1.RESTMethodSettings" - } - }, - "xraytracingenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v2.API": { - "type": "object", - "properties": { - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "protocoltype": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "stages": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v2.Stage" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v2.APIGateway": { - "type": "object", - "properties": { - "apis": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v2.API" - } - }, - "domainnames": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v2.DomainName" - } - } 
- } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v2.AccessLogging": { - "type": "object", - "properties": { - "cloudwatchloggrouparn": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v2.DomainName": { - "type": "object", - "properties": { - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "securitypolicy": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v2.Stage": { - "type": "object", - "properties": { - "accesslogging": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.apigateway.v2.AccessLogging" - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.athena.Athena": { - "type": "object", - "properties": { - "databases": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.athena.Database" - } - }, - "workgroups": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.athena.Workgroup" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.athena.Database": { - "type": "object", - "properties": { - "encryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.athena.EncryptionConfiguration" - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.athena.EncryptionConfiguration": { - "type": "object", - "properties": { - 
"type": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.athena.Workgroup": { - "type": "object", - "properties": { - "encryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.athena.EncryptionConfiguration" - }, - "enforceconfiguration": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.cloudfront.CacheBehaviour": { - "type": "object", - "properties": { - "viewerprotocolpolicy": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.cloudfront.Cloudfront": { - "type": "object", - "properties": { - "distributions": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.cloudfront.Distribution" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.cloudfront.Distribution": { - "type": "object", - "properties": { - "defaultcachebehaviour": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.cloudfront.CacheBehaviour" - }, - "logging": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.cloudfront.Logging" - }, - "orderercachebehaviours": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.cloudfront.CacheBehaviour" - } - }, - "viewercertificate": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.cloudfront.ViewerCertificate" - }, - "wafid": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.cloudfront.Logging": { - "type": "object", - "properties": { - "bucket": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.cloudfront.ViewerCertificate": { - "type": "object", - "properties": { - "cloudfrontdefaultcertificate": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "minimumprotocolversion": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "sslsupportmethod": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.cloudtrail.CloudTrail": { - "type": "object", - "properties": { - "trails": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.cloudtrail.Trail" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.cloudtrail.DataResource": { - "type": "object", - "properties": { - "type": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "values": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.cloudtrail.EventSelector": { - "type": "object", - "properties": { - "dataresources": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.cloudtrail.DataResource" - } - }, - "readwritetype": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - 
"github.com.aquasecurity.defsec.pkg.providers.aws.cloudtrail.Trail": { - "type": "object", - "properties": { - "bucketname": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "cloudwatchlogsloggrouparn": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "enablelogfilevalidation": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "eventselectors": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.cloudtrail.EventSelector" - } - }, - "islogging": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "ismultiregion": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "kmskeyid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.cloudwatch.Alarm": { - "type": "object", - "properties": { - "alarmname": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "dimensions": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.cloudwatch.AlarmDimension" - } - }, - "metricname": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "metrics": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.cloudwatch.MetricDataQuery" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.cloudwatch.AlarmDimension": { - "type": "object", - 
"properties": { - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "value": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.cloudwatch.CloudWatch": { - "type": "object", - "properties": { - "alarms": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.cloudwatch.Alarm" - } - }, - "loggroups": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.cloudwatch.LogGroup" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.cloudwatch.LogGroup": { - "type": "object", - "properties": { - "arn": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "kmskeyid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "metricfilters": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.cloudwatch.MetricFilter" - } - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "retentionindays": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.cloudwatch.MetricDataQuery": { - "type": "object", - "properties": { - "expression": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "id": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.cloudwatch.MetricFilter": { - "type": "object", - "properties": { - "filtername": { 
- "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "filterpattern": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.codebuild.ArtifactSettings": { - "type": "object", - "properties": { - "encryptionenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.codebuild.CodeBuild": { - "type": "object", - "properties": { - "projects": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.codebuild.Project" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.codebuild.Project": { - "type": "object", - "properties": { - "artifactsettings": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.codebuild.ArtifactSettings" - }, - "secondaryartifactsettings": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.codebuild.ArtifactSettings" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.config.Config": { - "type": "object", - "properties": { - "configurationaggregrator": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.config.ConfigurationAggregrator" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.config.ConfigurationAggregrator": { - "type": "object", - "properties": { - "sourceallregions": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.documentdb.Cluster": { - "type": "object", - "properties": { - "backupretentionperiod": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - }, - "enabledlogexports": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "identifier": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "instances": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.documentdb.Instance" - } - }, - "kmskeyid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "storageencrypted": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.documentdb.DocumentDB": { - "type": "object", - "properties": { - "clusters": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.documentdb.Cluster" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.documentdb.Instance": { - "type": "object", - "properties": { - "kmskeyid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.dynamodb.DAXCluster": { - "type": "object", - "properties": { - "pointintimerecovery": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "serversideencryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.dynamodb.ServerSideEncryption" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.dynamodb.DynamoDB": { - "type": "object", - "properties": { - "daxclusters": { - "type": "array", - "items": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.dynamodb.DAXCluster" - } - }, - "tables": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.dynamodb.Table" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.dynamodb.ServerSideEncryption": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "kmskeyid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.dynamodb.Table": { - "type": "object", - "properties": { - "pointintimerecovery": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "serversideencryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.dynamodb.ServerSideEncryption" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ec2.BlockDevice": { - "type": "object", - "properties": { - "encrypted": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ec2.EC2": { - "type": "object", - "properties": { - "instances": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.Instance" - } - }, - "launchconfigurations": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.LaunchConfiguration" - } - }, - "launchtemplates": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.LaunchTemplate" - } - }, - "networkacls": { - "type": "array", - "items": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.NetworkACL" - } - }, - "securitygroups": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.SecurityGroup" - } - }, - "subnets": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.Subnet" - } - }, - "volumes": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.Volume" - } - }, - "vpcs": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.VPC" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ec2.Encryption": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "kmskeyid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ec2.Instance": { - "type": "object", - "properties": { - "ebsblockdevices": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.BlockDevice" - } - }, - "metadataoptions": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.MetadataOptions" - }, - "rootblockdevice": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.BlockDevice" - }, - "securitygroups": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.SecurityGroup" - } - }, - "userdata": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - 
"github.com.aquasecurity.defsec.pkg.providers.aws.ec2.LaunchConfiguration": { - "type": "object", - "properties": { - "associatepublicip": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "ebsblockdevices": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.BlockDevice" - } - }, - "metadataoptions": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.MetadataOptions" - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "rootblockdevice": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.BlockDevice" - }, - "userdata": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ec2.LaunchTemplate": { - "type": "object", - "properties": { - "instance": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.Instance" - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ec2.MetadataOptions": { - "type": "object", - "properties": { - "httpendpoint": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "httptokens": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ec2.NetworkACL": { - "type": "object", - "properties": { - "isdefaultrule": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "rules": { - "type": "array", - "items": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.NetworkACLRule" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ec2.NetworkACLRule": { - "type": "object", - "properties": { - "action": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "cidrs": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "protocol": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "type": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ec2.SecurityGroup": { - "type": "object", - "properties": { - "description": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "egressrules": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.SecurityGroupRule" - } - }, - "ingressrules": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.SecurityGroupRule" - } - }, - "isdefault": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "vpcid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ec2.SecurityGroupRule": { - "type": "object", - "properties": { - "cidrs": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "description": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - 
"github.com.aquasecurity.defsec.pkg.providers.aws.ec2.Subnet": { - "type": "object", - "properties": { - "mappubliciponlaunch": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ec2.VPC": { - "type": "object", - "properties": { - "flowlogsenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "id": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "isdefault": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "securitygroups": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.SecurityGroup" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ec2.Volume": { - "type": "object", - "properties": { - "encryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ec2.Encryption" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ecr.ECR": { - "type": "object", - "properties": { - "repositories": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ecr.Repository" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ecr.Encryption": { - "type": "object", - "properties": { - "kmskeyid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "type": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ecr.ImageScanning": { - "type": "object", - "properties": { - "scanonpush": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } 
- }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ecr.Repository": { - "type": "object", - "properties": { - "encryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ecr.Encryption" - }, - "imagescanning": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ecr.ImageScanning" - }, - "imagetagsimmutable": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "policies": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.Policy" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ecs.Cluster": { - "type": "object", - "properties": { - "settings": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ecs.ClusterSettings" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ecs.ClusterSettings": { - "type": "object", - "properties": { - "containerinsightsenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ecs.ContainerDefinition": { - "type": "object", - "properties": { - "cpu": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - }, - "environment": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ecs.EnvVar" - } - }, - "essential": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "image": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "memory": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - }, - "name": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "portmappings": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ecs.PortMapping" - } - }, - "privileged": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ecs.ECS": { - "type": "object", - "properties": { - "clusters": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ecs.Cluster" - } - }, - "taskdefinitions": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ecs.TaskDefinition" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ecs.EFSVolumeConfiguration": { - "type": "object", - "properties": { - "transitencryptionenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ecs.EnvVar": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "value": { - "type": "string" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ecs.PortMapping": { - "type": "object", - "properties": { - "containerport": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - }, - "hostport": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ecs.TaskDefinition": { - "type": "object", - "properties": { - "containerdefinitions": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ecs.ContainerDefinition" - } - }, - "volumes": { - "type": "array", - "items": { - "type": "object", 
- "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ecs.Volume" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ecs.Volume": { - "type": "object", - "properties": { - "efsvolumeconfiguration": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ecs.EFSVolumeConfiguration" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.efs.EFS": { - "type": "object", - "properties": { - "filesystems": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.efs.FileSystem" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.efs.FileSystem": { - "type": "object", - "properties": { - "encrypted": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.eks.Cluster": { - "type": "object", - "properties": { - "encryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.eks.Encryption" - }, - "logging": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.eks.Logging" - }, - "publicaccesscidrs": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "publicaccessenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.eks.EKS": { - "type": "object", - "properties": { - "clusters": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.eks.Cluster" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.eks.Encryption": { - "type": "object", - "properties": { - "kmskeyid": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "secrets": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.eks.Logging": { - "type": "object", - "properties": { - "api": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "audit": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "authenticator": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "controllermanager": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "scheduler": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.elasticache.Cluster": { - "type": "object", - "properties": { - "engine": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "nodetype": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "snapshotretentionlimit": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.elasticache.ElastiCache": { - "type": "object", - "properties": { - "clusters": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.elasticache.Cluster" - } - }, - "replicationgroups": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.elasticache.ReplicationGroup" - } - }, - "securitygroups": { - "type": "array", - "items": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.elasticache.SecurityGroup" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.elasticache.ReplicationGroup": { - "type": "object", - "properties": { - "atrestencryptionenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "transitencryptionenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.elasticache.SecurityGroup": { - "type": "object", - "properties": { - "description": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.elasticsearch.AtRestEncryption": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "kmskeyid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.elasticsearch.Domain": { - "type": "object", - "properties": { - "accesspolicies": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "atrestencryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.elasticsearch.AtRestEncryption" - }, - "dedicatedmasterenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "domainname": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "endpoint": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.elasticsearch.Endpoint" - }, - "logpublishing": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.elasticsearch.LogPublishing" - }, - "servicesoftwareoptions": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.elasticsearch.ServiceSoftwareOptions" - }, - "transitencryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.elasticsearch.TransitEncryption" - }, - "vpcid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.elasticsearch.Elasticsearch": { - "type": "object", - "properties": { - "domains": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.elasticsearch.Domain" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.elasticsearch.Endpoint": { - "type": "object", - "properties": { - "enforcehttps": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "tlspolicy": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.elasticsearch.LogPublishing": { - "type": "object", - "properties": { - "auditenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "cloudwatchloggrouparn": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.elasticsearch.ServiceSoftwareOptions": { - "type": "object", - "properties": { - "currentversion": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "newversion": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - 
"updateavailable": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "updatestatus": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.elasticsearch.TransitEncryption": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.elb.Action": { - "type": "object", - "properties": { - "type": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.elb.ELB": { - "type": "object", - "properties": { - "loadbalancers": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.elb.LoadBalancer" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.elb.Listener": { - "type": "object", - "properties": { - "defaultactions": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.elb.Action" - } - }, - "protocol": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "tlspolicy": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.elb.LoadBalancer": { - "type": "object", - "properties": { - "dropinvalidheaderfields": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "internal": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "listeners": { - "type": "array", - "items": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.elb.Listener" - } - }, - "type": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.emr.Cluster": { - "type": "object", - "properties": { - "settings": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.emr.ClusterSettings" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.emr.ClusterSettings": { - "type": "object", - "properties": { - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "releaselabel": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "servicerole": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.emr.EMR": { - "type": "object", - "properties": { - "clusters": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.emr.Cluster" - } - }, - "securityconfiguration": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.emr.SecurityConfiguration" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.emr.SecurityConfiguration": { - "type": "object", - "properties": { - "configuration": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.iam.AccessKey": { - "type": "object", - "properties": { - "accesskeyid": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "active": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "creationdate": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.TimeValue" - }, - "lastaccess": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.TimeValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.iam.Document": { - "type": "object", - "properties": { - "endline": { - "type": "integer" - }, - "explicit": { - "type": "boolean" - }, - "filepath": { - "type": "string" - }, - "fskey": { - "type": "string" - }, - "managed": { - "type": "boolean" - }, - "startline": { - "type": "integer" - }, - "value": { - "type": "string" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.iam.Group": { - "type": "object", - "properties": { - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "policies": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.Policy" - } - }, - "users": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.User" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.iam.IAM": { - "type": "object", - "properties": { - "groups": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.Group" - } - }, - "passwordpolicy": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.PasswordPolicy" - }, - "policies": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.Policy" - } - }, - "roles": { - "type": "array", - "items": { - 
"type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.Role" - } - }, - "servercertificates": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.ServerCertificate" - } - }, - "users": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.User" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.iam.MFADevice": { - "type": "object", - "properties": { - "isvirtual": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.iam.PasswordPolicy": { - "type": "object", - "properties": { - "maxagedays": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - }, - "minimumlength": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - }, - "requirelowercase": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "requirenumbers": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "requiresymbols": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "requireuppercase": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "reusepreventioncount": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.iam.Policy": { - "type": "object", - "properties": { - "builtin": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "document": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.Document" - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.iam.Role": { - "type": "object", - "properties": { - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "policies": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.Policy" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.iam.ServerCertificate": { - "type": "object", - "properties": { - "expiration": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.TimeValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.iam.User": { - "type": "object", - "properties": { - "accesskeys": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.AccessKey" - } - }, - "groups": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.Group" - } - }, - "lastaccess": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.TimeValue" - }, - "mfadevices": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.MFADevice" - } - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "policies": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.Policy" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.kinesis.Encryption": { - "type": "object", - "properties": { - "kmskeyid": { - "type": "object", - 
"$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "type": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.kinesis.Kinesis": { - "type": "object", - "properties": { - "streams": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.kinesis.Stream" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.kinesis.Stream": { - "type": "object", - "properties": { - "encryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.kinesis.Encryption" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.kms.KMS": { - "type": "object", - "properties": { - "keys": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.kms.Key" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.kms.Key": { - "type": "object", - "properties": { - "rotationenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "usage": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.lambda.Function": { - "type": "object", - "properties": { - "permissions": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.lambda.Permission" - } - }, - "tracing": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.lambda.Tracing" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.lambda.Lambda": { - "type": "object", - "properties": { - "functions": { - "type": "array", - "items": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.lambda.Function" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.lambda.Permission": { - "type": "object", - "properties": { - "principal": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "sourcearn": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.lambda.Tracing": { - "type": "object", - "properties": { - "mode": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.mq.Broker": { - "type": "object", - "properties": { - "logging": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.mq.Logging" - }, - "publicaccess": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.mq.Logging": { - "type": "object", - "properties": { - "audit": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "general": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.mq.MQ": { - "type": "object", - "properties": { - "brokers": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.mq.Broker" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.msk.BrokerLogging": { - "type": "object", - "properties": { - "cloudwatch": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.msk.CloudwatchLogging" - }, - "firehose": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.msk.FirehoseLogging" - }, - "s3": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.msk.S3Logging" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.msk.CloudwatchLogging": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.msk.Cluster": { - "type": "object", - "properties": { - "encryptionatrest": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.msk.EncryptionAtRest" - }, - "encryptionintransit": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.msk.EncryptionInTransit" - }, - "logging": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.msk.Logging" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.msk.EncryptionAtRest": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "kmskeyarn": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.msk.EncryptionInTransit": { - "type": "object", - "properties": { - "clientbroker": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.msk.FirehoseLogging": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.msk.Logging": { - "type": "object", - "properties": { - "broker": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.msk.BrokerLogging" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.msk.MSK": { - "type": "object", - "properties": { - "clusters": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.msk.Cluster" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.msk.S3Logging": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.neptune.Cluster": { - "type": "object", - "properties": { - "kmskeyid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "logging": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.neptune.Logging" - }, - "storageencrypted": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.neptune.Logging": { - "type": "object", - "properties": { - "audit": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.neptune.Neptune": { - "type": "object", - "properties": { - "clusters": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.neptune.Cluster" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.rds.Classic": { - "type": "object", - "properties": { - "dbsecuritygroups": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.rds.DBSecurityGroup" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.rds.Cluster": { - "type": "object", 
- "properties": { - "availabilityzones": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "backupretentionperioddays": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - }, - "deletionprotection": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "encryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.rds.Encryption" - }, - "engine": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "instances": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.rds.ClusterInstance" - } - }, - "latestrestorabletime": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.TimeValue" - }, - "performanceinsights": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.rds.PerformanceInsights" - }, - "publicaccess": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "replicationsourcearn": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "skipfinalsnapshot": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.rds.ClusterInstance": { - "type": "object", - "properties": { - "clusteridentifier": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "instance": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.rds.Instance" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.rds.DBParameterGroupsList": 
{ - "type": "object", - "properties": { - "dbparametergroupname": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "kmskeyid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.rds.DBSecurityGroup": { - "type": "object" - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.rds.DBSnapshotAttributes": { - "type": "object", - "properties": { - "attributevalues": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.rds.Encryption": { - "type": "object", - "properties": { - "encryptstorage": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "kmskeyid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.rds.Instance": { - "type": "object", - "properties": { - "autominorversionupgrade": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "backupretentionperioddays": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - }, - "dbinstancearn": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "dbinstanceidentifier": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "dbparametergroups": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.rds.DBParameterGroupsList" - } - }, - "deletionprotection": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - 
"enabledcloudwatchlogsexports": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "encryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.rds.Encryption" - }, - "engine": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "engineversion": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "iamauthenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "latestrestorabletime": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.TimeValue" - }, - "multiaz": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "performanceinsights": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.rds.PerformanceInsights" - }, - "publicaccess": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "publiclyaccessible": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "readreplicadbinstanceidentifiers": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "replicationsourcearn": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "storageencrypted": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "taglist": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.rds.TagList" - } - } - } - }, - 
"github.com.aquasecurity.defsec.pkg.providers.aws.rds.ParameterGroups": { - "type": "object", - "properties": { - "dbparametergroupfamily": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "dbparametergroupname": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "parameters": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.rds.Parameters" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.rds.Parameters": { - "type": "object", - "properties": { - "parametername": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "parametervalue": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.rds.PerformanceInsights": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "kmskeyid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.rds.RDS": { - "type": "object", - "properties": { - "classic": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.rds.Classic" - }, - "clusters": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.rds.Cluster" - } - }, - "instances": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.rds.Instance" - } - }, - "parametergroups": { - "type": "array", - "items": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.rds.ParameterGroups" - } - }, - "snapshots": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.rds.Snapshots" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.rds.Snapshots": { - "type": "object", - "properties": { - "dbsnapshotarn": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "dbsnapshotidentifier": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "encrypted": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "kmskeyid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "snapshotattributes": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.rds.DBSnapshotAttributes" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.rds.TagList": { - "type": "object" - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.redshift.Cluster": { - "type": "object", - "properties": { - "allowversionupgrade": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "automatedsnapshotretentionperiod": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - }, - "clusteridentifier": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "encryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.redshift.Encryption" - }, - "endpoint": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.redshift.EndPoint" - }, - "loggingenabled": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "masterusername": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "nodetype": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "numberofnodes": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - }, - "publiclyaccessible": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "subnetgroupname": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "vpcid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.redshift.ClusterParameter": { - "type": "object", - "properties": { - "parametername": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "parametervalue": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.redshift.Encryption": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "kmskeyid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.redshift.EndPoint": { - "type": "object", - "properties": { - "port": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.redshift.Redshift": { - "type": "object", - "properties": { - "clusterparameters": { - "type": "array", - "items": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.redshift.ClusterParameter" - } - }, - "clusters": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.redshift.Cluster" - } - }, - "reservednodes": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.redshift.ReservedNode" - } - }, - "securitygroups": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.redshift.SecurityGroup" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.redshift.ReservedNode": { - "type": "object", - "properties": { - "nodetype": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.redshift.SecurityGroup": { - "type": "object", - "properties": { - "description": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.s3.Bucket": { - "type": "object", - "properties": { - "accelerateconfigurationstatus": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "acl": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "bucketlocation": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "bucketpolicies": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.Policy" - } - }, - "encryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.s3.Encryption" - }, - "lifecycleconfiguration": { - "type": "array", - "items": { - "type": "object", - 
"$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.s3.Rules" - } - }, - "logging": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.s3.Logging" - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "objects": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.s3.Contents" - } - }, - "publicaccessblock": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.s3.PublicAccessBlock" - }, - "versioning": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.s3.Versioning" - }, - "website": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.s3.Website" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.s3.Contents": { - "type": "object" - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.s3.Encryption": { - "type": "object", - "properties": { - "algorithm": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "kmskeyid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.s3.Logging": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "targetbucket": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.s3.PublicAccessBlock": { - "type": "object", - "properties": { - "blockpublicacls": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "blockpublicpolicy": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "ignorepublicacls": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "restrictpublicbuckets": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.s3.Rules": { - "type": "object", - "properties": { - "status": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.s3.S3": { - "type": "object", - "properties": { - "buckets": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.s3.Bucket" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.s3.Versioning": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "mfadelete": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.s3.Website": { - "type": "object" - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sam.API": { - "type": "object", - "properties": { - "accesslogging": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sam.AccessLogging" - }, - "domainconfiguration": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sam.DomainConfiguration" - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "restmethodsettings": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sam.RESTMethodSettings" - }, - "tracingenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sam.AccessLogging": { - "type": "object", - "properties": { - "cloudwatchloggrouparn": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sam.Application": { - "type": "object", - "properties": { - "location": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sam.Location" - }, - "locationpath": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sam.DomainConfiguration": { - "type": "object", - "properties": { - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "securitypolicy": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sam.Function": { - "type": "object", - "properties": { - "functionname": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "managedpolicies": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "policies": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.Policy" - } - }, - "tracing": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sam.HttpAPI": { - "type": "object", - 
"properties": { - "accesslogging": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sam.AccessLogging" - }, - "defaultroutesettings": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sam.RouteSettings" - }, - "domainconfiguration": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sam.DomainConfiguration" - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sam.Location": { - "type": "object", - "properties": { - "applicationid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "semanticversion": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sam.LoggingConfiguration": { - "type": "object", - "properties": { - "loggingenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sam.RESTMethodSettings": { - "type": "object", - "properties": { - "cachedataencrypted": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "datatraceenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "loggingenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "metricsenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sam.RouteSettings": { - "type": "object", - "properties": { - "datatraceenabled": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "detailedmetricsenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "loggingenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sam.SAM": { - "type": "object", - "properties": { - "apis": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sam.API" - } - }, - "applications": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sam.Application" - } - }, - "functions": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sam.Function" - } - }, - "httpapis": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sam.HttpAPI" - } - }, - "simpletables": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sam.SimpleTable" - } - }, - "statemachines": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sam.StateMachine" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sam.SSESpecification": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "kmsmasterkeyid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sam.SimpleTable": { - "type": "object", - "properties": { - "ssespecification": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sam.SSESpecification" - }, - "tablename": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sam.StateMachine": { - "type": "object", - "properties": { - "loggingconfiguration": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sam.LoggingConfiguration" - }, - "managedpolicies": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "policies": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.Policy" - } - }, - "tracing": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sam.TracingConfiguration" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sam.TracingConfiguration": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sns.Encryption": { - "type": "object", - "properties": { - "kmskeyid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sns.SNS": { - "type": "object", - "properties": { - "topics": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sns.Topic" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sns.Topic": { - "type": "object", - "properties": { - "arn": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "encryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sns.Encryption" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sqs.Encryption": { - "type": "object", - "properties": { - "kmskeyid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "managedencryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sqs.Queue": { - "type": "object", - "properties": { - "encryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sqs.Encryption" - }, - "policies": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.iam.Policy" - } - }, - "queueurl": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.sqs.SQS": { - "type": "object", - "properties": { - "queues": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.sqs.Queue" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ssm.SSM": { - "type": "object", - "properties": { - "secrets": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.ssm.Secret" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.ssm.Secret": { - "type": "object", - "properties": { - "kmskeyid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.workspaces.Encryption": { - "type": "object", - "properties": { - 
"enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.workspaces.Volume": { - "type": "object", - "properties": { - "encryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.workspaces.Encryption" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.workspaces.WorkSpace": { - "type": "object", - "properties": { - "rootvolume": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.workspaces.Volume" - }, - "uservolume": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.workspaces.Volume" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.aws.workspaces.WorkSpaces": { - "type": "object", - "properties": { - "workspaces": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.workspaces.WorkSpace" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.Azure": { - "type": "object", - "properties": { - "appservice": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.appservice.AppService" - }, - "authorization": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.authorization.Authorization" - }, - "compute": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.compute.Compute" - }, - "container": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.container.Container" - }, - "database": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.database.Database" - }, - "datafactory": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.datafactory.DataFactory" - }, - "datalake": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.datalake.DataLake" - }, - "keyvault": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.keyvault.KeyVault" - }, - "monitor": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.monitor.Monitor" - }, - "network": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.network.Network" - }, - "securitycenter": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.securitycenter.SecurityCenter" - }, - "storage": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.storage.Storage" - }, - "synapse": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.synapse.Synapse" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.appservice.AppService": { - "type": "object", - "properties": { - "functionapps": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.appservice.FunctionApp" - } - }, - "services": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.appservice.Service" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.appservice.FunctionApp": { - "type": "object", - "properties": { - "httpsonly": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.appservice.Service": { - "type": "object", - "properties": { - "authentication": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.appservice.Service.Authentication" - }, - "enableclientcert": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "identity": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.appservice.Service.Identity" - }, - "site": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.appservice.Service.Site" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.appservice.Service.Authentication": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.appservice.Service.Identity": { - "type": "object", - "properties": { - "type": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.appservice.Service.Site": { - "type": "object", - "properties": { - "enablehttp2": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "minimumtlsversion": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.authorization.Authorization": { - "type": "object", - "properties": { - "roledefinitions": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.authorization.RoleDefinition" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.authorization.Permission": { - "type": "object", - "properties": { - "actions": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - 
} - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.authorization.RoleDefinition": { - "type": "object", - "properties": { - "assignablescopes": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "permissions": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.authorization.Permission" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.compute.Compute": { - "type": "object", - "properties": { - "linuxvirtualmachines": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.compute.LinuxVirtualMachine" - } - }, - "manageddisks": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.compute.ManagedDisk" - } - }, - "windowsvirtualmachines": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.compute.WindowsVirtualMachine" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.compute.Encryption": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.compute.LinuxVirtualMachine": { - "type": "object", - "properties": { - "osprofilelinuxconfig": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.compute.OSProfileLinuxConfig" - }, - "virtualmachine": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.compute.VirtualMachine" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.compute.ManagedDisk": { - "type": "object", - "properties": { - "encryption": { - 
"type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.compute.Encryption" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.compute.OSProfileLinuxConfig": { - "type": "object", - "properties": { - "disablepasswordauthentication": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.compute.VirtualMachine": { - "type": "object", - "properties": { - "customdata": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.compute.WindowsVirtualMachine": { - "type": "object", - "properties": { - "virtualmachine": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.compute.VirtualMachine" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.container.AddonProfile": { - "type": "object", - "properties": { - "omsagent": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.container.OMSAgent" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.container.Container": { - "type": "object", - "properties": { - "kubernetesclusters": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.container.KubernetesCluster" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.container.KubernetesCluster": { - "type": "object", - "properties": { - "addonprofile": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.container.AddonProfile" - }, - "apiserverauthorizedipranges": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "enableprivatecluster": { - "type": 
"object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "networkprofile": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.container.NetworkProfile" - }, - "rolebasedaccesscontrol": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.container.RoleBasedAccessControl" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.container.NetworkProfile": { - "type": "object", - "properties": { - "networkpolicy": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.container.OMSAgent": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.container.RoleBasedAccessControl": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.database.Database": { - "type": "object", - "properties": { - "mariadbservers": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.database.MariaDBServer" - } - }, - "mssqlservers": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.database.MSSQLServer" - } - }, - "mysqlservers": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.database.MySQLServer" - } - }, - "postgresqlservers": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.database.PostgreSQLServer" - 
} - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.database.ExtendedAuditingPolicy": { - "type": "object", - "properties": { - "retentionindays": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.database.FirewallRule": { - "type": "object", - "properties": { - "endip": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "startip": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.database.MSSQLServer": { - "type": "object", - "properties": { - "extendedauditingpolicies": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.database.ExtendedAuditingPolicy" - } - }, - "securityalertpolicies": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.database.SecurityAlertPolicy" - } - }, - "server": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.database.Server" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.database.MariaDBServer": { - "type": "object", - "properties": { - "server": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.database.Server" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.database.MySQLServer": { - "type": "object", - "properties": { - "server": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.database.Server" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.database.PostgreSQLServer": { - "type": "object", - "properties": { - "config": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.database.PostgresSQLConfig" - }, - "server": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.database.Server" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.database.PostgresSQLConfig": { - "type": "object", - "properties": { - "connectionthrottling": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "logcheckpoints": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "logconnections": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.database.SecurityAlertPolicy": { - "type": "object", - "properties": { - "disabledalerts": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "emailaccountadmins": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "emailaddresses": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.database.Server": { - "type": "object", - "properties": { - "enablepublicnetworkaccess": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "enablesslenforcement": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "firewallrules": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.database.FirewallRule" - } - }, - "minimumtlsversion": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.datafactory.DataFactory": { - "type": "object", - "properties": { - "datafactories": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.datafactory.Factory" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.datafactory.Factory": { - "type": "object", - "properties": { - "enablepublicnetwork": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.datalake.DataLake": { - "type": "object", - "properties": { - "stores": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.datalake.Store" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.datalake.Store": { - "type": "object", - "properties": { - "enableencryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.keyvault.Key": { - "type": "object", - "properties": { - "expirydate": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.TimeValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.keyvault.KeyVault": { - "type": "object", - "properties": { - "vaults": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.keyvault.Vault" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.keyvault.NetworkACLs": { - "type": "object", - "properties": { - "defaultaction": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - 
"github.com.aquasecurity.defsec.pkg.providers.azure.keyvault.Secret": { - "type": "object", - "properties": { - "contenttype": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "expirydate": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.TimeValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.keyvault.Vault": { - "type": "object", - "properties": { - "enablepurgeprotection": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "keys": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.keyvault.Key" - } - }, - "networkacls": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.keyvault.NetworkACLs" - }, - "secrets": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.keyvault.Secret" - } - }, - "softdeleteretentiondays": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.monitor.LogProfile": { - "type": "object", - "properties": { - "categories": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "locations": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "retentionpolicy": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.monitor.RetentionPolicy" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.monitor.Monitor": { - "type": "object", - "properties": { - "logprofiles": { - "type": "array", - "items": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.monitor.LogProfile" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.monitor.RetentionPolicy": { - "type": "object", - "properties": { - "days": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - }, - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.network.Network": { - "type": "object", - "properties": { - "networkwatcherflowlogs": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.network.NetworkWatcherFlowLog" - } - }, - "securitygroups": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.network.SecurityGroup" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.network.NetworkWatcherFlowLog": { - "type": "object", - "properties": { - "retentionpolicy": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.network.RetentionPolicy" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.network.PortRange": { - "type": "object", - "properties": { - "end": { - "type": "integer" - }, - "start": { - "type": "integer" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.network.RetentionPolicy": { - "type": "object", - "properties": { - "days": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - }, - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.network.SecurityGroup": { - "type": "object", - "properties": { - "rules": { - "type": "array", - "items": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.network.SecurityGroupRule" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.network.SecurityGroupRule": { - "type": "object", - "properties": { - "allow": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "destinationaddresses": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "destinationports": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.network.PortRange" - } - }, - "outbound": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "protocol": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "sourceaddresses": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "sourceports": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.network.PortRange" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.securitycenter.Contact": { - "type": "object", - "properties": { - "enablealertnotifications": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "phone": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.securitycenter.SecurityCenter": { - "type": "object", - "properties": { - "contacts": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.securitycenter.Contact" - } - }, - "subscriptions": { - "type": "array", 
- "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.securitycenter.SubscriptionPricing" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.securitycenter.SubscriptionPricing": { - "type": "object", - "properties": { - "tier": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.storage.Account": { - "type": "object", - "properties": { - "containers": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.storage.Container" - } - }, - "enforcehttps": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "minimumtlsversion": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "networkrules": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.storage.NetworkRule" - } - }, - "queueproperties": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.storage.QueueProperties" - }, - "queues": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.storage.Queue" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.storage.Container": { - "type": "object", - "properties": { - "publicaccess": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.storage.NetworkRule": { - "type": "object", - "properties": { - "allowbydefault": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "bypass": { - "type": "array", - "items": { - "type": 
"object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.storage.Queue": { - "type": "object", - "properties": { - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.storage.QueueProperties": { - "type": "object", - "properties": { - "enablelogging": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.storage.Storage": { - "type": "object", - "properties": { - "accounts": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.storage.Account" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.synapse.Synapse": { - "type": "object", - "properties": { - "workspaces": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.azure.synapse.Workspace" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.azure.synapse.Workspace": { - "type": "object", - "properties": { - "enablemanagedvirtualnetwork": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.cloudstack.CloudStack": { - "type": "object", - "properties": { - "compute": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.cloudstack.compute.Compute" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.cloudstack.compute.Compute": { - "type": "object", - "properties": { - "instances": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.cloudstack.compute.Instance" - } - } - } - }, - 
"github.com.aquasecurity.defsec.pkg.providers.cloudstack.compute.Instance": { - "type": "object", - "properties": { - "userdata": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.digitalocean.DigitalOcean": { - "type": "object", - "properties": { - "compute": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.digitalocean.compute.Compute" - }, - "spaces": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.digitalocean.spaces.Spaces" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.digitalocean.compute.Compute": { - "type": "object", - "properties": { - "droplets": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.digitalocean.compute.Droplet" - } - }, - "firewalls": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.digitalocean.compute.Firewall" - } - }, - "kubernetesclusters": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.digitalocean.compute.KubernetesCluster" - } - }, - "loadbalancers": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.digitalocean.compute.LoadBalancer" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.digitalocean.compute.Droplet": { - "type": "object", - "properties": { - "sshkeys": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.digitalocean.compute.Firewall": { - "type": "object", - "properties": { - "inboundrules": { - "type": "array", - "items": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.digitalocean.compute.InboundFirewallRule" - } - }, - "outboundrules": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.digitalocean.compute.OutboundFirewallRule" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.digitalocean.compute.ForwardingRule": { - "type": "object", - "properties": { - "entryprotocol": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.digitalocean.compute.InboundFirewallRule": { - "type": "object", - "properties": { - "sourceaddresses": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.digitalocean.compute.KubernetesCluster": { - "type": "object", - "properties": { - "autoupgrade": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "surgeupgrade": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.digitalocean.compute.LoadBalancer": { - "type": "object", - "properties": { - "forwardingrules": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.digitalocean.compute.ForwardingRule" - } - }, - "redirecthttptohttps": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.digitalocean.compute.OutboundFirewallRule": { - "type": "object", - "properties": { - "destinationaddresses": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - 
} - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.digitalocean.spaces.Bucket": { - "type": "object", - "properties": { - "acl": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "forcedestroy": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "objects": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.digitalocean.spaces.Object" - } - }, - "versioning": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.digitalocean.spaces.Versioning" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.digitalocean.spaces.Object": { - "type": "object", - "properties": { - "acl": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.digitalocean.spaces.Spaces": { - "type": "object", - "properties": { - "buckets": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.digitalocean.spaces.Bucket" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.digitalocean.spaces.Versioning": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.github.BranchProtection": { - "type": "object", - "properties": { - "requiresignedcommits": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.github.EnvironmentSecret": { - "type": "object", - "properties": { - "encryptedvalue": { - "type": 
"object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "environment": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "plaintextvalue": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "repository": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "secretname": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.github.GitHub": { - "type": "object", - "properties": { - "branchprotections": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.github.BranchProtection" - } - }, - "environmentsecrets": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.github.EnvironmentSecret" - } - }, - "repositories": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.github.Repository" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.github.Repository": { - "type": "object", - "properties": { - "archived": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "public": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "vulnerabilityalerts": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.Google": { - "type": "object", - "properties": { - "bigquery": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.bigquery.BigQuery" - }, - "compute": { - "type": "object", - 
"$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.Compute" - }, - "dns": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.dns.DNS" - }, - "gke": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.gke.GKE" - }, - "iam": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.iam.IAM" - }, - "kms": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.kms.KMS" - }, - "sql": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.sql.SQL" - }, - "storage": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.storage.Storage" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.bigquery.AccessGrant": { - "type": "object", - "properties": { - "domain": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "role": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "specialgroup": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.bigquery.BigQuery": { - "type": "object", - "properties": { - "datasets": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.bigquery.Dataset" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.bigquery.Dataset": { - "type": "object", - "properties": { - "accessgrants": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.bigquery.AccessGrant" - } - }, - "id": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.compute.Compute": { - "type": "object", - "properties": { - "disks": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.Disk" - } - }, - "instances": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.Instance" - } - }, - "networks": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.Network" - } - }, - "projectmetadata": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.ProjectMetadata" - }, - "sslpolicies": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.SSLPolicy" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.compute.Disk": { - "type": "object", - "properties": { - "encryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.DiskEncryption" - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.compute.DiskEncryption": { - "type": "object", - "properties": { - "kmskeylink": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "rawkey": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BytesValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.compute.EgressRule": { - "type": "object", - "properties": { - "destinationranges": { - "type": "array", - "items": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "firewallrule": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.FirewallRule" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.compute.Firewall": { - "type": "object", - "properties": { - "egressrules": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.EgressRule" - } - }, - "ingressrules": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.IngressRule" - } - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "sourcetags": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "targettags": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.compute.FirewallRule": { - "type": "object", - "properties": { - "enforced": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "isallow": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "ports": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - } - }, - "protocol": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.compute.IngressRule": { - "type": "object", - "properties": { - "firewallrule": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.FirewallRule" - }, - "sourceranges": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.compute.Instance": { - "type": "object", - "properties": { - "attacheddisks": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.Disk" - } - }, - "bootdisks": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.Disk" - } - }, - "canipforward": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "enableprojectsshkeyblocking": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "enableserialport": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "networkinterfaces": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.NetworkInterface" - } - }, - "osloginenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "serviceaccount": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.ServiceAccount" - }, - "shieldedvm": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.ShieldedVMConfig" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.compute.Network": { - "type": "object", - "properties": { - "firewall": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.Firewall" - }, - "subnetworks": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.SubNetwork" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.compute.NetworkInterface": { - "type": "object", - "properties": { - "haspublicip": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "natip": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "network": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.Network" - }, - "subnetwork": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.compute.SubNetwork" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.compute.ProjectMetadata": { - "type": "object", - "properties": { - "enableoslogin": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.compute.SSLPolicy": { - "type": "object", - "properties": { - "minimumtlsversion": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "profile": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.compute.ServiceAccount": { - "type": "object", - "properties": { - "email": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "isdefault": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "scopes": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.compute.ShieldedVMConfig": { - "type": "object", - "properties": { - "integritymonitoringenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "securebootenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "vtpmenabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.compute.SubNetwork": { - "type": "object", - "properties": { - "enableflowlogs": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "purpose": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.dns.DNS": { - "type": "object", - "properties": { - "managedzones": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.dns.ManagedZone" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.dns.DNSSec": { - "type": "object", - "properties": { - "defaultkeyspecs": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.dns.KeySpecs" - } - }, - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.dns.KeySpecs": { 
- "type": "object", - "properties": { - "algorithm": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "keytype": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.dns.ManagedZone": { - "type": "object", - "properties": { - "dnssec": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.dns.DNSSec" - }, - "visibility": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.gke.ClientCertificate": { - "type": "object", - "properties": { - "issuecertificate": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.gke.Cluster": { - "type": "object", - "properties": { - "datapathprovider": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "enableautpilot": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "enablelegacyabac": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "enableshieldednodes": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "ipallocationpolicy": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.gke.IPAllocationPolicy" - }, - "loggingservice": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "masterauth": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.gke.MasterAuth" - }, - "masterauthorizednetworks": { - "type": "object", - 
"$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.gke.MasterAuthorizedNetworks" - }, - "monitoringservice": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "networkpolicy": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.gke.NetworkPolicy" - }, - "nodeconfig": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.gke.NodeConfig" - }, - "nodepools": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.gke.NodePool" - } - }, - "privatecluster": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.gke.PrivateCluster" - }, - "removedefaultnodepool": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "resourcelabels": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.MapValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.gke.GKE": { - "type": "object", - "properties": { - "clusters": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.gke.Cluster" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.gke.IPAllocationPolicy": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.gke.Management": { - "type": "object", - "properties": { - "enableautorepair": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "enableautoupgrade": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - 
"github.com.aquasecurity.defsec.pkg.providers.google.gke.MasterAuth": { - "type": "object", - "properties": { - "clientcertificate": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.gke.ClientCertificate" - }, - "password": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "username": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.gke.MasterAuthorizedNetworks": { - "type": "object", - "properties": { - "cidrs": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.gke.NetworkPolicy": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.gke.NodeConfig": { - "type": "object", - "properties": { - "enablelegacyendpoints": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "imagetype": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "serviceaccount": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "workloadmetadataconfig": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.gke.WorkloadMetadataConfig" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.gke.NodePool": { - "type": "object", - "properties": { - "management": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.gke.Management" - }, - "nodeconfig": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.gke.NodeConfig" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.gke.PrivateCluster": { - "type": "object", - "properties": { - "enableprivatenodes": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.gke.WorkloadMetadataConfig": { - "type": "object", - "properties": { - "nodemetadata": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.iam.Binding": { - "type": "object", - "properties": { - "includesdefaultserviceaccount": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "members": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "role": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.iam.Folder": { - "type": "object", - "properties": { - "bindings": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.iam.Binding" - } - }, - "folders": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.iam.Folder" - } - }, - "members": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.iam.Member" - } - }, - "projects": { - "type": "array", - "items": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.iam.Project" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.iam.IAM": { - "type": "object", - "properties": { - "organizations": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.iam.Organization" - } - }, - "workloadidentitypoolproviders": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.iam.WorkloadIdentityPoolProvider" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.iam.Member": { - "type": "object", - "properties": { - "defaultserviceaccount": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "member": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "role": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.iam.Organization": { - "type": "object", - "properties": { - "bindings": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.iam.Binding" - } - }, - "folders": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.iam.Folder" - } - }, - "members": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.iam.Member" - } - }, - "projects": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.iam.Project" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.iam.Project": { - "type": "object", - "properties": { - "autocreatenetwork": { - 
"type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "bindings": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.iam.Binding" - } - }, - "members": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.iam.Member" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.iam.WorkloadIdentityPoolProvider": { - "type": "object", - "properties": { - "attributecondition": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "workloadidentitypoolid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "workloadidentitypoolproviderid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.kms.KMS": { - "type": "object", - "properties": { - "keyrings": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.kms.KeyRing" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.kms.Key": { - "type": "object", - "properties": { - "rotationperiodseconds": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.kms.KeyRing": { - "type": "object", - "properties": { - "keys": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.kms.Key" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.sql.Backups": { - "type": "object", - "properties": { - "enabled": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.sql.DatabaseInstance": { - "type": "object", - "properties": { - "databaseversion": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "isreplica": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "settings": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.sql.Settings" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.sql.Flags": { - "type": "object", - "properties": { - "containeddatabaseauthentication": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "crossdbownershipchaining": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "localinfile": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "logcheckpoints": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "logconnections": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "logdisconnections": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "loglockwaits": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "logmindurationstatement": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - }, - "logminmessages": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "logtempfilesize": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - } - } - }, - 
"github.com.aquasecurity.defsec.pkg.providers.google.sql.IPConfiguration": { - "type": "object", - "properties": { - "authorizednetworks": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.sql.IPConfiguration.AuthorizedNetworks" - } - }, - "enableipv4": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "requiretls": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.sql.IPConfiguration.AuthorizedNetworks": { - "type": "object", - "properties": { - "cidr": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.sql.SQL": { - "type": "object", - "properties": { - "instances": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.sql.DatabaseInstance" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.sql.Settings": { - "type": "object", - "properties": { - "backups": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.sql.Backups" - }, - "flags": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.sql.Flags" - }, - "ipconfiguration": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.sql.IPConfiguration" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.storage.Bucket": { - "type": "object", - "properties": { - "bindings": { - "type": "array", - "items": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.iam.Binding" - } - }, - "enableuniformbucketlevelaccess": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "encryption": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.storage.BucketEncryption" - }, - "location": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "members": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.iam.Member" - } - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.storage.BucketEncryption": { - "type": "object", - "properties": { - "defaultkmskeyname": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.google.storage.Storage": { - "type": "object", - "properties": { - "buckets": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.google.storage.Bucket" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.kubernetes.Egress": { - "type": "object", - "properties": { - "destinationcidrs": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "ports": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.kubernetes.Port" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.kubernetes.Ingress": { - "type": "object", - "properties": { - "ports": { - "type": "array", - "items": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.kubernetes.Port" - } - }, - "sourcecidrs": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.kubernetes.Kubernetes": { - "type": "object", - "properties": { - "networkpolicies": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.kubernetes.NetworkPolicy" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.kubernetes.NetworkPolicy": { - "type": "object", - "properties": { - "spec": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.kubernetes.NetworkPolicySpec" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.kubernetes.NetworkPolicySpec": { - "type": "object", - "properties": { - "egress": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.kubernetes.Egress" - }, - "ingress": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.kubernetes.Ingress" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.kubernetes.Port": { - "type": "object", - "properties": { - "number": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "protocol": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.Nifcloud": { - "type": "object", - "properties": { - "computing": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.computing.Computing" - }, - "dns": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.dns.DNS" - }, - "nas": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.nas.NAS" - }, - "network": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.network.Network" - }, - "rdb": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.rdb.RDB" - }, - "sslcertificate": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.sslcertificate.SSLCertificate" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.computing.Computing": { - "type": "object", - "properties": { - "instances": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.computing.Instance" - } - }, - "securitygroups": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.computing.SecurityGroup" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.computing.Instance": { - "type": "object", - "properties": { - "networkinterfaces": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.computing.NetworkInterface" - } - }, - "securitygroup": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.computing.NetworkInterface": { - "type": "object", - "properties": { - "networkid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.computing.SecurityGroup": { - "type": "object", - "properties": { - "description": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "egressrules": { - "type": "array", - "items": { - 
"type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.computing.SecurityGroupRule" - } - }, - "ingressrules": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.computing.SecurityGroupRule" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.computing.SecurityGroupRule": { - "type": "object", - "properties": { - "cidr": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "description": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.dns.DNS": { - "type": "object", - "properties": { - "records": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.dns.Record" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.dns.Record": { - "type": "object", - "properties": { - "record": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "type": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.nas.NAS": { - "type": "object", - "properties": { - "nasinstances": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.nas.NASInstance" - } - }, - "nassecuritygroups": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.nas.NASSecurityGroup" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.nas.NASInstance": { - "type": "object", - "properties": { - "networkid": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.nas.NASSecurityGroup": { - "type": "object", - "properties": { - "cidrs": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "description": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.network.ElasticLoadBalancer": { - "type": "object", - "properties": { - "listeners": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.network.ElasticLoadBalancerListener" - } - }, - "networkinterfaces": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.network.NetworkInterface" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.network.ElasticLoadBalancerListener": { - "type": "object", - "properties": { - "protocol": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.network.LoadBalancer": { - "type": "object", - "properties": { - "listeners": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.network.LoadBalancerListener" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.network.LoadBalancerListener": { - "type": "object", - "properties": { - "protocol": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "tlspolicy": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - 
"github.com.aquasecurity.defsec.pkg.providers.nifcloud.network.Network": { - "type": "object", - "properties": { - "elasticloadbalancers": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.network.ElasticLoadBalancer" - } - }, - "loadbalancers": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.network.LoadBalancer" - } - }, - "routers": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.network.Router" - } - }, - "vpngateways": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.network.VpnGateway" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.network.NetworkInterface": { - "type": "object", - "properties": { - "isvipnetwork": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "networkid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.network.Router": { - "type": "object", - "properties": { - "networkinterfaces": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.network.NetworkInterface" - } - }, - "securitygroup": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.network.VpnGateway": { - "type": "object", - "properties": { - "securitygroup": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.rdb.DBInstance": { - 
"type": "object", - "properties": { - "backupretentionperioddays": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - }, - "engine": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "engineversion": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "networkid": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "publicaccess": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.rdb.DBSecurityGroup": { - "type": "object", - "properties": { - "cidrs": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - }, - "description": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.rdb.RDB": { - "type": "object", - "properties": { - "dbinstances": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.rdb.DBInstance" - } - }, - "dbsecuritygroups": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.rdb.DBSecurityGroup" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.sslcertificate.SSLCertificate": { - "type": "object", - "properties": { - "servercertificates": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.nifcloud.sslcertificate.ServerCertificate" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.nifcloud.sslcertificate.ServerCertificate": { - "type": "object", - 
"properties": { - "expiration": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.TimeValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.openstack.Compute": { - "type": "object", - "properties": { - "firewall": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.openstack.Firewall" - }, - "instances": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.openstack.Instance" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.openstack.Firewall": { - "type": "object", - "properties": { - "allowrules": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.openstack.FirewallRule" - } - }, - "denyrules": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.openstack.FirewallRule" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.openstack.FirewallRule": { - "type": "object", - "properties": { - "destination": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "destinationport": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "enabled": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "source": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "sourceport": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.openstack.Instance": { - "type": "object", - "properties": { - "adminpassword": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - 
"github.com.aquasecurity.defsec.pkg.providers.openstack.Networking": { - "type": "object", - "properties": { - "securitygroups": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.openstack.SecurityGroup" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.openstack.OpenStack": { - "type": "object", - "properties": { - "compute": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.openstack.Compute" - }, - "networking": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.openstack.Networking" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.openstack.SecurityGroup": { - "type": "object", - "properties": { - "description": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "name": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "rules": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.openstack.SecurityGroupRule" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.openstack.SecurityGroupRule": { - "type": "object", - "properties": { - "cidr": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - }, - "ethertype": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - }, - "isingress": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue" - }, - "portmax": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - }, - "portmin": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.IntValue" - }, - "protocol": { - "type": "object", - "$ref": 
"#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.oracle.AddressReservation": { - "type": "object", - "properties": { - "pool": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue" - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.oracle.Compute": { - "type": "object", - "properties": { - "addressreservations": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.oracle.AddressReservation" - } - } - } - }, - "github.com.aquasecurity.defsec.pkg.providers.oracle.Oracle": { - "type": "object", - "properties": { - "compute": { - "type": "object", - "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.oracle.Compute" - } - } - }, - "github.com.aquasecurity.defsec.pkg.types.BoolValue": { - "type": "object", - "properties": { - "endline": { - "type": "integer" - }, - "explicit": { - "type": "boolean" - }, - "filepath": { - "type": "string" - }, - "fskey": { - "type": "string" - }, - "managed": { - "type": "boolean" - }, - "resource": { - "type": "string" - }, - "sourceprefix": { - "type": "string" - }, - "startline": { - "type": "integer" - }, - "value": { - "type": "boolean" - } - } - }, - "github.com.aquasecurity.defsec.pkg.types.BytesValue": { - "type": "object", - "properties": { - "endline": { - "type": "integer" - }, - "explicit": { - "type": "boolean" - }, - "filepath": { - "type": "string" - }, - "fskey": { - "type": "string" - }, - "managed": { - "type": "boolean" - }, - "resource": { - "type": "string" - }, - "sourceprefix": { - "type": "string" - }, - "startline": { - "type": "integer" - }, - "value": { - "type": "string" - } - } - }, - "github.com.aquasecurity.defsec.pkg.types.IntValue": { - "type": "object", - "properties": { - "endline": { - "type": "integer" - }, - "explicit": { - "type": "boolean" - }, - "filepath": { - "type": 
"string" - }, - "fskey": { - "type": "string" - }, - "managed": { - "type": "boolean" - }, - "resource": { - "type": "string" - }, - "sourceprefix": { - "type": "string" - }, - "startline": { - "type": "integer" - }, - "value": { - "type": "integer" - } - } - }, - "github.com.aquasecurity.defsec.pkg.types.MapValue": { - "type": "object", - "properties": { - "endline": { - "type": "integer" - }, - "explicit": { - "type": "boolean" - }, - "filepath": { - "type": "string" - }, - "fskey": { - "type": "string" - }, - "managed": { - "type": "boolean" - }, - "resource": { - "type": "string" - }, - "sourceprefix": { - "type": "string" - }, - "startline": { - "type": "integer" - }, - "value": { - "type": "object" - } - } - }, - "github.com.aquasecurity.defsec.pkg.types.StringValue": { - "type": "object", - "properties": { - "endline": { - "type": "integer" - }, - "explicit": { - "type": "boolean" - }, - "filepath": { - "type": "string" - }, - "fskey": { - "type": "string" - }, - "managed": { - "type": "boolean" - }, - "resource": { - "type": "string" - }, - "sourceprefix": { - "type": "string" - }, - "startline": { - "type": "integer" - }, - "value": { - "type": "string" - } - } - }, - "github.com.aquasecurity.defsec.pkg.types.TimeValue": { - "type": "object", - "properties": { - "endline": { - "type": "integer" - }, - "explicit": { - "type": "boolean" - }, - "filepath": { - "type": "string" - }, - "fskey": { - "type": "string" - }, - "managed": { - "type": "boolean" - }, - "resource": { - "type": "string" - }, - "sourceprefix": { - "type": "string" - }, - "startline": { - "type": "integer" - }, - "value": { - "type": "string" - } - } - } - } -} \ No newline at end of file diff --git a/pkg/rego/schemas/dockerfile.json b/pkg/rego/schemas/dockerfile.json deleted file mode 100644 index d769cb19..00000000 --- a/pkg/rego/schemas/dockerfile.json +++ /dev/null 
@@ -1,70 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "https://github.com/aquasecurity/trivy-policies/blob/main/pkg/rego/schemas/dockerfile.json",
- "type": "object",
- "properties": {
- "Stages": {
- "type": "array",
- "items": {
- "$ref": "#/$defs/stage"
- }
- }
- },
- "$defs": {
- "stage": {
- "type": "object",
- "properties": {
- "Name": {
- "type": "string"
- },
- "Commands": {
- "type": "array",
- "items": {
- "$ref": "#/$defs/command"
- }
- }
- }
- },
- "command": {
- "type": "object",
- "properties": {
- "Flags": {
- "type": "array",
- "items": {
- "type": "string"
- }
- },
- "Value": {
- "type": "array",
- "items": {
- "type": "string"
- }
- },
- "Cmd": {
- "type": "string"
- },
- "SubCmd": {
- "type": "string"
- },
- "Original": {
- "type": "string"
- },
- "Path": {
- "type": "string"
- },
- "JSON": {
- "type": "boolean"
- },
- "Stage": {
- "type": "integer"
- },
- "StartLine": {
- "type": "integer"
- },
- "EndLine": {
- "type": "integer"
- }
- }
- }
- }
-}
\ No newline at end of file
diff --git a/pkg/rego/schemas/kubernetes.json b/pkg/rego/schemas/kubernetes.json
deleted file mode 100644
index 1975944b..00000000
--- a/pkg/rego/schemas/kubernetes.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "https://github.com/aquasecurity/trivy-policies/blob/main/pkg/rego/schemas/kubernetes.json",
- "type": "object",
- "properties": {
- "apiVersion": {
- "type": "string"
- },
- "kind": {
- "type": "string"
- },
- "metadata": {
- "type": "object"
- },
- "spec": {
- "type": "object"
- },
- "rules": {
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "apiGroups": {
- "type": "array",
- "items": {
- "type": "string"
- }
- },
- "resources": {
- "type": "array",
- "items": {
- "type": "string"
- }
- },
- "resourceNames": {
- "type": "array",
- "items": {
- "type": "string"
- }
- },
- "verbs": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- }
- }
- }
-}
\ No newline at end of file
diff --git a/pkg/rego/schemas/rbac.json b/pkg/rego/schemas/rbac.json
deleted file mode 100644
index c251890f..00000000
--- a/pkg/rego/schemas/rbac.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "https://github.com/aquasecurity/trivy-policies/blob/main/pkg/rego/schemas/rbac.json",
- "type": "object",
- "properties": {
- "apiVersion": {
- "type": "string"
- },
- "kind": {
- "type": "string"
- },
- "metadata": {
- "type": "object"
- },
- "spec": {
- "type": "object"
- },
- "rules": {
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "apiGroups": {
- "type": "array",
- "items": {
- "type": "string"
- }
- },
- "resources": {
- "type": "array",
- "items": {
- "type": "string"
- }
- },
- "resourceNames": {
- "type": "array",
- "items": {
- "type": "string"
- }
- },
- "verbs": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- }
- }
- }
-}
\ No newline at end of file
diff --git a/pkg/rego/schemas/schemas.go b/pkg/rego/schemas/schemas.go
deleted file mode 100644
index 1ece0358..00000000
--- a/pkg/rego/schemas/schemas.go
+++ /dev/null
@@ -1,16 +0,0 @@
-package schemas
-
-import (
- "github.com/aquasecurity/defsec/pkg/types"
-)
-
-var SchemaMap = map[types.Source]Schema{
- types.SourceDefsec: Cloud,
- types.SourceCloud: Cloud,
- types.SourceKubernetes: Kubernetes,
- types.SourceRbac: Kubernetes,
- types.SourceDockerfile: Dockerfile,
- types.SourceTOML: Anything,
- types.SourceYAML: Anything,
- types.SourceJSON: Anything,
-}
diff --git a/pkg/rego/store.go b/pkg/rego/store.go
deleted file mode 100644
index 127b1d8d..00000000
--- a/pkg/rego/store.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package rego
-
-import (
- "fmt"
- "io/fs"
- "os"
- "path/filepath"
- "strings"
-
- "github.com/open-policy-agent/opa/loader"
- "github.com/open-policy-agent/opa/storage"
-)
-
-// initialise a store populated with OPA data files found in dataPaths
-func initStore(dataFS fs.FS, dataPaths, namespaces []string) (storage.Store, error) {
- // FilteredPaths will recursively find all file paths that contain a valid document
- // extension from the given list of data paths.
- allDocumentPaths, _ := loader.FilteredPathsFS(dataFS, dataPaths, func(abspath string, info os.FileInfo, depth int) bool {
- if info.IsDir() {
- return false // filter in, include
- }
- ext := strings.ToLower(filepath.Ext(info.Name()))
- for _, filter := range []string{
- ".yaml",
- ".yml",
- ".json",
- } {
- if filter == ext {
- return false // filter in, include
- }
- }
- return true // filter out, exclude
- })
-
- documents, err := loader.NewFileLoader().WithFS(dataFS).All(allDocumentPaths)
- if err != nil {
- return nil, fmt.Errorf("load documents: %w", err)
- }
-
- // pass all namespaces so that rego rule can refer to namespaces as data.namespaces
- documents.Documents["namespaces"] = namespaces
-
- store, err := documents.Store()
- if err != nil {
- return nil, fmt.Errorf("get documents store: %w", err)
- }
- return store, nil
-}
diff --git a/pkg/rego/testdata/policies/._sysfile.rego b/pkg/rego/testdata/policies/._sysfile.rego
deleted file mode 100644
index e69de29b..00000000
diff --git a/pkg/rego/testdata/policies/invalid.rego b/pkg/rego/testdata/policies/invalid.rego
deleted file mode 100644
index a2ef3607..00000000
--- a/pkg/rego/testdata/policies/invalid.rego
+++ /dev/null
@@ -1,8 +0,0 @@
-# METADATA
-# schemas:
-# - input: schema["input"]
-package defsec.test_invalid
-
-deny {
- input.Stages[0].Commands[0].FooBarNothingBurger == "lol"
-}
diff --git a/pkg/rego/testdata/policies/valid.rego b/pkg/rego/testdata/policies/valid.rego
deleted file mode 100644
index 74a96afe..00000000
--- a/pkg/rego/testdata/policies/valid.rego
+++ /dev/null
@@ -1,8 +0,0 @@
-# METADATA
-# schemas:
-# - input: schema["input"]
-package defsec.test_valid
-
-deny {
- input.Stages[0].Commands[0].Cmd == "lol"
-}
diff --git a/pkg/rules/providers.go b/pkg/rules/providers.go
deleted file mode 100644
index 60c976fd..00000000
--- a/pkg/rules/providers.go
+++ /dev/null
@@ -1,169 +0,0 @@
-package rules
-
-import (
- "encoding/json"
- "strings"
-)
-
-type Provider struct {
- Name string `json:"name"`
- Services []Service `json:"services"`
-}
-
-type Service struct {
- Name string `json:"name"`
- Checks []Check `json:"checks"`
-}
-
-type Check struct {
- Name string `json:"name"`
- Description string `json:"description"`
-}
-
-func GetProvidersHierarchy() (providers map[string]map[string][]string) {
-
- registeredRules := GetRegistered()
-
- provs := make(map[string]map[string][]string)
-
- for _, rule := range registeredRules {
-
- cNames := make(map[string]bool)
- pName := strings.ToLower(rule.GetRule().Provider.DisplayName())
- sName := strings.ToLower(rule.GetRule().Service)
- cName := rule.GetRule().AVDID
-
- if _, ok := provs[pName]; !ok {
- provs[pName] = make(map[string][]string)
- }
-
- if _, ok := provs[pName][sName]; !ok {
- provs[pName][sName] = make([]string, 0)
- }
-
- if _, ok := cNames[cName]; !ok {
- cNames[cName] = true
- provs[pName][sName] = append(provs[pName][sName], cName)
- }
- }
-
- return provs
-}
-
-func GetProviders() (providers []Provider) {
-
- registeredRules := GetRegistered()
-
- provs := make(map[string]map[string][]Check)
-
- for _, rule := range registeredRules {
-
- pName := strings.ToLower(rule.GetRule().Provider.DisplayName())
- sName := strings.ToLower(rule.GetRule().Service)
- cName := rule.GetRule().AVDID
- desc := rule.GetRule().Summary
-
- if _, ok := provs[pName]; !ok {
- provs[pName] = make(map[string][]Check)
- }
-
- if _, ok := provs[pName][sName]; !ok {
- provs[pName][sName] = []Check{}
- }
-
- provs[pName][sName] = append(provs[pName][sName], Check{
- Name: cName,
- Description: desc,
- })
- }
-
- for providerName, providerServices := range provs {
- var services []Service
- for serviceName, checks := range providerServices {
- services = append(services, Service{
- Name: serviceName,
- Checks: checks,
- })
- }
-
- providers = append(providers, Provider{
- Name: providerName,
- Services: services,
- })
- }
-
- return providers
-}
-
-func GetProvidersAsJson() ([]byte, error) {
-
- providers := GetProviders()
-
- return json.MarshalIndent(providers, "", " ")
-}
-
-func GetProviderNames() []string {
-
- registeredRules := GetRegistered()
-
- providers := make(map[string]bool)
-
- for _, rule := range registeredRules {
-
- if _, ok := providers[rule.GetRule().Provider.DisplayName()]; !ok {
- providers[rule.GetRule().Provider.DisplayName()] = true
- }
-
- }
-
- var uniqueProviders []string
- for p := range providers {
- uniqueProviders = append(uniqueProviders, p)
- }
-
- return uniqueProviders
-
-}
-
-func GetProviderServiceNames(providerName string) []string {
-
- registeredRules := GetRegistered()
-
- services := make(map[string]bool)
-
- for _, rule := range registeredRules {
-
- if !strings.EqualFold(providerName, rule.GetRule().Provider.DisplayName()) {
- continue
- }
-
- if _, ok := services[rule.GetRule().Service]; !ok {
- services[rule.GetRule().Service] = true
- }
-
- }
- var uniqueServices []string
- for p := range services {
- uniqueServices = append(uniqueServices, p)
- }
-
- return uniqueServices
-}
-
-func GetProviderServiceCheckNames(providerName string, serviceName string) []string {
-
- registeredRules := GetRegistered()
-
- var checks []string
-
- for _, rule := range registeredRules {
-
- if !strings.EqualFold(providerName, rule.GetRule().Provider.DisplayName()) ||
- !strings.EqualFold(serviceName, rule.GetRule().Service) {
- continue
- }
-
- checks = append(checks, rule.GetRule().AVDID)
- }
- return checks
-}
diff --git a/pkg/rules/register.go b/pkg/rules/register.go
deleted file mode 100644
index b03e1a63..00000000
--- a/pkg/rules/register.go
+++ /dev/null
@@ -1,25 +0,0 @@
-package rules
-
-import (
- "github.com/aquasecurity/defsec/pkg/framework"
- "github.com/aquasecurity/defsec/pkg/scan"
-
- "github.com/aquasecurity/trivy-iac/internal/rules"
- "github.com/aquasecurity/trivy-iac/pkg/types"
-)
-
-func Register(rule scan.Rule) types.RegisteredRule {
- return rules.Register(rule)
-}
-
-func Deregister(rule types.RegisteredRule) {
- rules.Deregister(rule)
-}
-
-func GetRegistered(fw ...framework.Framework) []types.RegisteredRule {
- return rules.GetFrameworkRules(fw...)
-}
-
-func GetSpecRules(spec string) []types.RegisteredRule {
- return rules.GetSpecRules(spec)
-}
diff --git a/pkg/rules/rules.go b/pkg/rules/rules.go
deleted file mode 100644
index 1cbd54b8..00000000
--- a/pkg/rules/rules.go
+++ /dev/null
@@ -1,82 +0,0 @@
-package rules
-
-import (
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/accessanalyzer"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/apigateway"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/athena"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/cloudfront"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/cloudtrail"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/cloudwatch"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/codebuild"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/config"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/documentdb"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/dynamodb"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/ec2"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/ecr"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/ecs"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/efs"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/eks"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/elasticache"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/elasticsearch"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/elb"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/emr"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/iam"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/kinesis"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/kms"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/lambda"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/mq"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/msk"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/neptune"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/rds"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/redshift"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/s3"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/sam"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/sns"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/sqs"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/ssm"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/aws/workspaces"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/appservice"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/authorization"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/compute"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/container"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/database"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/datafactory"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/datalake"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/keyvault"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/monitor"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/network"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/securitycenter"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/storage"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/azure/synapse"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/cloudstack/compute"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/digitalocean/compute"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/digitalocean/spaces"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/github/actions"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/github/branch_protections"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/github/repositories"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/google/bigquery"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/google/compute"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/google/dns"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/google/gke"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/google/iam"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/google/kms"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/google/sql"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/google/storage"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/nifcloud/computing"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/nifcloud/dns"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/nifcloud/nas"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/nifcloud/network"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/nifcloud/rdb"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/nifcloud/sslcertificate"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/openstack/compute"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/openstack/networking"
- _ "github.com/aquasecurity/trivy-policies/checks/cloud/oracle/compute"
- _ "github.com/aquasecurity/trivy-policies/checks/kubernetes/network"
- trules "github.com/aquasecurity/trivy-policies/pkg/rules"
-)
-
-func init() {
- for _, r := range trules.GetRules() {
- Register(r)
- }
-}
diff --git a/pkg/scanners/azure/arm/scanner.go b/pkg/scanners/azure/arm/scanner.go
index 8703c74c..0ba682c0 100644
--- a/pkg/scanners/azure/arm/scanner.go
+++ b/pkg/scanners/azure/arm/scanner.go
@@ -10,14 +10,14 @@ import ( "github.com/aquasecurity/defsec/pkg/debug" "github.com/aquasecurity/defsec/pkg/framework" + "github.com/aquasecurity/defsec/pkg/rego" + "github.com/aquasecurity/defsec/pkg/rules" "github.com/aquasecurity/defsec/pkg/scan" + "github.com/aquasecurity/defsec/pkg/scanners/options" "github.com/aquasecurity/defsec/pkg/state" "github.com/aquasecurity/defsec/pkg/types" - "github.com/aquasecurity/defsec/pkg/scanners/options" "github.com/aquasecurity/trivy-iac/internal/adapters/arm" - "github.com/aquasecurity/trivy-iac/pkg/rego" - "github.com/aquasecurity/trivy-iac/pkg/rules" "github.com/aquasecurity/trivy-iac/pkg/scanners" "github.com/aquasecurity/trivy-iac/pkg/scanners/azure" "github.com/aquasecurity/trivy-iac/pkg/scanners/azure/arm/parser" diff --git a/pkg/scanners/cloudformation/scanner.go b/pkg/scanners/cloudformation/scanner.go index 81bbc0d7..7bf865ca 100644 --- a/pkg/scanners/cloudformation/scanner.go +++ b/pkg/scanners/cloudformation/scanner.go @@ -10,13 +10,13 @@ import ( "github.com/aquasecurity/defsec/pkg/debug" "github.com/aquasecurity/defsec/pkg/framework" + "github.com/aquasecurity/defsec/pkg/rego" + "github.com/aquasecurity/defsec/pkg/rules" "github.com/aquasecurity/defsec/pkg/scan" "github.com/aquasecurity/defsec/pkg/scanners/options" "github.com/aquasecurity/defsec/pkg/types" adapter "github.com/aquasecurity/trivy-iac/internal/adapters/cloudformation" - "github.com/aquasecurity/trivy-iac/pkg/rego" - "github.com/aquasecurity/trivy-iac/pkg/rules" "github.com/aquasecurity/trivy-iac/pkg/scanners" "github.com/aquasecurity/trivy-iac/pkg/scanners/cloudformation/parser" ) diff --git a/pkg/scanners/dockerfile/scanner.go b/pkg/scanners/dockerfile/scanner.go index ddcbb45c..dca7f127 100644 --- a/pkg/scanners/dockerfile/scanner.go +++ b/pkg/scanners/dockerfile/scanner.go 
@@ -11,8 +11,8 @@ import ( "github.com/aquasecurity/defsec/pkg/scan" "github.com/aquasecurity/defsec/pkg/types" + "github.com/aquasecurity/defsec/pkg/rego" "github.com/aquasecurity/defsec/pkg/scanners/options" - "github.com/aquasecurity/trivy-iac/pkg/rego" "github.com/aquasecurity/trivy-iac/pkg/scanners" "github.com/aquasecurity/trivy-iac/pkg/scanners/dockerfile/parser" ) diff --git a/pkg/scanners/dockerfile/scanner_test.go b/pkg/scanners/dockerfile/scanner_test.go index e1fc5334..a4cf64b3 100644 --- a/pkg/scanners/dockerfile/scanner_test.go +++ b/pkg/scanners/dockerfile/scanner_test.go @@ -6,13 +6,13 @@ import ( "testing" "github.com/aquasecurity/defsec/pkg/framework" + "github.com/aquasecurity/defsec/pkg/rego" + "github.com/aquasecurity/defsec/pkg/rego/schemas" "github.com/aquasecurity/defsec/pkg/scan" + "github.com/aquasecurity/defsec/pkg/scanners/options" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/defsec/pkg/scanners/options" - "github.com/aquasecurity/trivy-iac/pkg/rego" - "github.com/aquasecurity/trivy-iac/pkg/rego/schemas" "github.com/aquasecurity/trivy-iac/test/testutil" ) diff --git a/pkg/scanners/helm/scanner.go b/pkg/scanners/helm/scanner.go index f5552011..cb93714d 100644 --- a/pkg/scanners/helm/scanner.go +++ b/pkg/scanners/helm/scanner.go @@ -14,9 +14,9 @@ import ( "github.com/aquasecurity/defsec/pkg/types" "github.com/liamg/memoryfs" + "github.com/aquasecurity/defsec/pkg/rego" "github.com/aquasecurity/defsec/pkg/scanners/options" "github.com/aquasecurity/trivy-iac/pkg/detection" - "github.com/aquasecurity/trivy-iac/pkg/rego" "github.com/aquasecurity/trivy-iac/pkg/scanners" "github.com/aquasecurity/trivy-iac/pkg/scanners/helm/parser" kparser "github.com/aquasecurity/trivy-iac/pkg/scanners/kubernetes/parser" diff --git a/pkg/scanners/json/scanner.go b/pkg/scanners/json/scanner.go index dac15a03..6cc55b3a 100644 --- a/pkg/scanners/json/scanner.go +++ b/pkg/scanners/json/scanner.go 
@@ -8,10 +8,10 @@ import ( "github.com/aquasecurity/defsec/pkg/debug" "github.com/aquasecurity/defsec/pkg/framework" + "github.com/aquasecurity/defsec/pkg/rego" "github.com/aquasecurity/defsec/pkg/scan" "github.com/aquasecurity/defsec/pkg/scanners/options" "github.com/aquasecurity/defsec/pkg/types" - "github.com/aquasecurity/trivy-iac/pkg/rego" "github.com/aquasecurity/trivy-iac/pkg/scanners" "github.com/aquasecurity/trivy-iac/pkg/scanners/json/parser" ) diff --git a/pkg/scanners/kubernetes/scanner.go b/pkg/scanners/kubernetes/scanner.go index bd1b7355..0f11e3b3 100644 --- a/pkg/scanners/kubernetes/scanner.go +++ b/pkg/scanners/kubernetes/scanner.go @@ -10,10 +10,10 @@ import ( "github.com/aquasecurity/defsec/pkg/debug" "github.com/aquasecurity/defsec/pkg/framework" + "github.com/aquasecurity/defsec/pkg/rego" "github.com/aquasecurity/defsec/pkg/scan" "github.com/aquasecurity/defsec/pkg/scanners/options" "github.com/aquasecurity/defsec/pkg/types" - "github.com/aquasecurity/trivy-iac/pkg/rego" "github.com/aquasecurity/trivy-iac/pkg/scanners" "github.com/aquasecurity/trivy-iac/pkg/scanners/kubernetes/parser" "github.com/liamg/memoryfs" diff --git a/pkg/scanners/terraform/executor/executor.go b/pkg/scanners/terraform/executor/executor.go index 59331f8f..af88b819 100644 --- a/pkg/scanners/terraform/executor/executor.go +++ b/pkg/scanners/terraform/executor/executor.go 
@@ -8,14 +8,14 @@ import ( "github.com/aquasecurity/defsec/pkg/debug" "github.com/aquasecurity/defsec/pkg/framework" + "github.com/aquasecurity/defsec/pkg/rules" "github.com/aquasecurity/defsec/pkg/scan" "github.com/aquasecurity/defsec/pkg/severity" "github.com/aquasecurity/defsec/pkg/state" "github.com/aquasecurity/defsec/pkg/terraform" + "github.com/aquasecurity/defsec/pkg/rego" adapter "github.com/aquasecurity/trivy-iac/internal/adapters/terraform" - "github.com/aquasecurity/trivy-iac/pkg/rego" - "github.com/aquasecurity/trivy-iac/pkg/rules" ) // Executor scans HCL blocks by running all registered rules against them diff --git a/pkg/scanners/terraform/executor/executor_test.go b/pkg/scanners/terraform/executor/executor_test.go index 3d4b791b..e6f0ed0f 100644 --- a/pkg/scanners/terraform/executor/executor_test.go +++ b/pkg/scanners/terraform/executor/executor_test.go @@ -5,14 +5,15 @@ import ( "testing" "github.com/aquasecurity/defsec/pkg/providers" + "github.com/aquasecurity/defsec/pkg/rules" "github.com/aquasecurity/defsec/pkg/scan" "github.com/aquasecurity/defsec/pkg/severity" "github.com/aquasecurity/defsec/pkg/terraform" - "github.com/aquasecurity/trivy-iac/pkg/rules" - "github.com/aquasecurity/trivy-iac/pkg/scanners/terraform/parser" - "github.com/aquasecurity/trivy-iac/test/testutil" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + + "github.com/aquasecurity/trivy-iac/pkg/scanners/terraform/parser" + "github.com/aquasecurity/trivy-iac/test/testutil" ) var panicRule = scan.Rule{ diff --git a/pkg/scanners/terraform/executor/option.go b/pkg/scanners/terraform/executor/option.go index 99411640..54701463 100644 --- a/pkg/scanners/terraform/executor/option.go +++ b/pkg/scanners/terraform/executor/option.go 
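Review bot: The new `"github.com/aquasecurity/defsec/pkg/rego"` import in executor.go is placed after `defsec/pkg/terraform`, in the slot the removed trivy-iac imports occupied, while the new `defsec/pkg/rules` import was slotted alphabetically before `scan`. If no blank line separates it from `terraform`, gofmt will reorder it on the next save; if one does, the defsec imports are now split across two groups. The sibling hunks in this change (arm, cloudformation, json and kubernetes scanners) put `rego` directly before `rules`/`scan` in the defsec group, so do the same here: move `"github.com/aquasecurity/defsec/pkg/rego"` up between `framework` and `rules`. A blank context line may have been lost when this diff was collapsed, so confirm against the file.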
@@ -5,9 +5,9 @@ import ( "github.com/aquasecurity/defsec/pkg/debug" "github.com/aquasecurity/defsec/pkg/framework" + "github.com/aquasecurity/defsec/pkg/rego" "github.com/aquasecurity/defsec/pkg/scan" "github.com/aquasecurity/defsec/pkg/state" - "github.com/aquasecurity/trivy-iac/pkg/rego" ) type Option func(s *Executor) diff --git a/pkg/scanners/terraform/executor/pool.go b/pkg/scanners/terraform/executor/pool.go index b386688f..9ea1f690 100644 --- a/pkg/scanners/terraform/executor/pool.go +++ b/pkg/scanners/terraform/executor/pool.go @@ -9,11 +9,11 @@ import ( "strings" "sync" + "github.com/aquasecurity/defsec/pkg/rego" "github.com/aquasecurity/defsec/pkg/scan" "github.com/aquasecurity/defsec/pkg/state" "github.com/aquasecurity/defsec/pkg/terraform" - "github.com/aquasecurity/trivy-iac/pkg/rego" - "github.com/aquasecurity/trivy-iac/pkg/types" + types "github.com/aquasecurity/defsec/pkg/types/rules" ) type Pool struct { diff --git a/pkg/scanners/terraform/scanner.go b/pkg/scanners/terraform/scanner.go index 4f6411b4..f274ec45 100644 --- a/pkg/scanners/terraform/scanner.go +++ b/pkg/scanners/terraform/scanner.go @@ -18,8 +18,8 @@ import ( "github.com/aquasecurity/defsec/pkg/types" "golang.org/x/exp/slices" + "github.com/aquasecurity/defsec/pkg/rego" "github.com/aquasecurity/trivy-iac/pkg/extrafs" - "github.com/aquasecurity/trivy-iac/pkg/rego" "github.com/aquasecurity/trivy-iac/pkg/scanners" "github.com/aquasecurity/trivy-iac/pkg/scanners/terraform/executor" "github.com/aquasecurity/trivy-iac/pkg/scanners/terraform/parser" diff --git a/pkg/scanners/terraform/scanner_test.go b/pkg/scanners/terraform/scanner_test.go index e7f9647e..07044f8d 100644 --- a/pkg/scanners/terraform/scanner_test.go +++ b/pkg/scanners/terraform/scanner_test.go 
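Review bot: Aliasing `github.com/aquasecurity/defsec/pkg/types/rules` as `types` in pool.go reuses the name under which `defsec/pkg/types` is imported, unaliased, in the neighbouring scanner files (the terraform/scanner.go hunk on this same line shows it), so a reader of `types.X` in pool.go will reach for the wrong package and a later import of `defsec/pkg/types` into pool.go would collide. Prefer an alias that names what it is, e.g. `ruletypes "github.com/aquasecurity/defsec/pkg/types/rules"`, and update the references in the Pool code, which lies outside this hunk. The option.go and scanner.go hunks sharing this line are plain import moves and need nothing.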
@@ -8,15 +8,16 @@ import ( "testing" "github.com/aquasecurity/defsec/pkg/providers" + "github.com/aquasecurity/defsec/pkg/rules" "github.com/aquasecurity/defsec/pkg/scan" "github.com/aquasecurity/defsec/pkg/scanners/options" "github.com/aquasecurity/defsec/pkg/severity" "github.com/aquasecurity/defsec/pkg/state" "github.com/aquasecurity/defsec/pkg/terraform" - "github.com/aquasecurity/trivy-iac/pkg/rules" - "github.com/aquasecurity/trivy-iac/test/testutil" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + + "github.com/aquasecurity/trivy-iac/test/testutil" ) var alwaysFailRule = scan.Rule{ diff --git a/pkg/scanners/toml/scanner.go b/pkg/scanners/toml/scanner.go index 0bea9556..d3550bc3 100644 --- a/pkg/scanners/toml/scanner.go +++ b/pkg/scanners/toml/scanner.go @@ -8,10 +8,10 @@ import ( "github.com/aquasecurity/defsec/pkg/debug" "github.com/aquasecurity/defsec/pkg/framework" + "github.com/aquasecurity/defsec/pkg/rego" "github.com/aquasecurity/defsec/pkg/scan" "github.com/aquasecurity/defsec/pkg/scanners/options" "github.com/aquasecurity/defsec/pkg/types" - "github.com/aquasecurity/trivy-iac/pkg/rego" "github.com/aquasecurity/trivy-iac/pkg/scanners/toml/parser" ) diff --git a/pkg/scanners/yaml/scanner.go b/pkg/scanners/yaml/scanner.go index f211b4be..dba59cf6 100644 --- a/pkg/scanners/yaml/scanner.go +++ b/pkg/scanners/yaml/scanner.go @@ -8,10 +8,10 @@ import ( "github.com/aquasecurity/defsec/pkg/debug" "github.com/aquasecurity/defsec/pkg/framework" + "github.com/aquasecurity/defsec/pkg/rego" "github.com/aquasecurity/defsec/pkg/scan" "github.com/aquasecurity/defsec/pkg/scanners/options" "github.com/aquasecurity/defsec/pkg/types" - "github.com/aquasecurity/trivy-iac/pkg/rego" "github.com/aquasecurity/trivy-iac/pkg/scanners/yaml/parser" ) diff --git a/pkg/types/rule.go b/pkg/types/rule.go deleted file mode 100644 index dec3879d..00000000 --- a/pkg/types/rule.go +++ /dev/null 
@@ -1,18 +0,0 @@ -package types - -import ( - "github.com/aquasecurity/defsec/pkg/scan" -) - -type RegisteredRule struct { - scan.Rule - Number int -} - -func (r *RegisteredRule) GetRule() scan.Rule { - return r.Rule -} - -func (r *RegisteredRule) AddLink(link string) { - r.Rule.Links = append([]string{link}, r.Rule.Links...) -} diff --git a/test/count_test.go b/test/count_test.go index e7ede950..5f6d0154 100644 --- a/test/count_test.go +++ b/test/count_test.go @@ -4,12 +4,13 @@ import ( "testing" "github.com/aquasecurity/defsec/pkg/providers" + "github.com/aquasecurity/defsec/pkg/rules" "github.com/aquasecurity/defsec/pkg/scan" "github.com/aquasecurity/defsec/pkg/severity" "github.com/aquasecurity/defsec/pkg/terraform" - "github.com/aquasecurity/trivy-iac/pkg/rules" - "github.com/aquasecurity/trivy-iac/test/testutil" "github.com/stretchr/testify/assert" + + "github.com/aquasecurity/trivy-iac/test/testutil" ) func Test_ResourcesWithCount(t *testing.T) { diff --git a/test/deterministic_test.go b/test/deterministic_test.go index a197a42a..55a88c8a 100644 --- a/test/deterministic_test.go +++ b/test/deterministic_test.go @@ -4,11 +4,12 @@ import ( "context" "testing" - "github.com/aquasecurity/trivy-iac/pkg/rules" + "github.com/aquasecurity/defsec/pkg/rules" + "github.com/stretchr/testify/require" + "github.com/aquasecurity/trivy-iac/pkg/scanners/terraform/executor" "github.com/aquasecurity/trivy-iac/pkg/scanners/terraform/parser" "github.com/aquasecurity/trivy-iac/test/testutil" - "github.com/stretchr/testify/require" ) func Test_DeterministicResults(t *testing.T) { diff --git a/test/docker_test.go b/test/docker_test.go index 798a6909..371e74f4 100644 --- a/test/docker_test.go +++ b/test/docker_test.go 
@@ -8,9 +8,10 @@ import ( "github.com/aquasecurity/defsec/pkg/scan" "github.com/aquasecurity/defsec/pkg/scanners/options" - "github.com/aquasecurity/trivy-iac/pkg/scanners/dockerfile" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + + "github.com/aquasecurity/trivy-iac/pkg/scanners/dockerfile" ) // func addFilesToMemFS(memfs *memoryfs.FS, typePolicy bool, folderName string) error { diff --git a/test/fs_test.go b/test/fs_test.go index 592eafa2..e57a8e0c 100644 --- a/test/fs_test.go +++ b/test/fs_test.go @@ -6,9 +6,10 @@ import ( "testing" "github.com/aquasecurity/defsec/pkg/scanners/options" - "github.com/aquasecurity/trivy-iac/pkg/scanners/terraform" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + + "github.com/aquasecurity/trivy-iac/pkg/scanners/terraform" ) func Test_OS_FS(t *testing.T) { diff --git a/test/ignore_test.go b/test/ignore_test.go index 017a314a..a9a9c0fc 100644 --- a/test/ignore_test.go +++ b/test/ignore_test.go @@ -6,10 +6,10 @@ import ( "testing" "github.com/aquasecurity/defsec/pkg/providers" + "github.com/aquasecurity/defsec/pkg/rules" "github.com/aquasecurity/defsec/pkg/scan" "github.com/aquasecurity/defsec/pkg/severity" "github.com/aquasecurity/defsec/pkg/terraform" - "github.com/aquasecurity/trivy-iac/pkg/rules" "github.com/stretchr/testify/assert" ) diff --git a/test/json_test.go b/test/json_test.go index a4d7afef..5f7f3144 100644 --- a/test/json_test.go +++ b/test/json_test.go @@ -4,10 +4,11 @@ import ( "testing" "github.com/aquasecurity/defsec/pkg/providers" + "github.com/aquasecurity/defsec/pkg/rules" "github.com/aquasecurity/defsec/pkg/scan" "github.com/aquasecurity/defsec/pkg/severity" "github.com/aquasecurity/defsec/pkg/terraform" - "github.com/aquasecurity/trivy-iac/pkg/rules" + "github.com/aquasecurity/trivy-iac/test/testutil" ) diff --git a/test/kubernetes_test.go b/test/kubernetes_test.go index bea73100..6d3e3864 100644 --- a/test/kubernetes_test.go 
+++ b/test/kubernetes_test.go @@ -9,9 +9,10 @@ import ( "github.com/aquasecurity/defsec/pkg/scan" "github.com/aquasecurity/defsec/pkg/scanners/options" - "github.com/aquasecurity/trivy-iac/pkg/scanners/kubernetes" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + + "github.com/aquasecurity/trivy-iac/pkg/scanners/kubernetes" ) func Test_Kubernetes_RegoPoliciesFromDisk(t *testing.T) { diff --git a/test/loader_test.go b/test/loader_test.go deleted file mode 100644 index c0e60c8f..00000000 --- a/test/loader_test.go +++ /dev/null @@ -1,49 +0,0 @@ -package test - -import ( - "testing" - - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - - "github.com/aquasecurity/trivy-iac/pkg/rules" -) - -func Test_loader_returns_expected_providers(t *testing.T) { - providers := rules.GetProviderNames() - assert.Len(t, providers, 11) -} - -func Test_load_returns_expected_services(t *testing.T) { - services := rules.GetProviderServiceNames("aws") - assert.Len(t, services, 33) -} - -func Test_load_returns_expected_service_checks(t *testing.T) { - checks := rules.GetProviderServiceCheckNames("aws", "s3") - assert.Len(t, checks, 11) -} - -func Test_get_providers(t *testing.T) { - dataset := rules.GetProviders() - assert.Len(t, dataset, 11) -} - -func Test_get_providers_as_Json(t *testing.T) { - jsonData, err := rules.GetProvidersAsJson() - require.NoError(t, err) - - assert.NotEmpty(t, jsonData) -} - -func Test_get_provider_hierarchy(t *testing.T) { - hierarchy := rules.GetProvidersHierarchy() - - var providers []string - - for provider := range hierarchy { - providers = append(providers, provider) - } - - assert.Len(t, providers, 11) -} diff --git a/test/module_test.go b/test/module_test.go index 12730cb8..59293fd8 100644 --- a/test/module_test.go +++ b/test/module_test.go 
@@ -8,16 +8,17 @@ import ( "testing" "github.com/aquasecurity/defsec/pkg/providers" + "github.com/aquasecurity/defsec/pkg/rules" "github.com/aquasecurity/defsec/pkg/scan" "github.com/aquasecurity/defsec/pkg/scanners/options" "github.com/aquasecurity/defsec/pkg/severity" "github.com/aquasecurity/defsec/pkg/terraform" - "github.com/aquasecurity/trivy-iac/pkg/rules" + "github.com/stretchr/testify/require" + "github.com/aquasecurity/trivy-iac/pkg/scanners/terraform/executor" "github.com/aquasecurity/trivy-iac/pkg/scanners/terraform/parser" "github.com/aquasecurity/trivy-iac/test/testutil" "github.com/aquasecurity/trivy-policies/checks/cloud/aws/iam" - "github.com/stretchr/testify/require" ) var badRule = scan.Rule{ diff --git a/test/performance_test.go b/test/performance_test.go index 29f58912..761d78e8 100644 --- a/test/performance_test.go +++ b/test/performance_test.go @@ -6,7 +6,8 @@ import ( "io/fs" "testing" - "github.com/aquasecurity/trivy-iac/pkg/rules" + "github.com/aquasecurity/defsec/pkg/rules" + "github.com/aquasecurity/trivy-iac/pkg/scanners/terraform/executor" "github.com/aquasecurity/trivy-iac/pkg/scanners/terraform/parser" "github.com/aquasecurity/trivy-iac/test/testutil" diff --git a/test/rego_test.go b/test/rego_test.go deleted file mode 100644 index d13f9ca9..00000000 --- a/test/rego_test.go +++ /dev/null 
@@ -1,198 +0,0 @@
-package test
-
-import (
- "bytes"
- "context"
- "encoding/json"
- "io/fs"
- "path/filepath"
- "strings"
- "testing"
-
- "github.com/open-policy-agent/opa/ast"
- "github.com/open-policy-agent/opa/rego"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
-
- trivyRego "github.com/aquasecurity/trivy-iac/pkg/rego"
- "github.com/aquasecurity/trivy-iac/pkg/rego/schemas"
- policies "github.com/aquasecurity/trivy-policies"
-)
-
-var embeddedFilesystems = []fs.FS{policies.EmbeddedLibraryFileSystem, policies.EmbeddedPolicyFileSystem}
-
-type walkDirFunc func(fs.FS) fs.WalkDirFunc
-
-func walkOverFilesystems(root string, fn walkDirFunc, filesystems ...fs.FS) error {
- for _, fsys := range filesystems {
- if err := fs.WalkDir(fsys, root, fn(fsys)); err != nil {
- return err
- }
- }
- return nil
-}
-
-func Test_AllRegoCloudRulesMatchSchema(t *testing.T) {
-
- // load all the tests first
- baseModules := make(map[string]*ast.Module)
- walkDirFunc := func(fsys fs.FS) fs.WalkDirFunc {
- return func(path string, d fs.DirEntry, err error) error {
- if err != nil {
- return err
- }
- if d.IsDir() || filepath.Ext(path) != ".rego" {
- return nil
- }
-
- data, err := fs.ReadFile(fsys, path)
- if err != nil {
- return err
- }
- module, err := ast.ParseModuleWithOpts(path, string(data), ast.ParserOptions{
- ProcessAnnotation: true,
- })
- if err != nil {
- return err
- }
-
- if strings.HasSuffix(path, "_test.rego") {
- return nil
- }
-
- baseModules[path] = module
- return nil
- }
- }
-
- require.NoError(t, walkOverFilesystems("checks/cloud", walkDirFunc, policies.EmbeddedPolicyFileSystem))
-
- var schema interface{}
- require.NoError(t, json.Unmarshal([]byte(schemas.Cloud), &schema))
-
- schemaSet := ast.NewSchemaSet()
- schemaSet.Put(ast.MustParseRef("schema.cloud"), schema)
-
- compiler := ast.NewCompiler().
- WithUseTypeCheckAnnotations(true).
- WithCapabilities(ast.CapabilitiesForThisVersion()).
- WithSchemas(schemaSet)
-
- compiler.Compile(baseModules)
- assert.False(t, compiler.Failed(), "compilation failed: %s", compiler.Errors)
-}
-
-func Test_AllRegoRules(t *testing.T) {
-
- // load all the tests first
- baseModules := make(map[string]*ast.Module)
- testModules := make(map[string]*ast.Module)
- walkDirFunc := func(fsys fs.FS) fs.WalkDirFunc {
- return func(path string, d fs.DirEntry, err error) error {
- if err != nil {
- return err
- }
- if d.IsDir() || filepath.Ext(path) != ".rego" {
- return nil
- }
-
- data, err := fs.ReadFile(fsys, path)
- if err != nil {
- return err
- }
- module, err := ast.ParseModuleWithOpts(path, string(data), ast.ParserOptions{
- ProcessAnnotation: true,
- })
- if err != nil {
- return err
- }
-
- baseModules[path] = module
-
- // this is a library file or a rule file
- if !strings.HasSuffix(path, "_test.rego") {
- return nil
- }
-
- testModules[path] = module
- return nil
- }
- }
- require.NoError(t, walkOverFilesystems(".", walkDirFunc, embeddedFilesystems...))
-
- schemaSet := ast.NewSchemaSet()
- schemaSet.Put(ast.MustParseRef("schema.dockerfile"), map[string]interface{}{})
- schemaSet.Put(ast.MustParseRef("schema.cloud"), map[string]interface{}{})
- schemaSet.Put(ast.MustParseRef("schema.kubernetes"), map[string]interface{}{})
-
- compiler := ast.NewCompiler().
- WithUseTypeCheckAnnotations(true).
- WithCapabilities(ast.CapabilitiesForThisVersion()).
- WithSchemas(schemaSet)
-
- compiler.Compile(baseModules)
- if compiler.Failed() {
- t.Fatal(compiler.Errors)
- }
-
- retriever := trivyRego.NewMetadataRetriever(compiler)
-
- ctx := context.Background()
-
- // now run the tests
- for _, module := range testModules {
- t.Run(module.Package.Path.String(), func(t *testing.T) {
-
- t.Run("schema", func(t *testing.T) {
- static, err := retriever.RetrieveMetadata(ctx, module)
- require.NoError(t, err)
- assert.Greater(t, len(static.InputOptions.Selectors), 0, "all rego files should specify at least one input selector")
- if static.Library { // lib files do not require avd IDs etc.
- return
- }
- assert.NotEmpty(t, static.AVDID, "all rego files should specify an AVD ID")
- assert.NotEmpty(t, static.Title, "all rego files should specify a title")
- assert.NotEmpty(t, static.Description, "all rego files should specify a description")
- assert.NotEmpty(t, static.Severity, "all rego files should specify a severity")
- assert.NotEmpty(t, static.ShortCode, "all rego files should specify a short code")
- })
-
- var hasTests bool
- for _, rule := range module.Rules {
- ruleName := rule.Head.Name.String()
- if !strings.HasPrefix(ruleName, "test_") {
- continue
- }
- hasTests = true
- t.Run(ruleName, func(t *testing.T) {
- regoOptions := []func(*rego.Rego){
- rego.Query(rule.Path().String()),
- rego.Compiler(compiler),
- rego.Schemas(schemaSet),
- rego.Trace(true),
- }
-
- instance := rego.New(regoOptions...)
- set, err := instance.Eval(ctx) - require.NoError(t, err) - - tracer := bytes.NewBuffer(nil) - rego.PrintTrace(tracer, instance) - trace := tracer.String() - - assert.Len(t, set, 1, "assertion did not pass for: %s - trace follows:\n%s", rule.Path().String(), trace) - for _, result := range set { - assert.Len(t, result.Expressions, 1, "assertion did not pass for: %s - trace follows:\n%s", rule.Path().String(), trace) - for _, expression := range result.Expressions { - pass, ok := expression.Value.(bool) - assert.Equal(t, true, ok, "test result was unexpected type") - assert.Equal(t, true, pass, "test failed") - } - } - - }) - } - assert.True(t, hasTests, "no tests found for module") - }) - } -} diff --git a/test/rules_test.go b/test/rules_test.go index 045ff7fc..a8fc8bbf 100644 --- a/test/rules_test.go +++ b/test/rules_test.go @@ -8,9 +8,8 @@ import ( "testing" "github.com/aquasecurity/defsec/pkg/framework" + "github.com/aquasecurity/defsec/pkg/rules" "github.com/stretchr/testify/require" - - "github.com/aquasecurity/trivy-iac/pkg/rules" ) func TestAVDIDs(t *testing.T) { diff --git a/test/setup_test.go b/test/setup_test.go index d7d8f381..9c18c477 100644 --- a/test/setup_test.go +++ b/test/setup_test.go @@ -7,10 +7,11 @@ import ( "github.com/aquasecurity/defsec/pkg/scan" "github.com/aquasecurity/defsec/pkg/scanners/options" "github.com/aquasecurity/defsec/pkg/terraform" + "github.com/stretchr/testify/require" + tfScanner "github.com/aquasecurity/trivy-iac/pkg/scanners/terraform" "github.com/aquasecurity/trivy-iac/pkg/scanners/terraform/parser" "github.com/aquasecurity/trivy-iac/test/testutil" - "github.com/stretchr/testify/require" ) func createModulesFromSource(t *testing.T, source string, ext string) terraform.Modules { diff --git a/test/wildcard_test.go b/test/wildcard_test.go index f4c12944..c8a0d37c 100644 --- a/test/wildcard_test.go +++ b/test/wildcard_test.go 
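Review bot: `TestAVDIDs` in rules_test.go now reads the rule registry from `github.com/aquasecurity/defsec/pkg/rules` instead of this repo's package, and the same change deletes `test/rego_test.go`, which was the only test here asserting that every embedded Rego check carries an AVD ID, title, description, severity, short code and at least one input selector and has passing `test_` rules. Whatever registers the trivy-policies checks into the defsec registry is not visible in this hunk; if nothing in the test package triggers that registration, `TestAVDIDs` iterates an empty set and passes vacuously, which is the failure mode a security scanner's metadata check must not have. Add a guard before the loop that fails when the registry is empty, e.g. `require.NotEmpty(t, registered, "no rules registered; metadata check would pass vacuously")` on whatever slice the test iterates, and confirm the schema and metadata checks removed here exist downstream in defsec. The body of `TestAVDIDs` lies outside the hunk.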
@@ -4,10 +4,11 @@ import ( "fmt" "testing" + "github.com/aquasecurity/defsec/pkg/rules" "github.com/aquasecurity/defsec/pkg/scan" "github.com/aquasecurity/defsec/pkg/severity" "github.com/aquasecurity/defsec/pkg/terraform" - "github.com/aquasecurity/trivy-iac/pkg/rules" + "github.com/aquasecurity/trivy-iac/test/testutil" )